Department of Health and Human Services
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
Subcommittee on Privacy and Confidentiality
June 7- 8, 2005
Hubert H. Humphrey Building
Washington, D.C.
Meeting Minutes
The National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality was convened on June 7 – 8, 2005 in Washington, D.C. The meeting was open to the public.
Present:
Committee members
Mark A. Rothstein, J.D., Chair
Simon P. Cohn, M.D.
Richard K. Harding, M.D.
John P. Houston, J.D.
Harry Reynolds
Paul C. Tang, M.D.
Absent
Staff and Liaisons
Maya Bernstein, Lead Staff
Amy Chapper, J.D., CMS
Jeannine Christiani, Magna
Linda Fischetti, VHA
Kathleen Fyffe, ASPE
Marjorie Greenberg, NCHS/CDC
Debbie Jackson, NCHS
Susan McAndrew, OS/OCR
David McDaniel, VHA
Marieta Squire, NCHS/CDC
Sarah Wattenberg, SAMHSA
Kevin C. Vigilante, Populations Subcommittee (present June 7)
Others
LaRea Albert, Information Solutions, Inc. (by phone June 8)
Mark Brueckl, Academy of Managed Care Pharmacy
Benjamin T. Butler, Crowell Moring
Sam Charuer, FasterCures
Mary Crimmim, Center for Healthy Communities
Don Detmer, AMIA
David H. Flaherty, David H. Flaherty, Inc.
Angela Franklin, BCBSA
Lawrence Garber, Fallon Clinic of Worcester, MA
Frank Gile, ADA
Erin Grace, Primary Care Coalition
Adrian Gropper, Medcommons
Charlie Iovino, Aetna
Ib Johansen, Danish Centre for Health Telematics (by phone June 8)
Pamela M. Kirby, AANA
Frank A. Kyle, Jr., ADA
Kathleen Lanik, Winona Health
Anne Lennan, Society of Professional Benefit Administration
Tom Lewis, Primary Care Coalition
Marilyn Zigmund Luke, AHIP
Harry Lukens, Lehigh Valley Hospital and Health Network (by phone June 7)
Erin J. Matthews, ASCO
Jon A. McBride, II, Availity
J. Marc Overhage, Indiana Health Information Exchange
Brian Richards, Australian Dept. of Health and Ageing (by phone June 7)
Dan Rode, AHIMA
Edwina Rogers, ERISA Industry Committee
Janet Root, Utah Health Information Network
Phil Rothermich, Express Scripts
Paul T. Sheils, Aetna
Michael Sheridan, Canada Health Infoway
Samantha Silva, AHIP
David A. Slaughter, Thompson Publishing Group
Paul Speidell, AMA
Janine Ward, Australian Attorney General’s Department (by phone June 7)
Ericka Watson, Health Privacy Project
EXECUTIVE SUMMARY
ACTIONS No formal actions
Synopsis of Subcommittee Hearings by Mr. Rothstein The June 7-8, 2005 hearings, the third in a series on the NHIN, is focused on rules for inclusion, retention, and dissemination of health information for healthcare purposes; and disclosure to third parties for non-healthcare purposes pursuant to authorization. Panelists include representatives and experts on integrated health systems, health plans, international health systems, and regional health information organizations. The Subcommittee on Privacy and Confidentiality has previously heard from experts, representatives of consumer organizations, and healthcare providers. A fourth hearing Privacy & Confidentiality hearing (scheduled for August 16 -17, 2005) will include technical experts on health information network design.
All official NCVHS documents are posted on the NCVHS website.
PANEL I INTEGRATED HEALTH SYSTEMS
Lehigh Valley Hospital and Health Network, Allentown, PA
Harry Lukens (via phone)
Lehigh Valley Hospital is an acute care magnet hospital with a vision to operationalize a system that allows its physicians to share selected clinical data within EMRs. Lehigh Valley Hospital has already tackled complex issues such as the interface between systems yet cultural obstacles persist about data sharing. The hospital mitigates costs by having its IT Department host the EMR system. While short-term (learning curve) costs are higher, it is predicted that productivity will return in the long run because unnecessary tests (and possibly admissions) will be eliminated. The goal is to support predictive medicine and research on disease management.
Winona Health, Winona, MN Kathleen Lanik
Winona Health is a non-profit, community-owned integrated healthcare system that, with other medical sites, is developing a community-wide integrated and secure EMR that allows providers to share patient information. Three independent entities formed a single organization that aligned organizational policies, trained staff, and developed security and privacy measures. Instantaneous documentation and current information accessibility are at the point-of-care. Access is restricted, medical errors have been reduced, and better emergency care is available. Evaluations, patient satisfaction surveys, and input from a Patient IT Steering Committee inform the process. Working relationships with area clinics and the registration process have improved. Physicians see the new system’s efficiency and value. An evidence-based committee examines the computer physician order entry. Job functions are being redefined as the system moves toward becoming totally paperless and every department looks at performance improvement. Turn-around time for chart completion is the “gold standard.”
Veteran’s Health Administration David McDaniel
Mr. McDaniel provided background about the VHA and alarming statistics within the healthcare industry that are being addressed at the VHA via an automated information system that provides a single interface for all interactions. Data supports clinical decision-making (see transcript for examples) and a real-time order checking system is in place. The administration of bar-code medication addresses medication errors. Care management provides an automated method for tracking follow-up actions and tasks (see transcript for benefits). The Veterans Health Information Systems and Technology Architecture (VistA) imaging (which integrates traditional medical chart information with medical images) is operational at most VHA facilities. Privacy challenges include the need to comply with many privacy laws and regulatory barriers. The VHA coordinates these efforts in an environment of competing interests (e.g., VHA and Dept. of Defense). Federal laws must be reconciled with local and state laws. There is a fine line between protecting privacy by limiting access to records and disclosing necessary information to enhance accessibility and quality of care.
Panel I Discussion
Authorization strategies and a patient’s right to opt-out of information sharing were discussed by the three panelists. The VHA’s information retrieval system, privacy program, and compliance with federal confidentiality regulations were described (see detailed summary or transcript for specifics). The three panelists shared how their systems would work with the medical records of a pregnant woman example and they had a conversation about how their systems really work for patients. While it is recognized that information exchange must become part of the treatment process, cultural change will not occur overnight. Back-up and recovery systems were also described. A discussion about who “owns” the data ensued, followed by a description of how EHR systems transfer to smaller clinician settings. The relevance and use of personal health records (PHRs) was also raised. Other topics included security breaches and disclosure policies. None of the paneled organizations have technological software that allows them to send selected information. While such software could probably be developed, acquiring coded data is very costly and poses challenges (see transcript for example). This capacity does not currently exist and there is a question about whether the privacy protection would justify the cost. All panelists stressed the need to adequately address security concerns before health systems would feel confident about using the internet.
PANEL II HEALTH SYSTEMS
Availity, Inc. Jon McBride
Availity is an independent joint venture created in Florida in 2001 by Humana and BC/BS of Florida to provide a utilitarian internet solution to the HIPAA compliance deadline. Using a geographically redundant ASP model, the goal is to improve workflow and reduce healthcare costs. Availity’s beliefs and recommendations about the NHIN were presented, stressing the need for uniform application of laws and government leadership; the completion of HIPAA; creation of a clearly defined user model; participation by consumers; HIPAA identifiers; standardized data elements; and interoperability standards (see detailed summary or transcript for specifics). To achieve the NHIN goals within a viable timeframe, a plan for obsolescence of technology is necessary. Sunset and maintenance rules must be developed and used. A continuous 10-year rolling plan is recommended. DHHS should create a federated model of regional networks that make up the NHIN.
Aetna Health Information Solutions Paul T. Sheils, J.D.
Mr. Sheils described the efforts of Aetna and AHIP to help develop an interoperable EHR by encouraging health plans to leverage their claims data, health content, analytic capabilities, and existing relationships with providers and patients in order to build a claims-based, informatics-informed, patient-controlled personal health record (PHR). There was clarification about how PHRs work and why insurance plans are trying to provide them. Approved by the Board of the AHIP, PHR services (with interoperable standards) will be proposed to its membership. Systems must be built on compliance with HIPAA and state privacy laws. Base information on physician-accessible, patient-authorized PHRs that is standard and portable enhances physician engagement with members. Additional benefits and support tools include e-visits, e-messaging, and e-prescribing. While not as complete as an EHR, the PHR improves the quality of care by providing significantly valuable material to patients and providers that is a practical, near-term parallel effort to the EHR in the development of the NHIN.
Panel II Discussion
Patient control of data was again raised. It was noted that PHRs (whose pros and cons were discussed) do not protect privacy interests. The benefits and incentivization of self-reported data from voluntary health risk assessments (HRAs) were mentioned. There was also discussion about the impossibility of viewing claims retrospectively due to incompatible formatting. Some companies have tried to create virtual longitudinal records based on historical access to claims data but Aetna’s strategy is plan-based. Competition about information-sharing between companies is a big issue so it is important for the AHIP Board to recognize competitive advantages and differentiation between companies (other than for raw claims-derived data). It was recommended that the Subcommittee review the security and authentication systems of Care Keeper, which formats the PHR in discreet data sets that allow the patient to determine what components should be viewed by whom. Care Key and You Take Control are other vendors dealing with authentication systems and data segmentation. Business or operating rules must be built into the technology. A robust authorization scheme could address the various privacy laws although more individual agreements create an increasingly complex environment in which to develop a national system. A national governance that dictates a minimum set of authorization requirements that satisfied various state and federal laws, is preferable. Without this, interoperability becomes very complex. The internet has come a long way relative to security and communication. Leased lines (often not encrypted) are not as secure as VPN over the internet. The fine line between educating and marketing was brought up relative to the educational process and articles on the proposed PHR. Information exchange of lab values was also discussed.
PANEL III INTERNATIONAL HEALTH SYSTEMS
Canada Michael Sheridan
Overview Canada is examining how to improve access and reduce wait times for human health resource services; home care; national pharmaceutical and public health surveillance strategy; and aboriginal health. More broadly, accountability for expenditures and movement forward are priorities (see transcript for statistics related to health systems challenges). Canada’s electronic health program examines six basic drivers: demographics (registries); diagnostic imaging; lab results; drug profiles; immunizations; and telehealth. Canada’s agenda is national and its goal is to have 50 percent of all Canadians in an EHR system by 2009. An interoperable EHR system would save approximately $30 million/year (primarily in medical transportation costs). A savings of $3.4 billion/year is estimated for issues related to quality such as adverse drug effects; and a savings of $1.6 billion/year is projected for diagnostic imaging.
Canada’s Health Infoway (a non-profit corporation with shared governance developed as a “strategic investor” to foster the development and adoption of EHRs across the country) was described and its nine strategic investment programs mentioned. The Canadian definition of EHR and its architecture was presented. A recent survey indicates that approximately 85 percent of Canadians support the development of EHRs despite privacy concerns. Issues under consideration include: consent representation mechanisms; authentication and authorization techniques; role-based security and privacy; contextual access criteria to data; and trust models between systems. More progress has been made on security than on privacy issues to date although privacy work includes 13 sets of legislations. The jurisdictional governance of health records are at the provincial and territorial levels. A group of experts has been formed to address privacy and security issues by developing a conceptual architecture for standards and interoperability. This plan (to be published in summer 2005) will present requirements for an interoperable EHR. Automated audit and alert capabilities, which are being developed at a fast pace, will limit access. Progress has been slower than anticipated, partly due to lack of funding by the jurisdictions and to the challenge of adopting major changes in work flows and interactions, interface, and patient treatment. The $1.2 billion is only 25 percent of the total cost of delivering an EHR to 100 percent of Canadians (total cost projected is $10 billion).
United Kingdom Don E. Detmer, M.D.
The United Kingdom (essentially England and Wales) is engaged in a major effort to computerize their government-sponsored care system, which is complicated by the distinction between EU and UK law. The National Health Service is an intranet system that does not have a PHR health record interface. Because the UK has a universal state provision, only 10 percent of the population has private insurance. Many in the medical community believe that current privacy regulations impede biomedical research. The focus is far less on EHRs than in the USA. Unique health identifiers are not an issue and in general, there is much less media intensity on the concept of privacy.
The HORUS model (holding, obtaining, recording, using, and sharing) is used as a general framework. Ethical concerns are essentially parallel with the USA. Confidentiality issues are addressed by privacy regulations for government-held data. A common law of confidentiality allows for a person to be sued but not arrested for breaches. The Organization of Economic Co-operation and Development (OECD) has established principles, and pertinent acts and regulations have been delineated. A Patient Information Advisory Group (PIAG), developed in England and Wales, is likely to develop broad principles about purpose; consent or anonymization of data; and effective security, confidentiality, data retention, and disposal policies. Other relevant statutes cover laws mandating, permitting, and prohibiting data sharing and data subject access to data. Information Governance in Practice was developed to unite a number of related initiatives. A toolkit has also been developed to help acute treatment, primary care and mental health facilities, and general practitioner’s offices but these efforts are moving slowly. Healthcare Commission ratings evaluate compliance with regulations. Anonymization is not dealt with differently than in the USA.
Panel III Discussion
Canada is defining a common set of access and architecture that fits into the overall IEHR (report is forthcoming by fall 2005, which can be available to the Subcommittee). In the UK, most patients are not interested in having or seeing their data and implied verbal consent is often used. Electronic prescriptions and dissemination of genetic information were also discussed. Panelists responded to a question about their preference for the privacy laws of the USA, UK, or Canada. Because there is not one set of rules that everyone agrees to, Canada is creating a national infrastructure with local variation. Asked about the 87 percent acceptance rate (results of survey conducted by Statistics Canada, Health Canada, and Canada Health Infoway), Canadians conveyed that they were driven by a desire for better, quicker healthcare with shorter waiting lines. The 50 percent implementation rate reflects the parameters of what Canada can afford. With success stories, they can capitalize on expanding their system incrementally. In contrast, the UK put forth 16 billion pounds (equivalent of $18 billion) toward its EHR effort. The UK and Canada have central databases, which is “almost banned” in the USA (note recommended reading: Autonomy and Trust in Biomedical Ethics by Ohora O’Neill, Cambridge University Press, which contends that privacy erodes a sense of trust and can interfere with doctor-patient relationships).
PANEL IV REGIONAL HEALTH INFORMATION ORGANIZATIONS (RHIO)
SAFE Health, Worcester, MA Lawrence Garber, M.D.
SAFE Health (Secure Architecture for Exchanging Health Information) is a community-based project led by three leading healthcare organizations in central Massachusetts.
Committed to improving quality of care, patient safety and operations, SAFE Health is developing technology that securely stores, transmits, aggregates, consolidates, and displays patient-specific health information within a regional health information exchange network with a distributed federated master person index. Decision support is integrated into the network to alert providers to significant patient safety events. The impact of adverse drug events was raised and the fact that health information flow between healthcare organizations saves lives was acknowledged. Opt-in and opt-out approaches to patient participation were stated as were SAFE Health’s four opt-out alternatives, benefits, and challenges. To summarize, most patients want their physicians to have complete records and they want the protections already specified by HIPAA. Opt-outs could be offered to the minority of patients who want it. To facilitate the creation of RHIOs and the NHIN (which can prevent hundreds of thousands of injuries/year), HIPAA must become the national standard rather than the minimum requirement.
Primary Care Coalition of Montgomery County, MD Thomas L. Lewis, M.D.
The significant challenge of building a mini-safety net-oriented RHIO for low-income, uninsured people was discussed along Montgomery County’s Primary Care Coalition’s strategy. Factors specific to low-income populations were reviewed (e.g., multiple providers in multiple jurisdictions; use of emergency departments for primary care; frequent job and housing changes, among others) as well as the consequences of the historical and general distrust of the system by these populations. A national framework that could be implemented locally would help but HIPAA might not be the place to begin. A clearly worded document that outlines security measures, tough penalties, and benefits is recommended for use in the USA (note: The Open Health Records Exchange is a group that is experimenting with a variety of matching methods in an attempt to develop reliable algorithms for low-income, uninsured populations).
Utah Health Information Network (UHIN) Jan Root, Ph.D.
UHIN is a small non-profit company with diverse membership that securely transmits administrative healthcare information between entities through a central internet gateway for the purpose of providing healthcare consumers with reduced cost and improved quality and access. Information exchange standards have been developed and network participation in this RHIO is voluntary. Three important decisions contribute to UHIN’s success: defining the network as a value-added group that uses standards developed by the community; remaining active on the national scene; and using consensus in order to be a community-controlled group. Conducting approximately 50 million transactions per year, UHIN plans to incorporate clinical exchanges by extending its current network (see detailed summary or transcript for specifics, including challenges). Lessons learned include: 1) “health data is health data,” whether from a claim, prescription, or lab result; and 2) to maintain trust, RHIOs should not function as central PHI data repositories. In Utah, the central data repository is held by the Health Department. A Patient Advisory Group (primarily consisting of patient and low-income advocates) has suggested that educational programs are needed to inform patients about how the current system works to deflate fears. Standardizing privacy nationally is recommended for the goals of the NHIN. The hope is that national standards will be developed for how RHIOs should operate at a security level. UHIN recommends that RHIOs be certified by EHNAC (Electronic Healthcare Network Accreditation Commission), which works to establish high professional standards for clearinghouses and value-added networks. Using SSL (server-to-server keys) as a national standard is also suggested for greater ease in managing security. The presentation finished with further discussion on authentication and security concerns.
PANEL IV DISCUSSION
Concerns about opt-ins, opt-outs, and clinical data collection for RHIOs were raised and possible models for states to determine their own privacy policies were suggested. The function of clearinghouses was clarified. Relative to uninsured and low-income populations, it was underlined that people develop a better understanding and trust in the health system when community workers describe the benefits of data sharing. Education is the best tool for creating a receptive and comfortable environment that builds trust within and across the safety net and when linking safety net environments to mainstream healthcare systems. Trust is primarily built on a 1:1 basis within clinics rather than through advertising campaigns. Asked about the software that monitors adverse medication reactions but remains invisible in the background, Dr. Garber explained how SAFE Health‘s emerging production system works (see transcript for specifics).
INTERNATIONAL COMMENTS
Australian Government Department of Health and Ageing Brian Richards
Attorney General’s Department Janine Ward
A general framework for the Australian EHR System was described. As a federation of states and a national government, the eight state or territory governments are charged with responsibility for health care while the commonwealth government coordinates national activities. Most primary care and community-based specialist services (primarily delivered through the private sector) are subsidized by a national health insurance system called Medicare. Since legal frameworks apply, privacy is managed under a national Privacy Act as well as through varying state and territory legislation. Stakeholders of the project Health Connect recognize that privacy and confidentiality are central to public trust and participation in an EHR system. The current recommendation is for a single national repository of shared EHR summary data sets that would be managed by the Health Insurance Commission (HIC). Australia may end up with a federated system of records that provide patient choice about where records are maintained (with HIC as the default depository). These issues are currently being examined by the National Electronic Health Task Transition Authority (NEHTA).
Discussion
Issues of ownership and access to health records were discussed (see detailed summary or transcript for specifics). As the development of EHRs contributes to public debate about privacy and confidentiality, it must enhance privacy by using informed consent (Australia does not have legislature analogous to HIPAA). As multiple practitioners present challenges, Australia is exploring issuance by the primary provider of a copyright license for use by other practitioners. All health information is treated as potentially sensitive and there are laws that deal with discrimination for medical conditions or disabilities. Another topic covered is the difference between electronic information storage at the point-of-care and a shared electronic health summary. Between these extremes is a point-to-point transfer of structured, secure clinical messages between providers. Most opt-in, opt-out, and consent issues relate to the shared summary record. Also mentioned were the national pharmaceutical subsidy system insurance programs, the Health Insurance Act that oversees Medicare, and the Electronic Transactions Act. Public infrastructure provides highly secure encryption for health information on the internet in electronic form. For the purposes of Health Connect, patients are given identifying numbers, although the NEHTA is mandated to define standards and make recommendations about a national health identifier. The current draft proposal calls for HIC to manage a system of national health identifiers. These recommendations will be available to the public on the following websites: www.healthconnect.gov.au (Health Connect); andwww.NEHTA.gov.au.
PANEL V THIRD PARTY PAYERS
Pharmaceutical Care Management Association (PCMA) Phillip Rothermich
Background about the development of the PCMA was given. RxHub was created to develop infrastructure and transaction standards for e-prescribing, including the provision of drug history information by aggregators of prescription drug claims. The value of PBMs is their ability to provide drug history information to physicians at the point-of-care in order to avoid drug interactions or adverse events. Key premises include:
- Each piece of omitted information is a lost opportunity for providers.
- Systems cannot accommodate an individualized approach nor is it administratively feasible.
- A common denominator approach is needed.
- HIPAA is generally not an issue in that most potential uses of drug history information relate to treatment, payment, or healthcare operations.
- Varying and confusing state privacy laws make it hard to find a uniform approach.
- Lack of consistent approach among information sources can lead to misunderstanding.
The need for a uniform approach is important. Potential approaches include:
- Individual opt-in: not feasible to administer; many lost opportunities.
- Individual opt-out: not feasible to administer unless burden is left to clinician.
- Individual opt-out by drug class or other categorization: not feasible to administer and would not meet patient needs.
- Send everything for everyone: generally acceptable with existing common law and HIPAA protections but likely to make privacy advocates uncomfortable.
- Filter out certain drugs for everyone: best approach as long as agreement can be reached on common exclusion list.
- Send nothing for anyone: lost opportunities in quality and cost savings.
Balance is the key. There must be laws about misuse of information and discrimination. Individual privacy must be balanced again potential savings, safety, and efficiency gains. Any solution must be workable administratively without adding cost to the system. A uniform system across the country that requires standards and federal preemption is recommended.
ERISA Industry Committee (ERIC) Edwina Rogers
ERIC is a non-profit trade association that advances employee retirement, health incentive and compensation plans for America’s major employers, mainly fortune 100 companies. Major employers must address issues under the Employee Retirement Income Security Act (ERISA) and HIPAA. Major employers need access to electronic records and systems to continue to deliver state-of-the-art health benefits to employees. Challenges include the fact that current laws about medical data and benefit plans place a great burden on companies that voluntarily provide medical coverage to employees.
Issues involving ERISA and HIPAA were enumerated (see detailed summary or transcript for specifics). ERIC strongly argues for one national standard that includes ERISA plans and preempts all state laws. The role of employers was defined. For a successful transition to an EHR system, recommendations include helping employers comply with security and privacy concerns by creating uniform standards that are the end-line. Employers require clear, concise goals and rules to deliver services that their employees demand (note: ERIC is available to conduct a member survey for the Subcommittee, if requested).
Society of Professional Benefit Administrators (SPBA) LaRea Albert
SPBA is the national association of third party administration (TPA) firms that provide employee benefit management services to clients and benefit plans. Challenges were described to include lack of return on investment; issues surrounding stop loss or re-insurance carriers (see detailed summary or transcript for specifics); implementing disease management and what to do with information from HRAs; and burdensome state proxy rules. Payers need assistance from the federal government and incentives must be developed to encourage the use of HIT (an estimated $1 billion has been spent by payers thus far, as the cost of doing business). SBPA members wonder how the NHIN will work in the context of their internal systems. Questions about information sharing abound (see transcript for example). Members wonder if the current electronic systems will eventually be replaced by a new, incompatible system.
Indiana Health Information Exchange (IHIE) J. Marc Overhage, M.D.
IHIE is a non-profit venture backed by a collaboration of Indiana health care institutions for the purpose of: using health care information technology and shared clinical information to improve the safety, quality, and efficiency of care for Indiana’s citizens; creating research opportunities; and establishing a successful model of health information exchange that others can emulate. IHIE’s strategy, model, and clinical messaging service were described. Privacy concerns were defined to include patient authorization; data protection; data disclosure; privacy permissions; and research potential (see detailed summary or transcript for specifics).
Panel V Discussion
Relative to medication time restrictions, it was suggested that the industry develop a standard (uniform rules) for cutoff dates and transfer times to assure patients of a limit on medication history. Could Utah’s gathering of prescription drug information on every person with a license be done nationally? From a system’s perspective, it would be hard to exclude drugs that have already been included on the list; and there are adverse consequences to a person’s choice to withhold drug history from their physicians. Rules must be drug-by-drug or class-by-class but a decision must be made about whether specific drugs are on or off the list. The complexity of making and tracking third party payments was then raised. There were more questions about stop loss carriers; and “lasering” was defined. Some participants could not understand why individual identifiers (rather than names and other direct identifiers) could not be used. Mr. Rothstein added stop loss carriers to topics for a possible fall hearing. Three themes were then reiterated: 1) administrative benefits of uniform laws in all states; 2) secondary uses of information; and 3) other uses of PHI (i.e., wellness programs, HRAs, or disease management). Patient understanding of HIPAA, limited choice about consent, and common law rights were other topics of discussion. Concern about misuse of employee information and the “blurring” of information dissemination was reiterated and addressed. Two legal changes were suggested to prevent information leakage: 1) an unconditional release or authorization for all health information of all conditional employees (currently law in every state except Minnesota and California); and assignment of medical benefits numbers for companies that could be cross-referenced against eligible employees to promote identity protection during claims processing.
An “edge proxy” was defined as a structured, coded database that holds data of participants on their behalf. It was determined that privacy language is uniform across IHIE institutions and that most participants elect to have their information managed centrally. Since HIPAA, a determinist patient-matching algorithm has prevailed (versus a probabilistic method). The specifics of batch rates, gold standards, and secondary use of information for research were discussed (see transcript for specifics). It was noted that much of the privacy and security discussions serve as surrogates for trust.
Danish Centre for Health Telematics Ib Johansen (via phone)
The Danish Centre for Health Telematics is a public non-profit organization that is developing communication standards for the exchange of health information. In addition, it encourages private companies to implement and sell the standards in the open market. The Danish health patient network, run by local governments, was described (see detailed summary or transcript for specifics), including the fact that all health data is encrypted on the internet; all data is exchanged electronically; all documents are identified by patient identifiers; and all medication information is stored in a national database (noting that patients can access the last two years of medication history on-line).
Discussion
While it is not clear that costs in the Danish system have been reduced, errors have been “very much reduced” due to electronic prescriptions. A strict Danish data protection law mandates patient permission for data transfer. Health information can be blocked but not removed, although if a person changes GPs, the original physician cannot transfer blocked information.
SUBCOMMITTEE DISCUSSION
The specifics of upcoming Subcommittee meetings and hearings were delineated. Themes of this hearing’s testimony were reiterated. Several participants noted that cost and implementation questions go beyond technology (see detailed summary or transcript for specifics). Mr. Rothstein will propose a meeting with Dr. Brailer in the June 9, 2005 Executive Subcommittee meeting to discuss what kind and level of recommendation would be valuable.
DETAILED SUMMARY
DAY ONE: JUNE 7, 2005
CALL TO ORDER, INTRODUCTIONS, REVIEW OF AGENDA, OPENING REMARKS
Opening Remarks by Mr. Rothstein An anticipated benefit of the NHIN is an increased use of evidence-based medicine. Relevant questions include:
- What is the evidence that developing the NHIN will increase the use of evidence-based medicine?
- What is the evidence that the NHIN will reduce errors, increase access to health records, reduce costs, and improve efficiency?
- How can these benefits be maximized?
- How have existing health information networks balanced privacy and confidentiality interests of individuals with clinical and public health interests?
The focus of this hearing is on rules for inclusion, retention, and dissemination of health information for healthcare purposes; and disclosure to third parties for non-healthcare purposes pursuant to authorization.
PANEL I INTEGRATED HEALTH SYSTEMS
Lehigh Valley Hospital and Health Network, Allentown, PA
Harry Lukens (via phone)
Lehigh Valley Hospital is an acute care magnet hospital named as one of 38 of America’s top and most wireless hospitals. Its vision is for all physicians to share selected clinical data within EMRs. Phase Two discusses the creation of EMRs for residents of Lehigh Valley with other local institutions to ensure that physicians have access to critical clinical information, as needed. Using EMRs since 2002, Lehigh Valley Hospital has already tackled the interface between systems such as lab, health information, and radiology. Yet cultural obstacles persist because some physicians are reluctant to share patient data for fear of losing patients. Cost factors are mitigated because the hospital IT Department hosts the EMR system. Physicians don’t have to acquire or support this system although some cost is passed along to them. Lehigh is refining a system that informs physicians about medications and allergies. While short-term costs are higher due to a learning curve, it is predicted that productivity return in the long run because unnecessary tests (and possibly admissions) will be eliminated. The goal is to do predictive medicine and research on disease management for Lehigh Valley.
Winona Health, Winona, MN Kathleen Lanik
Winona Health is a non-profit, community-owned integrated healthcare system that has a primary care hospital, physician clinics, assisted living communities, a nursing home, homecare and hospice services. In 2000, the system began to develop a community-wide integrated EMR (with other medical sites in the community) that allows providers to share patient information in a secure setting. Three independent entities formed a single organization to maintain the EMR system. To ensure privacy, audit trails and a joint Notice of Privacy Practices were developed. In addition, organizational policies were aligned; staff training was institutionalized; and security measures were established. Unlike the more accessible paper records, EMRs are ideal for privacy and security because access can be restricted. Instantaneous documentation and information accessibility are at the point-of-care. Because patient medications and their interactions are listed on the record, medical errors are reduced. Better services are available for residents entering the emergency department and the most current patient information is available to providers. Evaluations, patient satisfaction surveys, and input from a Patient IT Steering Committee inform the system’s Information Steering Committee. Working relationships with area clinics are improved because of better insight about needs and an eye to the entire care continuum and best practices. The registration process has improved. As such, physicians see the new system’s efficiency and value. An evidence-based committee looks at the computer physician order entry. Job functions are being redefined as the system moves toward becoming totally paperless. Every department looks at performance improvement. Turn-around time for chart completion is the “gold standard.” Numerous awards have been given to Winona Health for these efforts. The national Baldridge application, which Winona Health has recently completed, was described (see transcript).
Veteran’s Health Administration David McDaniel
The VHA, serving more than five million veterans, is the nation’s largest national integrated healthcare system. A trailblazer in the field of EHR and management, the VHA believes that technology offers the possibility of better healthcare.
Alarming statistics within the healthcare industry include:
- One in seven hospital admissions occurs due to lack of provider access to medical records.
- Twelve percent of written orders are not executed as written.
- Twenty percent of lab tests are requested because previous results are not accessible.
- 98,000 Americans die each year from medical errors.
Since 1985, the VHA has been tackling the above challenges in a wide variety of settings with the help an automated information system that now provides a single interface for all necessary interactions. Data supports clinical decision-making (see transcript for examples). A real-time order checking system is in place. The Veterans Health Information Systems and Technology Architecture (VistA) imaging (which integrates traditional medical chart information with medical images) is operational at most VHA facilities. Bar-code medication administration addresses medication errors by electronically validating and documenting in-patient medications. Care management provides an automated method for tracking follow-up actions and tasks (see transcript for benefits). The VHA compares favorably with the best performers in the industry on 18 performance-quality indicators and has outscored the private sector in customer satisfaction and ambulatory care, inpatient care and pharmacy services.
Privacy challenges include the need to comply with many privacy laws and regulatory barriers. The VHA must coordinate and facilitate progress toward this goal in an environment of competing interests (e.g., VHA and Dept. of Defense). Federal laws must be reconciled with local and state laws. There is a fine line between protecting privacy by limiting access to records and disclosing necessary information to enhance accessibility and quality of care.
Panel I Discussion
Asked whether physicians obtain authorization, Mr. Lukens said that patients sign a standard HIPAA document as well as a document developed by Lehigh Valley Hospital that allows for information sharing between providers and for the development of a patient clinical database, the benefits of which are articulated to the patient. Ms. Lanik noted that while they have an opt-out procedure, no one has opted out to date. While Winona Health is looking at the possibility of scanning information, cost prohibits this procedure at present. While patients have the right to exclude information from their medical records, they do not participate in the health system’s IT Committee and to date, no patients have opted to exclude information from their records. Mr. McDaniel added that in the VHA system, patients can request the exclusion of information from their records.
Mr. McDaniel explained that the VHA system is able to retrieve information from other facilities but not as a single solution. If a veteran is seen in two different hospitals, the CPRS system is exclusive to those other facilities although they would have access to the records. Mr. McDaniel described a transparent employee privacy program at the facility level. The VA Privacy Program is an amalgam of all privacy requirements at the federal level (not state level, which they are not required to adhere to, with the exception of collaborating with business partners that must comply with state laws). Currently, the VHA is considering how to participate in sharing groups with its general counsel, which is complicated by how they incorporate state law implications into existing federal laws. Mr. McDaniel reiterated that redacting information is not standard practice within the VHA system. Ms. Lanik added that Winona Health does not send information electronically across state lines although patients can get their records on paper.
The VHA system integrates compliance with federal confidentiality regulations for substance abuse records. They also consider Title 38 regulations and sensitive issues like HIV. VA systems are built on business processes (how they use and disclose protected information) than on the system itself. They accommodate to Part Two and HIPAA before information enters the system via the consent process for Part Two (see transcript for explanation of how the three systems represented by panelists would work with the medical records of the pregnant woman example put forth). Both Lehigh Valley and Winona Health provide comprehensive information to the treating physician.
In response to Mr. Reynolds questions about how the presented systems really work for the patient, Mr. Lukens stated that Lehigh Valley does not do a good job of explaining to patients what they are signing. Since the onset of HIPAA, the VA has been working to understand that protecting a person’s information is just as important as medical care. This concept is a cultural change that will not occur overnight. Information must become part of the treatment process. Ms. Lanik said that Winona Health’s privacy statement is a few pages (down from 50) but that the system’s pledge to the patient is to keep information private (written in big bold letters on the front of the statement).
Asked about back-up systems, Mr. Lukens said that Lehigh Valley has a “hot back-up” or replication of the data that occurs in real time. All VA facilities have disaster recovery and back-up plans, though they are different for each hospital. Winona Health, which has never had an interruption in information, uses an ASP model and fiber optic cable. No organizations represented on the panel have EHR systems hooked up to the internet but Lehigh Valley is working to provide physicians with internet access within the next year. Asked about ownership of software and hardware for an ASP model, Ms. Lanik said that Winona Health owns the data and a non-covered entity owns the equipment and programming. The company cannot aggregate or resell this data; and in the event of a merger or bankruptcy, the data would be destroyed.
Mr. Reynolds wondered how these EHR systems transfer to smaller clinician settings. Mr. Lukens thinks that the ASP model will provide smaller practices with this technology. Ms. Lanik agreed that ASP is the only affordable model. Dr. Vigilante thinks that personal health records (PHRs) are the way that many people understand what EHRs are. In reference to a personal health dimension to the EHR, Winona Health Online is still in the testing phase as an alpha site to help the community understand their personal health record. The long-term goal is to have a comprehensive rather than a test site. Mr. McDaniel described the My Health Vet Program,which helps veterans better understand the EMR. Vets can maintain and manage information in their personal record but it is also essential to help them better understand the migration to electronic records. Lehigh Valley has started with a program called Physician Online, which allows patients to communicate with their physicians electronically but to date, there is no personal health record option.
Security breaches and disclosure policies were then discussed. Winona Health does not have disclosure policies and does not notify patients about security breaches unless first approached. Most breaches are by staff persons who review their own medical records on-line. These cases are referred to the Human Resources Department. Winona Health terminates employees with no right to review records after a thorough investigation. Lehigh Valley runs intrusion detection and auditing software. Like Winona, they only work with people who believe that their records have been compromised. An employee who is caught reviewing the records of another is terminated. Should this occur, the policy is to let patients know that their records have been compromised. To date, this has not happened but nevertheless, Lehigh Valley has corrective action policies to address exposure of a patient’s record by an employee. Physicians are sanctioned by the medical staff leadership and non-physicians are handled by HR policies. The VHA system aggressively investigates any possibility of breeched information but no system has been established to handle an information breech for a large numbers of patients. The VHA system has a standard policy for sanctions against employees and guidelines that map specific infractions. Mr. McDaniel further described insurances that protect a person’s identity. Asked about how systems like Winona Health send out information relevant to job applications, Ms. Lanik noted that restricted information does not get sent and that a company will be told that they are unable to provide certain information. Mr. Lukens did not know how Lehigh Valley handles requests for restrictive information. Specific information is often requested via forms. Winona Health relies on a policy to provide the minimum necessary for any release request. None of the paneled organizations have technological software that allows them to send selected information. While such software could probably be developed, acquiring coded data is very costly. How conditions are coded and where a person is treated poses challenges (see transcript for example). Mr. Rothstein acknowledged that the capacity does not currently exist and he wondered if the cost would be justified by the privacy protection.
Asked about use of the internet, the three panelists stressed the need to adequately address security concerns before health systems would feel confident about using this resource.
PANEL II HEALTH SYSTEMS
Availity, Inc. Jon McBride
Background Availity is an independent joint venture created in Florida in 2001 by Humana and BC/BS of Florida to provide a utilitarian internet solution to the HIPAA compliance deadline. Using a geographically redundant ASP model, the goal is to improve workflow and reduce healthcare costs. Eligibility and benefits, authorizations, claim statuses and submissions, and advice are securely available on-line at no cost to providers. With connectivity to payer-owners and over 1,000 payers nationwide, Availity has over 90,000 portal users and 400 vendor partners. There is more than 90 percent usage by provider sites (40,000 providers). Availity has a run rate that exceeds 100 million HIPAA-compliant transactions in 2005.
The NHIN The evolution of the NHIN should be incremental with a phased and structured approach. The NHIN must be open in standards and participation by all industry constituents. With enough payer market share, providers and vendors will modify behavior towards more efficient workflows. More patients will be covered by connected payers. Utilization will drive down costs. EHRs can be created by combining provider-based EMRs, the payer-based health records, and aspects of the consumer-based personal health record. Centralized record pointers provide locating and accessing services. A “real world” example of how sharing healthcare information can make a difference was given (see transcripts for description of “Amy”).
Recommendations on the creation of the NHIN
- Uniform application of laws and government leadership should be applied.
- Completion of HIPAA rulemaking.
- Creation of a user model to define who administers, controls, authors, accesses, and edits health records.
- Participation by consumers on NHIN governance boards.
- HIPAA identifiers are critical to helping evolve healthcare interoperability. Registries that securely manage digital patient identities, providers, payers, and medical staff are critical to secure operation and adoption of the NHIN.
- Usage and management of standardized data elements should be mandated by the NHIN governing body.
- Interoperability standards (including privacy and security) must be developed at the national level. The internet must be uniformly used by all public-facing government healthcare entities.
Further recommendations To achieve the NHIN goals within a viable timeframe, there must be a plan for obsolescence of technology. Sunset and maintenance rules must be developed and used. A continuous 10-year rolling plan is recommended. DHHS should create a federated model of regional networks that make up the NHIN.
Aetna Health Information Solutions Paul T. Sheils, J.D.
Purpose of testimony To describe the efforts at Aetna and AHIP to help develop an interoperable EHR by encouraging health plans to leverage their claims data, health content, analytic capabilities, and existing relationships with providers and patients in order to build a claims-based, informatics-informed, patient-controlled personal health record (PHR) that would be interoperable with the EHR.
Insurance plans are trying to provide PHRs because they access important data elements, tools, technologies, and relationships with stakeholders. Health plans have expertise about how to manage claims data; technology platforms, and sophisticated websites that interact with providers and patients. They also have significant analytic capabilities that provide decision support tools to patients and providers. Aetna has purchased a company called Active Health Management, whose core competency is the analysis of claims data relative to care gaps or contraindications.
Mr. Sheils presented a schematic demonstrating data input that plans already receive, including claims data, medical claims, prescription claims, and lab values. The goal is for patients to input self-reported data from health risk assessments and other areas into an interoperable member record. The PHR is a parallel effort that is interoperable with the EHR. A member-centric health profile is valuable for its raw data from transaction-based claims data (such as lists of medications, vaccinations, encounters, lab values and results). An additional claims-based value of PHRs has to do with evidence-based decision support tools. Claims can be run against a rules engine to determine clinical and therapeutic recommendations relative to certain national guidelines. A member-centric information platform also enables targeting of specific information or health content about particular conditions (see transcript for diabetes example).
A PHR mock-up provides a comprehensive view of a member’s physicians, medications, and diagnoses within a patient-controlled device. Information is printer-friendly and claims-based. The engine supporting the record uses analytic capabilities that plans can apply to raw data for personalized recommendations to the patient and, with authorization, to the provider. This patient-centric model delivers a limited data set that allows the patient to determine who and what part of the record to avail to others. Patients also receive specific articles about particular conditions and alerts about contraindications on drugs, care gaps, or contradictions as well as information about deductibles and disease-management compliance. These services have been approved by the Board of the AHIP. The goal is to enable the Board to propose this structure to its membership and to have the standards bodies ensure interoperable standards with EHR systems. Systems must be built on compliance with HIPAA and state privacy laws. Base information on physician-accessible, patient authorized PHRs should be standard and portable. These elements enhance physician engagement with members. Additional benefits and support tools include e-visits, e-messaging, and e-prescribing. While not as complete as an EHR, the PHR provides significantly valuable material to patients and providers and aims to improve the quality of care. It provides a practical, near-term parallel effort to the EHR in the development of the NHIN.
Panel II Discussion
Asked how patients should control their data, Mr. McBride said that patients have a choice about participating. If a patient “opts in,” there are rules within the NHII guidelines on privacy. The business or medical rules must decide what is appropriate to share. Mr. Rothstein pointed out that while PHRs help with health promotion and monitoring, physicians and third parties will probably want access to complete EHRs. PHRs do not protect privacy interests. Mr. Sheils pointed out that PHRs, which can be created quickly, are helpful to physicians with no access to EHRs. Responding to an example given by Mr. Rothstein, Mr. Sheils said that self-reported data from a health risk assessment (HRA) can be incentivized by a plan or employer. A separate claims-populated portion of the PHR is plan-populated. An employee contract indicates what use the plan or employer can put to the information. Mr. Rothstein pointed out that HRAs only have value if employees have not been coerced to fill them out. Mr. Sheils focused on the technical rather than ethical issues in restating that employees can participate in HRAs or not.
The benefit of HRA information lies in data analysis that helps employees with healthcare decisions. It is almost impossible to view claims retrospectively because they have not been created or stored in the correct format. Companies such as Verispan and NDC have tried to create virtual longitudinal records based on historical access to claims data but Aetna’s strategy is plan-based. Mr. Sheils believes that competition about information-sharing between companies is a big issue. It is therefore important for the AHIP Board to recognize competitive advantages and differentiation capabilities that distinguish what companies offer (other than the raw claims-derived data, which would not vary). Mr. Sheils recommended that the Subcommittee review the security and authentication systems of Care Keeper. This company formats the PHR in discreet data sets that allow the patient to determine what components should be viewed by whom. Care Key and You Take Control are other vendors who deal with authentication systems and data segmentation. Business or operating rules must be built into the technology. If a member of Aetna wants to set up a PHR, there are password protections and other levels of identification. To authenticate members would involve written authorization. While PHRs have lab values (via contracts with lab companies like Quest), they do not include the result of stress tests or MRIs.
Sensing that uniform privacy laws will not occur, Mr. Houston believes that a robust authorization scheme could address the various privacy laws. Mr. McBride thinks that more individual agreements create an increasingly complex environment in which to develop a national system. A national governance dictating a minimum set of authorization requirements that satisfies various state and federal laws, is preferable. Without this, interoperability becomes very complex. Asked if an alternative private network to the internet should be considered for security purposes, Mr. McBride said that the internet has come a long way relative to security and communication and he recommended its use. He stated further that leased lines (often not encrypted) are not as secure as VPN over the internet.
A discussion about the fine line between educating and marketing ensued, relative to the educational process and articles on the proposed PHR. Striving for independent evidence- based information based on claims data, Aetna has hired a former Editor-in-Chief of JAMA to ensure the integrity of its editorial process.
Relative to lab values, Mr. Sheils did not know the specific HIPAA issues on the use of information or regulations in the PHR but noted that their legal evaluation of the PHR would examine these data points. Mr. McBride stated that Availity’s exchange of information about lab tests is between providers rather than between payers.
PANEL III INTERNATIONAL HEALTH SYSTEMS
Canada Michael Sheridan
Overview Canada is examining a set of fundamental issues about how to improve access and reduce wait times for human health resource services; home care; national pharmaceutical and public health surveillance strategy; aboriginal health; and more broadly, about accountability for expenditures and movement forward (see transcript for statistics related to health systems challenges). Canada’s electronic health program looks at six basic drivers: demographics (registries); diagnostic imaging; lab results; drug profiles; immunizations; and telehealth. Canada’s agenda is national and its goal is to have 50 percent of all Canadians in an EHR system by 2009. Relative to access, an interoperable EHR system would save approximately $30 million/year (primarily in medical transportation costs). A savings of $3.4 billion/year is estimated for issues related to quality such as adverse drug effects, and a savings of $1.6 billion/year is projected for diagnostic imaging.
Canada’s Health Infoway is a non-profit corporation with shared governance that was developed to be a “strategic investor” that fosters and accelerates the development and adoption of EHRs across the country. Canada uses a 75/25 funding formula for eligible costs. Infoway’s capitalization, at $1.2 billion, will be depleted within four years, as it works toward the 50% EHR usage goal. The cooperative model (between jurisdictions) is generally working well. Infoway has nine strategic investment programs: innovation and adoption; interoperable EHRs; drug information systems; lab information systems; diagnostic; public health; telehealth; client-provider location registries; and an infostructure program of standards and blueprints. Canada strives for end-user adoption of EHRs in order to move their agenda ahead.
In Canada, an EHR is defined as a secure private lifetime record with key health history and care within the health system. The record would be electronically available to healthcare professionals and the individual (anywhere, anytime). EHR architecture includes domain repositories with lab, pharmaceutical, and imaging information as well as client and provider registry information. A repository would cover about 1.5 – 2 million people (see transcript for PAX imaging example). Providers inform registries, which are the single sole source of patient information and demographics. According to a recent survey, approximately 85 percent of Canadians support the development of EHRs despite privacy concerns about record access. Relative to these concerns, issues under consideration include: consent representation mechanisms; authentication and authorization techniques; role-based security and privacy; contextual access criteria to data; and trust models between systems. More progress has been made on security than on privacy issues to date. Work on privacy includes 13 sets of legislation. The jurisdictional governance of the health records are at the provincial and territorial levels. A group of experts has been formed to address 28 sets of privacy issues and 87 sets of security issues by developing a conceptual architecture for standards and interoperability. This plan (to be published in summer 2005) will present privacy and security requirements for an interoperable EHR. Automated audit and alert capabilities, which are being developed at a fast pace, will limit access. Progress has been slower than anticipated, partly due to lack of funding by the jurisdictions and to the challenge of adopting major changes in work flows and interactions, interface, and patient treatment. The $1.2 billion is only 25 percent of the total cost of delivering an EHR to 100 percent of Canadians (total cost projected is $10 billion).
United Kingdom Don E. Detmer, M.D.
The United Kingdom (essentially England and Wales) is engaged in a major effort to computerize their government-sponsored care system, which is complicated by the distinction between EU and UK law. The National Health Service is an intranet system that does not have a PHR health record interface with provider records. Because the UK has a universal state provision, only 10 percent of the population has private insurance. Many in the medical community believe that current privacy regulations impede biomedical research. The focus is far less on EHRs than in the USA. Unique health identifiers are not an issue and in general, there is much less media intensity on the concept of privacy.
As a general framework, the UK uses a HORUS model (holding, obtaining, recording, using, and sharing) for holding information. Ethical concerns are essentially parallel with the USA. Confidentiality issues are being addressed via the development of privacy regulations for government-held data. Legally, a common law of confidentiality exists. The Organization of Economic Co-operation and Development (OECD) has put forth principles. Pertinent acts and regulations include: the Access to Medical Reports Act; Access to Health Records Act (1990); EU Directive (1995); Data Protection Act (1998: key legislation); Human Rights Act (1998); Health and Social Care Act (2001); and the Human Tissues Bill that has been passed into law. Discussions are occurring about what these laws and regulations mean, which impacts the research community and movement forward (see transcript for specifics). A Patient Information Advisory Group (PIAG) was developed in England and Wales to make recommendations to the Secretary of State about guidelines and the mechanics of operating Section 60 (which allows for exemptions of some person-specific medical research information). The PIAG wants to avoid a major backlog. It is likely to develop broad principles that include consent or anonymization of data; a beneficial and proportionate purpose; and effective security, confidentiality, data retention, and disposal policies. Other relevant statutes cover laws mandating, permitting, and prohibiting data sharing and data subject access to data. The Common Law of Confidentiality is based on case law rather than written in statute. A person can be sued but not arrested for breaches. There are a variety of sanctions but very few cases have been relevant to medical records.
The many regulations speak to a government interface with organizations. Information Governance in Practice was developed to unite a number of related initiatives (i.e. Data Protection; Caldicott; Security; Data Quality; Consent/Confidentiality; Freedom of Information; Health Records Management). A toolkit was developed to help acute treatment, primary care and mental health facilities, and general practitioner’s offices but these efforts are moving slowly. Healthcare Commission ratings evaluate compliance with regulations. Anonymization is not dealt with differently than in the USA.
Panel III Discussion
Contextual access criteria will be driven by privacy requirements of particular jurisdictions in Canada. Role definition access, which is part of 28 examined security items, are set in broad terms to respond to definitions across 13 jurisdictions. Canada is trying to define a common set of access and architecture that fits into the overall IEHR. While a generic set will probably not work across all jurisdictions, it will get fairly close (report is forthcoming by fall 2005, which can be available to the Subcommittee).
In the UK, the general citizen does not discriminate between paper and electronic records, though that will probably change. Most patients don’t have a great interest in having or seeing their data although basic regulations are in place to allow for that. While 95 percent of general practitioners write electronic prescriptions, they are not necessarily sent electronically. Genetic information is the only area that generates a response in the media and, to an unknown degree, at the citizen level. The UK has a moratorium on the use of genetic information in life insurance underwriting.
Mr. Houston asked panelists whether they would prefer the privacy laws of the USA, UK, or Canada relative to the roles of patients, providers, RHIOs, or researchers (see transcript for specifics). Mr. Sheridan does not view the complexity of Canadian provincial laws as a barrier. Healthcare is defined as a provincial and territorial jurisdictional right under the Constitution and legislation. Databases are implemented in domains across a jurisdiction rather than into one huge database, providing a set of common services that permit people to select data from various domain repositories. In any case, the caregiver and patient must agree to exchange data and information profiles. The legislative prerogative for healthcare records rests with the jurisdiction. Because there is not one set of rules that everyone agrees to, Canada is working to find a set of reusable standards and, as such, is creating a national infrastructure with local variation. In the UK, implied verbal consent is often used. Both the UK and Canada have central databases, which is almost banned in the USA. Dr. Detmer believes that the USA has gone overboard on individualism and has lost sight of the collective good (recommended reading includes Autonomy and Trust in Biomedical Ethics by Onora O’Neill, Cambridge University Press). Europeans seem proud to be part of a collective and to maintain a sense of solidarity. Referring to Onora O’Neill, Dr. Detmer described her contention that privacy erodes a sense of trust and can interfere with doctor-patient relationships.
Asked about the 87 percent acceptance rate (results of survey conducted by Statistics Canada, Health Canada, and Canada Health Infoway), Canadians conveyed that they were driven by a desire for better, quicker healthcare with shorter waiting lines. The 50 percent implementation rate reflects the parameters of what Canada can afford. With success stories, they can capitalize on expanding the system incrementally. In contrast, the UK put forth 16 billion pounds (equivalent of $18 billion) toward its EHR effort.
PANEL IV REGIONAL HEALTH INFORMATION ORGANIZATIONS (RHIOS)
SAFE Health, Worcester, MA Lawrence Garber, M.D.
Background SAFE Health (Secure Architecture for Exchanging Health Information) is a community-based project led by three leading healthcare organizations in central Massachusetts (Fallon Clinic, Fallon Community Health Plan, and the University of Massachusetts Memorial Healthcare System).
Committed to improving quality of care, patient safety and operations, SAFE Health is developing technology that securely stores, transmits, aggregates, consolidates, and displays patient-specific health information within a regional health information exchange network that has a distributed federated master person index. Thus, there is no central master-person index or storage of demographic information. SAFE Health integrates decision support into the network to alert providers to significant events such as drug interactions or abnormal test results or medication levels that are overdue for monitoring, which is important for patient safety in ambulatory environments. A JAMA study by Dave Bates has shown that most adverse events are connected to inadequate monitoring of drug levels or side effects. Approximately 200,000 life threatening or fatal adverse drug events in the ambulatory setting and approximately two million adverse events due to “fumbled” handoffs at hospital discharge could be prevented with programs like SAFE Health. This is important because 60 percent of physicians practice in small groups of nine or less. Integrating office practices with hospitals, labs, and medication histories can save lives if patients allow their health information to flow between healthcare organizations.
Two general approaches govern patient participation. The first is “opt-in,” in which patients give informed consent prior to information exchange, which puts an onerous burden on the patient and practices to obtain and process consents from all providers. For one million patients in central MA, at least 10 million consents must be obtained, which is costly. In addition, patient records within the network will have unpredictable holes that can affect a provider’s ability to adequately provide diagnoses and treatment (note: the Patient Safety Institute’s Health Information Exchange in Seattle, Washington, which uses the opt-in approach, had only four of its first 400,000 registered patients choose not to participate in the network). An alternative authorization model, which SAFE Health will use, is an “opt-out” model. Following HIPAA’s approach, privacy notices will be updated, educational campaigns will be conducted, and patients will be instructed about how to opt-out.
SAFE Health is constructing four opt-out alternatives, to include the ability to block:
- Sensitive information (e.g. mental health, substance abuse, HIV, STDs).
- Information generated from particular providers.
- Certain facilities regarding certain patients (e.g., employees of healthcare facilities); or
- Decline participation.
Benefits include:
1) 99.9 percent of patients who chose to participate receive benefits when the network is established.
2) Physicians will feel more confident about the completeness of the data they see.
3) A significantly decreased processing administrative burden.
Challenges include the difficulty of blocking just sensitive information. Computers do not yet have the ability to screen out sensitive notes. Screening information based on specialty or billing diagnoses also falls short. In Massachusetts, three consent forms are presently required to ensure confidentiality. Other complications include the blocking of MAO inhibitors (anti-depressants that react severely with other medications). SAFE Health blocks the viewing of information while decision support is running in the network background that sees the full medication list. If a prescribed medication is going to interact with a blocked medication, the prescriber will be notified so that patient follow-up can occur. Patients must be told that blocking sensitive material is not 100 percent foolproof. HIPAA as the minimum requirement is often superseded by other state and federal regulations. For example, the federal regulation requiring prior consent for medication history is problematic for acute care services. In Massachusetts, sensitive medications include antidepressants, HIV-related drugs, diet pills, some cold medications, birth control pills, sleeping pills, most seizure medications, Zyban (for smoking cessation), and compazine (to stop vomiting). Differing state regulations (such as disclosure with or without prior informed consent) is also problematic and would undermine the NHIN if the country had to revert to restrictions of the most conservative states. If HIPAA was the accepted state and federal rule for operating RHIOs and the NHIN, specially-protected categories could be transmitted in the patients’ and providers’ best interests without the fear of lawsuits.
Summary Most patients want their physicians to have complete records, with protections already specified by HIPAA. Opt-outs could be offered to the minority of patients who want it. To facilitate the creation of RHIOs and the NHIN (which can prevent hundreds of thousands of injuries/year), HIPAA must become the national standard rather than the minimum requirement.
Primary Care Coalition of Montgomery County, MD Thomas L. Lewis, M.D.
Context Dr. Lewis’ testimony focused on the challenges of building a mini-safety net-oriented RHIO for low-income, uninsured people. Safety net challenges for privacy and the RHIO include: 1) data sharing is more critical; 2) building trust and confidence in data sharing is more difficult; and 3) automated matching is less reliable, such that database and analytic engines, master patient index, technologies, and algorithms are far less effective. Extra effort is required to maintain a patient-centric focus.
The approach in Montgomery County (which has several non-profit community hospitals, ten independent safety net clinics, and other affiliates) was to establish a Center for Community-based Health Informatics to determine if technology could be used for low-income, uninsured populations. Development of an EMR with data sharing among partners has its challenges. Disclosure of personal health data, which cannot be rescinded, can lead to social ostracism, job loss, and insurance questions. Safeguards are inadequate and sometimes data is used inappropriately (see transcript for Midwestern railroad example). Because HIPAA is not well understood, there is a question about whether it engenders or inhibits trust. The greatest cost of developing a shared EMR in Montgomery County has been for obtaining multi-jurisdictional legal sharing agreements among the ten safety net clinics.
Useful from the U.K. Despite a high level of trust in the National Health Service, a study has shown that only eight percent of people interviewed were comfortable with putting their data on a shared EHR. In response, the U.K. constructed a care record guarantee written in easily understandable language that defined the parameters of patient control, assent, and dissent.
Factors specific to low-income populations Patient factors are complicated due to a tendency to use multiple providers in multiple jurisdictions, which raises patient safety concerns and cost. Other factors specific to low-income clientele include: 1) reduced likelihood of having a medical home; 2) use of emergency departments for primary care; 3) care site-driven changes; 4) migrant workers; 5) frequent job and housing changes. What has worked is a voluntary approach, where providers take the time to build relationships. Even with different providers, a patient is likely to agree to data sharing when providers convey the benefits. Conversely, a top down approach doesn’t work due to cultural biases; immigration status; the difficulties of conveying trust; legitimate historical reasons to distrust the system; language and educational barriers. The consequences of distrust are that patients forego medical treatments that can require more costly care in the future. When appropriate information is not shared, there is a risk of the spread of diseases such as drug-resistant tuberculosis that is passed on from Central American migrant workers.
Automated matching has been problematic because, for example, there is no insurance identification. In addition, people may register under different names for different visits. There are frequent changes of contact information and unknown birth dates. There are false inclusions and exclusions. A national framework that could be implemented locally would help but HIPAA might not be the place to begin. Dr. Lewis recommends a clearly worded document that outlines security measures, tough penalties, and benefits. He noted that the Open Health Records Exchange is a group that is experimenting with a variety of matching methods in an attempt to develop reliable algorithms for low-income, uninsured populations.
Utah Health Information Network (UHIN) Jan Root, Ph.D.
Background UHIN is a small non-profit company that securely transmits administrative healthcare information between entities through a central internet gateway. Privacy and security are taken very seriously and information exchange standards have been developed. Incorporated in 1993, UHIN’s purpose is to provide healthcare consumers with reduced cost and improved quality and access. Network participation in this RHIO is voluntary. A diverse membership includes competitive payer and provider organizations as well as government and consumer groups. UHIN was originally a Community Health Information Network (CHIN). While most CHINs have not survived, UHIN has because of its focus on creating value and trust.
Three important decisions made early on include:
1) To define the network as a value-added group (rather than as a clearinghouse) that uses standards developed by the community.
2) To remain active on the national scene at X12, HL7, etc.
3) To use consensus rather than majority rule in order to be a community-controlled group.
UHIN, which has connections of 1,500 -1,700 end points (including 20 national clearinghouses and 400 payers) conducts approximately 50 million transactions per year. Community health centers are very interested in the fact that the plan will begin to incorporate clinical exchanges by extending its current network. A statewide master person index and provider/facility index will be developed (and probably a record locator service), and there will be no centralized PHI database. Challenges include finding ways to fund a business model for clinical exchange; creating or adopting necessary standards; addressing new privacy and security issues; and figuring out how to interact with patients as a RHIO. UHIN protects personal health information as well as information about members’ businesses. One lesson learned is that “health data is health data,” whether from a claim, a prescription, or a lab result. Another is that, to maintain trust, RHIOs should not function as central PHI data repositories. In Utah, the central data repository is held by the Health Department. A Patient Advisory Group (primarily consisting of patient and low-income advocates) suggests that educational programs are needed to inform patients about how the current system works in order to deflate fears about the dangers of an electronic system. Consumers seem to have a high level of interest in the exchange of health data.
Recommendations As a neutral third party, UHIN has grave concerns about the lack of privacy standards across state lines. Standardizing privacy nationally is recommended for the goals of the NHIN. While UHIN manages access, the hope is that national standards will be developed for how RHIOs should operate at a security level. UHIN recommends that RHIOs be certified by EHNAC (Electronic Healthcare Network Accreditation Commission), which works to establish high professional standards for clearinghouses and value-added networks. EHNAC has good security and privacy criteria. Using SSL (server-to-server keys) as a national standard is also suggested for greater ease in managing security.
To authenticate new members, an electronic commerce agreement is signed. Locally, UHIN addresses security concerns that are “in the pipeline” but does not take responsibility for security issues within member facilities. UHIN encrypts in compliance with CMS’s internet security policy and requires members to have a short list of browsers. They are working with the generic HIPAA security rule to create specific technical specifications for small provider offices that are “implementable,” reasonable, appropriate, and affordable.
PANEL IV DISCUSSION
Dr. Garber agreed with Mr. Rothstein that it is possible to obtain a single opt-in for each RHIO that could serve all of its physicians but the consent would still have to be verified at each location. Dr. Cohn asked if a possible model might be for states to be responsible for determining their own privacy policies while a different mechanism for patient decision-making is developed for use across states. One problem with this model is that many people get healthcare across state borders. Dr. Root believes that a patient-centric model (in which the patient controls and shares the information) is the best possibility short of completely reforming privacy laws. Dr. Lewis said that the sharing agreement between their ten clinics (framed as a collaboration rather than an adversarial proceeding) points to the possibility of negotiating suitable privacy protection agreements across jurisdictions without having to renegotiate and resign agreements at each additional setting. Mr. Houston mentioned a Canadian publication stressing the idea that most patients want to be asked before opting-in to a research registry. Dr. Garber noted that his program’s evaluation scrutinizes public trust issues by considering opt-in and/or an educational approach. In Utah, problems with an opt-in approach (e.g., with the Children’s Immunization Registry, when one parent opts a child in and the other parent then opts the child out) has resulted in the switch to an opt-out system. Dr. Tang noted that third party PHRs are not covered by HIPAA. While the Utah Department of Health has a legislative right to collect clinical data about patients, claims data can be used by providers as a way to ease reporting burden. Further, the Department of Health has had statutory permission to accumulate personally identifiable health information since 1990, with the rationale of improving quality and care and reducing costs for Utah citizens. Data collecting, which began with in-patient hospital discharge information, has expanded to include ambulatory care centers and prescription information from payers. The Morman Genealogy Project, now state-related, has been merged with the vital records of three to four million people.
Dr. Root clarified that clearinghouses are contracted to edit and check data for consistency. Data are not held in a VAN and in the case of lost data, the UHIN cannot help. Asked about the difference between the uninsured and insured relative to privacy, Dr. Lewis stated that uninsured people are much more hesitant to share data and again, much more likely to have multiple providers or to end up in an emergency room without access to records. Data they don’t want shared usually includes country of origin and social security numbers. In general, uninsured people are suspicious of any data acquisition process. Others are concerned about losing their jobs if information is obtained by employers. Though a longer process, people develop a better understanding and trust in the health system when community workers describe the benefits of data sharing. Education is the best tool for creating a receptive and comfortable environment that builds trust within and across the safety net and when linking safety net environments to mainstream healthcare systems. Trust is mostly built on a 1:1 basis within clinics rather than through advertising campaigns. Note that employers who can’t afford health care often send their employees to free clinics.
Asked about the software that monitors adverse medication reactions but remains invisible in the background, Dr. Garber explained how the concept of SAFE Health ‘s emerging production system works (see transcript for specifics).
INTERNATIONAL COMMENTS
Australian Government Department of Health and Ageing Brian Richards
Attorney General’s Department Janine Ward
General Framework for EHR System Australian Ministers for Health commissioned an EHR taskforce in 1999. In 2000, the taskforce strongly recommended that the Australian government develop an EHR system and the Health Connect Project was created. Australia is a federation of states with a national government and eight state or territory governments. The state or territory governments are charged with responsibility for health care while the commonwealth government coordinates activities nationally such that taxation and funding payers play an increasingly important role in development national approaches to health care. States or territories provide public hospital and many community services. Most primary care and community-based specialist services, which are delivered through the private sector, are subsidized by a national health insurance system called Medicare. Since legal frameworks apply, privacy is managed under a national Privacy Act (covering health services and information) as well as through varying state and territory legislation. Stakeholders of Health Connect recognize that privacy and confidentiality are central to public trust and participation in an EHR system. The project is moving into a national implementation phase that is starting with state pilots. These pilots have a single repository in each jurisdiction for health records storage. The current recommendation is for a single national repository of shared EHR summary data sets that would be managed by the Health Insurance Commission (HIC), an organization that is widely trusted as handling security extremely well. Final decisions about this architecture have not yet been made. Australia may end up with a federated system of records that provide patient choice about where records are maintained (with HIC as the default depository). These issues are currently being examined by the National Electronic Health Task Transition Authority (NEHTA).
Discussion
Australia does not have legislature analogous to HIPAA although it recognizes HIPAA’s impact on health services software development (e.g., international products must comply with HIPAA). Issues of ownership and access to health records were discussed relative to the Breen and Williams case, in which the High Court determined that ownership of health records rests with the medical practitioner. In response, several states and territories have passed legislation about access rights. Within the medical profession, it is now generally accepted that patients have the right to view, understand, and access their health record information although the right to correct information in medical records varies. While patients do not have a right to delete material, they can seek annotation in some jurisdictions.
The development of EHRs is contributing to public debate about privacy and confidentiality. It is incumbent upon the developers of the EHR system to enhance privacy. The development of the EHR revolves around the notion of informed consent, although there is debate about whether individuals should have the right to opt in or out. Patients must understand information usage and their degree of authority to control access. Ownership and maintenance challenges arise when information is contributed by multiple practitioners. Australia is exploring issuance by the primary provider of a copyright license for use by other practitioners who contribute to the record. All health information is treated as potentially sensitive as it is recognized that patients with substantial concerns are more likely to withdraw or not provide consent. Concerned patients worry about losing jobs or life insurance and about stigmatization or embarrassment. Australia has laws that deal with discrimination for medical conditions or disabilities.
Australia differentiates between electronic information storage at the point-of-care (the electronic clinical record maintained by the practitioner within the precinct) and a shared electronic health summary record (web-accessible data repository). Between these extremes is a point-to-point transfer of structured, secure clinical messages between providers. Most opt-in and opt-out and consent issues relate to the shared summary record. There is an increasing recognition in common law and in some jurisdictions that providers have an ethical and common law responsibility to ensure accurate records and use of information for clinical decisions (see transcript for example).
In addition to Medicare, Australia has a national pharmaceutical subsidy system called the Pharmaceutical Benefits. The large national health insurance programs are administered by HIC. The Health Insurance Act that oversees Medicare maintains requirements for claims benefits (see transcript for example). Australia also has an Electronic Transactions Act that permits an electronic document to have the same legal standing as a paper document. HIC has created a system that gives Medicare providers a digital certificate that equates to an individual signature or a practice or location certificate that equates to a non-repudiated letterhead. These digital certificates are increasingly used for: transactions between providers and HIC; signing referrals between practitioners; and between practitioners for patient care and point-to-point clinical communications. The public infrastructure provides highly secure encryption for health information on the internet in an electronic form. For the purposes of Health Connect, patients are given identifying numbers, although the NEHTA is mandated to define standards and make recommendations about a national health identifier. The current draft proposal calls for HIC to manage a system of national health identifiers. These recommendations will be available to the public on the following websites: www.healthconnect.gov.au [Health Connect – note report on legal issues relating to EHRs on this site; information on implementation strategy; and evaluation materials); and www.NEHTA.gov.au, NEHTA’s website, which provides information on standards and architectures for Australia’s EHR systems.
DAY TWO: JUNE 8, 2005
CALL TO ORDER, WELCOME, INTRODUCTIONS, AND REVIEW OF AGENDA
PANEL V THIRD PARTY PAYERS
Pharmaceutical Care Management Association (PCMA) Phillip Rothermich
Background In 2001, three large PBMs (including Express Scripts) formed RxHub to create infrastructure and transaction standards for e-prescribing, including the provision of drug history information by aggregators of prescription drug claims of approximately 150 million people. RxHub provides a record locator service with no central database of claim or personal health information. The value of PBMs is their ability to provide drug history information to physicians at the point-of-care in order to avoid drug interactions or adverse events. Drug/drug interaction checking is done at the pharmacy and again when claims are filed. PBMs are not direct stakeholders, except to help make prescription drugs safer and more affordable to its members.
Key Premises
- Each piece of omitted information is a lost opportunity for providers (see transcript for example of psych drugs).
- Systems cannot accommodate an individualized approach nor is it administratively feasible.
- A common denominator approach is needed but it is difficult to find consensus on whether or what to exclude because it is hard to assign drugs to diseases; drug claims typically do not include diagnoses; and off-label uses are common.
- HIPAA is generally not an issue in that most potential uses of drug history information relate to treatment, payment, or healthcare operations.
- Varying and confusing state privacy laws make it hard to find a uniform approach (HIPAA preemption is not always clear).
- Lack of consistent approach among information sources can lead to misunderstanding among clinicians.
Noting that drug histories are not foolproof, the need for a uniform approach is important. Potential approaches include:
- Individual opt-in: not feasible to administer; many lost opportunities.
- Individual opt-out: not feasible to administer unless burden is left to clinician (similar to HIPAA, with provider having option not to treat.
- Individual opt-out by drug class or other categorization: not feasible to administer and would not meet patient needs.
- Send everything for everyone: generally acceptable with existing common law and HIPAA protections but likely to make privacy advocates uncomfortable.
- Filter out certain drugs for everyone: best approach as long as agreement can be reached on common exclusion list (because common candidates for exclusion are often most relevant to clinicians, they would need to know what is missing).
- Send nothing for anyone: lost opportunities in quality and cost savings.
The key is balancing. If all information is provided, there must be laws about misuse of information and discrimination. Individual privacy must be balanced again potential savings, safety, and efficiency gains. Any solution must be workable administratively without adding cost to the system. A uniform system across the country that requires standards and federal preemption is recommended.
ERISA Industry Committee (ERIC) Edwina Rogers
Background ERIC is a non-profit trade association that advances employee retirement, health incentive and compensation plans for America’s major employers, mainly fortune 100 companies.
Overview of Issues Major employers must address issues under the Employee Retirement Income Security Act (ERISA) and HIPAA. Major employers need access to electronic records and systems to continue to deliver state-of-the-art health benefits to employees. Privacy and security concerns must be addressed.
Challenges Current laws about medical data and benefit plans place a great burden on companies that voluntarily provide medical coverage to employees. Companies may be subject to different laws in different states and which state laws are preempted by federal law may be unclear.
On ERISA To the extent that employer-provided health plans are subject to Title I of ERISA, ERISA 514 preempts state laws related to employee benefit plans. But laws relating to insurance, banking, or securities matters are “saved” from ERISA preemption under ERISA 514(a) and (b). The ERISA preemption power that allows the federal government to set the standards governing employer-sponsored benefit plans has been severely eroded by court decisions that have led to a distinction between partial and complete ERISA preemption. The law has evolved to see fewer state law claims preempted by what was once an expansive ERISA preemption doctrine (see transcript for example). ERISA law about preemption is convoluted and uncertain. With regard to electronic records, if ERISA is amended to mandate that employee benefit plans transfer health data electronically to health providers, there is a question about whether more stringent state privacy laws could bar or restrict this practice or whether ERISA would preempt. HIPAA’s privacy protections act as a floor rather than a ceiling on privacy protection, i.e., state laws cannot lower standards but can be more restrictive. Federal laws mandating health data transfer should have a ceiling; and inconsistent state laws should be preempted. Because the scope of ERISA is narrowing, ERISA’s current preemption provisions will probably not suffice to preempt state privacy laws once current case law interpretation is applied. ERIC strongly argues for one national standard that includes ERISA plans and preempts all state laws.
On HIPAA HIPAA provides a uniform base rather than a standard and as such, Americans employed by large employers constantly have their health plans threatened by overzealous state laws. The biggest barrier to a transition to an EHR system is in the varying state privacy laws (see transcript for example). Some are turning to accrediting organizations such as the Utilization Review Accreditation Commission (URAC) to help them achieve compliance with targeted privacy legislation. URAC accreditation demonstrates sincere efforts to meet HIPAA requirements and to assure customers and patients that appropriate steps are being taken to safeguard protected health information.
Role of employers Employers provide voluntary healthcare benefits to attract good employees and to retain healthy employees. To keep employees healthy, some companies purchase lifestyle, health, and disease management programs; and contract with fitness centers. Some companies offer their own pharmacies, drug therapy centers, smoking cessation and obesity management programs. This increases access of individual and aggregate personal health information by employers. Many employers use HIPAA-compliant third party vendors to ensure confidentiality of pharmacy and drug therapy records.
Conclusion The key to instituting a successful transition to EHRs is to include employers and to help them comply with security and privacy concerns by creating uniform standards that are the end-line. Employers require clear, concise goals and rules to deliver services their employees demand. ERIC is available to conduct a member survey for the Subcommittee, if requested.
Society of Professional Benefit Administrators (SPBA) LaRea Albert
Background SPBA is the national association of third party administration (TPA) firms that provide employee benefit management services to clients and benefit plans. Approximately two-thirds of all workers with non-federal plan benefits receive services from TPAs. TPA funds operate like CPA or law firms and provide continuing professional outside claims and benefit plan administration.
As a pioneer in converting to electronic systems, TPAs did not take into account the lack of requirement for providers to submit electronic claims: this has significantly reduced return on investment (see transcript for example). Because self-funded employers joining TPA firms contract with networks to get discounts, claims must be repriced against the database. TPAs sometimes outsource this function to a vendor to simplify their process.
Challenges The most challenging issue has to do with stop loss or re-insurance carriers. Most clients have additional TPA protection called “re-insurance” (ranging from $50,000 – 200,000). For TPAs to receive the best quotes, re-insurance carriers want to know who might press large claims. When TPAs can’t supply that information (as with new business because of HIPAA), quotes are affected. Other complications have to do with implementing disease management (such as COPD) and what to do with information from Health Risk Assessments (HRAs), especially when employees don’t want employers to know about their conditions. HealthFirst TPA of Tyler, TX, which has invested millions of dollars and reformatted business flow, sees decreasing return on investment (ROI) with each new law. State proxy rules are burdensome although there is currently limited state activity on privacy of protected health information.
States will focus more on proxy action because the cost of analyzing new rules (often hidden in unrelated legislation) is enormous. Payers need assistance from the federal government with this challenge. Payer incentives must be developed to encourage the use of HIT (an estimated $1 billion has been spent by payers thus far, as the cost of doing business). To date, the only incentive (useful to larger facilities only) is the threat of not receiving Medicare payments.
SBPA members wonder how the NHIN will work in the context of their internal systems. Questions about information sharing abound (see transcript for example). Members wonder if the current electronic systems will eventually be replaced by a new, incompatible system.
Panel V Discussion
Asked about a time restriction on information supplied to physicians for individual medications, Mr. Rothermich replied that software vendors (such as RxHub) can request date ranges within a two-year period. If a client moves from one PBM to another, the incumbent would transfer drug history information for at least a year of claims. He believes that the industry should develop a standard for cutoff dates and transfer time in order to assure patients of a limit on medication history. He stressed the importance of uniform rules. Ms. Albert added that prescription drug information on every person with a license is submitted to the state of Utah and she wondered if this could be done nationally (see transcript for examples). Mr. Rothermich stressed that from a systems perspective, it would be hard to exclude drugs that have already been included on the list. Physicians must know what is on the list: if they know that certain drugs have been excluded, they will know to ask about related drug interactions. There are adverse consequences to people choosing to withhold drug history from their physicians. Rules must be drug by drug or class by class but a decision must be made about whether they are on or off the list.
Ms. Rogers stated that the information gathered in wellness programs is voluntary and confidential. Employers use TPAs because many employees don’t want to give health risk assessment information to their employers. Mr. Rothermich clarified that the requirement to send pharmacies claim information even if the co-pay is higher is basically for record keeping purposes. Third party payers pay a dispensing fee to the pharmacy even if they don’t pay for the prescription. Patients can choose to pay cash and not discuss the status of their drug prescription plan membership.
Ms. Albert explained that stop loss carriers (which offer a specific level of re-insurance to employees) want to know the identity, diagnosis, prognosis, and treatment plan of at-risk employees. In order for a stop loss carrier to “laser” a person at high risk with a specific high amount on the net, they must have the individual’s name. Ms. Bernstein could not understand why the employee’s identity would be revealed. Ms. Albert said that this is just the stop loss industry rule. She would like to see a uniform databank throughout the TPA and stop loss industry and she would agree to a recommendation to replace individual names and direct identifiers with individual identifiers like employee numbers. Stop loss insurers are not health plans and are not covered entities under HIPAA although they must have employee consent. Employers must sign off on disclosure statements to indicate awareness of potential liability of stop loss carriers. Mr. Rothstein added stop loss carriers to topics for a possible fall hearing.
Dr. Tang reiterated three themes: 1) it would be administratively beneficial to have uniform laws in all states; 2) secondary uses of information, i.e., for a PBM, the primary role is to get a claim for medication to the right payer and adjudicate it; 3) other uses of PHI, i.e., wellness programs, HRAs, or disease management. Mr. Rothermich said that plan sponsors pay for letters to patients sent for business reasons. He believes that most people sign HIPAA and other forms without having full awareness of their impact. Commercial patients have very limited choice about giving consents if they want coverage and claims paid. When people sign up for third party payment for drugs or insurance, they are basically giving a blanket release for payers and providers to share information for purposes of administering that benefit. Ms. Rogers said that most of ERIC’s members are self-funded and need this information as they are “almost running their own insurance company.” Standard operating procedure, which was extremely hard to implement initially, places communication blocks for the employee’s protection. Mr. Rothermich added that there are common law rights of action that prevent people without authority from obtaining patient information. In e-prescribing, the PBMs give information about drug interactions rather than blanket histories to pharmacies. While Mr. Rothermich would agree to time limits on drug history, he can’t speak for others in the industry. Pilots would provide useful information about what would be lost in a one vs. two year timeframe.
Expressing concern about misuse of employee information, Mr. Houston fears that employment decisions could be based on medical disclosure of information, which can lead to discrimination. Ms. Rogers said that this is much more of an issue for small rather than major companies, most of which are under ERISA. But, she said, in order to do due diligence, actuaries working for insurance companies must have names. She mentioned that she worked on a genetic non-discrimination bill last year specifically designed to keep genetic information away from employers. Protections must be in place to ensure that people can’t use information against others to maintain patient confidence, which may mean carve-outs. Protections must also be in place at the macro level when for example, individual withholding of information results in a bad outcome that is costly.
Mr. Reynolds commented that information dissemination has become more blurred because employers have become more involved with employees and employees have more choices. Mr. Rothermich agreed that this was a valid concern. Ms. Rogers said that employers are not getting more information through consumer-driven health plans except through wellness programs which are very contained. There don’t seem to be many cases of employee discrimination due to health status. Consumer-driven health plans are gathering quality and efficiency data to help consumers make better choices rather than focusing on getting employee information to employers. It was noted that prior to HIPAA, HR Department staff had firsthand knowledge of all employee illnesses. Now, employees (who are generally better educated) must file claims directly (see example in transcript). Mr. Rothstein suggested two legal changes to prevent information leakage. One is to prohibit the signing of an unconditional release or authorization for all health information of all conditional employees, which is not the law in any state except Minnesota and California. He noted that the pending genetic privacy legislation would have no effect on this practice, because it does not affect information disclosure accompanied by valid authorization. If the law were tightened to mandate the disclosure of only job-related information, the genetic legislation would be unnecessary. The second is to assign medical benefits numbers for companies that could be cross-referenced against eligible employees, enabling identity protection during claims processing.
Indiana Health Information Exchange (IHIE) J. Marc Overhage, M.D.
Background IHIE is a non-profit venture backed by a collaboration of Indiana health care institutions for the purpose of: using health care information technology and shared clinical information to improve the safety, quality, and efficiency of care for Indiana’s citizens; creating research opportunities; and establishing a successful model of health information exchange that others can emulate. IHIE’s strategy is to wire healthcare in central Indiana first and then expand a common, secure electronic infrastructure that increases communication and information sharing throughout the state (see transcript for details). A sustainable operating model will require users to pay for products and services. The data sharing model was developed over 30 years by Clem McDonald at the Regenstrief Institute. IHIE’s clinical messaging service, called DOCS4DOCS, was developed by the Institute’s Dr. Mike Barnes to ensure electronic access to clinical results by providers regardless of where the results were generated.
How It Works Data from operational health care systems (e.g., lab, ADT, appointment scheduling systems, etc.) is sent to IHIE as HL7 messages or DICOM messages. These messages are “cleaned up” to bring them closer to IHIE’s standards and codes. Results are stored in specific vaults or edge proxys for that institution. A new service (to be deployed by the end of 2005) will provide data to clinicians about chronic disease management, preventive care and other population-based approaches to quality improvement.
On Privacy Health information exchanges create many privacy issues that IHIE has not yet confronted. Those that seem important include:
- With the advent of HIPAA, IHIE can no longer get patient authorization at the time of patient visits due to the burden it places on participants and institutions. Rather, consistent privacy language has been imbedded into a privacy statement of each participating institution.
- IHIE relies on strong certificate-based encryption of data as it is transmitted and stored. Data protection includes physical security and appropriate processes.
- IHIE has designed and tested a deterministic patient-matching algorithm at the heart of health information exchange. IHIE prefers to protect data over inappropriately disclosing or incorrectly matching data and is careful not to disclose unnecessary information. HL7 messages prove that a specific patient is under care by a provider at a participant institution. In general, business rules define the scope and duration of data that providers access (see transcript for examples).
- IHIE relies heavily on participants’ internal processes as well as a multilateral contract with every participant that ensures permission and privacy.
- IHIE has developed methods and tools that query the datasets anonymously to unlock research potential, especially related to the shared pathology informatics network funded by the NCI.
- Background The Danish Centre for Health Telematics is a public non-profit organization that is developing communication standards for the exchange of health information; and getting private companies to implement and sell the standards in the open market.
PANEL V DISCUSSION (CONT.)
Dr. Overhage defined an “edge proxy” as a structured, coded database that holds data of participants on their behalf. The data is controlled by the participants wherever they deem appropriate. Privacy language is uniform across institutions. Most participants elect to have their information managed centrally as opposed to locally. Since HIPAA, the legal recommendation is to ensure patient understanding of what is being done with their information without asking for explicit authorization. The result is a determinist patient-matching algorithm versus a probabilistic method. The specifics of batch rates and gold standards were discussed (see transcript for specifics). Asked about secondary uses of information from the central depository for research, Dr. Overhage said that all research is de-identified for medical care and IRB-approved research only. Dr. Overhage agreed with Dr. Cohn, who noted that much of the privacy and security discussions serve as surrogates for trust. The environments that have been most successful are those that began with a basis for trust in the community and trust by providers and patients. Dr. Overage added that every participant must be comfortable with how the information is used, including those in the middle who have “negotiated access.”
Danish Centre for Health Telematics Ib Johansen (via phone)
How the Danish system works Denmark has a health patient network run by local governments. Family doctors are the gatekeepers of the health data network, as in Canada and Australia. All 3,500 family doctors have electronic patient records that are interconnected with all labs, hospitals, and pharmacies. Everything is exchanged electronically, to include: prescriptions; discharge letters; referrals; lab reports; biochemistry, microbiology, histopathology, and psychology reports; and x-ray descriptions. Documents are identified by a patient identifier that is used for everything – taxation, driving license; and health. Both doctors and patients have access to patient health information. Medication information is stored in a national database that doctors and patients can access in a registered central database by using a national certificate. Patients can access the last two years of medication on-line. Since the information is locked and time-stamped, a patient can see who has looked at his file and for what purpose. Currently, all health data is on the internet. Encryption includes personal identification codes for all citizens at no cost. All health information from public hospitals is transferred through the internet to a national database. Prescriptions and lab reports are not encrypted but there has not been any misuse during the system’s 15 year’s of operation. To date, 80 percent of prescriptions, 99 percent of lab reports, all discharge letters, and most referrals are electronic. Call centers transfer information every morning to the family doctors. The health record that the GP has can be printed out for the patient but cannot be transferred electronically except if cases of provider transfer, where the data is securely sent.
Discussion
Asked about the Danish system’s experience with reducing errors and cost and improving efficiency, Mr. Johansen said that while it is not clear that costs have been reduced, errors have been “very much reduced” due to electronic prescriptions. A strict Danish data protection law exists that does not allow for data transfer without patient permission. Patients must contact the database owner to request an adjustment to their health information. Information can be blocked but not removed, although if a person changes GPs, the original physician cannot transfer blocked information. Mr. Johansen also pointed out that the investment in computers by GPs and dentists is not refunded by public monies.
SUBCOMMITTEE DISCUSSION
After the Subcommittee completes its work on the NHIN in the fall (with plans to submit to the full Committee in November 2005), a joint hearing will be held with the Standards and Security Subcommittee on the topic of “accurately linking patients to their information,” formerly known as “individual identification.” Other issues for consideration in winter 2005 include: notices and acknowledgements; request by patients to correct or amend their records; accounting for disclosures; health plan access to PHI under health care operations; minimum necessary; and stop loss coverage under HIPAA.
The fourth and final hearing on the NHIN will provide testimony from technical experts. Mr. Rothstein suggested consideration of such topics as: role-based user access; unique identification and identification in general; opting-in and opting-out; limited disclosures pursuant to authorizations (or contextual access criteria). Ms. Greenberg was uncomfortable with holding technical hearings as the final Subcommittee discussion due to potential confusion about what approaches are technically feasible and what users might or might not understand. Mr. Rothstein suggested an additional September meeting to put an agenda or an outline of a proposed letter together that could be reviewed by prior witnesses. Mr. Houston suggested the development of some use cases prior to the August meeting to help focus the technical discussions. Mr. Rothstein plans to supply the technical experts with a list of up to ten areas of consideration. Dr. Tang agreed with Ms. Greenberg that the issues encompass policy questions that are broader than technology. He encouraged a technical discussion about authentication (i.e., once information is on the database, how is it controlled and audited; and who sees it?). Application Service Providers (ASP) have loopholes that people are not necessarily aware of. Dr. Cohn added that it is important to look at critical issues like authentication because of interface with policy and risks in the system at different levels and to examine the issues of implementation. Mr. Houston added that the more the data is parsed, the more sophisticated the structure to deal with that information must be.
Mr. Rothstein hopes that the technology hearings will confirm whether the Subcommittee recommendations are in the “ballpark.” For example are opt-in or opt-out systems doable? Dr. Cohn pointed out that cost and implementation questions go way beyond technology. For example, savings are eroded and medical errors increase when significant numbers of patients eliminate some of their medications from their charts. It was agreed that the Subcommittee needs time to work through the complexity of issues raised by testimony as well as the role of the Subcommittee. There are educational needs and not much happening to raise the level of understanding. Lack of access to the health care system and employers issues are other real concerns. It was suggested that a breakout session be planned for June 30th that focuses on areas of inquiry for the August witnesses.
Dr Tang summarized three themes of the testimony:
1) Need for uniform privacy laws and regulations.
2) Secondary uses of legitimately acquired data.
3) Public education on what’s happening now and what the benefits of linking data are.
He suggested that the Subcommittee develop some tentative policy recommendations to check against the technology folks to see if they are practical and feasible. Ms. Bernstein wondered if the Subcommittee should spend its time on longer-term issues. Dr. Tang believes that the real issue is not technology but rather the HR expense of implementation. Mr. Houston wondered if there was value to reviewing the RFP summary publication in Dr. Brailer’s office. Mr. Rothstein plans to propose a meeting with Dr. Brailer in the June 9th Executive Subcommittee meeting to discuss what kind and level of recommendations would be valuable.
Mr. Rothstein adjourned the meeting at 12:15 p.m.
To the best of my knowledge, the foregoing summary of minutes is accurate and complete.
Mark A. Rothstein, J.D., Chair 05/25/06
(http://ncvhs.hhs.gov/lastmntr.htm) (08/08/05)