[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

September 8, 2005

National Center for Health Statistics
3311 Toledo Road
Hyattsville, Maryland

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703)352-0091

List of Participants:

  • Simon P. Cohn, M.D., Chair
  • Marjorie S. Greenberg
  • Jeffrey S. Blair, MBA
  • Justine M. Carr, M.D.
  • John P. Houston, J.D.
  • Stanley M. Huff, M.D.
  • A. Russell Localio, Esq., M.A.
  • Harry Reynolds
  • Carol J. McCall, FSA
  • Mark A. Rothstein, J.D.
  • Donald M. Steinwachs, Ph.D
  • C. Eugene Steuerle, Ph.D
  • Kevin C. Vigilante, M.D.
  • Paul Tang, M.D.
  • Judith Warren, Ph.D
  • Virginia Cain, Ph.D
  • Michael Fitzmaurice, Ph.D
  • Maya Bernstein, J.D.
  • Steven Steindel, Ph.D
  • Marietta Squire
  • Donna Pickett
  • Wanda Goban-Jenkins

TABLE OF CONTENTS


P R O C E E D I N G S (9:20 a.m.)

Agenda Item: Welcome and Introductions

DR. COHN: Good morning, everyone. Would everyone please be seated, we are
going to get started here momentarily.

I want to call this meeting to order. This is the first of two days of
meetings of the National Committee on Vital and Health Statistics. The National
Committee is the main public advisory committee to the U.S. Department of
Health and Human Services on national health information policy.

I am Simon Cohn. I am the Associate Executive Director for Health
Information Policy for Kaiser Permanente, and Chair of the committee. I want to
welcome committee members, HHS staff and others here in person. I also want to
thank Marjorie for taking us in at the last minute.

DR. GREENBERG: And my wonderful staff.

DR. COHN: And your wonderful staff. I want to welcome those listening in on
the Internet.

I want to remind everyone to speak clearly and into the microphone, since
we are being broadcast.

Before we do introductions, I want to take a moment to reflect on those
affected by Hurricane Katrina, as well as the heroic actions of those called in
to restore order and care for those that were in harm’s way. The reason that we
are not at the Hubert Humphrey Building today is that those meeting rooms are
now being used as command centers for the Hurricane Katrina efforts. So I do
want to apologize to committee members and others that had to come out here on
short notice, but there is a good reason for our relocation for this meeting.
Clearly, our thoughts are with those affected by this major disaster, both
those personally affected as a result of the disaster, and those delivering
care. I would just take a moment of silence to recognize those people.

With that, let’s have introductions around the table, and then around the
room. For those on the National Committee, I would ask if you have any
conflicts of interest related to any of the issues coming before us today,
would you please so publicly state during your introduction. I want to begin by
observing that I have no conflicts of interest on any of the issues today.

Marjorie?

DR. GREENBERG: I am Marjorie Greenberg from the National Center for Health
Statistics, CDC, and Executive Secretary to the committee. I do welcome you all
here to NCHS.

DR. ROTHSTEIN: I am Mark Rothstein from the University of Louisville School
of Medicine, member of the committee. I have no conflicts.

DR. HOUSTON: I am John Houston with the University of Pittsburgh Medical
Center. I am a member of the committee and I do not have any conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina. I
am a member of the committee and no conflicts.

DR. WARREN: Judy Warren, University of Kansas School of Nursing. I am a
member of the committee and no conflicts.

MR. LOCALIO: Russell Localio, University of Pennsylvania School of
Medicine. I am a member of the committee and I have n conflicts.

DR. STEINWACHS: Don Steinwachs, Bloomberg School of Public Health, Johns
Hopkins University, member of the committee. I don’t have any conflicts that I
am aware of.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the committee,
no conflicts.

DR. CAIN: Virginia Cain, NIH, liaison to the committee.

DR. LANSKY: I’m David Lansky from the Markle Foundation. I am a visitor.

MS. MC CALL: Carol McCall, Humana, member of the committee, no conflicts.

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the
committee and no conflicts.

MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health, member
of the committee and no conflicts.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Research and
Quality, liaison to the committee and staff to the Subcommittee on Standards
and Security.

DR. HUFF: Stan Huff with Intermountain Health Care and University of Utah
in Salt Lake City, member of the committee and no conflicts for issues that are
coming before the committee today.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention,
liaison to the full committee.

MR. BLAIR: Jeff Blair, Medical Records Institute, member of the committee,
no conflicts I am aware of.

MR. HITCHCOCK: Dale Hitchcock, Office of Planning and Evaluation at HHS. I
am here substituting for Jim Scanlon, who is tied up with the efforts the
Department has ongoing on the hurricane relief plans.

MS. SQUIRE: Marietta Square, CDC, NCHS and staff to the committee.

DR. KYLE: Frank Kyle, American Dental Association.

MS. PICKETT: Donna Pickett, National Center for Health Statistics, CDC, and
staff to the Subcommittee on Standards and Security.

MS. GOVAN-JENKINS: Wanda Govan-Jenkins, NCHS, CDC and staff to Standards
and Security Committee.

MR. ALFANO: Bill Alfano, Blue Cross Blue Shield Association.

MS. LUKE: Marilyn Sigmund Luke, America’s Health Insurance Plans.

DR. DEERING: Mary Jo Deering, National Cancer Institute, lead staff to the
committee’s Work Group on the National Health Information Infrastructure.

MR. RODE: Dan Rode, American Health Information Management Association.

MR. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC,
committee staff.

MR. FERGUSON: Jamie Ferguson, Kaiser Permanente.

MS. BERNSTEIN: Maya Bernstein, Office of the Assistant Secretary for
Planning and Evaluation. I am lead staff to the Subcommittee on Privacy and
Confidentiality.

MS. SANCHEZ: Linda Sanchez, Office for Civil Rights.

MS. KANAAN: Susan Kanaan, writer for the committee.

MR. KING: Eric King, MEDTECH Systems.

DR. COHN: I want to welcome everyone. Before we do agenda review, I would
like to start with a couple of comments.

As I am sure you are all aware, this continues to be an interesting and
exciting time for the committee. Many of our recommendations, including the
need for increased HHS leadership in health information technology and the NHII
are clearly coming to pass. Since our last meeting, Secretary Levitz’ 500-day
plan, which incudes as a centerpiece the next phase of the HHS health IT
strategy, is unfolding.

What we are talking about is an acceleration of the activities and efforts
to move health care into the information age, to transform the health care
system and improve the health of all Americans. This is the vision that we
foresaw when we published our document, Information for Health in 2001, which
laid out a strategic vision and framework for developing the NHII.

The Executive Subcommittee, Jim and Marjorie, have been working with me
this summer on how we can best support and assist the Secretary and Department
going forward in this accelerated environment. Indeed, because of our content,
expertise and experience, we do have a lot to contribute here. In addition, we
have a reputation for strategic focus and for an open collaborative process and
the ability to deliver timely, thoughtful, practical recommendations that are
supported by both the public and private sector.

We have had discussions over the summer with HHS leadership on how we can
best make a contribution. This has included ongoing conversations with David
Brailer, and I have also had a second conversation with the Secretary since we
all last talked. While the new initiatives are of course unfolding, I believe
it is safe to say that we will play an important role in helping to assure the
success of the Secretary’s health IT strategy and the new initiatives.

As I have commented, this is an exciting time. I want to acknowledge all of
you for your continued hard work and support of the committee’s mission, and
also for your commitment to the betterment of the health of Americans in our
population.

Since our last meeting, we have also had an executive subcommittee retreat.
I want to thank the members of the executive subcommittee for their help and
flexibility as we develop plans and priorities for this next fiscal year. I am
anticipating tomorrow’s subcommittee and work group chairs will share thoughts
on work plans and priorities for this coming year.

Let me now shift gears. I want to take a moment and congratulate Jim
Scanlon, our Director, on a well-deserved promotion at HHS. In fact, he has
been promoted so far that we can’t even attend the meetings anymore. Hopefully
that is not the case.

He was previously acting Deputy Assistant Secretary for Science and Data
Policy in the Office of the Assistant Secretary for Planning and Evaluation. He
is now no longer acting; he has been promoted to full Deputy Assistant
Secretary. We want to congratulate him, and I am sorry he isn’t here.

DR. GREENBERG: In his absence.

DR. COHN: I have also on the advice of Bob Hungate appointed Justine Carr
to be our liaison representative to the national advisory committee of AHRQ.
Justice, congratulations, and thank you for being willing to take on this added
responsibility.

DR. CARR: Thank you. I look forward to it.

DR. COHN: Now finally in terms of this, I do want to congratulation Carol
McCall for being willing to take on the responsibilities of vice chair of the
Quality Work Group. So Carol, thank you very much.

MS. MC CALL: Looking forward to it.

Agenda Item: Review of Agenda

DR. COHN: Let’s now move into the agenda review. We are moving the agenda
around a bit, as you all probably noticed. This morning, we begin with a
presentation by David Lansky of the Markle Foundation on personal health record
systems. This is an area that has had increased attention recently, because of
the CMS RFI on this topic.

I should also comment that David participated — we were together at this
open forum recently. CMS for the RFI had an open forum, discussing the RFI on
personal health records, and the NCVHS was a presenter at that forum. David’s
presentation is intended to be an overview of the topic, and I understand he is
also going to be critiquing our letter prior to our consideration of this
action item for later today.

After an early break, we will move to an update from the Department. Dale
Hitchcock is representing Jim Scanlon from ASPE. I understand the CMS is unable
to participate today in our meeting. I think we have Linda Sanchez, as I
understand, presenting from the Office of Civil Rights. Linda, thank you for
joining us. This will be after our first break.

This will be followed late this morning and potentially continuing after
lunch — we will discuss the letter on personal health record systems which
comes to us for action at this meeting. This will be followed this afternoon by
a discussion of the NCVHS 2003-2004 report which most of you reviewed at our
last meeting. This has been further revised and we are bringing it forward for
hopefully your approval today and tomorrow.

Finally, there is also the HIPAA report to Congress, our seventh annual.
This is again an action item for this meeting.

DR. GREENBERG: We will not have the updates from ONCHIT.

DR. COHN: As you can tell, we are still working on the agenda as we are
giving the agenda update here.

My understanding also is that even though ONCHIT. My understanding is that
even though ONCHIT is on the agenda for an update, they are not going to be
presenting an update today.

DR. GREENBERG: They are also totally occupied by the disaster efforts.

DR. COHN: I think we will have them on our November agenda, but we will
confer with them for this meeting.

DR. GREENBERG: Also, I prepared a little sheet here for you, and I don’t
have it so I’ll go up and get it, regarding some of the logistics on lunch. Do
you mind if I just mention that, because we have to get closure on that?

DR. COHN: Sure.

(Remarks off the record regarding luncheon arrangements.)

DR. COHN: We will continue to be flexible with the agenda and timing of our
sessions, and we will certainly try to accommodate this.

Let me talk a little bit about the end of the day. We will be adjourning
mid-afternoon. After our adjournment, all three subcommittees are meeting
simultaneously. What they will be doing is meeting about 75 minutes. After
that, we will have about an hour to an hour and a half for the meeting of the
NHII Work Group. I’m sure the principal discussion will probably be the
personal health record letter.

This evening we have dinner in downtown Washington. We will after lunch
take a show of hands to find our how many people are coming for that.

Probably most importantly, I just want to take a moment to talk about
tomorrow morning a little bit. As you all remember, the timing of the agenda
was based on our belief that we were going to be in downtown Washington. That
was even a little early for those having to get into downtown Washington.

I looked at the agenda, and I am going to suggest that the full committee
meeting start at 10:30 rather than at ten. I think that there are items there,
especially the executive subcommittee retreat comments, which are not a
discussion for this particular meeting.

I am going to also suggest that the subcommittees and work groups that are
scheduled to start that morning begin at 9 o’clock and not at 8 or 8:30.
Hopefully everyone is comfortable with that, given the added travel time to get
here. I’m not hearing any objection to that idea.

Agenda Item: Personal Health Records Systems

With that, let’s begin our first session. I do appreciate the committee’s
flexibility as we move through this agenda, because it still is likely that
there may be some moving around of agenda items as we go through the day.

With that, I want to thank our first presenter, David Lansky. You obviously
have other things going on today that interfered with your plans, so thank you
for joining us, and we look forward to your presentation.

DR. LANSKY: Thank you, Dr. Cohn. Thank you all, first the Chair and
everyone, for accommodating my change of schedule. The hurricane nightmare has
gotten everyone involved very constructively in trying to take the lessons we
have all learned from the last ten years or so working in this field, and make
sure we are better able to respond to this situation in the next one.

I think the work you have been doing this year on personal health records
is suddenly finding a forum in this horrible crisis. One of the lessons learned
on the margins here is that the lack of infrastructure and capability to move
peoples’ health records around in a disaster of this magnitude becomes a huge
problem for hundreds of thousands of people. So I know that ONCHIT and everyone
else is very busy trying to do what they can to provide both a transitional
solution to that, but also, sad as it is, to use this opportunity to advance
improving the system as a whole.

I do very much applaud what you have done with the PHR letter that is in
draft form now. I think your efforts to move this particular agenda forward is
absolutely vital, and will now be more visible and recognized for its
importance.

I know many of you have been on the subcommittee which has had many
hearings on this subject, and are very, very well informed on all the issues. I
think the letter reflects that. I prepared a very surface overview of a number
of the components of the personal health record field, and I’ll just go through
it quite quickly, because I know you have all spent a lot of time with this.
What I would like to do is fast-track through the first part of this material
and go to the policy issues that come toward the end of it. Then if we have a
few minutes to talk about that, I would be glad to do that. Again, thank you
for accommodating my change of schedule today.

There are hard copies of my slides in the back of the room. Whether we can
see them here, I don’t know.

I wanted to start just by anchoring this discussion a little bit in the
pillars of all of our work in the last five, ten years, the IOM reports. It is
worth reminding ourselves as we look at the six aims for health care
improvement that the IOM articulated some years ago, and have become ground
rules for everybody.

The IOM at that time went further and identified a set of design rules,
so-called, which would be implementation mechanisms to achieve these worthy
nobel goals of safety and efficiency and so on. The design rules, ones that I
italicized on the slide here, six of the ten are very patient centered in their
intention. This is probably quite a shift from the classical paradigm of
medical delivery, but the IOM in its wisdom saw that the increasing role of
patients and consumers and families and caregivers in the delivery of health
care services was critical.

As we talk about the personal health record as a technology or as an
approach, I hope you will think of it as an instrument which is available
increasingly to address these design objectives that the IOM articulated.
Continuing healing relationships, using the personal health record as a medium
of working more closely with professionals and patients of families,
customization based on patient needs, identifying those needs and delivering
services to meet those needs. The patient as a source of control is a critical
theme, and we are going to come back to that. I know your letter discusses that
at some length as well. Shared knowledge between the patient and professional
and among professionals. The need for transparency, all that goes on in the
health care system the public has a right to know and understand. The ability
to anticipate needs, the use of health risk assessments and other tools to
capture information from people in advance of and during the course of care.

So this is not an esoteric technology, an interesting thing on the margin.
This is at the heart of what the Institute of Medicine and others have said
needs to happen in health care.

The potential of a personal health record at this point, by giving people
more engagement in their health care, more control over their health
information, we all believe and many of us have experienced now seeing that it
can improve peoples’ ability to manage their health. Improve efficiency in the
system, patient satisfaction and quality and safety of care, and communication
among the whole health care team.

I didn’t bring these as slides, I’ll just wave them at you. As you think
about this personal health record idea, we aren’t coming up with something new.
Hundreds of thousands or millions of people over the years have managed their
health information themselves.

People send me periodically versions of this. Someone sent me a 50-page
diary essentially, a personal narrative of a loved one’s last illness, which
was done as an e-mail circular to a number of friends and family, but is
actually a personal health record in great detail about the patient’s
experience. Someone else sent me a spreadsheet with cancer patients, seven or
eight years’ worth of weekly readings on chemotherapy treatment, personal
symptoms, blood counts, all kinds of things that this patient managed for
himself in the course of his illness, and obviously found it very valuable.

So the application of technology of this is hopefully very helpful, but it
is not really about the technology, it is about peoples’ ability, as they
already do in other media, to manage their own health information.

But of course, we do now have the advantage of new technology. This is
actually Dr. Tang’s own — I hope it is familiar, Paul — this is the portal
that Palo Alto Medical Foundation has to permit their patients to access
information that is in the medical record, that is maintained by the
institution, and then gradually to have more capabilities to communicate with
their providers and add their own information.

If we think of this personal spreadsheet that someone maintained as a
completely unconnected personal tool and what Palo Alto Medical Foundation
offers as a very connected relationship support tool, there are also other
gradients in here. This is actually the Web M.D. solution, which is a
commercial product, which is primarily managed offline, that is, between the
patient directly, unconnected to their providers, but increasingly, these kinds
of products have capabilities of connecting the patient to the provider. So
this is just to say there is a spectrum of connectedness between the patient
being totally on their own and the patient being very much connected to their
professional team they may be working with.

So from a diagrammatic point of view, right now, if I am this patient and
family, this mother and child sitting in the middle of this picture, I may have
to go out and talk to a dozen different information sources. My PBM might have
an online portal. My doctor may have an online portal. My insurance company may
have an online portal, and so on and so forth. I may have a personal health
record at a private company like Web M.D.

Actually, my mother, who is 84 and lives in Boston, has three portals that
she manages herself for her PBM and two provider networks at all her consumer
portals, which don’t talk to each other. So on the one hand, it is wonderful
that someone in her situation can have access to these tools. On the other
hand, we are proliferating. As you know, CMS is developing a consumer portal.
We are going to have a proliferation of these independent, unconnected, not
standards based resources for people, and I think we have the opportunity to
try to step into this flow and introduce some structure to it. One way to do
that would be to create a personal health record hub, which all these portals
and other technologies can talk to, and which gives the user one central way of
accessing all of her or her family’s health information.

Today, as your letter notes, there are a number of services and functions
available. It is a plethora. There is not a uniform thing out there called a
personal health record. You have got patient information content, we have
messaging, scheduling and convenience features like that, preventative service
reminders, adherence and disease management tools, patient diaries, symptom
logs, health tracking tools, drug management tools, financial tools for
consumer defined health plans, HSAs and so on. So it is a plethora of good
ideas, but it is hard for people to locate them, hard for them to integrate
with each other.

MS. MC CALL: This is first a process question. Will you entertain questions
as you go along, or would you prefer that you wait?

DR. LANSKY: I’ll leave it to the Chair’s judgment on that.

MS. MC CALL: I want to honor the time.

DR. COHN: I think I am going to ask you to go through — can you hold the
question?

MS. MC CALL: Absolutely.

DR. LANSKY: I will go through briefly, and hopefully we will have more
time.

So there is a variety of services available. People like these services,
when polls have been done and products have been offered. People love e-mailing
their doctor, they like looking at things like keeping track of their kids’
immunizations. They are aware that there are often mistakes in their medical
record and they would like the opportunity to review them and correct them.
They like the ability to move information from one provider to another, and a
very popular service is looking at my own test results as quickly as possible.
So these things are popular, especially with people with chronic illness,
especially with caregivers of young children or of spouses or parents. So the
public interest in this is quite high when we talk about specific benefits,
specific services of value to me in my own life.

When we talk about abstractions like a personal health record or even
worse, an online medical record, a lot of concern is expressed. So we have to
be thoughtful about understanding public reception of benefits and risks as we
go forward.

I think the next slide summarizes the level of public anxiety about the
potential risks. With all the privacy spills of this last year, and the
publicity around them, there is certainly a heightened sensitivity that putting
my personal health record online creates a new potential for exposure. We
sometimes like to say, this is the only country in the world, or the only
developed country, where the possibility of someone finding out my health
status could mean the loss of my job or the loss of my ability to access health
care. So that anxiety is very strongly felt by some portions of our population,
and could be an impediment to moving this agenda forward.

I think as your letter points out quite articulately, there is no single
personal health record today. But it is good to talk about the attributes of
the personal health record, both prescriptively, what we think they should be,
and descriptively. This is more prescriptive probably than descriptive. Most
people in this field talk about the personal health record as something the
individual can control. This concept of personal control is a significant one I
want to come back to. It is probably one of the things that distinguishes this
from other forms of health information management, the idea that the patient is
the person who controls the information and who gets to see it. It is a
significant attribute. It raises some question even in this Katrina situation,
the notion that a person can have access to and control their health
information regardless of these external circumstances, is an interesting
feature of this concept.

Potentially it could contain information from a lifetime, that is, across
all providers and across all episodes of care and time spans. It could be
accessible from any place at any time. Again, in this Katrina environment, the
notion that people who are now cut off from their medical history, and even the
ability to call up a physician who might know their medical history, those
people if this structure had been put in place, this idea of a lifelong record
accessible at any place any time would have been very valuable to many people.

Private and secure is a vital American value as we think about this, and
your letter addresses that well. Transparency; in this case we refer to the
idea of an audit trail that anybody who sees information that is my personal
health information, I should have the ability to know about that visit.
Interactivity, meaning that I can share my information with providers or with
other family members across time and space.

We have been using this term ecosystem of late to try to suggest that the
personal health record is going to fold into a very complex and rapidly moving
environment of information sources and services. I don’t think we know what
that ecosystem looks like and what the different flows of climate are across
that space, what the landscape even looks like. But I think it is worth
continuing to monitor what that environment is like as we think about the PHR
services and products.

I’ll just put out a few assumptions which we could discuss and I am sure
you have spent much time discussing. Despite all the good efforts by many
people in this room, electronic health record adoption is slow. So for a
typical American out there who wants to have a personal health record that
connects to their doctor’s health record, 17 percent or 20 percent of the
people have that capability today, 80 percent of the people don’t. So we have
to be thoughtful about the ability of the person regardless of how wonderful
the PHR technology is, to establish that connectivity.

RIOs and other information exchanges, again despite enormously good effort,
are moving slowly. We have no reason to think in three years or five years we
will have a massive shift in that environment.

Standards and implementation guides to bring standards together for
purposes of uniform adaptation and adoption, we are barely forming the
infrastructure to develop those standards and harmonization mechanisms. It is
realistic that it will be two years or five years or X years before that is
widely in place.

However, it is worth noting in contrast, and you have heard this in your
testimony earlier at the subcommittee, there is a high proportion of
standardized electronic health data emerging from transactions. Those
transactions include encounters, pharmacy dispensing and laboratory orders and
tests and test results. So it is worth looking at these islands of highly
standardized electronic data as one of the accelerators of personal health
records, in conjunction with the other things that are going on in the field
that we are aware of.

Finally, and this is a cross-cutting wind across the ecosystem, patients
remain very loyal to and dependent upon their individual doctors for direction
on how to access and use their health information. So to the extent that a
physician environment offers a patient a PHR, there is a lot of likelihood of
good success and a good outcome there.

We don’t know about the other strategies that are employer based or health
plan based or commercially based in terms of achieving that comparable level of
success. We do know that physician sponsorship is very influential.

So as we look at this pattern of IT adoption of digital data and
availability of culture and relationships, it affects the way we think about
the emergence of PHRs as a tool in our society, despite the positives I
mentioned earlier.

It is also worth remembering that alas, paper is now floating in New
Orleans, but for many people in this country, paper remains the mechanism of
storing their health information. In surveys we have done — I think I have a
slide later — a large percentage of people, especially older Americans, only
trust paper as the way of storing their health information. A paper personal
health record is certainly a valuable tool that we should be supporting in
collaboration with the electronic media that we might use.

I think I mentioned already the spectrum of product approaches. Portals we
would call something where the person primarily gets to access online in a
relatively passive way a body of their own health information. Large provider
organizations are typically offering these today. They are very common now. We
see roughly 15 percent of patients when they are offered this kind of a tool
take advantage of it. I know Paul’s organization has a better success rate, and
I think Group Health is now doing better. So we are seeing some organizations
with more time and more commitment getting higher numbers of patients using
these tools.

It has a limited amount of patient source data. If I want to log my
symptoms on a daily basis or upload by glucose meter, that is not very commonly
available in these systems. They are primarily provider based system with a
portal for the patient.

They are difficult to port. It is difficult to take a system I have
maintained at one provider organization, then move across the country and take
that data with me. And patients do not have much control over how that
information is used and shared. It is typically a provider resource.

There are also independent personal tools. I don’t think there are major
successes to report there, despite some very fine products. The business model
is difficult, the uptake rates are low. They are typically now sponsored by
some third party, a drug company or an employer or a health plan, but they are
not paid for directly by the users themselves.

They typically are more successful when they address a specialized
audience, diabetes parents, you may have heard from Cynthia Solomon, parents
with children with hydrencephalus. So highly specialized groups with very
specific information needs are very likely to make up an independent approach
and work with their providers to get it used.

The third category we haven’t talked as much about, I know you had
testimony from one source on this, are what are called transaction data driven.
As I suggested a minute ago, take advantage of the data that is out there, go
where the data is, and then do the best you can with populating a PHR from it.
I think the health plans in particular are advancing that as a model, and we
will have to see how successful that can be in bringing value to your patients.

In terms of market accelerators, there are a number of them. Of course, the
Internet itself and the digital lifestyle many of us have slumped into, is one
driver of adoption of PHRs. Demographics and some of the target groups like
baby boomers are very high users of PHRs, more so than older populations, and
those of us who have both parents and children with health needs are going to
be early adopters and users of these tools.

There are some competitive pressures, both in the technology industry and
among providers, to take up these tools. If you are in a market with a large
provider system which offers a portal or a consumer tool, other providers are
likely to take that up as well.

The consumer driven plan designs. Your letter mentions this as a potential
driver. I share the uncertainty, whether that will be a factor, but it may be
one in increasing patient interest and having health management tools of this
kind.

Finally and very importantly now, public policy. The President has been
articulate, a number of Senators have spoken on this, Dr. Brailer and Secretary
Levitt are passionate about advancing this cause, and certainly CMS, VA and DoD
are all moving very rapidly. So having a strong and increasingly coordinated
national governmental push could be a big driver of adoption for the public as
a whole.

There are some barriers as well. The reality is, consumer demand is modest
for this kind of tools when they are offered. People do have privacy concerns.
Not all of our fellow Americans have comparable computer skills, health
literacy skills, numeracy skills and so on. The presentation of health data is
complex, and we have not yet done a great job of making it understandable for
people. The information is not usually ported from one provider or system to
another. Patients don’t have an ability to control their information, and they
don’t have a sense of transparency about the health information in many of
these settings, and of course, there is not a trusted national brand yet that
people in the public would say, that is a Nokia or that is a Quicken health
record. I know I can trust that company to deliver a reliable product. So until
we have comparable success in this field, it may be slow going with the public
recognition of these products.

Physicians are not yet enthusiastic advocates of this. They of course
themselves don’t always have an electronic health record. They are not being
paid to do any work around personal health records. Some of them do perceive it
as a threat to their control of patient information. There is a work flow
concern as we saw with e-mail. There is now that work flow concern with PHRs,
that they will generate new work that they are not paid or prepared to handle.

There is a liability concern that has been more and more voiced that the
personal health record, if I as a provider am expected to know what is in it
and I am liable if I make a decision or something happens untoward for the
patient because of some information I did not review in that personal health
record, am I acquiring a new liability. The number of health provider
organizations are beginning to express that. And we don’t have a business model
yet that make this viable.

I won’t dwell on the data that I have shared here. I think you have seen
most of it before. There is a public over estimation of the adoption of EHRs,
so people believe their doctors are farther along than they actually are.

I think I will just skip through these graphics and move on to some of the
policy issues, given our time today.

There have been some attempts to develop public communications efforts, to
educate the public about why this might be helpful for them. I think the key
takeaways from that research are these. People are unaware of or receptive
toward the value of these services. People do want convenience and they do want
control. Those are opportunities for us to talk about. People do want their
information available electronically in health care and other sectors, but
there is a comparable fear of doing that. People do want to work with their
doctors to acquire this information.

Let me take a mental break there and move more into the policy
implications. This is an overview of the landscape we seem to be in, the kinds
of products out there, the kinds of services, what we know about the public
mood.

Let me shift now to what some of the policy issues are that I know your
letter and your hearings have discussed at length.

First of all, the federal role in personal health records. You have a
distinct opportunity to inform the Secretary and to suggest ways to move
forward. There is a strong rationale for the federal government playing a hand
in this arena, which to some might look like it is a market situation, why does
the government have a role. I think it is important to restate why there is a
role for the government. The President has certainly said this is a national
objective, and that gives us all a reason to give it greater attention.

PHRs as we saw with the IOM citation are one of the tools we can achieve a
variety of public health goals that the nation has adopted. Many of the current
federal activities will be strengthened by the use of PHRs in support of
current federal activity, and some new and emerging federal policy objectives
can be helped with this set of strategies.

You have done remarkable work over the years on the NHII. You have
articulated in the past why the government needs to be the articulate leader of
this strategy. No one else in our society has that opportunity and that role.

The need for connectivity. None of these individual objectives can be met
unless there is an infrastructure which ties the pieces together, and there has
to be national leadership to make that happen. It is not going to happen by
itself in the market, at least, it hasn’t in the last 15 or 20 years.

This slides summarizes as a reminder if you need it how big the government
is in health care, and how many fingers it has touching different aspects of
American life and the health care system. But the government’s role in PHR is
expressed in a variety of ways. It is as a provider of course in the VA and
other settings. It is as a payor in the context of CMS and others, CHB, for
example. It is a regulator, it is a researcher, it is a disseminator of primary
knowledge to the public, it is a public educator, it sets policy, and it is an
employer through the very large federal employee program. So there are many
ways in which the government can be active in stimulating a successful PHR
program, and conversely, by lack of coordination the government can be a little
bit disruptive, putting out many different uncoordinated PHR agendas.

I think the issues that we have heard as we interviewed federal agencies,
what they see emerging for them. First of all, how do they understand whether
and how PHRs will advance their own objectives in their own agencies. What will
it cost them to proceed down a path of supporting personal health records. If
there are standards, and if there is an inoperable health information
environment, what is the importance of standardizing the PHR piece of that. In
other words, is the EHR standardization effort an interoperability effort
enough, or is there a supplemental effort around PHRs that has to be taken on
explicitly.

What are the privacy concerns? The question is, is HIPAA enough? You have
raised it in your letter, and I think that is going to become an increasingly
explicit topic of discussion.

How does the government encourage innovation and not stifle it? If the
government were to put out 40 million CDs with the government’s official PHR on
it, that might not encourage innovation. But is there a way that the
government’s actions can stimulate what is a brand-new field and very
unpredictable in its course of continuing improvement in the availability of
information for patients and families.

Are there regulations needed or certification processes needed for PHR
products. Then there are a number of other elements that are listed here in
terms of the capacity of the federal government to be involved, how it ties to
other federal agency objectives, Department of Homeland Security, for example,
and document management has come up this week as a new set of challenges which
overlap with the PHR issues.

A second broad category of policy concern is privacy and HIPAA. We know
that the public cares about privacy. We know that HIPAA provides a very
important framework for further analysis, but it is not clear that HIPAA when
it was crafted in the mid-90s anticipated either the electronic health record
or the personal involvement with their own health information that we are now
seeing. So there are several questions that have to be revisited.

The individual has a right under HIPAA to access their own health
information and to make demand for it. Is that an enabler of personal health
records and if so, how do we exploit that in effect. Secondly, privacy
protections your committee has raised very strongly. If the PHR offerer is not
a covered entity under HIPAA, why privacy protections apply? What guarantees do
the patients have about the uses of their information when shared with a third
party non-covered entity?

HIPAA provides for personal representatives or proxies to manage health
information. How does that play into the need in the PHR context for caregivers
and proxies to be working with the patients themselves? The notifications of
content provisions of HIPAA, do those apply equally, and how do they apply to
the PHR environment?

One of the issues now with the California notification law or breach law
has revealed to all of us the spills of private information, but that law is
not national in scope, and there is no guarantee that spills of personal health
record will — I will receive notification if that were to happen to me,
outside of California. Then, do we need provisions that are stronger than HIPAA
as it addresses PHR information.

A third issue of public policy that I want to give attention to is personal
control. Surveys we have done and others have done have said it is very
important for people to control their information. There are several
implications or challenges that raises.

First of all, we have seen this in Connecting for Health painfully and
repetitively, do we mean control in the aggregate or in the granular level. If
I am a patient and I say you may see my medical record or you may not, or can I
say, you may see my psychiatric medications or you may not, or can I go down to
a specific lab result, diagnosis or medication, and exclude or include certain
people from seeing that. That is a question that is both a policy,
philosophical and technical challenge.

What does control mean in the context of technical decisions about
architecture? As we build the national health information network and we debate
issues like unique identifiers and record locator services and other arcane
issues of technology, what do those imply for the ability of a patient to
control their health information. As we move out of the purely institutional
and provider oriented way of thinking about it, these technical decisions have
import for the ability of PHR to have personal control.

Does the exercise of personal control jeopardize patient safety? Do we have
two fundamental American objectives that are at odds? Some providers are
concerned that patients will exercise that control unintelligently if you will
and sabotage their own best interest by controlling information that could be
used in their own best interest and the patient’s interest. Can physicians be
effective if patients are limiting information access without adequate
knowledge of how to do so. Then, the fear of secondary uses. Do we prevent
secondary misuse of data, or do we provide consequences when those misuses
occur.

These are all going to be the emerging policy challenges in the privacy
area for the next several years.

The fourth area here is standards. The broad question is, do we need
standards for patient supplied information. If the PHR is able to leverage, as
you say in your letter, EHR standards for laboratory results and so on, what
happens when I want to report my medication use patterns, I am splitting pills
or I am skipping doses, or I want to report my symptoms, my pain level day by
day, or my angina level day by day. We don’t have a standard nomenclature and
vocabulary to record all that. So does the PHR data become less portable for
lack of portability of patient supplied data, and is there any mechanism to
begin to introduce standards there.

Finally, I want to just mention the Medicare role, because it is such a
dominant player in our health system and our society. As you know, Dr.
McClellan in the program there is very interested in personal health records,
as Simon said at the outset. We have done some work, and others are now
providing input to CMS on how they might proceed. The prescription drug benefit
program next January certainly may be an opportunity for CMS to jumpstart some
attention to managing my own health information. I already have a consumer
portal which could become a medication management portal.

Our recommendation to CMS is that they focus on becoming an information
data supplier to the variety of personal health records that may be out there,
and that CMS not become a vendor or distributor of personal health records
themselves. I think it is a question for you all to ponder as you go forward,
what is the right role of government and major agencies like CMS. Should they
be an offerer of personal health records, supplier of information to third
party personal health records, or some other combination thereof.

Finally on that subject, I just want to say that I think anything CMS does
has the opportunity to educate all Americans, especially older Americans and
their families, about all the issues you struggle with. It is very helpful and
important that CMS do proceed in this way. Even if what they do on a technical
level or a data supply level is modest, the mere act of doing it educates
people that it is possible to see my own health information, make better
decisions because of it, share with my doctors and my family. That is a very
valuable role they can play.

This is some general thoughts on where the policy framework might need to
go from here to extending where you have come with your letter so far.

First of all, this idea of a road map of some kind. It seems like everyone
in this space, both in the EHR arena and the PHR arena, interoperability arena,
would benefit from what we call a road map, a common sense of how do we move
through this ecosystem going forward, what does it look like today, what do we
want it to look like in ten years, what are the main roads that are going to
cross that territory over the next ten years, and what do we need different
components of the health care information system to do to traverse that
landscape over the next ten years.

I think we need to monitor very closely — and you suggest this in your
research recommendations — what the next generation of innovations will be. We
don’t know sitting here what the next equivalent is going to be to move us
through this territory. We should watch closely to see what gets traction, both
with professionals and patients.

We can certainly see experiments, where with what preliminary knowledge we
have, we can see the next generation of ideas and find out what works. I think
as I suggested briefly here, there are some policy tracks that need further
debate.

A number of policy actions that should be considered. We think the
Secretary and the new AHIC should designate a private-public panel or an
extension of an existing panel to guide the deployment of PHR pilots so that
CMS and others can learn in a systematic fashion what the next wave of
challenges will bring. Employers plans, FEHB, CMS should explore incentives at
the patient level as well as the professional level for adoption of these
tools, and some coordination around those, what those incentives might be.

Using the medication environment, I think our broad thought is, it would be
worthwhile for everyone to focus on a common area of implementation.
Medications is probably the one with the greatest traction, greatest risk to
public safety, greatest visibility because of the prescription drug plan under
Medicare. If there were to be a single point of focus for the next few years,
perhaps medication safety and medication management might be it, and give at
least the federal initiatives and maybe private initiatives some direction
there.

PHR-like functionality, whatever that might mean, might be something we
encourage AHRQ, CMS and other federal payors and grantors to consider as a
requirement of their federal IT spending, that they create a focus, as they are
now doing with interoperability and that Congress is telling them to do, they
do the same thing with giving the patient access to their own information as a
condition of using federal money for IT.

Creating awards for state PHR pilots with Medicaid. Medicaid is always a
forgotten stepchild with enormous potential, and reaches an enormous number of
vulnerable Americans who have particularly acute health needs. It would
certainly be desirable to make these technologies available through the
Medicaid program.

Some consideration of the certification process for personal health records
to address some of the issues I have summarized this morning. Then increase
ONCHIT’s ability to focus on this. They have always wanted to, it is in their
original strategic framework, but they certainly have not given much attention
to personal health records.

My last slide is a commercial. October 11, we will be sponsoring along with
Robert Wood Johnson and AHRQ a conference on personal health records here in
Washington. I hope you are all able to come and send your friends.

Thank you very much.

DR. COHN: David, thank you very much. Carol, should we start with your and
your question, since you were kind enough to defer it until the end?

MS. MC CALL: Absolutely. These are some related questions. Back on slide
nine, you talk about all the different things that can be in a PHR, and then
acknowledge that they are not identical, and they may not be intended to be. So
that is point number one.

Backdrop point number two has to do with data and data ownership, because I
think that is going to be a key issue. So the question with those as backdrops
is this. Who owns the data? I know that you have already put that out there,
but within that context and aggregation, with so many different variations on a
theme, how can you actually aggregate things that in no way fit together, no
common vocabularies? Those things that you have talked about with folks and
heard potential solutions for?

The reason I ask is because there is this huge assumption that at the end,
we are going to have PHRs and we will have secondary uses, because it is all
going to fit together. Yet it doesn’t seem like the way people are thinking
about it now it is actually designed to do that. So I would just love to hear
your thoughts on that.

DR. LANSKY: I would distinguish the ownership issue from the control issue,
and focus on the control issue and let lawyers discuss the ownership issue.
Certainly in the personal health record context, to the extent that that is not
a portal environment but it is actually in my custody, and I can truly control
accesses to it, and review those accesses through some auto mechanism, that
seems to be consistent with the philosophy of PHR, not to diminish the role of
the electronic health record or the pure portal, but just to distinguish.

The aggregation issue I think applies equally to the interoperability
environment and to the PHR environment. In the PHR environment in some ways it
is easier, because I will choose voluntarily or not to relinquish my data.
Someone knocks on my door and says, can I have your data for an adverse event
study or for a quality reporting purpose, I may choose or not choose to
participate in that. Whether I am properly informed is an important question.

The interoperability equivalent of the same issue, we did some animations
and tested some explanations of the interoperable health information network.
As soon as we got to the applications that were aggregate data, public health,
surveillance, et cetera, quality reporting, there was huge pushback from many,
many stakeholders.

So far in our testing in this country, the notion of aggregation is not an
easy one to sell. The use of all these connectivity solutions for the purposes
of improving clinical care is easy to sell. The idea that you can improve
clinical care by aggregating data and feeding it back systematically is, we
have a long way to go.

DR. STEINWACHS: I enjoyed your presentation very much, David.

A couple of things, just to get your reaction. You didn’t mention
explicitly some of the functionalities that might be tied to PHRs, like
decision support. Elsewhere you mentioned things like reminders and so on, but
when you were raising the issue about what information to share with the
provider, it almost seemed to me, you could almost think of, is there a
decision support tool there that says to the patient, you should share probably
with your — on your diabetes.

Is there much being done in thinking about decision support for the patient
or the user of the PHR beyond just saying, remember to do this or remember to
do that?

DR. LANSKY: I don’t really know the answer to that. I think there are
people thinking about it, and some small applications that do it. I hear a lot
about it. I haven’t seen very many sophisticated applications. Part of it is
because since there is not a lot of connectivity, you can’t bring a lot of
resources to bear to apply the decision support to.

I think all of you would be in a much better position to comment on this. I
think from the provider extensions of the EHR-PHR, where you have got the
connectivity, the ability to reach into the home and deliver additional
intelligence, there is more opportunity right now to do that than in a
freestanding PHR product environment.

DR. STEINWACHS: Another thing I was looking for, you always listen to
things from your own framework and orientation. One of the frustrations
frequently when we talk about assessing quality and health care and so on is
the lack of information on functional status, on how people are doing. So if
you said, one of the stars out there that we may never reach, but the idea that
a PHR might be a mechanism particularly for chronically ill stimulated by the
providers, could be a way for the people to record, for this to be captured, to
be shared.

Where do you see that? Is that way out there, or is it something in an
achievable range in this three to five years?

DR. LANSKY: I think there are modest experiments, research projects which
do that now, using home based technology to capture that information and feed
it back to a central research facility.

So many of these things, and you know better than I over the last 20 years,
in outcomes research and health status measurement and so on, they have
remained essentially in the laboratory and not been used broadly in clinical
care or in disease management or other applications, despite the potential of
them, we think.

I observed in the Katrina disaster recovery discussions the difficulty of
getting the principal establishment, so to speak, to take seriously that set of
opportunities for capturing that patient supplied data as part of the
mainstream of information flow.

So I guess I would say the technology will certainly permit it. There are
companies like Intel that are building business strategies around that. Yet, I
don’t think it is considered to be a principal element of the short term
thinking.

MR. REYNOLDS: David, nice job. You took a very complicated subject and made
it very clear.

On page 32 you talk about incentives. It’s the second bullet. You talk
about rewarding doctors who provide PHRs. Then if you go back to page 17, you
talk about some of the physician barriers, which are a lack of a EHR.

From your viewpoint, which one is the chicken and which one is the egg, and
where would we really want to focus incentives to get the doctors moving,
versus having an individual doctor or someone offer a PHR versus working on
their own EHR so it could be consolidated into a PHR?

MS. MC CALL: It is your birthday, make a wish. What would you love to see?

DR. LANSKY: On that issue, I think it is important to recognize the
patient’s confidence in their doctor as one of their agents of their health
information. The doctor is a physical repository of a lot of it in the current
environment.

If I were to make my wish and snap my fingers, we could move more rapidly
to a portable interoperable PHR-based system, in which we reverse the
information management infrastructure. But it is not going to happen, both for
cultural reasons and for infrastructure reasons. So I think the realistic
strategy for the next five to ten years is to do exactly as you suggest, to do
complementary strategies, where we do what we can to incent providers to adopt
standards-based interoperable IT to manage their clinical practice, and do what
we can to encourage patients to interoperate with that infrastructure and to
have their own web-based or in their pocket tools to manage their information.
But they should go in parallel, and if anything, maybe have a multiplier
effect, so that when we get synergy, when we have patients with the tools and
their doctors with the tools, then we really encourage that kind of
partnership.

MS. MC CALL: Just to clarify, I want to make sure I understand your last
point, if they go in parallel, are you saying that — is that consistent with
the idea that people want them to come from their doctors? So they go in
parallel, that means they are both out there, versus if I only trust my doc,
that means the EHR has to come first.

DR. LANSKY: I don’t personally cast it as either-or. I think it is a
multi-factorial intervention. If the patient comes in with a USB stick to their
doctor’s office and says, here, plug this in, I want you to read what is on it,
it came from my doctor in Omaha, that may be a brand new thing for that doctor,
but it is a good lesson for that doctor to have, and maybe will help motivate
that doctor, if it happens ten times, to consider an EHR themselves more
quickly. So I think synergy is a desirable element here.

MS. MC CALL: You make a potential implication for Medicare to be a data
supplier to private EHRs, which would be great if they could go on a parallel
path, but not if one has to come before the other.

DR. LANSKY: What CMS might do in that respect would supply equally well the
provider based portal and a freestanding PHR tool.

DR. COHN: Carol, that was actually the topic of the RFI from CMS. Michael,
I think you are next.

DR. FITZMAURICE: Along with Don and Harry and everyone else, I want to
compliment you on the clarity and the scope of your presentation, the issues
that you covered.

Partly because of where I live, which is at the Agency for Health Care
Research and Quality, we think sometimes in terms of research agendas. So with
a research agenda for a personal health record, what are some of the important
questions that need answers?

What I am hearing and what I am thinking, implications for the quality of
care that might be enhanced by a personal health record, what happens to
patient outcomes when they have it versus when they don’t; are there patient
safety considerations, both patient safety incidents that are ameliorated,
patient safety incidents that may arise because of personal health records.

Marjorie always comes at us with the value of functional status. So maybe
the value of functional health status information, self reported and
continuously reported. Those are some of the thoughts that come up.

Have you thought about other things you would like to see in any research
agenda, questions you would like to have answers for, because you have gotten
an awful lot of answers about what the public thinks so far?

DR. LANSKY: I think your list is very good. We would be content to get some
of those questions answered in the next few years. I think like the chronic
care improvement program and the disease management programs, I think it is
worth inviting people to do some research into redesign of the care model
itself. If this infrastructure were in place, EHR, PHR, connectivity standards,
what becomes possible to rethink the way care is delivered from our current
paradigm? And what difference does it make?

I think we have all speculated, particularly in terms of functional
outcomes and health status, there is an opportunity to make significant gains
by reconfiguring the delivery of care. We haven’t really seen that achieved
yet. So that would be my meta objective.

DR. HOUSTON: I am going to echo the fact I thought it was a great
presentation, and I have two separate questions.

The first being, can you touch briefly in one of your slides about the
secondary uses? It really didn’t go into much discussion about that. I know
there has been a lot of discussion within the NHII Work Group regarding
secondary uses and issues related to that.

At the same time, I noticed in your presentation you talked about the
different models and the different products that are available. You even
referenced Web M.D. What is your personal opinion regarding the issue of
secondary uses? Is it as big an issue as I think some of us may suspect, in
terms of maybe not Web M.D., or maybe it is Web M.D., using that data even on a
de-identified basis for the purposes maybe of financial gain or whatever?

DR. LANSKY: Two thoughts. I think true transparency is the essential issue.
People if they choose to participate in anything, a marketing program, a
research program, whatever it might be, as long as they understand that is what
is going on with their health information, then I think we are fine. Achieving
that through transparency is a challenge.

The second issue I think is unforeseen consequences, like the privacy
spills, the ChoicePoint and others. If three years from now someone suddenly
discovers that all this information they have been disclosing under one set of
expectations is being used for something quite different that they don’t
approve of, it could create a public unraveling of a lot of good that is being
done right now in this larger arena.

So I think my concern about secondary uses is, many people in this country
are very content to get things for free, because someone else picks up the bill
in order to achieve something they need in exchange for providing a service.
That is not inherently problematic. I think when it is problematic is when
people are surprised that they have slipped into a relationship and a use of
their very personal health information that they didn’t anticipate.

DR. HOUSTON: Is that happening on a large scale? Are there PHRs out there
with substantial secondary uses? Or is this something that is foreseen rather
than actual?

DR. LANSKY: I think it is more foreseen. It is analogous to what is seen in
other industries, where people are getting marketing calls and solicitations
they didn’t want and have a hard time getting rid of.

In the case of where you have AIDS and cancer, they start getting these
solicitations, and someone figured that out, that would be extremely troubling.

MS. MC CALL: If it is something that is foreseen, how would you classify
activities today with the tremendously standardized electronic pharmacy claims
information? Where it is aggregated today and de-identified and bought and sold
and used for a variety of things? Would you put that in the same bucket of,
golly, if people understood that that were a use, do you think that would be of
the same type? Or are you talking about something different in degree or
different in kind?

DR. LANSKY: I think it is interesting that there are many uses put to our
data that we are not aware of. When people find out about it, they tend to be
troubled. I think we are at a fork in the road in our society on those issues,
and I don’t know what the right answer is.

DR. HOUSTON: I had another question. You indicated on slide ten of your
presentation that there was a higher likelihood that people with chronic
illnesses would use PHRs, or at least some aspects of PHRs. Yet there is a
chart later on where, when you look at the demographics, I would think that the
people that most likely have chronic illnesses, maybe I’m wrong, are people in
the older category.

DR. LANSKY: Yes.

DR. HOUSTON: Yet, those are the ones that seem least interested in using a
PHR. In fact, the statistics almost seem to go — when I try to understand
them, they almost run counter to your previous slide. It just seems like the
slides either conflict, or my understanding of the use of PHRs by people above
the age of 65 with chronic illnesses —

DR. LANSKY: Which title of slide are you looking at?

DR. HOUSTON: People vary in their preferences for PHR media.

DR. LANSKY: Yes, that is about media. The purpose of that slide, it is hard
to see without color, is that the older population prefers paper over
electronic media significantly.

DR. HOUSTON: My thought is when I read this though, understanding that, to
me a paper record doesn’t constitute a PHR at least in the context of what we
are speaking of. Yet, it seems that age group is less likely to engage in the
use of an electronic PHR, yet it seems like your earlier slides would seem to
indicate that people with chronic illnesses would be more likely to.

Again, I am looking specifically at the last two bars on the right of this
slide. It seems like people without chronic illnesses age 65 and above have a
higher likelihood of using an electronic EHR than those who have chronic
illnesses above the age of 65.

DR. LANSKY: My takeaway from the research is — I think your point is
exactly right. There are several attributes of people which make them more
likely to use personal health record when it is available. One of them is being
younger and being a comfortable Internet user or technology user. One of them
is having chronic conditions. Those two tend to be opposite pulls.

I think our research says the sweet spot if you will right now are people
between 45 and 60 who tend to be younger, very computer comfortable, and
increasingly subject to chronic conditions. But people over 75 are very
unlikely to use PHRs, though some will, but it is in the ten percent range.

DR. HOUSTON: But looking at these last two bars specifically, in the age 65
plus category, it appears that the intervention who do not have chronic
illnesses are more likely to engage in the use of an electronic PHR than those
who do have a chronic illness.

DR. LANSKY: I would just say that is a measurement error. I don’t think it
is a big distinction. It is a relatively small number of people with
non-chronic in the over 65 population. I think the N in that bar is pretty
small.

DR. COHN: Well, David, I want to thank you. I think this has been a very
good introduction to the topic.

What I want to do is give everybody a ten-minute break, and then we will
reconvene, and at that point we will continue on with the conversation. David,
thank you very much, we appreciate you coming out.

(Brief recess.)

Agenda Item: NHII Letter on Personal Health
Records

DR. COHN: Switching the agenda a little bit, as I have told you, this is
sort of fluid today in terms of how we are handling things. But given that we
just had a conversation about personal health records, it seemed to make sense
to start talking about the letter. It turns out that both Dale and Linda will
be able to be here for the discussion, and then be able to have the updates
from the Department after we are done with the personal health record
discussion.

So let me have you turn to Tab 3, which is the letter report to the
Secretary on personal health records. I assume that everybody has read it,
because I don’t think I am intending to read through the whole thing. It is
being brought forward for action at this meeting.

This has been the work of the NHII Work Group in close consultation and
collaboration with the Subcommittee on Privacy and Confidentiality, who
provided major input into the privacy section. We want to thank them for their
help in terms of crafting something that I think represents wider views of the
committee. So Mark, thank you for your help on that. I think everybody else is
probably a member of both work groups, so it may be that that worked pretty
well.

What I want to do is, without reading things, just briefly go through
section by section, asking if there are comments. I do want to make sure that
we stop when we get to recommendations to read through them, to make sure
people are comfortable. We are at this point taking comments. We would like to
at the end of today come to some sort of conclusion about any sort of major
changes — hopefully the won’t be major changes, but any changes that need to
occur so that these can be discussed by the work group tonight. So I think that
would be the expectation of the conversation.

So anyway, we will go through, asking people about sections, then we will
talk specifically about the recommendations, and hopefully get your input and
thoughts as we go forward. Sound okay to everyone?

Our first section is background. I think as you know, what we try to do is
anchor this from the NHII document from 2001. I found it helps frame the issues
and the overlaps. I think David actually was also referencing that this
morning, where he talked about the fact that these things don’t have sharp
edges to them, there is a lot of overlap between EHRs and PHRs and everything
else. I thought that the NHII documents and graphics helped show a natural
overlap and interconnection. So hence you see that in the introductory
material.

Do people have comments, questions related to the background?

DR. ROTHSTEIN: I just have one suggestion in the last sentence of the first
paragraph, the one that begins, each area. I’m not sure I agree with the
statement that each area is equally important, that is, the areas mentioned in
the preceding sentence, the one that begins, it incudes all those things.

So I would propose that we replace that sentence that says each area is
considered equally important with, all of these areas are important, and have
the goal of promoting information exchange.

PARTICIPANT: Or just strike the word equally?

DR. COHN: We get rid of considered equally. Maybe, each area is important?

PARTICIPANT: Yes.

DR. COHN: Will that work?

DR. ROTHSTEIN: If you read the rest of the sentence, the syntax doesn’t
make sense. So I will leave it to Mary Jo or someone else to clean up the
syntax, but the point I want to make is, take out the equally, that’s all.

DR. STEINWACHS: Simon, I would like to push back on that a little bit. I
think we may have to clean up the sentence a little bit, but the areas we are
referring to are the provider dimension, the personal health dimension and the
population health dimension. I think the NHII report is very explicit on
considering those three areas of equal importance.

DR. ROTHSTEIN: See, I didn’t realize that. Then what we need to do to clear
that up is instead of saying each area, just spell them out as you just did. I
thought each area referred to the prior sentence.

DR. STEINWACHS: No, as soon as we said that I realized what your problem
was.

DR. DEERING: I would support reiterating the names of them. That was why we
put it in there, especially at the time that this was written the provider
dimension was the only one that was getting attention, except because of
bioterrorism, public health was coming along. So I think it would clarify the
point to re-articulate that.

DR. HOUSTON: But earlier in the paragraph it says NCVHS identified three
primary areas. If in this sentence we simply say, each of these primary areas
is considered equally important, it is at least consistent in terms of the way
we are trying to identify the area.

MR. BLAIR: Have we decided to get away from the words that we used in the
report, where we refer to these as dimensions instead of areas?

DR. STEINWACHS: Yes.

DR. COHN: Jeff, that decision was made a number of versions ago, based on
input from Harry Reynolds, based on his view that this was more readable and
understandable.

MR. BLAIR: That’s fine.

DR. DEERING: I’ll give you some wordsmithing and bring it back, something
like each of these areas serving health care providers, population health and
individuals are considered important. So in other words, I use the word areas
rather than dimension, but then I articulate what the three areas cover.

DR. COHN: In this sentence, you mean, or is this another issue?

DR. DEERING: It is on that last sentence, each of these primary areas.

DR. WARREN: In going back and looking at the paragraph, because every time
I hear something like each area, I always go back and — what does it refer to.
But I think since you started that in the first sentence, if you just said each
of the three primary areas, because it comes back to that first sentence in the
paragraph, then we should be okay.

DR. FITZMAURICE: Could I suggest something? In that first sentence,
identify three primary areas, I would put in parentheses dimensions, so that
people know that it refers to the figure on the next page, that areas and
dimensions are the same thing.

DR. COHN: Thanks for that point, that the graphic does talk about the
dimensions.

DR. STEINWACHS: That helps.

DR. COHN: Maybe in the very first sentence here, where we are saying,
identify three primary areas or dimensions. That is what you were referring to?

DR. FITZMAURICE: Yes.

DR. COHN: Mary Jo, are you okay there?

DR. DEERING: And then the last sentence would read, each of these three
areas or dimensions?

DR. WARREN: Each primary area. We just codify it to add the word dimension.

DR. FITZMAURICE: No, the first sentence.

DR. DEERING: I understand that, but I am trying to make them parallel.

DR. WARREN: I think if you got the dimension in the first sentence, I don’t
think you need to repeat it in the last one. I would just go back with each
three primary areas, just so that you are in parallel with that first sentence,
so we know which area is being talked about.

DR. COHN: Let’s move on from this area. We will have Mary Jo and the work
group try to wordsmith this one offline. Anything else in the first section?

Move to the second section. I do want to remind you that we are happy to
handle minor wordsmithing issues offline. Mary Jo will be the holder of all of
that. Indeed, I noticed things as we went through, but minor questions or
whatever. We are most interested in substance.

So done with the first section, on to the second section, which is,
personal health records are evolving in concept and practice. Here I think once
again, we are reflecting things that David was saying when he was reflecting
things that we were saying about the fact that this is an evolving area, it is
not possible to define it particularly well, and it is more a question of how
you describe it. So we are positing a framework for attributes which we are
including here.

The recommendation one here is that NCVHS recommends that HHS support the
development and promote consensus on a framework for characterizing personal
health record systems, building on this initial framework. Recommendation two
is, HHS and others should use the agreed-upon framework as a basis for public
education efforts highlighting the benefits and risks of various types of PHRs,
not only consumers and patients, but also health care providers and other
stakeholders.

Comments, questions on this one?

DR. FITZMAURICE: On recommendation one, NCVHS recommends that HHS support
the development and promote consensus, I am thinking by whom. If we mean a
public consensus, I would suggest inserting the word, promote public consensus
on a framework. But if we have somebody else in mind, then we ought to spell
out whose consensus is needed. Stakeholder, public, government consensus?

DR. COHN: Public-private?

DR. FITZMAURICE: Public-private. Who has got to agree for this to move on?

DR. COHN: I think public-private. Other comments on this section? Good.

The next section is entitled, personal health record systems value depends
on users, sponsors and functionality. There is no recommendations in this area.
Basically it describes benefits. There are a couple of places where —
actually, one place where we talk about members which we will fix to some other
word, on page six, line 17. But I think Mary Jo and I will figure out the right
word to go in there.

Basically it sets up the privacy conversation here, noting that there may
need to be some consumer protections, or at least the Department should keep a
close watch on that. Are there any comments?

DR. WARREN: What line were you talking about?

DR. COHN: To me it was a wordsmithing issue, line 17, page six. We are
talking about systems for their members. Members works for some of those
categories, but not for others.

MR. HUNGATE: Maybe constituencies?

DR. COHN: Constituents? I don’t know if an employer has constituents.

DR. DEERING: How about members, comma, patients, comma, or employees?

DR. COHN: That sounds good.

MS. MC CALL: In terms of the table that starts on page five and continues
on to page six, given what we just heard, it may be that we want to talk about
possible benefits, as opposed to, these are the benefits, that these are set in
stone. We heard that these are very heterogeneous, and we go on to say so. That
is point number one.

Point number two is that when I look back on the diagram, the circles that
we have on page two, it seems that one of the dimensions in terms of population
health is not necessarily — we say that they will benefit, but I don’t see
anything that is specifically geared toward that particular constituency. I
guess it would be in the role column.

Was that something that as a group you talked about?

DR. DEERING: We had public health in some of the earliest versions. I am
trying to recall why we took it out. Steve, do you recall that? There was a
role in there. It was a mix of — the public health was not really a role, it
was a generic sector as opposed to an individual, a patient, a provider.

DR. STEINDEL: Yes, my recollection is exactly the same. As we refined this
table over many iterations, we focused the table down onto more specific
benefits that can be attributed to an individual type group. When we started
looking at public health and research, they were more societal benefits. So it
was more difficult to fit into this type of table.

MS. MC CALL: Understood. What I am thinking about is that I am going back
to a comment that Dave made, which is that secondary uses — and if people
don’t understand that those are there, early signals are that people are very
uncomfortable with that. So unless we write into a letter and recommend that we
come to terms with all of that, and peoples’ opportunities to play, because we
call it out as a benefit to society, if it doesn’t get addressed while things
are being architected, we may find ourselves down the road with some policy
issues.

DR. COHN: That issue is actually brought up in the privacy section,
explicitly. I am more comfortable leaving it in privacy and not explicitly
articulating it here, because I don’t know what we would say about it
specifically.

MS. MC CALL: Again, just in terms of the benefits. We talk about from — if
the anchor document is information for health, and one of the key dimensions
and the overlap is the ability to do that lower circle, when we talk about
benefits, do we want to articulate some of the benefits of in this section, as
opposed to just leaving it for privacy. That is really the specific question.

DR. COHN: But I do want to point out that the dimensions graph was not a
benefits graph, it was an overlap of information graph.

MS. MC CALL: Understood.

DR. STEINDEL: Another reason why we took out benefits with respect to
public health, population health and research is, we don’t have total clarity
on what the benefits will be derived from the personal health record itself.

Now, we are relatively clear that we can derive benefits in the population
health dimension from the electronic health record, and from the type of
records that are being envisioned at that level. But when we go down to the
individual, because there is so much diversity in what might exist as a
personal health record, we thought it might be premature to state how it could
benefit at a societal level.

MS. MC CALL: Right.

DR. GREENBERG: Having this vague memory of an e-mail exchange when it was
decided to drop this, and objecting to it, but being too busy to comment. Now
it is all coming back, I think.

But I really support what Carol has said. This committee’s mission
statement includes using information to improve the health of the population.
Just by indicating that there is a benefit does not mean that people will have
access to it, because payors and employers and even providers may not have
access to personal health record data.

So I think to have something about population health, which is related to
the consumers, but it is more at a population level, that the whole concept of
people having a better understanding of their health care needs, their health
care services, their resources available to them, access to all sorts of things
that could be tied in to PHRs, should improve the health of the population. If
it doesn’t, why would we even be promoting this?

So I just think for the committee to come out with all these — because
this is the problem with everything you see in HIT. They always have the
consumers, they have the patients, the providers, the payors, the employers,
and they rarely say anything about population health, and this is an
opportunity for the committee not to repeat that error.

DR. DEERING: We have called out that this is a potential benefit, and by
the way, that is in the text above it, but it is not in the header of the
table, so you are quite right.

With Simon and the members’ permission, I too would come down on trying it,
because if we are saying it is potential benefits, it is not so much from the
direct use of the data, which is I think what made us take it out; are we
talking about data flows from the PHR into public health. I think Marjorie has
just framed it in a way that I am beginning to see some statements. It might
only be a couple of bullets. It is a secondary benefit, not from the use of the
information flow itself.

DR. HOUSTON: I think we were also dealing — I think part of the discussion
too as I recollect was that we were dealing with the personal health dimension
directly in this letter. I guess to the extent that you could add bullets that
demonstrate the value of the personal health record to patients in a public
health way, I think is meaningful. I would tend to think that we shouldn’t — I
don’t think we should add a section to this for anything else, discussing
public health benefits. I really thought we were trying to focus on —

DR. DEERING: On the personal health dimension.

DR. GREENBERG: Yes, but I don’t see how that is contradictory.

DR. COHN: I think the only question is on this chart.

DR. HOUSTON: But I would say, make the discussion how it is a public health
benefit, but in the context of the various constituent groups that we have
identified.

MS. MC CALL: It may draw back to the sentence we just talked about, about
optimum information exchange among them, that there is a personal dimension
benefit.

DR. HOUSTON: But looking at the diagram though, if you look at all the
different bullets that are within this chart, and the ones that overlap the
personal health dimension, and fashioning those bullets into —

DR. COHN: I am going to make a suggestion here. I am very concerned about
us going too far in this direction, first of all. I would probably be willing
to have something that says, societal benefits, and something like improved
health of the population, or something on that level, but I am not sure I would
go much further than that.

DR. STEINDEL: Simon, I would like to point out that a lot of that was
discussed in the NHII document. It actually is to a certain extent in the
diagram itself, where we list the bullets in the population health dimension,
where it says — the two that come to mind are surveillance systems and health
disparities data. So we do list some of the types of things we are envisioning
that might come from the population health dimension in these areas. But I am
uncomfortable with going into much detail as well.

DR. COHN: John Paul, I think you have some reticence on this one.

DR. HOUSTON: No, I agree. I didn’t want to go into much detail. All I was
trying to do is say, if you look inside the circle here, the ideas overlap
between the personal health dimension and the population health dimension, and
focus only on those items where included in this chart might insure that there
is some coverage of population health without having to delve into it deeply.

DR. STEINWACHS: I’ll leave it to you to figure out how you orchestrate it
in the table, but it seemed to me that part of the issue here is, are there
public health things that accrue to the patient level as well as to society.

You have implicit in here the opportunity for PHRs to support health
promotion and disease prevention. That might be one piece. You talk about
empowering other employers, you talk about empowering consumers. I don’t know
whether that is an employer thing or population, but I thought John Paul was
going a little bit at, are there things here already that are things that
accrue to public health benefits.

So you could talk about it and not make it a separate row, but have a
paragraph that talks about it, or you could make it a separate row.

MR. HUNGATE: This is just a slightly different tack on the same content.
CMS has stated that it is a public health agency. Every payor and every
employer has a defined population. So population health is involved in a way
through the payors and employers segments of the table. There is a broader
society overlay on that, but there is a piece there that can be construed in
that direction.

DR. HOUSTON: Let me give you an example, Simon, of how we can rectify this.
If you look at the chart —

DR. COHN: My problem is, my version of the chart, I can’t read anything on
it. As you have me look at it, I am desperately looking for that —

DR. GREENBERG: What are you looking for?

DR. COHN: A version of the chart that I can read. Are you talking about the
chart or the diagram?

DR. HOUSTON: The diagram, I’m sorry. If you look at the overlap area, there
are two areas. There is one bullet that says public education materials, which
is in the overlap area, and the neighborhood environmental hazards. Those are
two items that you might decide under consumers in the chart to add as bullet
points as benefits.

Do you see what I am saying? Add under consumers the concept of things such
as neighborhood environmental hazards or public education materials as being a
benefit to consumers of the personal health record.

DR. COHN: But are those benefits to the population?

DR. HOUSTON: They are in the overlap.

DR. DEERING: They are benefits to the consumer from the population health
dimension that could be delivered via —

DR. HOUSTON: The personal health record. My point is, if you look at this
diagram, you see it overlaps. Just by looking at the diagram on its face, you
see it overlaps. Identify those items that might be part of the benefits
section of a personal health record to the different populations, and add those
bullets in. That is my only point.

DR. COHN: Okay. So you would have a box here that says societal benefits or
population health benefits?

DR. HOUSTON: No, I would use the same boxes. But my example is that under
consumers, for example, a benefit to a consumer might be from the chart public
education materials or neighborhood environmental hazards information. The only
thing is adding those bullets.

DR. DEERING: It draws a connection to the diagram that is there and makes
the point in a very gentle way.

DR. STEINDEL: I could go along with that type of approach, yes.

DR. COHN: Is everybody okay with that as a solution?

DR. GREENBERG: I’m really just trying to understand what the strong
objection is to adding a category that says population health and putting a few
bullets. I’m just not getting what the risk is there. I can understand public
health, because in this country we use them differently, and people might start
thinking, they are going to send this data to public health. That is not the
point, although we are not going to send it to payors or employers, either.

MS. MC CALL: I think that goes back to the point you were making earlier,
to say that what you were trying to do in this table is to focus on benefits
that accrue to the individual, not those that accrue to the population. Not to
say that those aren’t there, but that the intent of this table was to focus on
things that accrue to people one at a time.

DR. GREENBERG: Build market advantage. Does that accrue to the individual?

MS. MC CALL: I’m a witness here, too, so we really have to go back to the
authors. If the intent was to have that, I think it is to honor the intent of
the table about individual accrual.

DR. COHN: Mary Jo, can you help us with this one? I am hearing two
diametrically opposed —

DR. DEERING: I think it may actually be an overstatement to say that this
is intended to remain purely within the personal health dimension, because
clearly we have the whole provider area on the top of the second page, page
six.

I think these are sectors. As I personally indicated, I am increasingly
comfortable seeing population health as a sector for which there are again
benefits that are not those directly related to secondary uses of data
necessarily, but that are benefits that accrue because of the existence of the
personal health record and personal health record systems. That is my feeling.

DR. COHN: So why don’t we try a box that says population health? One is
probably improved health of the American citizen rate.

DR. GREENBERG: Health promotion and disease prevention.

DR. COHN: Health promotion, disease prevention, and maybe we stop there.

DR. DEERING: Right. Keep it simple and high level and see what we think of
it.

DR. COHN: And the work group will consider it and come back with that
tomorrow. But it is high level and short.

DR. TANG: Suggest that we take out one bullet under payors, which is the
push information marketing to beneficiaries.

DR. COHN: Okay, that is a friendly amendment there.

DR. HOUSTON: Why do we want to remove that?

DR. TANG: It is a borderline to no benefit to the patient.

DR. HOUSTON: But I think it is a conduit to provide information regarding
the plans to the individuals through the PHR.

DR. DEERING: Just provide instead of push. Just provide information.

DR. TANG: We already support wellness and preventive care. I suppose it can
support the disease management.

DR. HOUSTON: It can be alternative therapies.

DR. ROTHSTEIN: We have improved customer service transactions and
information.

DR. HOUSTON: But I think there might be different therapies, formularies,
things like that that the patient might be interested in that payors might want
to provide to the beneficiaries.

MS. MC CALL: Think about it more along the e-disease management line, as
opposed to — it is really the use of the words push and marketing, as opposed
to provide information and education.

DR. COHN: So Paul, are you okay with provide information and education to
beneficiaries?

DR. TANG: Yes, that would be fine.

DR. COHN: That sounds a little better, doesn’t it?

DR. ROTHSTEIN: Along those lines, I have several suggestions. Under health
care providers, I would propose to delete the bullet, build market advantage. I
would also delete under payors the last bullet, build market advantage.

I take this chart to mean that these are health care benefits to
individuals, health care benefits of the system. So supporting wellness and
preventive, that is fine, and promote portability, et cetera. Build market
advantage, I don’t see in there.

DR. DEERING: Just by way of explanation, originally if you look at the
header of the overall section, it is about value. This section began as a
discussion of value propositions. So the word value is still in the header on
the prior page. That word value, originally the table was labeled key value
propositions. Then the label got changed to key benefits and now key potential
benefits. So the intention of the chart is changing. So I think it is up to the
committee, if they want to continue down this evolution, then you are quite
correct that that doesn’t remain there. But originally this was a discussion
about, what will actually make this work.

DR. HOUSTON: Can I suggest changing this to provide market intelligence, or

DR. COHN: That is not what we are talking about here.

DR. HOUSTON: No, I think it is. I thought it was to help understand the
market.

DR. COHN: No, I think what — is a competitive advantage to a new
marketplace to get market share.

DR. DEERING: How about customer loyalty?

DR. COHN: Which is why people do this.

DR. TANG: I hope this will be considered a friendly suggestion. I think you
accomplish what you want in the words and the prose, and the table may actually
be causing more trouble than it is worth.

DR. COHN: You’re trying to get rid of the whole table?

DR. TANG: Just get rid of the table.

DR. COHN: No. Nice try, Paul.

DR. GREENBERG: That is certainly what happened to the research
recommendations in the annual report; we will just get rid of them. I couldn’t
resist that, but anyway, I was going to make a slightly less drastic
recommendation. That is, I think it is fair enough to say we are all public
health people to some degree, but at the same time, we are a capless society,
people have got to support these things. So the fact that there is value to
providers and payors and employers in supporting it is not a dirty concept in
the U.S.

But in the table, things kind of jump out. So down here, I would take that
market language out of the table, because it seems to be geared more towards
health benefits. Then in the sentence here at 16 and 17, we also heard of
growing interest from payors, providers and employers to sponsor PHR systems
with their members.

DR. COHN: It is already over here.

DR. GREENBERG: Okay, well, fine, you could mention it there, or it is
already mentioned here, so that is fine.

DR. COHN: Line 14.

DR. GREENBERG: I would take it out of the table, but make sure it is
acknowledged in the text.

DR. COHN: I think what I am hearing is that you can remove those bullets.
It actually is already in the language of the text, customer loyalty and all
this stuff. So I think it is there.

Mark, final comment, then we will move on to privacy.

DR. ROTHSTEIN: Phrasing it that way — no, I question whether we should
separate consumers from patients in the table. I recognize the theoretical
distinction, but we use them together in the text.

So what I would propose is to eliminate the line between them and just have
a category that says consumers, patients and caregivers, and lump those two
categories together. If you do that, there are several bullets that can be
eliminated because they are duplicates.

DR. STEINDEL: Mark, we actually did have extensive discussion around doing
that during the development of this table.

DR. HOUSTON: I can attest to that.

DR. STEINDEL: That is why the asterisk is at the end of the table. We came
to the conclusion there were differences between people who use the PHR when
they are acting in a consumer role in particular and when they are acting in a
patient role. Yes, there are some overlapping benefits between the two, but we
decided that there was a distinction between people acting in either role. It
also occurs in some of the other areas as well. We decided that if we started
to do something like that, it would either be doing what Paul just suggested
and eliminating the table altogether and somehow trying to figure out how to
relate that in the text of the table, or just put the asterisk that said we
recognize the fact that people do different roles.

DR. ROTHSTEIN: Well, actually my suggestion was trying to save your
language as it is. If I were writing this from scratch, I wouldn’t use either
of those terms. I would just say individuals. But keeping the wording as you
have it, I think we can combine them. I don’t feel that strongly about it, if
everyone is in a hurry to get to privacy.

DR. TABOR: Tables are useful when they are clarifying.

DR. COHN: Steve, do you have a comment you wanted to make on this one?

DR. STEINDEL: I thank Paul for his support of the table.

DR. COHN: Leave the table. No table is perfect, and I don’t know that we
have created perfection here.

DR. DEERING: I hate to say it, but I actually think — I don’t even know
why I hate to say this despite all of our debate, but I think that Mark’s
solution actually has an editorial value as well, because we use those phrases
all together throughout the text. We use them interchangeably, unless it is
very clear in the sentence that it is only a patient.

So we actually do ourselves a greater service by following Mark’s
suggestion.

DR. COHN: So what is the title there? Is it individuals?

DR. DEERING: Consumers, comma, patients and their caregivers.

DR. COHN: Is everybody okay with that?

DR. HOUSTON: Simon, you moved the asterisk down from roles to the actual
cell that says consumers, patients and caregivers, so that it is clear that —

DR. DEERING: Right. I’m not talking about a payor turning into a doctor. We
are talking about people as individuals wearing different hats.

DR. COHN: Certainly one can be a payor at times and a consumer at other
times.

DR. GREENBERG: Even payors are people.

DR. COHN: So Mary Jo, we will defer to you to play around with this one,
and we will consider it. This is as I said futzing with the form.

Carol, I would like to get to privacy. Is this a critical piece?

MS. MC CALL: It is one quick clarifying — I think it is a helpful comment.

DR. COHN: Sure, please.

MS. MC CALL: Marjorie had said something that this was in the title of the
table. It is really about the health benefits that inure. So I think — she had
used the word, and I think it may help clarify to just call it health benefits.

DR. COHN: But this isn’t just health benefits.

DR. DEERING: It is not just health benefits.

MS. MC CALL: I withdraw.

DR. COHN: If it fit it, we would use that, I agree. Okay, are we okay so
far? Are we holding things together?

Let’s move on to privacy, if that is okay. Let me just introduce it before
people start jumping in here.

Privacy was one of the more — I won’t say contentious, but it took a long
time to work on. There are still little areas I see which require a little bit
of wordsmithing.

For example, on page eight, there is a sentence here which says — this is
line 11, 12 and 13, it says, consequently the committee is unaware of anything
that compels the PHR vendor. I would suggest we are talking about PHR vendors
not covered by HIPAA, because otherwise that sentence doesn’t make much sense.
That would be the one clarification there. So basically these are not covered
by HIPAA, PHR vendors not covered by HIPAA. That was the only change I was
making on that line, because that is what it applies to.

Beyond that, we have four recommendations. Let me just read them, and then
we will let everybody raise their hands and comment.

First of all, recommendation three. In any public education program about
PHR systems, HHS and other parties should inform consumers about the importance
of understanding the privacy policies and practices of PHR system vendors,
including the enumeration of potential secondary uses and disclosures of
personally identifiable health information. Recommendation three.

Recommendation four. HHS should identify and promote best practices with
respect to privacy policies and practices for PHR systems and models for plain
language wording of notices describing these policies and practices.

Recommendation five. For any HHS sponsored pilot projects in any
contractual relationships that CMS undertakes with entities intending to use
CMS data in PHRs, HHS should require that these PHR systems provide advance
notice of any uses or disclosures of the personally identifiable health
information. In those situations where HIPAA does not apply, secondary uses or
disclosures of information in PHRs should not be allowed without the express
consent of the consumer or patient.

Recommendation six. Entities not covered by HIPAA that offer PHR systems
should voluntarily adopt strict privacy policies and practices, and should
provide clear advance notice of these policies and practices. This notice
should specifically include a full description of all secondary uses of PHR
data. In addition, NCVHS recommends that no health information in a PHR be used
for secondary purposes without the express consent of the consumer or patient,
which may be obtained in conjunction with the notice.

Recommendation seven. HHS should collaborate with other federal agencies as
appropriate to review and assess issues related to privacy and other consumer
protections for PHR systems. Such a review should evaluate existing authorities
and mechanisms for addressing potential problems, identify gaps and recommend
appropriate action.

Now, the floor is open. Russell, you had your hand up first, then Paul,
then Jeff.

MR. LOCALIO: I’d like to kill two birds with one stone here. Mary Jo has a
copy of some of my comments I e-mailed earlier in the week.

It seems to me that under both the privacy and the security
recommendations, the one big gap has to do with the regulatory limitations that
apply only to covered entities. I know the history of this, and I think
everybody else around the table knows the history of this. It seems that
especially in view of the previous speaker, who outlined some of the concerns
that people have about privacy and associated security issues, that the gap is
that there is today lacking Congressional authorization to regulate the entire
spectrum of entities who might deal with PHRs.

So I would say that one of our recommendations should be very blunt in both
privacy and security. That is, to recommend to the Secretary that the Secretary
at least remind Congress of this gap and the need to close it. Simple as that.
That would resolve a lot of problems.

DR. FITZMAURICE: How would you word that?

MR. LOCALIO: How would I word the recommendation to the Secretary? I would
leave that to the work group to consider. But I just think the point is quite
clear. There is a gap, we all know there is a gap. I think it needs to be
filled. It doesn’t help too much, a voluntary adoption of strict policies.

I don’t think any patient out there is going to put much credibility into a
voluntary adoption of strict privacy policies, when the person’s only recourse
is through some type of civil litigation which is too expensive. So there is
going to be no recourse on anybody doing anything about this unless there is
some type of regulatory control, and there ought to be regulatory control, I
think people are in agreement with that. What is lacking is the Congressional
authority.

I even think that recent concepts of federalism notwithstanding, there is
probably ample room in the commerce clause for Congress to do this.

DR. COHN: There is ample what for Congress to do this?

MR. LOCALIO: The issue is, does Congress have the authority to doing these
things. I still think because this could be a national system, the portability
of personal health information across state lines falls into interstate
commerce. Therefore, there is ample authority for Congress to do something. It
is just that somebody has to say to Congress, we really want you to do
something about this, because there is a big gap.

DR. COHN: I know there are people who are planning to speak. Do people want
to talk about this particular issue and make a decision on what we want to do
with that? Mark, do you want to comment on this?

DR. ROTHSTEIN: Yes, and defer the other comments on other things. Russell
raises a very fundamental point.

DR. COHN: Jeff, do you have a comment?

MR. BLAIR: I don’t have any objection to reminding Congress to fill in the
gap. The only piece that I was concerned about is, we don’t know how many years
that is going to take.

DR. GREENBERG: You don’t have what?

MR. BLAIR: We don’t know how many years that will take. The exposure is one
that is great. So some of them, like the full disclose of the use of secondary
information was one that at least I had hoped could be something that could be
implemented quickly.

So if you want to separate that and have a separate recommendation to
Congress, then I would certainly support that. I just don’t want them bundled
where nothing happens until Congress acts.

DR. STEINDEL: Again, going back in the historian role, there was discussion
of including worrying such as Russ pointed out in one of the very early drafts
of this letter, and we decided not to go that route in the letter concerning
the personal health record. If that was a direction that the committee wanted
to go, that direction should be approached independently. We decided to stay
within the bounds of what could be constructed within existing regulation, et
cetera.

MR. HUNGATE: There was also concern about the dynamic nature of the
development that is going on here, and the entrepreneurial effort that is
taking place, the wide variation. There are a lot of things wherein
standardization is going to need to be accomplished over time by the industry
that is involved here, and protection of privacy is a critical element. We use
voluntary standards participation quite a bit in the system to help make things
move in the right direction. Open systems early upon that kind of collaboration
between vendors.

I think we should give this model some opportunity and see how well it can
work with the regulatory option held as a second choice and decision.

DR. TANG: I don’t know if I agree with the recommendation. I’m not sure
whether — again, I would have to do a lot of thinking as to whether I
personally would support what Russell proposes. I don’t think there is a
consensus on the committee that that is the be-all, or else I think we would
have all come to that conclusion, because we had ample discussion about it.

I’m not sure whether I wouldn’t personally want to impose this upon private
PHR vendors, having an additional legal framework put in place. In fact, I
think it may kill some of the private PHR vendor efforts if that is imposed on
them. I believe there was discussion about just that.

DR. COHN: Maybe I will insinuate my comment before Paul and before Mark and
before Don.

There was an introductory paragraph to this section that I want to remind
everyone about where, while it doesn’t rise to the level of a recommendation,
it is a cautionary note saying to the Secretary and the Department, you need to
closely monitor this situation, and if there are issues there may need to be
regulatory or further action. I think that was how we — how the work group
decided to handle this particular issue. But that is just one’s man view. I
would direct you to that paragraph just as a comment.

DR. DEERING: Simon, I only wanted to jump in and say that recommendation
seven specifically says the HHS and everybody else should take a very thorough
look at what exists now, what is available and where the gaps are. So I think
that was our ultimate fallback position.

MS. MC CALL: I too would point out recommendation seven, having a call to
action to look at the gaps.

To the point about closely monitoring, and the fact that that is in the
above paragraph, one idea is to enhance recommendation five by reinforcing a
recommendation to closely monitor and then say, see recommendation seven,
bringing that monitoring result into a dialogue where it is reviewed as a
potential problem, and then they can recommend appropriate action if it is in
fact a gap.

MR. BLAIR: Very good, very perceptive.

DR. DEERING: I’m not sure I really followed that, but I can follow up with
you later maybe.

DR. STEINDEL: Mary Jo, the approach is reasonable, except recommendation
five is focusing specifically on CMS sponsored pilots. It is not looking at the
whole PHR industry, which is what we would need to do, to insert that type of
wording that Carol suggested, that would be universal.

MR. BLAIR: Maybe Carol’s suggestion then could be included in seven, where
she is pointing not only the monitoring, but the results of the monitoring that
are acted on. Maybe both of those need to be in seven.

MS. MC CALL: That would make them broader. That would be very good.

DR. DEERING: Another option for it is, in the paragraph that begins
somewhere around line eight, depending on your version, on page eight, line
eight or nine or ten, the whole paragraph there, gets at this issue. We could
insert the language about monitoring into that paragraph with a reference to
recommendation seven specifically below. I don’t believe elsewhere in the
document thought we explicitly draw attention to a given recommendation.

MS. MC CALL: No, it would actually be one recommendation referring to
another. But I think that Steven’s point is good, recommendation five is
specific to CMS-related pilots. Therefore saying that there is monitoring
activity, it would only be in reference to those.

Really what it is, my intent in the recommendation was to make it a broader
monitoring activity. If there is voluntary adoption of strict privacy policies,
and if that doesn’t really address the need, then that is a gap that needs
closed. But it needs to be done on a broader basis than just CMS.

DR. COHN: Probably if it needs to be anywhere, it needs to be in
recommendation seven.

MS. MC CALL: I would agree, I would agree.

DR. DEERING: I was just thinking that if I heard you correctly, it sounds
like the monitoring portion could be tacked onto recommendation six, because
that is where you are saying we want voluntary practices and we want to let
those voluntary practices proceed.

So it could be that if there was a final sentence added to recommendation
six that says finally, NCVHS recommends that HHS monitor this carefully, so
that the monitoring is related specifically to the voluntary implementation.

DR. COHN: I actually think it is still recommendation seven, where it says
HHS should collaborate with other federal agencies as appropriate to monitor,
et cetera, and to review and assess issues.

DR. STEINDEL: I am leery about introducing the concept of HHS and
monitoring into a recommendation, because then that either directly or
indirectly implies some type of regulatory role, or looking at some type of
regulatory role, or gathering the information which we may or may not have
authority to gather on a formal basis.

I can see endless discussions about how are we going to monitor, whereas in
recommendation seven, we just say that we should collaborate with other federal
agencies to review and assess. I don’t think other federal agencies have a
problem with reviewing and assessing, and going out and looking at their
programs that they are sponsoring, asking how they are using this.

I know that based on recommendation seven, and we have heard numerous
references to CDC and the use of personal health records here, we would be
looking at and reviewing and assessing the personal health records that are out
there in terms of our agency mission and reporting back on a regular basis.
That is just part of what we do for a living.

I think the wording there is good enough for right now. I don’t think it is
good enough for what we will find after we review and assess.

DR. ROTHSTEIN: I wanted to get back to Russ’ suggestion. First of all, on
the merits, I couldn’t agree more. But in terms of a strategy, even if you
think that is where we ought to be going, I’m not sure that this is the right
document to do that.

The privacy and confidentiality recommendations for the NHIN, which we will
be discussing starting this afternoon and then tomorrow and then daily, in that
content this is an issue that we absolutely cannot avoid, because this is a
global issue that you have to deal with in the NHIN, whether we want to retain
the HIPAA distinctions among the covered entities.

So because we are going to deal with that issue frontally in the NHIN
report, I think this may not be the best vehicle for doing that, even though I
agree with the sentiment.

MR. LOCALIO: Do you want to incorporate the NHIN report by reference? Or is
that not far enough along so this would not be possible?

DR. ROTHSTEIN: Right, it is in draft form.

DR. TANG: I would like to support Russ’ position, it being more proactive
than monitoring and reacting to. It is telegraphing what the privacy and
confidentiality, the trajectory it is going. But I think it is relevance to
this document, because I think we need to be proactive to all the concerns we
have had, at least in the PHR work group.

We are worried about the misuse or the unanticipated use or the unknown use
of this information. If we don’t get out ahead of it, this is privacy at its
core, and I think it is worth putting in this document, even if we are going to
telegraph a little bit about what we will say in more detail in the privacy
report.

DR. COHN: We have heard pros and cons. I share Mark’s view, because we
really don’t have anything in this document that — this is a recommendation
that sits out there, there is really very little supportive pieces. I am
persuaded by him, in terms of that we should defer it to a wider view on this
one, but I have to ask everybody else’s view.

Marjorie, Don was first, and he has been very patiently waiting.

DR. STEINWACHS: I appreciate that people would like to start with a
voluntary approach. I have the same misgivings in the same camp as both Russell
and Paul.

It seemed to me possibly in the paragraph starting on line eight or ten,
depending on the version you have —

DR. COHN: Of which page?

DR. STEINWACHS: Page eight. In a sense I think you are saying there that
this issue is critical to confidentiality. It does not really, that paragraph,
say something more explicit about starting with a voluntary approach, but
recognizing that that may not be adequate, or do something in this paragraph
that bridges what the paragraph is saying to me, which says it has got to be
done, and then coming down here and saying, this is voluntary. So being
voluntary, an organization can say, I’m not going to comply, but I am going to
market my records. It may not be transparent.

DR. HOUSTON: I thought seven was to put a little bit of emphasis on the
fact that if you don’t voluntarily —

MS. MC CALL: Use the mike.

DR. HOUSTON: I thought number seven was really intended to be the stick out
there that says, and if there isn’t voluntary compliance and it does become an
issue, —

DR. STEINWACHS: Seven doesn’t really sound that way to me when I read it.
It does not sound like a stick. It is too subtle for me, I guess.

DR. HOUSTON: That was the intent of number seven, was t be that stick; if
you didn’t do it, then —

DR. STEINWACHS: It doesn’t come across that way to me.

DR. GREENBERG: I’m glad that Don didn’t defer to me, because I wanted to
comment on his as well as what I think I was going to say.

MR. BLAIR: Some of us are waiting patiently to comment on Locario’s thing.
Everybody is commenting on Locario’s, and you have indicated several other
folks came after —

DR. GREENBERG: Don’s was on Russ’, and that was what I was — I am happy to
cede the floor to Jeff.

MR. BLAIR: But you just said you were going to respond to that and then go
on to some other points.

DR. GREENBERG: No, no, I was on this same issue.

MR. BLAIR: Okay, go ahead.

DR. GREENBERG: I don’t know where I am, actually. What I was going to say
before Don spoke was, although we can’t refer to any recommendations, because
we don’t have a letter at this point form the work of the privacy committee, I
think you could refer to the fact that the privacy subcommittee has been
holding hearings on some of the limitations or whatever on current privacy
regulations, and will be coming — and the Department will be coming forward
with further recommendations. So you could refer to that. That was my
compromise there, without saying what — because we can’t prejudge on how the
committee is going to come out on what the privacy subcommittee recommends,
even if they reach consensus.

But I do think that it isn’t going too far to take what Don has suggested
to indicate here in number five, or whichever one it is about the voluntary
sticks, that the committee recognizes that voluntary compliance may not be
adequate. Otherwise, it could seem a little naive not to acknowledge that. But
that doesn’t commit you to anything. That is just saying you recognize that may
not be adequate. So I thought that was a good suggestion.

I agree that seven doesn’t speak to me in any kind of concrete way.

MR. BLAIR: Have we finished the discussion on Russ’ —

DR. COHN: No. You are waiting for something else? Harry is on this point.

DR. GREENBERG: Let me just ask Maya, since you were organizing lunch today,
what is the plan?

(Discussion off the record regarding luncheon arrangements.)

DR. COHN: Harry, were you going to comment on this issue?

MR. REYNOLDS: Yes, I am. Having been involved in the language of the one
that you haven’t seen yet and the one that we do see, the NHIN and this, and
stepping back into somebody that is going to read this from the committee, we
are looking at ourselves, but somebody else that is going to read this would
see one recommendation if it is the individual person, because you are talking
about the PHR. Then another, possibly stronger recommendation, when it turns
into something that is related to the NHIN.

So I guess at issue is, we know we are looking at it from the NHIN
standpoint, so I guess the question I would be a little bit schizophrenic, it
is important if it is NHIN, and it is not as important if it is just the
individual. The PHR is about the individual, the NHIN is about how it would be
traversed other places.

All I am trying to do is make sure that we think about that, because if
that is any indication that it is going forward philosophically, that may
create — back to Russ’ point, that may create a situation where we have said
we are going to be real strong about the individual, but we are may be more
strong if it is going to be NHIN.

It is just a question, because both of these letters are going to the same
place.

DR. COHN: Mark, I think I am going to try to let you address that.

DR. ROTHSTEIN: I understand what you are saying, Harry, but I think in this
letter, it comes more out of left field than it would in the NHIN report.

What I would suggest we consider is possibly dropping a footnote somewhere
in one of these recommendations, to be determined, and say the NCVHS is
currently considering the broader issue of coverage of health privacy laws, in
the context of the NHIN, and we will have a recommendation to you shortly,
something like that, where we recognize the issue, clue them that it is coming,
but without having to set out all the arguments for it in this document.

MS. MC CALL: Would the implication be that if we moved forward with a
footnote that when it does come out, those recommendations essentially replace
what is here?

DR. ROTHSTEIN: It depends what is approved. But hypothetically, if we
approve the document in a month or two, whenever we get it, that says the three
HIPAA categories have lost their meaning in the modern world and the same rules
need to be applied across the board, I think that would necessarily pre-empt
what we had said earlier. But we have heard open that possibility with this
footnote, that is all I’m suggesting.

MS. MC CALL: With the footnote, I think it could be a great idea. I just
don’t want us to leave ourselves where Harry said we could be. We could have a
footnote, it could come out, unless we actually replace what this says with
what that says, we still could be in balance. We still could be a peer
schizophrenic, which I think was your point.

MR. BLAIR: If it says replace, then there is no point in anybody acting on
this. If it says expand upon, then I think —

DR. COHN: Mary Jo, did you have a comment? It looked to me like you were
trying to help us move together.

DR. DEERING: I should probably come last because that is actually my
function. But I thought I was hearing a potential approach that I can’t come
out with precise words on, but I am happy to work on over lunch, because I
brought my lunch.

What I am hearing is twofold. I have heard a lot of people say that we are
not recommending voluntary ad infinitum. It is a stopgap measure. We understand
that there are a variety of concerns here.

I think that there is room to put in the two thoughts that several of you
have said, and to probably put them into that paragraph, as opposed to altering
the current recommendations. The two points that I heard are, number one, a
statement regarding, the voluntary may not do it, there is an evolutionary area
that we need to monitor, then secondly, I think it is very good to signal that
we are going to be looking further into this in a subsequent report from the
privacy committee. I wouldn’t see that necessarily as a footnote, but all
perhaps up there somewhere in that paragraph that precedes all the
recommendations, or as a second, two or three stand-alone paragraph that
introduces the recommendation.

DR. COHN: It sounds like Steve has an issue in this.

DR. STEINDEL: No, I have a direct comment with regard to Mary Jo. I was
looking at that the same way, as, a footnote does not do it justice. My
suggestion was going to be to add that concept to the end, where we talk about
next steps.

DR. DEERING: The whole end of the letter?

DR. STEINDEL: The end of the letter, where we talk about next steps and key
up the NHIN letter in the next steps section, maybe as a separate paragraph,
that can give it a little more emphasis. But editorially, I agree with you, it
is not a footnote. It needs to appear as textual data.

DR. COHN: Well, maybe it is both. That is probably the better answer. There
is a sentence or two here, it is a small little piece at the end, at least as
an option.

DR. DEERING: Yes, if only at the end, it might lose its power and its
context, so you can do both.

DR. COHN: Paul, and then after that, I’d like to see if we can come to an
agreement here about what we need to do.

DR. TANG: I don’t think it is a footnote at all.

DR. COHN: I think we are all agreeing it is not a footnote.

DR. TANG: Well, but the followup point, it has been a central part of our
discussion for a considerable amount of time. It is in some sense related to
what Margaret said. It is an issue that came out of left field that became
core, because we heard so much from our testimonies. I think that Harry’s point
is a wise one, that we should have a way that we can very much anchor and
telegraph, not only refer to privacy.

I think it is no less dangerous to have a third party PHR that in our
vernacular is not a covered entity, than it is to put your information on the
NHIN. I think the dangers are the same. We have been saying that for the
majority of our discussion. I think it would be much more consistent for us to
take Russ’ approach and be proactive about it and consistent along Harry’s
line, than to footnote or otherwise skirt the issue. Related to HIPAA, the
patients or the consumers are the ones that are not at all going to appreciate
this, because we didn’t going in, but we learned a lot about it during the
testimony.

DR. COHN: I am hearing as usual on privacy a spectrum of conversations. I
think we need to somehow figure out where we want to be. I am hearing on one
hand a whole recommendation that says Congress, we call upon you to enact
comprehensive health information privacy policies, and leave it, but not
specifying further, because we haven’t held testimony to figure out what that
means.

We have a middle position that describes some edition of asking HHS and
other agencies or just HHS to monitor, recognizing that legislation may be
necessary to close any identified gaps. That would also have to include
sentences placed in this section and at the end that says, we are having
further deliberations about the larger issues of health information privacy in
relationship to the NHIN, and additional recommendations in this area will be
forthcoming. Or we can pretty much leave things as they are.

It is sort of like A to Z with M in the middle here. Am I — I’m not making
a suggestion, I’m laying out the frame here, and what would people like to see
happen.

MR. BLAIR: I like what you said. There is one other aspect that I would
like to suggest, which is to preface that by indicating that we feel that there
is a sense of urgency on this issue.

DR. COHN: Which one are you supporting? Are you supporting A or Z?

MR. BLAIR: I thought you were addressing the fact that we would be putting
forth that compliance would be voluntary, interim to Congressional action. The
reason for that would be because of the sense of urgency, that we need to have
action before —

DR. COHN: No, what I was proposing as an M was something along the lines of
monitor — and if there are issues identified, recognizing that Congress may
have to deal with identified gaps. So I wasn’t — there is a position here
which says, we call upon Congress to do everything. Then I thought there was a
middle position which is really the monitoring, analysis of issues, closure of
gaps, either by regulation and/or legislation if needed, and then there is the
status quo. So I was trying to make a differentiation here.

Do you want to comment on those, or do you have another proposal?

MR. BLAIR: No.

DR. COHN: I was just trying to lay out what I thought were — we were
hearing the broad choices here.

DR. FITZMAURICE: I am in support of what you laid out. I just want to add
something else for your consideration. Do we know enough from current hearings
to come to closure, or do you need also to say we will consider having hearings
on this particular subject in the near future?

MS. MC CALL: I am going to answer your question. I think that you have
clearly articulated the three different choices that we have in front of us,
with one exception. In that middle row, M is for monitoring, I heard us talk
about the fact that monitoring — it needs to be more, not just monitor and
maybe we will come and take a look and it is a problem, and if there is a
problem we will do something about it, but that monitoring was an active part,
tightly coupled, with volunteerism, and it would also actively come into a
review process, that it is an interim piece.

So it really has to do with how active or passive such a monitoring
activity is, and what its purpose is. Its purpose is to help close gaps,
because we will know that they will be there. Its purpose is to inform is as
speedy a fashion as possible.

So that would be my own comment on the middle road as a choice.

DR. COHN: So you would describe actively monitoring the evolving whatever
it is?

MS. MC CALL: Right, that there be some activity. I do want to acknowledge
that monitoring — there may be an issue with that. I don’t know how to do
that.

DR. COHN: I guess the question is, we just need to figure out which of
these areas we want to be in.

MS. MC CALL: Right, and if we can’t execute on it, then I think that is
what we need to talk about. I would like to talk more about whether or not —
monitoring is a word, but is it truly feasible. Because if it is not feasible,
then I would get rid of that as one of the options and paths that we consider.

I do want to acknowledge Russell’s comment. There is an issue here. I want
our recommendations, no matter what path they take, to acknowledge the issue.
If monitoring is not going to be a truly feasible approach during some interim,
then we are not making a recommendation that actually does justice to the
exposure.

DR. HUFF: I think your characterization of the options is accurate. The
only new idea that occurred to me is that while there is an issue, the PHR — I
think it is better — legislation is better directed at a broader issue. With
the PHR, individuals can obviously be harmed by disclosure or unethical action
by somebody who held a PHR. But ultimately I can do a lot of protection by
choice in who I buy my PHR from. If they are not a reputable company, I can go
somewhere else.

So in some sense, I am protected if I am educated enough to choose somebody
that is reputable, I can protect myself from that.

I think the issue in general is more directed at the whole market EHRs in
exchange with other entities, where that information is going to be collected
as part of my medical care, and then if we don’t have legislation and other
measures to protect me, then it is out of my control.

In the PHR sphere that is a direct part of this discussion, it seems that I
have a lot of control over when my information goes initially by who I buy it
from and who I share it with. That is the only reason that I would vote to say
basically, keep this the way it is now, but absolutely take it on head on in
subsequent recommendations that have a broader scope, including the EHR and the
data exchange and that part.

DR. HOUSTON: I tend to agree with Stan, who I think articulated that very
clearly. I don’t think that, going back to Paul’s comment, that there is a —
that the risks are equal when we are dealing with NHIN and the PHR for
specifically that reason. I think that my recommendation personally would be
that we go with the way that it is worded, frankly, and that is all I’m going
to say.

DR. GREENBERG: Mark whispered to me, it would be good if we had Jim Scanlon
here, who has been around a long time downtown, and what would he think.

The main thing that Jim always told me was that we don’t make policy in
letters. It doesn’t quite apply to a letter of recommendation, but I do think
that extension of that is that we wouldn’t recommend a major change in policy
in a letter that is not directly related to that.

Two reasons. One is that it will kind of get lost and two, I think it will
be confusing. I agree with Stan that PHR is not the biggest problem here,
because there is more consumer control. So Jim isn’t here, and maybe Dale has
some idea of what he would think, but I think this discussion has been very
useful. I think I do not actually support my esteemed colleague, John, about
keeping the language the way it is. I think we have had enough discussion that
there is some need in this letter for a stronger acknowledgement of recognizing
the problems here.

I personally would indicate, because it is good to tell the Secretary, it
is not just, yes, this is a problem, but tell him, yes, we are looking at this,
so we will be coming forward with further recommendations in a way that defers,
but I think it is a more appropriate context.

I think that would acknowledge the problems, but push it to a more
appropriate vehicle. I do think that my esteemed colleague directly to the
right of me, Dr. Rothstein — I am particularly impressed that as the chair of
the privacy committee, he doesn’t think this is necessarily the right vehicle,
either. So I would defer to him on that, but add some language that we
acknowledge the issues.

DR. BERNSTEIN: I’m not sure why Steve is so concerned about the use of the
word monitoring, although I understand that if you come from a more regulatory
agency, it implies more — monitoring to me means reviewing and assessing.

My only point is that it seems like we are talking about either voluntary
industry compliance or legislation. There is a spectrum of possibilities in
between those two things which we haven’t fully talked about, and I think which
could come out of this recommendation seven. One is seeing if other agencies
already have regulatory authority there. Maybe something like the Federal Trade
Commission has something we don’t know about, or some other agency. We have the
possibility for guidance. We might have the possibility of regulation before we
get to legislation.

I think one thing Jim would say as a long-time federal civil servant is
that you don’t ask for the most extreme type of way of doing something like —
to me, legislation is the hardest to get in the longest time period and so
forth. It is most likely to be done not the way you want. If you can do
something with a regulation, then you shouldn’t get legislation. If you can do
something with guidance, you should avoid regulation. If you can do something
with a meeting, you would with a meeting instead of avoiding all those other
things which are more severe forms of getting to the goal you want.

I think we should consider that there is a possible spectrum of things in
between voluntary industry compliance and legislation that could come out of
the results of recommendation seven, that is, reviewing and assessing.

When I think of monitoring, in particular with PHRs, I don’t think you need
to regulate to monitor the industry. That is, PHRs are available to the public.
Any member of the staff can go and look online and see what kind of notice they
are getting to their — you can go out on the Net and collect the kind of
notice that they are giving to their customers. We can go out there and find
information. You can look on the web, educate yourself.

Steve is shaking his head at me, but it is possible to understand some of
what is going on in the industry without regulating it and making them by
regulation send you data.

DR. GREENBERG: How about evaluate? Not as threatening as monitor.

DR. BERNSTEIN: Yes.

DR. GREENBERG: I agree that monitor can be a problem.

DR. STEINDEL: I don’t see the problem with the words review and assess,
because that is doing basically what you are saying.

DR. BERNSTEIN: I agree.

DR. STEINDEL: When you start bringing in the words monitoring, a lot of
times what we say, especially when we can point to voluntary organizations that
are over an area, we can ask them for information and ask them to monitor. We
don’t have an organization that is over PHRs, so we can’t point to them.

So what we have to start doing, when we say monitoring, the first thing
that is going to come from these organizations that are offering PHRs is what
kind of information does the government want to have. You start listing the
information that you want to have, and they are going to say, we are voluntary,
we don’t have to give it to you, we don’t want to give it to you, so how are
you going to monitor?

That is why I say, it has got to get to the point where when you start
asking for this information, you have to start asking for it formally, if you
want to put us in a monitoring role. If you leave us in a review and assessing
role, what you are saying in my mind can happen. You can look at a PHR and you
can say internally, this is what I have seen. Maybe we should bring this up
someplace.

DR. BERNSTEIN: I agree we are just talking a semantic difference, really. I
just don’t apply all those regulatory things to the word monitoring, but that
is okay. If you do, or if there is a population out there that does, we should
avoid that word.

All I am saying is, there are ways to get information that are not
regulatory. There are steps we can take to influence what industry does aside
from legislation.

DR. STEINDEL: Where my mind set is coming from, and this is coming from the
years I spent in the clinical laboratory industry, which is regulated from both
sides, the delivery of laboratory care and also the medical devices that come
into it, and the word monitoring there was a very red flag to that industry.

DR. COHN: Mary Jo, do you want to comment?

DR. DEERING: It did sound like you needed a vote on whether there was to be
a recommendation for legislation.

I was simply going to add that it does sound like everyone is persuaded
that regardless of any other action that we may take here, that between the
paragraph about HIPAA that precedes the recommendation, I do believe we need
some sort of an indication that the committee is continuing to look at this in
other areas, and recognizes that it is important and that more is coming.

So at an absolutely minimum, we need one or two paragraphs before the
recommendations that do signal that more is coming. What more than that other
people want, I think you have to vote on.

DR. COHN: I need the help from the committee at this point. You can now
understand, those of you who weren’t part of the NHII or the privacy
subcommittees, why we spent hours on these recommendations in this area,
because the discussions are complex. It isn’t as though there is an absolutely
clear answer to all of this.

Now, I guess I need some sense from — we are not voting on this letter
today, but I really do need a sense from the committee of what the work group
needs to do to fashion the right solution here. I have heard some people say do
nothing and leave it alone. That is one option. Maybe I am off on this one, but
I see Russ nodding his head with some recognition that we are not unsympathetic
with the issue, but that this may not be the right vehicle.

MR. LOCALIO: I like the idea of deferring it until it can be addressed
completely. So long as we recognize in this document that it is going to be
continued, then this document and the forthcoming one would be consistent. So
we aim for consistency and address the issue in full at the appropriate time,
among the appropriate people, and we will be back discussing this at some time
in the future.

DR. TANG: I just want to say, I can live with that, as long as we say it is
in the broader context of NHIN that we are going to evaluate this. I can agree
with that.

DR. STEINDEL: Simon, based on a lot of discussion and how it has gone round
and round, I am hearing very good closure on the idea of basically leaving the
letter alone with the insertion of the broader paragraphs. That we would touch,
but we would not touch the other areas.

MR. BLAIR: I agree with Steve, and I hope this is arriving at consensus. My
suggestion is that when we add the wording, that there will be additional
recommendations on a broader perspective for the NHIN, that we use the word
additional. I am only concerned that if we say there are other things that are
coming, I don’t want these recommendations to sit on the shelf with the idea
that they are not complete. I think we ought to imply that these are complete
for PHRs, and that we will have additional recommendations for a broader
perspective of NHIN.

MS. MC CALL: It is a great point. We don’t want to make them impotent. In
other words, just leave them out. But are they complete for PHRs?

DR. COHN: This is our first report on PHRs. This is not the penultimate.
Kevin, you have been quiet also.

DR. VIGILANTE: Actually, I would just like to make a motion.

DR. COHN: What is your motion?

DR. VIGILANTE: The motion is that we agree to empower Mary Jo with the
authority to craft some middle-ground language that formally recognizes the
gap, expresses our concern, that we have embraced the voluntary as the first
stage, but realize that it is related to NHIN, and recommendations for the NHIN
which will be forthcoming will be considered consistent and integrated with any
solution for PHRs.

DR. DEERING: Which we will expand on, right.

DR. VIGILANTE: And then have the work group look at that, and then resubmit
to the committee. That is my motion.

DR. STEINDEL: Second. I would just charge the work group with adding
language in here that points appropriately — and I think Jeff’s language about
additional, et cetera, so that these recommendations are not neutered, to the
upcoming NHIN recommendations.

DR. VIGILANTE: I second that.

DR. COHN: So it is an amended motion that you are comfortable with. Is
everyone — do we want to vote? Is everyone in favor of that as a solution to
this particular set of issues? All in favor?

(Chorus of Ayes.)

DR. COHN: Opposed? Abstentions. Oh, my God, we made it through one issue in
privacy.

I guess I would ask everyone, I know that you have other issues that you
want to bring up. It is now 12:20. Would you like to break for lunch at this
point, or do you want to finish up the whole privacy section? Let’s break.

DR. BERNSTEIN: You have guests here who are on the schedule who have to
leave at a certain time. You want to keep track of those people. I believe
Linda has to leave at 2 o’clock. You want to make sure to get her on the
schedule before she has to go.

(Whereupon, the meeting recessed for lunch at 12:25 p.m., to reconvene at
1:07 p.m.)


A F T E R N
O O N S E S S I
O N (1:07 p.m.)

Agenda Item: Update from the Department

DR. COHN: What we are going to do is, we are going to break from the PHR
discussion for just a second, because we would like Linda Sanchez and Dale
Hitchcock give us the Departmental review. I know Linda probably is not going
to make it through our entire PHR discussion, so I thought we would just take
this break at this moment and do that, and then we can get back to the PHR
letter.

Linda, do you want to start out?

MS. SANCHEZ: Sure, thank you. I am Linda Sanchez from the Office for Civil
Rights. Suma Gandru wasn’t able to be here, but with the new location it didn’t
work out. But I am happy to be here in her stead.

I am just going to provide some general information about where we are with
compliance, and then let you know about a bulletin we put out last week
regarding the privacy rule and Katrina relief effort.

As of August 31, 2005, OCR has received over 14,916 complaints, and we have
closed 68 percent of those cases. Case closures include — and I think you are
probably used to this list — cases where OCR lacks jurisdiction under HIPAA,
such as something that happened before the compliance date, or an entity that
is not a covered entity, cases where the activity does not violate the rule
such as when a covered entity does not disclose based on an authorization,
since that is a permissive disclosure, not a required one, and cases where the
matter has been satisfactorily resolved through voluntary compliance, efforts
by the covered entity.

The allegations raised most frequently in the complaints — and this has
remained pretty much the same over time — has been, number one, the
impermissible use or disclosure of a person’s protected health information,
second, the lack of adequate safeguards to protect that information, three, the
refusal or failure to provide the individual with access to or a copy of
records, and this continues to be a problem, four, the disclosure of more
information than is minimally necessary, and five, failure to have the
individual’s valid authorization for disclosure that requires one.

Complaints are most often filed against private health care practices,
number one, and then general hospitals, pharmacies, outpatient facilities and
outpatient primary care facilities.

As you know, we do refer to the Department of Justice cases that appear to
involve a knowing disclosure or obtaining a protected health information in
violation of the rule for their criminal investigation. At this point, or as of
August 31, we referred over 231 cases to DOJ.

I just want to mention a little bit about what was in the Katrina bulletin
which is available on our website. We didn’t announce any changed policies in
this bulletin. We just wanted to clarify for covered entities some issues that
may have been raised in their efforts to respond to the disaster.

First is that a covered entity may share for treatment purposes without
getting any sort of consent or authorization. This includes sharing information
with non-covered entities for triage or case management, so certainly they
could share with a relief agency or with relief workers as needed to treat the
patient.

Regarding notification, a covered entity may disclose information on
patients as needed to locate family or friends that are responsible for their
care or to let people know the location of this patient. This could be done
through an intermediary such as through the police or website or relief
agencies. So they can certainly provide the identity of a person if they are
trying to locate people who need to help them.

Also, a reminder that the privacy rule does have a special provision for
disclosures to disaster relief agencies and appoint people to that, and to note
that if it appears that attempting to obtain a person’s opportunity to object
to a disclosure to family and friends, would actually impede those emergency
relief efforts, that that requirement can be waived.

I am happy to take any questions.

DR. HOUSTON: Linda and I spoke, and the next time we are at an the HHS
facility, I am going to meet with them and we are going to go over statistics
and what we might try to do. The agreement is that the next time we are in the
HHS facility down at the Humphrey Building, we are going to sit down and meet
about trying to come up with what we want to try to do statistically. So I
agreed that I wouldn’t ask the questions.

DR. STEUERLE: I’m not going to ask that question, but you mentioned these
exceptions that are being made per the Hurricane Katrina. I am wondering if
there are further implications. If you are making exceptions in this case, does
that imply that there are certain aspects of existing law regulations that you
consider possibly harmful for other situations?

MS. SANCHEZ: I’m sorry I wasn’t clear.

DR. STEUERLE: Or are these exceptions essentially within the law?

MS. SANCHEZ: This is already in the law. None of these are changes to what
is in the privacy —

DR. STEUERLE: This is clarification?

MS. SANCHEZ: We just wanted to clarify for providers that might be in a
situation they are not used to.

DR. HOUSTON: HIPAA is in my mind clear as to what we are permitted to do. I
think what they are trying to do is make sure they get the word out so that
people not understanding HIPAA might use this as a reason not to disclose
information. So HIPAA is very clear as to what it allows you to do, and it does
allow us to release data in these types of situations.

MS. SANCHEZ: I think it is quite likely that many covered entities have
never thought about or looked closely at the provision regarding emergency
relief agencies. That just probably has not come up for them in the past. We
wanted to point that out to them. The other provisions, they may be asked to be
making disclosures that they wouldn’t normally to organizations they haven’t
necessarily thought through in the normal policies. So we just wanted to
clarify some of that for them.

DR. STEUERLE: I’m sorry. My point wasn’t whether what you were doing was
something that is illegal. Obviously you are not. It is whether the declaration
of an emergency, which then relieves some of the regulatory requirements, is
something that has implications for other things that might be almost an
emergency or not quite an emergency, or somebody has declared it.

If we are saying that some of the requirements of HIPAA are too tight to
allow information to be processed and passed on in a useful way in an
emergency, does that also have implications that there are other cases that
might not be declared full-fledged emergencies for which a similar need for
information might be there, but we can’t relax. I don’t know if that makes
sense or not.

MS. SANCHEZ: I don’t really have a response for that. I am sure it is
something we can look at.

DR. STEINDEL: Gene, as I understand it, none of what was mentioned has
anything to do with the fact that an emergency was declared. These already
exist within HIPAA. What the COR was doing was just pointing out to providers,
this is what you are allowed to do in any circumstance.

I think the only thing that may have raised a little flag is the emergency
relief agency, which also exists today. It is just that they usually don’t
become prominent in the release of health care information until an actual
emergency exists. But it could also occur like if there was a fire in your
town.

DR. STEUERLE: I’m just looking at the section right now. Very specifically,
HIPAA says a covered entity may disclose public health information to a public
or private entity authorized by law or by its charter to assist in disaster
relief efforts, for the purpose of coordinating with such entities, a use or
disclosure is permitted by paragraph da da da, and section. So it is very
explicit. I just think I’m reminding everybody.

DR. TANG: I just want to commend the Department for doing that, because I
think that was very useful. There is so much confusion normally, so in this
case I thought it was a really smart idea to do.

MS. SANCHEZ: Thank you.

DR. COHN: Other questions or comments?

MS. SANCHEZ: Thank you.

DR. COHN: Linda, thank you.

MS. SANCHEZ: We are also very interested in personal health records.

MR. HITCHCOCK: Thank you, Simon. It is a pleasure to be here. Jim sends his
regrets, he wished he could be here, but he is being pulled in any number of
ways these days.

Just one comment about his promotion that Simon announced this morning.
This is significant. It is the only career Deputy Assistant Secretary position
in ASPE. The others are political appointees. So what this means, and I can’t
think of a better person to do this, is that Jim will be the stability and the
continuity, if you will, when administrations change, and he will continue to
bring his knowledge and experience to the Department, only at a very high
level.

I said, Jim, people are going to want to know what you are doing about the
hurricane efforts, what it is that you are up to. He started giving me this
line about, he could tell me but he would have to — you know how that goes.

What he is actually doing is, he has a team of people detailed to him from
around the Department, and they are putting together daily briefing books for
the senior staff, letting them know what the current and daily issues are in
New Orleans, what progress is being made, what remains to be done, what the new
emerging problems might be, what the successes are. They get a huge volume of
paperwork from the field that gets faxed or e-mailed in around 4:30, and they
have to pull together these briefing books for the senior officials in the
Department, so they will have them either that evening or the next day. Beyond
that, he spends most of his time in the Secretary’s command center or in the
Deputy Assistant Secretary’s conference room, going over issues and working on
solutions. So that is what he is up to.

Since we last met, there have been a number of significant developments
related to data policy. I will just touch on a few of those today.

We will start with the Data Council. The Data Council is currently focusing
its efforts in several priority areas. We look at the HHS data collection
strategies, priorities. One of those you might be interested in is, we are
still working on ways to either collect or report and analyze better racial and
ethnic data. We are also involved in the data budget reviews for FY 07,
reviewing plans for all the major surveys and data collection systems, and
looking at the preliminary budget requests.

The budgets are still, as you might suspect, tight overall, so there are no
large budget increases. But most of our major data systems are being supported
at at least the current levels, and there are some small improvements planned.
We did not identify any new large data initiatives.

We are looking at data improvement initiatives in the five areas of
population data. One of them is going to be prescription drug utilization and
expenditure data. We are looking at these data for program and policy purposes,
as well as for research and statistics. Several enhancements are planned and
underway for these areas.

The discussion in the prescription drug data is being directed to the data
that might be available, and I stress the might. This is not really clear yet
who can get this and when under the new Part D Medicare drug benefit plan. For
health insurance data, we have got a number of sources that we deal with, both
within the Department and Bureau of Census, that produce, as most of you
probably know, estimates that differ slightly from each other. We are looking
at ways to understand and reconcile those differences and estimates among four
surveys. The four surveys are the national health interview survey, medical
expenditure panel survey that AHRQ does, current population survey and American
Community Survey, I believe is the fourth one that we are looking at.

We are also looking at ways to collect better data from the states on
health care access, utilization and health insurance at the state level, and we
are looking at ways to improve our income measures, primarily ones that would
include looking at assets as well as just income, and all the major surveys.
Like I alluded to earlier, we are looking at ways of collecting and/or using
current resources and combining years and that sort of thing to provide better
estimates by race and ethnicity.

Privacy and confidentiality issues and Health and Human Services data are
always on our plate. Maya Bernstein, who we heard from today, did a splendid
job organizing our lunch, —

DR. GREENBERG: Woman for all seasons.

MR. HITCHCOCK: Woman for all seasons. Maya has reactivated the Data
Council’s privacy and confidentiality work group.

Our office, Jim and mine, we are starting a study on best practices,
research and statistical confidentiality and privacy practices. Again, this is
a project of Maya’s. Also in the auspices of the Data Council we have initiated
a study of fiscal data collection standards, major HHS data collection systems,
what is available, what is used, and what are some opportunities for
improvement and/or integration of these standards.

That is really what I have to say in Jim’s behalf. I will be happy to try
to answer any questions people might have, or take comments back to Jim, for
that matter.

DR. STEINWACHS: One question I guess is, I remember after September 11, we
spent a lot of effort trying to figure out what the health consequences were of
that tragedy. I was just wondering whether or not there was discussion in the
Department about the health consequences of the natural disaster.

It raises a variety of issues, because populations disperse, and may never
come back. It seemed to me there are some difficult methodological issues about
how do you know what the impact is and is there something to be learned from
it, other than — you can count the deaths that attribute very quickly, but
after that, we may lose.

Maybe there is nothing we can do that is stupendously great for this, but
how are we prepared in the future, because these things will happen again, and
you don’t always know what kinds of consequences and what risks will people
face when you look at longer term outcomes.

MR. HITCHCOCK: I’m sure there have been all sorts of discussions that have
been held at the highest level of the Department. At this point I don’t think
they are more than what-ifs or what should we be doing, sort of thing. I think
the attention as it is across all parts of government are focused on the search
and rescue and medical care provision in the areas that are affected right now.

MR. BLAIR: I didn’t know, Dale, whether you have information to follow up
on CMS’ efforts on implementing our e-prescribing recommendations. Will we
receive testimony from somebody else or hear from somebody else?

MR. HITCHCOCK: That one I can’t answer.

DR. COHN: I think we will likely have testimony at the subcommittee in
September from CMS on that. Steve, did you want to make a comment?

DR. STEINDEL: Yes, I just have a response to Don. The issues that you have
raised obviously are of interest to CDC, and they have been raised at the
Department leave within the context of the Katrina events, and are being looked
at with the monitoring systems that we are putting in at CDC.

DR. GREENBERG: I was going to say something similar in that regard. There
is a very high effort to look at infectious diseases and all of that, and the
overt kind of health issues.

But I think what you raise, Don, is very important and I would suggest that
the Populations Subcommittee might want to spend a little time talking about
that. When you mentioned 9/11, it reminds me, I have a colleague, now retired,
but who was very much involved with the ICF, the International Classification
of Functioning Disability and Health. He wrote an op-ed piece that was
published somewhere, I’m not sure, but after 9/11, called ICF and Terrorism.

We are very good at counting deaths in the U.S. We are very good at
counting hospitalizations and even we have a pretty good sense of what people
are seen for in doctors’ offices, but things that don’t result in real
diagnoses, which is basically what ICD can capture, can have a profound effect
on peoples’ health and well-being. I think this raises that issue in this
context as well as everyday life and chronic disease.

So I would really encourage the Populations Subcommittee to talk about that
a bit, and whether the way we currently collect this data, even if you could
find the people, tells us what you are asking, some of the mental health
issues, some of the functioning issues, some of the participation issues, all
of that.

DR. ROTHSTEIN: Just briefly on another topic, in the spirit of my
colleague, Mr. Houston, I would like to restate my query request that we post
on our website the Secretary’s responses to our letters. We post our letters,
but we don’t post the responses by the Secretary. Also, some sort of grid which
would indicate which letters that we have sent have not yet been addressed by
the Secretary. I think that is very valuable for the public to be able to see
that.

DR. COHN: Point well taken. I don’t know that we need to address that right
now.

DR. GREENBERG: If I might suggest a little variant on that?

DR. ROTHSTEIN: At every meeting I raise this.

DR. GREENBERG: But since you made this recommendation and you added with
this grid, we used to include something in the — well, we have the work plan,
but we used to have a grid that we gave you every time about what the status of
the recommendations were, and letters in response. Of course, often the
responses are what I refer to as a bread and butter response,, partly because
of what Jim said, that you don’t make policy in letters.

But nonetheless, we have taken that on board. I don’t know if we have had
any responses, and often we don’t get them electronically, but we have to solve
that little technical glitch. We will certainly commit to putting the responses
on all the ones we can get. Let’s make that a high priority, staff.

But I myself, although I think it would be good to provide you all with
such a grid, I think the proof is more in the pudding. If we start putting
those responses there and there is no response, it is obvious there is none to
post. I would not personally support a grid on the public website saying, these
we referred responses and these we haven’t, partly because it is not a yes-no
thing. There is such a variant in how that response — we have taken all of
your recommendations and we put them into an NPRM, or thank you, we will take
this under advisement. To count both of those as responses is —

DR. STEINWACHS: Couldn’t we have a little caricature of Simon there that
says, Simon says we have received this, we haven’t received that?

DR. GREENBERG: Would you agree to that?

DR. COHN: Sure. Mike?

DR. FITZMAURICE: I wanted to refer also to Don’s question about what is HHS
doing. I don’t know how much Linda mentioned this, so I may be duplicating what
she said. With Katrina, the concern is getting care to the evacuees as quickly
as possible. Secondly, there is a group formed to get information to those
treating new evacuees as quickly as possible. The concern is that they come
into shelters, and the physicians don’t know what drugs the patients need.

In general, they don’t know what drugs need to be brought in to supply the
patients. So there is a concerted effort among the PPMs and among HHS, some
information vendors, to try to pull together that information for those people
in New Orleans and to make it available wherever the patients are.

You get the same kind of issues that we deal with in all of our hearings:
How do you identify the patient, how do you know this information is about that
patient. But if you can get aggregate information, you know how much insulin to
send to a given area, or how much other drugs for specific kinds of conditions,
even if you don’t know those specific patients have those conditions. Overall,
this is what the New Orleans area was consuming, and you need to provide that
level of consumption wherever the patients go.

As you get more detailed to the individual, then how do you capture the
information that the physician is generating or the health care provider is
generating when the patient comes into the shelter? Then the patient gets
triaged to Washington, D.C., the armory gets triaged to Houston; how do you
follow that patient with the necessary information to continue care?

We don’t have the answers, and our infrastructure is not really set up to
supply those answers, but we are weighing in a very rapid manner how do you
resolve the issues of privacy concerns with the HIPAA privacy rule, do you have
these business associate agreements, how rapidly do you have to revise them to
allow people to consolidate information for public health purposes? Do you go
with the emergency provisions, the public health provisions? All of those
things are happening rapid fire.

We don’t think any of it is standing in the way of treating individual
patients at this time, but in terms of planning for the very short term of how
do you get the necessary drugs into the right place? That is the problem that
this information group which is led by David Brailer is focusing on. After
drugs, maybe it is laboratory information, but drugs is the top priority at
this time.

DR. COHN: Michael, thank you. I guess I am hoping that somebody has sent in
a copy of our e-prescribing recommendations to help with all of that.

DR. FITZMAURICE: We are concerned more with the immediate problem at hand.
We are meeting daily. As we get a couple more days, we will want to get into
the interoperability, because if we solve the problem for the area — think of
it as one large RIO, but right now we are thinking of it as individuals who
need to be taken care of. How can we be sure that the physicians have the
supplies of things to get there to take care of the patients?

DR. COHN: And Michael, I did not mean — that came out sounding facetious,
and I did not mean it that way. What I was really referencing was more the
capabilities already existing with groups like Rx Hub and all of this to
actually get information down to the site of care that already exists.

DR. FITZMAURICE: Many of the organizations that have testified to us and
provided us with good expertise are the very same organizations that are
supplying that expertise at —

DR. COHN: Thank you. Other comments, questions? After taking a deep breath,
let’s move back into privacy and the personal health record letter.

I think we have handled the first issue on privacy. My understanding is
that there were some other hands with what were felt to be other issues on
privacy. Jeff, do you remember what yours was?

MR. BLAIR: I do, and Maya has been able to take care of that during lunch.
I had a question on question six, and she was able to resolve the question.

DR. COHN: Great. Mike Fitzmaurice.

DR. FITZMAURICE: I have a question on recommendation five, or a suggestion,
which starts on my line 31. The second part of it says, in those situations
where HIPAA does not apply, secondary uses or disclosures of information in
personal health records should not be allowed without the express consent of
the consumer or patient.

I am scratching my head saying who should not allow this? Then I am
thinking, maybe we could reword it to say, in those situations where HIPAA does
not apply, we believe the consumer or patient should control secondary uses of
that information, secondary uses or disclosure of that information. We state it
as a principle rather than saying, somebody should control this and not allow
it.

It also carries over to recommendation six as well.

DR. BERNSTEIN: Forgive me. You are in recommendation five?

DR. FITZMAURICE: I am in recommendation five, the last sentence. It starts
on my line 34. I would suggest the same kind of wording could be used for the
last half of recommendation six.

DR. BERNSTEIN: I’m not sure I follow you.

MR. BLAIR: Am I able to react to Michael’s?

PARTICIPANT: Could you actually restate it, please?

DR. FITZMAURICE: It reads, in those situations where HIPAA does not apply,
secondary uses or disclosures of information in personal health records should
not be allowed without the express consent of the consumer or patient. Does
that mean that the vendors must be the policemen? Who controls this?

PARTICIPANT: What do you say your addendum is?

DR. FITZMAURICE: My addendum is, in those situations where HIPAA does not
apply, the consumer or patient should control secondary uses or disclosures of
information in or from personal health records. I would strike the, should not
be allowed.

DR. COHN: Jeff, do you want to react? I assume Maya was going to jump in
also.

MR. BLAIR: The thing I am struggling with, you can see the expressions on
my face, I think the reality is, there are probably very few cases where the
patient controls the information, because it is being provided as services.
Whether it is being provided by a government agency or a private sector company
or the employer or what, matter of fact, I can think of very few where the
consumer or patient actually controls. They use it.

I guess, Michael, my only thought is that if we wind up using that wording
even if we would like that to be the case, I feel as if we can’t change control
to the patient, and I think in a lot of cases we can’t, then the rest of the
recommendation, which I think has value, would be either ignored or considered
nonoperable.

DR. FITZMAURICE: I understand what you are saying, but I am thinking of the
information that now is residing in a personal health record. If that
information comes from some other place, that other place controls the
information. But if the information comes into an individual’s personal health
record, —

DR. BERNSTEIN: Can I point out, we keep reminding ourselves that
recommendation five only applies to HHS sponsored pilots and contractual
relationships that CMS enters into. It can therefore write into those
agreements or contracts or legal instruments these rules.

So when you ask who is it that should allow in the context of that
relationship, that is what we are recommending, that those instruments should
not permit those other secondary uses. So it really is HHS in that case who is
in control of that. The two parties who are in that relationship can negotiate,
but they are not going to give you the contract or the pilot project unless you
agree to their terms.

The idea is that we would ask — that the committee is asking HHS to impose
those requirements on its own pilots and contracts.

DR. FITZMAURICE: So you are talking about data that is in the hands of
individuals. Somebody else was holding on to their personal health record, not
the patient or individual.

DR. COHN: Michael, there are many different models of personal health
records.

DR. FITZMAURICE: So I do not understand what the issue is with regard to
the secondary uses of those data. A patient may want secondary use, or a
patient may want to forbid it, but are you saying that we are not advocating
that the patient control the secondary uses of the patient’s data in a personal
health record?

DR. BERNSTEIN: Yes, we are saying express consent of the patient.

DR. COHN: Michael, I am struggling here. The only thing I am hearing from
you is wordsmithing. Am I hearing a different concept that I am missing here?

DR. FITZMAURICE: The only concept that I was trying to put is the patient
control. Maya points out that the express consent of the patient or consumer is
required. Maybe those are the same thing. Maybe you’re right.

DR. VIGILANTE: If the patient is in control, they can choose to release or
not release to a second party. I think the point is here, let the patient know
that the entity with whom they are in a relationship may or may not use their
data, de-identified for secondary uses, and to require consent to that effect
prospectively. I think it is a more rigorous position than the one you are
adopting.

DR. FITZMAURICE: Maybe my confusion was that I didn’t realize who the third
party was, and so the third party is whoever is undertaking the pilot for CMS.
That was my confusion.

MS. MC CALL: What is interesting is that we keep having to remind ourselves
that recommendation five is only with respect to pilots with CMS. Every comment
that we make seems to be trying to make it broader. So it begs an issue, is
there something missing.

PARTICIPANT: I would just direct your attention to recommendation six. This
is the one that is designed to cover those other — the private sector.

MS. MC CALL: Exactly. We need to understand that these are different twists
on the same theme. So as we talk about any changes in here, not wordsmithing
necessarily, but that we make sure that we understand that that is paired as a
set.

DR. STEUERLE: This is one of the few areas where I did weigh in in the
phone conversations. My concern is that there are some secondary uses,
particularly in this case, where you might have an HHS pilot project, where
they might think of some data merges or other things that would be useful down
the road. It is not really useful to go back.

This happens all the time in services, because you don’t go back all the
time and ask them. You try to get some up-front consent that you can use, with
whatever limitations you put on it. I’m not saying that the passive tense is
better than the active tense which you are going for, but I still like the
current wording a little better than yours. Yours you could read as saying you
have got to go back, the patient constantly is in control of it. I think it is
part of Jeff’s statement, what does control mean.

DR. FITZMAURICE: I like your position better, Gene. I did not mean
continuous forever and ever each time.

DR. STEUERLE: The word express consent gets us around that. If HHS is smart
enough to design express consent up front the right way, then we dodge that
problem.

DR. FITZMAURICE: Maybe we can just add pilots, disclosure of information
and PHR pilots.

DR. COHN: It is also in any contractual relationships that CMS undertakes.

MR. BLAIR: Maybe Michael’s suggestion of adding pilots makes sense. I think
that helps a lot.

DR. COHN: I don’t think so, Jeff. This is more than just pilots. This is
also contractual federal relationships.

DR. ROTHSTEIN: I was just going to give some history of where these two
recommendations came from in San Francisco, when we revised them substantially.

Our thinking was that ideally, we would like to apply this rule across the
board, but we can’t, because there is no legislative authority to do so, as we
discussed this morning. So we drafted in recommendation six, or attempted to
draft, some recognition that for the non-covered entities there is not much we
can do except go down and encourage voluntary compliance in the interim, until
we have some legislative authority.

However, in recommendation five we recognized that there are certain kinds
of PHRs that are developed under contract with CMS or pilot programs, that HHS
can write into those contracts anything that it wants, and it does have that
legislative authority to do so. So for that sub-class, we want this higher
standard to apply.

That was the intent. That is why five and six have different levels of
requirements.

MR. BLAIR: That was very helpful. Thank you, Mark.

A lot of folks have had difficulty realizing the distinction. I can’t see
it. I think there are some type of headings. Maybe we can make the headings
more prominent to clarify that to a new reader. There are no headings?

DR. COHN: No.

DR. BERNSTEIN: The recommendations are just numbered, Jeff. They don’t have
titles.

MR. BLAIR: Maybe we need to do that, because there is a lot of confusion
today, and we have had to go back and clarify why each recommendation is
different. They address different contexts.

MS. MC CALL: Can there be a broader recommendation with an A and a B, so
that the context is set in the header?

DR. COHN: I am looking to Mary Jo. We can decide to put titles on all of
these. I actually don’t think it is all that confusing personally, but —

DR. DEERING: We have lived with it for three months. We know this chid
inside and out.

DR. COHN: I guess we could bold specific words in these recommendations. If
people feel this is very confusing, the work group either here or subsequently
will come up with titles for each of these recommendations.

DR. TANG: Or perhaps we have more of an introduction on, here is the
principles we are looking for, and we recognize — almost like Mark said, we
recognize that we can actually apply them in the legal arrangements we have
with government funded projects. Things that we don’t fund are not covered by
HIPAA. But we have the introductory paragraph, recommendations, and
introductory paragraph, recommendations. That is a different way of putting a
heading around it, but maybe that is a way that makes it clearer. It basically
gives the annotation Mark just gave.

DR. COHN: So is everyone okay with this at this moment before we move on to
the next issue on privacy?

DR. DEERING: I’m not sure I see how — there is a total of five paragraphs.
This is the only one that lends itself to an introductory paragraph. So would
we have language in front of these two?

DR. VIGILANTE: If you put HHS-sponsored pilot projects in italics, I think
that would be sufficient.

DR. DEERING: Bold and italics?

DR. BERNSTEIN: I thought I heard a suggestion that we perhaps explicitly
say what Mark described in the text, saying that we understand that there is
authority. That may make it more understandable when we get down to the
recommendations.

MR. BLAIR: No, that was not what I was reacting to. When I said it was very
helpful, what Mark said, it was, but I didn’t feel like we needed to — what am
I missing?

DR. BERNSTEIN: Then let me just ask, do you think it would be appropriate
or useful?

MR. BLAIR: I wasn’t suggesting that all those words be then put in. All I
was suggesting was that this is an example of all day today where a number of
folks have gotten these recommendations out of the context that they were
intended to be in.

DR. BERNSTEIN: The subcommittees have done the same thing for the two
months that we have been meeting.

MR. BLAIR: So I think this latest recommendation, you just have a little
label or title, highlight that recommendation six is for situations where you
don’t have a covered entity. You do own some of them, but I guess I can’t see
them. Just a little bit of a label to help —

DR. BERNSTEIN: Is there a reason why it would be inappropriate to do what I
suggested?

DR. COHN: Which is what?

DR. BERNSTEIN: Which is to just add a sentence or two that is more explicit
that says, we know we have, authority is to strong a word, but a method for —

DR. COHN: I think that is what the paragraph before these recommendations
says, I thought.

DR. BERNSTEIN: It doesn’t talk about what we can do within the Department
already with our contracts and whatever, as opposed to what the Department can
impose on the private sector. I am wondering if it is worth making what Mark
said more explicit, so there is more understanding of the recommendations that
follow.

DR. ROTHSTEIN: If we are considering that, what I would also suggest is
that we flip recommendations five and six, so we start with the general rule
and then go to the exception for the government contracts. Maybe it is
confusing when you start with the exception and then go to the general rule.

MS. MC CALL: Another fairly straightforward — leave the same order, but in
recommendation six, start the sentence that says, for any work that is not an
HHS-sponsored pilot, and entities are not covered by HIPAA, then.

DR. COHN: I am actually getting persuaded that we need to come up with two
or three word titles on each of these recommendations. That seems to me the
easiest solution to the quagmire that I feel like we are wandering into.

For example, calling recommendation three public education programs or
something like that, recommendation four best practices for privacy policies,
recommendation five HHS-sponsored pilots, recommendation six non-HIPAA covered
entities, that sort of thing.

DR. GREENBERG: The recommendations are embedded in the letter, which makes
it sometimes — like, I was having trouble finding two when this was three. But
if you have the italicized or bolded headings, it will make them stand out
more.

DR. COHN: What I would ask is, this is something that we don’t need to vote
on, the wording of those titles. These will be handled after — anyway, but
this is the type of wordsmithing that we go forward with. So are we okay with
this? Just things to point out what they are.

Other privacy section issues?

DR. TANG: This is making a statement more precise and accurate, and it
reflects a little bit of the concept. Page seven, line 43, and the statement
down there says, while several PHR vendors testified that their companies have
no access to any patient data, the committee is concerned. I don’t think they
actually said they have no access, because all of these vendors would be
definition have to have access, so that is not precisely true. So may I
suggest, testified that their companies do not mine patient data currently,
however the committee is concerned that some business models. They can only
make the statement about what they do now.

DR. DEERING: That they do not use patient data, or something.

DR. GREENBERG: Is that what they said?

DR. TANG: Yes.

DR. DEERING: That they make no secondary use of patient data?

DR. TANG: Correct, currently.

DR. DEERING: That they currently make no secondary — I would not like to
say currently, because that implies that those who said it are holding open the
door to doing it later. There were some who said our business practice is
founded on the principle that we will never.

DR. TANG: I didn’t think anybody said that.

DR. DEERING: I thought some of them did.

DR. TANG: I only remember one testifier saying in response to a question
that they do not do that.

DR. COHN: I like your wording. I’m not sure we need to use the term
currently, which I think is what we are arguing about right now. I think the
point is still made in the sentence that we are concerned, so I don’t know that
the word currently needs to be there.

DR. TANG: Fine.

DR. COHN: But I think the point is well made. Are people okay with that?

MS. MC CALL: I think that going back to page eight, within recommendation
six there is the sentence, this notice should specifically include a full
description of all secondary uses. I think that could be clarified to say it
should lay out what is considered to be a secondary use.

I bring that up because of something Eugene said a little while ago, which
is that there could be some links or transformations of data that could be —
they could without articulating all the details be interpreted to be secondary
use. Yet, they may not be within the domain of use as we think about it.

So there may be some things that are considered derivative uses that are
not considered to be secondary. I just wanted to try to clarify that language,
that that action items needs to be clear about what is and is not secondary
use.

DR. COHN: Paul, do you have a response to that?

DR. TANG: I think what was helpful is to set the context, because this came
up. It used to say no secondary use even though it may only result in reports
of de-identified data. We struck that latter phrase out.

The context is, when a patient signs up for a PHR service from a third
party that does store their information, then the expectation by the consumer
is that I am storing my data only for the purposes I am donating it for, not
for any other. So any derivative use of that data would be considered secondary
use of information, according to what we were thinking.

DR. GREENBERG: Or would require consent.

DR. TANG: Would require consent, correct. So it is true that any
derivative, even along the lines that you mention, would be considered
secondary use and would have to be disclosed up front or not done.

DR. GREENBERG: Not just disclosed, but would refer —

DR. TANG: Consent, correct.

MS. MC CALL: I’m going to pick on you, Eugene. Was there an example in your
mind when you said those words earlier, that there may be some linkage of data?

DR. STEUERLE: I’m just thinking that in some cases, data is gathered. We
don’t always think ahead, whether we are government or we are a private entity
or whatever, we don’t think always ahead what exactly are we going to do with
it. So we go to words like full description of. It is implying a knowledge that
we may not have in advance.

I didn’t even know what these imply. If my house burns down and somebody
wants to have access to my PHR, do they read this to say no, they can’t provide
it? Any time you start — the harsher the regulation, we don’t fully understand

MS. MC CALL: The broad question is, so what is secondary use. You are
saying anything other than just spitting it back at me, exactly as I put it in,
no transformations, no changes, no nothing.

DR. STEUERLE: What if George Washington Hospital wants access to data on
somebody who came up from New Orleans, and the developer of the PHR didn’t put
in any information at all about secondary use, or didn’t put it in the
contract, what do they have to go through to get it?

DR. TANG: They have to go through the patient.

DR. STEUERLE: No, the patient is in a coma. So how do you resolve that
issue? I’m not saying we have to resolve it here. Let’s be careful about our
language, that we don’t do things we don’t understand.

DR. DEERING: I only wanted to observe that a small point is that that is
absolutely one of the classic use cases that is usually written into a PHR, do
you want this used in an emergency when you are unconscious. So I don’t think
that is the scenario that we necessarily — if we actually got there.

But the other point was that — I think it was made somewhere over there on
the table that it is not secondary if you sign up in advance. It may be a
secondary use of the original clinical data point or whatever it is, but if you
signed up so it will be used for X, Y and Z, we are doing this for all of these
purposes, we may come back to you for X, Y and Z, this is as much a question to
the experts, is it secondary if it is one of the things you signed up for in
advance?

DR. COHN: It is a permitted use then.

DR. DEERING: It is a permitted use?

DR. COHN: You are in consent.

DR. DEERING: Then the home point is, does this not then cover — does that
not address your concern? Or not?

MS. MC CALL: I’m not yet comfortable that it does, only in that I think we
have buried it in the definition, which is to say, that which is not permitted
is denied, and we will make sure to lay out that which is permitted. Anything
that you buy from me and I sell to you is permitted.

But I think it may just push the issue out. The example that you gave, you
have given me some clinical data, some lab results or something, and there are
some services that this PHR vendor is going to provide, that is a use of the
data, you are an outlier, it is time to pick up the phone and call somebody. Is
that permitted? It is permitted generally but not specifically? I didn’t know
that you were going to do that. I didn’t know that you were going to try to
send me a reminder, so do I have to as a vendor articulate every single
possible reminder that I could get off of a raw value?

So it is really — I want us to try to think through some of those, and
just be careful today with our language, that we recognize that not all things
may be able to be articulated.

DR. ROTHSTEIN: I think maybe there is a hangup on the word secondary. We
could easily eliminate using the word secondary by spelling out uses beyond
those to which the consumer has agreed when they signed up.

Now, the difference between an EHR and a PHR, even though they are
different models of PHRs, is that for public policy reasons, we don’t want to
put absolute restrictions on what you need consent or authorization for, for
public health and so on. PHRs are voluntary. There is no requirement that you
have one, and when you sign up to have a PHR, you should have a right to know
the uses. If it is for use that you did not agree to, I think the position of
this document is, that is not permitted. So the default is, you can’t disclose
that information.

MR. BLAIR: Friendly amendment to your suggestion, Mark. Instead of
eliminating the word secondary, you just gave a definition of secondary use,
and my suggestion is that you just add that definition there either in a
sentence before or after or in parentheses or something, but don’t eliminate
the phrase secondary use.

DR. DEERING: Just a friendly observation here, editorially. We need to go
on to the very last clause in that sentence, because what you have just
suggested obviates that clause. We specifically added the phrase, recommends
that no health information in a PHR may be used for secondary purposes without
the express consent of the consumer or patient, which may be obtained in
conjunction with the notice.

We wanted to provide by adding that clause that if you can think in advance
of things that you want to do, then you can indeed get it up front. I’m afraid
that if we only substitute what you have said, then we are going back to — it
sounded somehow to me like you are making it more likely that there will be
multiple recurrences.

DR. ROTHSTEIN: That wasn’t my statement. My statement was consistent with
the language that you read.

DR. COHN: I’m going to let Judy make a comment, then I want to go back to
you, Carol. I am concerned that where you are going is going to be far more
restrictive than what you have been arguing against. So I think you better
rethink about whether you are that upset about leaving it a secondary, so I’d
just have you think about that.

DR. WARREN: My concern is, we are throwing around the word secondary uses.
In Standards and Security we are already doing hearings about secondary use of
data. We are looking at it granted more from an EHR perspective, about things
we can learn from that data, but the examples in the use cases I have heard in
this discussion to me all are examples of primary use.

So I am beginning to think that maybe what we need to do is define primary
use and secondary use and be consistent between all of our documents on what
those terms mean.

DR. GREENBERG: I am having the exact same concern.

DR. HUFF: In some of the discussion we just had, in my mind secondary use
just means uses of data that were not anticipated at the time it was collected.
It doesn’t have anything to do with whether somebody approved or disapproved.

DR. GREENBERG: They could have been anticipated.

DR. HUFF: They could have been. So anticipated secondary uses and approved
secondary uses and all other kinds of things, but the principle of secondary is
the idea that I collected this blood pressure to know whether you are
hypotensive right now, and later I can use that for purposes of deciding
whether you have got chronic hypertension or whatever.

That is the idea of secondary use, is just that it is a use — and
then there is a whole different dimension or axis area that says whether that
secondary use has been approved or not approved or other things, and let’s not
confuse those two issues.

MR. BLAIR: Given what Stan has said and what Judy just points out, I think
Mark is right. I think Mark proposed that we change the word secondary use and
instead say exactly what we mean, which is use for purposes that the patient
did not understand it was going to be used for. Your wording was probably
better than mine.

DR. COHN: Maya, did you have wording for us?

DR. BERNSTEIN: Carol and I have been having a slight side conversation when
she said maybe we should talk about secondary uses. I literally was thinking to
myself, I really don’t want to pick that scab, because trying to define what we
mean by secondary uses is very difficult.

I don’t necessarily want to shy away from it, because it is probably
important for us to understand. But so far around the table, I have heard about
four different definitions of what people completely intuitively think we mean
by secondary uses.

Paul earlier said — he used the phrase patient expectation. Mary Jo then
said — she referred to the up-front notice, the list of things that a patient
gets told. Then somebody else over here said — I’m sorry, I don’t know your
name.

DR. COHN: Judy.

DR. WARREN: Said we should make a definition an industry standard of what
counts as a primary use and what is a secondary use. That is different from
what the patient might expect when they think a PHR is. What if the vendor just
puts in their notice, we are going to use your information for marketing
purposes? Does it become a primary use because we have been notified up front,
or is it really a secondary use because it is not the sort of thing that we
normally would associate directly with a PHR?

All I am saying is, this is not an easy problem to solve.

MR. BLAIR: But Mark’s definition I thought was very appropriate. He said,
we replace the words secondary use. I can’t phrase it as well as Mark’s, but
Mark’s was essentially any use of the data that the patient was not aware of
when they signed up for the service.

DR. WARREN: Actually, he said uses beyond those to which a consumer has
agreed in advance, which means — what does that mean, to agree in advance?
Does it mean I got the notice and I signed on the line that it is okay?

MR. BLAIR: Yes.

DR. WARREN: Therefore, if the list included marketing, that’s okay?

DR. COHN: What is the primary PHR use? I would ask everyone, I think I may
even go where Maya is going perhaps, which is, do we really need this level of
precision in this recommendation, I guess is the question. Are we being helped
by this?

DR. TANG: One of our recommendations is to come up with a taxonomy. While
we could defer this to that exercise as well, since so much of what we are
recommending hinges on this, particularly around privacy, it would be worth our
while to make sure we are clear.

DR. BERNSTEIN: I take your point. If these recommendations are taken up,
first of all I don’t think we can solve the definition of what secondary use is
here, given the different possibilities. I think all of them are completely
reasonable ideas about what secondary use is. I think that if we try to define
it further in this letter, it is going to take us awhile and it will be
difficult, and the letter has to go out.

My understanding of the committee’s goal is to get this letter out. I do
think that this is just the type of issue that the privacy committee has
expertise in, and that if we want to go into further detail, it is the sort of
thing we can — it might be more than one subcommittee, actually, could think
about it.

But since we are only recommending voluntary industry compliance anyway,
any vendor who takes up any of those definitions of secondary uses and follows
it will be doing more than probably we expect, and it will be a good thing. So
whether they decide that they go by Paul’s patient expectations or they use
Mark’s language, whatever it is in the list and we have a consent, or they use
some industry standard or their company standard and they stick to it, that
will be a good thing, based on this recommendation.

So I’m not sure that it is really required to really understand what we
mean just yet. If we want to understand it further, I do think it is something
that the Privacy Subcommittee could pick up.

DR. DEERING: I have such a simple fix.

DR. COHN: Okay, please.

DR. DEERING: Just simply delete the word secondary. I think it does it all.

MR. BLAIR: That is the thing that concerns me. If you want to replace that
with what Mark said is the principal exposure, then I can understand that. But
if you just delete it without — then what is left?

DR. DEERING: I’ll read it to you. Let me read it to you. In those
situations where HIPAA does not apply, uses of disclosure of information in
PHRs should not be allowed without the express consent of the consumer or
patient.

DR. COHN: Then the next sentence —

DR. DEERING: The next one is virtually the same. NCVHS recommends that no
health information in the PHR be used for purposes to be used without the
express consent of the consumer or patient. In other words, you are not going
to use it unless they say so.

DR. GREENBERG: I agree. Obviously the patient is going to agree to it being
used for himself.

MR. BLAIR: Mark, do you feel comfortable with that?

DR. ROTHSTEIN: This would not be the way I would draft it, but hearing such
support for it, far be it from me. I can live with that.

DR. COHN: And if you have other thoughts, we can consider them during the
NHII Work Group meeting. So does that help? Carol, are you happy with the
outcome?

MS. MC CALL: I think for now. There is work to be done, that is obvious.
But for now, I think it actually makes more clear the issues. It gets to what
Mark was saying which is, this is complete transparency. If you want to do
something, you have got to let me know, and I have to know that and agree to
it. Otherwise you can’t do it. Otherwise, it just begs the definition of
secondary, which is what I did not want us to get stuck on from this
recommendation.

DR. CARR: I was going to say the same thing. In this voluntary patient
decision, this is just the patient’s permission. I think secondary is very
important for us to define in a retrofit to this perhaps, but I agree. So I was
going to say the same, take the word out.

DR. BERNSTEIN: What would you like to do with the third sentence?

DR. COHN: Of which recommendation?

DR. BERNSTEIN: Of recommendation six, or five, for that matter. If you take
out the word secondary from the third sentence, you have got a problem.

DR. GREENBERG: You take out for secondary purposes. You just say no
information in a PHR can be used without the express consent of the consumer.

DR. BERNSTEIN: I’m saying it means that every use, internal or external,
minor or major, any use, you have to have a notice about it, you have to be
able to describe it, and you have to then get permission for it, which is
cumbersome, let’s just say.

If you are a vendor, I think it is cumbersome. I’m not even talking about
the things you didn’t anticipate. These are just the things you can anticipate.

DR. ROTHSTEIN: But I don’t think there is any way of getting around that.

DR. BERNSTEIN: Okay, that’s fine then.

DR. ROTHSTEIN: Because secondary, the word, tried to contemplate all those
uses to which people wouldn’t normally consent without their knowledge.

Keep in mind, what we are talking about are PHRs that people are
voluntarily — they think this is their records. If other people aggregate data
or refer for other purposes, let’s get their permission, and especially in
number five where we are talking about pilot projects, where presumably the
Department has greater control over things. I don’t see that as a problem.

DR. COHN: I am hoping that maybe we will make it beyond privacy sometime in
our lives, but I hold that as a hope rather than a reality. Any final comments
about privacy before we move on to security?

Okay, let’s move on to security. The security recommendation, it says for
any HHS-sponsored pilot projects and any HHS contracts to produce PHR systems,
HHS should require that security protections consistent with the HIPAA security
rule be implemented.

DR. DEERING: You skipped one.

DR. COHN: Oh God, I’m not going to read that. HHS should work with relevant
stakeholders to promote and develop a standard framework for authentication,
access control, authorization and auditability based on a variety of
principles, which I will not read all together here.

I think there is some wordsmithing pieces, where we bounce back and forth
between consumer-patient and patient and all of that in the first paragraph. We
probably want to use the term individual. Other than that, I thought it was
okay.

DR. TANG: Let me try to set the context first.

DR. COHN: Is this a question or a comment?

MR. TANG: It is a change to that recommendation.

DR. COHN: Which recommendation?

DR. TANG: Recommendation eight, fourth bullet, last part of the last
sentence.

DR. COHN: Do you want to read that whole —

DR. TANG: Well, one of the things is a long sentence, but the last part of
the sentence talks about the ability of the patient to add information to the
PHR, should include functionality that provides the patient with the ability to
control who has access to patient entered information, comma, including
specific subsets of that information.

One of the issues around this whole control aspect has been whether it is
feasible technically to allow a patient to control access to parts of
information. We had divided it between PHR and EHR. EHR has very explicit uses
defined by HIPAA and by common practice. So in this particular bullet four, it
talks about giving the patient the ability to cordon off or use what is in
their PHR in any way they choose, which is reasonable, but it is making the
assumption that this PHR is a stand-alone PHR. In the case where the
information is either a view of or has been submitted to the providers and
incorporated into an EHR, I don’t think — the patient would not be able to
subset that particular piece of information from use.

Jeff is nodding, and you are —

DR. COHN: I am confused. I see we have a section here that describes PHR
and then PHR systems which are views into the provider, which is what I think
you are talking about. You are talking about the specific patient information
the patient is entering themselves.

DR. TANG: Yes. This statement says we recommend a PHR vendor should give
the patient control over specific subsets of data that they enter. While that
can be true in a PHR that is stand-alone, it would be — for the reason we
discussed before concerning EHRs, it would be impractical for information that
the patient has entered through a PHR, that is essentially posted in the EHR.
Was that clearer?

Let me give you two extremes of PHRs. One is a self-contained stand-alone.
The patient enters information, has control over it, and can share pieces of it
to whomever they choose.

PARTICIPANT: Give me an example.

DR. TANG: Sexual history. The other extreme is that the PHR is essentially
a portal into an EHR. If a patient enters information such as their sexual
history into that PHR, which is basically an application view into the EHR,
then it will be impractical for the provider, who has accepted that piece of
information you have contributed to segregate it from other pieces of the EHR.

So this statement appears, when I look at it more carefully, that it is
assuming the stand-alone PHR, and this recommendation could not be applied to
the integrated EHR-PHR.

MR. BLAIR: So are you suggesting that we have a context label for this,
saying for stand-alone PHRs?

DR. TANG: Either that, or I was going to append, where this sentence
becomes two sentences, but incudes specific subsets of that information, comma,
if it has not been incorporated into the EHR.

DR. COHN: John Paul, would you like to comment on this once, since you
provided major input int this?

DR. HOUSTON: I don’t agree with Paul that you can’t control access to that
type of information programmatically within this type of environment.

I would say this, that maybe in cases where someone would design something
so that they can’t — you can’t do what you are talking about, you can’t have
the patient control access to the patient’s information. But I think that is a
design issue.

But having said that, maybe if there is a way to couch this in terms of, to
the greatest extent practical, or something of that sort. But again, I don’t
agree with the premise in its entirety.

DR. TANG: My claim is that there is no commercial system that I am aware of
where you can segregate out information.

DR. HOUSTON: I don’t know of that many commercial systems where there is a
— I shouldn’t say that. I know there are a few systems out there where there
is a merging of PHR information and EHR information. But I don’t think there
are a whole lot of them that are out there. In fact, I think a lot of them
actually segment the data.

DR. HUFF: This whole part is future, anyway. It says we are creating a
framework and standards that we want people to adhere to in the future, right?
It is not talking about whether it is implemented in systems today.

So I am just supporting what John is saying. I think it is accurate the way
it is stated, according to our intent. I think it is. Programming is
programming. You can program something to do this. We are not setting any time
frame. We are setting an objective, and I think this is the appropriate
objective.

DR. TANG: Conceptually, if you are taking a history verbally rather than
electronically, and my point will be that there shouldn’t be a difference, then
when you tell me something, I either include it in the record or I don’t. Once
I include it in the record and EHR, then I deal with it the way HIPAA allows me
to deal with it, that is, minimum necessary disclosed for treatment.

If I receive it electronically, I don’t see why that should be any
different, or why you should program a system to segregate all the —

DR. HUFF: That isn’t what this says. This says, if I independently enter
data in my record, and you include it in the PHR, I should continue to have
control of that.

DR. TANG: What is the difference between independently electronically and
independently —

DR. HUFF: Because in the one case, the information came through you, and
you are the instrument and it is attributable to you, the fact that you heard
it and recorded it in the record.

DR. VIGILANTE: And you often don’t say what the patient did. The patient
may write a very, very long narrative history that you condense down into a
sentence or two.

DR. TANG: We are dealing with this right now. Once the medical record is an
official instrument of the provider, when the patient brings a piece of paper
or a diary or whatever and they choose to extract it, and they choose to
incorporate it wholesale or choose not to keep that document and put it in our
medical record.

Similarly, I think patient submitted data must be validated and accepted
into the provider’s EHR.

DR. HOUSTON: But there is another aspect to this. If the patient doesn’t
necessarily know architecturally how the PHR that he or she is interacting
with, whether it is bolted to an EHR in the back end, whether it is
freestanding, or what. I think from a consumer expectation, the fact that one
provider says — one PHR provides access controls to the patient, it allows the
patient to decide how his or her information can be viewed by whom, you might
have another provider who will say, I’m sorry, we can’t because all your
information goes into my EHR, and since it is in my EHR you don’t have any
controls over it now because it is part of my EHR.

I just believe this is functionality you can program into it.

DR. HUFF: What we are talking about is attribution of information and being
able to accurately attribute information to its source. If it is a complicated
source, that can be complicated. But for instance, I have the obligation
already, if I receive laboratory data from an outside laboratory, I have to
attribute that information not to my lab’s — I have to keep in the record that
this information came from that primary laboratory. I think we are just
requiring the same here. If the initial source

was the patient, that should be noted. Sometimes that is noted by the fact
that you are saying it is in the history section of this thing. In other words,
I know that somebody told me this. I didn’t see it. Other times it is more
explicit, where you say it was this laboratory that this lab data came from.

I think all this is saying, you need to be able to attribute data to the
patient when they are the original source, and you need the capability in your
system to then allow access to that accordingly.

DR. TANG: First of all, the attribution is always there. I think what this
statement is saying is, we are giving them — they obviously have access to the
information; that is guaranteed by HIPAA. But this statement is recommending
that they have additional control over a piece of their medical record.

DR. HUFF: All they have control over is this stuff that they have entered.

DR. TANG: I understand, but —

DR. GREENBERG: If it is attributed, then why couldn’t — if it is clear,
and you have to attribute that this information was submitted by the patient,
then it would seem technically you could allow them that access. You could
allow them that decision power.

DR. TANG: You could, of course. So now we are breaking up the record into
pieces, and the principle of HIPAA, meaning you share the minimum necessary in
order to treat the patient, falls apart if we are having to say, by attribution
the rule only applies to information that is not attributed to source A.

DR. HOUSTON: We are not talking about an EHR, though.

DR. TANG: So my qualifier, I am just adding a qualifier to that phrase that
says, if it has not been incorporated into the EHR. If you submitted the
information to me, then I would take that as consent to incorporate it into my
record about your care.

PARTICIPANT: But the problem I have is this. A PHR that is bolted to an
EHR, tethered to an EHR, the consumer-patient may have no idea that that is
occurring. To them, the PHR that they interact with, and they put their
wellness information, or their other information related to their diabetes and
whatever else, they view that potentially just the same as they view a PHR that
is untethered to something else. So the fact that behind the scenes Hospital X
decides that it is going to merge all that information into an EHR can be done
without the patient ever having any knowledge or understanding that he or she
has now given up rights to that data.

DR. STEUERLE: — for electronic submission of information, a PHR, how does
that differ from verbal transmission of information?

MS. MC CALL: I think that is actually key here.

DR. STEUERLE: A hospital designated that it came from me, even my name,
that it came from me or it came from somebody else, are things that I might
submit in a handwritten document.

I think you are saying, Paul, you can’t even apply it to the electronic
transmission of data, you have got to apply it to all data provided by the
patient. You have to have a consistent rule.

DR. TANG: From patient verbally in office.

MS. MC CALL: I think the situation that is being described is, imagine that
I go to Dr. Simon and verbally give you the information that I am X height and
weight, and that goes into the EHR, and there it is. Now I can look at that
through this portal.

Alternatively, I don’t give you my height and weight, and then I come in
and I add that to the PHR separately, and I put in my height and I put in my
weight. On those elements that I added myself, I hear us saying yes, I can let
you see them or not, but for those that I give to you verbally, that came
trough the EHR door, and those are — they are treated differently.

DR. VIGILANTE: On the other hand, when you take information from a patient,
very often there is an interaction. You test that information, you go back and
forth. Someone says, I was unconscious. Then you find they really weren’t
unconscious, they are a little drowsy, or they describe pain as being sharp, or
there is always this interchange with them that generally improves the quality
of the information in terms of its medical relevance.

I see that historical information provided by patients may not have the
same medical meaning as interactively with pain history. I think distinguishing
that at some level is important.

DR. COHN: I know you are trying to argue your case. I am looking at the
whole four. You are trying to make a little change that at least to my view
makes the differentiation between PHRs and EHRs and all this. I can’t tell the
difference any longer as you start describing this. I don’t know with a
connected really PHR when it becomes EHR information versus when it becomes PHR
information.

DR. TANG: I think that is a crucial piece, though.

DR. COHN: Well, it is, but how do you tell?

DR. TANG: Let me take Carol’s example, if she does not tell me her height
and weight. She goes home and enters it into her PHR. That is still completely
hers. When she hits the submit button, then it becomes mine to accept into the
EHR and to deal with it as part of the EHR.

DR. HOUSTON: I would argue it doesn’t. Take the same scenario and apply it
to a freestanding PHR. You have no rights to that data if it is freestanding
and unbolted.

DR. TANG: No, when you hit submit to the doctor, it becomes part of the
doctor’s —

DR. HOUSTON: But in this context the PHR is the personal health record.
This patient might be entering data into his or her PHR for the purposes of his
or her health management, not understanding that the fact that this data
becomes available for other purposes, because of the fact that it is bolted to
an EHR. T hat is the issue.

If you take the HMP and you enter data into the EHR, yes, I absolutely
agree with the right. I think we are talking about the fundamental issue here
of the patient —

DR. HUFF: Just to clarify and make sure that we are not misunderstanding
each other, to me if I tell you the information in my office, obviously I
wanted you to understand it, because I shared it with you personally by saying
it. If I am at home and I choose to use IHC’s personal health console, which is
our portal into the record, and there is a sexual history questionnaire there
that I fill out, and I say, there is some stuff I want to record here or who
knows what, my expectation is not that because I used IHC’s PHR that that
information would necessarily come to your knowledge.

I just want to make that part explicit. I don’t think because I chose to
use IHC’s PHR I should give up the right or have the assumption that the data
that I entered is now available to everybody who uses IHC’s EHR.

DR. TANG: But that is not what I am saying, that is the most important
piece.

DR. HUFF: That is why I wanted to see if we were understanding each other.

DR. TANG: I don’t think we are. Regardless of the technology, how
information is stored, that is your point, patients have rights over what they
enter, meaning to keep private, no matter where it is stored. So the difference
is the send button. So in our case, the value people get out of the PHR that we
have, which is a view of their EHR, is because it is a view of their EHR. In a
separate, clearly marked place is a place they can enter as much information as
they want into various sections, and it goes nowhere but — it is visible to no
one but them. That may be their supplement.

When we have a — we call it pre-visit questionnaire or HRA, that stays
with them. When they hit submit, it becomes our privilege to accept and
incorporate that information that they have submitted to us in the EHR. From
then on, it is treated as part of the EHR.

So the case that you just presented, Stan, if I store stuff not intending
to send it to me, it should go nowhere. When you hit the submit button, then it
is like telling us.

DR. HUFF: So I think we are agreeing then what the behavior should be. I
thought this expressed that pretty well. So what would you add?

DR. TANG: The addition is, comma, if it has not been incorporated into the
EHR because the definition of PHR may include the functionality that most
patients do want actually, to be able to use it —

DR. HUFF: I don’t think that helps, because what is the definition of the
EMR? That personal part of the data to me would be in the same database in the
same file using the same coding system, so it is in the EHR from one
perspective, so I’m not sure when it is added to the EHR it clarifies what our
intent is.

DR. CARR: Painful as this might be to say, it actually does tie back to the
privacy thing, because once it is in an EHR, it becomes available for secondary
uses. I think the reality is, we are trying to create divisions in something
that is really a continuum, and the more we get into it, the more confusing it
becomes. As John says, the patient doesn’t know what the architecture is.

But I completely agree with what you say. Once it is there, if there is a
chart review that has to be done or — as with a paper record. A patient hands
you something and it gets put into the record, it is there and visible to
anybody who does the chart review. So we are just making — it is more
tractable and auditable now, but I think the reality is exactly as Paul says. I
think that we are leaving patients with this arbitrary confusion, but we can’t
say that it won’t be used for secondary uses once it is submitted.

DR. DEERING: I had an editorial suggestion, which is of course my role
here. I would like to add maybe two verbs to Paul’s recommendation that could
take care of perhaps both the patient’s action and the institution’s action.

Paul would add including specific subsets of that information —

DR. COHN: Could you read the whole paragraph?

DR. DEERING: Okay. PHR systems that are views into providers’ electronic
health records and that allow the patient to add information to the PHR should
include functionality that provides the patient with the ability to control who
accesses the patient entered information, including specific subsets of this
information. Then I would modify Paul’s clause to read, unless it has been
submitted to and incorporated into the provider’s EHR, just because it makes a
more conscious effort.

DR. HOUSTON: I think of this a little bit differently. I think there needs
to either be some understanding — the patient has to either authorize or
accept through some type of online terms and conditions which we described in
number one, the fact that this information is going to be included in the EHR.
I think that is the way we need to state this.

DR. COHN: I think that was already handled in the privacy section. I think
that will be different from environment to environment. Some will do it with
each piece of information, others will do it with use of the system, I would
imagine.

DR. DEERING: I also have an alternate editorial recommendation which may or
may not accomplish the same thing. It would be in this area number four.
Instead of adding language, we would delete it. To say very simply, PHR systems
should include functionality that providers a consumer with the ability to
control who accesses the consumer’s information within the PHR. This would
include the ability for the consumer to provide access to specific subsets of
information within the PHR, period.

Then, through terms and conditions of use, I would understand that I can in
fact control whether or not somebody sees that information. How do I do that? I
don’t submit it to the EHR. Because the functionality is capable, I need to
understand how to use the system. So it affects the same thing you were talking
about. But what I don’t want to do is bind us into hit enter and all of that. I
think we go down a bad path. So that is my recommendation.

DR. COHN: Who has other comments?

MR. HUNGATE: I am troubled by this discussion. In the privacy hearings, I
heard articulated the view that patients needed to be able to say to their
personal physician, I don’t want that information shared beyond my confidence
with you, unless you tell me. That is something a patient would expect.

DR. TANG: That is an NHIN comment. They want to be able to opt out of
sending it on.

MR. HUNGATE: Right. Now, it sounds to me in this context like we are saying
that if it went into the PHR on mine and then move to the EHR, I lose that
control. That is the interpretation I make on what we are saying.

DR. COHN: No.

DR. GREENBERG: That is not even being addressed here, I don’t think.

MR. HUNGATE: Then I don’t understand. I apologize for this.

DR. COHN: I am hearing two different ways of handling this. We may at some
point decide to send this over to the NHII Work Group to come back with a
recommendation. They are both attempts to get to the same end, I think.

MR. REYNOLDS: We have been talking about this in lots of the committees at
great length. We have got to be careful. I hear what, Paul, as you say it, but
you are assuming you are the only EHR that a patient would have. You are
assuming that whatever they put in the PHR is only for use by you.

One of the things is that we have got to keep clear the structure of a PHR.
PHR says part of it is mine, and we talk about views; a payor could do one, a
stand-alone vendor could do one, a hospital or doctor could do one. So those
are the three kinds of models that you have.

When you say PHR, if you are not going to let the patient have control over
some piece of it, then don’t call it a PHR. It is EHR in multiple places, with
patient input. So that is the number one issue here, is, this is the personal
health record.

We got into it in the privacy committees and everything else. The
definition of these things just goes like this. Depending on who is looking at
it, it puts them all in the middle. So all the discussion has been that the
person in the PHR can have some segment to protect and decide what happens.
They can then have, whether a payor gives them claims data, that could be one
PHR, or whether it is connected to six of you in this room through your EHRs,
the views come up and now they have got a complete thing when it turns to an
NHIN. But the point is, let’s don’t morph PHR and EHR. If we do, then we will
never be able to explain it to the general public, we will never explain it to
anybody, and we are going to struggle mightily to decide what to recommend or
not recommend.

DR. TANG: I think we agree on all the principles. What we are talking about
is the sentence that starts out, for the PHRs that are views of an EHR. That is
why I am saying, then when — for those which are basically views into the EHR,
if someone enters information it says they should be able to control access to
a subset of the information. I am saying no, that is not what we are saying
when it is part of an EHR, or has been submitted or accepted into an EHR.

DR. VIGILANTE: So once you hit the send button, you relinquish control,
because it is there, it exists, you can’t change it.

DR. GREENBERG: I’m with Harry, I think we are confusing two things. I don’t
fully understand all these models, but I think a patient inputting information
to their EHR is a different thing than a PHR. So if you have a system that
gives them a PHR which is a view into their EHR, but you call that a PHR, then
obviously you have to explain to them, this is part of the terms. If they want
to use this, you explain to them, this is your PHR, this is for your use. But
if you say, submit to the EHR, then it becomes part of the EHR. They agree to
that.

I assume you are not talking about a system that doesn’t distinguish
between the PHR and the EHR, or are you? Otherwise, that is just inputting
personal information into the EHR.

DR. COHN: I think Paul is agreeing with you also. Gene, your comment, then
I want to wrap this piece up.

DR. STEUERLE: I’m just wondering why in the end we need this entire
sentence, why we just don’t have something at the beginning, that statements in
this document about PHR should not necessarily be interpreted to apply to EHRs,
which we deal with elsewhere.

DR. HOUSTON: The problem is that the consumer doesn’t necessarily
understand architecturally what a provider decides to do in terms of the
structure of the PHR and the EHR. A consumer when they sign up for PHR may say,
this is great, it is freestanding, I can enter my own data and it is there and
I have a little control over it, only to find out that it is part of a bigger
EHR and all that data is going to be merged together, and they didn’t realize
it.

DR. COHN: As much as I love this particular conversation, I think we are
all beginning to say the same thing over and over again.

What I hear is that we have two options of how we want to address this,
which I think may get us to the same place, or may not quite. I need to see
Carol’s suggestion written down so we can look at it. I think the work group
probably does. My sense though is that we are all saying the same thing.

We are all fundamentally agreeing with the distinction that Paul is making,
which is that once something goes into an EHR, it is part of the EHR and
follows the EHR rules.

DR. GREENBERG: It doesn’t automatically go into the EHR.

DR. COHN: Exactly. I think we just need to see which way solves that
better. I think we have talked this one to death. I don’t want to vote on which
wording is the right wording here, but I think the work group needs to look at
them both, and maybe we can come up with our agreement and bring it back. Is
everybody okay on that?

DR. GREENBERG: Anyone can come to the work group meeting.

DR. DEERING: I was just double tasking, so I’m not sure what —

DR. COHN: I heard your wording and I heard Carol’s wording that got rid of
a couple of sentences.

DR. DEERING: Carol’s wording, if I understand correctly, would take out the
last sentence.

MS. MC CALL: Take out the last sentence as well as the first two words of
that first sentence, the words independently held. It doesn’t draw a
distinction between the types of systems. It is a principle. It says,
regardless of system, a PHR is a PHR, and you have the ability to control who
sees that, period.

Now, I also clarified to say, within terms and conditions, it would be
vital that I would understand that one of the terms and conditions of use is,
if I hit submit to an EHR, what it means for something to become incorporated
into an EHR. But let’s not try to mix these metaphors. I do believe we need to
keep them very clean.

DR. GREENBERG: Would you get rid of that sentence also, that last sentence?

MS. MC CALL: I would dump the last sentence entirely, yes.

DR. TANG: I think the whole problem is with the last sentence, because it
says for PHRs that are basically views of EHRs.

DR. GREENBERG: I don’t think people know what that means, anyway.

DR. TANG: Right, so I think that would still help.

DR. COHN: So maybe we actually have come to a solution. Anything else on
security?

PARTICIPANT: Interoperability.

DR. COHN: Move on to interoperability, okay. We have a number of
recommendations. As I look through this, there are a couple of things that are
probably going to have to be moved around. There is one sentence at the top of
page 11 which I think is a good sentence but in the wrong place, which says,
until PHR systems are capable of widespread exchange of information with EHRs
and other sources of personal health record, their full potential may not be
realized. Great sentence; I’m just not sure that it fits right where it is. But
we will let Mary Jo look around, see what the right spot is.

DR. TANG: I think we have moved that sentence several times.

DR. COHN: I think we have moved that sentence several times, but it just
doesn’t quite go with the rest of the paragraph any longer.

Recommendation ten. Be aware that we are also going to need to decide
whether there are standards development organizations or standards groups or
whatever, but we will clean up that language also. Recommendation ten.
Standards development efforts should be expanded to take on issues related to
authentication, identification of data sources, non-repudiation, communication
to and from PHR systems, mapping to consumer oriented concepts and terms, and
the enabling of consumer/patient controlled access.

Recommendation 11, which is HHS, should encourage standards development
organizations to use standards accepted for EHRs for the PHR where the content
or context is the same.

Recommendation 12. HHS should encourage standards development organizations
to identify essential data sets for PHR systems using standards accepted for
EHR systems whenever possible.

Recommendation 13. For any HHS sponsored pilot projects, any contractual
relationships with CMS that any center undertakes with entities intending to
use CMS data in PHR systems, HHS should require that PHR vendors and health
care organizations adopt data content and exchange standards that are based
upon standards accepted for EHRs as a way of improving interoperability of
systems.

Recommendation 14. Private sector PHR vendors and health care organizations
should voluntarily adopt data content and exchange standards that are based
upon standards accepted for EHRs as a way of improving the interoperability of
the systems.

I think all of this is okay, but it is very redundant. I am trying to think
of some way to knock it down to two or three recommendations, but we don’t
necessarily need to handle that now. We could maybe handle that offline.

Yes, Marjorie?

DR. GREENBERG: As everyone knows, I am a great believer in standards.
However, and I certainly understand the issues of interoperability. I have two
questions. On the standards issue, are you really saying that the standards
accepted for EHRs, at least in the federal enterprise, SNOMED CT, LOINC, HL-7,
et cetera — maybe it is covered by mapping to consumer oriented concepts, but
would you really expect the patients to be entering information? If we say
physicians should be entering information, textual information using SNOMED CT,
are you saying that you would tell the patients to do the same thing?

We don’t yet have evidence that physicians will enter SNOMED. It might need
to be some interface, they put in text and then it maps. So aren’t we really
talking about mapping? I just can’t imagine putting a terminology standard on
patients that you might put in EHRs.

DR. HUFF: There are certainly reasons to have the consumer terminology. The
thing you are trying to prevent here is that the code that represents blood
pressure doesn’t become one code in PHRs and a different code in EHRs.

DR. GREENBERG: I understand that.

DR. HUFF: Well, then I didn’t understand what you said just before that. It
sounded like you wanted patients to not just have synonyms, but a different
terminology to represent their signs and symptoms, and it wouldn’t have any
mapping to any common standard that could be used for consumer terminology in
EHRs.

DR. GREENBERG: You have to have the mapping, obviously. People know what
the CHI standards are. I really think what you are talking about is, there has
got to be some underlying mapping or checkoff boxes or something. You want the
concept that it is interoperable, but how that — you are dealing with a
different thing with the PHR than the EHR, and how that comes about, I’m not
sure.

DR. HUFF: Somewhere mixed in there is the idea that somehow we don’t need
consumer terminology in EHRs also.

DR. GREENBERG: You do.

DR. HUFF: I think you need them both places. If you need them both places,
we want them to be the same, and that is what this says.

DR. GREENBERG: So you are saying you are going to have to add a lot of
consumer terminology.

DR. HUFF: You need consumer terminology added, but if you add it, you want
it to be used both in EHRs and PHRs.

DR. GREENBERG: I understand that, but the standards that have currently
been accepted don’t necessarily have that in them right now. So I don’t know if
people will make this connection between ten and 11, or if they will see this
as, the standards have been accepted for EHRs, now they have to be — without
enhancement, make them make sense for consumers to be used for PHRs.

DR. STEINDEL: It is well acknowledged that we don’t have a full set of
standards for the EHR. CHI,in particular in their full reports have
acknowledged many gaps in these standards that exist for use in EHRs
themselves.

So I think Stan is perfectly correct; we want the standards to be the same
when they are used for the same thing in the same context. If that means
developing consumer oriented terminology, which it is acknowledged that we need
to do in some areas for the EHR, so be it. We develop the new standards, the
new terminologies that are needed, and they are going to be expressed in both
places.

One of the keys here is, content and context is the same. When we are
taking information — when a patient is entering information about themselves
or we are capturing what the patient says about themselves, that is a different
context than when the physician is entering the information and translating it.

So 11 is a relatively key recommendation, in that it basically says when it
is used for the same thing, it ought to be the same standard.

MS. MC CALL: I like the way that these are laid out. I guess I am not clear
what concern you have.

DR. GREENBERG: I just think that the standards that have currently been
accepted for EHRs are probably inadequate for PHR.

MS. MC CALL: I would agree.

DR. STEINDEL: And no place in this report do we say what the standards are
that should be used.

MS. MC CALL: Or that what is good say for a clinical context is good for a
consumer context. I don’t see it saying that, because if that were the intent
of these recommendations I would have a problem. But I don’t think you guys are
saying that.

DR. GREENBERG: All right, well, if nobody else has that problem, I did have
a separate issue from that, if nobody else wants to discuss that one. I think
there are some assumptions here, that’s fine.

I am curious why — not that I am against it, but why you are recommending
in this letter to identify essential data sets for PHR systems when I am not
sure that the same was recommended for EHR systems. You seem to have resisted
it for the latter.

DR. COHN: I don’t think I can speak to that, because I resisted it for the
former, too. Do people have comments?

DR. HUFF: I thought we had killed it long ago.

DR. COHN: Well, it keeps coming back.

DR. DEERING: It is not a recommendation. I think we kept it in there,
because what we said is, we have stated it as what we heard.

DR. COHN: It is a recommendation, too, recommendation 12.

DR. GREENBERG: No, it is a recommendation.

DR. HUFF: I thought we voted 12 out of existence. I thought it was
redundant with 14.

DR. TANG: I have always felt that we should vote it out of existence, but
we never did.

DR. COHN: Well, what is the sense of the group? Marjorie, thank you. Do we
want to get rid of that recommendation?

DR. TANG: You are saying, get rid of the minimum data set?

DR. COHN: Yes, essential data set.

DR. TANG: We voted it out of existence.

DR. COHN: No, it is still here. We are actually talking about that right
now, Paul.

DR. GREENBERG: Maybe I shouldn’t have raised it, because I actually think
there is some merit to it. But I was just saying, it is inconsistent.

DR. DEERING: All I can think of is, I certainly don’t remember it being
explicitly voted out, so it could be my mistake that it was.

DR. COHN: The recommendation was weakened, I think, time after time after
time, but it survived as a recommendation. What would people like to see done
with this particular recommendation? Paul, did you have a comment?

DR. TANG: I think the whole thing is very duplicative. And because I can’t
count past three, I am going to list three that may survive. Unfortunately, I
thought 12 was one of them.

DR. COHN: We can’t hear you.

DR. TANG: I was going to suggest something like keeping, in order, 12, 13,
10, because it follows a path. Establish minimum data set standards for PHRs
that are consistent with EHRs, for anything where HHS has some authority over
it, like funded projects, they can enforce this. Third, that we need to expand
some of the standards that are developed to include things that impact the use
of PHRs. That was number ten. The other two seem to be subsumed under those
three.

DR. DEERING: I only want to point out that 13 and 14 are parallel to what
we had in privacy. If we had headers, that might make a little bit of a
difference. And 13 is specifically for HHS pilots and contracts, and then the
other is —

DR. TANG: But wouldn’t that be covered by 12?

DR. GREENBERG: I do think 12 is duplicative of 11, and it is better than
11.

DR. TANG: I am just trying to find ways to get rid of —

DR. COHN: It is better?

DR. GREENBERG: Yes, because it says whenever possible. This business about
when the content or context is the same, I don’t really know what is meant
there. I think everybody could interpret that differently. But when you say,
utilize standards accepted for EHRs whenever possible, then I am comfortable
with that. It wouldn’t be possible when there isn’t good consumer terminology
or something.

DR. COHN: So read how you would like to have 12.

DR. GREENBERG: I think 12 can replace 11.

DR. COHN: It talks about data sets, so I am just wondering —

MS. MC CALL: One seems to be more related to taxonomies vocabulary. Another
one may seem to be about the actual data set itself or themselves. They are
related, but they are distinct.

DR. COHN: Maybe it is essential standards.

PARTICIPANT: It is not the data sets. It is really the standard.

DR. COHN: If you change that, —

DR. GREENBERG: It includes the data sets.

DR. COHN: Well, that is arguable.

DR. STEINDEL: To me they are distinctly different recommendations. The main
thing that 12 is calling for is the establishment as Paul said of minimum data
sets for PHRs, and wherever possible, if we do establish one for PHRs, we
should be looking at the same minimum data set that we are using for an EHR.
Utilizing standards accepted for PHRs whenever possible.

I have problems with establishing minimum data sets and issuing a
recommendation for that, because in all the years we have tried to establish
minimum data sets, we have never gotten real consensus on what a minimum data
set entails.

DR. GREENBERG: We have had a lot of success with it over the years. I
disagree with that.

MS. MC CALL: It is a matter of interpretation of item 12. Clearly it is not
well written. My understanding was, if you jump up to the paragraph, the last
two sentences beginning on about line nine, we heard broad agreement that a
core or limited set of data is important. We heard that from several speakers,
although there was no consensus.

DR. COHN: Although there was no consensus.

MS. MC CALL: And that agreement can be useful. So the intention of 12, just
to tell you why I think it survived, is that we are encouraging others to
identify data sets. It is not that they should then impose that data set; it is
that once they have identified the data set, the standards that underpin that
particular data set should be used if they exist for EHRs.

DR. COHN: How would somebody like to handle it? We have heard the
rationale. I feel funny myself making a motion on this one, but —

DR. HUFF: I saw the things that happened that are suggested in 12 as being
an unnamed subset of things that we are encouraging in 11.

DR. GREENBERG: Yes, that is true.

DR. HUFF: I preferred to have it unnamed, so that people would have the
freedom to establish whatever standards they wanted for data sets or for data
exchange standards or whatever, without calling that particular item out.

My experience is the same as Steve’s. We haven’t been great at doing that.
Even though people have called for it, I am personally not convinced that it is
a good way to spend your time. So my preference is to keep 11, because I really
like what it says about content and context and using things the same. It
leaves what should be done to be the whole set of things, without naming
individual parts. So that is why I liked 11 better than 12.

DR. GREENBERG: But to have that last sentence before the recommendations,
or two sentences, and then say nothing about it to me is problematic.

DR. HUFF: I actually disagree with the sentence up there. I don’t think we
heard broad agreement. We heard some people who believed that firmly in their
testimony. I think you could have talked to Clem McDonald and others who would
have violently disagreed.

So the broad agreement, I don’t think you can put that. You can say there
were a set of people who really wanted that and that is certainly true, but I
don’t think broad agreement. It wouldn’t have been broad enough to include me,
let’s put it that way.

DR. GREENBERG: I suggest this requires more discussion, because this is
really a core issue when it comes to standards, and it requires more discussion
than we can do in the context of this letter. So maybe the group can just pare
this down to a few that capture what is here.

But those of you who say you are against core data sets also supported the
populations report that says you should be collecting race and ethnicity. Core
data sets are not minimum data sets. There are certain things you have got to
collect, and this is the standard way to collect it, unless there is some
overwhelming arguments for not collecting it.

That is what core data sets or minimum data sets do. They don’t say this is
all you can collect, but they assure that at least for a core of information,
you have standardized data. I don’t understand why — I have had this argument
with Don Dettmer, too; I just don’t understand why people are against that. I
know they are afraid that then people won’t collect anything else. That is not
the point. The point is that you can’t establish standards for everything, but
if you can at least for a core, you are ahead of where you were by establishing
none.

DR. WARREN: I am coming down on the side of Stan. I think we have done a
terrible thing of trying to identify minimum data sets. The first question I
want to ask is, from whose perspective? So do we go around and we have 20
different minimum data sets that we use for PHRs, or are we only talking about
one? And if we are only talking about one, who decides? Do we only put a couple
of people to decide what that is? I think that is why we have never come to
consensus on this. We haven’t even talked about the purpose of the data set.

DR. STEINDEL: Marjorie, our big problem with core data sets, minimum data
sets is, we have been reasonably good at getting agreement on name, rank and
serial number, the basics, demographic information. But once we go beyond that
and start asking for any type of clinical information, you don’t get consensus.
What people are asking for in the PHR is beyond the demographics.

DR. TANG: What about NEDS?

DR. STEINDEL: We are dictating there. This is where you get agreement.
Paul, I am being very specific. This is where we have gotten agreement. Any
type of minimum data sets that are proposed have come from organizations who
have gone through a deliberative — which NEDS has done — a deliberative
process with their partners. Once that deliberative process has finished, they
have put out a specification and said, this is what we agree to in the core
data set. You will find that pediatricians agree to a core data set.

DR. COHN: There are data sets, things like the billing forms, which have
been very successful because you are requiring them.

What I want to do is let Mike talk. I guess I am hoping that we can come to
some — I don’t know that we are going to be able to come to a conclusion here.
This section may have to go back to the work group for some work. Clearly if we
are going to get rid of 12 or do something to it, we need to modify the
sentences above.

Mike, do you have a parting comment on this one?

DR. FITZMAURICE: Two items of suggestions. One of them is that on
recommendation ten, where it says standards development efforts should be
expanded to take on issues, I would suggest take out the take on and put in,
address solutions to. Take on is too nebulous; it is address solutions to.

DR. GREENBERG: Yes, that is good.

DR. FITZMAURICE: The second suggestion I would make to the re-writers is,
whenever you talk about utilizing standards accepted, accepted by whom? Are we
talking about standards accepted by the Secretary for use of clinical
information? Who is doing the accepting? You have got to address that.

DR. GREENBERG: Yes, that is where I started.

DR. FITZMAURICE: I’m done.

DR. COHN: Good point.

DR. GREENBERG: He just said it better.

DR. COHN: Would the work group like to take this back and see if we can
clean this up and bring it back tomorrow?

DR. DEERING: We have an hour and 15 minutes, is all we have.

DR. COHN: I know.

DR. HUFF: We would be happy to.

DR. COHN: Should we move on to the remaining recommendations here? Federal
roles in PHR systems, internal and external. On page 12 there is a sentence
some people had a confusion about which I didn’t even understand, lines 16, 17,
18, at least on mine, says, these systems can be successfully deployed in an
environment of limited Internet connectivity through focused education and
support functions.

Probably true. I just didn’t know what that had to do with anything in
relationship to all of this.

Recommendation 15. Federal agencies should assess how they can more fully
explore and appropriately promote the benefit of PHR systems across their
respective roles.

Recommendation 16. Insurers in the FEHVP should identify opportunities to
offer interoperable PHR systems to their beneficiaries.

Recommendation 17. The federal government should identify and address
issues related to information technology access and use, particularly by
underserved populations, to limit the dissemination of PHR systems. HHS should
also address health literacy requirements that could limit the use of PHR
systems by the most vulnerable populations.

DR. STEUERLE: Can I just ask, when you say something like insurers in the
federal health benefits plan should do something, we are writing a letter to
the Secretary. Are we recommending the Secretary recommend to them? Is there a
transmission process? There is no responsibility here.

DR. COHN: HHS should recommend to OPM that they. Are you talking about
that?

DR. STEUERLE: You are asking the Secretary to recommend to?

DR. FITZMAURICE: The Secretary must be on a committee with OPM that
oversees the federal health benefits program. There must be a group that
provides advice to that program that includes HHS. So in advising the
Secretary, the Secretary I’m sure has avenues for that.

DR. STEUERLE: I am just trying to get the responsibility lined down. We are
making a recommendation. Who is going to make sure that recommendation gets to
OPM?

DR. DEERING: Can I tell you why I think it says it exactly the way it says?
We may not wish to stay with it, but the logic behind it was, remember, in both
privacy and security we have made recommendations directly to industry. We call
them voluntary. The prior NHII report made only a limited number of
recommendations directly to the Secretary, and made numerous recommendations to
other stakeholders.

So in the spirit of putting this directly in the hands of the insurers,
that was the parallelism. We did talk about addressing this directly to the
insurers, that not any federal agent. Now, we may not choose to go that path.

DR. STEUERLE: That is fine, but does that mean that we then transmit this
letter to the insurers and circle it? I am just asking, who is transmitting the
recommendation to the insurers?

DR. DEERING: We have got Blue Cross Blue Shield in the audience. They read
them. The report goes out after it is disseminated.

DR. FITZMAURICE: My thinking is that most always, we are recommending that
the Secretary do something for the Department, the Secretary acting for the
Department. So it is requires working for another government agency, then the
Secretary working with another government agency to help to bring something
about.

MR. HITCHCOCK: I think it could be rephrased, actually. The principle of
the thought is a good one, but it should say something like, HHS should explore
avenues with OPM to carry out the rest of the recommendation.

DR. GREENBERG: You think it should say that?

MR. HITCHCOCK: It should say that, yes, words to that effect.

DR. FITZMAURICE: That’s good.

DR. GREENBERG: I think it is a good idea. I agree with Mary Jo that the
committee has a long history of making recommendations to the industry or
others, and then we try to disseminate the reports. So I think that is a very
good point Gene has made, too. In fact, we are now working on a dissemination
strategy for the Populations report; the same thing needs to be done for this.
Certainly all the people you want to have voluntary —

DR. COHN: So I think we are talking about rewording this one. Any other
recommendations in this section?

The final one is on research and evaluation. We have, the Secretary shall
request that all agencies review their research portfolios and program
operations and report to the Secretary on the ways they could contribute to the
research and evaluations of PHR systems.

Recommendation 19. HHS should collaborate with OPM to help implement pilot
studies of PHR systems with payors and beneficiaries of the FEHBP.

Recommendation 20. AHRQ should expand its evolving health information
technology research portfolio to include studies of PHR systems, especially in
regards to health services research and metrics.

Recommendation 21. CMS should conduct pilot studies of PHR usage in the
chronic disease community to evaluate the utility and the cost effectiveness
for beneficiaries, providers and payors.

I think overall, the only question that I have is, 19 and 16 seem a little
— in one recommendation we say go off and do it, in the other one it says,
pilot studies. So we have two different strengths of recommendations here. What
would we like to see? Or are we comfortable leaving them both? Would you like
to remove 16 then?

DR. GREENBERG: Because that would encourage them to offer interoperable PHR
systems if you did the research.

DR. COHN: Are people comfortable with that? So we will remove 16 then.

DR. HUFF: Are we done?

DR. COHN: We have two other issues to talk about.

DR. ROTHSTEIN: I have a question about the text at the top of page 13. I’m
not crazy about the very first item, which is called market research. I have a
couple of problems with it.

Number one, market research is not something that is not usually undertaken
by the Department or federal agencies. It implies seeing what the market is to
buy new cars or a new brand of soap. We don’t really talk about that in the
recommendations, so I would recommend something like PHR adoption research or
something along those lines, because that is what we are suggesting here.

PARTICIPANT: How about consumer research?

DR. ROTHSTEIN: Anything other than market research.

MS. MC CALL: That term is essentially taken and has meanings to different
people that are completely different. So even PHR adoption research.

DR. ROTHSTEIN: The other recommendation that I would have is to consider
deleting the third sentence, the one that begins with the word when. I don’t
know what that adds.

DR. FITZMAURICE: What line number is that?

DR. ROTHSTEIN: In my copy it is line six.

DR. DEERING: I think the goal there was to say we are going to have this
taxonomy or matrix of different PHR systems and what they can do. Then you do
this audience research about who wants or needs what, how would they be likely
to use it, and you really need both pieces to most effectively both design good
products and, from the federal government’s point of view in particular, to
decide what actions to take.

DR. ROTHSTEIN: I think the second sentence says that. Then the third one is
superfluous.

DR. COHN: I think it makes sense to remove it. I’m not sure there is a
value added there. Mark, other things?

DR. ROTHSTEIN: No.

DR. CARR: Simon, can I just one other thing? The one about metrics, that
NCVHS concludes a series of metrics around PHR systems, usage, process outcomes
and impact should be identified and tested, monitor validity and all that. Is
that a secondary use? How are you going to measure the outcome if a person
entered certain information into their PHR, how did they change the outcome,
but you are going to have to know what they put in.

DR. COHN: That is Justine. You may be right, but we removed the word
secondary. I think as part of the research agenda though, there needs to be
some —

DR. CARR: It is part of research, but it does challenge that we are going
to need to know the content to know how it turned out. That really is a
research thing, it is not an ongoing metric.

DR. STEUERLE: If it just decides ex poste it is going to do a survey of
PHRs and it goes around to vendors and you said up a requirement that says we
can’t tell you anything.

DR. COHN: I hear what you are saying. I don’t think I have any comment
other than thank you. I think it is fine as it is, but I do hear what you are
saying.

DR. FITZMAURICE: I would suggest an amendment to recommendation number 20.
It currently reads, AHRQ should expand its developing health and information
technology research portfolio to include studies of PHR systems, especially in
regards to health services research and metrics. I would change it to support
health services research and the development of metrics to assess the impact of
PHR systems on quality of care, patient safety and patient outcomes.

DR. COHN: Okay. Can you give that to Mary Jo?

DR. FITZMAURICE: Sure.

DR. COHN: I think that is basically wordsmithing.

DR. FITZMAURICE: What the metrics are applied to.

DR. COHN: Exactly. Is everybody okay with that? I think that is fine.

So before we move on to the other two items that we need to talk about
before we can take a break here, number one, we are going to come back with
this tomorrow. What we will be doing is looking through the new sentences. We
will give you a marked-up version, because I think that is probably the best
way to handle it, so you can look at the changes. We will be focusing primarily
on privacy and security, along with — actually, security I think we handled,
so privacy and then the interoperability piece, because most everything else I
think there was pretty good agreement on. The NHII Work Group will focus
predominantly on the new wording for the privacy as well as whatever we do with
the interoperability recommendations, and come back with recommendations
tomorrow.

I am hearing overall support for most of what we talked about. I think it
is mostly wordsmithing, as well as some decisions on these recommendations.

Now, there are two other pieces that we need to review today. Hopefully
they are relatively rapid items.

Agenda Items: 2003-2004 Report

One item is the 2003-2004 report. This is something that we all reviewed
last time. It now has a forward, which I don’t think you get to vote on, since
it is from John and I. We now have a new looking ahead section that has
replaced the research section.

Now, we will take comments. I personally think that this is pretty well
done, and would certainly consider — if you have no substantive comments, what
I would suggest that we might want to do is to consider taking this on as an
action item for today, with the ability of the executive committee and Chair to
make some minor wordsmithing changes to it.

DR. ROTHSTEIN: So moved.

DR. HOUSTON: Second.

DR. COHN: Is there any comment about the changes?

DR. GREENBERG: My only comment is thanks to Sue.

DR. COHN: So all in favor then, aye?

(Chorus of Ayes.)

Agenda Item: HIPAA 7th Report to Congress

DR. COHN: Opposed? Abstentions? Our next item is the HIPAA report. This is
marked draft. It is about 20 pages long, actually 23 pages long. I would ask if
people have comments about the HIPAA report.

DR. TANG: Move acceptance.

DR. COHN: You move acceptance on that one. Any comments, any changes,
modifications? Is there a second?

DR. STEINWACHS: Second.

DR. COHN: All in favor, say Aye.

(Chorus of Ayes.)

DR. COHN: Opposed? We are running about ten minutes late. What we will do
is adjourn, give everybody a break for about ten minutes, and then we will
reconvene.

(Whereupon, the meeting was adjourned at 3:25 p.m.)