Department of Health and Human Services
National Committee on
Vital and Health Statistics
Full Committee
May 15, 2018
Hubert H. Humphrey Building
200 Independence Ave., SW
Washington, D.C.
P R O C E E D I N G S (9:00 a.m.)
Agenda Item: Welcome
- STEAD: We are not blessed with a gavel this morning, but I would like us to go on and start because we have a full, and I think, exciting agenda. So let us start with the roll call, starting with the members. I am Bill Stead, Vanderbilt University, chair of the Full Committee, no conflicts. Linda.
- KLOSS: Linda Kloss, member of the Full Committee, chair of the Privacy, Confidentiality and Security Subcommittee, member of the Standards Subcommittee and no conflicts.
- PHILLIPS: Bob Phillips, American Board of Family Medicine. Member of the Full Committee, co-chair of the Population Health Subcommittee. My conflict is that I run a national clinical registry.
- COHEN: Bruce Cohen, member of the Full Committee, co-chair of Population Health Subcommittee, no conflicts.
- STRICKLAND: Debra Strickland, member of the Standards Subcommittee, no conflicts.
- LANDEN: Rich Landen, Full Committee, Standards Subcommittee, no conflicts.
- CORNELIUS: Lee Cornelius, University of Georgia, member of the Full Committee, Population Health Subcommittee, no conflicts.
- GOSS: Good morning. Alix Goss from Imprado, a division of DynaVet Solutions. I am co-chair of Standards Subcommittee, member of the Full Committee and Executive Committee and currently no conflicts.
- COUSSOULE: Nick Coussoule, BlueCross BlueShield of Tennessee. Member of the Full Committee, co-chair of the Standards Subcommittee, member of the Privacy Confidentiality Security Subcommittee and no conflicts.
- ROSS: Dave Ross, The Task Force for Global Health, Emory University. Member of the Full Committee, member of the Population Health Subcommittee, no conflicts.
- STEAD: Thank you. I am glad to say that we have a quorum. We can now proceed with staff.
Rashida, would you like to lead off.
- DORSEY: Good morning, Rashida Dorsey, HHS, Executive Staff Director.
- HINES: Good morning. Glad you all could make it. Rebecca Hines, NCHS, Executive Secretary and Designated Federal Officer for the Committee.
- JACKSON: Debbie Jackson, National Center for Health Statistics, CDC, Committee staff.
- KANAAN: Susan Kanaan, writer for the Committee.
- BRETT: Kate Brett, NCHS, lead staff for Population Health.
(Introductions around the room)
- STEAD: Let me briefly review the agenda. We are going to start with an ASPE Update from Rashida. Then we are going to spend an hour on the Next Generation Vital Statistics Project, where we hope to first approve the draft Letter to the Secretary and the Hearing Summary Report. Then to get into a discussion about next steps.
We are then going to review the Letter from the Standards Subcommittee on the NCPDP Updates and hopefully take action on that letter.
Then we are going to have Genevieve Morris join us for an update from ONC and a discussion about our collaboration. That discussion will continue with the Committee itself, after lunch.
Then we are going to have a brief update on the CIO Forum and Predictability Roadmap. Followed by a deep dive into the Health Information Privacy and Security Beyond HIPAA, trying to frame up potential levers, challenges and levers from the First Use Case, which is data registries and to set up the Second Use Case. Then we will close the day with an update from OCR.
Tomorrow after brief Committee updates, we are going to look at the new website and provide further input on that. Then we are going to do a deep dive into Health Terminologies and Vocabularies, starting with the Environmental Scan Report and the plan for the July Roundtable meeting.
After a break, a brief discussion of how probably in 2019, we might provide advice to the NLM surrounding expansion of the Unified Medical Language System for Social Determinants of Health.
Then we will have a NCHS Update. Susan Queen is going to join us for that. Then we are going to have a discussion with the Pop Health team, Bob Phillips and Vickie Mays, around improving access to data.
Brief update on the Medicare Card Project – just to hear how that is going. Then an Update – we are pleased that Soma Stout is going to be able to join us in person to discuss the work that is being done to carry forward and to build out the measurements for the Measurement Framework Health and Wellbeing.
Then a period for public comment and closing remarks. That is the plan, if that is good for everybody.
With that, Rashida, take it away.
Agenda Item: ASPE Update
- DORSEY: Good morning, everyone. I would like to welcome you to the May meeting of the National Committee on Vital and Health Statistics. As Bill just went through the agenda, there is quite a rich agenda for this full committee meeting. As usual, I would like to thank you all for your service to the department and all of the work that you do through this committee. First and foremost, thank you.
I have a personnel update. I will start there on the ASPE front. Sharon Arnold joined the Office of Science and Data Policy as the Associate Deputy Assistant Secretary of Science and Data Policy on April 1st. Previously, since about June of 2014, Sharon served as the deputy director of AHRQ, where she oversaw the day-to-day operation of the agency and provided strategic guidance around its efforts to develop knowledge, tools, and data needed to improve the quality and safety of our healthcare system. Sharon also had several positions at CMS. She was also vice president at AcademyHealth, where she led the Robert Wood Johnson Foundation program, Changes in Healthcare Financing and Organization, and was a member of Mathematica Policy Research. So, she has joined the ASPE team.
There are a few other items I wanted to give you an update on, some departmental priorities and then I will share a little bit about what the Data Council has been working on.
First, I wanted to give you an update on Reimagine HHS. So, we have come to the one-year anniversary of Reimagine HHS. So, last spring, the White House asked every department in the federal government to compose a plan for optimizing the way we serve the American people, including reorganizing aspects of our work. Led by Deputy Secretary Hargan, HHS has been using this as an opportunity to reimagine how our entire department can better support the health and wellbeing of Americans.
Reimagine has been guided by six principles: engagement, empowerment, service, performance, stewardship, and sustainability. There are six strategic shift areas with one focused on data, specifically leveraging the power of data.
So, the focus of this initiative is to improve access, sharing, and integration of HHS data across the Department. In support of that, HHS has started the process to develop an enterprise-wide data management strategy with a focus on data governance and data sharing for the Department. There are a few opportunities that were identified that have guided this work.
An HHS-wide data governance plan will establish ownership and rules for data assets and improve data quality and uniformity. A streamlined data use agreement infrastructure will enable more seamless interagency data sharing. Developing an infrastructure that allows for secure and simple sharing of data assets will enable agencies and staff to collaborate on issues that affect multiple agencies.
So, this enterprise-wide data management strategy is being developed in several phases. Phase I included structured interviews with leadership and staff from across HHS operating divisions and staff divisions, representing 30 to 40 high-value datasets. Phase I interviews were designed to gain insights on data sharing and governance from data asset owners. This included assessing the functional and technical capacity to share data. At this point, Phase I interviews are 100 percent complete. Those findings are being synthesized to move into the next phase of the work. I will continue to give the committee updates on that.
The next update I just wanted to provide relates to the All of Us research program. The All of Us research program was officially launched earlier this month on May 6th. The All of Us research program is a historic longitudinal effort to gather data from one million or more people living in the United States to accelerate research and improve health by taking into account individual differences in lifestyle, socioeconomics, environment, and biology. Researchers will uncover paths towards delivering precision medicines or individualized prevention treatment and care for all of us.
So, just as an update, to date or as of about a week ago, almost 50,000 people have consented to be a part of this program. About 75 percent are underrepresented in biomedical research. There are over 125 sites enrolling in 18 states. There are almost 35 community and provider partners ready for outreach. NIH with their partners have developed a data warehouse to collect, clean, curate, and deidentify the data. The research portal will be open with initial public dataset in 2019. Children will be recruited starting in 2019 as well. Genomics work will begin in late 2018 and early 2019.
I am sharing this update because what would be of interest to the committee – one, there is certainly some privacy aspects related to this. There are certificates of confidentiality. The All of Us research program awardees, as well as all awardees funded by NIH to conduct research involving the collection or use of identifiable sensitive information are automatically issued a certificate of confidentiality. The certificates prohibit the disclosure of identifiable sensitive information collected or used in research in response to legal demands such as subpoenas. That is one.
The 21st Century Cures Act made the privacy protection of certificates mandatory. Cures provisions require that all data uses be posted on a public website. Section 2013 of Cures implements similar privacy protections on data held by the federal government that is related to the Freedom of Information Act.
There is also a major component related to electronic health records. At consent, participants will be asked to give authorization to share EHR data. Now, it is not required, but there is an aspect related to collecting biospecimen data from participants. Biospecimen data will only be collected from individuals who give consent to have their electronic health records shared.
From the data perspective, let me share a couple of things. So, there is a data warehouse that – a data research center that is Vanderbilt, Verily, and Broad Institute. For the data, it will be researcher-based access. There is no data removal. There is a tiered access approval. They will be using a data passport model. There will be broad access to researchers from all sectors, citizen-scientists, and so on. All of the research uses will be posted publicly. So, anyone who is using the Cures data for research – excuse me, the All of Us data for research, that will be posted on the website.
If the committee is interested, we can have a more detailed briefing on this, but there are many areas where I think the committee may be of interest or you might want to follow this. I just wanted to give you an update. It officially launched on May 6th.
The last thing I just wanted to share was just an update on some of the work of the Data Council. As you are aware, the Data Council serves as the principal internal advisory body to the Secretary for Health and Human Services data and statistical policy. It is the responsibility of the Data Council to periodically develop and implement a department-wide data strategy or data collection strategy. The strategy defines the visions, goals, and objectives for a wide range of data activities across the department to ensure that all relevant stakeholders are aligned to departmental priorities.
The Data Council is in the process of updating our data collection strategy. We have five priorities: improving access to HHS data, enhancing administrative data for research, increasing data linkages across diverse data assets, modernizing privacy protection, and increasing data policy coordination across the department. That is being developed. I will certainly provide updates on that. There will be something that we ultimately do post publicly as we complete that work. I wanted to share that as something that we are engaged in now.
The last piece related to the Data Council is connected to opioid data. So, combating the opioid epidemic is a departmental as well as an administration priority. There is also an agency priority goal for the department specifically reducing opioid morbidity and mortality. One area of that priority goal is to strengthen public health data and reporting. So, the Data Council is supporting data needs for this priority area. Our efforts will be designed to facilitate the collection, access, and use of opioid data to gain insights from the data, support decision making, and bolster the Department’s efforts to combat the epidemic. That work is early in its stages, but, again, I will give the committee more updates on that as we move forward.
- STEAD: Thank you, Rashida. Are there questions for Rashida on the update?
- LANDEN: Thanks for the update, Rashida. On the All of Us research program, you referenced consent for access to EHR data. Thinking about how decentralized my EHR data is across all of my different providers, what approach – can you tell me what kind of approach they are going to use for actually gathering that data? It sounds pretty labor intensive and one-off.
By the way, to respond, yes, I for one would be interested in an update on the project at some appropriate future meeting.
- DORSEY: I will have to follow up with you on that. Actually, I can arrange to have that briefing from – actually from our colleagues at NIH. They provided an internal briefing for us where they provided an overview. I don’t have all of the specifics of how they are going to get EHR data from each person. I believe they do have relationships with the major EHR vendors. They have been working in that regard. There is work that NIH has been doing with a broad range of partners. They are working with labs. They are working with universities. They are working with like EHR vendors and so on.
I can get more specifics about how that is going to work. That is part of how they have been – I think believe trying to do that coordination.
There is also a big like mobile health component that they are also – that is also being developed, as well, thinking about how this information will be shared.
- THORPE: Rashida, thank you for the outstanding presentation. A couple of questions. The first question is can you give us more information on the consent process? Is it a tiered consent process where the individual can consent to certain items and then other things they can opt out?
- DORSEY: Yes.
- THORPE: Do you know the rationale – maybe I misheard you. Do you know the rationale of why the researchers’ names would be posted on the website if they are using these data?
- DORSEY: I believe it is an effort for transparency. So, there will be data passports that are going to be provided to researchers. Access is granted at the researcher level, not a project level. So, in most cases, you would be able to see like what projects are being conducted using certain datasets. Well, with this, the research portal is going to show the actual researcher who is using the data. A big part of it is transparency, so people know how their data are being used.
- THORPE: Do we have this with NHANES and the other NCHS datasets?
- DORSEY: This isn’t an NCHS dataset. This is a very unique, one-of-a-kind type of a research project. This is – these are research data. These are clinical data. It is data coming from multiple sources and allowing researchers and also citizen researchers, not just academic researchers, to have access to the data.
In NCHS, they have a different set of rules because they are our principal statistical agency. That governs how they share their data, as well.
- STEAD: Bob and then Denise.
- PHILLIPS: Rashida, thanks a lot for this very timely update. One of the questions I had about the research data centers is I am wondering if there is a way to get kind of a cataloguing of which data have been moved into RDCs and specifically, which ones have been moved out of public use files into RDCs. If it is possible, it would also be helpful to know some of the reasons for the shifts. We have heard some confusing feedback about this. Some folks say that files have been moved to accommodate their linkage to non-public use files. Some folks have said they have been moved because there are statistical ways of identifying people within the datasets so they are not truly public use files anymore. Some of us on the population health subcommittee are still trying to understand what the reasons are. There may be a request down the line of asking if some of the public use files can be made public again. It would be helpful to know which ones that might apply to.
- DORSEY: I would like to talk to you a little bit more about that because – I want to look into this for you, but I want to make sure that I understand clearly what I am – what we should be digging into. If there is a – a file is considered public – are you specifically referring to a linked dataset that once was or are you talking about any public use files?
- PHILLIPS: It may apply to other files, but some of the MEPS, the medical expenditure panel survey public use files. We heard at one of our meetings they were moved into the NCHS RDC so that they could be linked to non-public files of NHIS, the bigger survey that MEPS is carved out of. The explained purpose was to facilitate research. When we asked a similar question about why those public use files couldn’t be moved back out of the RDC so that they could be used by researchers and graduate students, we were told that they were no longer public use because there was potential to identify participants.
So, we had a mixed message on why the move occurred. One of them could potentially allow the public use files to be public again and one of them would not. I am just trying to clarify. Across many of our graduate schools, there is a need to access some of those previously public use files.
- DORSEY: I will look into that. I am thinking as you are talking because if a file was – if it was a public use file, if it was a PUF, then if it were linked then perhaps that linked file might need to stay in the RDC. I am just trying to think about why a public use file would be – need to become a restricted file, in and of itself, without being linked and without adding additional variables that were removed. I am happy to look into this. Now that I know the specific example is the MEPS, I can reach out. I will see if I can find something while you are still here.
- LOVE: I am just curious is this the first HHS research project of this scope with the medical record? It seems like a big deal.
- DORSEY: Yes.
- LOVE: It seems like this could set the stage – okay, I am slow here. It seems like it could set the stage for good or for bad for the future. This is critical. Just what has been going on in the news with other private data banks. Yes, we are very interested in learning and watching this.
- STEAD: It is very different because, A, it is consented, and, B, it is consented for recontact. It is consented for giving the data back to the patient. All of those things make it quite different than anything we have done before.
Very good. Thank you, Rashida. That was really a very helpful update.
Now, we are going to move on to the Next Generation Vital Statistics discussion. Bruce and Dave, I believe you are going to lead the discussion of the action items first.
Agenda Item: Next Generation Vital Statistics
- COHEN: We have actually expanded to include Delton in this conversation, as well.
What we would like to do today is for the first half hour, at most, review where we are in finalizing the hearing report and the transmittal letter. I would like – the goal of this half hour is to achieve consensus among the committee to finalize the letter and the transmission to the Secretary. There might be some additional wordsmithing that I would like the full committee to agree to allow us to do rather than trying to do detailed wordsmithing at this particular juncture. I think we are in good enough shape that we can reach consensus, but there are always a couple details that we might want to see change.
The second part of the conversation I think is actually more important. Dave and Delton will lead that about what is next for us with respect to Vitals.
Let me just dive into the hearing summary and the transmittal letter. But before I do that, I really need to acknowledge Kate for an incredible job of really pulling all of this together and Susan Kanaan, who, again, masterfully wrote this hearing report. I had no idea how she would be able to do it because the hearing was so complex and rich. Dave and Bob and Rebecca and a lot of folks just really had their hearts in this and have helped move this final at least interim road mark project to this point.
So, I just put up for everyone’s interest in the next set of slides a sort of summary of the hearing table of contents. I decided not to go through in detail. If at any point people have questions about anything that they have read in the hearing summary, just chime in.
We start with the introduction. Just I really – it is important here, I think, we focused on some definitions, understanding registration, vital event registration and vital statistics and the difference between registration and statistics to create the vital registration system. We talked about the use of the data in the hearing.
Again, then we rolled into just I think very constructive and generative discussions about the challenges and began looking to the future vision of where vitals might be and where we would have ideas for the Department.
So, I thought it was just important – Bob had a great idea. I wanted to share that with folks as we design other hearing reports – to give an initial soundbite that sort of summarizes our bottom line. That is really “vital records are the foundation for essential functions at local, state, territorial, and federal levels, but the system is highly vulnerable. Federal leadership is needed to secure the vitals records and vitals statistics data collection network as a sustainable, reliable resource.”
So that – we thought it was very important. Given we don’t know who is going to read what and how much, we wanted to make sure we made a very clear and pithy statement about what our concerns and what the issues are for this whole project.
Again, I don’t want to get into details, but I think the hearing summary that follows the overview – again, we tried to divide this targeting different readerships. We will get to the transmittal letter in a second, which is our first effort to really have a very proactive transmittal letter. We didn’t, ultimately – as all of you I am sure recall, we couldn’t come up with specific recommendations, but the transmittal letter was our effort to describe what the issues are that we really feel HHS and the federal government should pay attention to and show leadership in.
So, we have the transmittal letter. We had the pithy statement. We have I think a very robust, stand-alone executive summary. We have the full report. Depending on who reads what, I think we have tried to target a variety of audiences in different ways to maximize the impact of I thought an incredibly wonderful and complex hearing.
Again, I don’t want to get into wordsmithing. Essentially, we came up with – based on the hearing and subsequent analyses, we felt federal leadership is needed to do these following things. We will talk a little more about this. Delton, in his I think excellent review of some of these materials, has come up with I think very valuable suggestions that would actually enhance the messaging for the hearing summary and for this work.
Let’s move on to the transmittal letter. Again, this was – this is a full team effort. This was Bill’s idea to really have a very robust and proactive transmittal letter to the Secretary. If, in point of fact, it is the letter that is the main thing that the Secretary and his staff reads, there is enough information in the letter that conveys the important messaging of the hearing report.
Again, the letter lays out first of all who we are, the National Committee, and what the scope of the hearing was and sort of a summary of the numerous testifiers that we heard. As we move forward, the key parts of the letter were identifying the initial findings. Essentially, they were re-emphasizing that vital records and statistics are foundational for surveillance and identity establishment, population estimates, and a variety of key functions at the federal and at the state and local level. Just a brief statement about trying to understand that the vital records system in this country is really the combination of 57 different jurisdictional practices all rolled up into one. We talk a little bit about the challenges around the quality, completeness, and timeliness that we heard discussed at the hearing.
We then make the case, which was brought up clearly at the hearing, people don’t – we really don’t have a complete grasp about understanding the long-term stability and viability, the business models, and the funding for vitals all the way from the local data collection through the national system. We really need to move forward as a priority in federal government to make sure that this is a sustainable and secure system.
We conclude if you keep scrolling down a little, Ruth. Our conclusions, again, provide direction directly to the Secretary and hopefully to other federal partners and other non-federal partners about what we need to do to move forward in this area.
I will certainly entertain any specific questions that folks have or general comments that we need to address for both the report and the letter.
- GOSS: I thought this was really well done. I am still amazed at the level of discovery we had during this session, especially considering the chops sitting around the table.
Around line 37/38, we reference the summary of the full hearing and is attached. Suggest maybe we include a footnote to link it to the website. It is just more easily discoverable if other people are looking for the summary because I think it is really good and I want to promote it.
That was my primary point, but then also – I am going to stop there.
- COHEN: That reminded me not only we are transmitting the hearing report with the letter, but also, as you recall, Gibbs’ phenomenal supplementary document that emerged from the hearing that really detailed some of the uses and issues around vitals. He did a great environmental scan. That will be also included when we transmit the hearing report.
- GOSS: Thank you. That is my hanging chad. I think we should include the URL for that one as well. It is in line 44.
- LANDEN: Like Alix, I think very, very well done and well presented. Just a ton of information there. I think the need is, indeed, critical. What I really particularly want to call out is that the report recommendations doesn’t call for federal takeover. It calls for federal leadership. I think that is a really, really good approach.
As a future add-on to the part that talks about new legislation, I would suggest we keep in mind the possibility of working with the National Conference of State Legislatures to actually craft some model legislation that might be built on the best practices that are identified in the future.
- COHEN: I think that is a great point. There is a model law that we have referenced that has existed for quite a while. I think as we move forward, whether this model law needs updating or it would work as the basis for jurisdictions to consider now to update their practices is something, again, that will be enhanced by federal leadership and the adoption of the existing model law amongst the jurisdictions.
- COUSSOULE: Just one comment – in the letter, it talks about encouraging the federal government to develop basically funding models without saying write a check, which I think is really important. It does highlight – again, you have to get into the report in the details about a number of federal agencies that benefit from this that may not get into funding. I think it is important to make that statement here without getting into you need to write a check because that is the way it is going to make it better. So, I think that is a really important part of this exercise that drives you into the details of the use cases that are in the subsequent report.
I really like it. I think it would be easy for us to default to you all ought to write a big check to fix this problem because that will solve all of the world’s problems if you just write a check. It doesn’t necessarily, but it does force you to recognize where the value is being derived to then drive some of the funding. I think that is a really important part of this letter in the subsequent reports.
- COHEN: Thanks. Any other comments? If not, I would like to – is there a motion – do we need a motion? How do we do this?
- STEAD: What I would suggest is we approve the report. Do we want to have a brief discussion about some possible wording changes to the letter before? Do we want to go on and do that – I am just trying to understand where we ended up, in terms of whether we want to – Delton, do you want to make a comment about how we might strengthen the letter with one or two word changes?
- ATKINSON: Yes. Let me say that I think the committee did a wonderful job of looking at a very tough issue, which is vitals in our country. From the standpoint of NCHS, let me say, number one, that we believe in a federated vital statistics system. I want to make sure that everybody understands that particular part. We recognize that that system needs to be strengthened and it needs to be modernized. It is important that when we communicate to the Secretary that we are communicating that the importance of the Secretary claiming that this is something that is a priority within this country and is a priority to us moving towards modernization. I think that is probably as much of a detail, in terms of it.
Now, I went forward to kind of describe some of the things that – when I think about modernization that I communicated to the committee. Those things –
- STEAD: I would like to try to – if we can, I would like to see if we can take the comment that you have just made and look back at the letter and see if –
- COHEN: Maybe we could just vote to approve it with the idea that we will add words.
- STEAD: No, this is substantive. If we are going to make this change, we have got to agree to it as a committee. This is not wording. It is a couple of words, but it is substantive words.
Can we get to the bottom? I think it actually would also ricochet into the report. So, we are looking at line 67, 68, and 69 in the letter, which right now say, to conclude, the committee would like to draw your attention to the following critical points. One, given the significance of the vital records and statistics systems, more federal attention needs to be paid to this critical infrastructure. Then it says federal – which I think we are good with. Then I think it says federal leadership is necessary to work closely with the state’s jurisdictions and agencies to – and there is a list. The question is do we want to add a small number of words that basically says recognize that modernization of the system is a priority. Those are the words that Delton would recommend that we add. Those are nontrivial words.
- HINES: Bill, I am wondering if we can add that in number one, where more federal attention needs to be focused on modernization of this critical national infrastructure and then we are done.
- STEAD: I think that –
- COUSSOULE: I think number two could cover that in a way by saying federal leadership is essential to effectively modernizing the system and working closely with the states and jurisdictions. I am trying to think of the language. I think that is the tone that you are trying to get to. Right?
- STEAD: I think Delton is actually trying to get slightly stronger. I won’t – but I think he wants – he is basically suggesting that we ask the Secretary to recognize that modernization of the system is a priority, period, without going into details of what that means.
- ROSS: I want to agree with you. I think the goal is to recommend that vitals be modernized. I think that should be – if nothing else comes out of the hearing, that is the watch word – U.S. vital records system needs to be modernized.
- COHEN: Why don’t we end this first – I agree with Rebecca. Excuse me, Dave. So, maybe the second part of that first sentence could be given the significance of vitals, it should be a priority for the federal government to modernize the system or something.
- ROSS: This also ties to the – that opening paragraph of the executive summary.
- COHEN: We could repeat that language there.
- ROSS: That language, but if you go back to that one, that one paragraph in the opening of the executive summary, the second sentence could read federal leadership is needed to modernize and secure the vital records data collection network as a sustainable and reliable source. That would be one suggestion that we just change that – stick those words in that opening.
- STEAD: This will be a good test for where the committee’s head is. Strawperson – show of hands – who would be comfortable with that addition to that bullet? If we are comfortable with that, we should be able to fix the rest. Is anyone uncomfortable, strawperson?
- THORPE: I am not uncomfortable. I just want it to be its own point like point number two, not put it within a different – I don’t want it to be 2A, 2B. I want it to be 2 if it is that important. Because it is a goal to me, I think it should be by itself, not up under a subgoal. That is just my approach – my uncomfortability.
- STEAD: I get that, Roland. That is fine. I think in terms of Dave’s point – well, I think in terms of the bullet text – the bolded text, the wording Dave suggested – let’s take this in pieces. The bolded text that Dave suggested, are you comfortable with that?
- THORPE: Yes, I am comfortable with that text.
- STEAD: We will come back to how to do this space.
- GOSS: I feel like there is a little nuance that I don’t know is really met by the suggested vision. I think I am hearing Bill say that Delton would like to see the feds specifically come out and state that they recognize this issue and they have made it a priority as opposed to we all agree we need to modernize it. I think there is something important there. We are asking for an action very definitively. We don’t know how you are going to fix it, but we need you to stand up and embrace it and make it one of those priorities.
- ROSS: You are saying the letter to the Secretary should say that we, the Committee, request the Secretary announce and declare a modernization initiative?
- GOSS: That they decide how they will articulate that it is one of their – they will assess and affirm its prioritization. I am not hearing us get to the point, which I thought I heard put on the table already.
- STEAD: The Committee recommends that the Secretary make modernization of the system a priority.
- GOSS: That works for me.
- COHEN: So, that is a recommendation that we can all agree on.
- STEAD: That would be a recommendation that I have seen we are good with. We are not going into details.
- HINES: The committee recommends that the Secretary make modernization of the system a priority.
- COUSSOULE: Just to make sure I am clear, is it kind of three distinct points? The first point is that we believe modernization is essential. The second one is that we think the Secretary needs to take a lead role in stating that fact. The third one is the federal government needs to play a leadership role. Those are the three distinct points? I am trying to make sure I am clear.
- STEAD: Yes.
- HINES: So the one we just stated is number two now.
- GOSS: It seems like it fits a lot with the update we heard from Rashida and the alignment of the data needs. It is the bookend.
- HINES: Are we making any edits to the first point or are we leaving the first point as it is?
- STEAD: Right now, we have given the significance of vital records and statistics systems, more federal attention needs to be paid to this critical national infrastructure. That is one. Two, the committee recommends that the Secretary make modernization of the system a priority. Three, federal leadership is needed – I am seeing a lot of heads shaking.
- LANDEN: I suggest that the initial premise of this letter was to transmit reports. We have now changed that from a report transmittal to a recommendation. I think it needs a little bit more restructuring. The opening line of the letter – this letter transmits two reports. That is not what we are doing anymore. We are making a recommendation. I think we need to restructure the approach a little bit more deeply than I am getting the sense we have time to go in for here. Just recommendation that it be re – that staff relook at it and make this a letter of recommendation rather than a letter transmitting reports.
- STEAD: That is a good point, Rich. My sense is what we might ought to do – my sense is we have agreed to the substantive change. We have put in two. Bruce has got a smile on his face. Delton does also. Kate does third.
I think we agreed to add two words to the bold text in the hearing summary.
It sounds to me like if Pop Health and colleagues could work on the wording, we could have a draft in the morning for final action, as we have commonly done when we have wanted to bring something back. We will bring it back in the update block. We will do that right at the start of tomorrow morning. It will just be to finally approve the text. We actually want to shift this thing out of here on Monday. We don’t want this to wait any longer.
I think we wait to vote until the morning. Do we go on and vote? I guess what we can do is vote on the principle now and vote on the final wording in the morning. Let’s also approve the report. Do you want to make a motion to do that, Dr. Cohen?
- COHEN: I am afraid to. I move that we – should we do the transmittal letter and the report separately or together? I move that we approve the report as amended with a slight change in the introductory executive summary statement.
- ROSS: Second.
- STEAD: All in favor? Any opposed? Congratulations.
- COHEN: I also move that we amend the transmittal letter to include the concept about vitals modernization being a priority for the Department.
- STEAD: Any discussion?
- THORPE: I have some reticence about the motion. Why are we moving to actually amend something that we are going to adopt tomorrow and going to make amendments on? I think it would be more efficient just to bring it back tomorrow and just vote it up or vote it down.
- COHEN: I am happy to withdraw my motion.
- STEAD: That is fine. Then we will move to next steps.
- COHEN: Dave and Delton will – now that we have got all of this cleared up, the question is what role makes sense for us as a national committee to be playing moving forward in vitals arena. Dave and Delton will lead this discussion. The goal is not to finalize any decision now, but just to get a sense of the committee about, first, whether you think we should be doing more detailed follow-up from that hearing, and second, if the answer is yes, what are some of the priorities for us to consider about what we should be working on. Dave, do you want to start?
- ROSS: Yes. Before I start, I want to also – I just think we should – in addition to the committee members and staff that have made this hearing possible, those thanks, but also we have big thanks to the Robert Wood Johnson Foundation and its support of the Digital Bridge Initiative, which also came and testified and helped coalesce ideas. It is important to make that point.
When we talk about next steps, clearly, we have to await the Secretary’s response to the report. We will do that. I think we have committed that we should make sure that whatever we do going forward is not duplicative work. We need to put our heads together with NCHS leadership.
A number of ideas came out of the hearing discussions as options for us to pursue. That is I think what we would like to use some of this time for. Delton has kindly agreed to come and offer up some ideas.
I think we heard this overriding theme. I am glad that we are now inserting the word modernize. That is the meta-theme here. We have to modernize it. We all agreed and I think it has been resaid here, but I will say it again, that this is a federated public health system in the United States. We are not advocating an overthrow of the U.S. public health system in any way, nor are we asking that HHS merely just offer federal tax dollars alone as a solution to modernization, but modernization needs to happen. I think that was a theme that came out.
Nick pointed out so correctly that in that hearing we heard I think for many of us, some fairly surprising news. I have been in public health a long time, but I had no idea the breadth of use of these data outside of the formal public health system and the number of organizations, companies, and federal agencies that benefit by using these data. I think as we take next steps, bringing that to highlight, to me, is very important. In the ideas that surfaced about modernization was this idea of exploring the underlying, for want of a better term, business model, but how we finance getting these data. So many different groups benefit and yet, so few pay. I think there is an opportunity, in my view, that we figure this out.
So, we are saying right now, I think, put next gen vitals on pause until we get a little bit more clarity. For this discussion, let’s go forward to the next slide. As we have Delton offer up some ideas, let’s be thinking about, first off, sort of the breadth of all of this. We have got to decide within this committee taking next steps, our approach. Most of us are systems-level thinking people. You have got to look at vital records, statistics, and the vital events process. These are related, but as we pointed out in the report, not exactly the same.
We have got to think about the approach. Is it incremental? Do we add something like a model law? As we discuss about this, I will offer my ideas. We need to decide what our topic focus will be, whether or not we address certain portions of the system. If so, which pieces of it? We have got to come to a timeline. Let’s go on to the next slide and talk about sort of the vision for vital records and vital statistics modernization.
Delton, do you want to walk us through some ideas that you and your colleagues have had on this?
- ATKINSON: Yes, I would. These are just some things to begin to think about as we move forward with vital statistics. One is as we look at the performance of states around the country, they go from very, very good to absolutely horrible. Somehow, as we look towards the future, beginning to have nationally approved performance standards and some way of credentialing jurisdictions against those particular standards in an effort to create a floor for which no state or jurisdiction will get below.
Looking at our training programs for data collectors and providers and processes to increase data quality and time limits. We just released out of NCHS an electronic application for which one can download for their Apple environment and be able to understand how to complete the death certificate. There are some other things that have been done.
As was mentioned, we do need to have a nationally approved model vital records and vital statistics laws that states can use. I worked at a state. I can tell you it is always messy when you go and try to change your laws because you don’t know what is going to come out of that process at your state legislature. But it needs to be something that is done. That suggestion of working with state legislators and the association in how we do some of those things – I mean those are strategies that we really need to begin to look at in terms of moving forward.
Maximize the use of vital records while ensuring privacy and confidentiality. On June 19th, I am bringing together NIH and FDA. They are bringing down the developers from Harvard University, who developed FDA’s Sentinel system. It is a way in which for researchers to access critical bits of information without the data leaving the environment that it is in. So exploring some technology strategies and our universities can play a very critical role.
Business models to build and sustain a modern federated vital statistics system. One of the things I find – over the last couple of years, I have gone after funding to help improve vital statistics and vital records and been successful in getting somewhere around about $12 million over the last four years on sort of a piecemeal basis. Getting people interested and excited about where it is that you are trying to get to, getting their support, and then saying, okay, we need to figure out how we are going to sustain that once we get to that particular level. It has got to be a part of our strategy.
Evaluating and piloting alternative models for collecting, processing, and disseminating vital records and statistics data. We can’t just continue to do it the same way, as technology changes, as things improve. One of the examples in the state of Utah, they have collected the cause of death information to the electronic health record. So, when a physician – a person dies in the hospital, in their electronic health record, the cause of death information automatically comes up. The physician can complete it. And when he or she completes it, it automatically gets transferred to the state’s electronic death registration system. We are beginning to show that that has improved the quality of the information. So, we need to look at alternative strategies.
The last bullet that I have here is that vitals needs to be a near real-time vital statistics system. We have done a lot of work in trying to – through the work and the funding from PCORI, Patient Centered Outcomes Research Initiative, out of ASPE, we have been able to improve the timeliness of the records being transmitted to us, but we are not where we need to ultimately be. In fact, with this opiate issue, coming out of the Secretary’s office, there has been some discussions about having 90 percent of drug deaths being reported within 90 days. Vitals ought to be an active part of that thinking and that process.
- ROSS: Could I ask you a couple questions on these? So, on the performance standards, has there been any discussion with the Public Health Accreditation Board, PHAB?
- ATKINSON: Excellent question. We are now working with Public Health Accreditation Board. I am funding that out of my budget on a sort of piecemeal basis. We are doing some beta-testing of performance standards in about four or five states. Hopefully, within the next year, we can come to an agreement as to what some of those standards are. Then we have to figure out how do we make this nationwide. So, yes, we are working directly with them.
The other thing with that, to PHAB, is that when state health departments are accredited, there should not – vitals should not be left out, as the process we do right now. If it is a foundation of public health, it should not be left out. That should be a part of that accreditation.
- ROSS: So, is that likely to happen without any push from this committee? I am kind of looking through your bullet points here for the ones that may be items that get put on our agenda as we go forward. Is that likely to take care of itself?
- ATKINSON: Interesting question. I don’t know. That may be something where we have to kind of come back to the committee. It is going to involve the rest of public health. To say that state health departments are accredited, that you don’t exclude vitals as a part of that accreditation effort.
- ROSS: I guess I have the same question about like with the model law. Is there a model law drafted or being drafted?
- ATKINSON: There is a model law that has been drafted. It was drafted back in 2010-2011. However, that needs to be updated. As Bruce will tell you, there are lots of things that happens in that. When that is updated, that model law then is going to need to come back through the Department. It is going to have to be ultimately signed off by the Secretary. I could tell you that many states have said to me, Delton, we can’t move forward on anything using the model law unless the Secretary has signed off on it. Our department, our governor, will not touch it unless the Secretary has said this is the model law that you ought to think about.
- ROSS: So, that could be something that our committee takes under consideration as a possible next step. Is that fair?
- STEAD: If our committee is going to do something like that, we would actually – the scope of the project would actually be to hold hearings and to make recommendations about revision to the model law and then approval. We would have to dive into that in detail. It wouldn’t be one of many things. I think that is really the question we would have to answer.
- ROSS: I was just trying to tee up for the committee ideas about possible areas that we could consider. That might be one of them.
- KLOSS: I don’t see it specifically reflected here, but my recollection and my notes from that hearing called out a particular issue with lack of standardization of data content for both the birth and the death records. I do think that may be an area that is a sweet spot for the committee. We could dig in and at least say here are – here is minimal data content and areas for definition. It all starts there. Everything else that rolls up is either inconsistent or unreliable. I do recall that that came up strongly, at least for me, from the hearing. I don’t see it specifically reflected here.
- ATKINSON: There is one more slide. The last one here is related to systems. Obviously, we need to do quite a bit of work here. Our systems need to be statewide. It needs to include a preponderance of all the critical providers. It needs to be interoperable. That is – it has got to be interoperable with electronic health records, with medical examiners case management systems, with – even public health surveillance systems. There is too much at the state level where things are being printed out to paper and given to another one.
In fact, we have just received a $2.7 million funding from PCORI again. One of the activities there is the interoperability. We are beginning to work with five states where we are looking at the interoperability between electronic deaths, medical examiner’s case management system, developing the standards for those transfers, and how that is going to happen and so forth.
We need to be able to exchange information in a near real-time basis to authorized users. Our systems have to do more. They have to be able to recognize when information needs to be transferred from one place to the other. We have to figure out how to maximize collaboration across states to control costs and enhanced flexibility. Not to say that states have to use the same systems, but how do we maximize this? Right now, it is expensive when you start talking about electronic death and electronic birth systems. Most states can’t afford to pay it.
We need to be able to maximize the efficiency of the business workflows in collecting, processing, amending, and issuing death certificates. Our system should not be just something that mimics the existing process. How do we use the system to really maximize how business needs to be done? It doesn’t mean that we are just going to develop a system that does what we do now because that is not going to save us the time and the energy.
This is a critical one. We have to be flexible and accurate during crisis events. If you remember Puerto Rico and the hurricane, if you remember New Jersey and Katrina, if you remember Houston and its events, trying to determine how many people died as a result of that crisis event, we have numbers all over the place. There is no accurate numbers. Figuring out – that is more than just systems. That is really kind of a whole process that we need to really look at.
- ROSS: Vicki, you were next and then Bruce.
- MAYS: I think I have to introduce myself first. Vicki Mays, University of California Los Angeles, member of the full committee, pop, privacy, and the review committee. I have no conflicts.
Delton, thank you as always for these kind of years of insights that you have that are just full of wisdom. I really appreciate what you offer us to think about.
I want to talk about two issues. One is the committee’s reflections that I heard. The other is what I heard at the hearing.
The committee seems to be struggling with a model. What kind of model should we use to think about this? We talked about this federated model. I think that rather than talking about either finances or changes, alone, we might, as a committee, need to struggle with the proposal of a model. In thinking about that model of how these pieces work, financing becomes a part of it and thinking about like kind of where the checks and balances are in terms of quality control. So, I would like to make sure we put that on our agenda to kind of think about that.
The second thing is what I was struck by at the hearing. I mean it is a bias I have, but I was still struck by how much it came up. That is the focus on the mortality statistics. Kind of where you ended is a definite case for it in the sense of, you know, what happens during disasters, what happens in our islands and territories, what happens – we really have I think a lot of work to do in terms of improving our collection of data for the mortality record. Again, I am sure you know this even better than I.
Some of the quality improvement that the state of California is trying to do is to also make sure that it is getting good at making sure they know exactly the status variables about people. They are trying to improve race/ethnicity. They are trying to do it in more detail. They have moved to now including sexual orientation. So, quality improvement around some of this I think really should be on the table, in the center and front of our discussion. I think, ultimately, it is critical.
I think the last comment is what to me seems to keep being the stepchild here is the National Violent Death Report System, which is critical, I think, in terms of our views on mortality. Congress keeps wanting to know more and more about these violent deaths, particularly if they are opioid-related, particularly in terms of the increases in shootings and killings. We don’t, again, have a system that is fully organized around every state, same thing. Instead, we have kind of a broken system. I also want to make sure that we put that back on the table.
- COHEN: I will try to be brief here. A couple things. Linda, you mentioned standards. There actually is a process in place for identifying items that are collected by all states for all of the certificates. What has happened is a lot of states have expanded beyond that and there might not be standards for the additional data collection. There are core standards that allow interjurisdictional exchange and are required by NCHS for all of the jurisdictions to send data.
- KLOSS: My recollection was for the other things that get layered on.
- COHEN: For the hearing, we specifically excluded from the scope issues around content and quality because there was so much other stuff that we wanted to deal with. Vicki brings up the point should we now get more involved in content and quality, which is a question we need to address.
For me, the fundamental question is do we want a big project or do we want a smaller-scoped project? A bigger scope project would be redoing the model law. It would require experts from an enormous number of sectors. I am not sure I would know how to evaluate what they had to say. Or do we want a smaller project and one that seems to me that would benefit a lot of folks? Time and again, it was said we can’t identify when a death happens rapidly. It would be great to know it. If we decided to focus on an issue like rapid ascertainment of fact and cause of death to be used by a variety of users, what would we have to do to create a system that would benefit public health surveillance, commercial enterprise, researchers, and a variety of folks. I think then we might be able to get the level of expertise together to figure out suggested strategies and options to focus on solving a smaller problem. My preference moving forward in vitals would be to identify a specific solvable issue that would maximize benefit to a variety of the many users who testified at the initial hearing.
- LOVE: I really appreciate the work and the discussion, but I am going to come at it as a cousin – I guess a sibling or a step-sibling of NAPHSIS. So, NAPHSIS with the vital records, you know, we have similar issues with the hospital discharge data reporting system. So, when I hear credentialing, I think it is a good thing. I think there could be a draft of that that could bring other databases and registries along with vitals as the lead or the touchstone.
I am completely in support of what I am hearing, but I am not sure – just a broad PHAB credentialing, but for long – NAPHSIS and Trish and I and some others have felt that we need more of a public health data scientist approach to some of these data issues. That is data quality improvement, intake, turnaround, and release. I just wanted to lay that out because our workforce overlaps. If you did an environmental scan, about half of your members also are managing hospital and other database registries.
Modernization – I am assuming it is more than – I just wanted to say this clearly – more than IT. I am so bombarded with problems. One of them is getting any of these data from death, low birthweight, and others, at the subcounty level for geocoding for public health. I spent a week last week in Atlanta and I was bombarded with people pleading for help. This is public health pleading with public health. They aren’t sharing or they have such severe restrictions. That seems to me broken. It is almost easier to get the data out to the private sector than to another public health agency. I just wanted affirmation that modernization is more than IT.
- ATKINSON: It is definitely a lot more than IT. That is why I separated the two slides.
It was interesting – I spoke two weeks ago to a meeting of the health officers. Some of the health officers said to me, we have a lot of trouble getting data out of vital records. I would think they would not because somewhere Vital Records reports to them. Vital Statistics reports to them. But they talked about the same problem.
- LOVE: I heard plenty in Atlanta last week. That is a huge problem. Thank you for letting me – I feel like I am Captain Obvious today, but I still have to say it.
- LANDEN: I heard our comments. I commended the group in the way they are approaching this as the federated and the states will do different things. I am starting to see a little bit narrowing in some of the next steps presentation. I am a little concerned that we are focusing on solutions to specific problems, especially in some of the comments around the model legislation. There seems to be some hint of thought process that there is only going to be one way to do this. I don’t think that is a way that is going to be successful because throughout my career I have seen that if one state does it one way that is good enough reason for the neighboring state to do it a different way. The vision has to allow for different approaches by the states. Some of them are politically motivated. Others is because they do their own analyses and have their own funding mechanisms. They are just going to be different.
What I would like to see more of, at least we think about, is let’s set out what are the needs of the system? What is the data and the use it is going to be put to? From there, who are the users? Start to make the case of why this data is going to be important and how it is going to be used for the rest of the century and then back into models that will support that and not necessarily one model. I would just like to see more emphasis on what are we trying to achieve than appears to be in here about how do we fix what we have got now. I think there is a ton of great stuff in the reports that do give us that future vision. I don’t see it here and in the next steps.
- ATKINSON: If I may respond, I think that – that is not the message that I was trying to achieve. The way that we have funded states in the last couple of years, it has been focused on goals. What are the ultimate goals that we are trying to achieve? Then leave the how to the respective states. That way you still have different strategies, different ideas that are being put into place.
If you look at how we dealt with time limits, we did not put in the time limits contracts at all anything about an approach. We said our goal is 80 percent of the records being received within 10 days of the date of the event and allowed the states different options. Now, we have for educational purposes made states aware of what other states are doing, but still it is their option to choose this. So, I think as we look across these kinds of things, this is really figuring out where we want the system to be and then trying to put into place the funding to help them get there. But there has got to be the accountability for the goals.
- ROSS: We have time for maybe one last question.
- KLOSS: I would underscore what Rich has said. I do think we could press further on what a modernized system would be capable of, what would it look like at a high level, and that might help move this or give us an opportunity then to issue a second letter.
I think I would support where the subcommittee is going with this. This is too important just to be done and transmit these reports. Finding that sweet spot of where to go next is really important. It may be going higher rather than drilling down.
- ROSS: I think we have heard that the idea of rethinking – reanalyzing the business processes that drive all of this leading to a logical redesign effort, that leads to the modernization that would sort of in effect state what we mean by modernization. I would agree. I think we have to look at this comprehensively. I think we have some benchmarks to refer to.
If you look back at the last 25 years, what it took in the immunization registry business, which is actually a lot simpler than the complexity of vitals, they struggled to eventually get data standards and agreement on essential functions, then they struggled to get agreement on what ultimately led to a model law, but until that happened, you had states going in completely opposite directions with opt-in, opt-out legislation. They eventually evolved to a national agreement to where now every state has one and they all meet the essential functions, but that took us 25 years.
I would hope in the modernization effort with vitals we could accelerate that, but I would also suggest that we have one other thing to be able to say. That is that – I have heard people say this country was caught short with this opioid epidemic. That is the kind of thing – if our vitals system was modern as it should be, that should not have been a surprise to anyone. If we had near real-time data that is accurate – it has got to be accurate and timely. It can still be done by all of these different states doing it their way, but if we had accurate, timely data, this should not have been a surprise. We have a benchmark then to say, as we go forward and redesign this system, make sure we are not surprised by things.
- STEAD: Thank you. We will now take a break.
(Break)
Agenda Item: Standards Subcommittee NCPDP Standards Update
- STEAD: Call us back to order. I think we are ready for Alix and Nick to carry us through the NCPDP discussion.
- GOSS: Good morning, everyone. Thank you for being here today. We are very excited to bring to you the National Committee Prescription – NCPDP standards update. We are excited to bring to you a recommendation letter to recommend upgrades to the existing standards.
We are going to handle this presentation today twofold. First, we are going to have Lorraine give us a little overview of where we are at with the current standards and where we are going with this recommendation letter so you have some context. These slides were also included in your eBook. I apologize if this is a little redundant for you. Then Nick is going to walk us through a discussion around the short, sweet, and pointed letter. We do have a couple edits that we made since the version you saw in your eBook for consistency purposes. So, Nick will talk about that a little bit. We will certainly entertain questions as we go along.
- DOO: The National Council for Prescription Drug Programs, most of you participated in the hearing that we had on March 26th. That is the National Council. They are one of the standards development organizations from whom we adopt standards. They are responsible for pharmacy standards, so the D.0 that we have already adopted and the subrogation standard that we have already adopted in our current versions of the standards. They are obviously a membership driven organization. They have been named in the original HIPAA legislation.
We have gotten a recommendation – you have gotten a recommendation from them to adopt three new versions of the standards. That is what the letter is going to be about.
So, the last version of the standards that we adopted was in 2009. It does seem like high time that you would be considering new versions of these standards. They are – the ones that are going to be considered in the letter are F2, the telecom, 15 for D.0 and Version 1 Release 2.
I am not sure what you are seeing because I can’t see the same thing.
The telecom standards, they were adopted for the pharmacy retail drug transactions, claims, eligibility for a health plan, referral certification, and coordination of benefits. These are the ones, obviously, that are being used by providers and software vendors for real-time pharmacy claims.
I just have to make sure you are seeing what I am seeing. Okay, good. I just have to double-check. Okay, so you are seeing those. The next – so, you are going to be, yes. I am not sure how the slides are actually going.
So, these are the next set of standards that we are going to be adopting. The subrogation standard also that we have already adopted was only for Medicaid. The recommendation that we got is also going to be only for Medicaid and their role as health plans, as well as for other entities that are covered under HIPAA. It is not going to propose that we adopt it for other health plans.
The DSMO actually recommended that you adopt F2 along with the batch implementation guide for telecommunication standards. This would replace what we adopted before in 2009, which is D.0. This will enable the eligibility verification claims reporting prior authorization for pharmacy and predetermination of the benefits.
And then also the subrogation only for Medicaid, which would replace Version 3.0, again, which we had already adopted. I don’t think that we are planning to expand it to Medicare Part C and D on a mandatory basis, but it would be available on a voluntary basis. Other payors would be able to use it and be in compliance with other federal requirements. This allows for pursuit of overpayments.
Do you want to add anything to it?
- GOSS: No, thank you. I think the important point about subrogation is just for Medicaid.
- DOO: Medicaid. Voluntary for other payors.
- GOSS: I think it is really important that point was made very clear during the hearing.
- DOO: I know Medicare Part C and D did testify that they wanted to be able to use it, but, again, it would be on a voluntary basis.
Should I bring up the letter?
- COUSSOULE: Any questions in regards to kind of the process that has happened so far? There are not – I will walk you through the letter. I know many of you have seen this already. We did make a couple of what I will call editorial changes even this morning just to create consistency between the different parts of the letter. I will explain that as I walk along. What you will see up on the screen is slightly different than what we have kind of been through in the subcommittee or in the executive committee.
So, let’s get it up on the screen and then I will walk you through.
- GOSS: So, I think while they are doing that, I think, Nick, the key point that you made there is the substantive content has not been edited, the consistency. Hopefully, there are not a lot of concerns with the letter. I think it was really amazing the level of agreement among the pharmacy industry on advancing the standards. I really want to acknowledge NCPDP for their work in creating a strategic national implementation process of starting that dialogue with the end-users, the business, and those that use the standards early on before they came to a hearing, to really think about how they wanted to approach the implementation. They have learned from the pain of the past, and being able to create a level of consistency about how to move forward and to do it effectively.
- COUSSOULE: Let me walk you through the letter briefly. The intro is pretty straightforward that we are conveying recommendations that we received regarding the NCPDP standards, as Alix mentioned and Lorraine walked through. It is just a little bit of an intro to NCVHS and then down, starting on 18, reflects that we held hearings with stakeholders back in March in regards to the updated standards and codesets – I should say standards, sorry, not codesets, but updated standards. This letter represents the findings from that hearing from March 26th.
I do want to make sure that I reinforce what Alix just said. The feedback from the participants and the testifiers was, frankly, remarkably consistent. I think that is testament to a lot of work done well beforehand over a long period of time to get everybody on the same page in regards to the standards.
So, then the actual request – the request of the DSMO that we consider recommendations for the NCPDP to adopt updated three pharmacy standards. So, we held a hearing in March. The updated versions of the standards would replace those adopted in 2009, as Lorraine had indicated. This is where we made one – I will call it just a formatting change. You will see three new versions of the standards reflected there. We had two previously, but if you scroll down a little further to the end of the specific recommendations, the recommendations actually outline the three distinct ones. We were just making this consistent with the detailed recommendations and the summary views.
There are three different versions that would be recommended for adoption, version F2 to replace version D.0, as Lorraine had mentioned, as well, the formal name being the Telecommunications Standard Implementation Guide Version F2, the Batch Standard Implementation Guide Version 15, and the Subrogation Implementation Guide for Batch Standards Version 10 to replace Version 3. So, that is the kind of fundamental request.
Our observations at the hearing – so, skipping down to line – the hearing observations really just talks about the folks that were part of the hearing. So, it was independent pharmacies, small community pharmacies, large chain pharmacies, PBMs, pharmacy benefit managers, clearinghouses, software vendors, and Medicaid agencies. So, as you can see, the testifiers were from a wide swath of involved parties in regards to the standards, themselves. They were strikingly consistent in their support, as you see from the text here, as well.
In consideration of that testimony, in review of the written statements received, we also did get other written statements. They also concurred very much so with the testimonies that were provided live.
We are offering a high level overview of the testimony. So, here, in the next four bullet points, really, it is just a summary of what we heard during the hearing. One is that the updated version to the standards contain specific enhancements that could be used for addressing the opioid crisis. That becomes a key point because, as we know, over time, some of the industry challenges change. The existing kind of rules and standards don’t always support the new challenges. Given the very public and very national nature of the opioid crisis, that is an important thing to consider.
The second bullet point, the business requirements for the covered entities have changed substantially. Again, the industry does not sit still while the standards do, unless forcefully changed, and then business requirements just fundamentally change. The updated standards do support the increase in automation and require less manual processing. Another key point in that is if we are going to require or recommend updated standards, it should make things easier and not harder and make things more efficient, not less. These clearly do so.
The last bullet point – that the stakeholders shared consensus of the best time to implement the standards. The key point here is that not only did we talk about the need for new standards. We also talked about when and how this gets implemented, recognizing that certain times of the calendar year become much more difficult for this industry, in particular, around flu season as well as around the first of the year when lots of other changes tend to happen. So, the recommendation came also to do it in the middle of the year as opposed to at the end of the calendar year.
We then indicate in line 56 that the committee believes there is a compelling need and a strong industry consensus for the updated versions of the pharmacy standards and recommend that the Secretary supports adoption of the standards. That is really the driver for the recommendations.
Recommendation one really is to adopt the updated NCPDP standards as HIPAA standards, including the three that I mentioned earlier. This is just in detail.
Recommendation two is the timing. So, the timing is – there is two pieces to the timing. One is that the testifiers did provide consistency – almost universal consistency in the time between the recommendation and the adoption, as well as the implementation. First is that the – that NCVHS supports the approaching timing offered by industry, understanding that HHS needs to publish the proposed and final rule. So, this is a recognition of the process. It doesn’t happen overnight, as we all know. We recommend for consideration to expedite the rulemaking. This is 2A, expedite the rulemaking to the extent feasible so the final rule is published by the end of calendar year 2019.
B is to provide for a two-year implementation timeline following publication of the final rule. Basically, that gives the players in the industry, the software providers, et cetera, enough time to recognize the approved standards from HHS, as well as build that into their operating models, their software products, et cetera.
The third is to require the updated version of the standard to be used by the compliance date, but allow both versions of the standards to be used for one year after the compliance date. So, this says the two-year period when we give everybody a chance to get up to speed and then we require that implementation, but allow for a transition period of 12 months after that compliance date to allow for a – what I will call a rational transition period for allowing different players to move to the new standards, as opposed to a kind of one-time cutoff and everybody goes, which we all know with something this big and complicated, the likelihood of success there. I will speak for myself, but other members I know believe would be very challenging.
Then it gets into recommendation 2D, which says require full compliance by the end of the third year, such that it is now no longer possible to use the older version of the standard.
So, to kind of summarize that, there is a two-year period by which we let all of the players get up to speed, all of the software get written and adjusted. Those pieces get implemented such that we can turn on the new standards. Then a 12 month transition period and then you turn off the old standard.
Any questions generally about the recommendations and the process there?
- LANDEN: Three comments. First, for those of you who heard earlier, I had some issues with how the three NCPDP standards were listed in the letter. Those have been corrected. I think we have got the structure right now. So, thank you.
Second, we make a statement in here about how the updates will support the opioid problem. Can somebody tell me how coordination of benefits supports that? More importantly, my question is we make these assertions on – there are three ways the standards support the opioid crisis interventions. Do we need to support those assertions?
My last question is down in line around 70 I think it is, where we talk about the dual use year, I think that language is still less than crystal clear. If I understand correctly, CMS staff understand that intent. As long as CMS staff are comfortable, what I perceive as a lack of clarity is not an impediment to the writing of the rules, then I am okay with that.
Anybody on the COB question and opioid?
- GOSS: My sense is that this is tied to the partial fill of a prescription and passing that off downstream, COB, so people have a better view of what was actually filled versus prescribed.
- LANDEN: Thank you. Now I recollect that. The remaining question on that section is do we need to support those assertions, those three assertions?
- GOSS: It would be my recommendation not to try to elaborate in this letter. Should CMS have additional questions on that, I think we would be happy to entertain those. They also have all of the written testimony that backs this up as a part of our available resources.
- COUSSOULE: Any other comments from the other subcommittee members?
- STEAD: Just for the purposes of full committee, the subcommittee has gotten me comfortable with this letter as written. In that journey, there is a fairly obvious mismatch between this letter, which correctly represents the current industry view about the required timing and the discussions we have been having surrounding the Predictability Roadmap. Where they convinced me we should leave it is this is, in fact, the current view under the current processes. It is what the industry thinks will be necessary. I am hoping that we could actually use this as a relatively simple use case of what it might look like under the Predictability Roadmap.
Not as part of getting this letter out, but as we work through the CIO Forum and we work through the next steps and the discussion of the Predictability Roadmap, it seems to me that if this is, in fact, important to the opioid crisis, then the idea that we will issue a rule by the end of 2019 and then have I guess to the end of calendar – well, it would take effect in June at some point. So, I am sort of envisioning that this might actually become fully compliant in 2022, maybe 2021, best case. I would think that if we do think this is important to the opioid crisis, it would be a tailored case of why we would need a different result from the Predictability Roadmap. I just put that out there.
- GOSS: I certainly think it is a good lens for us to use as we take the feedback from the end user’s perspective in the CIO Forum on Thursday as a way to hone our thinking with the other fact finding, information gathering that we have done over the last year. It is sort of ironic that we are bringing that up since we did the Predictability workshop with the SDOs in this room. More to come. Thank you, Bill.
- COUSSOULE: Other questions or comments? Thanks, Bill. The only other statement I would make is that the last piece in the letter, which I haven’t highlighted yet, but it is on – look at line 80, I believe, which basically says the committee would like to reiterate that industry, specifically Medicare and Medicaid programs, be given sufficient time and encouragement for thorough end to end testing before any go live date. This is really just to highlight the need for complete end to end testing across the ecosystem for all involved parties, including the federal and state government programs to make sure that this works appropriately. We felt that came out during the hearing testimony. We felt that was important to reiterate as part of the recommendations.
Thank you for considering, et cetera. Any other general questions about the letter, comments, concerns? I will – just one thing. I will highlight Bill’s comment. We did have lots of discussion. I will frame it very simply. If it is important to the opioid crisis, how can you wait three years to get something done? Part of our Predictability Roadmap discussions have been about how do we get more rapid changes in place that are maybe not as big, but more rapid to respond more quickly to the challenges. I think this letter reflects the current world as it exists and the challenges that exist today, not necessarily an ideal world that we might like to live in eventually. I do not in any way want to diminish the work that went into this effort. That is not being critical at all of this. In fact, it is very supportive of the work that went into this, but also recognizing that as we think through new models and as part of the Predictability Roadmap and things that we will talk about on Thursday of this week, there certainly are opportunities for us to deal with a pacing differential.
With that, if there aren’t any other comments, can I get a recommendation to approve the letter as written with the minor edits that are in play?
- ROSS: So moved.
- MAYS: Second.
- COUSSOULE: All in favor? Opposed? I think we – abstentions? Thank you.
- HINES: Ruth, could you please put up document H please?
- STEAD: Do you want to walk through it?
- GOSS: Sure. I am just feeling the love all around NCPDP letter. I am just excited. It was a lot of work.
So, how do you want to proceed, Bill? Do you want to walk through this? So, everybody should have the scoping document within their eBook materials, as well as having seen this before it was disseminated to ONC. My understanding is that ONC has received the scoping document, which they asked us to take the first stab at because they were so busy. It was out of the discussions we had with them over the last six to eight months or so. I really don’t necessarily want to read this to everybody, but I want to make sure that we can kind of skim down through it to see if anybody has any clarifying questions.
- STEAD: I think what we might do is drop down to the essential questions towards the end. Just make sure people are parsing that. It is a lot of content that in many ways leads up to that question.
- GOSS: I think this is a good reference document if anyone is trying to understand how the two organizations work together.
- STEAD: Really tried to lay all of the pieces out.
- GOSS: I really want to acknowledge the work that Rich and Lorraine and Rebecca did on a lot of this to pull it together and then the input of all of the wordsmithing through the subcommittee as well as the executive committee.
- STEAD: There we go. The bold.
- GOSS: So, an essential question on the road to harmonization is whether it is in the best interest of patients, the U.S. healthcare business community, and health statistics and research to maintain an HL7, CDA, FHIR, XML system – if you need me to explain those acronyms, please let me know – system for clinical and an X12 NCPDP EDI system for administrative and payments.
So, essentially, we have been talking in our predictability conversations over the last number of years, especially around the attachments recommendations, that there is a convergence. The data starts with the patient-provider interaction. Right now, they are captured in either a clinical setting using HL7 standards or they are transformed from that environment into an EDI set of transactions as recognized under HIPAA covering our medical and pharmacy needs for administrative and payment or financial aspects in healthcare. So, I think there is a need and an opportunity for us to look at how those are all going to fit together as we move forward to gain the true spirit of administrative simplification and efficiencies and information exchange and how to do that and working with ONC to figure that out and how to advance the industry while we have an install base under HIPAA and HITECH is going to be a very important portion of our discussion. I would open up to the subcommittee members if they would have any other commentary.
- COHEN: At the end of this paragraph, you list some other systems challenges. I was wondering whether the integration of the systems or keeping them separate affects the answer to those challenges. Do those challenges go away with the –
- GOSS: Could you be a little more specific into which portion you are referencing?
- COHEN: Yes. You say other challenges include accurate identification of patients, how to correct data when errors are identified. Do some of those other challenges go away if you adopt one system as opposed to two? Do these challenges remain the same if you keep separate systems or have one system?
- GOSS: I think regardless of what standards you adopt, you will have the issue with accurate identifications of patients regardless because we are not permitted to have an individual identifier. I know, as an industry, we have been trying to figure out lots of ways to handle reconciliation of identity and make sure that Alix is really Alix in all of the various places. That issue I think is a hot potato that will keep outside of the standards being able to resolve that. I think there is a lot happening in that space.
The privacy aspects and security – the accuracy aspects of a patient will still need to be addressed. Part of that is accounting disclosures and really getting the patients to be more engaged in understanding their data.
The custodian issue – so, I think overall, no, I don’t think it will solve it.
- ROSS: Bruce, I think from a – as kind of a technical practitioner in a lot of this, having one model is always easier than two from a – just because any time you try to do a translation from one to another there is risk and challenge. Yet, I don’t know that this solves all of those problems. It would certainly be conceptually easier, but I am not sure it solves all of the challenges there just because the interactions – even if you have the technology standards and some of the models and languages the same, you still have lots of different players interacting with different use cases. I think – conceptually, it does become easier, but it doesn’t solve all of the problems.
- STEAD: From my perch, it has a little bit of the – of relationship to the idea we have discussed in Vitals around the fact that the mechanisms of recording the fact of death are different from the mechanisms for assembling the various statistics that might go along with that. So, if you look at the administrative standards as largely built around what I think of – it is push transactions. You have got a business transaction that you are moving from point A to point B.
The historic approach to the clinical standards has been similar. As the clinical standards have moved toward something that is more FHIR-like, it becomes more API request-based than transaction push-based. If you could coordinate these things, you could imagine that you could push a relatively thin transaction and request whatever information you needed. You could – that would be a very different world.
The other thing is I think you would think about whatever sets – whether we end up having one system or two or some combination, you would also want them sitting on common terminology codeset standards so that anything done to sort of regularize the information, if you will, shared common roots. That is at least my idea of how that might play out.
- COUSSOULE: Yes. I think, historically, they have served two very different purposes. Yet, those purposes, as they start morphing together because the business model is changing for them to come much closer together, it has really raised the issue of that interaction being more difficult because the standards are very different. It used to be that the clinical setting did the clinical activities and the rest was in relationship to authorization and billing and payment. Those are very different activities. Yet, in the advent of some of the changes from a population health management perspective and integrated care perspective – that line is becoming blurry, where it used to be relatively straightforward. Again, I am going way back beyond when I was even involved in healthcare.
- KLOSS: We have got kind of the standards world. In fact, these innovations with FHIR and other tools are just happening very quickly around us, more quickly than we have the ability to stay ahead of and accommodate. Sometimes it just feels like we are not shooting the puck or where the puck is going. It is going quickly. How do we bridge that gap or even understand what it is? I think that is my concern. When you look at all of the new ways that data is being moved and – it is so incongruous with the traditional standards process and the process we go through.
- GOSS: Building on that point, Linda, the whole idea of value-based care is probably not the last transformation or renaming of our business model in healthcare for paying for services. It is – disclosure, I am supporting the Da Vinci Project, which is a very innovative effort of payors, providers, and vendors coming together to define the use cases leveraging FHIR. It is giving me a lot of consideration about the broader brushstrokes of the process that we need to paint so that we can keep everybody on the rails going in a direction –
- KLOSS: Taking advantage of what is –
- GOSS: But also to address the culture we have around standards adoption in this country. If you don’t have the hammer, folks aren’t going to actually get on the right set of train tracks. How to find that balancing act to not be in the way or to be antiquated for business, but yet still have everybody going in the right direction.
I think the other aspect of your commentary that I am concerned about is we want more consumer engagement in managing health. The privacy security and the protection of that sensitive data and their role is something that I am particularly concerned about and how we – the consumer aspect is just taking off. I am hoping to hear some of that during our CIO Forum on Thursday.
- STEAD: Let’s let Rashida take a few minutes to share with us what she learned about MEPS.
- DORSEY: I reached out to our colleagues at AHRQ about your question about the MEPS. I think the dataset that you were referring to was the linked data file between MEPS and the NHIS that MEPS – that AHRQ did have publicly available on its website that you could download and use that they have since transitioned to being housed in the NCHS RDC.
I think the issue is that NCHS, upon review of the data, determined that there actually was some sensitivity to the data and it did need to be in the Research Data Center. So, I think, initially, I guess when the data were linked I guess the initial review and perhaps NCHS didn’t do their – that level of review, AHRQ was posting it publicly. Since NCHS did that review, they do need to host it in the Research Data Center now.
If there is something else that you need to know, I would be happy to follow up even more. I can set up a call with the appropriate people.
- MAYS: This part I knew. The question is whether or not there has been a change at NCHS. This is I think not the only instance of data suddenly becoming more secure. The question, which I hope Susan Queen can answer tomorrow, is are we seeing a change in how NCHS is interpreting privacy, confidentiality, and security regulations that they are operating under such that it is starting to impact the ways in which data is as open as it has been in the past. Do you know anything about that?
- DORSEY: That is a good question for Susan. I would say that it isn’t that the data aren’t open. It is just that the level – the method of access might be different. The data are still available. You can still access them. It just means that perhaps for privacy purposes, you have to use the RDC as the mechanism to access the data. If you want to – there could be something at NCHS. It could be that their reviews have changed or perhaps not. That is a good question for Susan. Now that I understand – but I did reach out to MEPS because it was a MEPS dataset. It was that linked data. It wasn’t an AHRQ decision. It was driven by NCHS.
- STEAD: Thanks for that update. What we are going to do – it looks like Genevieve will be a little bit late because her driver didn’t pick her up. Interoperability challenge. We are going to pull up the draft letter. It turned out not to be as simple to edit as we thought it might.
Maybe, Rebecca, you could sort of describe the change that was made and then we will pull it up to see.
- HINES: While the document is being pulled up, the meat of it was this point and we are calling it, if everyone agrees – the proposal is this letter is being – here, I will read the first sentence. This letter conveys one essential recommendation and two reports developed by the committee.
This letter conveys one essential recommendation and two reports developed by the National Committee. That is Rich’s point. What we basically did was left – there is the five essential findings – the vital records system is the foundation, you know, just going through those five points. Then there is the two critical points. Given the significance of the vital records and statistics system, more attention needs to be paid to this critical national infrastructure and federal leadership is needed. The point Dave made – given the urgency of the situation, the committee recommends that you make modernization of the system a priority.
- STEAD: The letter is addressed to the Secretary. We think the Secretary actually needs to do this.
- HINES: What we did, basically, we just changed the language there so that the committee would like to draw your attention to the following two critical points. Rather than saying in conclusion, we are saying here are the two critical points, which they were the same as the last version. The key point that was discussed this morning is given the urgency – scroll on down – given the urgency of the situation, the committee recommends that you make modernization of the system a priority.
- STEAD: Bold it. That works. If that approach works, then we can make sure the report matches.
- HINES: Which Kate has determined it does.
- STEAD: Okay. Good.
- COHEN: Does this language move to any place in the report?
- BRETT: This language was not – we didn’t have any recommendations in the summary because the summary was a summary.
- HINES: The report was the summary of the hearing. So, you have the summary of the hearing. You have the commissioned analysis afterwards. Then you have a recommendation.
- COHEN: The only change in the report was in that first soundbite.
- HINES: Modernize and secure. You have that in your email. Kate has asked you to look at that.
- STEAD: If people are good with the wording, can we have a motion to approve this?
- MAYS: Can I just – a couple of things. I just want to make sure because I know, Roland, you were trying to make sure it had the kind of prominence that you wanted. Does this change also give it that? Are you happy with that as well? Okay.
- ROSS: Move that we vote.
- GOSS: Second.
- STEAD: Any discussion? All in favor? Any opposed? Congratulations.
(Applause)
- HINES: Could you bring us Document I please?
- GOSS: So, this is kind of carrying forward some of our earlier discussion about the CIO Forum and Predictability that emerged from NCPDP recommendation letter discussion. Could you go to the next slide please?
I think at this point what we wanted to do was to give you an overview of what Thursday was going to look like – on that, we will pause and come back to this regular scheduled program.
- STEAD: Thank you for joining us.
Agenda Item: ONC Update and Committee Discussion
- MORRIS: Apologies for being late. Some logistics issues when you have to switch between buildings in the middle of the day.
So, I think I am just giving a brief overview and then I think it is committee discussion, which I am assuming includes some question/answer. I think we have a couple other ONC staff in the room to answer questions along the way as well.
So, an update on the Trusted Exchange Framework and Common Agreement. So, we received public comments in February on the TEFCA, as we affectionately call it for short. We have been going through those comments. We received about 220 different comments, which is a fair amount for us to go through. Overall, just to give you some information around what we heard, most folks were pretty supportive of what we suggested with the framework, though, of course, there are changes on the edges that everyone asked for.
Largely, folks sort of understood the way that we are progressing forward, particularly as it relates to the recognized coordinating entity. I think even our FACA committee that did the review and the workgroup, they gave us 15 total recommendations, I think, 16, something like that. Again, agreed with the general, overall approach we were taking on the framework, but asked for some changes on the edges.
What we have been doing is working on those changes on the edges based on the comments that we received and the letter from our HITAC. We are also in the process of putting together a funding opportunity announcement for the recognized coordinating entity based on public feedback. We are trying to incorporate as much of that as we can into the funding opportunity announcement. A couple of things we have been pretty public about is everyone sort of indicated it should be a non-profit/not-for-profit organization, one or the other, which we happen to agree with and feel pretty strongly about.
Folks also felt very strongly that the RCE should not have a qualified HIN attached to it. We agree with that. We got a lot of comments around that. One of the requirements we are going to put out there is that if they become the RCE they can’t also have a qualified HIN. Background and some reasons for that is that the RCE – the whole goal of the RCE is that they can help us with putting together the full Common Agreement.
I did sort of just jump in because I am assuming you guys have all been tracking since this was an update and I only have ten minutes. One point of clarification I think is important to make, we, as ONC, released the Trusted Exchange Framework, which is Part A and Part B, which does not in any way include all of the legal terms and conditions you would need in a participation agreement between networks. Our goal was to really focus in only on those areas where the variation between network clauses causes a problem and causes networks not to be able to connect together. If any of you are familiar with the DURSA, the Data Use Reciprocal Services Agreement, it is – I don’t know what – like over a hundred pages at this juncture. I see nodding. That is about right. If you look at the length of Part B of the Trusted Exchange Framework, it is about like 20 pages. So, obviously, we did not include all of the terms and conditions you would need for a legal agreement.
Our goal in engaging the RCE is really to work both with the RCE and stakeholders to get the rest of those terms and conditions put into place, which would be the Common Agreement. The way that we have laid it out is Part B of the Framework would be the minimum set of terms and conditions that would be incorporated into the Common Agreement. The RCE would work with its governance structure, which includes stakeholders from across a wide variety of stakeholders, to build out all of the rest of the terms and conditions and incorporate in the ones that we put into the minimum. In doing that, they are not allowed to put in any terms and conditions that conflict with anything in Part B of the Trusted Exchange Framework.
The Cooperative Agreement allows us to work really closely with them to ensure that as they are updating the Common Agreement over time, adding amendments, adding use cases, that anything they do does not inappropriately disenfranchise any particular stakeholder, so they don’t put any terms in that make it so one particular stakeholder group can’t use the framework or they don’t put any terms and conditions in that would rollback interoperability. Expansion of interoperability – always good. Rollback, in our opinion, not very good. We want to work very closely with them on the Cooperative Agreement, which would be a three-year cooperative agreement, at which point they would continue on with the Common Agreement and, hopefully, at that point, be self-sustaining.
We have been working on playing together. That funding opportunity announcement, which will come out at some point this year – we have also been working to update the Trusted Exchange Framework, which will also come out at some point this year. I can’t give specifics on the timeline at the moment, but the working sort of order of events is that we would have the RCE selected and in place, at which point, we would release to them and basically stakeholders because once it is released to them, everyone sees it, the updated Trusted Exchange Framework. They would then work to build the Common Agreement to incorporate those terms and conditions, as well as build out some implementation guides for the technical standards. That was another piece of feedback we got is that technical standards don’t belong in legal agreements, which is fair.
So, we would have the implementation guides. We would have the full TEFCA. At that point, we would post it out for public comment, possibly in the Federal Register, definitely on our website. At that juncture, we would get comment on the full Trusted Exchange Framework and Common Agreement, which takes us somewhere into probably 2019, if we are all looking at the calendar of where we are at right now.
So, that is kind of the working plan of what we have going on right now. Obviously, all of that is subject to change, particularly timelines can be quite subject to change based on government things that we are all very familiar with. So, I can’t give you specifics on that right now, but that is sort of where we are at in the process.
From our FACA Committee perspective, our HITAC group, we had one workgroup that was – that reviewed the framework and gave us their 16 or so recommendations. We had a second workgroup that focused on the U.S. Core Data for Interoperability. Their goal on the USCDI Workgroup was really to focus on the process for adding to USCDI over time. So, while we, of course, want comments on what is in the current version that we proposed, we more than anything else need a process for prioritizing data and getting it into the USCDI. At the end of the day, we get a ton of stakeholders who come to us and everyone asks for different data. Depending on who you talk to, social determinants are the biggest, most important piece of data or administrative data is the biggest, most important piece. Honestly, we really shouldn’t be the ones making that decision as ONC. So, we got recommendations from that second workgroup around a process that we could set up. We are looking at those recommendations now and figuring out the best way to formalize a process around developing out the USCDI over time.
As far as our HITAC goes, I think next up on the docket for them is going to be looking at use cases, which was – they were asked to do under Cures. There is one other thing I am forgetting that I know is on their list that I just looked at yesterday. It is not coming to me. It is use cases and something else, but I think you have it in the overview document that I read yesterday.
So, that I think is all of my update in record time. Happy to answer any questions you guys have about where we are at with the framework or any other work. Although, if it is regulatory in nature, my answer is most likely going to be I can’t comment. That is how it goes.
- STEAD: Thank you. I appreciate the update. I thought that I would sort of start the questions focusing on the pieces we have been working back and forth together. First, how are you considering, in terms of Cures language, the comments and recommendations you received from us about USCDI?
- MORRIS: That will all feed into the process. I know, certainly, as NCVHS, you are going to have probably a different set of data elements that you think are the most important ones. Right? That is just kind of how it goes in our industry.
So, what we want to do is try to set up as equitable a process as we can to help prioritize those data elements based on need in the industry, current level of development of those data elements. There is I think three or four other criteria that the HITAC group suggested to us. In my opinion – and certainly other folks at ONC can disagree with me – I think the NCVHS recommendations flow into that same process, possibly with the level of prioritization that might be higher than other folks because of the Cures language. I think we have to try and be as equitable as we can across the industry to build on that over time.
- STEAD: Understood. At the end of the day, we elected to try to make process recommendations and not priority recommendations. We just thought it might be more helpful to you. I didn’t know if you could share with us how you see our recommendations as consistent with or different from the taskforce.
- MORRIS: I am going to have to be upfront and say I have not actually seen your recommendations on the USCDI process. I am maybe looking at my special assistant to see if we got those or who they went to. So sorry.
I haven’t actually seen them yet. So, one, if you could make sure that we have them, that would be excellent.
- HINES: You already have them.
- MORRIS: Do you know who they were sent to?
- HINES: Your team – Elise, John, Zoe.
- MORRIS: So, in fairness, I will say I think most of you know I am on a detail to the VA at the moment and splitting my time between two agencies. So, it is quite possible my team looked at those and did not share those with me. That is more of a keep Genevieve sane kind of situation. We will make sure that we look at them.
I think as it relates to priority, I think both yours and the HITAC recommendations honestly probably hit close to the same priority level because I think it is the same kind of FACA structure, as well as multi-stakeholder collaboration. We will definitely make sure – I will say this. I think the recommendations from the HITAC group were good recommendations. We are considering them. I think we have to be very circumspect about how much bureaucracy we are adding to the process to ensure that we can move very quickly to add items to the USCDI. I think it is a bit of a balancing act between making sure we have vetting of data elements, but also not slowing the process down so much that we never actually add new data elements. As we look at both the recommendations from the HITAC committee and from yourselves, that is kind of the lens through which we are going to look at them.
I apologize that I haven’t seen them. Just totally unprepared today.
- LANDEN: In the taskforce recommendations number six, they talk about the patient engagement. First off, kudos for including that. Could you talk a little bit about how HITAC and ONC are going to approach the recommendations? What kind of use cases are envisioned? What formation of some group that really represents patients? What is that going to look like? That is always a challenge.
- MORRIS: It is always a challenge. When they presented the recommendations and even since then, I have thought a bit about this. I think we have to figure out how to strike a balance between the fact that we are all patients, technically. To say that you can’t represent – so, a good example on our FACA, one of our cochairs, she works for Mayo Clinic, but she is also on there as a patient advocate. She has a health IT day job, but she is also representing patients. I think that there are ways that we can be creative about putting folks into a committee who can have the voice of the patient but be health IT knowledgeable because we are all patients and caregivers at the end of the day.
We are thinking through how we could have folks sort of be the voice of the patient while also having that understanding. We are also looking at what groups we can reach out to in the industry who may not be a full patient advocacy group around health IT because I don’t think that exists, technically, but who may be representative of the patients, so folks that we have worked with before like AARP or the Center for Democracy and Technology or National Partnership for Women and Families. There is, I think, a new one called the Confidentiality Coalition, who represents patients. I think we want to figure out how we can incorporate them in as well.
It is very difficult to engage patients in this effort because, one, they all have day jobs, and two, health IT isn’t necessarily their areas of expertise. We are very open to other suggestions around how we can incorporate them in, but that is our early thinking around it.
- LANDEN: Thanks. My one reaction to that is in many ways it would – if someone – if a patient has knowledge about HIT, they are probably not the patient that you really need. There is enough of them. I would suggest you think about how to – I don’t want to be pejorative, but dumb it down. Think about the common patient, not the educated patient because that is the bulk of the population.
- MORRIS: I think that is fair. It is a balance. I speak for myself on this one. I am a caregiver for – partial caregiver for grandparents. I will be a caregiver for my parents. I have my own medical conditions that I manage. So, while I am a more engaged patient, I certainly – any time I am at the table, I am probably representing both sides of the coin, the patient as well as the health IT person. I think my comment is more that – not that you take what you can get because that sounds really terrible, but in the absence of having those other patients, I think we either have to go to associations or sort of accept that we are going to be pulling people from the industry. It is probably not a great answer.
- CORNELIUS: I just hear the word consumer in response or an organization like Patients Like Me. I hear what you are saying about IT. It is really that person you are going to meet in the marketplace.
- MORRIS: I agree with you. I think that Patients Like Me is a great organization that we can include, as well. I think what is going to be difficult – actually, this is fair across the board, not just for the patient groups, as we are looking at prioritizing these data elements – no one is going to be happy with the speed at which we are moving for their particular data elements. That is just at the end of the day where we are going to be. I think having enough health IT knowledge to understand why in some areas we are going to have to move slowly I think is helpful for a process where you are trying to prioritize data elements. So, I think we have to have some level of knowledge. It is very difficult. Any suggestions you have around better ways that we can incorporate the patients, I am more than happy to listen to. I think Patients Like Me is a great example that we can reach out to.
- KLOSS: I am Linda Kloss. I cochair our Privacy, Confidentiality and Security Subcommittee. I want to commend you on the great how to get your health record –
- MORRIS: I didn’t do the work, but ONC staff did a fantastic job.
- KLOSS: – that just came out. I think it is really helpful and well done. I think that indicates what initiative will be very helpful with people and outreach. It seems to me that this is something that I saw and have been talking about it. How do you really get this out there – I mean really get this out there? I think doing that would spark a lot of engagement because it kind of walks you through what your rights are. I know we have tried to do this in many different ways, but this is really well done. I would hope that you have got some resources to put some real dissemination, public service ads, other kind of horsepower behind getting this out, even to the provider community. I think these things get released and then they go somewhere.
- MORRIS: I won’t talk about how many resources I bill for ONC as a contractor that no one has ever looked at yet. It breaks my heart.
I agree. I always make the joke my parents have my business card and yet, they can’t remember what agency I work for. They are like super proud of what I have accomplished. So, how do we expect the average patient to know who the heck we are, what resources we have?
Again, I think this is where partnerships with other groups becomes really important. Even in the provider community, a lot of them don’t know who ONC is except possibly as a curse word sometimes because they blame us for their health IT. I think we need help with that. I think the more people who can come to us and say we want to use these resources and help you disseminate them – I mean we outreach to people all the time to ask them for that. If you have suggestions on other organizations we can partner with, I am very interested in that. I think we have the knowledge to build the resources. Our team did a fantastic job on that particular resource. I looked through it myself and it was really, really well done. But we don’t necessarily have the budget or the inroads into those groups to release it. I posted it on my Facebook and Twitter pages for what that counts for. We need a little bit more than that. Suggestions around that, we would be very appreciative.
- KLOSS: I think this should go out to all of the provider associations and professional groups and health information management.
- MORRIS: We can definitely talk to all of the associations we work with a lot on the provider side to reach out.
- KLOSS: Just one other question if I may, how – we used to have kind of a FACA to FACA relationship around privacy, where a member of our Privacy Subcommittee would be on a tiger team or work on special initiatives. I wonder how that connect happens in the future?
- MORRIS: That is a great question. So, with our new FACA structure, we don’t have at the moment any particular tiger teams or committees focusing specifically on privacy. It is just not the new structure that we have. However, Kathryn Marchesini, who is our Chief Privacy Officer, who is also at OCR – I will say this if this helps you feel any better. Our collaboration with OCR is significantly tighter and closer than it has been in the past, in particular because Kathryn is honestly – you know, started with Devon and then when Kathryn came onboard and spans both, it has worked out really well.
- KLOSS: And Kathryn is the liaison?
- MORRIS: Yes, exactly. She is currently serving on the HITAC as sort of the attendee with the privacy information. I think the best way probably to link you guys up is to connect you with Kathryn and have her act as liaison.
- HINES: She actually gets the emails for the Privacy Subcommittee. She actually does, when she is available, is able to link in.
- MORRIS: We will make sure that it gets prioritized. I think she is honestly the best person to serve in that sort of capacity. I think the way it will work on our HITAC because we have the new structure is as new things come up, we will end up setting up sub-workgroups for items.
So, for example, when we go back into a comment period on the Trusted Exchange Framework, there will be another workgroup that will focus on that and we can make sure that if you guys want a privacy representative on that workgroup, that they are there. Likewise, when the regulation comes out and they are going to give us recommendations on that, too, there will be a workgroup for that, too.
I think what we can make sure we do is in any of the workgroups that have privacy and security-related information, one of your representatives serves in the workgroup even if it is just as an attendee.
- KLOSS: That is how we have done it over the last five to ten years. I was hoping that could continue as it is appropriate.
- MORRIS: We have been moving at a pretty fast pace, so it probably just got missed in the mix there a little bit. Apologies. We will make sure moving forward we incorporate that.
- KLOSS: No apologies needed.
- GOSS: Before I get into my original question, I want to first build on Linda’s point about the education aspect. It really would be nice if we could start to incorporate into grade school sort of the idea of what you need – what your role is, your data, your rights, to start to educate the kids because they also do a great job in educating the parents, and transcending some of those older generation dynamics, since a lot of those folks are not technology savvy. We don’t want them necessarily to be focused on technology. It is just more about the core principles of who am I, how do I fit in this ecosystem, how do I have wellbeing, how do I get my data, how do I become an empowered citizen. I think maybe the Department of Education would be a next stop.
- MORRIS: I actually made that exact recommendation to the state of Maryland about four years ago in a report for them on how do you expand use of health IT within provider practices. It is an excellent suggestion. We will take that back again. I don’t think we have done anything at the ONC or federal level around that. I know a couple of states have done some things around it. I am forgetting which state it is, but at least one of them actually incorporates that type of training into health classes at the college level.
- GOSS: One of the things I think we need to think about is how FERPA fit – I don’t remember what that stands for. I apologize. If someone does, please speak out. Family Education Right and Privacy Act. So, you have to opt in. There are restrictions on nurses and the care coordination. So, from that perspective and how do parents with kids who have sensitivities or certain diseases – maybe another way to kind of get the attention on why we need to educate folks.
That aside, the – Genevieve, you and I have been having conversations since you presented to Pennsylvania many years ago on the progress –
- MORRIS: It feels like a long time ago.
- GOSS: It was – on health information exchange, this idea of the data – getting it where it needs to be and getting it harnessed in a way that really enables us to transform our healthcare delivery and financing. The aspect of clinical and administrative data is really starting to come together and was a part of the scoping document that we put forth to ONC as a result of the number of conversations that we have had offline and the role of the two FACAs. We are really appreciative that Chris Muir is going to be able to participate in our CIO Forum on Thursday to bring ONC’s view on what predictability could look like. It is a great listening opportunity for ONC, but also a great way for Chris to bring forth some of the messages.
I didn’t want to preclude the opportunity for you to sort of talk about that convergence and where ONC would like to see it go. We know that we have a balancing act related to clinical and administrative, the 21st Century Cures or HITECH versus HIPAA world. Any comments on that?
- MORRIS: Yes, I mean one of the main reasons we changed the name from Common Clinical Dataset to US Core Data for Interoperability is so that we could actually put administrative data in with clinical data. It is – we are reaching a point where, particularly as the value-based payment models expand and we have larger patient populations in them, you have to be able to combine that data to get better analysis at the end of the data, like better population health management.
We do see a convergence – I don’t even want to say of standards because I think – let’s set aside the standards piece. I suspect that there is a war that will be fought there between folks with the X12 and EDI claims transactions and the clinical data side of things because that is just how stuff goes in our industry.
I think we have to figure out ways to bring that data together not only so providers can better manage the populations of their patients, but to save their own sanity. They have to provide clinical data all the time for administrative reasons. Asking them to use separate systems or fax documents or whatever the heck we are asking them to do is simply unfair.
I often – policy decisions and positions for me are often based on family experiences. I will give you this tidbit and this is why I think it has to come together over time. My mom had a major eye issue that just creeped up and needed to go to a specialist. Unfortunately, her particular Medicare Advantage plan had no specialists in the network at all that she needed to go to, which lucky for her means they actually pay for it still. That being said, they require a prior authorization before they will pay for it. My mom and her eye doctor had to fax all of her clinical data to the insurance company no less than I think five times, the same exact data, over and over and over again, to get that prior authorization approved. Even then, because they used the wrong code the first time, they had to do it again. The provider she was seeing had an EHR system where that data should have been able to come from in order to send it to the payor to get the approval. This is a large insurance company. This isn’t like mom and pop shop. This is one of the national folks. There was literally no other method for them to send that data other than fax or mail.
That is just unacceptable, honestly. It is unacceptable for patient care. My mom’s care was delayed by about three weeks, where she couldn’t see out of one of her eyes. That is just unacceptable to patients. I think we can fight the war over the transaction standards however we want, but I think we really have to keep in focus at the end of the day this is about making life easier for patients and for providers and physicians and their practices. If we don’t figure out a way to bring this data together, they are just going to keep drowning. We have to do a better job.
Over time, I would like to see – get to a point where a provider doesn’t have to do a fax or a log in to a separate portal or download a document from their EHR and upload it to another portal that has the clinical data. Rather they can actually just send the clinical data via their EHR system. That is just where we need to get to. My overarching goal is that as we look at things like the framework, while we are certainly starting on the clinical data side of things, I think we have to start accepting that clinical data is used for administrative purposes and figure out a way for us all to accept that we can use a network structure to be able to get that data to payors in an easier manner.
That was maybe a longwinded, a little soapboxy, but we would like to see this come together over time so that they aren’t consistently having to do different things for different purposes and we can actually just reuse the data for all of the different things we need to do.
Part of our attempt at doing that is, one, the USCDI. We can build on that over time. Two, the Expanded Permitted Purposes that we proposed were intended to allow a provider to use the framework to provide clinical data to a payor for payment purposes like utilization management without having to use a separate transaction set or a separate system. Certainly, there are the codesets under HIPAA simplification that are required around all of the payment stuff, but you know nothing is preventing a provider from sending a CCDA via their network to a payor to supplement for a prior authorization except maybe knowledge and the ability to be connected to networks.
That is kind of where we see it going. At some point, we can sort of make this all come together. That won’t be a tomorrow process. It is probably a lot longer process than any of us really want to think about, but in the next five years if we can start to see some sort of convergence where we can agree that we shouldn’t just all be using different systems I think that would be a good thing.
- COUSSOULE: Let me tell you one piece of information. I work for a midsize payor. We get over a million faxes a year. We try to get zero because we can take things electronically. The whole ecosystem, it just doesn’t work that way right now.
- MORRIS: It starts with every provider needs to be on an EHR. While our numbers are a lot better, we still have at least 10 or 20 percent, depending on which segment you look at, that don’t have an EHR system. We have to figure out – that is sort of the other piece. We have to figure out how to make this work for those folks on legacy systems while we are transitioning to the brave new world of technology.
- MAYS: Music to my ears, but I am going to ask a different question.
One of the strategic goals that ONC has is really about fostering research, scientific knowledge, and innovation. As you were talking about your data and it being kind of viewed as administrative data, I guess the question is what kinds of things are you doing or planning in order to make your data more accessible and usable and the extent to which you interact say with NIH or NSF probably, where you are encouraging that? Some of the issues that you know are primary are the kinds of issues that those agencies are actually putting out requests for applications.
- MORRIS: So, ONC does not have any data. I always have to say that because people think we do. We don’t actually have any data, ourselves. CMS does, of course.
We have a couple different programs with NIH, primarily around the All of Us research program. We are – I am guessing that you are familiar with that program. Those are our main initiatives right now is how do we implement the HL7 specs to make it easier for patients to be able to share their data with research programs when they want to.
As a whole, as HHS, we have a program called Reimagine HHS, which I think folks might be a little bit familiar with. One of the key items underneath that was figuring out how we better use data across all of HHS. Rather than what we have right now, which is a lot of different silos of data, how do we use that data, whether it be the Agency for Children and Families and CMS and all the data that they have or even NIH? How do we better make sure we are collaborating together on that?
That is a work in progress right now. So, there are a couple of priority items under that that are being worked on around data management. Off the top of my head, I can’t list them for you. I know we are actually just hitting our one year mark on it. So, they are moving forward on a couple of areas to try to figure out how we can better collaborate across agencies.
- STEAD: As you think about the development of semantics standards to support the additional data classes, how do you see the coordination of that work from the perspective of a data class with the development and maintenance life cycle of the related terminologies?
- MORRIS: That is a great question. So, part of what we want to make sure we design with the process that we set up for how something gets into the official version of the USCDI is setting up the right categorization of each stage. I will go with what we originally suggested versus what the HITAC suggested because I don’t have all of the six stages I think they said memorized. We suggested three. The way we looked at the emerging data class was a way to prioritize the data elements and signal to those vocabulary development groups like NLM and Regenstrief and all of those folks that they need to develop the structured vocabularies for those data elements or those data classes, noting that not all of them can actually get structured. Clinical notes, which is the first one we suggested, is obviously not a structured data field. Our goal with that one is make sure it is in the CCDA and the FHIR specs.
With the emerging status, we would anticipate that that would be a signal to those vocabulary groups that they need to develop the vocabulary for those data classes. As it moves into candidate status, that is when they would actually start doing the development work on the vocabularies as well as work that would come secondarily, which would be the CCDA and the FHIR. So, once you have the vocabulary terminology set, then you can build it into the CCDA and FHIR specs, at which point it can then move into the actual versioning.
We look at those process stages or those stages of process as how we signal to the industry and start to work with them on building out the right terminologies. Certainly, that candidate class is going to be interesting to watch because, you are right, there is life cycles not only for the vocabularies and terminologies, but also for updated CCDA and FHIR specs. You don’t just add a segment to a CCDA – well, let me rephrase that. You shouldn’t just add a segment and launch it into the world and say have fun. It needs to go through pilot testing, things like that. In that candidate class, we would envision that there would be some sort of life cycle that would be testing the vocabularies and terminologies while also testing the CCDA and the FHIR spec piece. Once that is all checked off that it is working, then it would move into the version.
I will say that is where things start to move slowly. We certainly want to use the USCDI process to signal to the industry where ONC is very serious about moving things along. That is going to be based on the prioritization that we get from the industry.
- STEAD: As you mention that – one of the points in our comments were that, in addition to getting alignment with the semantic standards, accurate capture at the source requires alignment of role, workflow, and the technology, in addition to the standard. Have you thought how that can be built into the process?
- MORRIS: So, I think we have to be cautious about ONC’s purview and level of authority and what we can and can’t control. We certainly have a lot of ability to push things in the standards development side of the world. I think we have less purview over what an individual physician is capturing in their practice, right. In the sense that we certainly have oversight into what health IT systems are capable of capturing, that is I think honestly where our authority ends. What providers are required to capture is a totally different story.
We should be very cautious about having too high expectations of what the USCDI can do. The goal of the USCDI from our perspective is to ensure that, particularly on the trusted exchange framework, that the data elements are available and can be exchanged. It is not to ensure that providers are capturing those data elements. I think you are right in the sense that there are probably workflow changes that have to happen. There are things that have to be built into screens on the provider side in order for them to capture those. I think we would look to other avenues for that to occur.
- STEAD: Do you envision in your purview or a different purview to ensure that whatever is exchanged has some level of accuracy?
- MORRIS: I don’t think that we do that now.
- STEAD: I agree.
- MORRIS: I think – there is an issue of misaligned incentives on this one. Don talks about this. I think I will use a personal example again. Providers are not paid to keep my problem list up to date, unless they are in a value-based payment model. When we are talking fee-for-service, they are not paid to like go through and clear out old problems that no longer exist. That is just not – that is not what they get paid for on their time. So, we do have some misaligned incentives that we need really good data quality, but yet we don’t really incentivize folks to actually input data in good ways or keep things up to date.
I think as we start to shift towards the value-based payment programs, certainly having that really accurate problem list becomes more important because I am trying to actually lower the cost of care for you. So, that is when you start to see incentives to keep things up to date and quality.
That being said, I, again, don’t know that that really falls under the purview of ONC. Our job is to ensure that the health IT has the capabilities it needs to have and works to the best – in the best way that it can. Our purview is not over physicians and how they use systems. I think while that is very important, it is probably a different agency that that should be discussed with, whose building you might also be in.
- STEAD: If I read the taskforce comments correctly, their emphasis on testing might make you have to back off of some of the current pieces of the USCDI in addition to affecting how one adds in. Have you thought that – where does the thinking stand on that, given the urgency you see to move quickly in addition?
- MORRIS: We are still evaluating the recommendations around that, certainly. I will say in the USCDI Version 1, it is the common clinical dataset plus two additional data elements. I don’t think we see any reason that we would need to roll back from the common clinical dataset, which has been out since 2015, which is now three years ago. I don’t think we intend to roll back from that.
Now, we did solicit public comment on those other two data classes, the provenance and the clinical notes. We received a lot of public comments on those. Most people – so, in the 220 comments we received on the framework, that includes comments we also received on the USCDI because most folks commented on both documents. We are still reviewing those and looking through whether we should add on those two additional data elements or if there are other data classes that we should add instead, in place of, or in addition to. We are still reviewing all of that at this point. We have only had the HITAC recommendations for about I think two or three weeks. So, we are still early stages of looking through this.
- KLOSS: Back to the vocabulary and classifications, one of the other areas we discussed very briefly in areas of overlap and possible collaboration is terminology and vocabulary. This committee is hosting a roundtable in July. I think someone from ONC is – John White is going to represent you. It will be interesting to raise – it will be a good opportunity to raise awareness from the vocabulary and terminology developers of this new cat in town that might be influencing the schedules, which otherwise are pretty much all done according to their own purview without as much external nudging as could happen. I think that is a good example where there could be some convergence of goals.
- MORRIS: Part of the goal of setting up this process for the USCDI is that what we found, even with the format standards under HL7, is everyone is sort of just working on their own thing. While that is okay in many cases and you see innovation, I think this is a particular area where if we can’t all work together as an industry towards common goals, we are just never going to get there. We are going to be stuck with the common clinical dataset forever. That is just unacceptable, one, because Cures mandates more than that, but that is just unacceptable for patients and their care.
Part of setting up this process is really us being willing to kind of take on the responsibility of saying we will run this process and we will prioritize this and then we need all of the SDOs, whether they be the vocabulary terminology folks or the format standards folks, to work with us and say, all right, we agree. You prioritized this. The industry said that this is where we want to go. Now, we are going to go that direction.
From our perspective, we are putting people into this and FTEs to try to support a process so that we can all work towards a common goal. I think, hopefully, that will – maybe it will help us move faster. I don’t know. Maybe if we are not all doing our own thing.
- KLOSS: I think we have an opportunity to do some awareness building in July. Our focus with that initiative is to really look at the development, maintenance, dissemination, coordination, or lack thereof, and these kinds of issues that could accelerate the process and use technology more effectively to disseminate updates and so forth. I am here to say today we are a long way from a responsive, well-coordinated effort.
- MORRIS: Yes, because you need a process first. In health IT and healthcare, in general, because of all of the issues in our country within the healthcare system, I think we are all sort of on the hamster wheel. That is where we have been for the past 10 or 15 years. While we have accomplished a lot, I think we could accomplish a lot more if we collaborate and have a process that we follow. That being said, certainly, while we are willing to put skin in the game on the process, if we are not the right folks to do that, we are very open to hearing that. We won’t take on extra work if it is not helpful. We think it is good to have at least someone who is willing to step up and put time and money into it.
- GOSS: This has been a really great dialogue. I hope it is going to be one of many, Genevieve. One of the things that I realized today, I learned that you are on a VA detail, which I didn’t know. So, it has complicated your world. I guess John is also on a detail.
- MORRIS: I think we are both basically working two full-time jobs, which is fine. It is how it goes.
- GOSS: So, there has been a lot of great conversation. I wanted to just kind of give you an opportunity for any hopes, dreams, wishes, asks that you haven’t been able to comment on yet that you might want to bring up.
- MORRIS: I think at the end of the day, there are two overarching things that really tend to guide my thinking and that I think we would all be a little bit better off if it is what guided all of our thinking instead of some of the competitive and money stuff. We have providers who are overwhelmed and burning out and get 10 minutes with a patient, which isn’t a lot, in an average visit, who feel like they are being asked to do things outside of clinical care because of our systems and because of lack of interoperability.
We have patients – while interoperability is significantly better than it was even three years ago, again, I will use myself as an example. Major health system in Maryland, between an ENT and an enterologist, who were in the same healthcare system, none of my records were shared. Then between the enterologist’s one location site and another location site in the same health system on the same EHR, they still couldn’t share my records. That is still the world that most of our patients live in. With the aging population we have, the conditions that we have, it is just going to get worse and worse and worse for patients.
I think we want to get to a point where the last thing patients or their caregivers have to think about is the data being where it needs to be. As we do that, we need to do that in ways that are easy for providers to use and are integrated into their systems. We also need to somewhat retrain providers into actually maybe using the data that comes from a different location, too. I have also had the experience of you have my data and you didn’t look at any of it and I am still telling you the same information.
I think from a larger vision, as we, at ONC, think about what we have been asked to do under Cures – which actually was really fantastic legislation. Kudos to the ONC folks who worked with Congress on that. We have this open API infrastructure that is getting set up that is going to allow for app stores that let you build hooks into provider systems and provide really cool applications within their system to make usability better.
Then we have the Trusted Exchange Framework, which is to enable data liquidity, so data is actually moving where it needs to move. So, at the end of the day, I think the overarching vision is that at some point we can get all of this to work together, where providers aren’t having to do ten different things in order to get data exchanged, where they can just join one network and get that data exchanged and then use the app store from their vendor to pick really cool apps that do cool things in their systems that make usability ten times better for them.
That is the world that we want to get to. I wish it was tomorrow. I am not a patient individual. The fact that is still five or ten years away is I think a little sad to all of us. I think we have to continue to keep at the forefront of our thinking the provider and the patient, not necessarily in that order, just depends on the audience that you are addressing. Sometimes it is patient and provider. I think if we focus in on making life as easy for them as we can and we are willing to put aside some of the competitive and financial things that maybe keep that from happening, I think we can get to a world where a lot of this ends up coming together over time.
The ability to do everything out of your system that you need to do without having to fax – did you say a week or month on that? A year. It still just makes me sad. I think we want to get to a point where we can eliminate fax and I can do things from my system possibly by pushing buttons. That is maybe very much like unicorns and leprechauns and rainbows. I don’t know. Fairytale. I think that is the vision that we have to keep in place. I think if we can keep that as our vision, we are going to make better policy decisions and, frankly, we will be willing to work together.
I think the other vision that I have is that we, as an industry, have to stop working across purposes with each other and working in our little silos. We have to come together and coordinate better and try to all actually work on the same thing. I can’t tell you the number of times we find out about initiatives and there are like five different initiatives all trying to accomplish the same thing, but in different ways. Sometimes that is okay. Most of the time in health IT, I think history has shown that does not work well for us. I think we really need to have a significantly more collaborative spirit within our industry. As much as ONC can do in our role as national coordinator to make that happen, I think we are really committed to doing that.
- COUSSOULE: One of the challenges that we have in interoperability is the whole payment structure and model is somewhat disconnected from the care model.
- MORRIS: Totally is. Yes.
- COUSSOULE: So, what do you see either happening within CMS or within HHS more broadly, that may be either changes or thoughts around the whole payment models that might help this process out?
- MORRIS: We certainly have all of the initiatives under CMMI that encourage data sharing. If you are going to be in an ACO, you have to share data or you are not going to function. That being said – so, there are a number of initiatives. CMS had an RFI out where they asked for even more. I know they are considering some behavioral health-related programs, some more bundled payment options. There are a number of things going on there. We just got new leadership there with Adam coming onboard I think three weeks ago now, two weeks ago. So, he is bringing some really good thinking I think to that program. I think we will continue to see new items coming out of there.
I will say, interestingly, I was just talking to the state of Maryland yesterday, who, for those of you who don’t know, is under an all-payor rate-setting system. The hospitals – it is basically a capitated or a bundled model. The person I was talking to in the state said, it is really interesting, we don’t have the same data sharing issues other states have because our hospitals want to share data with each other because if they don’t, they are all going to end up providing care for that patient and it doesn’t really work.
So, models like that hugely incentivize data. The comment I made to him was like, well, that is true for the hospitals. You still have ambulatory in the state that is not sharing, by the way.
So, I think all of those models are really good. I think they start to push us in the right direction. That being said, there is never going to be a business model that makes interoperability in every single use case financially the thing to do. I understand what people in our industry are saying when they say if there is a business model, data gets shared. Safe care for the patient and lowering the burden the patient has to go through to get their data from one point to another, is never going to be a business case. There is no money in that – hard money.
Personally, I think the role of government is to provide consumer protection. To me, where there are not going to be business cases, it is our job to step in and make sure that interoperability happens regardless of whether it is best for your bottom line or not.
At the end of the day, it is reprehensible that patient data doesn’t get shared because it is more profitable for me not to share your data. That is so unacceptable. Aria Malek (phonetic) was just tweeting about this yesterday that it is just morally wrong. So, I think as the government, that is where we have to be really mindful of what are the areas where we need to step in because there is not going to be a business case and where are the areas that we can take a hands-off approach because the business case is really clear and they don’t need us to mandate anything. I think we have to continue to strike that balance. It is probably going to look different year to year.
- STEAD: Thank you very much.
- MORRIS: Thanks for having me. I appreciate it.
(Luncheon recess)
AFTERNOON SESSION
Agenda Item: Discussion: Collaboration with ONC and HITAC
- STEAD: Welcome back. Zoe, would you start with introductions?
- BARBER: Sure. My name is Zoe Barber. I am special assistant to Genevieve Morris, Principal Deputy National Coordinator.
- RICHIE: I am Lauren Richie. I am the DFO for the HITAC at ONC.
- STEAD: Thank you for joining us. We wanted to continue the conversation about how we collaborate between the two FACAs.
It seems to me one of the things we need to figure out is, we drafted the scoping document which is on the way that we work, the way we sort of frame projects and try to get agreement on scope and what we are trying to do. So the first question at least from my perch is how this would now make its way to HITAC and get the input or revisions that would make it a collaborative scoping document and begin to shape a path forward on the places where our responsibilities intersect, because we touch each other in a number of places while each having different overall focuses.
I didn’t know if you would share your thoughts on how we make that next step happen. Where we are so far is we all met and then we reported out to HITAC, and Genevieve’s coming to us was sort of a reciprocal piece of that. That is sort of where we are in the journey of trying to work out how to be most effective at the intersection.
- RICHIE: I will start with just a quick process point in terms of the draft recommendations that our HITAC just approved last month. Those will go to our National Coordinator for review, who has an opportunity to review and then come back to the committee if there are any questions or revisions, so that is still in progress and we will see what comes of that. If there is some additional editing that needs to be done that will obviously be done at the next HITAC meeting.
Once that is all settled and we have the final recommendations ready to go, then we can revisit that as a joint effort, if you will. Of course, we will want to confer with the co-chairs of the HITAC in terms of just a broader approach for — I don’t have the USCDI recommendations, but any other points where both committees are asking to look at topic areas. I imagine we could do something along the lines of perhaps a joint subcommittee or a panel style hearing where members from your committee will present, or vice versa, so there are a number of options that we could consider.
I think we will just want to confer with our co-chairs and then see where we are in the process of this current set of recommendations and then whatever is coming down the pike in the future.
- STEAD: That makes sense. It sort of mirrors what we did when we prepared our comments and recommendations on Version 1 USCDI and the Glide Path at that time because it was before the draft recommendations from the task force. We submitted them to ONC because, at least as we understood the language in 21st Century Cures, ONC was supposed to consider the input, so we are guessing that the point of harmonization, if you will, of recommendations would be ONC.
I think the broader opportunity is how we can leverage the work each of the committees is doing to not only move toward convergence but to divide and conquer where appropriate in that kind of way. We are obviously open.
- RICHIE: Sure. I will also just mention, in terms of what’s next on the horizon, as Genevieve mentioned, we have our set of priority standards that the HITAC under Cures has been asked to look at, so perhaps that could be another opportunity. We anticipate kicking off that work this summer, perhaps June-July sometime. That would certainly be another opportunity where we could consider some type of joint effort or joint subcommittee of sorts.
- GOSS: Could you elaborate on what you mean by the word “standards”?
- RICHIE: I don’t have the language off the top of my head. There’s a certain provision within Cures that lays out a particular subset of standard priority topic areas, and, based on that language, we are still kind of sorting out how we’re going to tackle that. The idea would be to take those subtopics and perhaps do a sort of use case for one or all or some variation of that subset of priority standards. I can send you those.
- GOSS: That would be helpful since we also are somewhat focused around standards.
- BARBER: I will just add, to your question a second ago, that we did receive the recommendations from your subcommittee on the USCDI and those were passed along to the co-chairs of the USCDI task force and were considered when they were drafting their final recommendations.
- STEAD: So the next step will be they are responding to the input in an updated draft set of recommendations? Is that what I heard?
- RICHIE: I would say they have already considered the contents of the recommendations that came from this committee.
- STEAD: From us. But my understanding was there is now going to be another draft.
- RICHIE: Right. The recommendations that came from this committee were shared with the USCDI task force, and the task force then considered those recommendations into a final set that went to the full HITAC, and the HITAC then approved those for the National Coordinator to review. And that is where we are in the process.
- GOSS: Bill, I think you were indicating that you were expecting that, as a result of ONC receiving those recommendations, a new version would come out.
- STEAD: That is what I thought I had heard.
- RICHIE: I think that is what Genevieve referred to as what’s coming out later in the year.
- STEAD: Okay. It would help us to know when to expect that and we could begin to build thinking about it and do our own work plan.
- RICHIE: I’ll have to look to Zoe and see if there is a more approximate timeline than just later in the calendar year.
- BARBER: I think we’re talking about the trust exchange framework and then the USCDI are two, kind of separate documents, so, for the trust exchange framework we are currently updating that, and then we plan to bring in the recognized coordinating entity. We have a notice of funding opportunity that we are hoping will go out soon, within the next couple of months or so, and then we plan to bring the RCE in later in the year, at which point we will draft the common agreement.
Then, sometime in the first quarter of 2019 we will be releasing the new draft of the trust exchange framework that includes the common agreement for public comment, and we will receive public comment on that and then we will release the full final version later in 2019.
- STEAD: And that is all relating to the trusted data exchange framework. Will the updates to USCDI be part of that or a separate work stream?
- BARBER: That will be a separate work stream, and I don’t have any comment on that.
- STEAD: Questions, comments amongst ourselves and with our colleagues about the opportunity to — or how to optimize the opportunity for the intersection of the two?
- GOSS: I think, as we evolve from today’s discussions, we have a couple reference activities or items that we use. We have our own work plan, we have the scoping document and we have in our hip pocket some thoughts around potential project areas. As we move forward through Thursday with the CIO forum, I think there may be a nice opportunity for us to have a re-group with ONC and the Standards Subcommittee leadership to really start to put a little finer point on it.
One of the things I felt today — You know, we’ve been dealing with John and Genevieve at a very detailed level, and I think right now they have two jobs, each of them, and that may be a little more difficult. So, who we should be playing with as we’re in — as you are in a transition period — and balancing things would be very helpful for us to understand.
But, as we look ahead to the work that we want to take on in designing a 2019 work plan and also finishing up our 2018 work plan, which really has a lot of predictability roadmap dynamics which are very much tied to this convergence topic, I think we need to find a way to be much more engaged with each other so that we are continuing the kind of ladder forward to the industry, each a little piece, so we can make some of the progress that we are looking for.
I don’t know that I have specifics about how to do that yet, but I think we need to get those on the books so we can continue to nudge things forward.
- RICHIE: First, there’s the near term. We are planning to kick off the standard activity this summer, like June-July, but then there is also the long term. So I guess the question I have for the committee is, is this scoping document something that you are willing to share with our co-chairs just as a starting point to build some ideas around more long-term collaboration between the two committees.
- STEAD: From our perch, it would be wonderful if you would share it with the co-chairs and get their input on how they would like to see it more. When we got together with Genevieve in January we just said we would — she asked us to take the first crack at getting it down. So we would very much love — It was our best take, but by no means did we view it as a prescription, so we would love to get their input on what they think would be most helpful.
- RICHIE: We can actually do that. And perhaps even in the spirit of just looking at or planning for 2019 — I think our committee probably has their work cut out for them for the balance of the calendar year, but we can certainly look at this in terms of 2019 planning.
- STEAD: And one of our advantages is we have a little bit longer limbs, so that’s fine. And it is really the reason that we limited our first round of comments to the USCDI, because given the timing we felt it would be most helpful to provide input on the trusted data exchange framework as individuals through the various organizations that we are part of, and not try to pretend that we could force-fit that into our work plan in that timeframe. We were just trying to figure out how to optimize critical path.
Maybe that is really the next step in this conversation, if that feels good.
- KLOSS: Perhaps we add to the timeline just a touch point after the July terminology and vocabulary meeting, perhaps a time to confer with John when he’s there about what opportunities he sees in that area.
- MONSON: I also really like the idea of having a joint subcommittee or work group of some sort, because there is so much overlap between what we’re doing. My colleague, Dr. Steven Lane, is actually on that committee and he’s my physician champion partner, and in many conversations I have with him it feels like there is quite a bit of overlap between what we’re doing and what they are doing. I think we could mutually benefit from that possibility.
- RICHIE: I think Rebecca is familiar with our calendar, but our next HITAC meeting is June 20th. We currently don’t have meetings scheduled for July or August so, after the June meeting, our next meeting will be September.
- GOSS: You said you are resuming in September?
- RICHIE: The next one is in September.
- GOSS: It sounds to me like we need to have — maybe around your point, Linda — Around the July meeting when John is going to be in attendance maybe we could carve out some time for us to do a face-to-face with some of the ONC leadership like we have done in the past to try to home in on what we need to do. I know Rich and Nick have been a part of those prior discussions with Genevieve and John and others. There is a lot of overlap but there are things that are squarely in their house versus our house, especially the privacy aspects and the data stewardship considerations.
- KLOSS: I kind of also like Jackie’s idea of formalizing this a little bit. Maybe twice a year there’s a co-chair sit-down.
- STEAD: It seems to me that logically we formalize that after the co-chairs put their teeth into — after the HITAC co-chairs put their teeth into the draft we’ve put on the table. Then, one of the things they might be able to do is they can help us think about how we formalize it.
- KLOSS: Maybe it makes some sense to do that through a conference call with them.
- RICHIE: Just an administrative, kind of, sort through the weeds with just the co-chairs.
- STEAD: Why don’t we say the ball is back in your court?
- RICHIE: Absolutely. I will send this off to our co-chairs and will get back directly.
- STEAD: Very good. I think we have done what we need to do this afternoon and we are really grateful for you taking time out to stay over lunch and join us so we could have this closing conversation.
- RICHIE: Rebecca knows how to find me. We will be in touch.
- STEAD: Now we will morph back into the CIO Forum and Predictability Roadmap conversations.
Agenda Item: CIO Forum and Predictability Roadmap
- GOSS: Nick is going to be going over some of the materials that are on page 7 of 187 in your eBook.
- COUSSOULE: I’m just going to walk you through a little bit of the setup of the meeting and the agenda to get your comments. Hopefully, many of you are scheduled to make it to the Forum. Let me walk you through a little bit of the background and through the purpose of the Forum.
We have been embarking on a predictability roadmap journey, which I think you all would be familiar with, for quite some time. Some of the efforts that we have undertaken so far have been to talk to participants in the kind of creation and management of the standards and operating rules, so, lots of different groups, as well as some input from some of our federal partners. But the one piece of feedback we have not yet gotten formally is from users and consumers of those operating rules, on a more operating basis.
So we have convened a group, we’re calling it the CIO Forum. They are not all CIOs but they’re generally folks who either lead the technology organizations or have a significant enough vantage point over the organizations and technology, over both the current usage and the impact that has on their operations as well as enough of a vision about the challenges within their current work and things that are coming from an industry standpoint and their standpoint that would warrant or be impacted on by the standards and operating rules or whatever might come.
So, it’s both current issues and challenges that you have with the process as well as what’s coming and what are some of the challenges you see coming, and how might they be impacted by the ability to adjust or change the standards or operating rules and the process by which they are defined and adopted. So that is the general framework of the meeting.
What you see here is the agenda of the meeting. It’s a welcome and logistics review, pretty straightforward stuff. Alix and I will tag team on this with Lorraine and Janelle but there will be an overview of the roadmap, which really is trying to level set the participants in the room about what we have done to date in a bit more detail — to walk through all that.
Then what we do is we have each of the participants that have been invited — and there are roughly 18, 19 participants that are coming — and we give them a couple of minutes to tell us in their own words their take on this and to answer a couple of questions, which are: what are their current experiences and current challenges, what might be coming from their vantage point. So the idea is to create some amount of input into the room of issues, opportunities, challenges and thinking process from each of the participants. We give them kind of a one-on-one chance, not to go and talk to us for an hour each but to give us some highlights, ideally one slide, a handful of bullet points kind of model so they each get a chance to weigh in directly on what they think.
Following that, we will have five different interactive panel discussions with all of the participants. Each of those panel discussions will be led by one of the members of the subcommittee sitting here. Each of the five panel discussions will cover one of the themes that we have identified in the work to date as challenges and opportunities within the standards and operating rules. Those include governance, the standards adoption process, federal regulatory process, data harmonization, and third parties as covered entities. We have roughly 50 minutes or so with each of those topics to basically generate input and questions and issues and challenges and opportunities, et cetera, of each theme.
We come out of that with, hopefully, the participants’ and users’ takes on the standards and operating rules and the process and challenges, along with ways we might identify issues, address issues or challenges in those different governing themes. Does that make sense?
We will finish with public comments and wrap-up as we normally do, but that is the general flow of the meeting. We expect this to be a very interactive discussion. We purposely did not schedule 45-minute or hour long presentations from any one individual, and our real goal is to have roundtable discussions. But we did want to give people an opportunity to talk about what was important to them from their vantage point first to help also level set the rest of the group.
Knowing these people and roles because I am one, we should not have any challenge making these interesting and robust discussions. That is our intent. Hopefully, coming out of that the next steps will inform us as we think through recommendations of what we might try to recommend to the industry and to HHS as far as changes that could possibly be made into that process and the standards and predictability roadmap.
Again, our goal for the day is to learn about their experience, share what they are thinking about, again, how creative they have been to get around, if you will, in some ways the challenges that exist in the current framework and process, and then talk about what ideas they might have for improvement.
- ROSS: What degree of harmonization do you expect, or convergence, or do you think it will be all over the map?
- COUSSOULE: I think there will actually be both. I think we will end up with — I think some of the challenges will be pretty consistent, the way people address it and what they believe would change, to effect a different change. I think that will be more interesting.
Again, we have both people who work in companies that do this stuff — for instance, health systems and health plans and intermediaries — but, also, software companies that are a part of that ecosystem to drive that change.
- LOVE: The one concern I have is how much real flexibility do we have to affect the system. I think that is going to be a real challenge to address if they want to overhaul the standards-making system and the federal rule-making process. I don’t think that’s in our wheelhouse.
- GOSS: But we might have a forum for recommending those who can influence that to take that on.
- COUSSOULE: We have been through this exercise a good bit. I’m just responding a little bit to Denise’s question and then we’ll get to Jackie’s.
I think some of us have been doing this a lot longer than others and we come with sometimes jaded perspectives of how fast things can move. Others of us who are operators, it can never move fast enough. So, trying to figure out that balance, and understanding the needs as well as the challenges, and we expect to get some feedback. Not all of it may be practical, but the idea is we want to blue sky as much as we can and then we will pull that back into some thoughts and recommendations of both what might be practical next steps versus what might be ideal, things that we can look for going forward.
- MONSON: I saw that you put up the names of the companies. Do you also have the names of the individuals and their bios that can be shared in advance of the Forum?
- DOO: We have the names we sent out. I don’t think we got bios from everyone.
- COUSSOULE: We did not get bios. We have names and titles, companies and titles.
- GOSS: Maybe that’s a request for the future, Jackie.
- MONSON: I want to know their background so that if I have specific questions I can gear them to those individuals.
- COUSSOULE: Other questions? The idea of what happens to this is that we will take those findings and actually pair them up with what we have already discovered over the last 12 months from the other groups that we have been working with. Ideally, we would draft some recommendations, and I think the next step for us would be to take those recommendations and have another session to talk about those recommendations with participants from across the ecosystem.
We don’t believe — and this is really just coming from the co-chairs and staff — that what we’ll come out of this with is a set of recommendations that would generate a letter by itself at that point in time, but we will come out with a draft set of recommendations that we will want to bounce off of lots of the participants to get the feedback prior to making formal recommendations.
- STEAD: The Standards Subcommittee has been very patient letting me be a fly on the wall through a long series now of conversations about not only the CIO Forum but for the full committee, and it has taken real work to land on this framework for the Forum, and I think it has landed in a good place.
I sense, through all the conversations we have had around the Predictability Roadmap that we are challenged maybe by something that’s very similar to some of the conversations we have had around Vitals of I think a pretty — I think we came out of the original workshop back on eclipse day with some real agreement about the nature of the changes that needed to occur, the nature of them, as long as one stated them far enough out that they didn’t threaten an individual person or organization now.
One of the things you helped us do, Lorraine, was get that out far enough. And I think the work that has been shared with the full committee around themes reflects that, and that is really I think the level at which you’re thinking this will fit or maybe provide new thoughts depending on how it goes.
I do not yet see a path to the clear letter, so I think how we pull together what we’ve learned after this forum into a clear path — The idea that we have a hearing around it is a step in that journey, but I think we are going to need to begin to test alternatives for what we think you could say.
The reason I draw the comparison back to Vitals, we went all over the map with Vitals over the course of the last six months, and at the end of the day, we arrived on one sentence.
(Laughter)
It is a powerful sentence; it actually emerged this morning. I just think it’s a useful example of the challenge we face because I think, at large, the Predictability Roadmap is actually far more complex than Vitals, as dauntingly complex as Vitals is.
So I think we are almost going to need to begin to test some different straw persons, not so much trying to get the content right as getting an idea of what level you are shooting for, what level the group thinks is feasible. While we have some time — I don’t know what else you want to get done in the twenty minutes we have left in this block, but anything we could do that would help with that might turn out to pay dividends over the next few months.
Alix and Nick are looking at me like I had just sprung 10 heads.
- GOSS: It’s just a new idea so I need to think about it, and I am trying to think about how — it was a CIO Forum follow-up. We had originally wanted to have like an immediate half-day for the subcommittee to work. We weren’t able to do that because of a variety of logistics, but the team was really great and we are meeting for several hours on Monday to kick those tires. So, I actually was thinking about what you are suggesting and how that would be useful for Monday’s structure, and then you threw me a curve by talking about what we do in the next 20 minutes.
(Laughter)
- STEAD: If what we did in the next 20 minutes would be to help you think about how to help you with Monday that would be fine.
- GOSS: Absolutely. I am also trying to merge this conversation with the one we had earlier regarding the lens of the NCPDP upgrade. I would love to hear from other subcommittee members — Nick?
- COUSSOULE: I am probably the subcommittee member with the least history of this, so I’m probably a little more idealistic as far as an outcome potential, not having been in the middle of this process for a long period of time.
I think one of our challenges will be to try to identify opportunities for short-term gain that don’t require tremendous machinations to get accomplished versus things that are much bigger and more structural. I think it will be difficult for us to try to sort that out. I think that is part of what we will try to do after we get the feedback. Based on the challenges that we have and what we have heard, do we believe there are changes that can be made and different tranches of change, some that may require some legislation — which is kind of the far end — and some which may require just practices, on the short end, and then all in the middle.
I think we will have to start sorting through that, and how do we even break those kinds of things up into potentials for change.
- STEAD: This challenge that you’re facing — if it’s any comfort — we are going to face with TNV and we are facing with — we have already begun to face it with TNV and we are going to face it with Beyond HIPAA. One thing that we have had some success with is writing a report that describes the desired future, and you could do that without including any recommendations in that report. If you look back at the 2001 NCVHS report on re-thinking health statistics, that was 2001, and it’s 17 years later and it is actually becoming true.
So, you could think about a report that captured what the world might look like in 15 or 20 years, and it would get it down and it would hopefully at least have one memorable picture, and we wouldn’t have to deal with machinations. You then might identify three things that we ought to do in the next 12 months. Those two very different pieces would be one way to begin to paint our way forward.
- PARTICIPANT: The 2030 vision, that’s a good idea.
- KLOSS: One of the ways of thinking about these kinds of complex things that I have found useful is some work by one of the management gurus. But think about a pyramid. It suggests that when you’re creating strategy, across the bottom you have a set of things that sometimes we call low-hanging fruit but they are really things that can be done within the existing context. We have all the tools to do them if we just rearrange how we are doing some things.
The next level means that you have to change some fundamental things but it’s not dramatic change, but it is longer-term.
And then at the top of the pyramid is sort of the Wow! If we had the $50 million it would take to redo the Vitals system, here is what it would look like.
I was thinking that, coming out of Thursday, we might be able to classify all those ideas and sort them into three buckets — things that really could be done, not necessarily strategic but a new way of thinking about the current process; a middle way that is really more strategic and is going to take some change, like the discussion we’re going to have around governance. That is not wow but it’s hard. And then some ideas that are really out there.
That may be a good way to think about a first sort.
- COUSSOULE: Yes. And I will just speak for myself. That’s how, when I was talking about the different kind of tranches, that’s the way I was thinking about it. I do like Bill’s idea of kind of framing out an ideal end state and then making sure that everything leads at least towards that if not on it on a short-term basis at least towards that, so that it was clear what the overarching end state would ideally be, and then talking about what you could do now and what you might do.
- ROSS: I had a friend who said a vision is something you can see. If you could put that 2030 vision together in a way that’s visible like that, then people can march towards it. That is a step forward.
- COUSSOULE: I do believe we actually even have a decent amount of input on that from the folks we have already talked to. Then we will get some more on the operator side of that on Thursday. I think that is certainly plausible for us to do and we will think about that.
- GOSS: And to that point, we have a number of things we have already produced or captured as a result of our information-gathering, and I think blending those prior artifacts with the Thursday input to maybe put into some of these buckets could be helpful.
But I do think that, as a part of Thursday, for those who have attended, we really need to firm up how we think we want to proceed so we hit the ground running on Monday during our couple hours’ discussion. It would be really nice to have this evolved to a level of maturity, at least internal working maturity within the Standards Subcommittee, before we go to the terminology and vocabulary session in July.
I really also see a lot of this larger visionary work — right now we’re just talking about the roadmap vision, but if you think about our coming HIPAA report to Congress, it needs to have the larger vision of all of Pop and privacy and transactions, so we’re going to need some time as we evolve our separate tracks to bring it all together. And maybe we should be thinking about who is writing that report so they can be on the journey with us and help us tease out that information.
- STEAD: Again, if there are those of you — I know we’ve talked about this with the Executive Committee but it may or may not have filtered to the full committee, but we need to write the 13th Report to Congress at the beginning of calendar 2019. It is going to be important to be far enough along with Predictability Roadmap, Beyond HIPAA, TNV and Vitals. I think we are already there for the purposes of that with Vitals. That report is one of our better chances to communicate broadly to Congress and others, and it lets us put it together. It has to have the things it can reference, because I think we know that report has to be at a reasonably high level. We have got to have deliverables that we can point to at that juncture.
It would seem to me, given our conversation, that it wouldn’t be unreasonable to have a 2030 vision and some handful of the lowest level first steps. If those two things were brought together we could then, as we have been doing with Vitals, have a conversation. Do we now want to do something else, which might build out that middle ground which is what’s going to be a lot harder for people, or not. One of the tricks to doing this is going to be to carefully control the scope to that end.
From the beginning of our work with the NLM our goal has been to have the environmental scan out, the roundtable summary out, and a first set of recommendations and, in essence, let us frame the work going forward. That is enough to get us past the boundary there. With Beyond HIPAA, we are going to have been through two use cases and we will have our thinking about the use cases and we will have either identified first levers or we will not have.
That still seems doable to me. And I think they really do work together. I think we would have a much more impactful report if we were able to bring them together in that way because, collectively, they really do paint a new vision.
- GOSS: Are you envisioning that somewhere, at the end of this calendar year and beginning of the 2019 calendar year, we will have a lengthy full committee discussion to make sure we’re weaving all of those pieces together to the larger 2030 vision? Do we need something like that?
- HINES: Are you saying we will start writing the report in January? If that’s the case, we could devote the January 2019 meeting to this discussion.
- STEAD: I am assuming we will use the same time line we used to write the 12th report, which is that we worked —
- GOSS: I don’t remember. I was there but —
- STEAD: Trust me, I remember.
(Laughter)
- STEAD: We managed to do this in a way — We did have Susan writing it.
- GOSS: May we have a staff writer for this, please?
- HINES: We may have a staff writer for this, yes.
- STEAD: I think the basic process we used of working out an outline and ending up with people filling in relatively short pieces kept this from being onerous to anybody but Susan and, to a degree, Rebecca and me. We did spend a fair amount of time on the phone, but we ended up with something that I think we finished up probably in February or closer to March.
- GOSS: So maybe it does work to have a January focus discussion to pull all the pieces, get that outline together and then —
- STEAD: I think it would work to have an outline together that made sure we knew what we wanted to do in the January discussion and have a substantive chunk of January focus on this. We are probably saying the same thing but I am trying to make sure we would go into the January meeting ready for that discussion.
- GOSS: A lot of moving parts but I think it is a good goal.
- STEAD: We cheated and did some of the NCVHS work plan discussion that we took off the calendar for tomorrow afternoon to make room for the Pop Health measurement framework conversation, so this was a good use of time. Is there adequate socialization, input and feedback for what was actually the subject matter, the agenda topic?
- GOSS: I think we are good.
- STEAD: Then we are at a point where we can begin to morph into health information privacy and security beyond HIPAA.
- KLOSS: We welcome Rachel to the table. We have some real roll-up-your-sleeves work to do.
- STEAD: Before you start, since we sort of wrapped up the major standards pieces, I was negligent. Lorraine and Janelle, the work that you all did in getting NCPDP dealt with in such a timely fashion, and, Rich, the way you stepped in and got the drafts going — awesome. Thank you, in addition to the rest of the subcommittee. This was dropped into the work plan and it was handled both well and with predictable speed, so thank you.
Agenda Item: Health Information Privacy and Security beyond HIPAA
- KLOSS: I don’t know that I have ever had this kind of block of time on the Agenda for all things privacy, but we are really going to run out the clock today with privacy discussions. I will go through what our agenda is in just a moment, but I want to thank the members of the subcommittee because they put a lot of work into getting us to where we are to be able to organize and convene the discussion that we’re going to commence.
I am going to just do a couple of set-up slides, remember where we are at in the process, and then we are going to dive into this discussion of registries as an exemplar.
In general, how our time is going to flow is that from now, 2:30, to about 3:10, we are going to have some discussion about what we learned about registries and the lessons and so forth. Then we have organized some structured questions that we’re going to take the group through. The first two questions are sort of strategic and we will try to get through those.
Then we are going to have a special guest. John Neiditz is going to join us on the phone and you will have some personal development time where you will learn some new things about the General Data Protection Regulation which we’re hearing a lot about, and we thought it really inserts well into the dialogue we’re going to have this afternoon. I will introduce John a little bit later, but he has agreed to do everything you wanted to know about the GDPR in 15 minutes so it will be quite a whirlwind. I think it will be really interesting, new learning for many and context, and we will decide if we need to go further with our learning about that in September, but it is pretty relevant. Then we will take a break.
After break we have a couple of process questions that we want your thinking about, and then we will talk about where we go next with this journey we are on. When we finish the Beyond HIPAA discussion Rachel is going to give us an update from OCR, and I know we always look forward to that and learn a lot, and that will be the end of our day.
Over the next 30 to 40 minutes we will talk about registries, then we will move to John, and then we’ll have a break and come back and do some more work. That is our general flow. Again, thanks to the subcommittee. We have really been meeting every other week since our last meeting just to get us to this point.
Remember what this is all about. Our original scoping document said that we are building on NCVHS’s past work and the work of other government and private initiatives to consider a health data privacy and security framework for the 21st Century information challenges. I guess that really relates to the vision discussion we just had. That is what we’re trying to do, is look outside of today’s frame.
Our goal was four things. First, identify and describe the changing environment and risks to privacy and security. We did that in the environmental scan report that was approved at our last meeting, is up on the Web and I hope is being read and circulated. I have been involved in a couple of briefing opportunities on that document. I think it has generated some interest and I think it’s a document that will have some shelf life in terms of serving a purpose of having pulled a lot together, just as the Vitals is doing and certainly just as we will be doing with the Predictability Roadmap and other environmental scan documents and the one we are working on now in Health TNV.
The second bullet is lay out integrative models for how best to protect individuals’ privacy and secure health data uses outside of HIPAA protections while enabling uses, services, research — that is really what we are kicking off on today’s discussion. We’re turning the corner from the environmental scan to say, okay, given that, what are the integrative models. If you recall, we decided we could not eat the whole elephant and we would take an exemplar or two and see if we could identify some integrative models that then would apply more broadly. That is why we’re talking about registries, not registries for their own sake but registries as they function at the intersection of the regulated and non-regulated world.
We plan then to formulate recommendations for the Secretary and to prepare a report, and we will talk a little more about where we think next steps fall in the 2018-2019 work plan before we wrap up this afternoon.
I won’t go over what the environmental scan findings were again, a 70-page report, very well annotated, but just to remind you that we laid out two worlds there, and I think those two worlds, as Bob pointed out, the regulated and the unregulated, has been a useful way to frame our thinking, and I have heard others use those phrases, so I think that works. We learned that HIPAA certainly minimizes information definitional issues. It’s pretty clear what is in the designated record set and so on and so forth, but that clarity just dissolves as information passes beyond HIPAA.
We learned that giving consumers a greater say in the use of their health data is far more difficult to do in the unregulated world. It’s pretty darn hard to do actually in the regulated world, to some extent — our discussion this morning about how are patients going to get access to their health records for authorization in research.
Mechanisms such as sequestering privacy-sensitive data, de-identifying data and others — there are mechanisms, there are tools, there are new approaches to privacy by design, but they are not in full use and they may not be sufficient. We learned that HIPAA and other privacy regulations, including the EU GDPR, are built on fair information practice principles, and that is why we thought we would reprise and dig a little more deeply into that topic.
And consumer attitudes continue to evolve, but we didn’t really delve into consumer attitudes in the environmental scan.
We decided we would pick two topics for exemplars: the registries, and personal health devices is our second one, so we will tee up that topic a little bit.
It turned out that registries, based on all our research, is a really good place to start for four reasons. First of all, there are best practice models. Registries have voluntarily adopted sound governance and operation, so we can find examples of best practices for these registries that live in the unregulated world but are at the intersection and have adopted tight controls. You can also, of course, find many registries that have not done that, so we have a contrast.
The second reason this turned out to be a really good exemplar is that there are just a lot of guiding organizations working in this space and doing good work. I knew that, but I don’t think I fully appreciated it until Rachel did all of our literature research and pulled out all the guide books and other studies that have been done, so this is not virgin territory by any means. At the same time, there are a lot of stakeholders because it isn’t. And we had some interesting conversations with groups doing a lot of work and even launching projects such as looking at harmonization of data across registries. This is a very active area.
The third reason this is a really good exemplar is that the federal government already has a stake in registries. They made it a criterion, a part of quality measurement and research, and, of course, the list of registries that exist in the research domain in NIH sites is very lengthy, so the government is in this area. They have a role and, presumably, they have some levers to suggest some improvements in stewardship when we come to that, if we come to that.
Fourth, there is a robust literature and some authoritative reports and research that have been done. So it turned out that this is a pretty mature first exemplar to tackle.
I think what we’re going to find — although we are too early in this — is when we look to the second exemplar, the personal devices, it’s not going to be as well developed. It’s going to be much more Wild, Wild West, so we did the right thing, folks, is my conclusion.
In terms of sponsors — yes, Bruce, do you have a question?
- COHEN: You just reminded me when you were going through the list, ATSDR, Agency for Toxic Substances and Diseases Registries, has that in their title. I’m wondering — I don’t know whether Rachel or anyone has connected with them — if we’re going to be working in this area what they have done around stewardship and privacy.
- KLOSS: Thanks. We will add that to the list. We are discovering new groups as we go along and as we talk to people.
We thought this was a useful depiction that just looked at registries from the sponsorship or governance perspective. As our subcommittee talked about this we thought, well, probably for this purpose, we may exclude the patient and/or advocacy group registries in the first instance and look at those that are sponsored by public health, by professional societies, healthcare sources, payers, et cetera, but for our purposes now we don’t have to make that cut. This just underscores how many there are and how many sponsors and how big and growing this area is.
We thought we would not review with you the paper that we drafted or the references. Hopefully, you had a chance to read them or just scan them and you don’t have any basic questions about what a registry is or how it’s defined or any of those things, but we can assume we can jump into some of the questions about the strategic and what they say about the Beyond HIPAA stewardship. Denise?
- LOVE: Just so I understand, it looks like databases storing clinical information collected as a byproduct of patient care. So, would that include, say, a private organization that’s aggregating claims data from all over — customers, employers and others? How linked to patient care is it? Is it second area or tertiary collections, or is it direct as a product of — I think of shock trauma registry? Just how far afield from patient care?
- KLOSS: This is the more traditional registry definition, but certainly registries don’t need to derive from the medical record.
- LOVE: I am just saying like hospital discharge databases, by law — oh, there is a typo in there.
Just so I have my mind around the scope, that is helpful.
- KLOSS: I think we just need to remember why we are delving here. We’re doing it to look at the stewardship models, so, certainly there can be other definitions. We did not make an attempt to divine our own definition.
- STEAD: Let me just unpack what you just said. Our goal is not to be all-inclusive in registries. We made one run around the question of did we really want to figure out all things registry and where we landed is that registries are a good use case for us to look at to identify representative challenges and possible levers.
We want to have enough of an understanding that we know what we’re scanning, but, at the end of the day, our letter, or whatever it is, will be about challenges and levers in a broad space, not about the broad space itself. Is that fair as to where we landed?
- KLOSS: It is, except that the subcommittee also said if, in the course of looking at registries, we see something that kind of falls at the bottom of that pyramid we talked about, just an obvious improvement that could be initiated by the Secretary as it relates to this, we would not take it off the table of making a recommendation.
- STEAD: That would be a near-term lever. I wasn’t trying to say we wouldn’t — because we are hoping that we can make some recommendations. What I was trying to say is we don’t actually have to get the definition right other than to be directionally correct for where we are looking for challenges and levers.
- KLOSS: Actually, when we did the first draft of the review of the literature and pulled that together, I found myself — we started going down the hole of saying, okay, we need to have a hearing with all of these wonderful groups doing great things with registries, and we had a subcommittee discussion that said no, that isn’t our goal. Our goal is not to improve the state of registries. Our goal is to use registries as an exemplar or a use case for stewardship in this area beyond HIPAA, and a lot of work has been done and there are different models available. But that does not preclude that we might, before we are through, have a recommendation or two that we want to put forth. There is no need to go any further into that report or the references.
We are going to ask you a question later on, so have this in mind. Are there other groups or other documents that we should look at before we say we have done enough background study here in this space? Be thinking about that and that may come up as we discuss so we’re going to look to you for that.
If you are okay with this document then I think we will move on to our first area of discussion. Here is where we’re going to work.
- GOSS: Can you back up a second? When you say this document, are you referring to page 65?
- KLOSS: Yes.
- GOSS: Okay. I have a couple items that I will share with you later.
- KLOSS: Are they substantive to the discussion? If so, fire away, please.
- GOSS: No. Not worthy of interrupting the flow into Table 1.
- KLOSS: What we wanted to do is do some brainstorming around what is the risk or problems in the context of health data registries, problems that could arise from processing personally-identifiable information. We are using that broadly. It is not necessarily PHI, but we agreed as a subcommittee that PII is broader. It’s PHI but broader. Because registries may include data that is not health data, we’re using the broader PII term.
What is the risk here? Again, in the context of looking at what kind of controls should be in place when you do a privacy impact assessment or privacy risk assessment, and Jackie shared with us that they do those assessments in their organizations all the time. What we are trying to do here is really understand what the risk is of having registries with PII in them that are relatively unprotected. We thought that the first discussion needed to be about that.
Nick actually was going to help guide this discussion. If you’re not ready, we’ll co-tag team.
- COHEN: So, risk to whom? I think it’s really important to clarify that you’re talking about risk to the individuals in the registry as opposed to risk to the purpose and use of the registries or other kinds of risk. I think you need to be very clear about risk to whom.
- KLOSS: Let’s capture that question, but let’s keep it broad. I think effective stewardship is both useful to the sponsor and to the person whose information it is.
- COHEN: I agree it should be broad but there are different risks to individuals and different risks to public health or clinical surveillance or treatment, so those should be explicit.
- KLOSS: Let’s take all of the ideas you have and we’ll sort them. Rachel and I are capturing what you say.
One of the problem areas — and this list on the left, we took this from NIST and the work that they have done. You can see the privacy engineering and risk management, so this is how they categorize the risks. Loss of trust — and we thought we would just walk through these four and see if you can’t identify some examples and then, as we talk about them, how likely are they. We are trying to size up the risk of the current state.
- GOSS: Do you want us offering examples like loss of trust to start, or do you want a free-for-all for all of them?
- KLOSS: Loss of trust. I think we should do them one at a time.
- LOVE: As I read through this on the plane I thought of PII and unregulated, like what could go wrong here, and the real loss of trust in my world would be we’re pretty likely to have some bad things with PII out there in unregulated use. But the real risk is to the regulated databases that, in my world and government, it erodes the trust in the policymakers who are supporting population databases, and it’s really tough to separate out into legislators and others that what happens at Facebook or happens with Fitbit breaches or whatever does not affect the hospital or the claims or the vital records data. So, to me, that loss of trust on the unregulated side is a risk to the regulated databases as well.
- KLOSS: So the regulators aren’t distinguishing between —
- LOVE: It’s really tough. I talk to legislators who have asked me in open hearings, you mean the state collects personal health information on its citizens? Trust me — trying to discern that in an era of unregulated PII is going to be harder. It’s a challenge but I think a loss of trust in general.
- LANDEN: I guess my first question is differentiating between theoretical or potential risk and, given that registries have been around a long time, what does the evidence show about actual risk. What damages can we point to over the last couple of decades? I think that is important to understand, what has happened as opposed to what has the potential for happening.
- GOSS: Can I build on that one, because it ties into an example where we had an HIV determination or something printed in a viewable portion of a mailer — and unfortunately it was all over the news — from a top medical school — but that loss of trust to the person, the identity compromise, the social dynamics to me are also part of the loss of trust.
- KLOSS: Reveal of sensitive data.
- GOSS: I think that’s an example of something that has happened recently that might be a good case study to kind of understand.
- STEAD: My thoughts overnight were two examples. The covered entity discloses to a business associate for use for quality improvement, so they’re disclosing to a registry for use in quality improvement, which we do all the time. The business associate then combines that data that was submitted for the registry with other data to create an unrelated business process, resulting in data being collected for PPO being used for other purposes. I think that is high risk and happens all the time, is my guess.
- KLOSS: And the covered identity is not aware of how it’s being used, much less the individual.
- STEAD: Correct. And the covered entity hasn’t done something to prevent that.
The other is that the covered entity discloses to the business associate this de-identified data that’s being de-identified for statistical uses and provided as a statistical sample, not with PHI necessarily attached to it, and the BA combines it with other data and basically re-identifies it.
Those are two situations that I think are occurring quite regularly with some of today’s business practices.
- KLOSS: I think there is a simple one, too, of surprising people, whether they’re being marketed to or whether somebody is making a call to follow up. One of my first jobs out of college was to take over the cancer registry, and we were behind, as all cancer registries are, so you start following up to find a quiet way of seeing if somebody is still alive. Those are things that happen where you think how do you know about this when somebody is just following up at random and they’re getting a letter.
I think there is loss of trust from just people not understanding that these databases and processes are in place.
- COUSSOULE: Just one comment. I think there is a big divergence between trust and harm, because the loss of trust has almost nothing to do with actual harm; it’s a real perception question. If you are really into the Facebook kind of world and if you think about it that way, what’s the real harm? Most of these people have given their information publicly and willingly. It doesn’t mean that there’s not a huge trust issue and challenge associated with that, but measuring harm becomes very complicated and difficult.
I think you have got to get into that distinction. When you get into the regulated world, harm can be quite specific just because it’s a regulatory response to harm versus a perception of a problem.
- KLOSS: That morphs right into the next type of problem, which I think is things that are more clearly harm, either physical harm or loss of autonomy like identity theft.
- MAYS: I want to talk about harm just a little differently. One of the things that is not unusual to see is when people have had that loss of trust then they don’t come in. Some examples that I know of from the cancer registry were individuals who worked in a big academic medical center. The researcher was from this particular academic medical center and they actually sent out requests to participate so it just unblinded people that they worked with, and the result was they pulled themselves out of their healthcare there and started over and went to a different place.
So the loss of trust at like a community level, sometimes individuals then don’t go in to follow up. They don’t want to have anything to do with that particular entity. And the harm down the line is the late seeking of treatment.
- COUSSOULE: I guess I was more in the place where the loss of trust is actually worse, because that leads into all kinds of very bad things which may not be measurable harm in the sense of a fine or jail or something like that but could have very negative consequences.
- MAYS: Those are things that I think we need to start trying to associate with the loss of trust, because I think some people then say, okay, it’s a loss of trust; we do a marketing thing and we try and say everything is okay. But it really is about what happens to the experience of care.
- COHEN: I think the critical dimension here is whether these registries were created through active consent or passive consent. When people don’t know that they are in these registries, whether it’s the cancer registry or any particular group, and then all of a sudden they find out — what do you mean I’m in this collection of information that has been compromised or even exists — as opposed to people like in the Facebook example who have already agreed to actively participate. So I think it’s a really critical dimension when you talk about stewardship of data to reflect proactively on how folks got into the registry.
- PHILLIPS: Just to reiterate, this is an area where I have a conflict in terms of running a registry, but the conflict for me means I’m exposed to a lot of the opportunity and risk here.
A number of the clinical registries that I am familiar with were begun with passive consent from patients but positive consent from clinicians with the idea that it would give them benefit for measurement and for population health tracking, for a number of things.
There is a lot of pressure in this space to monetize data, though. In fact, a lot of the registries, being free, have increased pressure to monetize data, so there’s a real lively discussion about who owns the data, which is not settled for some registries. And what are the not just ethical but what are the ways of creating synthetic data or ways of protecting the passively included patients who are in these datasets that retain the value for understanding how the data can drive not just personalized healthcare, but how do you actually assess risk for individual patients based on big data elements — there’s a value there — without turning it into a marketing opportunity like Facebook where the data are used to market personalized healthcare to you.
There is a real tension there both for the registries in terms of monetizing data and for the data industry who wants to use it both for research but potentially down the road for marketing.
- KLOSS: And that tension probably we’ll find, as we look at other exemplars, other use cases, is probably occurring.
- ROSS: To what Bob was saying, I feel as though this framework is missing a row, and that is being explicit when you form a registry. The rules of the road — who gets access, how you get access, who benefits financially and in other ways — I don’t think we even have guidelines that govern that.
One other example from the world of immunization registries that affects policy. Over time, when those began there was every possible approach across the states; some opt in, some opt out, and ultimately it was shown that if it was an opt-out provision then that allowed the registry to grow. So I think how these things are formed and the policies around those are going to drive a lot of how well they can work. It’s not really captured here.
But back to the loss of trust, in the case of the immunization ones the trust was undermined when they could not integrate the immunization registry with vital records data because vital records data were so slow that then — say, like a community health nurse approaches a family whose child has died and is wondering why the kid hasn’t had a shot — you are doing, in effect, family harm because of the absence of information and the inability to properly link it. It undermines public trust in the government running these kinds of operations.
- STEAD: I was going to use the word ethics because I think that the purpose is a key lever so the risk-reward balance is different for different purposes; therefore, I think that is an essential part of thinking about it.
- ROSS: And making that clear upfront.
- PARTICIPANT: And explicit.
- KLOSS: We wanted to start out with framing this discussion just to make sure that we all as a committee could conclude that yes, this is really worth working on, and I don’t know if we have done that. Have we done that? There are enough issues here in terms of problems and variability that there’s no question that we need to forge ahead.
If we forge ahead, what have we learned so far about ways to forge ahead, and Jackie is going to walk us through that. After that discussion, we will invite Jon to talk to us a little bit about GDPR, but you will see from her discussion why we have sequenced it this way.
- MONSON: Let’s start with number one. These are just ideas that the group came up with that we could potentially solve it, but they are not the end-all, be-all. You might have better ideas for us, and that’s what we want to talk about today.
The first one is the possibility of extending existing laws and associated regulations. We talked a lot about Beyond HIPAA and extending it beyond HIPAA. One thing is we have been talking about PII versus PHI. One of the challenges we might run into with that is it’s not actually expansive enough to cover anything that falls outside the scope of the definition of PHI, which is engrained within HIPAA.
The other opportunity — and I think we heard from FTC recently about their idea of wanting to expand the scope, which they have made very public, and the potential for them to potentially expand the scope over PII, including this area that would help govern it.
I think the basic idea around this one is just that there are not enough laws and regulations that cover, in the unregulated environment, registries. And we know that there are some registries who are very interested in being a covered entity, acting as one, protecting the data as such, and there are others that very much take advantage of the unregulated environment and decide not to do that. So that’s kind of the balance that we’re looking at with that model.
The second one is mandating PHI or PII data use agreements. What that essentially would do is it would formalize agreements that you would put in place that have certain provisions and terms around the use and disclosure essentially of the protected health information. Today, what we often see happen is, with registry agreements or when you’re a covered entity entering into an agreement with them, it’s always on their paper and it’s always on their terms. It is never at the discretion of the covered entity to really even have the opportunity to negotiate the terms. That is kind of the use case that we were looking at and how we could potentially manage that from a different avenue.
The next one is a data protection model. You will hear about GDPR which is the European model which goes into effect here in a couple of days I think — 10 days. The idea of that or another data protection model is that what’s great about GDPR, which you will hear from Jon, is that it really revolves around the individual more than it does about the organization. You see with HIPAA, HIPAA revolves around covered entities, so, healthcare clearing houses, health plans and healthcare providers. It doesn’t fall beyond the scope of that, whereas, GDPR expands much broader than that. It’s to any organization that is essentially managing or dealing with anybody who is a citizen of the European Union, so, much broader.
We currently don’t have anything similar to that in the United States, although I think California might pave the path for that real soon because they will have a bill on the November ballot that’s basically a replica of GDPR, so we are going to obviously be watching that. But the idea really is just around the concept of having a model with which everybody would need to follow those standards.
The last one is a mechanism to certify or accredit the organization to use the PHI or to use it in the de-identified form. I think we touched a lot on de-identification and what that means, and the scary idea of, in reality, a lot of things can be or most things can be re-identified. So this really focuses on is there a way we can certify or accredit the way that they are doing it in such a standard that they either can’t inappropriately use the data or they wouldn’t have the opportunity to re-identify it.
I think some of you cited earlier just the example of data is X and then we give it to an organization and they re-identify it by using other data that they have access to — just figuring out a way to do that, similar to a joint commission or something like that. I know a lot of people say they are HIPAA-certified, which is fake; there is no HIPAA certification. But the concept is a good concept to manage standards around it and make sure that people are following that.
- KLOSS: As we tee up those four, we do it saying maybe there’s a fifth — do nothing; hope it all works out, or some combination. I think HIPAA has a lot of pluses, so we are not saying replace it but we are focusing on this world that’s using PII that’s unprotected. That, again, is our focus.
- COHEN: Thanks, Jackie. In my mind, we have three buckets of approaches towards stewardship. One focuses on the organization that collects the data, one focuses on the individuals for whom the data is collected, and the third is on whoever uses the data. I think it’s really useful to think in those terms in stewardship models. I don’t know whether ultimately we will find for registries that one approach is better than the other two, but essentially thinking about protection really focuses on those three legs of the stool.
- KLOSS: That’s great. That is a really good way to think about it.
I think we are at a good spot for me to introduce Jon Neiditz to join us. Jon co-leads the Cybersecurity, Privacy and Data Governance Practice at the knowledge asset protection law firm, Kilpatrick, Townsend and Stockton, LLP. Jon is speaking to us today from Atlanta. He has been named a cybersecurity trailblazer by the National Law Journal, is listed as one of the best lawyers in America both in information management law and in privacy and data security law.
I have had the opportunity to work a little bit with Jon recently and I know he’s doing a lot of work in educating organizations in the United States about what this GDPR stuff is about. He focuses broadly on data governance and knowledge as it protects and helps his clients anticipate and obviate information risks, appropriately monetize information, comply with information laws, contain incidents and all of those other things that we’re talking about. And he is just a really nice guy.
Jon, you are on, your slides are up, and we are looking forward to hearing from you.
- NEIDITZ: Let me first thank you all for the opportunity to talk with you. Linda told me this morning that what I’m going to do is an overview of the whole GDPR in 15 minutes, so I am going to go very quickly and I’m going to try to emphasize GDPR for people who know HIPAA because there are very interesting points of comparison and contrast.
First let me start with page 2, which is whether it applies. I just want to add to what was just said that it’s not just for citizens of the European Union. Any of you who are taking a European vacation this summer will have the opportunity to exercise European privacy rights because it applies to all persons in the Union under the GDPR. Therefore, not just citizens, not just residents, but people who travel there, as all of my travel clients have found.
The entities that are covered by it are also much broader than under the General Data Protection Regulation — I’m sorry, under the old EU directive. The EU directive limited itself to use of equipment in an EU member state. Under the GDPR you have the establishment as traditionally defined in European law in Europe, but if there is no establishment, as with many U.S. businesses, if they are offering goods or services to data subjects in the European economic area or they’re monitoring their behavior, for example, with mobile apps or with a website, they may be brought under the GDPR. It’s complex, but that is just to give you an overview of the breadth, the extra-territoriality.
Moving on to page 3 — Linda, just interrupt me if this isn’t working because of echoes or something else.
- KLOSS: It’s working fine, thanks.
- NEIDITZ: Great. On page 3 you see some key EU GDPR principles. You all have these materials so I am not going to read all of these things because there isn’t time, but I want to emphasize some overlap with HIPAA.
You have data minimization there and other areas of overlap. But there is a need, partly because of the breadth, to establish the legality of any processing, and you don’t have something like TPO carving out a broad area for you in that regard. It is very principle-driven. The compliance works a little differently. One of my German friends likes to say compliance is an American concept. We are going to see how the GPAs enforce it.
Moving on to page 4, you can see the definition of personal data is a little bit like HIPAA but much broader because, of course, nothing needs to be created by or on behalf of or received by a covered entity, but you have no safe harbor, so you can’t take certain elements off and be comfortable that that information is de-identified. If there is any way to identify a natural person, then that is personal data.
And processing is defined very broadly, like HIPAA, to include things like storage and maintenance, so, processing is really any connection with the data at all.
If you turn to page 5, special categories of personal data are different in many respects and based on traditional categories of what are called pre-GDPR sensitive information under the laws of the various European Union member states’ political opinions, religious and philosophical beliefs, trade and union membership. But all of these categories that we would call health information are included, so, health information, genetic data, biometric data, and there is no inclusion under special categories of the financial information that we in the U.S. treat as confidential information.
On page 6, the key definition, the key entity that is covered by this — Although, as was said, it’s about individual rights, it governs entities just as HIPAA does — the data controller, and then it also governs the data processor now, much as HIPAA now governs the business associate. But controller and processor mean something very different from covered entity and business associate, and controller does not mean control in the U.S. sense. It’s the entity that determines the purposes and means of processing of personal data, and the processor processes the personal data on behalf of the controller, so you can see similarities there.
On the next page, page 7, if you look at the actual distinctions between controller and processor, you see a distinction between ends and means. The controller decides. So the controller need not have the data; the controller decides about the ends, more or less, and the processor can be involved in many of the determinations concerning means although the processor has responsibilities to obtain generally or specifically the consent of the controller for sub-processing and other things which are more stringent than HIPAA controls on business associates and sub-business associates.
Moving on to page 8, we talked about territoriality. If any of you have heard much about the GDPR you have no doubt heard about the 4 percent global turnover of fines, which have been drivers of lots of activity here in the U.S., along with it has been extremely helpful to GDPR compliance to have senior leaders of the current administration saying bad things to Europeans and increasing the extent to which U.S. companies are targets. So there is really a very pro-regulatory trend that the current administration has unleashed from a GDPR perspective.
The data protection officers are needed in some cases and not needed in others. It has to do with the volume of sensitive or high-risk processing that’s taking place. Security breach notifications, as many of you have probably heard, need to be made to the regulators, the DPAs, in 72 hours. We’re dealing with that in the financial services world in the New York DFS rules, but obviously much more stringent than HIPAA. It remains to be seen how this will be administered.
You have no doubt heard about the right to be forgotten. It’s sort of a misnomer; it is really more of a right of erasure, and data portability, the ability to transfer personal data from one service provider to another more easily.
Then you have on page 9 changes in consent. There are major changes in consent. It’s taking a lot of what was German law on consent and applying it across the European Union through the GDPR, and that means that consents are generally not valid between the employer and employee. They are viewed as under duress if the employee is asked to consent to something. So you use a new basis between the employer and employee, lots of legitimate interest and sometimes performance of the contract as a basis.
The consent that we treasure in the United States with the adhesion contracts that people click on and so forth are not generally viewed as valid consents so there are many contexts in which other bases are being used on consent. And some people refer to the GDPR as the death of consent because the requirement for consent is so different from the way in which the Internet operates.
Processors have direct legal obligations placed on them under the GDPR. Previously, controllers were the only ones directly liable. Again, there’s an analogy there to the 2013 Omnibus rules in HIPAA.
On page 10, you note that one-stop shop. That is a misnomer as well. It has become very complex, but the idea is that everyone associates themselves with a particular data protection authority or DPA, and that is happening, and that DPA will have a lead role in the regulation of the entity to simplify things a bit.
Profiling is a very sensitive area, and so what we call in the U.S. big data — European law has always disfavored what it calls automated decision-making, and in that sense it is very different from HIPAA and from the FIPS generally, which were intended to imagine an electronic world that we wanted, a digital world that we wanted, and talk about the privacy and security. The GDPR is a reaction against the digital world that we have rather than envisioning the world that we want.
Automated decision-making that either produces a legal effect or significantly affects individuals is subject to very stringent restrictions, and that is going to result in a lot of litigation with the advertising industry that will be playing out.
After the GDPR comes the e-privacy regulation, which is going to also impose probably even more stringent requirements on behavioral advertising, so that is a very hot area and an area where a lot of the big data which is the basis of our digital economy is facing significant challenges.
Minors — The rules apply up to the age of 16, although countries have the right to define it themselves.
On the next page, a new principle added to the generally FIPS-based principles is the principle of accountability, which is the European equivalent, if you will, of compliance, so we’re going to see how that goes. One of the most important aspects of the GDPR is that there are records of all types of processing and establishing legal bases for all of those types of processing, because, again, you don’t have the TPO exemption generally.
On page 12, two critical concepts. One is privacy by design, and privacy by default. Privacy by design was invented by Ann Cavoukian in Canada as a concept but it is incorporated into the GDPR by law. Privacy by default is the notion that the privacy has to be baked into the design of the technology.
And DPIA is an area that we probably won’t have too much time to talk about, but there are some slides at the end about them. They materially change the way in which you evaluate processes for privacy in ways that lead to direct interchanges with the regulators.
On the next page you see just a listing of many of the types of rights. Let me go on to the following page on a record — stop me at any point, Linda, if I run over. We are almost done. A record of all personal data processing, that page.
The most important thing that the regulators will look for is this thing called a register which, before Linda told me otherwise this morning, I thought was what I was supposed to talk about. This register is a detailed document that establishes what you are going to use the information for, what the legal basis is for the use of that information — one of the acceptable legal bases under the GDPR — and how long you are going to keep the information. Unlike our minimum record retention schemes in the U.S., these are maximum retention schemes that they care about a lot for privacy reasons.
Going on to data protection impact assessments quickly, a DPIA is like our PIA but it’s any high-risk processing activity focusing on any of a natural person’s rights and freedoms, potentially others than privacy rights and freedoms, and large-scale processing of sensitive data. You are supposed to do this data protection impact assessment, and the GDPR spells out what’s supposed to be in that assessment. On page 16 you can see what constitutes high risk and you have got some similarities and some differences from what we would expect.
But on page 17 you can see the process of a DPIA. Are you dealing with high risk? Then you have to do a DPIA unless there’s an exception. Once you have done it, if there are still residual high risks, then you are required to go and talk to the data protection authority and figure out with the data protection authority how it’s possible to mitigate these risks if you can. We will see how this goes.
But it sets up quite a dialogue about privacy risks and our private risk assessment which, given that risk assessment is limited in HIPAA to the security rule and the risk assessment that you do in the context of a breach and so forth and there are some aspects of privacy risk assessment but it isn’t as much of a core process as the DPIA, so it will be very interesting to see how that plays out. I will stop there.
- KLOSS: Questions? I am going to start with one. You know that what our committee is grappling with is how to consider what sort of model might work for all of the PHI or PII that moves out of the HIPAA-regulated place to the unregulated world in the absence of any kind of general data protection rule. Are there elements here that you think could be useful for the U.S. to be thinking about, not to say that we change from a HIPAA model, but are there ways to layer on certain good and promising dimensions of this onto what we have, particularly in the area of data that is not well protected by HIPAA? That is our fundamental question.
- NEIDITZ: It is a really important question. As we all know, the U.S. is behind in social care and, as we used to say when we were rolling out HIPAA at the beginning, HIPAA is helpless in a lot of that. It doesn’t apply at all. The challenge that you would have — There are obviously many aspects of this very complex rule that I just scratched the surface of in this quick presentation. There are many aspects that are worth considering.
But my concern from a general incentive standpoint would be, to the extent that it is stronger than HIPAA, where you would be going if you applied a general GDPR-like framework would be we have a tremendous amount of freedom in the area of TPO for the sharing of information and then everything else is subject to more stringent examination. So, what would make sense from sort of a level playing field between the world of the covered entities and business associates, and the world beyond would be to look at aspects — it would seem like to look at regulation more like HIPAA for those other areas.
That said, this framework, the GDPR, is sort of winning globally. We used to say that there were two fundamental frameworks in the world. There was the harm-based framework that was represented by the APEC principles, which was very much like the FTC enforcement where you have, under the APEC principles, trust marks and enforcement when you violate those trust marks or as the FTC enforces deception with regards to your privacy policy, and then, on the other hand, the European rights-based approach.
Generally, what’s being copied in Latin America and Asia is the European rights-based approach, so, in that sense, it has sort of won. There are some exceptions, but globally it has sort of won. There are aspects of it which are inconsistent with our First Amendment and other aspects of U.S. law, but one might see, as we become more and more surrounded by GDPR-like regimes, more of a movement in that direction.
It is obviously a much bigger question than I can answer coherently.
- KLOSS: I know. I put you on the spot. We have a question from Rich Landen.
- LANDEN: As a rather insular American, this is all new and strange to me. What is the expectation of success? How likely is this to be accepted by all the players in the population in Europe, or is there a risk that it just won’t happen?
- NEIDITZ: It is certainly being accepted by all the players in Europe. For one thing, it’s in the interest of European businesses, and there are those in the U.S. who interpret it more cynically than as a system of privacy rights and view it as a way of favoring European over U.S. businesses. So it is very much embraced throughout Europe and it’s certainly being adopted within Europe, and the DPAs are gearing up for enforcement.
The legal community in Europe is delighted because they have been looking with envy at the U.S. where it seems to them that any harm can result in enormous class action litigation, and now there’s a very narrow group of harms which we don’t even consider harms. Many of the things that would lead to 4 percent of global turnover, which means revenue at the parent level globally, means that those things would not constitute harm under the existing Supreme Court law in the U.S. and would not be actionable, but they are subject to enormous penalties.
So there will be a lot of enforcement; there will be litigation between U.S. entities and European DPAs on the advertising issue I mentioned on various jurisdictional issues. At the same time, there’s adoption taking place in Latin America and Asia of very similar regimes, so, in that sense, it is certainly happening and likely to expand. It is certainly not like U.K., and it’s probably well beyond HIPAA in terms of the stringency of enforcement because you have so many DPAs gearing up for this opportunity that they have never before had to levy enormous fines on Facebook and Google principally.
- KLOSS: Any other questions?
- BERNSTEIN: Who gets to keep the fines? Does the DPA get to keep the fine, or do they evolve to the FISC of the member nation, to the commission?
- NEIDITZ: I think it probably varies by country. I know in Spain they certainly keep the fines, but I don’t know across Europe. I don’t believe that there is anything in — there’s certainly nothing in the GDPR that says it. In that sense, I think it probably varies by country. But in Spain they have been funded by the fines already.
- KLOSS: I think we are due for a break. John, I want to thank you so much. I will follow up with you by phone. We will make sure that the slide deck gets circulated, if you are good with that.
- NEIDITZ: Sure. Of course. I really appreciate the chance to do this. I am so sorry I’m not there. It is obviously hard to do it, and I’m also suffering from some significant allergies right now, so I hope it was okay.
- KLOSS: It was very much what we wanted and we will pick your brain further going forward if we may. Thank you so much.
I hope that was interesting and kind of eye-opening.
- PHILLIPS: Just briefly I want to say I am increasingly running into especially academic health centers that are being advised that this is applicable to them and they’re trying to gear up for it when there’s really no applicability so long as there isn’t some kind of cross-national patient exchange.
- KLOSS: Jackie has some perspective on that.
- MONSON: Your analysis is essentially right, from the way that we’re looking at it, from the healthcare provider perspective. There is probably some applicability, arguably, when you have somebody from the European Union coming over and being seen as a patient, but other than that there is not much applicability to the healthcare provider space.
I think where you see the space — I know the interesting one, we do our survey of the personal device aspect of this. Many of those organizations like Google and Facebook that he mentioned do have to comply with GDPR. Same with Microsoft. A lot of these organizations already do, and it will be interesting to see if there is any evolution with the personal devices as a result of that.
- BERNSTEIN: That’s interesting. I would have thought that it would have been the other direction. That is, an American who goes overseas and gets treated over there and then tries to bill their insurance back here, so the data is going from the EU back to the U.S., and then the EU member nation has some responsibility to figure out whether they can disclose to a nation that has not yet been determined to be adequate.
- MONSON: It’s both.
- PHILLIPS: I need your help understanding. An American going over to Europe and being treated, they don’t have any obligation to comply with HIPAA. A European coming over and being treated here is covered by HIPAA, not by GDPR. I am still not sure —
- MONSON: He would be covered by GDPR, too. It’s the broad scope of the regulation —
- BERNSTEIN: The Europeans will assert that it is covered.
- PHILLIPS: Good luck collecting in court.
- KLOSS: Let’s take a break and come back.
(Break)
- KLOSS: We are reconvened. We have just 15 minutes to wrap up our Beyond HIPAA discussion before Rachel gives us a long overdue OCR update.
I know we had some GDPR questions before the break. I think the best thing to do would be to gather up those questions. I will put them to John and then get an answer. And we have the option of doing some follow-up in September of kind of part two and drilling down into some pieces of this. I think the subcommittee felt that this is a big enough worldwide change or European change, but global direction that it needed to be on our plate as we think about models.
Anything right now burning on that? Should we move on? Vicki is going to take us through reviewing what we think are our next steps and getting some comment on that.
- MAYS: Let’s turn to number three, which is 81 in the e-agenda book.
What I would like to do because we just have a short amount of time is to kind of reorder the way these are laid out and kind of make some comments and get some comments.
One of the things that we spent a considerable amount of time doing in this committee has been kind of the stewardship framework. We have been very good at developing that. That I think here is something that would be important. I think the first issue for us is probably that of laying out the stewardship framework in an integrative model, in terms of how to best protect individuals’ privacy, secure their health data in these registries, while at the same time, making sure that we are enabling useful uses, services, and research. So, I am wondering if there are any comments on that as a goal that the subcommittee would undertake.
- KLOSS: And then the corollary question is how much outreach to key registry experts do you think we would need to do? Would that get us too much in the registry weeds? I think whatever advice you have on how our subcommittee might proceed with eating this elephant would be helpful.
- COHEN: Two quick comments. I would change integrative model to integrative models.
The other is there – not necessarily the folks who work in the registry, but as I recall, we had some really great privacy folks in the Department of Public Health who were responsible for dealing with privacy-related issues related to the cancer registry. I would think finding the privacy folks who deal with the issues related to the registries and their organizations would be very helpful, not necessarily the folks who run the registries, themselves.
- KLOSS: Good suggestion.
- GOSS: I also think on the first point about reaching out to key registry experts, I would try to focus on groups of experts, meaning where there is already consensus around the best practices or vetting that is being done. They may also have sort of the why they made the choices perspective and some of that would determine value for the effort.
- KLOSS: Thank you. There were a couple of experts that clearly have done a lot of thinking on governance and registry management in the writings that we reviewed.
- GOSS: I am also concerned about getting to a very specific expert here or there. We might introduce bias. It may be good to make sure we have a couple of those, but to make sure we have a larger kind of check and balance output.
- PHILLIPS: I am just trying to get you concentrated value. Rob Porter, who directs the National Quality Registry Network, is kind of a legislative and legal policy guru for the registries. He might be a very good resource.
- STEAD: I guess I would advocate that we try to develop a version point one of some strawperson based on what we have heard from the use case. I view what we have been doing as looking to the use case. I would love to see what we think version point one might look like.
I think if we could do that, then we could decide who could help us vet version 1.1 or .1 to move it towards something. I sort of see us needing to do that without trying to (recording cuts out) mobile devices use case, see what – I would have us go in to the mobile device case with the – always wanted to have somebody who could turn me on and turn me off.
(Laughter)
- STEAD: We could then use the – we could then discover that – we could then discover that we tune it or that we actually identify some different levers for the different use cases. I am just trying to keep us focused on the levers rather than getting too far down the journey of the use cases.
- LANDEN: I would like to understand a little bit more about the areas – I guess call them financial models, revenue. Registries are expensive to develop and maintain. How does the funding work? Where does the money come from? How common is the sale of the data and what about secondary use sale? If we have to accept that there is going to be secondary – revenue from secondary use sales, we have got to think one way. If that is not part of what we need to think about, it is a different set of choices we will be facing.
- MAYS: I just want to make sure I understand because not all do this. Is it to understand it in terms of the way the future might be going or it is to understand it because of how it drives particular registries potentially?
- LANDEN: I am struggling because I don’t know enough about it yet. Let’s say there is a registry and I don’t know if it is 1 percent or 90 percent that sells data outside its primary purpose, so a secondary use, but that revenue is critical to the survival of that organization. Without it, it could not accomplish its primary purpose. Do we need to work around that – around that secondary use?
- KLOSS: I think the reason why you raise just a really, really important point is that we need to make sure that the model does address the fact that there is a – there is a business foundation to many of these uses beyond –
- LANDEN: I guess my primary concern is we can’t do anything that drives these organizations out of business.
- KLOSS: Right.
- STRICKLAND: The other thing, as far as how many, I think – as far as models, there should just be some maybe government models and private models and other – choose the models that are a little deeper like Rich was saying. So, different use cases of how they structure themselves because they have different security needs based upon how they do business, how they maintain the data, who they get their data from, who they interface with, and what kind of either APIs or information is coming to – how secure are they. Are they using T1 lines? Are they using secure FTPs? Whatever that kind of stuff is. You may see – unfortunately, you may have to poke into a couple of registries just to see how many different models there are. I think it might be an interesting thing to do to figure out how many different models you have.
To Rich’s point, if they do have a secondary like sales component, how are they securing that data? That may be a model in and of itself. Are they the ones responsible, the primary registry, responsible for securing that or do they put that onus on the next guy or even the next guy? That may be a model in and of itself.
- KLOSS: Good. Question number four was just are there other resources/experts the committee should confer with during this phase? You have given us a couple of names and directions to go in. If anybody else comes to mind, any other group comes to mind, please do let us know. That was just a general call out. Are we leaving anybody really critical off the table here?
- COHEN: I guess a group I don’t know whether we talked about was the consumers. They should be represented, folks who are in registries. I don’t know any organized way to do that, but that would be important.
- PHILLIPS: Some of the registries are actually envisioning a day in the near future where a network of registries service kind of an epi-EHR service for patients. So, on your mobile device, you can say, you know, I see Dr. So-and-so and Dr. So-and-so and Dr. So-and-so. It tells you they are in these four registries. Would you like to connect these so that your rheumatologist can see your information from your primary care physician? Trying to get around the data blocks that exist between EHRs currently, put the control in the patient’s hands. It would be interesting to have patients weigh in on their ability to control their data in registries to serve their needs.
- ROSS: Just a question, Bob. Great idea. The question I have always – we have struggled with at times, trying to get the consumer representative, who is that? Unless it is an advocacy group for a specific disease or something, it is very hard to get some group of people together who will say, yes, I am here speaking on behalf of all of the consumers. How do they do this? I think it is a responsible idea to say that consumers need – their voice needs to be heard, but how?
- PHILLIPS: There are several folks out there that have served that role well. I have even seen one patient who has tattooed a QR code on her chest. You can scan it and it pulls up her personal website and says these are my current end of life values and this is how you can access my legal documents. They may not know the registry world, but they know they want their data accessed and they want to be able to direct the control of that.
- MAYS: Actually, one of the places that you can find this is with PCORI. PCORI has their – I sat on something for them. There is an organization that is of kind of patient representatives. There is a woman that heads it up. PCORI also has managed to get these groups to be a part of PCORI to make sure they are represented. PCORI would be the – would open the door to this for us.
- SEEGER: ONC, OCR, and others across the Department are working with many of these groups, including the patient that Bob brought up. We would be more than happy to put together a panel in the future with folks who can bring the patient perspective on this issue to the table.
- LANDEN: I was saying something similar that HITSP and the successor FACAs all had advocacy groups as members, but those advocacy groups could turn around and tap specific resources for specific needs.
- KLOSS: The next document that we just want to know if there is any feedback on – the considerations for NCVHS discussion of personal health devices. This is a first cut that Rachel has prepared. We would plan as a subcommittee then to do what we did with registries and do a more complete literature review and pull together what we learned. Here, it is even more an issue of scoping and deciding what is in this use case and what is not. I don’t know if we want to look at this as an API issue or if that is going to be too narrow. Any thoughts you have on this would be most welcome.
- STEAD: I want to advocate keeping focus on situations in which data moves in and out of the regulated space. I would be looking at mobile device data that for some reason moves in and out of the regulated space. If we keep our work at that boundary for this round, that is a helpful guidepost.
- MAYS: Would you see the whole notion of what people sign, in terms of their knowledge base about what goes with that, as part of this? That is one of the big issues is the “service agreements” and then what happens in terms of other parties and people not realizing what they are signing.
- COUSSOULE: Just a comment on the device side. This stuff flows in and out of the regulated/not regulated space every day today. So, when you talk about carrying around some kind of device that measures steps and goes into a wellness program that comes right into a health plan. We get this stuff all day long through our wellness subsidiary, through our biometric devices, and other things. I can only imagine when you start putting things that are more health related. We do it with scales that we put in people’s homes that capture the data that comes into the health plan. So, this is very real and it is happening all of the time right now. My point is you don’t have to look very far for very good use cases.
- KLOSS: That is really helpful. Not so much the personal devices that people choose to use, themselves, for their own purpose, but for things that are deliberately going to –
- COUSSOULE: Just to clarify, even then – we offer a program internally where you can get credits, if you will, right, for doing certain activities. One of them is measuring steps. Take 5,000 steps a day or 10,000 steps a day and you get credits for certain things with whatever device you want to use that then integrates – a hundred different devices can integrate with our world. Again, it is not simply something that a regulated entity may provide you, but a way that you can take what you do normally or naturally and then feed that into a regulated entity.
- LANDEN: Not so much directly with the medical device, itself, but you mentioned the apps, the APIs. An earlier round of the Meaningful Use regulations by ONC, the rule opened up EHRs to access by any API, any app, of the patient’s choice. Despite a lot of industry comment in the public comment period about the risks of that – that would allow shall we say ill-intentioned actors into the EHR – ONC did finalize the rule with that open access. It might be an opportunity, again thinking back to our collaboration with HITAC and ONC, is to explore has there been any of that adverse event happening where patients have been victimized by their choice of allowing access through devices or third party apps.
- KLOSS: So, this is going to be an easy discussion in September when we come back together again. I like Bill’s idea of just doing this version point one. I think we kind of need to get a little more specific and at least have something we can bounce off of our ideas. I think that probably is the next thing for the subcommittee to work on.
In September, our plan would be to repeat this discussion, but this time focusing on personal health devices and having some kind of model to bounce off of. And then come to the September meeting as a subcommittee with a plan for moving forward so that we can start thinking about 2019. I don’t think it is clear yet what that will be. Do we do some kind of roundtable to work on – for the model development, for the hearings, additional exemplars, letter to the Secretary? I think that just is to be determined.
If you are all okay with that level of uncertainty, then I think we can ask Rachel to give us an update from OCR. We are happy to have the time on our agenda to do this. I know this is always very helpful to us.
Agenda Item: OCR Update
- SEEGER: I am just going to drill through these slides very quickly and maybe skip over some of them. Thank you for having OCR back to provide you all with an update on what we have been up to.
We have been busy with respect to policy developments since we last saw you. Much of our work has been focusing on helping to support the Department’s response to the nation’s opioid crisis. Really, what we have been doing is we have heard that there continues to be difficulty for healthcare providers in being able to notify patients’ family and friends when a patient has overdosed, reluctance to share information with family members and friends in emergency or crisis situations, particularly when the individual might have a serious mental health illness or a substance abuse disorder, and confusion or uncertainty about how HIPAA permits sharing of information when a patient is incapacitated or presents a threat to themselves or to others.
So, what we have done is put out a series of guidances. One is a general guidance on opioid overdose in HIPAA that we issued in October of last year. We have done a tremendous amount of work updating our 2014 guidance and putting out new guidance on sharing information related to mental health. This includes 30 new frequently asked questions to our website and new materials that are segmented by audience. There is a specific new page for professionals on HIPAA and mental health and substance abuse disorder and a similar page for consumers that contain fact sheets for patients, family members, and healthcare providers, as well as information-sharing decisioning charts.
To support our mandate under 21st Century Cures, one of the things that we have been doing is working not only with our sister agencies across the department like SAMHSA, HRSA, CMS, and others to make sure we are getting all of this information out to the grantees, healthcare providers, and others who need this information, but also to associations and other industry groups. So, we have been very, very active in doing outreach and technical assistance and webinars not only here, in D.C., but all of our regional offices across the country have been doing a tremendous amount of work. Every single week, they are out there connecting with healthcare provider organizations and associations, states, and local areas.
So, here are some links that are posted to the website and where you can find this information. I would also note that we have – are beginning to work, likewise, with the Department of Education on updating our joint guidance that we have on HIPAA and FERPA.
A number of upcoming policy items on our regulatory agenda include the NPRM on the perception of good faith of healthcare providers. This is in sharing information with patients’ family when they are incapacitated. Unless there is evidence that a provider has acted in bad faith, this is a deregulatory item. An NPRM on changing the requirement to obtain the acknowledgment of receipt of the notice of privacy practices – so, we are going to be issuing this NPRM to solicit feedback from the regulated industry on this item. And then what we call an RFI, a request for information, on the distribution of a percentage of the civil monetary penalties or monetary settlements that OCR collects on HIPAA violations to harmed individuals.
Other guidances in the works include guidance on texting, social media, and encryption. This is what we call sub-regulatory guidance. That is posted to our website as FAQs and other guidances.
Just quickly going through some recent HIPAA enforcement and breach highlights. We have been very busy. We have had over 175,000 complaints to date with close to 26,000 cases resolved through what we call corrective action and/or technical assistance. Just like last year, we fully expect to receive 24,000 HIPAA complaints this year.
So, we, to date, have had 52 settlement agreements that have resulted in a monetary settlement, along with a very robust corrective action and three civil money penalty cases. Since April of 2017, about a year, you can see that we have had roughly eight cases that have totaled in 11.6 million. There really is a range here if you take a look at the settlement amounts here. Some of these cases involve very, very small entities. I will pick on Filefax, where the settlement was $100,000, and the Center for Children’s Digestive Health, where the settlement is $31,000. But we also have some of our largest settlements to date, Fresenius, the largest provider of dialysis and other kidney-related services, at $3.5 million.
Here is a little snapshot of those 50 settlement agreements and three civil money penalties through 2017. You can see we have had an uptick in our work. It really was a ramping up. OCR was not enforcing HIPAA and especially the security rule was over at CMS. Since 2009, many of these cases really marry the privacy and security rules and now breach notification rules together.
A number of reoccurring compliance issues that we are seeing. A lack of business associate agreements in their entirety or a lack of current, up to date business associate agreements. We are seeing a lot of entities that just never did anything following the 2013 changes of the HIPAA Omnibus Rule under HITECH. Failure to conduct a risk analysis, either an enterprise-wide risk analysis – they may have only addressed risk analysis in the context of getting an EHR incentive. So, if the risk analysis is only looking at EHR and not looking at the rest of the institution or they have never even conducted a risk analysis and documented risk analysis since the beginning of the HIPAA security rule in 2005.
Can we go back to that slide, please? Lack of encryption. Lack of transmission security. Lack of auditing. No patching of software, which leaves entities vulnerable to ransomware and hacking and all kinds of cyber security issues. Issues with insider threats, where the issue isn’t a bad actor on the outside, but bad actors on the inside. We have had a number of many interesting enforcement cases that have settled lately related to this issue. Still ongoing issues related to impermissible disposal of PHI, still on paper. A lot of issues with dumping of patient records at recycling centers or just in the garbage, in general. And insufficient data backup and contingency planning.
So, have I spoken to you since we have revised the breach notification tool? No. So, last year, one of the first things this administration did was make some significant revisions to the HIPAA breach reporting tool, which is our tool that reports all breaches involving 500 individuals – affects more than 500 individuals or more. This tool improves navigation for those looking at information. It also improves the navigation and ease of use for organizations reporting these incidents.
I can illustrate some of these changes for you. So, if you look on the left, tab one are cases that are currently under investigation. What we have done is streamlined this to indicate active cases under investigation within the last 24 months. The second tab, in the middle, is an archive tab, which includes all breach cases. On the end, on the right, is help for consumers that provides tools for individuals who might be looking for information on how to protect themselves from identity theft and brings them to some resources over at the FTC.
This is a snapshot into the advanced search functions of the tool. It really allows individuals to look at different types of covered entities, whether it is clearinghouse, the hospital, what not, search by state, search whether or not a business associate is involved, search by the covered entity or business associate name, and search by the type of breach or location of breach and by date.
So, through February of this year, we have had approximately 2,200 reports of breaches affecting 500 or more individuals. The majority of these involve theft and loss. These account for 46 percent of these large breaches. Hacking and IT now account for 19 percent of these incidents. Laptops and other portable storage devices account for a quarter of these breaches. Paper is still over 20 percent. Individuals affected are many – 177 million and more. Approximately 341,000 reports have been submitted to the Department affecting fewer than 500 individuals. At least the same amount of individuals affected as breaches affecting 500 or more individuals.
Here is a little snapshot from 2009 – September of 2009 when we began looking at these breaches – larger breaches – through February of this year. You can see that theft constitutes 38 percent of these incidents. Loss is 8 percent. Unauthorized access and disclosure is 28 percent. Hacking and IT is 19 percent. As I mentioned, improper disposal is 3 percent. Other cases are at 4 percent.
This will give you a snapshot of these same types of breaches, but from March 2015 through February of 2018. You can see there really has been a shift with hacking and IT incidents accounting for 34 percent of these cases. Unauthorized access and disclosure cases being 39 percent. Theft is at 20 percent. Loss is at 5 percent.
Again, here is the location of breach. From that period of time from December 2009 through – this slide says January. With paper records being 21 percent. Desktop computers are 10 percent in terms of location. Laptops, 16 percent. Portable electronic devices, 9 percent. Network servers, 17 percent. Email, 11. EMRs, 6 percent. Others, 10 percent.
- STEAD: Rachel, could you tell us what the trend lines would look like for each of those categories over the last few years?
- SEEGER: Yes. If you could go back to the slide before that please, you can see – we are going to toggle, if you would. Hacking and IT was 19 percent for this period of time. Now, when we are looking –
- STEAD: I am trying to get absolutes, not percentages. Sorry.
- SEEGER: Numbers?
- STEAD: I am wondering what the trend in the numbers in each of those categories are, in addition to the trend in percentage.
- SEEGER: We would be happy to get you the numbers. You could take a closer look at them.
- STEAD: That would be extremely helpful.
- SEEGER: We have all the hard data. I was just playing with it yesterday. I will be happy to get that to you so you can look at the numbers. Again, these are just the breaches affecting 500 or more individuals that are being reported to the Department, not all breaches affecting all individuals.
Really the intent of this slide is to show you that there has been an uptick in hacking and IT incidents, in particular. You don’t have to hear from us. You can hear from Verizon, Ponemon, anybody who is working on researching cybersecurity issues. The healthcare industry, in particular, is underprepared. Bad actors know about it and have been hitting our industry very, very hard.
- STEAD: What I am trying to get at in my own head – I am aware of that. I expect those numbers have been going up. I am also very curious whether the unauthorized access and disclosures are going up or down given the amount of education over time.
- SEEGER: Sure, if you could go back to the previous slide, please, you could see they were at 28 percent. We will get you the hard numbers. There is an uptick. Maybe we should just get away from the slides, but talk about what OCR has been doing to educate the community.
If you could skip forward, please – so one of the things we have done very recently is put out some cybersecurity guidance material. This is a little snapshot of an infographic that we put together on this topic on quick response: how to respond, how to report the crime, how to report threats, how to assess a breach.
We also put out guidance on ransomware and did a tremendous amount of work following the WannaCry ransomware attack to make sure that organizations that subscribe to our listserv and others are aware of our guidance and that OCR presumes a breach in the case of a ransomware attack.
We also have monthly cybersecurity newsletters that began in January of 2016. We have close to 30 of these newsletters that we have issued to date. Just a couple of topics – these are really picked based on the trends that we are seeing in the breaches that are being reported to us. One of them is on insider threats and termination of employees, best practices in how to ensure that an individual’s access is turned off when they leave. These are really based on cases that we see and enforcement actions that we have taken. Cyber extortion. Phishing. Contingency planning.
Most recently, the difference between risk analysis, which is a requirement under the HIPAA security rule, and a gap analysis, which is a requirement under the HIPAA privacy rule. How those two things differ. You know, we heard in the discussion of GDPR about risk, but I think many organizations often overlook the importance of gap analysis and really looking across the board not only at threats to your EPHI, but threats to the protected health information that you hold, whether it is paper or oral conversations, a complete profile of HIPAA compliance for an organization.
The fact that we are still talking about this in 2018 should give you some indication of the state of affairs. That is why so much of what we do does focus on small to midsize healthcare providers trying to put tools and guidance out that is accessible for them. We are certainly also seeing issues with some of our largest healthcare organizations in the United States. Many of those organizations – we have a number of enforcement actions with them that result in a monetary settlement in each one of those press releases that we write. We post every single one of the resolution agreements. It is so important. Each of those serves as an exemplar of lessons learned.
We really try to make sure that we are putting out best practices. One of the things that we have done is partnered, again, with Medscape to put together another module for free CME/CE credit for healthcare providers. This latest one launched in September. As of this month, we have had well over 22,000 providers who have taken this module for education on the HIPAA Right to Access.
We also have, as we have reported to you before, a special portal for questions and technical assistance for health app developers. This is at HIPAAQSPortal.HHS.gov. It is constantly being updated with scenarios, frequently asked questions, responses. It is a way for our staff to engage with health app developers so we know what questions they are grappling with, with respect to their understanding of HIPAA and how they can ensure that they are developing a product that meets the standards of the rules when it is in research and development, before it hits the street.
I think the next slide is just for more information. So, that was quick. I am really trying to watch the clock here, but more than happy to, if I can, get you data. I am not certain that I can get the hard data for you, Dr. Stead. I am going to have to go back and ask whether – I am not sure if that is publicly available or not.
- KLOSS: I think seeing trends over time would be really useful. That would be a really good paper for you to write.
A special thanks to Rachel for all she does as lead staff to our subcommittee.
(Applause)
I always forget she has a real day job, too.
- SEEGER: It is a pleasure working with all of you.
- STEAD: Other questions for Rachel?
- KLOSS: I had one. When that notice of proposed rulemaking comes out, might that be something that we should comment on? Are we just too kind of close and cozy to do that? It seems like that would be – the topic we would be interested in.
- SEEGER: Absolutely. The more comments that we receive, obviously, the better. That goes, too, for individuals who – or organizations that you might be affiliated with that choose to comment on these proposals.
- KLOSS: So we will take that up as a subcommittee when it gets released. You will let us know, right?
- SEEGER: Yes.
- STEAD: Is there any discussion within OCR about whether there are aspects of the GDPR that should be being considered in this country?
- SEEGER: Across HHS, we have been looking closely at GDPR. At this time, we – GDPR hasn’t really hit the street yet. I think we are all waiting to see how it is received, implemented, and then we will go from there. As always, as the federal advisory committee to the Secretary, this is such an important issue. I know that many healthcare institutions are grappling with being able to understand how GDPR might affect them when they are seeing clients who might be EU citizens. It might be an area that you might want to take a closer look at, in terms of not only asking OCR to look at GDPR, but other agencies across the Department and how it is impacting U.S. organizations who may or may not be required to comply with these requirements.
(Comment off mic)
- GOSS: So, interesting question kind of related to that that Denise may also have some thoughts on. So, an Italian – sounds like a joke. I’m Italian so it’s okay – comes to the United States, goes to Roland’s esteemed facility. The data from that facility gets somehow rolled up into a registry and is either used at a state or a federal level. Do we even have some sense of how that – like when it is HIPAA, when it is not HIPAA? How would that use case actually pan out? Where does the EU law trump because now we have a citizen who has gotten care in at least one facility? From a public health – let’s say he has got one of those syndromic surveillance reportable things or he – how does this trip into our registry conversation? Yes, I had coffee at break.
(Laughter)
- COUSSOULE: This is real life both for travelers and expats.
- GOSS: I ended up in the French health system after getting medical treatment in Tahiti.
- COUSSOULE: My daughter did when she was in Germany last summer.
- COHEN: Has Brexit affected the adoption in the UK? Will it? Will Brexit be part of the adoption as they withdraw from the European Union?
- KLOSS: I think a lot of countries are – they are modeling their changes based on this, whether they are part of the EU.
- COHEN: The penalties and everything that are related to other countries that are part of the EU would no longer apply to the UK, I guess. I don’t know.
- STEAD: It depends on what businesses are doing. Google is now changing their way that they want you to interact with their privacy policies so it is compliant with GDPR. They don’t want to be dealing with more than one model.
- COHEN: So, all these e-mails I am getting about updated privacy practices is this?
- MONSON: I think the other issue that we have is telemedicine, too. There is lots of GDPR assessments.
- KLOSS: What about outsourcing? Transcription in India or something?
- MONSON: Well, it depends on – so far, India has not acclimated. Like I mentioned, we are preparing in California for it to happen anyway. Yes, there is all kinds of issues with telemedicine.
- KLOSS: Do you think it will actually be passed in California?
- MONSON: Yes, I do.
- KLOSS: Holy moly.
- STEAD: On that note, I think we have had a wonderful day. I appreciate everybody’s hard work. It has been a lot of hard work getting ready and active engagement today. I look forward to seeing you bright and early at 8:30 in the morning.
(Whereupon, the meeting was adjourned at 5:00 p.m.)