[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

National Health Information Infrastructure Workgroup

July 28, 2005

Hubert H. Humphrey Building
Room 800
200 Independence Avenue, S.W.
Washington, D.C. 20001

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, suite 180
Fairfax, Virginia 22030
(703) 352-0091

TABLE OF CONTENTS

  • Welcome and Introductions
  • Discussion of Draft Letter to the Secretary on Personal Health Records – Workgroup

P R O C E E D I N G S [8:40 a.m.]

Agenda Item: Welcome and Introductions

DR. COHN: Good morning. I want to call this meeting to order. This is our second day of meetings of the National Health Information Infrastructure Workgroup of the National Committee on Vital and Health Statistics. The National Committee is the public advisory committee to HHS on national health information policy.

I am Simon Cohn of Kaiser Permanente and chair of the Committee and Workgroup. I just wanted to welcome everyone and just remind everybody to speak clearly into the speakers provided. We are not on the Internet, but we are being recorded.

With that, let’s have introductions around the table and around the room. Obviously, if there are any issues that are coming before us today upon which you need to recuse yourself, please do so in your introductions.

Bob.

MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health, a member of the Committee and the Workgroup. No conflicts.

DR. HUFF: Stan Huff, Intermountain Health Care in the University of Utah in Salt Lake. I don’t think I have any conflicts with anything we are discussing today.

DR. BAUR: Cynthia Baur, Office of Disease Prevention and Health Promotion, HHS. No conflicts.

MR. HOUSTON: John Houston, University of Pittsburgh Medical Center. No conflicts.

MS. WILLIAMSON: Michelle Williamson, CDC, NCHS. No conflicts.

MS. FISCHETTI: Linda Fischetti, Veterans Health Administration. No conflicts.

DR. DEERING: Mary Jo Deering, National Cancer Institute, lead staff to the Workgroup. And it is my understanding that staff don’t have to worry about conflicts.

DR. COHN: I think we have Steve Steindel in the back on the phone..

Obviously, before us today we have a significantly modified version of a fax. Mary Jo, thank you, and, Cynthia, I presume this has your input also. Thank you for your pizza party last night. It went well. And, obviously, Linda and Michelle and others, obviously, thanks for your help in terms of moving this forward.

Now, obviously, we were talking some about sort of next steps and which we will reflect on. The meeting today will go — we are starting at 8:30. John Paul, you have like a 1 o’clock — 1:30 flight. So, we should try to finish by about 11:30, I think would be the intent to give people the opportunity to get out of here.

Obviously, we will talk at the end of the session about next steps. So, I think we are already sort of proceeding with there is likely to be Honeygate(?) or something like that, a need for a conference call. Before that, we will send out the next version to everybody on the Workgroup to get additional comments.

We can look through, we can sort of propose it and with that much advance notice, they can make themselves available. I am from California. So, 4 o’clock Eastern time on the 8th sounds — is that okay for others who are on the Eastern time? Stan, that is 2:00 p.m. your time. I think it is two hours.

The way we talk, there is no need to talk unless it is two hours scheduled.

DR. DEERING: I will have Jeannine set out a — Jeannine, we are going to ask you to send out an alert to the Workgroup that there will be a two hour call, 4:00 to 6:00 p.m. on August 8th and if you would also send out a dial-in number.

DR. BAUR: Those of us, who will be on annual leave, do you want us to just e-mail comments to Mary Jo ahead of time then if we have anything?

DR. COHN: We are going to be asking that regardless.

We are going to be expecting everybody to provide input.

Now, I think what we are — I was expecting Mia(?) to show up for the privacy conversation. Maybe what we should do — should we walk through the security section first? John Paul, do you want to lead us through the security piece? I think you have discussed already that you are continuing to suggest some modifications to include potentially non-repudiation.

MR. HOUSTON: I think that was the only one. Do you want me to read it or do we just want to go through it?

DR. COHN: Why don’t we just read it silently and then we can go through chapters, paragraph by paragraph to see if people have substantive issues? Is that okay?

MR. HOUSTON: Sure.

DR. COHN: So, let’s just take a minute to read quietly here.

First of all, I want to thank you for obviously providing some thoughtful input, which I think is overall very good. I do have some questions, but let’s sort of go paragraph by paragraph and see if people have comments, changes or otherwise and then let’s reflect on what is sort of not here that needs to be.

Agenda Item: Discussion of Draft Letter to the Secretary on Personal Health Records

MR. HOUSTON: Maybe I can give you some of the rationale behind some of my changes to the different paragraphs, too.

The first paragraph, I thought, when we were talking about security, probably the overarching issue with security is when it is — because we do have a discussion of PHRs, both in terms of the VSB drive to other forms that would be in a control of the patient, where I don’t think security is as import or people are not going to be as concerned about the security if it is accessible by the Internet. So I wanted to make sure that we clearly articulated the fact that Internet security was a key issue here. So, that was — you know, that security, though, is also important to ensure that individuals will have the confidence, you know, that their information will remain secure and private and that they will then be willing to use these systems. So, unless you have adequate security, we are not going to get the consumer confidence of people willing to use PHRs.

So, that was sort of the tenor of the first paragraph.

DR. COHN: Does anybody have any comments, changes, additions, violent disagreements?

MS. FISCHETTI: With the first sentence that the security is an important component, I think that you just said it stronger, that pretty much the —

MR. HOUSTON: Critical.

MS. FISCHETTI: Yes, it is a precursor.

MR. HOUSTON: We could say critical component of the PHR.

DR. HUFF: One of the things that — I don’t disagree with this — one of the things that is hard, though, is that because it is a spectrum of things, anytime you make a statement and then you think, well, what does this mean that this is a PHR that is hosted by a hospital versus one I am keeping on my home computer versus one that is held by a third party. I don’t think the statements necessarily apply equally across that whole spectrum. But I don’t know how to fix that because if you tried to take it case by case, there would be too much stuff that is said.

MR. HOUSTON: I think we generalize first that security is important and then we said — and by the way, it is really important because of the Internet. So we sort of don’t ever dismiss security as being important in those other forms of PHRs. I think the thought was — and it was to focus it on the area where people seem to have the most sensitivity today, which is with the Internet.

I agree with what you just said because that was a major stumbling block is how you deal with the other forms of PHRs.

DR. COHN: I am not sure how to do this either, but I know where you are going and now I understand even better where you are going because I read through this and I have got to say that the Internet chapter — of course, this is 10 point type that we are looking at in all of this, but this was not said in a way where it sort of says, boy, we are really talking specifically about the Internet. It is just sort of a sentence that sort of flows in the middle of a paragraph. I don’t know whether we italicize it. It should be one way or we do something in terms of the first sentence.

DR. BAUR: Can we just move up the sentence, so it is sentence 2 and it comes right after the change to being a critical component?

MR. HOUSTON: And then say this is an especially important job?

DR. COHN: Now, that would solve the problem. Great.

DR. DEERING: Just flip sentence 2 and sentence 3.

MR. HOUSTON: The only reason why I think, as I recollect, putting this sentence after the second sentence was because the greatest risk of unauthorized individuals getting access to patient information seems to be with the Internet. I agree. You were sort of — I mean, it is in your control and, you know, people feel much more comfortable even if there is any security in hand to that.

DR. DEERING: Here would be my push back, that the first two sentences are valid. They are valid. As you say, they are your overarching statements. These are concerns. This is important. I don’t care where it is. It is important that minimizing the risk of unauthorized individuals could gain access to a patient’s information contained in a PHR. I don’t see why that is any less important —

MR. HOUSTON: But I think in the next —

DR. COHN: I mean, somehow making it stand out I think is all I am asking for is the piece there and we could certainly —

MR. HOUSTON: Because I think I did move that sentence around a couple of times and said, okay, where do I think it —

DR. COHN: I have no objection to where it is. As I say, I just found it sort of lost in there. So, this will — I mean, somehow we will emphasize it then.

DR. BAUR: But you can also then in paragraph 2 because then you make that distinction between the different types and where the whole thing might happen, but then you can even add a little sentence that says in these ones that are sort of more individually based, like smart cards or whatever, that security requirements are going to be different than the ones that are networked or whatever. Then you can just make that distinction clear in the second paragraph.

DR. COHN: Well, maybe that is a second sentence, where it says large majority gets confused and we somehow in that sentence, we are talking about all the things that are connected by Internet and we need to say — tease the word “Internet” with that sentence to specify that — because I think that is really what you are talking about there. We know that. The reader may not.

Let’s finish up with paragraph 1 before we move on to paragraph 2. Do people have anything else that they

are —

MS. FISCHETTI: I would like to just thumb back up to the title for the technical people that read this. They are going to be looking for the 4 A’s and we do address authorization. So, we should probably put authorization in the title as well. Security has the four golden A’s and we do address that.

DR. COHN: Good point. Thank you.

MR. HOUSTON: I took out one. I forget what I took out at this point in time, but there was something that just didn’t make sense in the title.

MS. FISCHETTI: Access, authorization, authentication and audit.

MR. HOUSTON: There was something else in the original title and I pulled it out.

DR. COHN: That is fine. I think we are happy with what we are seeing so far. Anything else on the first paragraph?

DR. DEERING: I just want to confirm then that non-repudiation is not an element that needs to be elevated to a section title. I mean, I don’t understand enough to know whether that can just imbedded in the text of a section.

MR. HOUSTON: We could argue the part — I think it really is a separate concept. I would not put it in as a title. I wouldn’t.

DR. COHN: And at that point it allows us to say security features, security requirements.

MR. HOUSTON: You can also say that.

DR. DEERING: Requirements for security.

MR. HOUSTON: Security requirements is shorter.

DR. DEERING: How about just security requirements?

MR. HOUSTON: Or security? You said privacy before.

DR. COHN: Okay. So, okay with the first paragraph? Maybe we can sort of look back and sort of see where we stick non-repudiation or we can go forward.

So, second paragraph, I think we were — I was just sort of talking in terms of the second sentence. Do we need to say something where it says the large majority exists as using duh, duh, duh, duh, duh? We somehow need to include that sort of Internet concept because that is really what you are talking about here.

And I don’t know exactly how we add that.

DR. DEERING: Well, virtually all of them do include Internet access.

MR. HOUSTON: Can I say one thing. I think I messed this up a little bit because I said the same thing twice. It says the large majority exist as views into an EHR and then down below I say as part of the provider EHR or a health data account. I think I intended to say that as part of a provider EHR because it really is the same as the very beginning of the sentence, which is —

DR. COHN: Oh, as a health data account.

DR. DEERING: Should I just rip out as part of a provider EHR?

MR. HOUSTON: Yes.

DR. DEERING: Because what you are trying to say is there is basically three categories. There are views into an EHR. There is part of a commercial hosting venture or a health data account.

MR. HOUSTON: Right.

DR. COHN: And it is really views or —

MR. HOUSTON: When we say the part of the PHR —

DR. COHN: I am trying to describe it because part of it is views, but there is also — most of these things have some functionality. I guess the point that I am making is that in many cases it is sort of a portal plus. It is a portal and then there is typically some sort of additional patient specific, so it is more than just —

DR. DEERING: It is a portal with views into the EHR?

DR. COHN: Stan, help me. Is portal going to reflect that —

DR. HUFF: I think portal — I mean, to me at least portal has that implication that it is tailored to a particular use of —

DR. COHN: Okay. Why don’t you —

DR. HUFF: It is specific to the —

DR. COHN: To the functionality. Okay.

MR. HOUSTON: Why don’t we say — a portal in each case, though, is relevant to each one of those three types. Correct?

DR. DEERING: Then maybe the important message in that first category is that these are offered by providers in relation — that these are provider offered, because the other two are commercial or —

MR. HOUSTON: We could say Internet-based portals and — because I think what Simon’s earlier comment was was that we are talking about primarily Internet-based things. And it is a portal and then we say — then there will be three types, which would be then Mary Jo’s first comment, which would be — how did you say it because I thought that was good.

DR. DEERING: Well, actually I am backing up a little bit here because this is less about — are you talking about sponsorship here or the form?

MR. HOUSTON: I think it is — actually, this is the measure of the concept that is already in the letter. So, I was trying to adapt it. So, I don’t have a lot of pride and ownership of this sentence, other than I tried

to —

DR. DEERING: I guess what I would suggest is that we back up and say in the concept of the sentence and of the section — I am sorry — in the context of the paragraph and of the section. What is the important piece of information that we are trying to convey here? Is it the sponsorship, all of which are sort of Internet-based? In which case then, we might end up — then the last health data account might need to be changed, too, because actually there aren’t very many health data accounts. I mean, there are actually more insurance provided health —

MR. HOUSTON: I think what we were trying to do here was describe the different types — just generally describe the different types of PHRs. The first sentence talks about ones which are within a control of the consumer, such as, you know, smart cards and thumb-drive systems. There is one and then there is this other class, which is the Internet-based —

DR. COHN: Internet-based systems, which

include —

DR. DEERING: — are Internet-based systems which include —

MR. HUNGATE: Let me try a wording on you and see if it holds.

The large majority exist as personalized adaptations from provider EHRs as part of a commercial hosting venture or a health data account, all of which require Internet security.

DR. COHN: No.

MR. HUNGATE: Okay. That is not right?

DR. COHN: No, because we need the Internet at the very beginning of that sentence rather than at the end.

DR. DEERING: So, the large majority are Internet-based, and may be provided by a health care provider or maybe sponsored by —

MR. HOUSTON: Or such as.

DR. DEERING: Such as those sponsored by a health care provider, part of a commercial hosting venture and then I would substitute or an insurance plan. So, the large majority currently exists as — are currently Internet-based.

MR. HOUSTON: The portal concept was — I think —

DR. DEERING: Internet-based programs, applications.

DR. COHN: Employee Internet-based access.

PARTICIPANT: I am not tied to portal.

MR. HOUSTON: I just thought he was — that was a good term because it does tend to —

DR. DEERING: A large majority are Internet-based.

MR. HOUSTON: Okay. Let’s leave it at that.

DR. DEERING: Such as those sponsored by —

DR. COHN: Okay. I think I sort of like the rest of it, especially you taking this back to the security role, which I thought was actually a very good concept in tying it there.

MR. HOUSTON: The security role sort of seems agnostic when it comes to technology and I thought was important because if we make any firm recommendations here and then how do you justify — what is the best way of justifying not really making any really hard recommendations, firm recommendations. It is because like the security rule doesn’t tell you how to do these things.

DR. COHN: Let me ask the question then, which I think we are also reflecting on in privacy, which is is that obviously, the HIPAA security rule only applies to covered entities. Do we need to put a sentence here towards it at the very end here that says, of course, it should be noted that the HIPAA security rule only applies to HIPAA covered entities.

DR. DEERING: How about as noted elsewhere because I think —

DR. COHN: Yes, as noted elsewhere.

MR. HOUSTON: My only reason for bringing up the security role was —

DR. COHN: Well, it is a great framework. No, I think it is very good. I just don’t think some of the stuff actually parallels the privacy piece, where what we have is actually not bad. It may also reflect in our recommendations, similar recommendations, that — there are sort of holes there or at least things that need to be explicitly stated or otherwise.

Mary Jo, are you okay on that? Steve, did you have a comment or — no. Okay.

Anything else? We want to move on to the next paragraph?

DR. DEERING: The first sentence — gets some possessives in there. I think what you really mean to say is cover its employees’ and affiliated staffs’ access to.

DR. COHN: Where are you at?

DR. DEERING: The very first sentence of the third paragraph. Unlike a health care provider’s control over its employees and affiliated staffs access to a patient’s information —

DR. BAUR: Can you just say unlike a health care provider’s access to?

MR. HOUSTON: What we are really saying is the individuals have the access and its controls over those individuals, you are asserting there, which is sort of problematic with regard to PHRs.

DR. DEERING: In which case just a — this was what was a — I think what I would like to say instead of just saying control over their access, since the point here is about authentication, could we say something like unlike a health care provider’s ability to authenticate its employees and affiliated staff, who have —

MR. HOUSTON: More than that. It is not just authentication but a provider also has the capability to provide some level of control over what the staff accesses and providers sanctions and things like that in the event that somebody does something inappropriate with data. So, it is the whole class of things that an employer can do and if you look down at the — and the other reason —

DR. COHN: So, this is showing authentication and access control.

MR. HOUSTON: If you look down at the bottom, the last sentence, I do try to talk about the fact that employers also have the capability to employ other advanced technologies, which is that is the reason which not only control access, but —

DR. COHN: Let me just stop you for a second. I think I agree with you that this is more than authentication, though after the comma, you only reference authentication and I am wondering if we are really talking at the very minimum, authentication and access control because I think that is what you are talking about.

MR. HOUSTON: I was just trying to keep it — the only reason why I — to me access sort of is simplistically as authentication, but I agree with you. I mean, we could put all four of the A’s in here if we wanted to.

DR. DEERING: How about ensuring security or authentication and other security measures?

DR. BAUR: It is really two ideas. I mean it is trying to have it as a single sentence and maybe the first sentence should be just something like ensuring authentication and access control in the context of a broader community represents a major challenge because that is the main idea of the challenges around ensuring those two things, right? Then you follow up — you take the clause that introduces that sentence now and says currently in a health care provider controlled environment, you can do those things in this way, but when you move out in the community, it is much different.

MR. HOUSTON: Right. I agree with that.

DR. BAUR: And kind of break it into two —

DR. DEERING: So, you start with ensuring authentication and other security and access control. Are those the only two things that you want to address?

DR. COHN: I think that is all of it, isn’t it?

MR. HOUSTON: It is all — but the access controls and the authentication because the audit ability sort of is an offshoot of access controls, I guess, in a way. So, I think that is what you were sort of — those two were the two keys in your mind. Correct?

DR. BAUR: That is what it seemed like from the discussion.

DR. COHN: Do we want to come up with the four A’s? This might be a sentence to put the four A’s in.

MR. HOUSTON: We could put all four A’s in here. We would have to sort of recraft the sentence a little bit.

DR. DEERING: Here is what it would read then. Here is how the first two sentences would read then. It would begin, ensuring authentication, access control, auditability and authorization and whatever way you want to put them, including AAA and A in the context of the broader community of patients and consumers represents a major challenge period.

Unlike a health care provider setting where the provider can control employees and affiliate staffs access to a patient’s information in the EHR, it may be common for a multiple individuals, such as family members and caregivers to be able to contribute patient information.

DR. COHN: I like that a lot.

MR. HUNGATE: Is there a distinction between covered entities and uncovered entities at all useful in this discussion as well?

MR. HOUSTON: I think we are doing that implicitly because when we are talking about providers, I guess, I am thinking of that as being a covered entity. When I am thinking of PHR, we have already sort of defined PHR as being outside the scope of —

MR. HUNGATE: The control system is very different. The balance between what the system has to do and the individual has to do is different.

MR. HOUSTON: I don’t think it is a matter of the distinction between covered entities and a non-covered entities. I think it is a matter of — part of what I think I was wrestling with is is that when you are dealing with a provider community on the Internet that has disparate technologies after disposal, max and a lot of people won’t have thumb print recognition or smart card reader, things like that. The technologies that can be employed in that environment are entirely different than if you have a provider or a covered entity that has the capability to say to all its users, okay, any external assets you are going to secure — is what my organization does or whatever.

So, we have the technologies because the consumer runs it through her own PC is, I think, sort of dramatically what I was trying to get at here so that there are — it is not based on covered entity or non-covered entity.

MR. HUNGATE: I am struck by the mix of things in there, too, because the validity of the information relates to whether it was secure in the first place.

MR. HOUSTON: Agreed. And that sort of goes back to the non-repudiation issue, too.

MR. HUNGATE: Well, it does. That is why I was starting to think about there is other stuff that is important there that is germane to the larger picture and I didn’t know what to do with them. I just felt it.

MR. HOUSTON: I think here is a way to add this in. The next sentence, where it starts with additionally, it says additionally patients will — patient information will come from multiple sources and provide EHR’s external laboratory systems providing results, et cetera, and then put a comma, all of which — the validity of which must be ensured.

MR. HUNGATE: But must be identified in some —

DR. COHN: Must be assured.

MR. HOUSTON: I think validity is much — that is what goes to non-repudiation issues then, which is okay. That is what non-repudiation —

DR. COHN: So, we put in parentheses non-repudiation.

MR. HOUSTON: Right.

DR. DEERING: I didn’t get any of that down. So, we need to start again.

MR. HOUSTON: I can’t remember what I just said.

DR. COHN: It is additionally patient information will come from multiple sources and be provided to EHRs. They will provide results, et cetera, all of which —

MR. HOUSTON: All of which must be ensured. Then put in there non-repudiation.

Stan, do you think that is accurate?

DR. HUFF: Yes.

MR. HOUSTON: That will tie then the repudiation as a recommendation.

DR. DEERING: I am going to say i.e., non-repudiation.

DR. COHN: What do people think of the rest of the paragraph. Actually, I like it, but do others have other additions, comments?

DR. DEERING: I know what I wanted to ask. The wide scale adoption of such technologies for PHRs will likely be problematic. I would like to ask you why you say that.

MR. HOUSTON: Because, just as I said, whereas, in provider environment — I will use mine by example. It is a requirement in our environment that anybody, who is going to look at patient information through one of our clinical systems by the Internet must use strong authentication using secure ID. I can pose that in my environment and I pay the cost of it.

In a PHR environment, you couldn’t wipe the wide scale secure ID token or smart cards, things like that because of a number of reasons. One, there is a cost to it that consumers may not want to bear or they may not have smart card readers, especially if they went from place to place or they wouldn’t have, you know, thumb print — what do you call them — devices. So, the point being is is that you almost — I think the banking example already where people want to do on-line banking has demonstrated that we are almost forced into the lowest common denominator, which is SSL. Some banks are starting to say, hey, we are willing to provide to either our high end customers where people are willing to pay a cost.

We are willing to provide an additional level of secure ID or something else, but frankly the adoption of that is infinitesimally small and there hasn’t — as far as I can tell, there hasn’t been a big call for it.

DR. COHN: I would say that this makes very good conceptual sense to me as one who — my office computer, obviously, is armored. My home computer doesn’t even have a virus protector on it. Probably has viruses on it. I have a Mac at home.

DR. DEERING: What prompted my question was that a lot of commercial entities will certainly want to do and be able to tout as a marketing —

DR. COHN: Not so far.

MR. HOUSTON: I use banking as the analogy.

DR. DEERING: No, you persuaded me and —

MR. HOUSTON: — I don’t think we dissuade people from if you want to go out and say, hey, consumer, I am willing for $15 a year, I am willing to provide the secure ID. I think what can happen is most people are go to the lowest common denominator, would take it for free, and the fact is that you have the population is disparate. So, putting PHRs out there where you say you must have a smart card or you must have, I think is almost — is impossible for wide scale adoption.

DR. STEINDEL: I have been relatively quiet so far. I think this discussion has caused me to stop being relatively quiet. I have a bit of a problem with this section. The problem I have with this section is there is a presumption that the individual with their PHR want the same level of security or require the same level of security that the EHR has.

MR. HOUSTON: We think we have heard that, though.

DR. STEINDEL: No, I don’t think we have heard that. As a matter of fact we have heard the opposite in some of our early hearings. We heard about this project that was put in place in Minnesota, where originally they put strong passwords, multiple levels of security, et cetera, and the people would not use it until they went to very simplistic password protection. We have these things about requiring non-repudiation on material coming into the EHR from external labs, et cetera, but we don’t — right now we are not even using that requirement in the EHR.

MR. HOUSTON: Well, but let me say this. Let me say there is a difference, though, and I will tell you what the difference is in non-repudiation side and I think Stan said it yesterday, is a provider is going to be more likely to rely upon clinical information where they can ascertain the validity of it than if they can’t

DR. STEINDEL: Well, the validity of the information now is coming in like from an external lab, from an EHR. The validity of it is determined by the connection.

There is just an underlying presumption in all this and it becomes very strong in the sentence that we are discussing right now and that people want the same level. You just gave a perfect example from the banking industry, where they don’t.

MR. HOUSTON: You raise a good point. Actually I think what we were really saying here is twofold and I agree with your statement because there is the desire for — individuals want to have secure — they want to have their information remain private and they assume security, but they are not willing to invest themselves in taking additional steps. That I think is a sentence that we can — and I would tend to agree with that because I sure had — when I do on-line banking, I don’t have a secure ID. I don’t have any — I figure out this is good enough.

DR. STEINDEL: I don’t have a major objection to what we are — you know, the wording up to this point and everything. I just want to make sure that we understand the implication of what we are saying.

DR. DEERING: I think what we could do is — and I don’t have language for it yet, but it is really — I would push back a little bit a little bit. I think that the prior two paragraphs are okay. I think it is this paragraph — and I think what I am hearing you say is that on one hand the heart of what we have here substantively is correct, that these are the ideals. This is what we would like. It needs to be framed either from the introductory sentence or from the concluding sentence that says that it gets at what you are stating, that we are not trying to impose these or imply that there is an expectation that anything short of this is deficient.

DR. COHN: Yes. And I think there was a recommendation to state that. I think that we are — let me just make a comment here on this one. You would have thought this would be marketplace failures. This is like — the best analogy I would use on this one is is that it would be sort of like — it is an insurance issue or an FDIC issue. Everybody would assume that their money is safe in the bank until the bank fails. And everybody goes around screaming. They don’t care until there is a problem.

I mean, security is like insurance in that respect and a lot of people don’t have insurance as we see.

MR. KAMBIC: CMS had an open door forum. Some people were there. These types of questions, I think, were raised on the committee by other people. There was a young woman there, I can’t remember, from the government that talked about the need to do research. She really made a very strong statement about we really don’t know.

This is exactly the type of thing that needs some data.

MS. FISCHETTI: We need to know what security levels are palatable for the —

MR. HOUSTON: Can I make a suggestion that we add a sentence here that I think addresses Steve’s — prior to the last sentence here, starting with as a result, why don’t we add this sentence, additionally there is some question regarding whether consumers generally are willing to accept the burden or cost associated with the application of additional security technologies.

DR. STEINDEL: It gets the point in the section.

MR. HOUSTON: I agree with everything you are saying. Then, when you read the last sentence, it does pull together that — you want to read that off again, or do you have —

DR. DEERING: I have got it. Additionally, there is some question as to whether consumers are willing to —

MR. HOUSTON: Whether consumers generally, but it will be a specific consumer who will say, oh, my God, I want this — generally are willing to accept the burdens or costs associated with the application of additional security technologies. Wordsmith it. I am not sure whether application is right or not, but that is the only thing I could think of when I was writing.

DR. STEINDEL: I would just use security technologies.

DR. DEERING: Enhanced?

MR. HOUSTON: Additionally. We could do without SSL, which everybody would scream about. We have got sort of SSL, which is sort of the de facto minimum standard we are talking about on top of —

DR. STEINDEL: I mean, consumers don’t choose SSL.

MR. HOUSTON: Except that, excuse me, me being from an institution that got written up in our local newspaper because somebody forgot to put SSL on a simple form and we got — you know, it was sensationalized. The point being is is the expectation is is that there is a base level security inherent —

DR. COHN: So, we are talking about enhanced.

MR. HOUSTON: Enhanced. SSL is the baseline.

DR. COHN: Okay. So, we are talking about enhanced security.

DR. DEERING: I have a slight reorganization to the structure here for flow that I think gets at what you are trying to say here.

DR. COHN: That, which is the last sentence, which as a result security for PHRs will likely be limited —

DR. STEINDEL: I don’t see why we just don’t leave any modifier off security and just say security.

MR. HOUSTON: Because SSL is — base security is an — or base is nothing. SSL is accepted as being sort of the minimum standard for anything we are going to be doing here. So, I am saying —

DR. COHN: In a sense, they may talk about advanced technologies.

DR. STEINDEL: The problem I have with this is SSL is a full sense of security.

MR. HOUSTON: No, it isn’t.

DR. COHN: It is not ultimate security but it is a piece.

DR. STEINDEL: All it does is protect the movement of the information from the point it leaves your computer or your system until the point it arrives at the firewall of the other system.

MR. HOUSTON: It doesn’t prevent key logging. It doesn’t prevent a bunch of other things, but it is —

DR. COHN: But, Steve, I mean, people use IDs. That is security. I mean, you know, they use two level — there is all sorts of security things that are in pace. I think what we are trying to make a differentiation is how far you go. I think it is fine. I would make that decision for you in advance, as opposed to just saying to people all security features because I think that is ignoring the reality. It may not be adequate.

MR. HOUSTON: Advanced security implies what you are saying, which is what is there isn’t necessarily the ultimate or penultimate solution. It is something.

DR. STEINDEL: But the person is not choosing to use the base security features that are there.

MR. HOUSTON: No, but it is inherent. That is what I am saying here, though.

PARTICIPANT: Aren’t you comparing it to the previous sentence —

MR. HOUSTON: — the next sentence, which is as a result, security for PHRs will likely be limited to technologies that are generally available for desktop operating systems. There is a consumer expectation rather than choice and, again, I just lived through that a month ago because of the local paper. It is an expectation, honestly that SSL simply is there. So, all I am saying, though, is we should consider SSL to be a level of security and all I am saying is —

DR. COHN: We don’t say that anywhere here.

MR. HOUSTON: I don’t think I need to.

DR. COHN: Well, that is fine then.

MS. FISCHETTI: Can we reword it in terms of meeting consumer expectations for baseline security while providing options for enhanced security that can be used at the request of the consumer or are available for the consumers.

DR. COHN: I don’t see it. Is that a recommendation or —

MS. FISCHETTI: No, no, just for the sentence. I think that we are making assumptions about what the consumer wants, the consumer thinks that we need the basics. The consumer is going to want more. We have heard from all over the board — I am not winning Simon over — so if we reword it in terms of keeping options available for the consumer —

MR. HOUSTON: That is why I said in that sentence I just read off, consumers generally, we do know there will be a subset of consumers that will as soon as you say I can give you secure ID. Great. I want it. I don’t doubt that that exists. I think it is the general population that — sort of what Steve is saying. There is that general population that doesn’t have or doesn’t want or is unwilling to invest in it, that is, I think, what we are trying to say here.

DR. COHN: Yes. I am taking about wide scale adoption.

DR. DEERING: Here is an organization that may or may not — it is just a way of inserting your phrase at a slightly different point. Instead of making a standalone sentence, I would break up the preceding sentence. Further, while health care providers can employ a variety of advanced technologies which just occur in EHR, including X, Y and Z, there is some question as to whether consumers are generally willing to attempt the burdens and costs associated with enhanced security technologies.

As a result, the wide scale adoption of such technology for PHR will likely be problematic, and security for PHRs will likely be limited to — so, it is both of those — they are going to be problematic and they will be limited to desktop operating, to what is currently available because of what we have just said.

DR. COHN: With that, shall we move into recommendations?

MR. HOUSTON: The recommendations, there were none in this section. So, I put these together as a straw man.

DR. COHN: Now, do we have those — I guess we would have a standards framework for — and you missed four A’s. You only have three A’s. So, there are 4 A’s in the first paragraph.

MR. HOUSTON: I will add another one at the non-repudiation, which I have written out here.

DR. DEERING: Move 5 to No. 1?

DR. COHN: — a lot of privacy recommendations. How is this different because —

MR. HOUSTON: It is different because it talks about — this is a place where you would talk specifically about what you employ in order to protect the information.

DR. COHN: So, this is security terms and conditions —

MR. HOUSTON: Exactly.

DR. STEINDEL: It is essentially the same, except that security is —

DR. COHN: Okay. That is fine.

DR. DEERING: So, 5 currently reads PHRs should provide consumers with the terms and conditions of use, including the type of security employed through PHR?

MR. HOUSTON: Well, actually, it should say regarding the type of security for the PHR period. Everything in addition to the other terms —

DR. BAUR: I just have a comment —

MR. HOUSTON: You might take out the last part of the sentence as well as how information in PHR may be used by the organization that sponsors the PHR because that is a privacy and secondary use issue. So, we might take that out.

DR. DEERING: So, 5 currently reads PHRs should provide consumers with the terms of conditions of use, including the type of security employed for the PHR.

MR. HOUSTON: Well, actually we maybe just simply say PHRs provide consumer with terms and conditions regarding the type of security employed for the PHR period. That is what we are talking — it would be in addition to the other terms, but this recommendation relates to security employed.

DR. BAUR: I just had a comment about the framing of the recommendations. These things aren’t really for HHS to develop the standards framework or is it to promote the standards framework or work in collaboration with other parties to develop a standards framework?

MR. HOUSTON: Probably the latter.

DR. DEERING: Collaborate with other stakeholders or other relevant organizations.

DR. BAUR: I mean is HHS really — do you really want HHS developing standards framework for this —

DR. DEERING: Well, they will just turn to Simon and the security committee.

DR. COHN: So, basically we recommend that HHS work with the relevant stakeholders to develop and promote?

DR. BAUR: I am proposing — I am just checking to make sure you really mean that —

MR. HOUSTON: Work with relevant stakeholders.

DR. COHN: I think, Linda, you were talking about 5 being moved to 1. Is that right?

MS. FISCHETTI: Yes.

DR. COHN: Okay. Good. Five has gotten better. So, that is good.

MR. HOUSTON: I do have another one that is on repudiation, after we are done with all of these —

DR. COHN: We have got one about control, one about audit, one about authentication. The PHR should be based on industry standards, security —

MR. HOUSTON: Should we on No. 3 back — talk about additional security measures? Should we say something like this would not preclude PHR vendors from adopting additional security or employing additional security by an optional basis, by consumer, something that says that we can — it would be a baseline and that it doesn’t mean that there wouldn’t be room for the adoption of additional security.

DR. COHN: Isn’t that what 4 is?

DR. DEERING: I think he means the old 3, which is the new 4.

[Multiple discussions.]

DR. COHN: It sounds like you just said No. 4.

MR. HOUSTON: The one that says decision to adopt additional security technology was really — the reason why I put that in there was to make sure that people didn’t go off the wall and say, oh, my God, we should definitely say that secure ID or smart cards have to be employed on all of these things because the reality is that we have to look at the environment, which we are putting them into, which is a widely disparate, you know, operating systems and what people actually have available to them. That was sort of intended to be a recommendation to ensure that —

DR. COHN: Okay. So, you are saying — okay, now I understand 4. So —

DR. DEERING: Maybe we blend them. Maybe it is PHRs should be based at a minimum on industry standards, security and authentication approaches and then a second sentence in the same one. The decision to adopt additional should take into account. That in a way I think —

DR. COHN: No, I think your second sentence is this should in no way preclude vendors and others from making available advanced solutions.

MR. HOUSTON: Advanced solutions at the discretion of — at the option of the consumer. So, I think that is even what I am saying now is, you know, if you go to — I forget what it was — e-trade or one of those, if you are either highballing a customer or you want to pay for it, it will actually give you a secure ID file to use with your e-trade account, but it is not something that is required for use of their system. It is something that they will give you. If you do enough transactions, they will give it to you. Otherwise, you have to pay for the thing.

DR. DEERING: This should not preclude vendors from making available additional security protections. And was there more?

MR. HOUSTON: At the option of the consumer. Are we using the consumer or — yes, consumer.

DR. COHN: I think it is all getting very good. Now, the question I would have —

MR. HOUSTON: I have got one more.

DR. DEERING: Now, let me — just stick with that — do you then still want to keep the old 4 separate or do you want to add three of those sentences together in one chunk? We have got the old No. 3. We have got the new sentence I just read and then you have the old No. 4.

MR. HOUSTON: I think maybe we pull it together because regardless of what happens, you have got to make sure you have put something in place that has portable —

DR. DEERING: I think that strengthens your —

MR. HOUSTON: The other one I have here and I am not sure — this is going to take some wordsmithing — is PHRs should provide functionality related to non-repudiation to enhance the use of PHR information for clinical decision making.

DR. COHN: So, what does that mean?

MR. HOUSTON: Well, I think that Stan’s prior comment from yesterday, the clinician can’t ensure — if he is unsure or she is unsure of the accuracy of the information, he or she may be less inclined to want to rely on it for any type of actual clinical use. If there is non-repudiation and you can tend to rely upon the source of the information —

DR. DEERING: I think that is the highest — I think this in particular strikes me as an example where you are asking a higher standard, perhaps, than exists for EHRs.

DR. STEINDEL: This is actually —

DR. COHN: This is a difficult area.

DR. STEINDEL: The issue of non-repudiation is extremely difficult and touchy, especially when we are talking about transferring information.

MR. HOUSTON: Exactly, because it is for information coming into something —

DR. HUFF: — is, again, we are talking about two different use cases. If I am thinking of the use case where this is a disease specific thing that it is held on my home computer, you know, the lab data is going to come in. I don’t care. You know, I am going to trust it because it came from the lab or whatever.

On the other hand, if this is a record that I am trying to take to a second or third physician, another provider, then, you know, if that is the real use case that you are going to have another physician use it, then non-repudiation becomes a big issue.

MR. HOUSTON: That is what I was trying to say —

DR. DEERING: There is one story point that is not quite there but PHRs should provide as optional functionality the assurance of non-repudiation for those PHRs where there is an exchange with a health care provider is expected —

MR. HOUSTON: No, it is not just — it is for an exchange.

DR. COHN: This is very complex because I think even — you would have to get down to use cases. If you saw this was very complex with e-prescribing and I am sort of trying to think, well, gee, if you have got a portal where somebody is holding the data, you don’t need PKI, which is really what we are talking about with non-repudiation, at least as far as I can tell, but on the other hand, under those circumstances where it is actually being held on your drive and you are intending to take it to your provider to show them, then, yes, in that case you probably do need PKI for that provider to believe that — we are getting way down into very specific —

DR. DEERING: Let me also, of course, back up, specifically within the area of crime disease management, where we are the furthest along with the data flowing from the home to the providers. The health hero, the health buddy is one little home monitoring device that seems to have a life with it right now. I would like to ask how much non-repudiation is built into that because people like it. I mean, the people who actually deal with home — so, again, you see, I think that providers aren’t necessarily requiring it. I think they can have —

DR. HUFF: Oh, no, no. Again, it is just the issue — it is so detailed because you are right, if you are bringing me your spirometer readings for asthma or something else, I am going to believe you. I mean, you have no reason to lie. On the other hand, if I am a cancer specialist and you are bringing me your records, I am going to say huh, how do I know this is —

DR. COHN: So, how do we sidestep this whole thing?

DR. DEERING: Can we have a single sentence, not within the recommendations section, which just raises this as a complex issue?

PARTICIPANT: Don’t we have it already?

DR. DEERING: Well, maybe it is already there.

PARTICIPANT: Is that the one with —

DR. DEERING: Well, we already say must be ensured and, in fact, if anything then our sentence is too strong because it says multiple sources, including laboratory systems, et cetera, the validity of which must be ensured, i.e., non-repudiation — optimally would be ensured or something because I think that is —

DR. STEINDEL: Simon, we talk about in the privacy section, you know, that we are going to look at future things and one of them was potential liability and actually non-repudiation is tied in with the liability —

DR. COHN: So, shall we say this is the one that we —

DR. STEINDEL: I think we should just tie in in this technical section that we will be exploring the issue of non-repudiation.

DR. COHN: I think that is actually a —

DR. STEINDEL: — to handle in this letter.

MR. HOUSTON: I agree with you. Opening it up for discussion, leaving it out, putting it out there —

DR. STEINDEL: We have to, yes.

DR. COHN: Let me ask one other question here and I guess I have jumped to a slightly different topic. It is a different recommendation and it just is a mirroring of what I am seeing as privacy here, where we talk about HHS sponsored pilots near page 8, about the middle. It says for any HHS-sponsored pilot projects any contractual relationships, duh, duh, duh, duh, duh. Do we want to put something like that to mirror here?

DR. DEERING: What we would probably do is put it up in the body — first of all, we really put it around here until more — until there is more widespread use. We can only offer the general recommendation that we develop and promote a standard framework. Is it a second recommendation that says in those cases X, Y and Z, the above principles should be required? Is that how you want to do it? Because right now this sort of says we want you to go and work with stakeholders to develop this framework.

DR. COHN: I guess what I am talking about, I guess, is — just read this, for any HHS sponsored pilot project, any contractual relationships that CMS undertakes with entities intended to utilize CMS data in PHRs, HHS should require that all PHR systems provide security features equivalent to minimal HIPAA security requirements. Am I off on —

MR. HOUSTON: Consistent with HIPAA security.

DR. COHN: Consistent with HIPAA security is what I think we are saying.

MR. HOUSTON: For contractual commitments, I would say yes. For pilots, I think — for contractual commitments they should be consistent with HIPAA security — I am just thinking that part of the — is evaluation of appropriate security in the context of these recommendations, in the context of evaluating these recommendations. Pilots are different in my mind. When HHS is making a contract with somebody, I think they have the right to just impose —

DR. COHN: Well, this is an HHS sponsored pilot. That is a contractual relationship.

MR. HOUSTON: It says HHS sponsored pilot and in contractual relationship. I am sort of reading these two things separately. Contractual relationship that CMS might make related to PHR might be a third provider, who is going to actually provide a PHR for some segments of its population — all I am saying, though, is that when you put an and in the middle of it, that recommendation, it says to me there is both pilots, as well as something else that are contractual.

DR. DEERING: Not all pilots — I think many pilots are grants.

MR. HOUSTON: Right, but all I am saying here is when I read this first recommendation —

DR. COHN: No. 1 says HHS. The other says CMS.

MR. HOUSTON: Okay. Let me give you an example in that recommendation. A contractual relationship that CMS undertakes, okay, might be a production PHR that it deploys rather than simply an HHS-sponsored pilot. So I think that my point is that they are two different things. In the latter, I think the CMS should indicate that if it had a contractual relationship to have an actual production PHR, that they should require that whoever is running that PHR has security consistent with the HIPAA security rule. Okay. We can impose that. Where there is a pilot, I think they should — the pilot should evaluate security in the context of these recommendations.

DR. COHN: Oh, that is fine. Okay.

MS. BERNSTEIN: If CMS is running such a thing as described, they are a covered entity.

MR. HOUSTON: I guess CMS could —

MS. BERNSTEIN: They are covered both by the privacy act and by HIPAA because they are covered entities.

MR. HOUSTON: But could CMS in that context decide to carve the PHR functions out of its covered function?

MS. BERNSTEIN: I am not aware of an entity that can carve out functions that are covered by laws.

MR. HOUSTON: You could argue that this is not —

MS. BERNSTEIN: I mean, just by contracting out, you can’t get around a lot —

MR. HOUSTON: That is not my point, is that, you know, a covered entity can separate itself in covered and non-covered functions so that it does not cover its entire

— the entire entity does not have to be a covered entity. Hospitals do that. I mean, we do that in order to do certain functions and my point being is that CMS could say we are going to provide a consumer PHR that we are only going to use for the benefit of those individuals and we are not going to use this data for any other purpose. We are just going to give this PHR to individuals so that they can use it for their own health management but CMS itself is not going to rely upon the data. It is not going to look at the data for any purpose.

For that reason, we are going to make ourselves into a hybrid entity and we are going to allow that to be carved out. We could do that.

DR. COHN: Maybe even a better example without carving is if CMS decides on a contractual basis with appropriate disclosures and approvals by patients to send data to a non-covered entity that is maintaining and managing PHRs.

Now, this disclosure has been covered and now this is a non-covered entity. Isn’t that how that works?

MR. HOUSTON: My point is —

MS. BERNSTEIN: This is about it would make that disclosure in the first place because they can’t just give over the data outside of the agency, right?

DR. COHN: With disclosures on a patient —

MR. HOUSTON: No, I disagree with you. I think there is an argument to be made that a covered entity whether it be CMS or a private — or a hospital or whomever could develop a PHR, which it intends not to use for any clinical purpose, make it part of a non-covered function —

MS. BERNSTEIN: — making a disclosure from a federal agency outside of the borders of that federal agency, it is personally identifiable information of the sort CMS is covered not only by HIPAA but by other laws.

DR. COHN: And so the patient has to agree that they are making that disclosure.

MS. BERNSTEIN: No, but I mean in some cases. There are other ways to make that disclosure, but it would be covered by other provisions of the privacy act, including one that covers contracts and —

MR. HOUSTON: Let’s go to the next level then because we are talking specifically about security here. This section is specifically about security. All the recommendation says is regardless of what other obligations there may be vis-a-vis or with regards to privacy, using HIPAA is the minimum benchmark for security. The HIPAA security log, the minimum benchmark for security I still think is an appropriate recommendation.

DR. COHN: Do we need to talk about privacy and then go back to security on this?

MR. HOUSTON: But I agree that under the — there is the privacy component is a separate and distinct component of all of this.

MS. BERNSTEIN: And also other than the HIPAA security rules, which I agree as a — they could separate themselves and not have to use — and not be required by law to be subject to the HIPAA security rules — I shouldn’t say I agree because I haven’t — but presuming that what you are saying is correct — but there are also other security laws that a federal agency is subject to, so there are other things that would already be required of the agency because it is a federal agency.

MR. HOUSTON: Now, could there be — let me ask you — let me spin this a little bit differently —

DR. COHN: I want to get out of this one and have a break.

MR. HOUSTON: Let me just ask one other question. Could CMS under other programs not contract for its own use but underwrite the cost of other organizations developing PHRs that would be used in order for those organizations to write PHRs are managed —

MS. BERNSTEIN: Now you are talking about funding issues, not my area. I can’t really speak to that.

MR. HOUSTON: — for pilot purposes but for production purposes and in that case, if those types of relationships occur, then I think that we also — I think it is fair to make this recommendation.

DR. STEINDEL: I think the recommendation is important because there are certain types of arrangements that can be done, especially in terms of funding external programs that they can bypass the federal lacks.

DR. COHN: So, it sounds like we have a recommendation that talks about contractual negotiation, I mean, can reflect on this in the privacy pieces. But I think we have something that —

DR. DEERING: — borrow the language. We have used the percent language twice now because I did add it to the standards area as well. So, you will see it there. We will use the same language and should provide security protections consistent with the HIPAA requirements.

MS. FISCHETTI: — recommendation and it says the last sentence —

DR. COHN: Can I give everybody a break for a couple of minutes before we move to privacy?

Why don’t we take a ten minute break and then we will get started again. We will get started at 10:00 a.m. By that time we will have had, hopefully, everybody have a chance to look through all of the edits.

[Brief recess.]

DR. COHN: Maya Bernstein, thank you very much for joining us. We are going to start talking about privacy. I think one of our federal members is ready to leave the meeting soon is what is going on.

Let’s talk about privacy and we have obviously deferred the conversation on this section to this time. This is a section I think that we have worked on some. We had a fairly substantial call where we sort of redid the recommendations. So, shall we just take a minute to read through what things look like here and then we will talk through sort of paragraph by paragraph and then jump into the recommendations.

I don’t know if it good or bad, but I see lots of writing on Maya’s version of this document. There is lots of writing on everybody’s version of this. This is why we have these meetings to go through them.

So, shall we talk about the first paragraph?

MR. HOUSTON: My thought is the first paragraph just needs a little bit of wordsmithing, rather than changes en masse or anything of that sort.

MS. BERNSTEIN: Yes. The only thing I really had to say about the first paragraph is that in the — four lines up from the bottom or five lines up, it says the principle of consumer/patient ownership — I am sorry, the following sentence. Some noted the difference between legal control and ownership on the one hand and consumer control/ownership on the other. It sort of implies that we all know the difference. I am not sure what the difference between those two things is or what exactly is being referred to, but it sort of implies that anyone reading that will naturally understand that there is a difference and what matters about that difference.

I am not sure I understand it.

DR. DEERING: Is there an issue that there maybe a difference that that —

MR. HOUSTON: I agree with that.

MS. BERNSTEIN: I don’t know if I have also already had the discussion with you guys about the use of the word “ownership,” which causes real problems for me just because when we talk about ownership, it implies — it will imply to the lawyers that a whole group of laws having to do with property and, you know, sort of it brings in a whole body of logic you may not want to really implicate. Polly Griffin and I have had lots of conversations back and forth on this. For example, in the context of HIPAA, those of you who are familiar, we sort of did not address the issue of ownership per se because the idea that a patient would like to say that they have ownership because it is their information in the record.

The provider would like — you know, would argue that it is their record because it is their intellectual work that has created that record. The insurance company that paid for it says, well, we paid for it, you know. It is our record. And the hospital whose facilities, you know, were there to enable the creation of all that information would say, well, it should be our record. So, there are lots of people who have legitimate interest in calling ownership of a record by — in HIPAA what we did was we just said, well, it doesn’t really matter who had physical custody or ownership. That is not what really matters. We are just going to regulate what can be done with that record if you have control over it or what you can do with the copy of it that you own.

You are shaking your head?

DR. COHN: Because there may be multiple ownerships.

MR. HOUSTON: I think it is more than just that. State laws often conflict or differ on ownership of the medical records. Pennsylvania state laws are very clear that the hospital owns the medical record.

MS. BERNSTEIN: It owns the copy it has.

MR. HOUSTON: No, it owns the medical record.

MS. BERNSTEIN: If I have a copy of my medical record at home, what — it owns the copy it has. It can’t own the one I have, if I have a copy.

MR. HOUSTON: I agree with you in that regard, but what the law really states is that in terms of its entirety — it is more than just ownership of a copy. There is a concept of ownership and custodial duties and things of that sort for — and what you have is actually a copy of the record rather than us having a copy of the record. I think state law — Pennsylvania State would say you don’t — the institution doesn’t have a copy. It has the medical record. It has the custodial duties with regards to the medical record. You have a copy of the medical record. You may augment it. You may throw it away. You may give it to others and you are correct in that regard.

But because of the varying state laws, the whole issue of ownership short of has been —

DR. STEINDEL: The question that I have is what does this have to do that conflicts with anything that we stated here?

I mean, we have stated this particular issue. I mean, what we heard very clearly that groups claim ownership and we have also heard that ownership is very complicated and we have also heard that it sort of overlaps with the perception of also the word “control” and they may or may not be used interchangeably and that is basically what this paragraph says. I don’t think we can decide any question and order this paragraph to just any decision on ownership.

MR. HOUSTON: Maybe what we should do is simply state in a short sentence here, you know, ownership of the medical record is a complex issue.

DR. STEINDEL: The principle of consumer/patient ownership of their personal health issue was also raised by some speakers. That is what —

[Multiple discussions.]

That is a factual statement — some noted the difference between legal control and ownership of the institutional medical record on one hand and consumer control ownership of personal information and as a PHR on the other and suggested clarifying the respective rights and liabilities. That is a factual statement.

MS. BERNSTEIN: And I disagree. The way we think of that, you know, when you work in a hospital and you think about record retention and then that falls within the domain of the health information management professional. With the health information management professional, they do use that term, “ownership.” Now, when you are talking about HIPAA, I believe — and correct me if I am wrong — you are talking more about the sharing of information and then things change slightly. The health information management professionals this week put out something and they clearly say that ownership is by the individual or designee and that it is not owned by any third party.

So, I think that it is fine to say that this is still ambiguous. I mean, we have heard from these guys. Other people think something else. I support the sentence, but I don’t think that there is a clear one way or another on ownership right now.

DR. STEINDEL: Linda, we also heard it from your people from the V.A.

MS. BERNSTEIN: I understand that we have heard this. What I am saying is we did not hear that there was a dichotomy and that there are two sides, that there are individuals and that there are consumers. There are lots and lots of parties and particularly in the section we are talking about those third party, you know, private sector companies that are going into the business of creating PHRs. When I read institutional medical record, I am thinking about hospitals, but that is not who we are talking about. Our concern is about secondary uses by people who are creating —

DR. STEINDEL: No, I think what we heard was —

[Multiple discussions.]

— this dichotomy.

MS. BERNSTEIN: It is not a two part thing.

DR. STEINDEL: No, I know it is not a two part thing, but what we heard —

DR. DEERING: How about adding a sentence that says moreover a concept of control and ownership extends even beyond the issue of EHRs and PHRs to other sponsors and providers of EHRs.

DR. COHN: I think it — I mean, this whole thing has gotten very complex and confusing and I think we somehow need to say that. Let me put it that way. And turning a dichotomy into a — what is a tri or quadrotomy or whatever it is.

MS. BERNSTEIN: There are multiple parties with multiple interests and this makes it look like there are two. That is my —

DR. DEERING: How about NCVHS concluded that the issue of ownership and control is highly compressed and recommends further evaluation and assessment of the issues.

DR. STEINDEL: I think we say that later.

DR. DEERING: Well, let me tell you when we get to the research section, I am going to push back. The whole policy research section was taken out. And policy research was exclusively saying let’s study these issues. Let’s devote the —

DR. STEINDEL: I forgot we put it in here.

DR. DEERING: I am not sure it really is in here.

MS. FISCHETTI: I think, though, with multiple entities having multiple perceptions of ownership —

DR. DEERING: That is my point.

DR. COHEN: I think that that — I would agree with you. At that point I can sort of understand the issue.

MS. BERNSTEIN: And some people think that ownership is innocuous. You have control of the issue. It doesn’t matter — I mean, in the sense — what I am saying in the sense of HIPAA, it doesn’t matter who has physical control of records. If you are covered and you have the type of information that is covered, you have certain duties and responsibilities. It doesn’t really matter whether you own, quote, unquote, that record or not.

DR. BAUR: I thought one of the things that we were trying to be very clear about is the extent to which PHR sort of exists outside all of these established practices and ways of thinking that people have, whether it is HIPAA, whether it is HIM practices or whether it is any of these sort of bodies of practices or laws. I think that might get lost in the statement, sort of this reworded statement about there is a lot of confusion and ambiguity. I think there are some groups that are clearly laying down the principle, PHRs are about the individual, whose information is contained in that PHR. End of discussion. Whether you talk about control, ownership, whatever, but that is the principle that is embodied there. And it is not even necessarily in relationship to a medical record. They are not drawing that dichotomy or distinction. They are just saying this is about PHRs.

MS. BERNSTEIN: You just said it is about — you just said two different — about the patient.

DR. BAUR: Not patient. You are in a consumer role. That is the difference.

MS. BERNSTEIN: What the information relates to is not the same as what — who gets to control the information and how it is used in the —

DR. COHN: You know, the issue I am having here and I — you remember Mel Moyers(?), obviously, but I hear ownership. There is also the concept of exclusive ownership as opposed to multiple ownership and I am beginning to conclude that, well, it is like a xerox machine. You know, you have one copy of a thing. I guess I own this and I make a hundred copies and distribute all to you. You also all own that copy of the thing because I gave it to you.

MS. BERNSTEIN: But I don’t know the content of the information in it.

DR. COHN: I am just trying to make some sense out of it.

DR. BAUR: I guess all I am saying is that if we get rid of this —

DR. DEERING: We are going to add something. We are not going to delete.

DR. BAUR: We are going to reference those ambiguity and the fact that —

DR. DEERING: We are not going to delete anything.

DR. BAUR: Okay. But I think it is more than just the principle of consumer/patient ownership and control was raised. It was clearly articulated as a founding idea of what PHRs are about. I think that is the idea that has to be communicated to the —

DR. COHN: Well, you know, I am just not sure about that one. I hear control. I heard some other people using ownership. I was never clear what the difference was between the two. And people seem to be sort of choice of wording more than anything.

DR. STEINDEL: A key example is in the definition for that wire for the CMS open house, where they used that ownership was a key principle of the PHR.

DR. COHN: Gee, I thought the control was.

DR. STEINDEL: No, it was ownership.

MS. BERNSTEIN: People are using these words interchangeably, they are not interchangeable.

DR. COHN: No, I agree with you but remember I am not a lawyer and it becomes very easy for non-legal — I mean, I don’t what people mean by all this. So, I mean, I am having trouble.

MS. BERNSTEIN: That is my point.

DR. DEERING: We will come up with some sentence that — and I can work on it — that captures what we are trying to express about the complexity of the situation. Then I would like to reelevate a more clear recommendation about policy research and analysis in this area because no one has actually dedicated the legal brain power and mind power, professional expertise. They are really thrashing through it, coming up with some white papers and really — so, let’s put it on the table.

DR. COHN: Put what on the table.

MR. HOUSTON: The RFPs that Brailor(?) put out, though I know they are related to NHIN, not this particular issue. Is there anything that — I am trying to recollect in those RFPs that might assist in this regard because they do talk about this issue, the analysis and things like that.

MR. HUNGATE: Let me try some words. Take out some noted the difference and put in testimony revealed wide differences in understanding around legal control and ownership of the institutional medical record, et cetera. So, just changing the front to make it not a dichotomous, but a range of —

DR. BAUR: And I guess I am saying why raise the issue of the medical record at all. We are not talking about the medical record. We are not —

DR. DEERING: I think it should be in there because people actually — that was a confounding issue. People’s initial — health care providers initial push back is that is a non-started because we own the record. So, until people sort of move forward with all the understanding of the differences with PHRs, I mean, we — you know, providers got reaction as well, that is a non-starter. The hospital owns it. End of story.

PARTICIPANT: There is real confusion about, you know, not only differences in understanding but confusion about —

DR. COHN: Yes. I mean, the problem here and just let me remind you of how all of this sort of steps on for those persons who don’t understand ownership, especially physicians, when there is control, then there is ownership and control of the personal health record and some of you have the ability to modify at will and then you hand it to your next provider and you have stripped out three or four of the diagnoses or you invented some and you have added some of your own lab data that you have made up and then what does the provider do with it.

So, it all sort of winds up in the sort of liability. It goes off in various different directions and that is, I think, that what I was hearing was a concern and if you think about this, there are probably reasons to be concerned. I personally don’t know the differences between control, ownership and the ability to determine what a person may or may not see. So, I think they are all sort of related or changed.

MR. HUNGATE: I don’t think we are going to provide an answer.

DR. COHN: No, no. And I think we are offering to delve into that one maybe assuming we have enough guts to go into it.

MR. HUNGATE: I want to suggest another change —

DR. DEERING: I really will be on annual leave when you hold those hearings.

MR. HUNGATE: We say users want to be able to control access to their PHRs as much as possible. I never heard the as much as possible. I only heard they want to control access to the PHRs period. I think we put a qualifier on it. They didn’t. So, I think to be factual, we ought to stop with the — we ought to strike as much as possible.

DR. DEERING: What we heard is they want control. We didn’t hear any qualifiers from the testifiers.

MS. FISCHETTI: Do we consider secondary use to be the same as control access? So, if somebody is gleaning deidentified secondary — is a secondary user of data elements, is that different than control access and, therefore, do we need to put it into this paragraph??

DR. COHN: I think this can get very confusing if we start adding —

[Multiple discussions.]

MR. HOUSTON: I think secondary use is a major topic.

DR. COHN: And it is covered in future paragraphs.

MR. HOUSTON: It is not covered. It is mentioned.

DR. DEERING: So, can I just summarize? I mean all I have heard or where I have heard it to date is — and here is a suggestion on just a way to handle this stuff, starting with the one, two, three — the principle of consumer/patient ownership and control of their personal health information was also raised by some speakers. Testimony revealed differences of opinion, even confusion, about legal control and ownership of the institutional medical record on one hand and consumer control ownership of personal information of a PHR on the other period.

Then we could say NCVHS concludes it is important to clarify — or this raises the importance of clarifying the respective rights and responsibilities.

DR. STEINDEL: I don’t know if individual testifiers expressed confusion on this issue.

DR. DEERING: It was just that as we heard there were certainly differences of opinion.

DR. STEINDEL: And I would say instead of — it sounds to me like the testifiers expressed confusion and actually we are concluding confusion.

DR. DEERING: Okay. And differences of opinion about period. Then what do we do with the last phrase? Clarifying the respective rights and liabilities. Are we saying —

DR. COHN: We have to say we observed that there was a significant confusion, right?

DR. STEINDEL: I think we can add that statement. I think that is an important statement.

DR. COHN: That is just an observation.

MR. HOUSTON: Can I make a suggestion about the last word, liabilities? I am wondering whether obligations is a better word than liabilities.

DR. DEERING: I think a liability was what some people were getting at.

MR. HOUSTON: A liability is the result of an obligation, an unfulfilled obligation, I guess is my — so, it is an effect rather than a —

DR. COHN: I think what we are talking about is respective rights, obligations and any resulting professional liabilities.

DR. STEINDEL: That would be a better way to say it.

MR. HOUSTON: Somewhere I think obligations — rates and obligations to me is — and I agree with you.

DR. COHN: Because that is what the liability —

MS. BERNSTEIN: I wouldn’t put professional liability in there. I would just say liability. Any resulting liabilities.

DR. COHN: Let me ask earlier on because I think I am sort of going along with what we are saying here. Do we want to describe this as the principle of consumer/patient ownership or is this the concept of physician/patient ownership? I mean, principles are elevating it maybe — I guess that is a question I would have for people. I mean, principle is stating it as a principle.

MS. BERNSTEIN: It is the ownership part that I have a problem with.

DR. COHN: No, what I am saying is that I think it is —

PARTICIPANT: I think it is a principle.

DR. COHN: You think it is a principle. Okay.

MR. HUNGATE: But is it ownership or is it control?

MR. HOUSTON: I agree with it. We still have this tension about ownership and control, but it is the principle of that, which I think Simon — we still have the ownership and control. I agree with that. We are dealing with — the overarching principle is ownership.

MS. BERNSTEIN: What is the question you are asking? Are you wanting to put that word in somewhere?

DR. COHN: I think somehow principe to me means things that this has been settled as a principle and I am just not sure — and all I heard — I mean, a lot of people espoused this, but there was also — I mean, just the same way with control. The reality is is that there is a — this almost felt to me like one of those act things, where there was lots of control and ownership others had and much less.

DR. DEERING: How about taking off the principle of and just starting, consumer/patient ownership and control of their personal health information?

MS. BERNSTEIN: How about starting with some speakers raised the issue —

DR. COHN: Okay. Good. Thank you

Now, Maya, you were still talking about — you have issues about the word “ownership.” You sort of commented that you had issues about the ownership. Is that because you don’t want us to mention that or you basically, you just realized it is quite mild?

MS. BERNSTEIN: I would prefer we didn’t because it is a quagmire and because it brings in all kinds of legal ideas that may or may not even be relevant to the question.

You know, someone asked me at one point when we were discussing this, well, can you just write me up a short something on ownership of records and I am saying no. I know where it can — in less than two years, I mean, because you have got issues with — I mean, it is incredibly complicated. What it means in terms of owning the copy, about copyright, about intellectual property.

You know, there are different kinds of properties that may be invoked by use of the word “ownership.” Are you talking about intellectual property? Are you talking about the chattel, you know, that is in my hand? Or are you talking about the — and, you know, property has this long, involved history of common law and statutory law. I am not sure how of it applies to this and I don’t really want to undertake that analysis.

MS. FISCHETTI: Does the AMA employ the lawyers to work on exactly these issues?

MS. BERNSTEIN: Yes. They are going to have the same problem and we are not going to get to an answer about this kind of thing. What we really care about is what rights and responsibilities pertain to this type of information and this type of record. My view is instead of just gathering altogether the long history of property law and figuring out what is right, let’s look at exactly what we have here and apply — if we are going to apply rules to it, apply the rules that intend — we can create our own, like we did with HIPAA, if rules are appropriate at all —

MS. FISCHETTI: Is it such a thing as like medical record copy law?

DR. STEINDEL: All previous discussion about ownership was involving the confined entity, the paper record, which existed physically in a doctor’s office or in a hospital.

MS. FISCHETTI: — lawyers and they are spending a great deal of time on this. So, I would hate to try to usurp a professional domain that a colleague owns and that they are spending a lot of money, a lot of time, a lot of late nights working on right now.

DR. STEINDEL: And they haven’t created an answer.

MS. FISCHETTI: Well, do we know that definitively?

DR. STEINDEL: Well, no, we don’t know that definitively. What we are saying in this is, you know, we need to look at that and see if there is any type of answers. But that is future. That is not going to be expressed in this letter.

DR. COHN: I guess what I would observe is, you remember, the recommendation that comes out of this is the fact that we will provide a forum for — that is the limit to where all of this information goes. I mean, we are not making a specific statement about ownership principles, control principles, anything else. So, I just wanted to make sure that we realized how this is being set up, at least as of this point.

I mean, there may be something else here that I am missing but —

DR. STEINDEL: That is my understanding —

DR. COHN: So, we should be all aware of that.

MR. HOUSTON: In the interest of specificity, I would like to add a sentence in here, which says the need for consumer/patient control of personal information introduces contention about ownership.

DR. COHN: Unfortunately, Mary Jo just completely missed that.

MR. HOUSTON: Resolution of such ownership issues will be an ongoing process.

PARTICIPANT: Exploration —

DR. STEINDEL: I don’t know if that is necessary because this is like what Maya was saying earlier. When they were putting together the HIPAA privacy, they decided we are not even going to approach the question of ownership. We are just going to approach the regulations from the question of control.

MR. HUNGATE: Well, then we had better strike the word “ownership” from all the text.

DR. STEINDEL: No, no — well, we have heard all sorts of issues about ownership. The way they decided to handle it on a practical basis was change the issue to control. What may be decided with regard to the PHR, which is what Maya indicated earlier, is that this becomes a very complex issue and we do need something like regulations to resolve things. We may just take the exact same approach and just turn it into an issue of control. And it doesn’t matter who owns the record.

So, you know, I think introducing your statement introduces a level of confusion. Now, we have to resolve the ownership question before we can resolve the PHR question. That is not true.

MR. HUNGATE: We can just say we are going to deal with control and that is the issue.

DR. BAUR: I mean new technologies always introduce questions of ownership and control. I think the thing is is that is truly the issue is that these are issues that emerge. They are not being settled by this letter, but they are issues that were raised by testifiers. The committee has discussed them extensively. There is a great deal of interest in seeing these issues further discussed and coming to some kind of common understanding about how they will — whether it is through regulation, whether it is through law, whether it is through voluntary — I mean, I think it is also equally dangerous to even presume we know what the mechanism is to sort of resolve all these issues, too.

MS. BERNSTEIN: I agree with most of that. What I don’t agree with is the part that suggests that this issue of ownership somehow emerged with the new technology. She was talking about the fact that we had a paper record in a hospital. You still had the problem of the hospital versus the doctor versus the patient versus the insurance company all being able to claim ownership over that information. This is not a new issue. That is what I am trying to say. This is a very longstanding issue that is —

DR. COHN: Do we need to then hear about — well, it has a new face to it.

MR. HOUSTON: As long as we had a paper record, it was settled typically under state law. It became an issue because now you have — you have this idea of the border sort of going away, varying state laws, people now adding information. When there was only a patient record that was part of the hospital, the patient record was only in the hospital. Now if you are going to say patients are going to be adding to what could be a combined record, you do have —

DR. COHN: I want to remind everybody that we are trying to frame this as a — this is an issue. We don’t have a solution. We think there needs to be a forum for further conversation within NCVHS. We may want to make recommendations that this gets reflected in a research agenda or even include that just as a research recommendation in this area and thereby avoid a research agenda in the research area.

But I guess the question I would have is — I find this thing to be sort of dense myself and I hope it is going to get a little clearer as we sort of move forward. But is there any value for us to observe that the issues of ownership are longstanding issues with medical records and does that help but now pose — but there are now new issues as —

PARTICIPANT: More significant to them based upon those new paradigms.

DR. COHN: The new paradigm and whatever. Is that a useful sentence to say?

DR. DEERING: The issue of ownership

specifically —

DR. COHN: Yes, the NCVHS observes that the issues of medical record ownership — is that the right way to describe it.

DR. DEERING: Health record ownership.

DR. COHN: Health record ownership are not new, but — I guess the question is — it sort of elevates it as a more important issue that we may want to have, but maybe to take on —

DR. DEERING: — take on added dimensions and —

DR. COHN: With the new technology and personal health records. I don’t know if we want to say that, but that is what everybody is sort of talking about. I don’t know, Maya. Does that help us or does that hurt us?

DR. DEERING: And then we recommend further exploration and clarification of these issues.

MS. BERNSTEIN: The very important part is that we are not resolving — we are just identifying and we are going to —

DR. COHN: Steve, thank you for joining us and have a safe ride home.

MR. HUNGATE: Should we make any statements that it should not stand in the way of implementation of PHRs or it shouldn’t hold up the control of the issue?

MS. BERNSTEIN: I don’t want to suggest that it might hold — I wouldn’t want to suggest that it — obviously, they are out there already. It is not holding it up. There are these things in the market already.

DR. COHN: I don’t think it is saying here anywhere that this is really holding it up, I don’t think. We don’t want to open that issue.

MR. HUNGATE: I am just asking questions.

DR. BAUR: I just want to ask about modifying that second sentence though so there is a period after PHR users must be able to control, period.

DR. COHN: So we are done with that first paragraph, at least for this conversation until privacy gets it. We are going to let them see what they —

MS. BERNSTEIN: Just trying to head them off.

DR. COHN: No, I mean I think that this is something I am actually hoping that the Privacy Subcommittee can provide us valuable additional — there are other lawyers on the Privacy Subcommittee and this is — I think more and more we are discovering that we need help from all the committees to create the whole —

DR. DEERING: There is a reminder. I mean, what you had said all along is that it would be — this version that emerges today that will be sent to the Privacy Subcommittee formally for comment.

DR. COHN: Well, either that or — yes, I mean that or what comes out of the — some combination of A and B, but we certainly might want to send this one out to Mark for an early read.

MR. HOUSTON: I would think since the privacy committee is going to be together in San Francisco, it might be good — obviously, make sure we have a version of it by then, but see if Mark can earmark an hour or so at that meeting to try to — we have already talked to you about that.

DR. DEERING: Yes. You are all on the same page.

DR. COHN: Absolutely. That is why we were talking about trying to have a conference call soon after that.

Increased consensus. So, let’s move to the second paragraph, which —

MR. HOUSTON: I have some wordsmithing. I am not sure whether it makes sense to throw it up, at least from how we are going about things now. Should I just give them to Mary Jo?

DR. COHN: Well, if they are truly just ways of saying things better, you can just give them to Mary Jo.

So, we really bring up in the second paragraph here this issue of these third party secondary use — holders of the data, secondary uses. Is there anything substantive that people disagree with?

MR. HOUSTON: I have concerns about the meaning of the last two sentences. I understood the first part of the second to last sentence, consequently, there may not be regulatory control over the privacy policies or practices of third part PHR providers. The second half I am not sure I understood — whose policies and procedures for holding and sharing personal health information are often not transparent in the way that HIPAA prescribes for covered entities. I am not sure what no transparent means.

MS. BERNSTEIN: I think I can help, although I didn’t write this. Transparency usually refers to notice in sort of the privacy parlance. So, what it means is HIPAA requires that when you walk into your physician’s office, you get a notice about their privacy practices and procedures to acknowledge that you have gotten it. So, when you begin a business relationship with a physician, you get the notice about that.

When you begin a business relationship with a physician, you get the notice about that. When you begin a business relationship with one of these third party organizations that are providing PHRs, you may or may not get something like that. It is not transparency what they are doing with your data. I think that is what this is referring to.

MR. HOUSTON: I understand what you are saying when you say it.

MS. BERNSTEIN: It may be a buzz word, but it is the word used to kind of open government notice, you know, free information about what is happening in that world.

MR. HOUSTON: Whose policy and procedure for holding and sharing personal information are often not provided to the consumer in a way that HIPAA prescribes for covered entities? Isn’t that really what we are saying, though?

MS. BERNSTEIN: Disclosure has more than one meaning. I mean, it could refer to —

MR. HOUSTON: HIPAA says you must provide the notice. I just think that that makes it clear that that is really what this is intended to do —

DR. COHN: It makes it more transparent. Sorry.

DR. DEERING: Often not provided to consumers in the way that HIPAA prescribes for covered entities.

MS. BERNSTEIN: And even in where they are — I mean, my issue is even where they are notified, you know, you can notify them over your practices and your practices can be — you have no control over —

MR. HOUSTON: But now this goes to the next sentence. In addition, patients have little control over secondary uses if any that third parties may employ. My argument to that would be that the patient does insofar as they don’t have to contribute or use the PHR, but they don’t. They really don’t have a response —

MS. BERNSTEIN: Then there is no secondary data.

MR. HOUSTON: Well, there is no data at all. So, what I would say here is simply in addition by any patient deciding to use a PHR, they may then have little control over the secondary use, if any, that the third party may employ or decide upon. I don’t know if “employee” is the right word either.

All I am saying is that an EHR — there is a difference because with an EHR —

DR. COHN: So, basically in addition consumers, once they choose to use one of these EHRs or PHRs may have little control over secondary uses.

MR. HOUSTON: Exactly. Because they really do have the right to say no, I am not going to use the PHR. IN the EHR setting, that is probably not the case. When they walk into a hospital —

MS. BERNSTEIN: On the PHRs, I have no problem. EHR is a covered entity.

MR. HOUSTON: I just think it is clearer if we make that distinction. That is my only comment

MS. BERNSTEIN: My inclination would be that — I mean, I think Jeff was particularly concerned about this issue, you know, Jeff Blair — that it is I don’t want to use the word “coercive” because that is too strong a word, but the idea that you are drawing consumers in with all the wonders of a PHR and how much, you know, information they can get about themselves and manage their health and so forth and tell them, you know, to say that they have a choice not to use it, the point is that their choice is not informed by full information about what is really happening. That is the issue that we are concerned about.

DR. DEERING: I think that is up earlier in the paragraph.

MR. HOUSTON: I just think it clarifies. I think the intent is still here. I think my comment or my suggestion change is due to simply clarify when somebody was reading this anew, I think they are going to —

DR. COHN: I think this is sort of wordsmithing you are describing. So, we would certainly welcome that.

DR. DEERING: I think that point that you just mentioned again is up earlier in the —

DR. COHN: I was just going to comment on this one. I actually had the occasion for this open door forum to review the published privacy pieces from at least a couple of the available PHRs. That was 16 to 17 pages and I had to wake myself up a couple of times working through those. After I read them I was —

MS. BERNSTEIN: Would you consider that legitimate informed consent?

DR. COHN: I don’t know. That was sort of what caused me to wonder.

MS. BERNSTEIN: You know, a parallel example that maybe you are all more familiar with is the notice you got with your credit card under the Gramley(?) Bliley(?) Law. Every year you get a thing. It is got writing about 4 points, you know, and it goes on for quite a number of pages. How many people actually read through that, understanding —

DR. COHN: Of course, this is a common issue of HIPAA or otherwise. I mean, it is just a hard issue. I don’t have an answer to this one. I did think as I printed this stuff out and pages after pages and —

MR. HOUSTON: Maybe what is part of a recommendation — and by the way, you know, it is interesting because a lot of the — well, the recommendations are all couched in terms of secondary uses, but providing — somehow ensuring it is a concise notice of uses, the issue of conciseness needs to be maybe incorporated in a recommendation.

DR. DEERING: Actually this is a good place for a plain language privacy —

MR. HOUSTON: By the way when you are on line, it makes it real easy. You know there is a privacy practice, this piece of paper. It is difficult because it is 13 pages, but if you had as a single page, here are overarching agreements that we make or here are the overarching tenets of the notice and the person could click on any one of them and it would — down into the more detailed discussion. It would make it much more —

DR. COHN: I think in their defense I think a lot of them have that. The problem is is to get to really read through all of it.

[Multiple discussions.]

DR. DEERING: I would like to somewhere — I think this is an important point and I would like to find a home somewhere for a sentence that may not necessarily be under the recommendations, although it could be, that really does get at this concept of meaningful communication of privacy practices, that this becomes particularly important in this area of consumer PHRs. I will try and —

DR. COHN: Yes. I think we are fine with that. So, are we — I mean we are okay so far. Maya. Paragraph by paragraph. So, we are okay with that paragraph at this point with the wordsmithing and all that? Is there anything more — okay.

The next paragraph is —

MS. BERNSTEIN: I didn’t say I was done with the paragraph.

DR. COHN: Oh, well, that is what I am asking. Tell us more what —

MS. BERNSTEIN: My feeling about this paragraph may be more generally, which is that it is very — models may be predicated on this business case and there may not be regulatory control. There are existing models that are predicated on secondary uses. We know that they exist out there because we have seen them. That is why we have this concern. We know that there are companies who are providing PHRs and who are making secondary uses of the data.

We are — you know, it says it is not clear whether consumers can make an informed choice, right? It is clear that the consumer cannot make — in my view and this is a tone issue, which, you know, maybe it is out of my purview to recommend, but it is clear to me that the consumer cannot make an informed choice without full disclosures of the policies and practices of these companies. It is a matter of tone, but it is too —

DR. DEERING: So, it is the committee’s concern that — are predicated and that it recognizes there may be beneficial uses but it believes that we have — the wordsmithing has to match the first part of that sentence, which begins the committee recognizes and then it believes that consumers are currently unable to or not able to —

MR. HOUSTON: I have some wordsmithing that I think absolutely fits what she is saying.

DR. COHN: Okay. So, we are fine on that.

MS. BERNSTEIN: The other thing I noticed is where we talk about the PHR vendors not being HIPAA covered entities, whether they are — and then it goes on to say consequently there may not be regulatory control. I mean, I think you can make that stronger if you would add a sentence that says we are not aware of any other — I mean, what you are basically saying is we added HIPAA. There are no regulations and it may be that that is true. It may be that there are some state law but you can say we are not aware of any other law, which would cover these things and consequently there is no federal regulatory control — we do know that there — if it is not covered by HIPAA, there is no federal regulatory control.

Now, if the Federal Trade Commission would like to step in and do something, they have not yet done so. You know, they might or might not have the authority to do that, but basically as I understand their authority, since we mentioned that in the recommendations, if a company provides a privacy notice, for example, on its web site, but also on paper about its practices and then does not follow that practice, that would be an unfair trade practice under the Federal Trade Commission Act. They have started to use that authority more recently on many things.

But there is nothing that requires a company to come up with a notice that we have been talking about and that is the issue that we are addressing. We want to encourage or perhaps if we decided — you know, if somebody decided it was necessary to require somehow the creation of those kinds of notices because until they are required to be out, there is no real regulatory controls.

So, again, this is a matter of tone about, no, it may not be, we don’t know, you know, we could be stronger or you could be stronger and say more clearly that we know that there is no federal regulatory control over these things without HIPAA . If you add something — as long as you add the caveat that says we are not aware of any other laws that would cover this, and that is the whole thing.

I want to make a marker about this point just because when we get to the recommendations, there are several places — secondary uses should not be allowed except where permitted by law. That phrase, except where permitted by law, guts the entire recommendation because we know the law permits anything right now that they want to do. That is the exact problem that we are addressing.

MR. HOUSTON: I agree with you and it is funny because I had the same thought that you had to pull the new concept in, you know, with expressed patient consent.

MS. BERNSTEIN: We can get that, but that is why I wanted to make a not about this because it directly — you know, what we are talking about in the text is tied directly to what we have in the recommendations on this particular point.

MR. HOUSTON: I think we probably need to move, but I agree with — I think we are all on the same page.

MS. BERNSTEIN: When we get to the recommendations, but — see, that has an important meaning, too, if we strike that.

DR. COHN: Well, let me explain to you why we put that in. Maybe we said it wrong, but I think that we — this was permitted by HIPAA is what we are talking about here.

MS. BERNSTEIN: That is not the same, but also HIPAA doesn’t apply to this. That is the whole point. HIPAA does not apply — these are not covered in anything that HIPAA doesn’t apply, may not apply.

DR. COHN: Well, this applies if they are a covered entity. The recommendations don’t —

MS. BERNSTEIN: — made the division that John was talking about before, then it may be covered. But most of the ones that we are concerned about, I think — covered entities, we are not concerned about them because —

DR. COHN: Okay. I think we need to somehow — I think what we were intending to say here — and, obviously, I think you are hitting us — you are making the point that we are not saying it well — was is that we thought HIPAA was a good basis on this. So, gee, you know, HIPAA actually has rules about all this stuff. So, covered entity, you basically — there are disclosures that you are either permitted or required to do.

DR. DEERING: How about preceding that phrase where in those instances where HIPAA does not apply, secondary use should not be permitted.

[Multiple discussions.]

MS. BERNSTEIN: Something that I don’t think that this committee has considered is whether you should recommend that these things be covered entities.

MR. HOUSTON: I thought we were steering clear of that.

MS. BERNSTEIN: Okay.

DR. DEERING: — in those instances where HIPAA does not currently apply.

MS. BERNSTEIN: Right, because there is another way to — you know, you are saying we should apply similar rules of HIPAA if it doesn’t apply.

DR. COHN: That is what we are saying, yes.

MS. BERNSTEIN: And you could say the same thing by saying, well, they shouldn’t be covered and then we wouldn’t have to drag out all what the rules are —

DR. COHN: This was, I think, part of the issue we — this was —

MS. BERNSTEIN: I am not saying that it is likely to happen but whether —

DR. COHN: This was sort of the issue we brought to the — and I will apologize. When we last met with the Privacy Subcommittee, I had probably the second migraine of my life and, thankfully, I had my first one evaluated, so I don’t have to go back and have that again, but that was the point we were bringing to the Privacy Subcommittee about whether or not it should be voluntary privacy safeguards, whether HIPAA was the way to go. We sort of talked back on this one. This is something that we would want to get input from privacy again on about whether this is really — whether this is a legislative action, whether this is voluntary.

These are things — remember, Jeff spoke very strongly the idea of voluntary full disclosure and all of that and, you know, truthfully, you know, I looked through all these things and I noticed we are not mentioning things like your act certification, all of that stuff, but that is a lot of voluntary activities that are in place and —

MR. HUNGATE: I was going to argue that if we are going to seek voluntary action to be compliant with the intent, then we have got to be fairly clear on what kind of things need to be volunteered.

MS. BERNSTEIN: And I also want to point out that two of the recommendations, one of them says there is the voluntary action and the other one says we should look into regulatory action. You know, if you are going to go the voluntary action route, you shouldn’t at the same time go the regulatory action route.

MR. HUNGATE: I would argue that we should present that there are two alternatives to deal with this issue. There is a voluntary path, which if it didn’t work, it might have to move —

DR. DEERING: I think there is also a temporal issue that we all know that if you go down the regulatory path, it will probably 2015 before there is actually in effect — if tomorrow the department started the whole process of examining the issue of broadly regulating secondary uses, it would have to convene the staff. I mean, from the moment that you —

MS. BERNSTEIN: I understand that it is a non-profit, but if you expect that the voluntary — if you expect the voluntary controls to work, then you don’t need to go down that path. So, if you want the private sector to basically self-regulate is maybe too strong a word. I don’t want to invoke the kind of FTC or whatever —

[Multiple discussions.]

— but, you know, if you are talking about voluntary controls by the industry on itself, if you expect them to work in — you don’t want to go down the regulatory path.

DR. DEERING: Okay. So, how about we do two things. First of all, we take what is currently the 5th recommendation, which is about industry volunteerism and we move that up to No. 3 and —

PARTICIPANT: There are four recommendations.

DR. DEERING: Okay. No. 4 becomes No. 3.

DR. COHN: So, we switch those.

DR. DEERING: That is only step 1. By the way, in its last sentence does begin in those instances where HIPAA does not apply, there should be no blah, blah. Then the new fourth one, which is the current third one, we should say, you know, HHS should monitor voluntary practices in the industry and assess whether any further appropriate action is possible or something —

DR. COHN: That falls into sort of the new recommendation we have about consumer protection on page 7.

DR. DEERING: Well, except remember that you specifically said that your consumer protection one was not so much about privacy. You wanted to leave to the privacy recommendation, privacy section, everything that was strictly privacy related.

DR. COHN: Okay. That is fine.

DR. DEERING: So, all I am saying is that the new last recommendation should we say HHS should monitor industry practices with regard to the disclosure, et cetera, et cetera, and assess whether there is a need to take any appropriate — any additional action.

MR. HOUSTON: I guess I should ask, I mean, is this and HHS should monitor, NCVHS will monitor, who should monitor?

MS. BERNSTEIN: You are an advisory group. I am not the staff that can monitor this.

DR. COHN: Can HHS monitor — I guess they can.

MS. BERNSTEIN: I would not give a specific recommendation to which office should do this work. Let the Secretary figure out where —

[Multiple discussions.]

DR. COHN: So, is this getting better? Maya, have we handled some of your handwriting — now, is there anything big that we are missing that is like a Mack truck running through that we are sort of —

MR. HOUSTON: We sort of jumped two paragraphs and went to some recommendations. Correct?

DR. COHN: That is right. I guess we did, yes. Do you want to go back to those separate paragraphs?

MR. HOUSTON: The third one down.

DR. COHN: The forum one or the secondary uses?

MR. HOUSTON: I see that is the forum, yes. I just have a thought here that the last part of that — the sentence, which is actually in the second to last in the last line, where it says in potential liabilities associated with data within a PHR, I would say take out the and and say potential liabilities associated with use of data within a PHR and notice provisions or something about notice provisions.

MS. BERNSTEIN: It should be a separate semi-colon issue, separate from liability.

MR. HOUSTON: I think there needs to be —

DR. COHN: Is that the clear notice?

MR. HOUSTON: — the notice provision. We just talked about it, about having informed notice, things of that sort. What it would say would be NCVHS will provide a forum on several issues that arose from the initial hearing. The ownership of data within the individually controlled PHRs, the ability of PHRs to obtain data from external sources, such as provider systems claims clearinghouses, health plans of similar sources, now storing identified PHIs, potential liability associated with the use of data within PHR and notice provisions associated with a PHR because what we have been just talking about, I think we are all —

DR. COHN: Sure. Okay. And I think it is probably something we might want to hear URAC and e-Trust and find out of what their recommendations —

[Multiple discussions.]

MR. HOUSTON: PHRs now or for —

MS. BERNSTEIN: Not — but for non-covered activities. So, the communication issues and notice issues and our office was very heavily involved in the plain language —

MR. HOUSTON: I was just thinking that —

DR. COHN: That is fine. So, we can add that.

MR. HOUSTON: — is really unique here now. It is obviously, not settled because you are talking about it.

DR. COHN: I think that is fine.

MS. BERNSTEIN: This is the place where I would use the word “transparency” that you don’t like, but that is when invoke all of those issues having to do with —

MR. HOUSTON: — other provisions as described above; those provisions within a PHR —

[Multiple discussions.]

MS. BERNSTEIN: Okay. That is fine.

DR. COHN: Do you want to change that — how we are describing them. Is ownership the issue or is it ownership control?

MS. BERNSTEIN: It is an issue for some people. It is not an issue for me. It is obviously an issue for some people, but I think control is really the issue.

DR. BAUR: Is it the ownership of the data or the ownership of the PHR because it is stated as the ownership of the data?

MR. HOUSTON: Ownership of the data I think is really the issue. PHR is owned by any — PHR is an actual property owned by somebody. So, it is really the data in the PHR —

DR. DEERING: But just because we have acknowledged that previously we are going to have language about that, about ownership and control again, of data within PHRs and take out the individually controlled PHRs there.

MS. BERNSTEIN: I would just control. If you want to deal with ownership — the result of that is that you know somebody decides that the way to properly control is to give ownership, then that is a solution, but it is not —

MR. HOUSTON: Let me just say this. I have not looked at all 50 state laws and I guess the question I would have, though, would there be a state out there that has a law that says patient information is owned by the patient?

DR. DEERING: I believe that there is a state — more than one state that actually says that.

MR. HOUSTON: So, we do have differing then state laws describing the ownership of patient data. So, ownership and control has — both of them are still needed, to be dealt with in the framework of the 50 states having their own separate —

DR. DEERING: I think to get away from the word because people are using it, again — we have noticed already that it is confusing, but there are issues surrounding it and I would say that we are going to explore it, and control.

MS. BERNSTEIN: We have a major example of a place where you could have a solution that doesn’t deal with ownership. HIPAA.

MR. HOUSTON: Why don’t we say the concept of ownership and control of data.

DR. COHN: That sounds fine. That sounds even better.

DR. DEERING: — several issues, it is already labeled an issue. So, is the concept an issue or is —

MR. HOUSTON: Well, that gets to Maya’s point if it is real or whether it is perceived there is a concept of an issue.

MR. HUNGATE: Let me take the discussion a little bit further. We haven’t been very precise in saying what the secondary issues are. There are some secondary uses which people perceive have value and if they are going to sell the benefit from that secondary use, then ownership becomes an issue. Patient responds to a particular drug vis-a-vis another drug.

MS. FISCHETTI: — a new drug on the pharmaceutical company, contacts me and says, Mrs. Fischetti, may we please monitor your diagnoses, lab values and any temperatures you may have for the next 18 months and we will give $20 a month for your data.

DR. DEERING: The whole you take control model is predicated on a business relationship that is giving the patient ownership so they can sell the rights and actually receive monetary compensation or benefit in —

MR. HUNGATE: I want to pose a question that the issue of control of secondary data also raises questions about the validity of that data supply because you have to verify the correctness of —

PARTICIPANT: Because I am going to go get on as many drugs as I can.

MR. HUNGATE: There is a lot of conditional stuff in here that is buried in a term we use easily, but it covers a lot of stuff. So, I am just worried about where we are here.

DR. COHN: Other comments? John or Maya?

MR. HOUSTON: Some people will perceive there are good secondary uses and bad secondary uses. What is interesting, though, you look at some of the papers that John Sanding(?) has circulated here regarding research and patient’s desire to have — consenting to research. Sort of this interesting phenomena, which is is that patients wanted to be — patients wanted to be asked if their data could be used for research, whether it be deidentified or identified. Most people wanted to be asked. But almost everybody once they are asked said yes.

MR. HUNGATE: They just want to know they are in.

MR. HOUSTON: Exactly. I guess the point being is that even if it is good secondary uses or bad secondary uses, it is almost irrelevant because in my mind because patients probably pretty much want to be asked regardless. Now, whether they agreed with it or not is a — the ban, you know, is something else. They may say, no, I don’t want to be contacted. That makes it real easy. But I think the overall concept of having approval is something that I think is —

MR. HUNGATE: I am raising a different issue.

MS. BERNSTEIN: Right, which is that secondary to what, right? So, that is a term I use easily, but when I know what I mean by it, which is a secondary use is a use which is other than that for which the data was originally collected and for which I already had notice of — or something else that came up late. But it could be something of which I have, but it is not the purpose for which the information was originally collected.

MR. HOUSTON: Can I recouch that in different terms? It also could be secondary use to some people would be it is a use that doesn’t involve me, like if I got some benefit out of it, it would be a — then it would be — if somebody contacted me in the context of a PHR if there is some alternative therapy or some problem with the therapy that I am on, versus if the secondary use was someone was selling data to a third party, I never even knew what occurred. There was never any direct — there was never anything that connoted to me in terms of a benefit. It is just people are selling data because —

DR. COHN: Okay. I don’t mean to stop you all. We have 17 minutes left. We can talk about this particular issue for 17 minutes. If there is something that relates directly to this letter, to these paragraphs about what you were just talking about, tell us. Otherwise, let’s move on to something else.

MS. BERNSTEIN: The question is we think it is important to put in some definition of what we —

MR. HUNGATE: What I am worried about is I think that the personal health information is going to be of increasing importance in the medical information system over time and I don’t know what kind of boundaries need to be put on that in order to make sure that it is reliable, valid, the whole process around secondary —

[Multiple discussions.]

And I don’t know whether we are setting precedents here that I am going to worry about later. That is all I

am saying.

DR. COHN: I don’t think we are talking about quality of data here, I don’t think.

MS. BERNSTEIN: Are you suggesting that we should be talking about accuracy rather —

MR. HUNGATE: I think we have to worry about it. Whether we should talk about it here or not is another question.

MR. HOUSTON: Can I make one suggestion and one comment? I think it would be valuable to define by way of example a few secondary uses so that it is clear what we are talking about. Some individuals will say for secondary uses, they don’t care about the accuracy. If it is 85 or 90 percent accurate for whatever the use is, we will accept it. So, part of the decision on the data accuracy is going to be that when somebody goes to use that data for a secondary use, they may say, you know something, I understand this is provided by the patient. It may not be accurate. I am going to accept it.

DR. COHN: I want to table the quality discussion only because I don’t think it has relevance to the privacy area. But I do think we need to have some examples and —

[Multiple discussions.]

MS. BERNSTEIN: Accuracy is extremely relevant to the privacy discussion as a general matter, I mean, and secondary — I will give you the example that comes to mind is are you happy with 85 percent accuracy in your credit record. Yes, the credit bureau doesn’t give —

MR. HOUSTON: You misunderstood my point.

MS. BERNSTEIN: — for their purposes, but it is going to affect you if decisions are made based on that.

MR. HOUSTON: You misunderstood my point. My point is simply that if somebody decides to take data for a secondary use, okay, if this PHR company decides they are going to contract with some third party who wants to see that data for some purpose, some commercial purpose, so there is a secondary use there. It is up to that PHR company, host, and that third party to look at the data and say how much confidence do I have in that data for the use that that third party wants to use it for, which is a secondary use, and then decide from that whether that is an acceptable level of confidence in the data before they use it. It is like research data.

Hear me out. Wait, wait, wait, you are missing the —

DR. COHN: So much for my time check.

MR. HOUSTON: You are missing my point. Data accuracy the patient supplies is only as good as the patient data that they supply.

DR. COHN: Okay. Everybody, listen, I just don’t know where — I mean, maybe you guys are going to some major recommendation. Bob, if there is a sentence that you want to be put in this section or some other section that somehow relates to something about all of — I don’t have any objection.

MR. HUNGATE: I don’t have something I could put in.

DR. DEERING: I would like to just make the observation that I think that this is important because we have already outside of the health field been talking about the commodification of information. That is a known principle. Information is now a commodity. It is being bought and sold. Maybe in the value section somewhere there is room for a statement that says in the era, in the information era, when information is recognized as commodities, this is especially pertinent in the field of health information and we need to be mindful of the implications or something just in that effect.

MS. BERNSTEIN: I mean, it goes to some more sort of global issue that I have with this section, which is it deals very specifically with disclosure for secondary uses, but it doesn’t deal with — and it deals with notice. I guess those are the two things that it deals with, but there are many other aspects of privacy that it does not deal with, including whether the information is accurate, relevant, timely, complete and maybe if it is — you know, the patient is —

MR. HOUSTON: I tend to agree that accuracy is important, but not — in the context of privacy I think we are talking about other things. I think there could be some discussion in this letter about the need for data accuracy, completeness, but you know part of the problem we have here is your source of data.

MS. BERNSTEIN: I am not arguing that.

MR. HOUSTON: You may not have accurate data because it is coming from the patient and it might be their view of the world, which may not be accurate.

[Multiple discussions.]

DR. COHN: Linda, do you have a way to get us off this?

MS. FISCHETTI: I would like to see you suggest some wording. I am not getting it yet. I don’t know what quite you are saying. So, if we could resolve it by maybe just an e-mail with suggested wording and wrap up the meeting in time so people can get on their airplanes.

DR. COHN: Unfortunately, we have somehow gotten off on these tangents. So, the question is comments about recommendations.

MR. HOUSTON: Well, I have one other — there is another paragraph here that I think the next paragraph is a concern about secondary uses of — I think that is redundant because we talk about secondary uses above substantially.

DR. DEERING: It was specifically clipped to be put in there. That was explicitly — I was instructed to put that in as a separate sentence.

MR. HOUSTON: And the reason why — but I think the problem here is I think our recommendations are going the way of not simply being related to secondary use. This paragraph was to set up the recommendations that — the ones that are listed here all relate to secondary use. The way I understood it, our discussion of the recommendations, I believe that our recommendations are in addition to — there are some recommendations or discussions in our recommendations about things that are not considered secondary use, that are more general.

I think the whole concept of a notice is just simply not a notice of secondary use, but it is a notice in general about practices and privacy —

DR. DEERING: Where do you see notice?

MR. HOUSTON: I thought we were talking about —

DR. DEERING: But that is in the text, that we added it to the text and that is where we say we are going to explore that in the future.

MR. HOUSTON: But I thought we were going to — maybe I am wrong, but —

MS. BERNSTEIN: The first recommendation talks about HHS requiring all PHR systems to provide full disclosure in secondary uses. That full disclosure, even though I missed it so far, it is dedicated to secondary uses. That is talking about a notice up front to the patient about practices of the company. So, there are two things that are basically — you know, that we focus on and one is notice to the patient, what secondary uses are going to be made and the notice that has to go to the patient to tell them what secondary uses there are, if any.

MR. HOUSTON: I agree.

DR. BAUR: In that case the notice is narrow for secondary use. I just thought you said that notice should be broader than secondary use.

MR. HOUSTON: Well, I thought we talked about making it broader, but maybe I misunderstood what we — or misheard what we talked about.

DR. BAUR: Well, I guess this is not a recommendation at the moment that talks more broadly about

— that talks about notice covering issues beyond secondary use. So, are you — there should be a recommendation on —

MR. HOUSTON: I think there should be. I think we should make it a general recommendation about the need to have notices related to privacy considerations for PHRs.

MS. BERNSTEIN: Well, we do say, for example, in the last recommendation that the private sector should voluntarily adopt strict privacy policies and practices.

MR. HOUSTON: To include —

MS. BERNSTEIN: And to include full disclosure of secondary uses, but we could just say of those policies and practices, including secondary —

DR. COHN: Okay. Good.

DR. DEERING: So, instead of to include, we want including?

MR. HOUSTON: Including, yes. Because the last recommendation sort of assumes that there are privacy policies and practices and notices and the reality is is that there really isn’t anything today that requires that. So, we need to make the recommendation that those things exist.

MS. BERNSTEIN: I am just not aware of what those laws are. I haven’t explored them. So, what we are saying is not just saying including but then they should adopt privacy policies and practices and should provide notice to their customers, I guess — consumers — about those policies and practices including disclosure of secondary use of the —

DR. DEERING: And should provide clear notices of those policies and practices, including —

MR. HOUSTON: Because if we go through the second paragraph, we talked about the fact that there may not be regulatory control over privacy policies and practices. So, we need to get the concept down —

MS. BERNSTEIN: We haven’t said anything about what those policies and practices should be. We leave it up to the private sector to figure out what they should be.

MR. HOUSTON: So, we do need — well, back to that paragraph then. The first sentence says NCVHS is concerned about secondary uses of personal health information in PHRs without the express consent or the knowledge of the individual. I think we need to make that sentence more generalized. Then the next sentence says we, therefore, recommend a series of actions by the department and the industry.

DR. DEERING: So, we are concerned about privacy policies and practices related to PHRs, including clear notice —

MS. BERNSTEIN: We are concerned about policies and practices with respect to PHRs.

DR. DEERING: Can I work on that for a little while? I do want to — I hear that you don’t want it to focus exclusively on

DR. COHN: Including duh, duh, duh.

DR. DEERING: But I don’t want it to delete it.

DR. COHN: Sure. That is fine.

Now, do we have comments about these — I am sitting here struggling with — we have got five minutes left. How do you want to use it? I mean, is that basically — we haven’t gotten into these recommendations. We seem to talk about everything but. Actually, that is not true. We talked about 3, 4. Shall we take a minute or two to talk about it and then we are going to have to think about whether given the fact that we haven’t reviewed really all the changes we made from yesterday, whatever other additional comments about recommendations?

DR. BAUR: I was just suggesting in the first one to sort of a more broad one, not just a secondary use one. And I would just strike the word “campaign” because campaign has a specific connotation.

Campaign has a specific kind of —

DR. COHN: Other recommendations here?

MS. BERNSTEIN: Just to remind you about the point I made before, which is in the recommendations, the second one and the fourth one, where it says permitted by law. There is a large issue around that, use of that term. Taking it out does not resolve the problem and changing — required by law also does not solve the problem. So, I

mean —

DR. COHN: Well, I think we talked about HIPAA

MS. BERNSTEIN: — discussion about that, which I don’t think can be done in five minutes.

DR. COHN: Maybe I can ask you and Mary Jo to work on the appropriate —

MS. BERNSTEIN: This goes to the heart of what it is that the committee wants to recommend. You know, the problem with — everything is now permitted by law because it is now unregulated.

DR. COHN: I think we had already talked about that.

MS. BERNSTEIN: But the question is what do you want to put in there instead.

DR. DEERING: Here is what we did. We began the sentence — there are two places where that occurs, right? And in each of those instances the sentence now begins, in those instances where HIPAA does not apply, and then we strike except where permitted by law.

DR. HUFF: What was our intent? I thought this was really to permit or in fact require disclosure for public health and infectious disease —

DR. COHN: That is what HIPAA does.

DR. HUFF: I know that is what HIPAA does.

MS. BERNSTEIN: In law enforcement and emergencies and —

DR. HUFF: Those laws are separate from HIPAA. I mean, I was required to report diseases —

MR. HOUSTON: HIPAA supports that disclosure. The point here being was that when we said required by law or then you said, okay, everything is required by law if it doesn’t fall under HIPAA. So, therefore, it is sort of a field day. You can do what you damn well please. The point here being is that if it is covered by HIPAA, then HIPAA applies. Otherwise if it is not covered by HIPAA, then you need authorization if there is going to be some other use for disclosure. You couldn’t read this to say that —

DR. COHN: I think we should let Mary Jo play with this.

DR. DEERING: See what that looks like when the whole section is teed up. It may still not be there, but —

MR. HOUSTON: I think we are on the right track with this. I think it addresses —

DR. BAUR: Do you want to just give me one minute to talk about —

DR. COHN: Why don’t we give you one minute and then I am actually mulling about whether — how we deal with between now and August 8th and what we do.

Why don’t you tell us very quickly what you did here?

DR. BAUR: Well, I did combine the existing facts that were there and to create a new introduction. What I did was view the committee or NCVHS more clearly — I am a little uncomfortable in the document in general with NCVHS as a committee believes or feels. I think those are pretty weak verbs. So, I tried to choose verbs like, you know, estimates or concludes or — you know, I think there needs to be stronger verbs throughout the paper in some of those places because I don’t feel like the committee — it is sort of weak to say the committee feels or believes things, I think.

So, I tried to do that in the opening. So, that is really an amalgam of the two. Then it was framed in terms of the committee identifying these broad areas of research. So, just to be sure, to Mary Jo’s point, policy was — I took out policy in that string because Steve did not have policy and my instructions were to build off of Steve’s category. So, if you want to have policy back in, you know, just — it is not mentioned anywhere now.

I didn’t do a lot to the individual categories. I clarified some of the points in there, but I did add three entirely new recommendations that were more global because if you just went with the two recommendations that were there, there were no recommendations from the old text that we were reviewing yesterday and Steve only had two recommendations, one for AHRQ and one for CMS.

So, based on the yesterday, I formulated three more global recommendations that are brand new that people might want to consider. One is based on that statement that was early on in the old text where it was about recommending the data collection and things like that. So, that has kind of been reformulated now as an explicit recommendation.

I thought realistically, I mean, you can say HHS can direct AHRQ to do this, but I mean I think it is more powerful if you say AHRQ could do that or you could say that AHRQ ought to report to the Secretary, I mean, because, you know, if you just say HHS but you really mean AHRQ, you should probably just say AHRQ or if you want CMS, you should just CMS.

DR. COHEN: Let’s just take a quick look through the recommendations. You requested all agencies review their research portfolio and program operations and report that they — so that was that first one we had talked about yesterday.

DR. BAUR: Right. And I think it is that reporting or accountability, if you just say HHS ought to, whatever, but there is no reporting or accountability, it typically won’t happen.

DR. COHN: Hopefully, everybody is okay with that at least for our conversation on August 8th.

DR. BAUR: That is kind of global thing so that could service other areas, like maybe that is — you know, could pick up policy issues or other research and evaluation issues that were not discussed anywhere above.

DR. COHN: Then HHS should begin to identify, standardize and collect data in PHR systems and their impact on health and the health care system.

DR. BAUR: That is a reformulation of the statement that was in the old version yesterday where it used the verb recommend in the text, but it wasn’t pulled out as a recommendation.

DR. COHN: Okay. The third recommendation here is HHS should collaborate with OPM to help implement the pilot studies of PHR systems with payers and beneficiaries of FEHBP.

DR. BAUR: That builds off of the discussion that was yesterday.

DR. DEERING: And for your information, under federal rules we have teased that out and there is a recommendation under federal rules that ensures in the FEHBP to identify opportunities to —

DR. BAUR: But this wasn’t a part because I was picking up on the theme that the committee wanted research and pilot studies. I didn’t know if you wanted to actually just go straight to implementation or if you wanted the pilot studies first.

DR. DEERING: But the point is that Blue Cross-Blue Shield is already rolling them out in certain regions. It may well be that at some point they come to the Mid-Atlantic Region and without anybody doing anything, they just extended it and if you are a federal employee and you are a Blue Cross, then you have got it.

DR. BAUR: I am just talking about some of the questions the committee wants to answer. I mean, the pilot study says that there will be some investigation of how that is working. That is all.

DR. DEERING: That is why I am differentiating it from the federal role area here.

DR. BAUR: Okay. It sounds like if it is already existing in some regions that there will be federal employees who are on this.

[Multiple discussions.]

DR. DEERING: Any given health plan has a different program for the Federal Government than it does for other people. So, it is not a given.

DR. BAUR: I didn’t know whether there was going to be a summary statement between that sort of transition from the research to the conclusion or it just ended because it sort of just ended in our version.

In conclusion comma —

DR. COHN: I think these all look relatively good to go. Now, I would certainly — I know Mary Jo was speaking strongly about policy agendas. I don’t know whether it is here or in the privacy section or whatever. I think we need to look at that and sort of see if it needs to be — I am not sure that it is — I worry about a global policy research agenda.

DR. DEERING: It wasn’t very global. It was very specific.

DR. COHN: Well, whether it fits here or does it fit in one of the other sections.

DR. DEERING: Let me circulate it again and people can take a look at it.

DR. BAUR: One other thing to point out is, you know, there had been this category of market research, but there is no recommendation about market research. Those comments were made at the same open forum. We are not very well organized to do market research and it doesn’t exist for us even to buy or to — so, I don’t know if you want to say that HHS should somehow stimulate or encourage or I don’t know, but I think it is worth thinking about rather than just raising the question of market research —

DR. DEERING: — it was in there and it was targeted to CMS. There was a market research —

DR. COHN: And we sort of jumped that a little bit.

DR. BAUR: I think actually it pertains to everybody, not just CMS.

DR. COHN: Now, as John Paul begins to leave, let me ask the question here now. We obviously have something that we have worked on very hard yesterday and today. I want to thank you all. It was not the easiest way to sort of do things, but it is the way we do things. However, there are recommendations here and lots of changes that we have not really had a chance to look through in a hard fashion.

We have obviously a conference call scheduled on August 8th and we will probably try to arrange one, depending on when Maya’s Privacy Subcommittee finishes, either at the end of that day on the 18th or the beginning of the — at the end of the day on the 17th or the beginning of the 18th, the privacy aspects and all of that.

DR. DEERING: Is this on their agenda, do you know?

DR. COHN: Yes, it is now on the — since I have talked to Maya, it is now on their agenda.

MS. BERNSTEIN: After August 8th, they are going to provide something.

DR. COHN: If we could give it to Mark, I think that would be great. I think we would have whatever our agreed to version is for circulation to the Privacy Subcommittee on the 8th.

Now, my question for all of you is —

DR. DEERING: Can I just clarify that statement? Are you saying that one way or the other I will pull together what we have heard today into the version that we are working from that we didn’t get to those changes. We will have a new document that reflects changes made today and tomorrow. That is the version that we will send out for discussion on the conference call. Is that the version that you are going to ask the Privacy Subcommittee —

DR. COHN: No, no. I was actually going to ask the subcommittee, along with asking Mark to take a look at it, just as a quick heads up, but they would look at the one after that.

MR. HOUSTON: Can I make a suggestion here.

DR. COHN: But I was thinking about between now and —

DR. DEERING: — look at until the 18th.

DR. COHN: We are talking about the 8th.

DR. DEERING: But the Privacy Subcommittee isn’t meeting before the 8th.

MR. HOUSTON: — and, Simon, you are on the Privacy Subcommittee. I am on the Privacy Subcommittee. The only person who is not part of this committee who is on the Privacy Subcommittee, I thought was Mark. Who else is on the Privacy Subcommittee — I thought Richard Harding was on this committee.

DR. COHN: Oh, yes, he is supposed to be. That is right.

MR. HOUSTON: So, my point is the only person that is out of the loop on this is Mark.

DR. COHN: So, if we send it to Mark, we sort

of —

[Multiple discussions.]

DR. DEERING: Basically only Harry and Mark.

MR. HOUSTON: Why couldn’t we in order to facilitate bringing this to closure is to send this to them now saying this is our next good draft of this. Much of your committee is on this workgroup. Can we include you in our round of review on this, specifically related to privacy so that we can try to facilitate getting this to closure? Because if we wait —

MS. BERNSTEIN: I think when you get the other two in the room, the conversation is going to change.

DR. DEERING: What I am hearing is that we send them this when I send it out to our workgroup and we ask for feedback by the 8th?

MR. HOUSTON: My point is is that two-thirds, three-quarters of the Privacy Subcommittee sits here in

this —

DR. COHN: But they haven’t been part of this conversation.

MR. HOUSTON: I understand that, but if we do — hear me out — if we do what we are doing now and then all of the sudden after we are done with what we think we are satisfied, we get it to them, it is going to invoke a series of comments potentially that is going to extend us trying to get this done. If we include them earlier, since most of the Privacy Subcommittee is already sitting here, I think that all we are doing is we are shortening the time —

DR. COHN: I think I am agreeing. The question I have for you all is there has been large parts of this that we have not reviewed.

MR. HOUSTON: I am just talking about the Privacy Subcommittee.

DR. COHN: But I think they are going to want to review the whole thing. I don’t think just sending in the privacy section is going to be adequate. What I am saying is I am looking around the room. There have been large parts of this we have not reviewed. Now, are we comfortable reviewing this on the plane going home, providing any additional comments to Mary Jo in writing before she sends it out to the full subcommittee, plus Mark, plus — and Harry and that being the process, do you feel we need to have some sort of a conversation about it before it goes out to everybody else in that group? What is your preference?

DR. DEERING: Could I make a third option, which is where I thought we could have gone, which is to treat these two days as a unit. Don’t give me any comments to what I have put in here yesterday. Just leave that there for now. Let me incorporate what we have done today. What you have is a text, comments from workgroup meetings, 7-27 and 7-28. That way those will both be equal sections. They will have no more, no less massaging or finalization one or the other.

DR. COHN: I guess the question is is are you all comfortable with everybody receiving some of these things that, obviously, we didn’t review after we talked about and then we will all just send comments back to Mary Jo and have that conference call or do we need to do something else? That is really just the question I am asking everybody. If everybody is comfortable with this — and we have all been sort of paging through it. I didn’t find anything really terrible about it or anything like that. There is where I think we need to further improve.

MR. HOUSTON: I think it is a luxury because we don’t have a luxury of time. I think we do need to look practically at doing that.

DR. DEERING: Our call is the 8th. I don’t know that — are you asking them to give me comments well before the 8th that they then reincorporate so that the 8th call is on yet another version or is the 8th call going to be on this version, I mean, the new version that I am going to send out?

DR. COHN: Well, I obviously am thinking practically of what might make sense and the question is do you want to see things where people have written things up and responded, that we can all talk about? Because I am not sure if this is to automatically make changes based on everybody’s comments.

MS. BERNSTEIN: I just meant to ask — I am sorry. I didn’t mean to throw — I just meant to ask when we would have a copy that incorporated what we just talked about and whatever happened in the last few days.

DR. DEERING: Part of it depends on the sequence of how many more rounds you need — before the 8th.

DR. COHN: The next version will go out —

DR. DEERING: No later than Sunday night.

DR. COHN: That goes to the wider distribution, which is to Mark and others. That is the only question we were just asking, I think. So, that is when that will go out. I guess what I am hearing is the other piece, which I think Mary Jo was asking is should we be asking people to send back red line versions. I don’t think there is time to turn around another version, though I think it is desirable, but I think if people have improvements or whatever, it would be nice to know about.

DR. DEERING: My only observation is that we will need to focus the discussion on the 8th very precisely because two hours is not long enough to —

MR. KAMBIC: [Comment off microphone.]

DR. COHN: We spent a lot of the time yesterday on research.

MR. KAMBIC: You did. Okay. I wasn’t here.

DR. COHN: This is the next version.

DR. DEERING: So, one of the things, just to recap what was suggested I think late yesterday or maybe early this morning is that, okay, they will get the whole document and they will read the whole document. The phone call itself focuses only on the recommendations and on the language of the recommendations, so that we hammer those through. They can if they wish refer back to the text. Then afterwards, when we have agreed on the recommendations, we also want to call their attention to does the text support the recommendations.

MR. HOUSTON: Then I would suggest this then, rather than people red lining the document, because of the fact that it gets very complex, what if we simply say you will provide an e-mail that if you have a concern about a specific recommendation or section, you will name the section and numerically number your concerns about the section, just describe your concern. So, what that can do is be compiled into some type of cohesive bisection list of

— agenda of issues to be discussed. Keep the document in the performance you will send out and it will allow us to evaluate.

Then once we get done with — if there are substantive concerns, then we can wordsmith the final product, but if we start to wordsmith now, as well as talking about substantive concerns, we will get so — things get so wrapped around the axle you will never figure it out.

DR. DEERING: I would only modify that by saying we suggest that for Monday, the 8th, that they do get it in a two-tiered approach. They focus on the recommendations.

MR. HOUSTON: Absolutely.

DR. DEERING: And they put any of their concerns about the recommendations in writing. To the extent that they want to have read the text and have some comments, they can hold those in reserve because they may change if in discussing recommendations we come up —

[Multiple discussions.]

So, we don’t want them to expend or waste it. So, the focus is really on the recommendations and we want to receive them in an e-mail or Word, just a list.

MS. BERNSTEIN: You are going to have time to create an agenda for that phone call either Friday or Monday or whatever — if you get everybody focusing on one recommendation and having a problem with it and some people have no problems with any of the other recommendations, your agenda is not going to be to go through recommendations. It is going to be to focus on that —

MR. HOUSTON: We can’t do it until we know that.

MR. HUNGATE: I think it would be helpful if the recommendations were numerically numbered.

DR. DEERING: I will send out two files. The second file will be recommendations only, numbered, with a line —

MS. FISCHETTI: Actually, I would like to see the recommendations as a separate document because you know as soon as this letter is put in, if it is picked up by the trade press or if we put it into any of our slides or whatever, only the recommendations are going to be pulled out and the text will be used —

MR. HOUSTON: But this is only for internal discussion.

MS. FISCHETTI: But I feel like if we see the whole of the recommendations, then we would be able to sort of add — if we have any holes that trucks could drive through. I want to see what are our recommendations and look at — are we missing something —

[Multiple discussions.]

DR. DEERING: I will do one of two things. I want a minimum number of the recommendations just for discussion purposes and No. 2, for this next — I am actually going to add line numbers to the next version.

MR. HOUSTON: But I think again comments should be by section, title and then by recommendation number.

DR. COHEN: Okay. So, is everybody okay. We have got an action plan. I want to thank you all for some very hard work.

I am reminded there is a reason why we don’t write 80 page reports generally.

The meeting is adjourned.

[Whereupon, at 11:50 a.m., the meeting was concluded.]