[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics (NCVHS)

February 18, 2016

Hubert H. Humphrey Building
Room 705-A
200 Independence Ave., SW
Washington, D.C.


P R O C E E D I N G S

Agenda Item: Call to Order/Review Agenda, Clarifications and Updates

DR. SUAREZ: Good morning everyone. Happy third day of NCVHS meetings. We started Tuesday at 9, Wednesday at 8:30 and today at 8:10. If we have a meeting tomorrow, we will be starting at 6 a.m. Thank you, again, for joining. We are going to start our second day of the full meeting of the National Committee. We are going to start quickly with review of the agenda, which I think you all have received. Yesterday, we had a really very productive and intense day with discussion of two action items and discussion also of three major topics. It was a very intense day. This morning and this afternoon are going to be another very intense day as well.

This morning we have our Privacy and Security Subcommittee session as a full committee. Part of our session is going to be a review, an update from our federal agency partners, the Office of the National Coordinator and the Office for Civil Rights. And then we will talk about our Subcommittee work plan and some of the discussions that we had. And then after that we are going to go through action items, our Review Committee letter and Population Health Workshop Report.

We will take a break and then we will talk about the Workgroup on Data Access and Use and also discuss the strategic plan and update on the workgroup activities. And then we will finish up with – try to bring together all the work plans and the strategic plans that we have been developing into something that identifies what are the topics that we are going to be working on through the next year or year and a half, what are the activities that we are going to be holding during this period, including workshops and hearings and those kinds of activities. Then what are we going to be producing in terms of letters or reports or both. We will try to bring together all that and have a discussion about it before we adjourn at noon. And then we will turn things to the Work Group on Data Access and Use, which we will be starting at 1 p.m. this afternoon.

I think we should go around and do quick intros for the benefit of those on the phone. If you could state your name, organization, and I think we will dispense of the conflicts. We just need really a quick introduction for everybody.

MS. LOVE: Denise Love, National Association of Health Data Organizations.

DR. RIPPEN: Helga Rippen, Health Sciences South Carolina, University of South Carolina and Clemson.

DR. O’GRADY: Michael O’Grady, NORC at the University of Chicago.

DR. COHEN: Bruce Cohen, Massachusetts Department of Public Health.

DR. STEAD: Bill Stead, Vanderbilt University.

MR. SCANLON: Jim Scanlon, ASPE, staff director for the Full Committee.

DR. SUAREZ: Walter Suarez with Kaiser Permanente.

MS. HINES: Good morning. Rebecca Hines, executive secretary to the committee with CDC/NCHS.

DR. MAYS: Vickie Mays, University of California, Los Angeles.

MS. GOSS: Alix Goss, Pennsylvania eHealth Partnership Authority.

MR. LANDEN: Richard Landen, QuadraMed.

MR. COUSSOULE: Nick Coussoule, BlueCross BlueShield of Tennessee.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics committee staff.

DR. SUAREZ: Do we have any members on the phone?

MS. MILAM: Good morning. This is Sallie Milam with the West Virginia Health Care Authority.

DR. EVANS: This is Barbara Evans with University of Houston.

DR. SUAREZ: Good morning. Anybody else on the phone? We are going to turn to staff and other staff.

MS. KANAAN: Susan Kanaan, writer for the committee.

DR. LAZARUS: Steve Lazarus, Boundary Information Group, representing the CAQH CORE.

MR. WALLER: Pat Waller, Cambia Health Solutions.

MS. KOCHER: Gail Kocher, Blue Cross Blue Shield Association.

MS. SEEGER: Rachel Seeger, detail to ASPE as staff to the Subcommittee.

Agenda Item: HHS Updates: Privacy and Security

MS. MCGRAW: I am Deven McGraw. I am the deputy director for Health Information Privacy at the Office for Civil Rights. Our authorities are all things HIPAA enforcement and policy. I am particularly thankful to be here. I have a special place in my heart for federal advisory committees having spent many years sitting on one, and also even before I did that, I watched the work of the NCVHS very closely and have always been impressed with the recommendations that have come out. Now I am fortunate of having the opportunity to brief you here and potentially receiving some of your recommendations down the line, which I very much look forward to.

I want to talk a little bit about what we have done on the enforcement side first because we have been very active if you have noticed some of our recent announcements. But we have also been active on the policy front. We issued a final rule at the very end of 2015. We have had some guidance that has come out. I want to describe all of that briefly to you today.

On the enforcement side, we have announced four settlements since Rachel gave her last report. Frankly, if I were here in another two weeks, we would be adding probably two to that mix. Our regions are very active in investigating breaches of health information as well as responding to complaints and opening compliance reviews. We have many cases in the pipeline.

Just to talk a little bit about those that we have settled recently. In November, we announced a settlement with Lahey Hospital and Medical Center of Massachusetts for $850,000 and also accompanied by a robust corrective action plan. All of our settlements involve the payment of some monetary settlement as well as entering into a period of monitored conduct governed by our corrective action plans.

In the Lahey case, they had a laptop that was stolen. It was a laptop that was attached to a CT scanner. It did have PHI on it. It was unencrypted. Although it did have a lock, but it had been stored in an unlocked area and subsequently was stolen. It also was not appropriately password protected. The administrator password had never been changed on the scanner for as long as they had it. We do find that these things do happen. And on top of that the risk assessment that they had done was incomplete and most importantly did not include these types of laptops and devices that are attached to larger devices frankly that then attach into the system’s network. We thought that was a very important case and that was back in November.

Then just on the heels of that, we announced a settlement with Triple-S Management Corporation of Puerto Rico for $3.5 million and again a robust corrective action plan. Widespread noncompliance with both the privacy and security rules. The instances of the covered conduct that we found them to be in violation are frankly too numerous to mention in a presentation that is brief. All of our resolution agreements and settlements are available online if you want to see the details there.

We have had a lot of security rule cases that we have been settling recently, but this one stands out because there were privacy rule violations too, including the first time that I am aware of that we have ever found an entity for not following the minimum necessary standard and making too much information available to a contractor than was required to do their jobs.

University of Washington Medicine settled in December for $750,000. This involved a breach of about 90,000 records after an employee opened an email with malware in it, which again does happen. But in this case, in looking at all of the circumstances, we found that this was something that could have been prevented had the entity taken the proper steps to do so. We do not penalize entities who do the right thing and nevertheless have something happen. What inevitably happens with our investigations where we pursue them to formal action is that there have been significant issues of noncompliance, the failure to do a complete risk assessment, for example. The failure to respond appropriately and address the deficiencies even when a risk assessment is done. The failure to enter into a business associate agreement with a major contractor for the entity that is holding a lot of PHI.

The last settlement that I will mention is Complete PT. In this case, the entity was uploading testimonials from patients onto its website without having secured a proper HIPAA authorization and we got a complaint from one of the persons whose information was highlighted in the advertisement. That one was a $25,000 settlement. We think it is important for a couple of reasons. One is that we pursue entities large and small. Number two, we do not push monetary penalties that are going to take an entity out of business. In this case, pursuing a greater monetary settlement than the one that we collectively agreed to with Complete PT would have potentially made it unlikely that they could have continued doing this. We are not in the business of shutting people down.

We also got a motion for summary judgment in our favor from an administrative law judge in a case involving a home health care entity called Lincare. The investigation took place many years ago, but the employees routinely took PHI home. They are a home care entity, but they did not have policies addressing what employees were to do with information when they took it home. In this case, the employee moved out of the residence and left all of the information in the prior residence. Therefore, it was viewed by the other person who lived in the house. It also involved a domestic dispute. Quite a messy set of facts.

But nevertheless what we were concerned – our concerns in this case were that they had no policies to deal with the fact that they had people taking information offsite and yet that was routine.

The entity did not want to settle. They considered this to be a theft of information for which they should not be held responsible. The case went to an administrative law judge. The judge ruled in OCR’s favor for the entire amount of the penalty. The full amount of the civil monetary penalty. Usually in our settlements, it is a significant discount from the penalty that would otherwise have been charged to the full extent of our legal authorities. $239,800.

Now, we are still in the period where they can appeal that and we should know by the end of the week whether they are going to appeal, but the ruling is quite favorable on our side. The judge essentially found the arguments of Lincare to be without merit. It is the second time that we had issued civil monetary penalties and the second time in doing so we have been upheld by a neutral court. That is on enforcement.

I will mention that the second phase of our audit program as directed by Congress in HITECH for us to establish an audit program. We did a first phase several years ago. We are launching our second phase in this year. In fact, the meeting with our contractors to help us do this audit is taking place today and tomorrow. We are providing them with an orientation. We will mostly be doing desk audits, asking entities and covered entities and business associates to send us copies of their policies and procedures in certain areas, which we will then examine.

But we also will do onsite audits of a smaller number of entities. Those will take more resources. We are really testing desk audits as a mechanism to see how well they work in terms of figuring out what place they might have in a more permanent audit program. But that will happen this year.

On the policy front, as I mentioned, we issued a final rule that authorizes a small subset of covered entities that are reporters to the National Instant Criminal Background Check System, NICS, to be able to do reporting of persons who meet the definition of what is unfortunately called a mental health prohibitor, which is in another area of the law. Folks who meet that definition are not permitted to have a handgun or any type of gun. That information is entered into the NICS Background Check System and then entities that are subject to checking that system before they can sell a firearm will see that this person is disqualified.

There was a lot of confusion among a number of entities who both were reporters to NICS, but also covered by HIPAA about whether HIPAA would permit them to make those reports. What we did in the rule was to clarify that HIPAA does in fact permit again the small subset of covered entities who are subject to reporting to NICS to be able to report information. The information they are permitted to report is not clinical information, but merely identifying information so that it can be entered into the background check system. That was finalized in late 2015.

We have also put out guidance on the individual right to access health information under HIPAA. This was actually one of my goals in coming into this job, having worked as a privacy advocate for a number of years. I knew from that work that people often had difficulty exercising their HIPAA rights and also now that I am on this side, taking a look at some of the complaints that we get from people who cannot exercise those rights, it is clearly an enormous problem and a lot of misinterpretation of what is in fact required by HIPAA. HIPAA is mostly a regulation that permits certain uses and disclosures, but in a couple of instances, HIPAA says you must. Providing information to patients when they ask for it or in the case of payers, subscribers when they ask for it is a must. It is not if you want to provision. We wanted to make that clear.

In early January, we put out a comprehensive fact sheet. We are issuing a series of frequently asked questions that dive down into more detail on the scope of the right, what is covered by it, what is in a designated record set, for example, the right of the individual to get the information in the form or format that the individual wants as long as it is readily producible by the entity and readily producible does not mean if this is part of your processes that you have set, it is can you do it, not will you do it. I think there has been a lot of misunderstanding about that where patients are being shunted to some pathway that the entity has earmarked as being the way that they will respond to patient requests and it is not necessarily always what is most convenient for the patient.

Now, we also of course clarify that we are not expecting entities to go out and buy new equipment in order to meet every possible request that might come in from an individual. In a digital context, you have to have some capability of providing people with a digital copy of records, but it does not have to be in the latest or greatest format that the patient has asked for. The term readily producible does have some meaning for the covered entities in terms of what our expectations are. But at the same time, again, if it is something that you can do that the patient requests, you should do that.

We had FAQs again on this form and format issue that I just talked about, on what is in the designated record set and what is not, timeliness. Again, we could not go beyond what our regulations provide for. It is within 30 days under normal circumstances, it can be extended for one additional 30-day period.

We will be releasing some more FAQs by the end of the month on the issue of fees for access, which has been a big issue for people as well as the right of the individual to have the information sent directly to a third party, which has big implications for the mobile app community and their ability to have tools that consumers can easily use that pull information from EHRs or claims records, for example, and make that into usable content for the individual. Stay tuned for more on that.

One thing about issuing FAQs is that when you think you have delved into all the questions and you put a big array of information, people still have more questions. We could be at this for quite some time. But we do foresee again this additional set of FAQs coming out shortly and then we will see how that goes and whether we need to do some more.

We have also been working on the President’s Precision Medicine Initiative. We were instrumental in developing the privacy and trust principles to govern that. Again, those are principles. I happen to think they are very good ones, but of course we are biased because we helped write them. But they were subject to public comment and they were finalized earlier this year.

There are some companion security principles that are currently being developed. I actually think the hope is that those will get released again before the end of this month, but they are not out yet and again there will be a public comment period for those as well.

We are continuing to work with an interagency group to develop more details around the policies that will govern the President’s Precision Medicine Initiative. These need to follow along in lockstep with other announcements about the PMI like what the cohort design is going to look like, et cetera.

We have worked with ONC to develop two fact sheets on permitted uses and disclosures that are pretty critical to interoperability in health care like sharing information for treatment purposes and care coordination and population health. I am going to let Lucia Savage when she gives her part of the presentation talk to you a little bit more about those. While we worked in companion on the content for those and we have co-branded them so people who look at them know. This came from the Office for Civil Rights and it says that HIPAA allows us to do X, Y, and Z so they can rely on that. It really was ONC’s idea. I do not want to steal her thunder on that.

The last thing I want to mention on the policy front is something that we have been calling our developer portal. When Jocelyn Samuels, our director, started, she sat down with a group of technology developers and heard loudly from them that we did not do enough to help them figure out whether they were covered by HIPAA under what circumstances they would be covered by HIPAA and if so what should they be doing in order to comply. These were a lot of new technology developers. People who had not been active as vendors in a HIPAA-covered environment before. They were really scratching their heads about when they were covered and they were not.

We had the idea to develop a web portal site for developers to ask us questions about HIPAA. The site is interactive. Developers can post questions. They can vote on the questions that they think are the most relevant and important for us to address, recognizing that we often do not have the resources to answer every question so which ones should we focus on.

They can also have dialogue in the comment box underneath the question. We do curate the responses to make sure that they are at least pushing the dialogue in a productive direction. But for the most part, we really have not had much of a problem with people trying to post things on the site that are inappropriate.

We recently uploaded what we are calling our HIPAA app use scenarios, which essentially walks through a number of case examples of a mobile health app and what it is trying to do and what audience they are trying to reach and what kinds of arrangements they have with a health care provider or a payer. In each circumstance, we analyze whether or not HIPAA would apply to that circumstance and why.

We hope that this is going to be helpful for developers and seeing the kind of thinking that they need to do or that they need to work with their attorneys to do in order to determine whether or not they are covered by HIPAA.

We rolled it out to the CTIA, which is an organization of telecommunications companies and had a good reaction from them. We are meeting with ACT, which is the App Association. I am not sure what the acronym with because it is called the App Association, but it is called ACT. We will have to find out on Friday when we meet with them to see what they think of it, to get feedback, to see if there are other scenarios that we should add. We are really trying to be as innovative as we can be as a governmental organization, using the web to reach out to web-based technologies to try to get more guidance out on HIPAA.

The last thing I will mention is cyber security. It is certainly an issue front and center on our minds as well as others. We of course are in a unique position among federal regulators that we enforce a set of very specific rules around security, which have enormous implications for cyber security. We are seeing hacking on the rise in terms of the large breaches that get reported and the reasons for those breaches. Certainly the stolen laptop, the lost device is still the majority of what we see. Hacking typically involves so many more records. If we counted breaches by number of records, it would outpace all of the other types of breaches that we see.

We are working with the Department on a number of initiatives that are still in development. I am not quite ready to share yet. But we are putting out monthly emails on cyber risks to our security listserv. In fact, in February, we put one out highlighting the dangers of ransomware. Please do not ask me what that is. It is just bad. My security experts would be able to tell you.

Apparently, somebody did not read the email, but we are doing our best to try to get information out to the community about things that we hear about, things that some of our federal partners hear about so that we can try to get information out earlier so that people can ideally take steps to try to prevent a cyber threat from taking.

With that, thank you. I am happy to answer any questions.

DR. SUAREZ: Thank you very much. We will see if there are any questions. Any questions from the phone?

MS. MILAM: Thank you for the great report, Deven. This is Sallie. We appreciate the guidance.

MS. MCGRAW: Thank you. The one thing that I forgot to mention is that guidance is very much aimed at our covered entity community so it is a little dense for the average consumer. We are working with ONC on some consumer-friendly materials because they were gracious enough to lend us some support to that.

DR. SUAREZ: I must say. I still remember back about two years ago maybe when Rachel first reported that OCR was releasing its first YouTube video. I think it was amazing to hear about an agency like OCR not traditionally engaged in this type of social networking to do that. And now to hear about the app portal is incredible.

MS. MCGRAW: Walter, we are trying.

DR. SUAREZ: You are ahead of a lot of other groups actually. I do have about four topics. I wanted to just mention a couple of things and get your perspectives on them. Cybersecurity. Clearly, a major issue. Most of you have heard about the most recent event just happening as of yesterday. The Hollywood Presbyterian Hospital being hacked and kept really in a suspended mode their system for ransom. They released this morning $17,000 to get the code back. They have to pay it in bitcoins. I do not know if you are familiar with that technology, but bitcoins is a new cybersecurity currency.

My comment was about this might not imply necessarily a breach, but it does potentially affect other important elements that are part of this. When we think about security, we think about integrity, availability, and quality. The scope of it. It seemed like this one was a major challenge for the availability part of the health information because it was blocking access to it.

From your perspective, what are some of the actions related to that type of events that are not necessarily breaches per se, but are becoming a challenge to ensure availability of health information, one of the core principles of security?

MS. MCGRAW: I would not necessarily conclude that there was not a breach there. An entity is supposed to let us know as soon as possible, but no later than 60 days just as they have that obligation to do so for the individuals. Keep in mind that the breach definition that is in our rule and which came from HITECH is a much stronger definition than some breach definitions that you would find in state law.

Essentially, any impermissible use of information providing access to someone who is not authorized to see the information hits our breach definition. Because we have such a broad scope of a breach definition, we will ultimately end up hearing about most incidents like this. Sometimes we hear about them in the press before they get officially reported to us and frankly under our enforcement authority, we can open up an investigation on the basis of a press report and have done so before.

The one thing I cannot comment on is with respect to that circumstance whether we are or not investigating it. A process involves a report to us and our process also allows us to act on other information.

The breach tool ends up being a much more powerful one than you would think because the definition is so broad.

DR. SUAREZ: The other one is about the portal that was for app developers and I presume also perhaps the medical device and mobile device and other types of home health device developers and tools to understand how they are affected or covered by HIPAA. At some point, we heard that there was an intent to develop a broader guidance and perhaps even a portal-driven guidance that would allow app developers and medical device developers to understand how other regulatory actions and authority and regulations apply to them. Particularly regulations come from FDA, FTC, and FCC.

At some point, I remember in an event mentioning how when you have a cell phone that has an app that is used for medical purposes, you have four or five different agencies affecting that. FCC regulates the wireless part of and the use of wireless and broadband technologies for health in this case and transmission of health. FTC is the Federal Trade Commission that regulates some of the privacy of the data as well and some of the use of information. FDA regulates the device itself. NIST has guidance around the protection of that. There is a mixture of regulatory elements coming together.

There was some discussion about a lot of or stronger coordination between OCR, FDA, FTC, and FCC. Could you mention some things about that?

MS. MCGRAW: In the pipeline is a tool that helps people figure out what legal regimes they need to look based on the functionality of the product. This is being driven by the Federal Trade Commission. Although we have cooperated with them in developing it as has the FDA and I believe also the FCC. I am not sure about NIST. It is a basic tool in the sense that it tells you where to look. It does not tell you what conclusions to draw up, but at least it helps some people in the right direction. It is very far along. It is in FTC’s hands to decide when it is going to be released.

We have also had some on the enforcement side, this is tangentially related to your question. We have had some discussions with FTC about how we can funnel to them some of the complaints that come in through our complaint portal that are non-jurisdictional for us, but that could in fact be further investigated by them. We entered into some of those discussions. We get a lot of complaints. We are on track to get about 17,000 complaints this year.

DR. SUAREZ: Rich has a question.

MR. LANDEN: Actually, I have two. The first is I appreciate the update and the enforcement actions and I am happy that they are happening. They are kind of anecdotal. Do you have a sense of where we are from a broader perspective? These enforcement actions. Are they outliers? Have we in the 20 years since HIPAA was passed – what is your comfort level with how well the industry gets the responsibilities? Are we at a good place or are we still climbing up the hill?

MS. MCGRAW: We are still most definitely climbing up the hill. There are some well-resourced entities that have full security and privacy compliance staff that tend to do a much better job at oversight, but even for entities. The list that I gave you. There was not the tiny practice down the street. They are entities with some resources. And what we find is that there is still not enough attention being paid to this issue in terms of resources and commitment. Just not doing risk assessments for maybe not ever for periods of years. You do one and then you do not update it or you do one and it tells you that you need to encrypt your portable media and then you take about five years to get about 50 percent of the way there. That is pretty much what we see.

Failing to patch software. Again, failing to do a business associate agreement in an obvious case where one is needed. Even where entities have business associate agreements with other contractors that they work with and they just do not. And then there is an issue. That is still happening. Lack of transmission security is another one.

Credentials and access. Again, I mentioned the fact that the entity never changed the password on the laptop. It was administrator or something like that or password.

Cybersecurity is aimed at hacking. But if you do not have a good security profile in your organization, you are going to be vulnerable to all sorts of things and hacking does more major damage in one strike. All of these other issues are what undermines the security of health data across the entire enterprise.

We try to send messages through these cases. They are not outliers necessarily, but we do not have the resources to go after everybody. We do not have the resources. We look into every breach of over 500 records that we get, but we do not necessarily have the resources to do the under 500 records. We have to be more circumspect in trying to choose those that are going to be the most high impact in terms of whether the resolution is going to be meaningful both for that entity, but as well as from a message standpoint. I wish I had a better story. It is ugly out there.

MR. LANDEN: My second question may or may not be related. In your opening remarks, you had a very effective teaser there saying that you might be coming to us in the future asking something. Could you talk about that a little bit more?

MS. MCGRAW: I have been in discussions with the Privacy and Security Subcommittee about some items that they were interested in and what might be of value to us. My understanding from speaking with Linda and with Rachel is that there are a number of items on the agenda that are going to be of high interest to us. De-identification and minimum necessary being two of them. I mentioned that we have had a case finally where we have found someone to be in violation of the minimum necessary standard. This was a really pretty obvious case. We have a lot of entities that we are not quite sure what they are supposed to do with that standard. We are required under HITECH to issue guidance about it and we have not gotten to it yet. We would really love some guidance about the direction we should be going with that.

DR. O’GRADY: You brought up before about complaints and compliance reviews and how those work. In the past, the agency has struggled. Correct me if things have changed over time. But complaints are kind of one offs. The public is coming to you and asking for address of a grievance. Whereas compliance reviews at least in the past the agency could use to deal with more systemic problems and get in effect from a management of the agency was often felt that it was a better return on investment for investigator time, et cetera.

But the agency also had things where there were so many complaints and they were under a consent decree at one point about how long they could take to resolve a complaint that they just – they were doing all the one offs. They were just doing close to 100 percent complaints and never got to this more systemic approach.

It sounds like you guys are doing both at this point. But you have that feel for is it a 50/50. How is that going with the idea of we have something systemic out there that it would be nice to have a precedent that we could point to that so and so tried this. We were not comfortable. The administrative law judge agreed with our investigators and therefore nobody should do that versus Mrs. Jones – they put her name up on the web and she did not want it.

MS. MCGRAW: We have a mix. I am not sure that it is easy for me to say it is 50/50. What you will see in the trade press and what you will see in our websites in terms of our major settlements, those are much more aimed at systemic issues most of the time. Complete PT, which I talked about was probably an anomaly there because that was one where we got a complaint from someone that it turned out revealed is a systemic issue. Fundamental lack of adherence to the rules around when you can use patient information for marketing. It is a complaint that turned into a systemic issue and those are the ones that we usually pursue to the monetary penalties and settlements and then to civil monetary penalties if we need to go that far because we think it is important to the public on a case like that that is high impact.

The complaints from individuals more than likely get resolved through what we call technical assistance. An individual access complaint is usually handled by a phone call to the entity to say you are actually supposed to give this person this information and you are supposed to give it to them within 30 days or you are supposed to give it to them with only a reasonable cost-based fee and $300 cannot possibly be right. That kind of advice. They close and they do not close in a way that the public is aware of. We close a lot of cases through that technical assistance. It is very much a mix.

I am actually trying to do some thinking with my staff and with the director about how we can make some of those technical assistance cases that right now fly under the radar for all but the entity and the individual involved to make them more public. Charlie Ornstein who is a reporter for ProPublica has through some FOIA requests put out some of our closed cases from technical assistance into a database that he makes available to folks. Ideally, that is not the way people should be finding out about what we are doing. We are exploring what are ways that we can be more transparent with the public about how we handle some of these smaller, individual complaints.

MS. LOVE: I am just curious. Do you have repeat offenders? Some of the business models are just pay the fine and do not fix the problem.

MS. MCGRAW: We do have repeat offenders, Denise. This is something that we are also developing a better strategy for handling. Our case management system while it does a lot of things very well. One thing that it does not necessarily help us too well with is proactively identifying repeat offenders. We have to go back and check. And the investigators do this most of the time, but do not do it consistently. A lot of our investigations frankly are because we have received more than one breach report or more than one complaint. We find an organization and then do we have the resources to go back and follow up with them. Certainly, I think we could do a better job about that.

We are doing some upgrades to the case management system. And top of my list is how to find a better way to proactively identify who the repeat offenders are. Sometimes it is hard because the complainants do not always identify them properly. Again, the system does not try to put things that look like they are the same together. If it is Lahey Hospital, Lahey Medical Center, it does not necessarily match. That feels like it should be fixable in this day and age.

MS. LOVE: We need another quality indicator to go along with the other performance ones is compliance with minimal security regulations.

MS. MCGRAW: I do not like the idea that repeat offenders just keep violating. It sticks in my craw. We will figure something out.

DR. RIPPEN: I guess with regards to the challenges that consumers face in sometimes getting their health information even though it is something that you are supposed to be able to get and having heard a lot of horror stories about it. What if anything is being done in that arena?

MS. MCGRAW: We hope that the guidance will be helpful and wake people up if their processes are not quite aligned with where our regulations are now that they have an opportunity to more fully understand what we mean when we say reasonable cost based for labor. But we are going to have to do some enforcement.

The first civil monetary penalty that we ever issued was against an entity that was refusing to give people their medical records. That is what brought us in the door. And then they refused to cooperate with us. They really got hammered from a penalty standpoint. They are not necessarily a cautionary tale because if you read about what they did, they were far more – most of our covered entities for the most part are trying to do the right thing. They are just not doing it well enough. This entity was a different story.

But since then again most of the complaints are that one individual complaining and we settle it through technical assistance and we do not always catch the repeat offenders. I think we have to come up with a strategy that backs up that guidance. I have had preliminary conversations with our regions that do our enforcement investigations. There is a high degree of interest in coming up with a workable strategy for investigating and pushing some of these cases.

DR. O’GRADY: One more quick one. In terms of just thinking evolving issues and where it will affect you guys and privacy, price transparency is becoming more and more a topic. At the same time, we have a development of medical especially in technology in some of the areas I work in where the devices can be quite expensive. An insulin pump now is about $5000. In a typical insurance policy, it is $1000 out of pocket for the patient.

A patient who calls their insurers who say there are five different manufacturers. I know you negotiate price discounts with the different manufacturers. The insurers are somewhat hesitant to reveal that kind of proprietary data of what size discount they have. In particular, on that kind of shopping around to try and reduce your own – you are happy the insurer is negotiating well, but you cannot tell whether you should go with manufacturer A versus manufacturer B to minimize your thousand dollars you would like to take down to 500. This will only come up more and more. Any HIPAA implications of that or is the price just totally off the table?

MS. MCGRAW: The price is not on my table. I think the ability for consumers to get claims data may help app developers build comparison tools. I had seen a few of them actually. They are pretty cool apps where you can actually look for who does breast surgery for cancer in the New York Metropolitan Area and you can look and see what the average price is and choose accordingly, but it is definitely outside of –

DR. O’GRADY: And those ones are normally full retail.

MS. MCGRAW: Reams of articles have been written about the difficulty of finding how much things cost.

PARTICIPANT: APCDs.

(Laughter)

MS. MCGRAW: That is right. When you de-identify data, you can still keep the prices on.

MR. COUSSOULE: We actually do that even for average prices now.

DR. SUAREZ: We have a new member on the phone. Ob, do you want to introduce yourself?

MR. SOONTHORNSIMA: I have been listening. Sorry I joined in late. Ob Soonthornsima, member of the Full Committee, no conflicts. May I ask a quick question? You talked a little bit about the maturity or lack of. Good practices should be in place like password and so forth. Is there a maturity model that you would advise or guide the industry from the basic having BAA and all those things all the way up to data loss prevention like data at rest, data in motion encryption?

MS. MCGRAW: We direct people to the NIST standards. Again, nobody but the federal government is required to follow them, but we think they are an excellent set of both safeguards and protections. They focus more on security, but there are privacy elements to them. They really represent the top line. And frankly if you follow them, all of them, you will be in very good shape in terms of the HIPAA security rule.

MR. SOONTHORNSIMA: Is there a guideline that says you have to do at minimum X, Y, and Z?

MS. MCGRAW: Well, at minimum, you have to do what the security rule requires. We have these provisions that are called addressable specifications. Our expectation is that you also implement those. But on those you can in your risk assessment document if it is not reasonable for you to deploy those what your alternative safeguard would be. But it is pretty much a framework that if you followed it and did it, you would be in very good shape. The problem is that it is not done.

DR. SUAREZ: To follow up on that and this is a topic that we discussed earlier this week, one of the methods for authenticating and protecting communication exchanges is digital certificates such as X.509. That is a specific standard for that. Is that part of the addressable requirements? What is the perspective of the use of those?

MS. MCGRAW: We tend not to be that prescriptive in the security rule. What it says is that you have to have a methodology for permitting only authorized persons to access PHI. You have to have a system in place for doing that. You have to have an audit capability that you actually have to deploy in order to regularly test that. But we do not say thou shalt use X. Even in the encryption space, we do not specify that standard as part of the security rule.

Now what we do is in our breach notification rule, we provide a safe harbor for technologies that render data unusable, unreadable, and inaccessible. There is always a fourth adjective that I – decipherable, of which a specific mode of encryption is indicated. The security rule tends to provide flexibility to entities about what they adopt. I think the NIST framework is a little more specific than that. It is probably better to ask a NIST expert about that.

DR. SUAREZ: One last question because this is another important topic. Since Lucia is here, this might be also a question for her. APIs. APIs have become a new technology approach. APIs meaning application programming interfaces. I know there is a taskforce within the health IT policy committee looking at this and in particular the security and privacy. They are issuing their recommendations. While the technology is promising, there are concerns around bring your own app to obtain your personal health information because you can imagine providers out there trying to deal with hundreds of thousands of potential apps that will be knocking at their door trying to access individual personal health information to extract it and then deliver it to the consumer.

What is your perspective on APIs at this point? I know there has been some guidance actually. As I read and particularly with the ONC’s certification rule, there have been some expectations about that. According to the guide, it was actually presented at the last joint policy and standards committee by OCR. Their concept that if the entity is ready to provide that technology and it has gone through their security risk assessment and found that it was appropriate that they must provide it, but if they have developed the capability. That was the understanding. I wanted to see if there are potentially some clarifications around that.

MS. MCGRAW: This is definitely Lucia’s question. They are looking at the issue of APIs. You will not find the term API in the security rule or as of now in any of our guidance. What we generally expect of entities is that they are responsible for the security of their paper and digital environments. They are expected to evaluate any connections that they make into their record systems and deploy whatever safeguards are necessary to make sure that they meet the security rule with respect to those connections. That is generally what our expectations are.

We would love to be able to say more about this. And what we hope will come out of the work that the advisory committees and that Lucia and her team are doing, which she will talk about is that we can then take that and issue additional guidance about what that means for the security rule.

We are really excited that they are delving into this. What we need to understand is when is a claim of no, I cannot do this because it is a risk to my system, a genuine one, and when is it I just do not want to bother? This is going to take some effort on my part and I really rather not. It is far easier and far safer to say no, but we certainly would like to empower entities who want to make those kinds of connections available as modes of transport to other providers, to payers, to individuals who are seeking to download information to apps, for example, to make that possible. We are going to try to say as much as we can, but we are really waiting for them to do their work.

DR. SUAREZ: Thank you so much, Deven, again for coming to the committee. We really appreciate your participation here.

Now, we are going to turn it to Lucia. Good morning.

MS. SAVAGE: We never plan those transitions ahead. Perfect segue. Good morning. I am really happy to be here. I just wanted to catch you up on a few things that ONC is doing and I know Deven has to rush out the door, but I am really glad Rachel is here because a lot of what we have done in the last six to nine months we could not have done without the technical support and encouragement of OCR. We are all really thrilled to be working together where we grapple with things that OCR wants more input on like the security of APIs. There is a great collaboration going on between the two organizations right now, which I think is benefitting all stakeholders.

In fact, we have our people on our team, technologists on our team, who basically have pieces of their portfolio, which is to be on call for OCR so that the people at OCR who are making policy can get the assistance on the way technology works that they need to make effective policy on a go forward basis. Really happy about that. Kudos to Rachel and the whole OCR team.

With that being said, I typically do not come with slides. This week is no exception, but I did want to talk about a few things that we had done. About a year ago, when we issued our interoperability roadmap draft, one of the things that we diagnosed as a hypothesis for the privacy in particular was that people just did not really understand the rules. We got a lot of positive feedback about that. ONC has some particular obligations to educate people about the rules, which are of course made and interpreted by OCR. It took us about 14 months, but we finally pulled across the line the two fact sheets that I have supplied to. Did they get circulated, the links to the fact sheets? Excellent. Those were posted early in February. There is a series of blogs. The third blog should be up already this morning or by 11. The blogs repeat the content of the fact sheets.

I want to tell you a little bit about how we developed those. Those of you who work in health care specifically will know that within the HIPAA privacy rule, there is this concept that information can flow amongst covered entities for treatment, payment, and health care operations. Those rules have been in place since partly 2000 and partly 2002. They are really quite well established rules for those in the know. They are media neutral. Those rules do not vary depending on the medium in which the information is stored. That is different for security and I am just talking about privacy.

Those rules have some really nice language in them that if you drill down into it, there are some great examples. HEDIS measurement is a reason you can disclose PHI. There are reasons related to public health oversight and health care oversight, which the APCDs have taken good advantage of. But they are buried in regulations. You have to read the federal register to get all this information.

We, at ONC, undertook to take the ideas embedded in the rules and examples that we found in the final rule preambles from 15 years ago and elevate them up into graphical illustrations, which we then vetted with clinical staff. We think care management is this. Is that right? Then we went through a long dialogue with OCR about the results of that discovery process and that yielded the fact sheets that we released earlier this month. We are pretty proud of them. We are really thrilled that OCR has co-branded them. They are blogging about them too. You will find them on both websites.

Because we think they really help an ordinary person understand what is possible, we are very cognizant about the fact that for interoperability, these rules exist and they are permissive. I had a commentary at another agency say they are not required to share. That is right because people have obligations to safe keep the data and we cannot require them to do stuff that they think is contrary to those other obligations. But they are allowed to when they think the conditions are right. We are trying to describe the clinical and health care conditions under the privacy rule that make it right. We are trying to move people to yes in further interoperability.

Back to the roadmap, after we did that diagnosis, lots of residents and people said you have a lot of stuff, but it is just not very easy to understand. That is our goal right now is to try to bring more things to market that make it easier to understand.

The fact sheets that we just released will play a large part in the work we do in the next year and hopefully we will be able to pull some more across on the line on some of the other issues that are nicely described, but kind of obscure in the original 2002 HIPAA regulations.

I wanted to point out two particular things about that because they are definitely a source of conversation about APIs and I will give you a brief peek into our API taskforce work, which is ongoing and not conclusive.

Both fact sheets like the access guidance that Deven talked about really tried to give people a look at the balances of liability. This is something we hear about a lot where there is a concern that if I am covered entity A and I am disclosing to Jim who is covered entity B and something bad happens on Jim’s watch, I am going to be left holding the bag. Now, I am a lawyer and I will tell you that I have no control over what claims people make in court and how those claims get resolved. But we do know that what HIPAA says and Deven was just saying this is that for me as the discloser, my job is to safe keep it in my custody and disclose it under the obligations of the security rule. Once it is across the table sitting in Jim’s lap and he is a covered entity, he has the same legal obligations. It is his job to keep it safe. There are some really specific illustrations of liability of that liability example in the fact sheet.

There is one about in the treatment fact sheet about what happens when two hospitals are sharing information because a patient is going to be transferred. These are unaffiliated systems and they may have completely different security environments. But in fact, the receiving hospital needs to know more about the clinical condition of that patient in order to provide adequate care and appropriate care and care that is cost effective and has a good outcome. We have to figure out a way to take what OCR has given us on liability and use it in our institutions and making our own institutional policies about how we are going to improve care in a delivery system reform value-based purchasing world and expect that people who have obligations will fulfill them.

I was thinking about what is a metaphor if I am talking to people who do not do this every day. It is kind of like driving. We all get in our cars. Everyone has minimal driving credentials theoretically because they have a license and if not, they get dinged criminally because they are driving without a license. We expect people to stop at stop signs and wait for pedestrians and sometimes people do not, but we have not stopped driving just because there are unsafe drivers on the road.

I think it is actually a good metaphor that can resonate with us every day. Of course, health care is not cars. But the idea is we are making decisions because it is more important for us to drive and get where we need to go than to stay in our homes with the doors locked for fear that somebody might run into us or we might cause an accident. Something to think about.

We have a similar example on the permitted uses. Treatment is pretty easy. It is less restrictive. It makes a lot of less for the people in the room who are on the line who are physicians. Permitted use is a little bit different because it is across different kinds of covered entities in the health care system. I just love that HEDIS example that is buried in that old preamble. This is the provision that allows payers and providers to collaborate together to ensure a better outcome for the people they both are responsible for financially and from an outcomes basis speaking of measurement. Again, the same liability concept flows. You will see that buried down in the permitted uses fact sheet.

Please take a look at those. Please share them within your organization. Obviously, we are always happy to get feedback. What about an example of this, et cetera? We will be pushing them out as much as we can educationally and I think you will hear more about them as the year goes by.

Where does that leave us with access APIs and that whole world? Interesting point there. One of the things about APIs that is so inspiring is that they automate data exchange in a way that we may have not been able to do certainly up to HITECH when everything was stuck in manila folders and fax machines and maybe even since HITECH because of the capability to create really precise exchange mechanisms.

We hope that these fact sheets will really help institutions who have to trade with each other, feel confident in taking advantage of the technology that is out there whether it is intra-institutional APIs. And those of you who are in big institutions right now, your systems are probably using application programming interfaces and internal apps to trade amongst your units. You may not even know that technology is in play. Or across institutional settings and across institutional boundaries where back to the Jim example – I always try to pick on people who are HHS employees.

If Jim’s organization needs to know the surgical records from the year before and I have a lot of records and they are not just about the surgery, an API is the way that he can seek out for me the surgical records only and leave behind records they may not need. Similarly, if you are in a payer situation and your payer/provider are trying to collaborate for the long-term care of a person that has chronic diabetes, everyone needs to have a complete diabetes record, but you may not need to know about other stuff and the API allow that level at their engineering.

Those fact sheets really help people because they help remove the concern that by using the technology, you are doing something wrong. The technology is just a means to put in place the permissions HIPAA already provides subject to the security rule.

Similarly, with access, I think all of you – just a show of hands. Are people familiar with the new – what we put into our 2015 edition cert rule relative to patients transmitting their data places. I know we talked about this sort of last time I came. That is done as a way of helping create automated paths for patients to take advantage of the right of access that OCR has done such a great job of providing clarity on. I believe they have more to come.

At the end of the day, we have to recognize that – it is interesting. In our API task force in our second day of hearings in late January, we had a panel of consumer and patient advocates. They were very eloquent on the fact that they are for the most part in fact grownups and can in fact make their own decision about security and the environments in which they place their health data. In fact, the P word for patronize was used. We have to be very cognizant of the fact that most of the people managing health information today for their families are competent adults and then they can make these decisions. We need to make sure they have the information necessary to make appropriate decisions, but they make decisions about comparable stuff in their lives every single day and health care from a consumer perspective is no different and in fact maybe even more important to let them make their own decisions.

That leads me to the API taskforce. I will tell you where we are in the process. I will just review some highlights for you. I think one of the links I provided was the PowerPoint summary at our last full taskforce meeting. We had two days of testimony comprising about nine hours at the end of January. We had witnesses from large Internet-based businesses like Google and Oracle and IBM. We had witnesses from organizations that have a business model of ensuring that APIs used in the rest of Internet commerce are done so in a secure way, talking about the security of APIs as an engineering concept.

Then we had a panel of provider and health care organizations, a pretty diverse panel. We had a panel of consumer and patient advocates. We had a panel of health care specific Internet-based companies that are trying to take advantage of this technology in health care specific ways. All of that is available online.

I will just read over some of the basic concepts that are beginning to take shape for the taskforce as it works through its recommendations and remind you of the charge. I am going to probably not give it to you specifically. You can look it up online. But in essence, we asked them three questions. One is help us identify privacy concerns about APIs that are unique to APIs and are not generic to privacy and health care and what should we do about them to address them. Help us identify security concerns that are not basic health care security hygiene but are special for APIs and how should we address them to take advantage of this technology. And the third part of the charge was what should we do at ONC to help consumers feel confident in using this technology. As Deven said, you can with an app as a consumer get your data from Dr. Savage and send it to Dr. Scanlon if that is what you need to have happen to it. And Dr. Scanlon and Dr. Savage are not behind the eight ball.

Here are some general ideas. I am going to leave room for questions because I know you had a lot last time and hopefully have more. There was general support for API adoption, but there were concerns identified. Probably the biggest bucket of concerns is what you might imagine for a consumer-selected app, which is how do you know the consumer's who they say they were and how do you know that app goes with that consumer? Breaking that down, how do you know the consumer's who they say they were as an issue generic to credentialing people to access your system? It is not specific to APIs. How do you know the app goes with the consumer may be specific to APIs? That will be clearer as we go through the process. ONC is already working on trying to identify best practices and identity proofing and this whole discussion will inform that work.

There was also a general consensus that APIs can be quite in fact more secure than less precise access to systems. They create audit trails. They deliver data and can deliver data in smaller bundles instead of big swaths of data. All those things are consistent with better security hygiene.

There definitely was a theme of do providers understand how APIs work. Do consumers understand how APIs work? Do people understand what their obligations are and where their obligations end as a disclosing provider? Do consumers have the tools they need to make the choices they are capable of making about where they send that data? There was a long discussion about should apps be certified. I have no idea how that will come out and I do not have an opinion about that. I am just reporting what was the content of the discussions. What would be the role of ONC or OCR in helping consumers and health care entities regulated by OCR and make sure they understand how the existing rules, which on the privacy side again are media neutral? How this technology and the existing privacy rules in particular work together or how does this technology conform to or cause risks under security rules of HIPAA? I am not sure that there are risks, but we will see more about that as it comes.

There also was a lot of discussion about the different – there were issues floated that had to do with the difference between a read API and a write API. In our 2015 rule, the criteria are only for read only, which means back to the Jim example. If Jim’s patient is using an app to come get my data, they can pluck it and take it with them, but they cannot add data to my system. That alleviates the need to address many complicated problems that we are still working on like patient-generated health data. What do you do with it? Provenance. You do not have to worry about where it came from because no data is arriving. Whether there is malware or other bad technical activity attached to the data that is trying to be contributed to a system. Write APIs is like a whole universe that is developmentally still in process compared to a read API. A lot of dialogue about that.

In addition, there was dialogue about do APIs, the ability for an API to be granular back to the surgical example that you can go and pluck the surgery data if you can identify it from an engineering perspective from 13 months ago and leave behind the baby that was born four years before that and the miscarriage that was eight years before that. The BCRAG. All that stuff that is not relevant to the surgical data you need. There is that capability, which saves a programmer or a nurse or an intermediary company the trouble of having to find that data in the record because the data is recognizable in an automated way.

There was a big discussion about consent. One of the things that I think the task force will be drilling in a little bit more. What is required by a way of consent if the app is bound to an individual and the individual is accessing their data under the HIPAA access rule? It is tautological if I am going to get my data presumably I have consented to the release of it to me versus I want it sent somewhere else or a third party acting on my behalf and you need to establish the agency the same way you might today need to get proof of a durable power of attorney for health care.

Where are we in the process? The task force is slated to run through the end of April. I think there may be some interim reporting to the FACAs coming up later in March. If you are interested, it all happens in public of course. You can go to HealthIT.gov to the FACA calendar and you can click on a month at a time. It will say joint API task force and you can click on the dates. You can download an audio file. We are still waiting for the transcripts to be posted. All the materials are available online if you want to see statements and presentations by different organizations.

There may be more work to come. I think that for health care to really take advantage of the advances in engineering and it is very hard for us to keep up with what the engineers are cooking up, but we are trying desperately. More work may be needed. We will just have to see how that goes over time.

Lastly, there are a number of items for the API task force that are out of scope. There is a whole host of legal and business issues like indemnification, licensing fees, all that stuff goes behind the scenes in engineering. Our task force is really focused on privacy and security relative to the engineering. But I think the business and legal issues start being solved by other work ONC is doing like the fact sheets, like OCR’s work on access, like clarifying in fact what the legal capabilities and the legal obligations are that should help clarify and make easier to overcome some of the perceived legal barriers to letting this engineering help us automate health care.

The last thing before I take questions. You guys had some questions earlier about encryption. I will just make my pitch for the certified EHR technology. You know that certified EHR technology is required to enable the user to encrypt at rest. That means the user has to take advantage of that capability, but the capability is not the tool. If you think about security hygiene and best practices, one of our jobs as health care stakeholders is to make sure that we are actually taking advantage of all the security capabilities we have that do not interfere with the other national need, which is get the data moving so care can improve. I am happy to take some questions.

DR. SUAREZ: Thank you so much. Any questions?

DR. MAYS: It is always exciting when you come in terms of movement of things. I enjoy your presentations. There is a space in which some of the issues that you are talking about in terms of APIs are being discussed and that is in the program called Smart and Connected Health, which is at NSF.

The person that runs that program is Wendy Nilsen, who is actually part of our work group. They run several training workshops and they actually talk to the developers. They usually bring in the researchers of the developers together. In talking about the development of a lot of this work, these issues come up. They are discussing this and that would be a perfect place for you to be able to tap into what it is that they are doing and the discussions they are having. The engineers often ask, what do I have to do to make this HIPAA compliant? Any information that you can get to them that they can then pass on to these individuals I think would actually help solve some of the problems.

MS. SAVAGE: That is a great point, but I am going to delegate to OCR because I know Deven talked to you about the APPs and the BA challenge. That was definitely an issue that came up in the API task force. If you want to hear more on that, the OCR will be coming to the task force I think on February 23 to talk about many different features.

The wiki site that OCR has set up is specifically designed to take questions. I think that guidance comes from – the dominant question the developers were asking is if I write this tool and somebody downloads it from the app store, am I now a business associate and hence the OCR guidance, which is great guidance and actually quite understandable. Although I think developers sometimes – they are engineers. They want a to-do list. Sometimes we cannot give a to-do list because we are from a federal agency. I really challenge the developer organizations to take that guidance and figure out to make it meaningful and bring it to life for their stakeholders.

MR. LANDEN: I am Rich Landen. I am with QuadraMed. We are an EHR developer. Much as we agree with the objective and will support the endeavor, this is one of the things – the APIs are one of the things that keep us up at night. We have just been talking to OCR. We have heard about breaches. We have heard about hacking and intrusion. There are security issues. We live in a system where in the 20 years of HIPAA we do not have a solution to cross enterprise patient identification. We have some other limitations. We do not have a robust system of computable consent management and yet despite not having all those things, we need to go forward with the API access. I understand the value of that, but it is high risk. The devil is in the details. We very much support the effort of the joint task force and are looking forward to hopefully a good outcome that will benefit the patients.

The only other concern I need to mention is in some sense is we seem to be intermediating the patient provider relationship by putting direct access to the EHR and via these APIs at the same time where the MU and the clinical governors in the patient-client relationships. It allows the provider to redact certain information if in her or his opinion the patient should not have access to that. I know there are some safeguards in there, but it just makes it very complex. The APIs then work with patients. The patient’s authorized representative, the provider’s HIT system, the vendors, the app developer. It is a lot of moving parts, a lot of unrelated third parties in there. It is complex. Basically, we will do it, but it is keeping me up at night.

MS. SAVAGE: Thank you. A couple of things about that. We actually are working on – we have a process. I cannot talk about that in detail right now because the work is such a long stream. Under PCORE funding, we are actually working on trying to identify standards for documentation when consent is required.

But what I would say is we have to start with how much can we make the system interoperable, improve care, support delivery system reform where consent is not required. That is the focus of the fact sheet. As a system, we need to take advantage of the rules we have.

We know from surveying that most people think that doctors are moving the data and they are frustrated when they have to move it themselves. The system was designed to allow the data to move in ordinary ways for health care. Imagine a world where you all had to go online and give a privacy control setting in order to let your provider bill your health insurance company especially if your family is in crisis and you are just careening around. You cannot even figure out which is the right rehab facility for your sick mother. We have to just really think about a system where yes there are definitely people who want to really take this bull by the horns personally, but the vast majority of people probably just want the system to function in a way that improves their health.

Secondly, on the security, that is in fact what we hope the API task force will help us identify as things about APIs that are security challenges we need to address that do not already exist ordinarily in health care. We know there are security issues related to health care and we can do some things about it and some things the stakeholders need to do.

Security hygiene and health care. I think nobody in this room would be surprised, could be improved. That is something that – obviously, at HHS, we have our own data systems and we have to have good hygiene for them. But for each of us who works within an organization, that organization has to have good hygiene that also hits these other goals of improving health care for people.

The (indiscernible) meeting physicians from the patient. We have heard a lot of testimony about that one way and the other, and I think it is so idiosyncratic to the physician-patient relationship. It is not really ripe for any kind of blanket approach. I think that there will be patients if this technology matures and is widely taken up, who really want to take advantage of it and there will be patients who do not. There are large places in the country that do not – everyone has cell phones, but they do not have high-speed lines between the institutions, making data transmission a challenge. There are people I know today who choose to go to a physician who does not use an EHR because they want everything to run on paper because of their own values. It is very idiosyncratic.

The last thing I will say is of course the API task force happens in public. Public comment is solicited always at the end. Feel free to listen in on the public line and take advantage of the public comment section and/or submit public comments through that process whenever it happens.

DR. SUAREZ: Any questions from the phone?

DR. RIPPEN: Just to reinforce, I know that security hygiene is always a challenge. I guess I just want to stress the increasing sophistication of hackers and things like that that will always be higher than the security capabilities of many systems. We know that because government has been hacked, DoD, and that sort of thing.

I think, again, as we think about how does one enable technology, I think we also have to have the brightest minds involved and how do you enable building that infrastructure and security together. I guess I do not want to just punt it to if everyone did the right thing on security that that is everyone’s fault. I just want to reinforce that.

MS. SAVAGE: I do not disagree. I just think that there are things that we do not do in health care that we could that would improve our security hygiene that actually APIs help. We have a system where we build hard shells around our systems. If you get through the shell, maybe the data is not segmented inside. Maybe we are not sharing cyber threat information quickly and rapidly enough. Those are features of the health care system and its security hygiene that are not unique to APIs.

DR. RIPPEN: The other nuance is the cost with regards to and the sophistication as far who supports what. It is actually an interesting question. I do not think we should forget that.

DR. SUAREZ: I want to ask a quick question actually on a different, but related topic. I do not know that you have – and that is patient-generated health data. Basically, the ability and expectation now and in the future to allow data generated by devices that the patient carries, Fitbits and other home health devices and other tools as well as apps and others to connect to an EHR system, for example, and upload personal health information. I know there are some activities going around that.

MS. SAVAGE: First of all, talk with Provenance. We do not use the S&I Framework per se anymore. But under the S&I Framework, one of the last projects we started and had started before I joined ONC was to try and develop a standard for Provenance. That is tagging the data with its source. I believe there are actually a couple of slots left for institutions to volunteer to test the Provenance standards. Please email me if you are interested in being a test site. That work will go on this year and then there will be findings. Again, it is the old S&I Framework. We develop a standard and then we pilot it and then we analyze that and then we figure out the next steps from that. It is kind of a long process.

We also know that out in the world at large, people are developing Provenance standards. Apple apparently has one for its HealthKit. When an individual with an iPhone sends their data somewhere, it arrives at its location tagged with its original source. This came from a Fitbit. This came from one of the Nike shoes that check your running. Whatever non-FDA equipment is tracking your health or from an FDA device that connects to a HealthKit. They have an example.

I think there is a lot of activity in that regard. I think that there are some great opportunities for the health care community to take what we come up with from the Provenance pilots and run with it in a way that makes sense for them.

Secondly, on patient generated health data. Same sort of thing. We have interesting dialogues with people where they talk about patient-generated health data, the things that might be coming out of a tracker and trackers have potential accuracy issues versus what comes out of your mouth versus what your physician observes. It is all coming from the patient’s body and life. It is all from the patient.

But there are organizations that have processes. We actually heard some interesting stuff from Kaiser in our API task force about how they are going to use their API in a patient-generated data context. That was the first day, the 26th. Anyway, you can go back and look that up online. The second day. That would be January 28th, for those tracking.

And then we have a PCORE funded project to develop standards for patient-generated health data. That project started at the beginning of this fiscal year and it runs through 2017. That is not in my shop, but I am happy to work with the staff to maybe at a future meeting update on what are all the PCORE projects we are doing. There are about eight different task lines.

DR. O’GRADY: I guess I would like to just put in a little plug. There is sort of what I – kind of the Todd Park effect on the department over time. And that is fine. Fitbits are one thing, but most of my research is in diabetes. We now have monitors with electrodes under the skin that is giving a glucose reading every three minutes. There is nothing sexy about it. It is nothing glitzy. But that idea that at this point patients who are very compliant who do this – before they go to see their endocrinologist, are sitting there at the printer trying to do a couple of – you know, that there is not a clean way at least in common usage, for that kind of technology to be able to link to the patient’s records right now unless you have a particularly sophisticated physician. Just some of that stuff.

MS. SAVAGE: You are really talking about an FDA device and is the data that device is generating – say this particular thing would be FDA regulated – interoperating for lack of a better word, and I know that is a hackneyed phrase, with the EHR. I think it is a mixed bag. I will say that we have a very close working relationship with the FDA particularly on the security side because we do have the Internet of things and health care and have had for some time. I know that the FDA – that is like really more on the standards side of the house. Not really my wheelhouse. But again, if that is something you guys are interested in knowing more about, we can tee up whatever work we are doing on that. It would be somebody else within ONC.

DR. O’GRADY: I would only make a plug to say that there is less high profile really practical uses here that will never be on an iPhone, will never do those sorts of things, but just in terms of care and taking the management of things like chronic disease up to the next level. It is important.

MS. SAVAGE: Right, but what ONC can do is we can help identify standards for the technology by which that all functions, what the EHR has to do, what the device has to do, where they meet technologically. We can help people understand why receiving data from an FDA device, which is going to fall within a certain range of accuracy, is not a privacy violation. We definitely have people say you cannot give me that data about yourself because it violates HIPAA, which is completely not understandable to me, but nevertheless it is said.

But the health care stakeholders have to want to take advantage of those technological features. We just do not have the capability, the budget, the resources, or the mandate to make people do that. Again, there are going to be patients who choose to go to physicians who keep records on paper. There are going to be patients who – I had a patient who texted me, why did my radiology center give me the radiography on a CD when my physician’s computer does not even have a CD reader anymore? I said, ask your orthopedist to refer you to a different radiology center.

There is the patient piece of this too, which is the patient who wants to take advantage of that technology should find a physician who is going to partner with them about it. Back to your point. The patient and the doctor have to partner to take advantage of the technology.

DR. SUAREZ: Thanks so much, Lucia, for participating in our meeting today. The benefit of actually being here. I think you are physically located –

MS. SAVAGE: I am across the street these days.

DR. SUAREZ: That is very close.

MS. SAVAGE: But I have a meeting downstairs in a couple of minutes. I am always happy to come when I can physically. Thank you so much for having me.

Agenda Item: Subcommittee on Privacy, Confidentiality and Security

DR. SUAREZ: I wanted to really take advantage of having certainly Deven and Lucia here and give a little bit more time for that discussion. We are now going to turn to our Privacy, Confidentiality and Security Subcommittee report. I am acting on behalf of Linda’s role as chair of our Privacy and Security Subcommittee. I have met with Linda and talked to her and talked to Rachel. We will discuss the priorities and the work items for our Privacy, Confidentiality and Security Subcommittee.

This is our current Privacy, Confidentiality and Security Subcommittee. We are very excited to see all the people listed here and be part of our subcommittee. We are extremely excited also to know and have heard and I think we have reported this last time, that Rachel has been tasked to the subcommittee as lead staff pretty much on a full time or almost full-time basis. This is for the next few months through May, I believe. We are fortunate.

Maya, who had been the lead staff – she is on detail and so she is not able to continue for a little while to support us. So we are very fortunate to have that and really appreciate that, Rachel, your participation, engagement and leadership are always appreciated. Our connection to OCR is very significant, too.

MR. SCANLON: I should say that Rachel is officially now detailed to ASPE. She will be wearing the ASPE T-shirt.

DR. SUAREZ: Even better. Thank you very much for telling us that. That is great.

The priorities that the subcommittee identified – working also, and I know Linda met with Deven and Rachel to talk about what are some of the areas where OCR would appreciate guidance and feedback and recommendations on. These are the areas.

The first one is minimum necessary. I think we covered a little bit of this last time. Really there is a need to look back into this topic, this provision in the HIPAA privacy regulation that we must use the data that is minimally needed. Only minimum amount of data needed to achieve the purpose for which the data is being used, accessed, disclosed, and requested. This was highlighted also in the HITECH guidance. This is one topic we are going to be focusing on.

I wanted to connect it to something else because this is not just – this is privacy and security, but it is tied to a number of other activities that we do. To give you a concrete example, there are important discussions about how the minimum necessary applies to areas like the administrative transactions. We have been working on that for the last 10 to 12 years, since the implementation of this and have some defined approaches.

With the discussion around attachments, that opens up a new set of interesting questions about minimum necessary, because sometimes when you send attachments as a provider to a payer, you sometimes tend to send everything you can that you think is important or necessary for the payer to execute the payment and sometimes it is more than what is needed. There is going to be some important considerations around minimum necessary and attachments in the administrative type. But also, we are going to not just focus on those. We are going to focus really on the larger scope of minimum necessary across the spectrum of requests of data, collection of data, uses, disclosures, access, all that.

The other topic is de-identification and re-identification guidance. We mentioned how this was an important area to provide some feedback and to help OCR develop guidance around this. There has been a lot of work around this and I know a lot of entities nationally and regionally, have worked around the methodologies for de-identification, the policies, and then the challenges around disclosing or releasing data that is supposed to be de-identified that can be potentially re-identified and the risk for re-identification. We are going to focus on that.

I should mention that we have already and I do not know if it is in this slide, but the upcoming hearings around this. With respect to the two topics, the minimum necessary and identification, we have already scheduled hearings. That is part of what we are going to be working between now and the time of the hearings. The first hearing is in May. We are going to hold a two-day hearing in May, focusing on de-identification. The first part of the hearing will be really focusing on policy issues and the second part, technical. I think that is the way we separated the two topics. We are going to begin to work on laying out the agenda of course for that, and identifying testifiers and people that will be invited to participate. We will be engaging everyone in the subcommittee and the committee around this.

Day one will focus on the scope and policy. We have a little bit of documentation about this. This was included in –

PARTICIPANT: Rachel sent it last night.

DR. SUAREZ: This is what we got last night. I will just mention it. This was coming out of our planning calls – we created two task forces, one focusing on de-identification within the subcommittee, and one in minimum necessary. On de-identification, we will have the hearing on May 24, 25. Now, it has been confirmed. It is going to be here in this building. The space has been reserved.

Day one will focus on the scope and policy around de-identification and re-identification. Look at the Safe Harbor policy in HIPAA. Look at population health and other areas that are not covered currently under HIPAA with respect to the requirements – not being covered entities necessarily.

Policies and methods and other areas. We have started to collect potential witnesses and testifiers. Again we will certainly look for advice from all of you. I know Denise, you have a lot of experience and have worked on this for years. Day two will focus on the methodology and technical controls. We will get into more of the technical elements around how to achieve de-identification and how to control for potential risks for re-identification.

We have identified some potential witnesses that involve people in the technology space. We are beginning to collect all that in a set of testifiers.

The Minimum Necessary hearing will be scheduled the day before, I believe, the June meeting, which will be June 16.

PARTICIPANT: Actually, I think it is the day after because we did not want to have people travel on Sunday.

DR. SUAREZ: We are meeting Tuesday and Wednesday as a Full Committee. This will be a Thursday hearing in May. It will be a full day talking about minimum necessary. We will be working on framing the hearing itself. We usually prepare a one-page description of the purpose and goals and then describe the agenda and then actually lay out the questions that we would ask the testifiers. We are working. We do not have those documents yet laid out, but we will be working on those.

The focus of minimum necessary is the current policy and practices and challenges and needs for clarification within the industry. That will help advise OCR on which topics to include in their guidance.

That is the two main activities that we have on privacy. Future initiatives. We have also talked about a third important activity that the Privacy, Confidentiality and Security Subcommittee would want to work on and that is really taking a step back and looking at what is the state of affairs, and more importantly, what is the future that lies ahead with respect to health data privacy in the context of all the new developments around of course EHRs.

We heard a lot about mobile apps and mobile technologies, APIs, all this new world in which we are – did not even exist back when HIPAA was actually structured. We are really having an opportunity to step back and look at this in a more comprehensive way and again provide advice to OCR and perhaps even other federal agencies around what we see are the next generation, if you will, next phases of the development of privacy and security policies in the context of a new health information environment.

I think the work we are going to be doing in here is more towards the second part of this year in quarter three and four, where we are going to be framing the issues around having brainstormed. We have not defined yet whether there is going to be hearings or workshops or both. We are looking at perhaps hosting a workshop at the end of the year to help frame a lot of these issues around the next phase of privacy and security. That is part of the work we are going to be doing in quarter three and four.

And then a lot of the work will be done really in 2017. Compile the findings, frame the issues, perhaps even call a second meeting and then draft and prepare a report that we expect will be coming out in the second part of next year. Those are the major activities for Privacy and Security.

Let me stop there and ask Rachel if she has any additions or any other comments. That was quick. Any questions? Bruce.

DR. COHEN: I am interested in the de-identification workshop hearings. Are you going to focus on data linkage issues as well? I am particularly interested in impacts of probabilistic linkage because that is emerging as a real issue related with large data sets. I would love to have that as one topic.

MS. SEEGER: Barbara Evans had already stressed the importance of that topic as part of our task force. It is on the list.

MR. COUSSOULE: That is part of the reason why there are two days. One is policy and the other one is technical and there are all different kinds of aspects of technical issues in regards to de-identification and re-identification —

MR. SCANLON: Similarly, de-identification — you remember that we had a contract and workshop on the mosaic effect and on the potential for re-identification whether it is linked or not linked. We focused mostly on federal, statistical and research disclosure. There actually were some interesting ways of approaching. We will try to get a witness there who worked on that. I think, Denise, you were there as well. We have the folks who say anything can be re-identified.

There was an interest in actually putting some responsibility on those who re-identify rather than making it harder to get the data. We might want to look in terms of future strategy. Do we have authorities? We have for research programs where we give people access to data. You agree on a set of conditions if you violate that and re-identify or make an attempt. There are penalties. You do not get any more research grants. You do not get access to the data. There are things not necessarily fines.

The idea is to put the responsibility for re-identifying on the people who were trying to get used to the data and give them a penalty if they do. That does not mean you do not take all the necessary precautions and due diligence on providing the data. Put some responsibility on folks who think they have a good idea about re-identifying some of that. We will get some experts there as well.

DR. SUAREZ: Other questions from anyone? Anything from Sallie or Barbara or others on the phone?

DR. MAYS: One of the things I was going to say is that I think this may be a space that the Work Group can also be helpful in terms of whom and what is going on, and what have you. Part of when I do the presentation, we want to talk about is this convergence issue and getting a sense of where we can be helpful to the committee kind of thing.

DR. RIPPEN: Depending on how you are approaching things and are you always approaching it in one way. The other thing to consider is how good of a match do you really need for research purposes versus some other purposes and to being able to quantify that. The expectation of 100 percent for certain purposes may not necessarily be required. At least thinking about the balance too as opposed to just one way.

MS. HINES: Just a quick comment. I sit next to a whole group at NCHS that does nothing but that. At some point, maybe we should bring in one of those data linkage people.

DR. SUAREZ: There are two big concepts around this. One is the de-identification including the risk and controls of brute force re-identification. That is one aspect.

And then a separate thing is really the opportunities for record linkage to do research. I think we are going to have to balance the two. During the same here, we might be talking about how do we de-identify completely and consistent and what is the next generation. Most people are saying that safe harbor is not really anymore helpful or useful and all those things. How do we do that in a way that achieves the purpose of the de-identification and the controls and risk for re-identification?

A separate discussion will be when do we want to do re-identification for record linkages for analysis, what are the appropriate ways for doing it? Something like that. Rachel, from OCR and from your perspective if that is something that is important to keep separate.

MS. SEEGER: I think coming out of the hearings what will be important are recommendations for future guidance by OCR on this topic where areas of confusion exist where additional areas of clarification are needed and how the landscape has frankly changed. Even when we conducted our hearings in 2012 and then again the tiger team did their work in 2014, big data has really exploded. I think it is important to look at this issue with a fresh lens.

MR. SCANLON: A quick point on the future views. I think that is well timed. It is later in the year, number one. Number two, Lucia was telling me that we have within HHS a report that is being reviewed and cleared that deals with some of these issues as well. You may know more as well. It has taken a while to clear. But I think the report probably would be available by then so we could see where the report – you probably know more, Rachel, where that is.

MS. SEEGER: — on the non-covered entity report. Definitely, this is an area that from all of our work in looking at the FTC, with the FDA and others. We are all aware that our space is changing dramatically from the time in which the regulations were first promulgated. Again, after the Omnibus Rule created additional modifications, that was in 2013. If we are looking at doing this future view in 2017, the landscape just changes so rapidly.

DR. SUAREZ: We are bumping time and time again against the challenge of having this dual world of “covered” entities, entities that are covered and subject to HIPAA by virtue of the definition of covered entities in HIPAA and then a whole host of everybody else that is not covered under HIPAA. You probably remember that there was through regulation and through legislation an extension of the applicability of HIPAA to business associates. Now, it is almost like covered entities are providers, clearinghouses and health plans and then business associates by extension through the contracts. There is a wild, Wild West out there of activities and entities and organizations and products and services that are not covered by HIPAA in many ways. We are bumping against that on the privacy side. We are bumping against it on the administrative simplification side when we deal with HIPAA transactions. I think we are going to begin to see this call for why are we creating these two worlds of covered entities and non-covered.

DR. RIPPEN: From a technology perspective, now people instead of doing the MPI, because nobody wants to share the information to get a common MPI, they are using other technologies, developing hash keys based on the personal information so that the personal information is not actually being shared, but there is matching based on the key. Again, I am not sure if this is something that you will be covering from the technology side, their implications, because that is like record matching, linking. The question again is for what use and what is good enough for what.

MR. SCANLON: Just to close the circle completely on privacy and others, remember that – remember, HIPAA was passed largely in a batch processing world in the early ’90s I think. That is why it was so important to have principles for privacy and for security and for the transactions so that as the technology changed and the landscape changed, that principles were still there.

In the original HIPAA legislation, it had a convoluted process of how recommendations would be made. This committee actually, as the first step provided an overall set of recommendations for privacy and principles, which actually covered everyone – personally identifiable information and then it had the framework of the consent as needed, except for the following approach.

And then that report was made to the Secretary of HHS who based on that and other deliberations you will all remember provided the basis for recommendations that Congress, which were similarly brought. There would not be non-covered entities. There probably would be because everyone who held personally identifiable information would have been subject to those. Again, there were degrees. It would be much more fluid and flexible in terms of what would apply. But it applied to everybody who held personally identifiable information.

And then because the Senate could not then – because Congress could not quite agree on an overall approach like that, we went to the default where we had to take what was left in HIPAA for privacy and sort of weave something together and very creatively I might say. But this is as far as it would take us where we have covered entities.

And now of course the question rises again. There are even more covered entities, more situations, more opportunities and more challenges. It is just that we have a framework, somewhat dated framework. But the concept of covering everyone or at least more covered entities was part of the original formulation. I do not know that there is any stomach at the moment for expanding on the Hill, but at least that concept is there.

MS. JACKSON: Adding on to that and looking at the historical reference and framework with the committee in the Wild West, Mark Rothstein – I always enjoy sending out his material. He has Citizen Science on your smartphone, covering a lot of these same areas. As Jim has always said, just because you rotate off the committee does not mean – we can always pull you back in to serve. I am looking at him as a resource and so many others – Rachel knows that it is an ambitious agenda, but I think at this point with everyone pulling together, we can pull this off.

DR. SUAREZ: Okay. Any other questions? Anything on the phone? We are going to take a break until 10:30 and then at 10:30, we will come back and do the action items. That will actually give us time to prepare. We will start with the Review Committee letter and then go to the Population Health Workshop Report. And then after that, we will go to Vickie’s report. Let’s take a break until 10:30.

(Break)

Agenda Item: Complete Action Items: ACA Review Committee Letter and Population Health Workshop Report

DR. SUAREZ: We are going to get started again. We are going to start with a review of the letter from the ACA Review Committee. I think what we are going to do is we are going to display the modifications that we made based on the discussions yesterday. A big part of the modification is of course on the introduction. I know Alix is going to cover those.

I do want to say a couple of things. Number one, as with every other letter, we always have the ability and since the chair is the signatory of this – have the ability to work with staff to make the final formatting. Sometimes the indentation might not work or we might want to do a bold in some places or things like that. I will take the opportunity to mention that we will have that ability to do final minor edits. Nothing that is going to change substantive language.

I think it is important to point to this letter and the discussion that we had yesterday and open up another very valuable point. I know the amount of work that went into this letter. I want to emphasize that we really appreciate and acknowledge and certainly take into account every feedback that everybody gives. I think it will be valuable.

A couple of things. One is we want to make sure that what Michael and Bill mentioned yesterday of maybe we should consider in every letter having a very simple intro paragraph that highlights the summary of it. I think we should consider doing that in all the letters, as I think Bill suggested it and Mike, I am sure was pointing to it as well.

The other thing I want to say is if we want to do this kind of modification, it would be great to alert us to them a little bit early in the process so that we can actually make those types of modifications as we present them and they can be actually included even in the package. I am putting a plug for people reviewing some of these materials ahead of time particularly those that are going to be of action or that we are going to take action on because they are really important certainly the most critical elements in all the things that we are going to be doing during the meeting. I just wanted to say those couple of points.

Certainly, I appreciate and take all the comments. We have attempted to – I have to take off my hat to Alix and to Terri and Ob who worked yesterday in between the meeting and then in the evening to craft an introduction and some modifications to the introductory part of the letter. Most of the rest of the letter you will see as highlights and changes that have been discussed as well. I will turn it to Alix to cover some of those changes.

MS. GOSS: Thank you. I also want to acknowledge your further editing this morning in support, Walter. Also, we received some further suggestions that I have hopefully woven into all of this just to give an idea. I am going to run down the track changes. I am not going to discuss it, but I want to philosophically address what was discussed yesterday. I am going to give you an overview of the amount of track changes and then Ob will walk through the overall document in a clean version just to give you some sense.

But effectively what we did was we tried to weave in everybody’s comments as Walter indicated to make this a stronger letter with a little more punch up front. A lot of what we tweaked was for strength, not for content shifting because we felt a lot of support from everybody, but we wanted to make sure that the letter was likely to be better received in the end.

We moved some content up front. We changed the number. Instead of using numbers, we have used English for describing what we affectionately refer to as the 834 and 820 standards for enrollment and premium payment.

DR. SUAREZ: The bullets of course are the headings of each of the eight recommendations. You were going to say that.

MS. GOSS: I was, but thank you. Let’s call it now. There were approximately eight high-level recommendation categories. We have placed a short descriptor of each of those categories within the substantive part of the letter, but we have summarized those here to hone in the view on what we are trying to accomplish.

MR. SOONTHORNSIMA: Alix, I am not seeing that displayed on the screen.

MS. GOSS: I look to the AV folks to help me with the display ability. It is not being displayed on WebEx.

MR. SOONTHORNSIMA: Just send me the latest version.

MS. GOSS: We will. From a process perspective, we are going to hopefully get through this letter, get everybody’s approval and then the final version will then be taken off this USB, given to our trusted staff to distribute wide and far so we can get the final edits and have it submitted.

PARTICIPANT: Can you email him this version now?

MS. GOSS: He has effectively a version minus three little changes that I made ten minutes ago.

DR. SUAREZ: There is Barbara and Sallie also on the phone that do not see this. I do want to see if – is the WebEx going to be able to be —

MS. GOSS: Ob, would you do us the honor of forwarding to Barbara – she has it. Anybody else on the phone who is going to need a copy of this to track with us?

To recap, the opening has now a summary of the core recommendations with a streamlined introduction of who we are and what we are trying to accomplish in this specific letter. We did leverage heavily Bill’s suggested text yesterday and I see him thinking through it right now.

DR. SUAREZ: It was right there in the middle of the paragraph.

MS. GOSS: We did move up. We created then a background section to give the context of the information a little bit more about the organization, but really to also include a problem statement about health care’s rise, kind of give the value proposition of why the letter is there – you will see struck out is just stuff that got moved around and reused in other places.

We did have to make a few changes since we moved the sequencing around. In order to reference HIPAA and acronyms and those kinds of things, there is a tweak throughout the text. We also did update the reference to being designated by the secretary as the review committee.

We made a change to include EFT within the transactions that are more widely implemented based upon confirming the volumes of usage with CAQH CORE. We thank them for that input.

We also addressed the aspect of transitioning into new paradigms, which was brought up yesterday.

And then getting into the body of each of the recommendations, we have the short title that leads into each of the paragraphs. Expanding the definition of covered entities is now Recommendation 1 with no further changes proposed yesterday. Recommendation 2 is now broadening education. Recommendation 3 is ensuring consistency. We reorganized a bit of the recommendations. We deleted what was 3.4. We made what was 3.2 is now 3.1 and slightly enhanced the examples on 3.2 for some clarity and strengthened our ask of beginning discussions with the SDOs as part of 3.3 recommendations.

Recommendation 4 is now enforce compliance. Recommendation 5 is titled adopt acknowledgement transaction and to make sure that it is clear that we really want them to act on this as a recommendation that we have already recommended, we indented in as 5.0. It may not be as technically accurate in the world of bulleting, but felt that it was a critical component to call out. I think we all know that we want acknowledgements.

DR. SUAREZ: I should say. Shana yesterday during the presentation mentioned that the intent this year is to move quickly in responding all the previous recommendations from NCVHS. This is one I highlighted too. I think it is very valuable.

MS. GOSS: Recommendation 6 is to provide some predictability. We adjusted 6.1 a little bit in the flow. We had some feedback from BCBSA that we incorporated to just as to give some flow clarity, but also to strongly encourage the coordination a little bit for HHS with the stakeholders.

Number 7 is now increase utilization. I realize we need to – I will make a note. Instead of fixing it now because I did not catch that we needed to add the English into this part instead of using numbers. We just for formatting made consistent 7.1 and 7.2 as recommendations.

Recommendation 8. Evaluate the use of prior authorization transaction and that brings us home. In case your eyes are all glazing over, I am going to change this to a home version or a clean version and can go back through it. But what I wanted to show you was that content really did not change. We made it stronger. We heard your feedback and we have incorporated that.

With that said, I think we need to do some due process possibly of questions and voting to —

DR. SUAREZ: Exactly. Let me ask if there are any questions about the changes that we made.

MR. LANDEN: I appreciated the red line version. I went through that. I think the red lining is an excellent job. It reflects the suggestions and conversations we had. Kudos to all involved on that.

The one remaining concern I have is if you could go up higher, Alix, that RE line. To me when I read that, it is gobbledygook. I read review as a verb initially. I am putting myself in the role of an outsider. My suggestion would be, number one, delete it. It does not add anything. It actually detracts. But a format for some reason requires this. Just say NCVHS recommendations.

DR. SUAREZ: Great suggestion. It is becoming a full paragraph. Thank you, Rich. Any other comments?

DR. O’GRADY: I think I should just thank you very much. I think it is hard to measure these things sometimes, but I think what you have done has greatly enhanced the likelihood that this would be used, viewed by the people you would like to view it and that it is more than – you want the people above Jim, not many that are above Jim, to not just check the box. This actually is going to catch their attention. They are going to digest it and it will not all fall to Jim to convince them that this is an important topic that they should pay attention to.

PARTICIPANT: It makes it more accessible actually.

DR. SUAREZ: Thank you also, Mike, for your comments. Anything from the phone?

I will entertain a motion to approve the letter with the changes made.

MS. GOSS: I would love to make that motion.

DR. MAYS: Second.

DR. SUAREZ: Any further discussion on the motion?

MR. SCANLON: Can I make one? This is a friendly amendment. Again, I think the law says that the Secretary has to act on these within 90 days. Just think about that we have not created any traps in here for the Secretary that the language we are using is consider, initiate adoption or consider —

MS. GOSS: We worked really hard to do that and Terri has been a tremendous asset in ensuring that we stayed on the straight and narrow path for that because we were very concerned about that aspect. I am hoping Terri is on the phone.

DR. SUAREZ: I was going to ask. Terri, are you on the phone?

MS. DEUTSCH: I am on the phone.

DR. SUAREZ: Do you have any comments? Now, that we have a motion to approve.

MS. DEUTSCH: No, I think that getting feedback from those that were not involved in the process is helpful because that is an objective reader and getting the feedback from an objective reader is very helpful. I will try to make sure that future letters that did not get out to the committee early enough for them to have an opportunity to review it, please let me know and I will make sure that you get it in enough time to be able to have your feedback so that we can incorporate it and present the letter and not take up everyone’s time. I just want to thank everyone for their feedback. I am glad that it was all captured.

DR. SUAREZ: We in turn thank you for all the terrific work. Thank you so much, Terri. We have a motion and a second. We have another comment.

DR. RIPPEN: Can you show me 3.3?

PARTICIPANT: Do you want it clean or dirty?

DR. RIPPEN: Dirty is better.

MS. DEUTSCH: Can I just something? She is asking about 3.3. 3.4 was deleted.

DR. SUAREZ: It is being shown on the screen now. 3.4 is deleted. Thank you. Ready to vote? Everybody in favor say aye. Anybody opposing the motion? Any abstentions? Motion is approved. Thank you. Thanks especially to Ob and Alix and Terri for leading this.

We are now going to go to the next action item and that will be the Population Health Report.

DR. STEAD: We hope this is brief. We presented the draft report yesterday. We asked if there were any suggestions for further changes. There were not. Should we entertain a motion for approval?

DR. SUAREZ: Yes. I will entertain a motion to approve the report as submitted for publication by NCVHS. Can we have a motion?

DR. COHEN: So moved.

DR. SUAREZ: We have a motion. Can we have a second?

DR. MAYS: Second.

DR. SUAREZ: Any questions or comments about the motion and about the report?

DR. RIPPEN: I think it was a great job. I want to thank everyone.

PARTICIPANT: Hats off to Susan.

(Applause)

DR. SUAREZ: Let the record show that we were applauding. I think this is another example of incredible amount of work done by the committee, by the chairs, and the staff in developing this product.

I do have a question. I assume that before or by the time we publish it or when we are going to publish it, we are going to have a formatted structure like a cover and all that. We will probably develop the final – beautify the elements of the report with a cover and maybe a table of contents.

MS. HINES: The other minor formatting thing is that I do not think that the roadmap came across well in the version that was distributed. I would like to talk to the visual department at NCHS about fixing that.

DR. STEAD: I had one minor change to it. I will post to make it clearer.

DR. SUAREZ: By the way, this points to that too. I mentioned with the letter we will have whatever minor changes we need to do by me and the staff. We will do the same working with the chairs with this report.

We have a motion and a second. Any other questions? Ready to vote? Everybody in favor say aye. Anyone oppose? Any abstentions? Second action today. Thank you everyone again.

We are next then going to Vickie for her report. I should note that this was done in a record time, less than 15 minutes. I appreciate all that.

Agenda Item: Work Group on Data Access and Use

DR. MAYS: What I want to do is to talk a little bit about the work group. Some of this I am going to go over quickly because you have seen it before. We are in the same place with it and move a little bit more to talk about the three things that we really want to focus on.

One of the things about the work group. I do not think we have a lot of newbies still in terms of the work group. But one of the things about the work group is that we have seven charges. These charges are pretty comprehensive.

What we have done in our November meeting was to try and spend some time going through these charges to really determine what we are equipped to really be able to handle, what it is that we need to recruit members to do and what it is that we are being asked to do. We are trying to match our capacity with our charge.

One of the ways, which is a little different than I think the committee’s work – one of the ways that we actually can get capacity is that people that are on the workgroup are actually “consultants”. People come in and out in terms of working with us. If we have a particular task, we can invite the people with that expertise to come in for that task. And then what you will see is that they may fade and not be on some other task. People like to hit and run with us. They like to come in, be a problem solver, and then after that we do not hear from them or it is not quite their area of expertise. They kind of fall by the wayside.

One of the things we really need to continue to do is to figure out of these seven things what the order is of what we need in terms of from both the committee, in terms of the NCVHS convergence when we talk about it and then the other is from HHS. Usually our customers are – Jim will tell us things that he needs help with and Damon will tell us things that he needs help with.

We still need to try and figure out how to get ourselves fully operational. Our problem with getting fully operational is that we also have to do that on the staffing side. From the staffing side, I think what it really means is the same thing. We have Lilly that works with us. Many of you will remember Lilly. But I think part of what we are going to make a request to do is to be able maybe to get a couple of students who can be like interns or something for us. As we have particular demands on our time, students love doing this. It is something that I probably have easy access to. I just have to go and ask my colleagues if I can get a few bodies.

But I think what it really solves is also they are really up to date on all of these issues. We have been trying to get staff and I think part of what we struggle with is that sometimes there is no one staff person that can cover the full range of technology demands that exist in the workgroup. I figured if there are not any problems with doing that then maybe what I will do is try and recruit a couple of students and see if they cannot give us some assistance. If we are good with that, we would love to be able to do that and get some additional help.

The other thing though that we need to try and figure out is when we give feedback here to the committee, we need an interface so that the recommendations that we give that, there is an ability to be able to carry them out. We are not quite sure exactly how to do that.

I will give you an example. One of the NCVHS convergence activities was to work with the privacy group on how to get their toolkit out using social media. We talked about doing something called Thunderclap. There were all these different ideas that we have. But in receiving those, we are trying to figure out how to get you the expertise to do it. That is one of the things we would like to have a little bit of discussion on today is we can give you ideas, but we want to see how to get them implemented on the side. The workgroup does not quite want to be in the position of trying to implement everything, but it does want to be in the position of giving you lots of advice and seeing if you can push it out. We want to get to that.

Anyway, we will work on these charges and capacity. We are trying to get up to capacity, but we will only do that as there are requests to do it so that we can stay pretty fluid.

Here are the three things I want to focus on today. In terms of talking about our work plan, in 2016, what we really want to focus on is trying to help HHS agencies to increase their use and usability of their data to a broad constituency. Let me show you where we are beginning on this.

We have talked about this before. We are trying to come up with a framework. We are going to steal Bill’s word. I am afraid to use the word framework. An approach maybe. But we are trying to come up with an approach in which to be able to give guidance. If you are an HHS agency and you have a data set, how to put that data set out in the public domain so that it is more accessible and more usable. Sometimes what that means is that we really have to – and this is something we are going to spend some time on is talking about constituencies. In thinking about constituencies, data sets typically have built-in users. Usefulness is one of the criteria.

We are trying to make sure that as we make recommendations, we talk about what is the constituency for which this recommendation will enhance either access or usability. We want to help HHS agencies to understand who they are serving and who they are not serving. As they understand who they are not serving and maybe that it was never designed to serve that particular group. There are points in which consumers are not going to be able to go into some of these data sets and get an answer to a question. But I think it is also useful to see can we begin for the HHS agencies to give them advice of how to expand, which would be maybe the person is not accessing the data, but they are accessing reports. Maybe the person is not accessing the actual analysis section, but think about whether or not they want to set up something in which there is an easy way for people to do data queries.

I think yesterday when we were talking about ways in which for the community to begin to think about accessing data, I did not say it, but I was thinking about data queries. It would allow people to do very simple tables, sometimes get answers to questions they might have. Again, it is not for us to mandate any of this, but it is for us to give suggestions to agencies.

And then I think at the end of giving suggestions to agencies, it really is do we see from the perspective of having looked at several of these websites that there are some general advice that we would want the secretary to take a look at that then is something that the secretary thinks about whether or not – the data council would probably be the group that would carry it out, but whether or not there is a framework, an approach, a data stewardship model that HHS agencies that are providing data would want to adhere to. Again, we are advisory.

When we do our recommendations, we have decided that we want to try and have four use cases. One is researchers who are used to accessing this data. The other would be the entrepreneurs. We really want people to come in, people running data warehouse, et cetera. We really want them to come in, package data, develop apps, et cetera that will make the data both accessible and more usable.

We also want to think about – Bruce this should make the Pop Committee very happy about community users. We are thinking about these community agencies that have some level of expertise, but not necessarily are going to be at the level of the researchers and the entrepreneurs, but yet they want to be able to use the data. Their use may be a little different in the sense that they are thinking about it at a more granular level. We want to see whether we would be able to do that. We will bring up the issue of the consumers, but it may be in many instances these large data sets are not going to be designed for consumers to get their answer.

DR. COHEN: This is a phenomenal framework. It is a phenomenal conceptualization that we can use to apply as we move forward in our population health work to see how useful the data would be for communities. And one use case that I would love to suggest is – mentioned how important ACS data are for populating a variety of sociodemographic variables or indexes or indicators that communities use. Maybe one of the use cases that we can work on with the data workgroup would be ACS applied to community-based organizations, how they access it, what they need to do to use it. I would like to throw that out for consideration.

DR. MAYS: We will put it on the agenda, but our focus is a little narrower. ACS does belong to the Census. It is a different way of getting access to it. There are a lot of different things between the Census and some of the HHS data sets. As we provide the structure, you can do a plug in to figure out maybe some of this.

MR. SCANLON: I think when you look at the use case, you can look at – I would like to see the vital statistics and maybe some of our state surveys or something. But I think the use case idea would enable us to deal with those things.

DR. MAYS: I do not think we have actually gotten to the point in terms of vitals and the state data. Once we develop this framework, our hope is then that we just get ourselves into a process by which we just go one data set after another. We can do that based on also what the requests are.

One of the things that Damon brought up, which I think is very reasonable for us to consider is we want to as we do this work, do it in conjunction with the data owner because not every agency is in a place where they can make a lot of changes. Coming in and doing that and then they cannot do it because they have either already spent their budget or they are not due for changes for another two or three years. We will try and figure out a schedule by which to do this. But really what we have to spend time doing now is really coming up with this framework. I keep using that word. We are not sure what we are going to call it. That is going to be for us in 2016 a big piece of the work.

The kinds of products that we expect that we would generate would be a template. Along with that template, part of what we are going to need to design is a questionnaire that we would want to give to the data owner first and say can you answer these questions for us. That would be part of the consultation process. We also would want to design what our feedback is going to look like. We need this frame. We need an assessment going into the analysis and then we need a feedback.

What this becomes is pretty much I do not want to say mechanistic, but pretty easy to do once we can get it underway. I would say that in our last meeting, there was a lot of – I think our last meeting was probably one of the best that I have seen us have. It is just that we fall off afterwards because we do not have the power to continue it. I think that the people at the table were people for whom this is really an issue that they can see the benefits in doing it. We had Helga there as a new member. We had a lot of expertise around the table. I think we really can. If we can just get our support mechanisms in place, we can really move this through. That would be our big piece for 2016 is to do this.

We will at the work group today be discussing this. We will also have, which was unbeknownst to me until yesterday, the pro bono work that was going to be done on looking at one of the websites from a consumer perspective. She wants to present that today. We will give feedback on that. It is on the SAMHSA one. She had her students look at SAMHSA. We will see. I think that we are on target. We just need to get ourselves structured in a way in which I think that we can meet these goals.

That is part one. The dissemination of methods, practices, approaches, and tools for access and use of data. That is probably our next issue. That will be specifically how once we do this are we going to be able to disseminate it.

It is also a question though that I want to put before us as the full committee because the issue of dissemination is something that it is not just a one-way street in the sense of we put this out, but we need to help the committee, I think, to be able to disseminate its materials and its things through the use of social media, through methods that we come up with. Bruce, I am just going to call this out. I was talking with Bruce about the fact that when we looked at the report, it is like can we get an infographic. This is where we could tell you do an infographic, but we need the committee to figure out is there a staff person that can help get that infographic out. I think it is like we want – even though our focus is on data, our results, which the committee is generating, we thought if we could be more helpful with trying to push those even further out than the secretary’s office that that would be useful. I think that is something where the committee should tell us if they really want us to do that.

Our third thing is talking about convergence activities. Again, in terms of the convergence activities, the two things that we had was the framework. We have talked about your roadmap framework with Damon. Damon thinks that it has a lot of uptake for his – he calls it the idea lab. But they have a group that meets. He wants to have a meeting where you do a presentation to them about that framework and see how that will work. We will work with you to facilitate that.

MR. SCANLON: That is our data leads group — this is in the context of data.gov and open data, data deliberation, healthdata.gov. We have a group from each of the agencies in HHS that talks about – remember, this is the data that goes up on data.gov. It is really for anybody to use. It has to be available in machine readable form. I think that was one of the early principles obviously. But this is a group that has SAMHSA, NCHS, ASPE, and CMS and so on. They are the group that tried to feed the new data sets or the new data into that process for data.gov. That would be very helpful. Meet every other month.

DR. MAYS: Part of what they would like is that we need to have a little smaller meeting with Damon and there was someone else in his office that he wanted to include, talk a little bit further and have them give you also their feedback about the framework and then to have a presentation with his data leads. That was what was on our convergence activities. The other was with the toolkit in terms of helping.

And then after that I think it is we want to hear from you what it is that you think you would like us to do to be helpful because we have to be able on our work plan to plan it in and to figure out our capacity to be able to do those things. There are things that came up in the meeting. Walter, I am going to assume that what is going to happen is when we do the work plan that some of those issues will come up. We will talk about with you like what we think that we can do to be helpful, but we just need to know because we are kind of a small group for our charges. We just need to know so that we can make sure that we really can do what we are committing to do.

I am going to stop there and take questions and comments at this point.

MR. SCANLON: I would just make the general point that I think the conceptual plan is very useful. I think we often make a mistake here at HHS and other places where the data is data and it really does not mean – big data has been around for a while. But data is really a lot of specific things and identifying what the nature and who exactly is the user. Asking consumers to go to the HIS data set is not helpful. On the other hand, giving people directories of behavioral health clinics in their area. That is not necessarily statistics. It is meant for consumers and others. I think that stratification, Vickie, is very helpful. Throwing data out there and seeing where it sticks is not – that is sort of what you do at the beginning, but I think we have to be more sophisticated than that.

DR. MAYS: One of the things that we want to do is to help the agencies to think about what they can do in the background in terms of looking at their algorithms and getting a sense of who is it that comes in, who breaks off. Can you get a better sense of who is being able to use this? Are you getting a lot of consumers, for example, coming in? There are ways in which we can make suggestions to the agencies. That is where we think that maybe at the level eventually making a set of recommendations to the secretary will be about having these analytics in the background to be able to refine both changes to how the data is presented as well as getting a sense of who it is that actually wants greater access to the data and figuring out a way to give them that data in a format that they can use.

MR. SCANLON: For future reference again, it may not be the highest priority, but for the folks you have on the team there, I think they are probably well suited. Even from all the social media data and qualitative data and so on, beginning to see analytical tools. More than just counting and so on. There is apparently an array of analytic tools for analyzing and measuring sentiment through the various social media, but they are actually analytic tools that make some sense for that kind of – it is not statistical necessarily though it can be. Down the road maybe would be the best thing at that area. What is the range of tools? What are the approaches and so on? Not to invent anything new. You have all this data. You read it. You are trying to make sense of it sort of a qualitative way. But there are actually ways to look at it analytically. If there is a possibility – I think the framework is most important, but after that, how do you analyze some of this?

PARTICIPANT: (off mic)

MR. SCANLON: People are doing that. I do not think people know about it.

DR. STEAD: I was just saying that can play into our discussion yesterday about attitudes about insurance and other approaches to health care and people’s different situations.

DR. RIPPEN: To build off of some of the things that your working group is doing. I volunteered actually to lead an effort to try to do a crosswalk between the population group subcommittee and especially the preliminary report that I would like to actually get access to with regards to what are the indices and measures and then also the organizational construct from a usability perspective and then also what we may want to ask the appropriate agencies to at least see if we could find out what is available.

I know there are a lot of directions that are coming together at one time. It would be nice for them to be orchestrated so that way we have what might be good indices that are related to determinants of health or would be important to communities. We have these ability constructs and the API components in that. But then what are the tools or what is the data elements that might be available that match up with them? Jim, you had highlighted then what tools. We have information or data of the tools and then what are the needs of the community that might be relevant. Again, it is the question of timing because I have stepped up to say I could at least try to put together construct to maybe move forward on that.

DR. MAYS: The other thing is that we want to take advantage of what some of the agencies are doing. You just reminded me of that. Mo just sent us an email yesterday. CMS, for example, has some consultants. Those consultants are really translating their data for broader use. He asks us if we wanted to hear a presentation by them. We just cannot do it today. But that is the kind of thing that when we have it, if it is not going to be in the meeting, but it is going to be in between, what we would like to do is invite the entire committee to listen so that you can get ideas about what can be done in terms of specific things that you are working on as well. We probably will hold that in between the meeting because we really would like to see what CMS is doing. We are excited about identifying work already underway.

MS. GOSS: — the idea of meeting in between. One of the things that you and I discussed last night in our walk to dinner was the use of infographics and how to translate some of the policy information that we are doing now as thought leaders and how to make that more easily consumable. I think as far as engaging all of the full and understanding the tools and opportunities there I think that in and of itself is a one meeting topic for everybody. I think we could all benefit on how to better and more easily represent —

DR. MAYS: You know what we might do. We could see if – the last day of the meeting if we could get some of our members to come in earlier and see if we cannot do a presentation to show you. As a matter of fact, one of the new people that want to join us is someone from Esri. In terms of data visualization, they are very good about that. Let us see what we can do about that.

Again, this is how I think we can try and put things back into the Full Committee. But at the same time what we need to figure out is that – Rebecca, I think this would probably be with you. Is there an NCHS or person that then if you want to have an infographic that goes with the report that actually could do it?

MS. HINES: You saw the roadmap. That is what they can do. If you like the way that comes out, that is what the team is capable of doing.

DR. MAYS: There actually might be a way to think about when you have reports to have a couple of other things that go with it. It may be good. I think Chris Boon would be good at this and the Esri person, to actually talk about some of the ways to —

MS. GOSS: Some of it is also the staff support after the main policy choices or approach is recommended solidified by the committee. We might find other ways to be able to translate into visual aspects and tools.

DR. STEAD: For point of clarity on Rebecca’s comment, we had to sketch that out. We had to have the concept.

MS. HINES: They knew they wanted a roadmap and then the people turned a pencil and paper, a PDF scan into a road. It was a give and take and we probably did about ten iterations, or more accurately 20. Once they get it, they cannot read our minds. It was a process, but it was fine.

MR. SCANLON: This is true. You will find that doing a good infographic is not all that easy. The public affairs folks. They do not know the subject, but they know they want an infographic. You are asking the subject matter as experts, to put it together for you. If there are some designs or conceptual ways —

DR. MAYS: There are a couple of things. I think, again, we can at least do the presentation about that. As you go through, you can be thinking about it. By the end, you can say, too much work, we are on to the next thing. Or if you knew it going into it, you might be able to present a series of things that would help.

When I have done it for research, I know the research very well, so I can say I want to show this and this and this. Then they are able to help us to actually put that into a visualization. But Esri also has some software things that can be helpful in terms of doing this because my students are doing some mapping stuff that they are using to illustrate what is going on the community. It is actually part of the software.

Anything else? I know we want to get to the rest. Is that it?

Agenda Item: NCVHS Strategic Plan and 2016 Work Plan

DR. SUAREZ: Thank you so much. We are going to turn into our next and final topic for the day. This is about the work plan. This is the interactive part of the meeting, a new interactive part of the meeting. I think we are going to be able to display the document, the one that I emailed you. Bear in mind that this is being edited on the fly. There are many things that – all of it is really up for discussion.

What you will see is a template of the work plan that we have been using now extended through the first two quarters of next year. And what I did was plot into – I divided this document into three major parts. One is the topics. Another one is the activities, including workshops and hearings. And another one is products, including letters and reports.

My thought is we start with the activities and products part. We will have to go back and forth between the two. I want to show you for the document.

(Getting computer set up)

DR. SUAREZ: Here is the way it is structured. For those on the phone, you probably will get a copy in the next couple of minutes. It is basically the same things that we have used in the past, divided by quarters in the columns – one through four this year and then Q1 and 2 next year. And then we have the Full Committee, the Standards, the Privacy, Populations and Data Access. You can see that I am still working on it. But this is the topics part. I started filling in some of that. But I concentrated mostly on the activities part and products part just to get us a sense of where are we going to have hearings and workshops and where are we going to have letters and reports. That could lend into discussing the topics.

I want to mention during today and yesterday and in the last several – we have identified a number of topics that we have started to be interested in. We heard about APCDs. We heard about SAMHSA. Now we have heard about patient identification systems. We heard about 10109 ACA. All these new topics I have tried to already put them in based on some of the discussions we had in the last couple of days. This is the activities that I have so far. Please add because I have not finished it so we have not yet completed these. And certainly we can switch back and forth and move things around.

As a Full Committee, one of the topics that the Full Committee will be looking into is the patient identification system.

PARTICIPANT: We are not seeing it on the web. We are still seeing the work group on data access and use.

MS. GOSS: Terri, I think our understanding is what Walter is presenting is not capable at this point of being put on the web. That is why Janine is emailing us.

DR. SUAREZ: Let’s start with this part. Up here we have the activities. This is quarter one standards. We just had the hearing on Phase IV Operating Rules and Attachments. We were talking about on the standards side whether we do a workshop on payer’s claim databases. We thought initially of public health workshop, but we thought it might be early or too soon and APCD is something we can certainly do and is a priority topic.

MS. LOVE: I started drafting an agenda.

MS. GOSS: Thank you, Denise. It is an excellent addition in Q1 activities. We should add that we are going to put the scope document together for APCDs to help us inform the actual hearings so we could put goals, objectives, and just really put pen to paper on a one pager. Thanks for starting that. I am not sure to what level of granularity you want to get into this chart.

DR. SUAREZ: Only two words.

MS. GOSS: Two words would be new line. You may not want to have standards and review committee all embedded in one unless you make some – either add a new line or you add the title of review committee with standards. They are not identical people or functions. They are very different.

DR. SUAREZ: We have given standards the responsibility to operate as a Review Committee. This hearing is – are you saying the Review Committee stay here?

MS. GOSS: No, what you did in the first cell was great. That took care of my concern.

DR. SUAREZ: That is a good point. Great. The Review Committee should be there.

DR. COHEN: I would add to Q4 as a Full Committee workshop or hearing on vitals improvement because I really think it is a Full Committee activity. Folks from all the different subcommittees who are interested in it.

MS. GOSS: I agree. It should be a full activity. But my question then is whose lead.

DR. COHEN: We can work that out.

MS. GOSS: I agree we can always work it out, but the question is how do we plan if we do not know now who is going to be on point because there is a lot of leg work we wanted to do. If we make it a joint effort, it would be great.

DR. COHEN: A joint effort between Standards/Review Committee and Pop Health.

MS. GOSS: I would do it Standards and Pop.

MR. SOONTHORNSIMA: For what quarter now? I forgot.

DR. SUAREZ: This is Quarter 4. You should be seeing –

PARTICIPANT: We see it now. Thank you.

DR. SUAREZ: You are seeing now the original document. You are not seeing the edits. The problem is if I go there and I do the edits, you will not see the edits. We will tell you the edits. Ob, what we did was change – in Q4 originally under standards there was a hearing workshop on public health standards. We move that to Full Committee, the row of O. It is a Full Committee activity led jointly by Standards and Pop Health.

The Privacy has two hearings scheduled in Q2, de-identification and minimum necessary. And then a workshop scheduled for Q4 on the future view of data privacy. Those are the two activities that we have identified.

MR. COUSSOULE: We talked yesterday. We talked about the APCD hearing. Was it going to be in the second quarter or the third quarter?

DR. SUAREZ: It is in the second quarter.

MR. COUSSOULE: I am really trying to get to a work load —

MS. LOVE: Ideally, I think quarter 2 would fit. My only concern is if we have a lot of federal agencies and panels, making sure that the schedule is aligned for that.

MS. HINES: And just to throw in in terms of the budgeting, we are actually going to have a lot less to work with in FY17, which starts October 1. There is only enough budgeted for each subcommittee area to do one workshop or hearing. Already privacy has had two. We do not have a separate budget I do not think for the Full Committee to have a hearing. That has to count towards somebody. Just keep in mind that the budget is not there to do all of this.

MS. GOSS: Thank you for clarifying that. Could you add one more clarification? Does that mean standards encompasses review or the standards and review committee? Do you have separate buckets?

MS. HINES: When we budget it, it is just one.

MS. GOSS: Walter, that is going to be a notable constraint to the objectives you may be trying to achieve.

DR. SUAREZ: Unless we do this virtually too and consider the virtual opportunity to do hearings, which we have done.

PARTICIPANT: It can work.

MS. HINES: And to tell you I have just done with Katherine’s leadership an autopsy of the budget. A lot of the cost does not have to do with travel. It has to do with all the stuff you do not see going on.

DR. SUAREZ: Which would not be applicable in a virtual hearing.

MS. HINES: It actually would because the whole AV system has to align.

DR. SUAREZ: Let’s just put it this way. Good points. We will have it in consideration. This is right now the conceptual planning. Population health. We have a workshop scheduled for Q3. I do not know if we have any activities scheduled for data access and use in terms of a workshop or hearing type activities.

DR. MAYS: No. Possibly, but it would be each time we want to join you. If travel is not the issue, there are points at which we want to intersect with you. I do not think that we are ready for any kind of hearing.

DR. SUAREZ: What we would do is include certainly you in the appropriate other work items throughout the schedule.

DR. MAYS: But I think what we want to do is hear now, for example, when you talk about de-identification. Are you interested in methods and tools to do that? If that is the case then we have people who can help you with that.

DR. SUAREZ: Absolutely. The plan for that, for example, is in the next week or so. We are going to develop a template of the two hearings for de-identification and meaningful necessary and all those — anything that we develop for any of this work will be shared with the entire committee for feedback at the point where it is enough.

So far we have then this – let’s just say through the end of this fiscal year, federal fiscal year, which is – we have a hearing that we just completed. We have a potential workshop on APCDs for standards. We have the two hearings on privacy. And then we have a workshop of the population health and a potential hearing on patient identification systems. That is the amount of work through the end of this federal fiscal year.

Then starting next fiscal year, which is Quarter 4, we have the workshop hearing in Quarter 4 on public health and the workshop on privacy on the future view of data privacy. And then it gets a little less specific. The only other things that we have identified is certainly the 2017 review committee hearing in June – and then a possible workshop or hearing on prior authorization as was discussed.

MS. GOSS: — that we are confirming or all agreed upon.

DR. SUAREZ: Just ideas plot in.

MS. GOSS: Sometimes good intentions. We capture it and all of a sudden it becomes gospel. I am just trying to understand.

DR. SUAREZ: This is not gospel. This is good intentions so far.

MS. GOSS: Great because I think we need to really right size resources. I am very concerned about the prior auth timing and what we might – some implications related to prior auth work if we hold a workshop in Q1 2017 as it relates to the advancing of the next version of 7030. Maybe there is a separate function for the industry to take on now and maybe WEDI and other groups could help support that. That could be the showcasing of the lessons learned. I do not want to wait until 2017 to look at prior auth because we have some opportunities to make it better. As long as the underpinning standard can support it, they can put it into 7030 version.

DR. SUAREZ: The 7030 version by X12 – we are getting into the details.

MS. GOSS: No, the standard, but not the TR3 is not done is my understanding. It is later in the queue in 2016 for being brought for public comment.

MR. SOONTHORNSIMA: Alix, are you proposing we move prior auth —

MS. GOSS: I am proposing that we need to consider it a little bit more. Maybe do some further outreach to talk to folks like Stacey Barber and others about how do we identify opportunities now that may need to be reflected in the TR3 7030 version versus what other things we need to do for education awareness, et cetera. I am trying to think about how we line up some of the things.

MR. SOONTHORNSIMA: It is not definitive right now.

DR. SUAREZ: No, none of this is definitive. Let’s just say starting Q4 of this year, which is a new federal fiscal year, is a lot fuzzier I guess in terms of the topics. But what we are trying to really do is Q1, 2, and 3 because that is what really drives the next several months.

Let me ask if there is any other activity between now and the end of October or the end of September we have planned besides the hearings that are listed here. Phase IV we just completed. There is a possible workshop on APCDs. The hearings from privacy and de-identification and minimum necessary and then a patient identification systems and a community health. That is basically the items right now. Anything missing?

MR. SCANLON: The only thing is let me check on the due diligence.

DR. SUAREZ: Absolutely. That particular one – it is all dependent on the discussion. Again, we will come back and bring it back.

MS. GOSS: This may fall into what Jim just said about due diligence check. I have a note regarding Helga’s suggestion from yesterday about data models. I am not thinking I am missing where it fits, but I was not sure if we are caught in due diligence or we just needed to figure out a place to put it on the chart.

DR. RIPPEN: I appreciate that. I do think we may need it. I would say it would probably be in the projected years, not necessarily this quarter or this fiscal year.

MR. SOONTHORNSIMA: I am sorry. I am not understanding the context.

DR. RIPPEN: The question is we have to do due diligence first, which is what does it mean for NCVHS to explore the concept of a data model. The question as it relates to data models is if you follow some of the work that is going on with PCORnet, with the CDM Version 3. If you are looking at the precision medicine activities, there is a question of other data models. The question is if we are talking about information data that might be available for a variety of use cases and we are trying to promote the use of standard tool approaches, again, possible value base and the cost associated with different data models and recreating them in many different ways, there might be an opportunity to explore that. Again, it is preliminary. That is why no guarantee as far as is this something we want to explore. But it is a pretty significant issue in many different fields that touch on health information.

DR. SUAREZ: It sounds like this is Full Committee activity as I recalled we discussed. I plot it right now into Q1 of next year. This particular line or area is really about the specific hearings. During our meetings, we can have people to come and discuss with us concepts. There is that other element. The previous page has the topics. I am beginning to plot in the type of topics we want to bring into meetings because that is another place where we actually have the opportunity.

MS. GOSS: Thank you for that segue because on that chart that you just scanned, we had a note yesterday about macro MIPS rule and implications and wanting a placeholder on that for topics.

DR. SUAREZ: Just to highlight, now that you mentioned it, we had our APCDs. We had SAMHSA. That is an important item that we need to discuss in a minute. Patient identification systems, data models, macro MIPS. I think those were the bigger topics. We also had public health discussion. One thing, for example, we mentioned was inviting someone from the data council or someone that can present about the recommendations on the four areas that you talked about yesterday. We talked about several other topics, some of which can come back to the National Committee. That is another place we have to plot some of these topics into.

Let me jump to the letters.

DR. MAYS: Walter, there is one other thing. I do not know if it goes there or not. But we have been asked again to participate in Datapalooza. Datapalooza is usually in June. It is in May? That is even sooner.

DR. SUAREZ: We have had a formal activity identified for us to do during the Datapalooza this year.

DR. MAYS: We will have to see. Damon, for example, wanted a co-person for something. But I am just putting that up there as we need to think about if we have to prepare things. I am just making sure since this is our workload.

DR. SUAREZ: Certainly, this afternoon we will discuss a little more about that possibility. Great suggestions.

The products. Let me just go to the products, which are again primarily letters and reports. This ties back to the workshops and hearings. This quarter – the main products are the standards, the letter, the Review Committee, which got approved, the Population Subcommittee, the report that got approved. In Quarter 2, the only items that we have are the letters from the hearings that we just had, the standards hearing, the operating rules and the attachments, and then the Review Committee report. We had today the Review Committee letter. We have a larger Review Committee report. Those are the three major products that we have identified.

In Q3, we have the letter or a report of the APCDs coming out of the Q2 workshop or hearing. And then we also have potentially depending on how things evolve and how quickly we can – the letters on de-identification and minimum necessary. Some of this might actually spill into Q4 depending again on how quickly we can review and produce letters that can be presented and discussed with the committee.

DR. COHEN: For pop health for a product – that is a workshop report. There is not going to be a workshop report.

DR. SUAREZ: Rebecca, this is in the block of the workshops. It is already there. Now, we are moving to the block of product. This is not a product.

DR. COHEN: A product for Q2 will be the environmental scan?

DR. STEAD: And then for Q1, put the workshop report and recommendation. Q1 of 17.

DR. SUAREZ: Anything else that you can see here? If we were to have something on patient identification systems and patient matching, we might have a letter coming to the National Committee or some sort of a report. Now that we have made some changes – on Q1, there could be a letter on the hearing on public health standards. We usually take a quarter to do those. If we had the hearing in the Q4 timeframe, we have a letter in Q1 2017.

DR. COHEN: Again, I think we need to – given the bandwidth, we might need to be flexible and push everything back a quarter.

PARTICIPANT: Four to five months.

MR. SCANLON: I would say keeping my bandwidth of the committee members and staff, resources and other events around Q1 2017.

DR. SUAREZ: We can spread this farther. We also mentioned yesterday the HIPAA report to Congress. We would move it. First of all, this will be a Full Committee activity, not a standards only activity. And then secondly, we mentioned we would move it to Q2 of next year or at some time around Q2. We move it down that way.

MR. SOONTHORNSIMA: Walter, may I suggest something regarding HIPAA? If you think about it, we are going to be doing a Review Committee in June of 2017. I wonder if that report, the HIPAA report, the Full Committee report, could come in the third quarter of next year. That way we can encapsulate or include some of the findings from the RC as well. Just a thought.

DR. SUAREZ: We can think about it.

MR. SOONTHORNSIMA: It is going to be maybe in third quarter. That way we will capture some information from the hearing.

DR. SUAREZ: We could. We want to have the Review Committee report be totally separate from the —

MR. SOONTHORNSIMA: We do, but there is a lot of insight that we gain from the Review Committee that we can incorporate our HIPAA report.

DR. SUAREZ: Good point. Given the time, what I want to do is – we will be finishing and cleaning this up and sending it to everyone. You all will have the ability to go back to the subcommittees and the work group and discuss your roles, if you will, and see where things might be fitting better. And then we will have an Executive Committee call to finalize this and have it as our plan for the next at least 18 months or so. That is the plan with this. Thank you so much.

MS. HINES: How much time do the co-chairs need so we can get that call planned? Would you be able to logistically in four weeks, sooner, later?

DR. SUAREZ: The Executive Committee.

MS. HINES: Yes.

DR. SUAREZ: I would say within the next four weeks.

MS. GOSS: I just want to make sure that the co-chairs are all okay with that because I know that has been an issue.

MS. GOSS: I am unclear what I am being to agree to whether I can take this updated draft, vet it and get committee feedback and then have a call and make it to the Executive Committee. I am clear. I think Ob and Terri and I need to confirm. We do not have calls scheduled with the committee. We have the Review Committee report. We have got the two other letters. You want a work plan. We have to prioritize this work load. I cannot at this point, in good faith, commit.

MS. HINES: We are going to hold off scheduling that Executive Committee call until we hear from the co-chairs next week when you would be ready. I will send you a Ping so you can let us know and then we will get that scheduled.

DR. SUAREZ: The steps are going to be – subcommittees are going to work on this and report back and have it ready for an Executive Committee meeting. We will schedule then.

DR. MAYS: Can I just ask a question? Because Privacy is not here so I was just trying to make sure the issues that were talked about in privacy, like the mental health and there was one other issue I thought. Can you still include new things or is it just what is up there?

DR. SUAREZ: No. This is open to be added. You mentioned that and I think we need to make an important decision, which is the SAMHSA regulation. We have until April 11th to submit comments. The question is whether we want to review.

DR. STEAD: I suggest we do as we did with the interoperability roadmap and do that as individuals, not as a committee.

DR. SUAREZ: I would second that.

DR. MAYS: Okay, I am outvoted on that one. What I was going to say is that if it is a matter of pulling a letter together and seeing whether or not depending on when we are going to have our call, whether or not if some of us volunteer to draft a letter where the Executive Committee can look at it.

DR. SUAREZ: It will require Full Committee review and it will require Full Committee vote. This will be a letter of the National Committee.

DR. MAYS: I was thinking it could go through the Executive Committee. But if it is Full Committee then —

MS. JACKSON: With the Federal Register Notice notifying of a meeting.

DR. SUAREZ: The challenge is that. When we have to respond this quickly, you can only do it if it is urgent. I think Bill’s is very good. We all should be and I am sure everybody is looking at this.

DR. MAYS: I can actually help you maybe with some text because I am going to work with one of the organizations. There may be some text that I can just share that helps you write your letter.

DR. SUAREZ: Sharing comments internally within the committee. I think that is fine.

We are about to finish. Of course, we have public comments in a minute. I just wanted to first of all express again my appreciation to everyone for joining. This has been a very productive, valuable, important meeting. We have laid out some very significant work and completed work. We are going to lay out some very important plans in the next several months. Thank you again so much for joining us today.

I want to see if there are any comments from the phone about the meeting. If there are any notes that people want to make before we conclude about the meeting. Anything on the phone?

Anything here? Anyone want to express any comments or points about the meeting?

MS. LOVE: Thanks to Alix and Ob for putting up with all of our revisions.

MS. GOSS: My pleasure. Thanks for all your great feedback.

DR. SUAREZ: Thanks to the staff also for all their support. It has been incredible. We are fortunate to have our new staff, Kate from CDC, to join us in the Population Health Subcommittee. That is exciting. Of course, we know that Rachel is joining and has joined Privacy and Security. Very exciting. Thanks everyone again.

With that, I think we are going to open it for public comments.

Agenda Item: Public Comment

DR. SUAREZ: Anyone here in the public that wants to make a comment?

(No comments from the public)

DR. SUAREZ: Anyone on the phone? We are adjourned. Thank you.

(Whereupon, at 12:00 p.m., the meeting adjourned.)