[This Transcript is Unedited]



August 1, 2007

Wilbur J. Cohen Building
300 C Street, S.W., Room 5051
Washington, D.C.

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030

Table of Contents

P R O C E E D I N G S [9:05 a.m.]

Agenda Item: Introductions and Overview

DR. COHN: Okay, good morning. Will everyone please be seated. We’re going to
get started. I do want to apologize. We’re running a couple minutes late. I’m
going to call this meeting to order.

This is a meeting of the Ad Hoc Workgroup on Secondary Uses of Health
Information of the National Committee on Vital and Health Statistics. The
National Committee is a statutory public advisory committee to the U.S.
Department of Health and Human Services on national health information policy.

I am Simon Cohn. I’m Associate Executive Director for Health Information
Policy for Kaiser Permanente and Chair of the Committee. I want to welcome
Committee members, HHS staff and others here in person and also welcome those
listening in on the Internet and remind everyone to speak clearly and into the

I do just want to take a moment and obviously welcome one of our former
chairs, immediate past chair, John Lumpkin, to join us today. So, John, thank
you for joining us. Okay.

With that, let’s have introductions around the table and around the room.
For those on the National Committee, I would ask if you have any conflicts of
interest related to any of the issues coming before us today, would you so
publicly indicate during your introduction. I want to begin by observing that I
have no conflicts of interest. Harry?

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina, no

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the
Committee, no conflicts.

MR. BLAIR: Jeff Blair, Lovelace Clinic Foundation, no conflicts.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention,
Staff of the Ad Hoc Committee, Liaison to the Full Committee.

DR. VIGILANTE: Kevin Vigilante, member of the Committee, Booz-Allen &
Hamilton, no conflicts.

DR. DEERING: Mary Jo Deering, National Cancer Institute, Staff to the NHIA

MS. PATTERSON: Wendy Patterson, The National Cancer Institute Technology
Transfer Center, thank you.

DR. LUMPKIN: John Lumpkin, Robert Wood Johnson Foundation. I live my whole
life conflicted, but none with this meeting.

DR. LOONSK: John Loonsk, National Coordinator.

MR. SCANLON: James Scanlon, Health Policy R&D, member of the Committee,
no conflicts.

MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics,
CDC, Executive Secretary to the Committee, and I would have to say that
Margaret is very happy to have the current and former Chair here.

MS. AMATAYAKUL: Margret Amatayakul, contractor to the Workgroup.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC,
Committee staff.

MR. ROTHSTEIN: Mark Rothstein, University of Louisville School of Medicine,
member of the Committee, no conflicts.

MS. THORNTON: Jeanette Thornton, America’s Health Insurance Claims.

MS. OCHS: Lisa Ochs, Impact Medical Systems.

MS. BUEHLE: Allison Buehle, American Health Information Management

MS. FRANKLIN: Angela Franklin, American College of Emergency Physicians.

DR. COHN: We welcome everyone, and especially for this hearing and with
these microphones, I just to remind everybody we need to be very careful and
really do need to sort of bend over and speak into these microphones. They seem
to be very tricky for whatever reason, and we obviously want to have people on
the Internet be able to hear us.

Now having just said, of course, I have no conflicts of interest, I was just
looking through the agenda, and did a think need to declare that later on this
morning, one of the presenters actually is from Kaiser Permanente. So while I
don’t think there’s an absolute conflict, I do want to publicly disclose that.
We actually also do have a couple of copies of written testimony that we do
want to note, one from Deborah Collier, President of Patient Advocates and

There also was an additional written document from Group Health Cooperative,
Group Health of Pugent Sound. And just once again to disclose interest, Group
Health Permanente, the physician group actually is a Permanente Medical Group,
which is the group that I work with, so just by full disclosure.

Today marks the beginning of the second set of hearings of the Ad Hoc
Workgroup on Secondary Uses of Health Information. Specifically, the National
Committee has been asked by HHS and the Office of the National Coordinator to
develop an overall conceptual and policy framework that addresses secondary
uses of health information including a taxonomy and definition of terms.

We’ve also been asked to develop recommendations to HHS on needs for
additional policy, guidance, regulation and/or public education related to
expanded uses of health information in the context of the evolving and
developing nationwide health information network.

Obviously, we’re talking about this and have been. The initial emphasis,
though, is on uses of data for quality measurement, quality reporting and, most
importantly, quality improvement which is something that tends to at times get
a little de-emphasized in our efforts around measurement and reporting.

Also, I should comment that part of our work is to talk about approaches,
and by approaches I include things such as tools, technologies to help minimize
any sort of risks that we may identify as we consider the area. I am leading
the Workgroup, but I do want to thank Harry Reynolds and Justine Carr who have
been willing to serve as co-vice chairs. I think, as you all know, I am
depending on them significantly, and they really have been instrumental, I
think, in putting together, I think, what’s being some very interesting

I also want to thank members of the Committee for their participation, and,
of course, our liaisons and our representative from the Office of the National
Coordinator, John Loonsk, thanks for joining us, Steve Steindel, Mary Jo
Deering, of course Debbie Jackson has been instrumental as well as Marjorie
Greenberg. And, of course, there’s been staff support with Margaret A, Aaron
Grant who I don’t believe is here today, and Christine Martin Anderson who once
again we may see at these meetings, but of course we’re dealing with summer
vacations and such.

Obviously, I want to begin by thanking you all for your willingness to
participate. I think we commented previously that there is a lot of activity
this summer. We have a lot of work between now and when we’re out the beginning
of August and what we hope will be a nearly complete report by the end of
September. So I want to thank you for donating your summer vacations to this

In all, we have planned for six to eight days of hearings, and we’re about a
third of the way through now with additional time for public discussion and
review of our draft recommendations and framework. And, of course, as always
this is going to be a very open and inclusive process.

Today we’re going to start out with testimony talking about sort of the
higher level framing issues and indeed the tension and discussions throughout
all these hearings have been moved from high level down into specifics and back
again trying to make sure that we’re not missing anything. And we’re obviously
very pleased to have John Lumpkin, whom I’ve already thanked for his
participation, and Wendy Patterson from caBIG, and thank you very much for
joining us.

From there, we’ll be talking about perspectives on uses of health data,
first talking about quality perspectives and then, after lunch, talking about
secondary and I think a new term from our last meeting, tertiary uses of health
data which I think we may find a useful way of beginning to talk about the

Finally, this afternoon we’ll be talking about public health and statewide
planning perspectives. As we decided last meeting, we will have an hour and a
half for discussion today, and we’ll have time tomorrow afternoon for
discussion and then also on Friday morning.

Just to remind everybody, as hard as it was getting here at nine o’clock
this morning, tomorrow’s starts at 8:30. So, now with that, and I know John has
to leave, I think, relatively quickly after the session. But John, I think
we’re asking you first up to sort of give us some of your, I think, sort of
broader insights around secondary uses, and again thanks for joining us.

Agenda Item: Key Opportunities and Challenges in
Framing Uses of Health Data

DR. LUMPKIN: Great. It’s great to be back to see the work that the Committee
is doing. I think this is the right issue. It’s the right time. We’re now about
11 years post-HIPAA, and it’s amazing how often the issue comes up. But some of
the key issues I think that need to be discussed about HIPAA, I mean, health
information technology and the implementation of that relate to privacy. I
think the Committee has been right on in looking at key issues particularly in
those areas where when we initially looked at privacy that we didn’t think
about and expanded uses of health data. Personal health records, your letter on
personal health records, I think, was also very useful in drawing the right
attention, and now on secondary data use, a critical point in our nation’s
history as we begin to look at what’s going on with health.

We have a political environment where health and health care is increasingly
being a focus. No matter who gets elected come November of 2008, the issue of
health will be high on the agenda of the nation. And I’ve heard a prediction
actually from both sides of the aisle that the basis for fundamental change in
relationship to health care may be even greater now than it was in 1993.

And so the work of this Committee in thinking through some of these
significant thoughts prior to that debate occurring looms as very likely that
the deliberations of this Committee will impact those discussions, particularly
as they frequently do, the secondary uses of data get thought about sort of as
a last minute as someone’s going to conference committee having a document that
they can pull out will help guide those discussions. So thank you for doing

To highlight my point about where health care is, there’s a survey that’s
done funded by the Foundation that’s called health tracking. And, yes, Mary Jo,
if you put it near the microphone, I’m sorry, I couldn’t pass that one up, that
this survey is done, there are 12 sites around the country, and they go out and
conduct over 1,000 interviews with various key leaders in those communities.

When they talked to businesses in this survey, one of the important issues
related to health care, and this is shown in public polling, is the issue of
affordability followed by coverage for all and then quality.

The interesting thing, though, is when they did the survey in these 12
metropolitan areas, they talked to leaders in health care, and what they talked
about was that they saw a further evolution, that there was going to be
increasing tiers of care. In other words, you have people uninsured who are
going to get one tier of care; you have people who are going to be on Medicaid
who are going to get another tier of care. Perhaps those who are in self pay
health savings accounts kinds of things may get a different level, particularly
if they have a high deductible, and then those who are fully insured. They see
increasing tiering of care, different levels of care being available. The
health leaders also see that there’s mostly going to be substantial cost
increases and, because of that, a reduced ability to cross-subsidize
uncompensated care, all putting pressures upon the health care system.

But they’re all looking at health leaders as significant expansion during
this time frame, looking at from the period of 2005 until the end of the
decade. That’s important because they’re looking at building, they’re looking
at buying new toys, all of these which are going to be further drivers for

But the most important finding, I thought, of this survey was when they
asked all these leaders of health care organizations, none of them had any cost
control strategies. The issue of cost control sort of had gone out of the front
of their mind attention.

But when you talk to the public, and this is just very recent poll data,
after the war in Iraq, health care has now become the number one domestic issue
— in fact, the number two overall issue for the people in this country. So we
believe, and certainly when you look at the positions of each of the
presidential candidates in both parties, they all are addressing the issue of
health care. Some are addressing the issue of universal coverage. Some are
looking at Medicare reform. Some are looking at tax reform, but all with the
goal of trying to confront this issue of increasing cost and Americans’
increasing fear that they’re going to be unable to afford health care for
themselves and their families.

What’s also clear is that, as the various leaders from both parties begin to
address this issue, health information technology falls on their radar screen
as something that needs to be done to address it. Increasingly, we’re being
able to get them to the point of realizing that HIT is not a magic bullet, that
it is necessary but not sufficient to enable the changes that need to occur.

So many of the big questions they’re addressing is who pays and how. Now put
this within the context of another recent poll which found that 62 percent of
Americans believe that if they’re admitted to a hospital that something bad
will happen to them. We know that there are significant studies, the one by
Beth McGlynn, that was done in 2003 is perhaps the one that has gotten the most
attention and still is the most striking. She’s doing some work to follow up on
that. But I do want to mention that because it does set the context.

This study, a fascinating study if you haven’t looked at how it was done.
About 6,700 people – more than that were contacted, by 6,700 people agreed
to have the Rand team look at all their medical records. So, you know, hello,
I’m from Rand, I want to look at your medical record. When they looked at their
records, compared their treatment to standards of care, that’s when the report
came that roughly half of all care, half of patients are getting the care that
would be appropriate for them.

The cost of this study was $15 million, a very startling study, but it had a
dramatic impact upon policy. But did it really have any influence on individual
care. I point this out as being one of the very important studies which has
helped us come to the conclusion that we receive the right care only about half
of the time. But the other argument is that much of our health care spending
has no value.

Many of you may be familiar with the work of Jack Lindberg who now has
retired, and Elliot Fischer’s taken over at the Dartmouth Health Atlas, another
very costly venture but one which is yielding significant results that have

Variations in cost between the red ones which are the high cost regions
versus those that are white which are the low cost regions represent 30 percent
of the Medicare dollar. And to put that in perspective, if you apply that
across all the health care, you have more than enough money involved in that
variation to cover all of the uninsured, no matter whose numbers you look at
what the cost of that is.

But this system is primarily driven by Medicare claims data, and it’s
relatively old. But there are significant uses that may occur for this data.
This is the same one that showed that when you look at all medical conditions
and you put them in a graph and you compare it to the number of acute care
beds, that there seems to be a direct line correlation. The more acute care
beds you have, the more people get discharged from hospitals.

So that this utilization of care is not driven by need – you can
compare it to, on this chart, you can see the hip fractures at the bottom.
There’s no decision involved with a fractured hip. Somebody falls, they
fracture their hip, you have to fix it. When you go across the communities, and
they range from one to six for the number of acute care beds per unit, and I
don’t remember the unit of population, you can see that the rate of discharges
for fractured hips is straight, no difference from region to region.

But when you look at those discharges where there’s some decision making
involved with them, utilization is based upon the availability of resources.
This methodology enables them at the Dartmouth Health Atlas, they can now link
patients to hospitals. And so they now can compare how hospitals are performing
from region to region, from city to city.

So you take the 25 best hospitals and look at how they compare in cost, the
number of consultants they have in the last six months of life, and there’s a
dramatic variation between the 25 best hospitals across the country, again
reflecting significant variation that occurs in health care.

But when they look at it on the basis of the health atlas and they compare
the cost versus mortality of those same hospitals ranging from one to lowest
cost community and using that as the index to the highest cost community, and
that’s a range from one to 1.8, mortality is no better at the high cost region.
Adherence, in fact, to certain guidelines such as aspirin at discharge is in
fact worse in the high cost regions.

So more care doesn’t equal better care. And the ability of using data like
this to better understand that’s going on in the regions and to drive quality
improvement, of course, is the holy grail that we’re looking to go towards.

One also has to note that there are significant inequities in health care.
This particular slide was for me a turning point in my understanding of this.
This is from David Narenson, some of the work that he’s done in Michigan. An
important part of this slide is it compares adherence to the guidelines which
is children 5 to 17 years old after an emergency admission to the hospital
ought to be followed up by the managed care plan, and the rate for
African-Americans is half that of those who are white.

What struck me is that when I first saw this at a meeting, one of my
colleagues leaned over to me and said, you know, John, the problem is that both
of them stink. And so that when we look at the issue of inequities in systems
based upon race and ethnicity, we have to look at it two ways. We have to look
at the issue of bias. Bias becomes very important for us to understand because,
as we think about that, much of what I believe is engaged in bias are
unconscious decisions that are being made.

So a clinician sees someone before him with HIV. They’re African American.
So they make the assumption, not intentionally but in trying to give the best
care, that they don’t have the social resources to use multiple drug therapy.
And we all know if you’re not on multiple drug therapy regularly, you begin to
develop resistant strains of HIV.

So the assumption is made quick look, I’m going to make an assumption about
that person, they’re not going to put them on prescribed levels, so they’re
only going to put them on one or two drugs to treat their HIV. We all know that
with health information technology and decisional support, the system could
say, oh, by the way, doctor, this patient meets the criteria for multiple drug
therapy because the system would know that they live with a relative, they’ve
got all sorts of supportive networks.

That’s one of the ways that health information technology can address it.
The studies that we’ve looked at indicate that this is only a component of the
disparities that exist in health care. A much greater factor in the disparities
that exist in health care are because not of who people are, although that’s a
component, an important component, but it’s where people go for care Eighty
percent of minorities in this country are cared for by 20 percent of the
providers. And those same providers tend to be in the safety net. They tend not
to have the resources to hire consultants and related to do quality
improvement, and they tend to be less able to meet the guidelines.

We funded a study for the last – a project over the last two years
called Expectant Success: Excellence in Cardiac Care where we worked with ten
hospitals that are roughly inner city hospitals that serve a high percentage of
minority patients. And over a period of about 18 months providing them with
that kind of technical assistance to do quality improvement, we’ve dramatic
improvement and adherence to cardiac guidelines across the board.

So it begins to be a factor not only of where people – how bias exists
in the system, but identifying where there may be areas that you can have
specific focus, and this has to be data driven.

We also have a system where people are disconnected from the cost of their
health care through much of their encounters. So what this chart shows, it was
a study that was done by the Wall Street Journal and Harris Interactive. They
asked people what they thought their health care cost, or the cost of certain
kinds of treatment.

So, for instance, they asked what do you think it would cost to treat high
blood pressure. The average actual cost was $93. People estimated it was $153.
But here’s where it really becomes significant. They asked them what was the
cost of spending a night or day in a hospital. The average person thought that
the estimated cost was about $1,000 per night, when the actual costs were over

And so we have people who are disassociated from the quality of their care,
but they’re also disassociated from the cost of their care.

So our strategy in trying to address this, and this is one that we’ve done
in some coordination with the Secretary and the Department of Health and Human
Services in other areas is to begin to look at how we can fundamentally change
the way that health care is being done from a quality perspective.

And so our work is looking at developing a regional approach. We’ve done a
lot of work with sort of, you know, here’s an improvement project at one
hospital, and that across town there’s another project. But when you look at
care overall, we’re not seeing dramatic improvement. How do we make that
dramatic improvement.

We believe that doing this at the regional level is an important component,
that the first component of this is that building coalitions and funding
coalitions of consumers and purchasers and payers of care to drive towards
transparency. Public reporting of quality and price information.

Now this is important to enable a couple of things to happen. One thing is
it enables consumers to be able to make better choices. A good example, a good
friend of mine worked for the Chamber of Commerce, and she was in a HAS. So she
had a health savings account, so she had $5,000 in stuff that came out of her
health savings account, and then everything else was the high deductible plan.

She needed a caesarean section. There are four or five hospitals that were
in her plan. None of them would tell her what the outcomes were of their
C-sections, nor would they tell her how much it cost. Without that information,
how can the consumer have any influence or involvement in the way the system

So public reporting of quality and price information can enable consumers to
have direct engagement in the system. The second component of this is that I
believe in all my experience and the people I know tell me that providers want
to do a good job. And by and large, they don’t have a clue how well they
perform. And given information on their level of performance, they would
identify where they have their gaps. You know, the various studies to look at
when you ask providers have they recommended eye exams to their patients who
are diabetics and you ask them if they do it, and they say, yes, I do it 80
percent of the time. And you look at their records, and they do it 20 percent
of the time. Well, that’s a gross exaggeration, but roughly that’s the way it

Giving feedback to providers about the level and quality of their care will
have a dramatic impact. And what we believe is that we’ll drive the adoption of
quality improvement, and the adoption of quality improvement methodologies.

And so we are committing at the Robert Wood Johnson Foundation significant
resources over the next – in the 2007 and 2008 about $112 million to fund
programs related to this regional approach, and over a five-year period about
$300 million. We want to see this drive improve patient outcomes within these
regions. But the key issue is transparency, and one of the key obstacles, even
if you use transparency based upon administrative data, one of the key
obstacles to doing this is our structure of how data flows in this country.

When I talk to regions, I just talked to a group of people who were meeting
in a similar process up in Providence, Rhode Island, and there’s a group of
collaboratives mostly based around Medicaid in North Carolina, in Providence,
Rhode Island, and I forget where the third site is. The number one issue that
they raised is what I would call misinterpretation of the HIPAA privacy rules
as barriers to trying to do the sort of transparency. We believe that what
needs to be done is to figure out how to aggregate data that’s meaningful and
reliable at the provider level. That means individual clinician. And we’re
actually funding approaches to do it. We’re hedging our bets, and we’re funding
top up and bottom down. Bottom up and top down approaches. One is to do
aggregation at the national level working with organizations such as, well, I
can’t say that until after my next meeting. Anyway, working with some national
organizations –- we haven’t announced that. Looking at merging health plan
data and Medicare data, coordinating with ARHQ to be able to look at
methodologies to do that, coordinating this with the Value Exchange Initiative
of the Secretary, but to develop at the national level through national data
sets to then aggregate the data at the regional level to begin to measure the
quality. And from the bottom up approach, each one of the regions – and
we’ve identified 14 regions across the country, and they range in size from the
State of Maine and Wisconsin, Western Michigan, Western New York State to
cities like Memphis, Detroit, Seattle, Minneapolis, all the way down to a small
town like York, Pennsylvania. And we’re looking to expand to areas,
particularly looking in those areas that have a higher concentration of
minorities so that we can begin to, as part of our strategy, not only look at
using transparency to drive quality improvement, but also using – looking
at how we can begin to address the issues of disparities and go across the
spectrum of care.

We’re going to be expanding into some of the other communities across the
country. Roughly our goal is to have about 20 communities and to provide them
with the resources to develop the infrastructure to do transparency, public
reporting of quality and price information, and at the back end develop the
infrastructure to do quality improvement.

We don’t know what that infrastructure looks like, but we’re going to fund a
number of different models. It may be hospital centric, it may be health plan
centric, it may be professional society centric. But a key component of this
will have to be the roll out of health information technology to enable this.
And there are models for doing quality improvement. We funded one in North
Carolina working with the American Board of Medical Specialties, North Carolina
and Colorado to develop models of getting out quality improvement technology in
the individual ones and threes physician offices and using and developing a new
kind of specialist called the quality improvement coach who actually goes into
these small offices. We’re currently working with 50 practices in North
Carolina and another 50 in Colorado, and we’ll be expanding that program in the
coming future.

So all of this is geared to try to improve the quality of care. It drives
key components of the chronic care model that you may be familiar with, with Ed
Wagner. But a key component of that is that if this is going to work, you need
to have an informed activated patient. And part of that patient being informed
is having the information that enables him to make those kind of decisions.

This all ties in with the work that you’re doing and in many ways goes back
to the earlier vision of the Committee, the national health information
infrastructure, that may not be the common phrase, but we all kind of go back
there, and the interfaces between the health care provider, the population
health and the person of health domains.

With your work, the work that you’re doing here in developing this taxonomy,
I think it’s very important to understand a couple of key issues, and then I’ll
say a couple last things and wrap up.

Research is not public health, although some of public health engages in
research in order to gain new knowledge. Quality improvement is different than
research, although some of quality improvement – Beth McGlynn(?) is a
perfect example, engages in research to gain new knowledge. Where we run into
problems is where we’re not very clear, and, as we have learned from HIPAA
privacy, people will many times take regulations to the extreme and will not
try to understand the subtleties of it. And so it’s important to have at least
some place that you can go for the subtleties.

And I could basically stop here, but I’m going to spend about three minutes
and then quit on one other aspect of looking at the issue of these different
spheres of using secondary data, and I liked the grid that you sent out to the
various people. I think that those are really the important questions. So I’m
just going to add some, not to change your grid, but maybe a slightly different
way to think about it because that’s all I could do with your doing so much
good work, I didn’t have anything else to add. And that is to look at some of
the basic principles of biomedical ethics and approach this problem maybe from
that perspective.

There are four components of that: respect for autonomy which means to
acknowledge the decision making rights of an individual, that relevant parties
need to consent to any action that’s taken, and do they acknowledge and respect
others that may choose differently, the right to refuse.

Beneficence, which this is action, do benefits to others, and a weighing of
the balance of the good versus the harm. Non-malfeasance, which is primum non
nocere, or above all do no harm, and then finally justice, which is an issue
that’s a little bit hard to tease out of this not so much in justice in the
sense of are we equally applying resources, but are we identifying where the
inequities in the system occur.

And we know with TPO that autonomy is fairly well handled in consent. A
patient comes in for treatment, they give consent to that treatment. They can
refuse to have that treatment. The purpose of this is for the good of the
patient. When the patient agrees to be treated, are they going to be treated
appropriately. How do you prevent harm? Through security and privacy, through
non-release of data that shouldn’t be released. And some of the roles we talked
about through the justice is are patients getting equitable care. And, of
course, that can be determined under TPO.

Let me talk about in respect of quality, and I’ll go through the three of
them very quickly and I think it just bears some discussion or some thought
– not necessarily discussion. Under quality respect for autonomy, you can
do that in a way that you focus in on the provider and not the patient. And so
the patient’s autonomy, the right to make their own decisions, are preserved.

However, quality will improve care for the patient and society. So there’s
clear benefit. It has the potential to prevent harm, so the prevention of
error, and you can use de-identified data to reduce harm, particularly in
public reporting.

But the key component to that is that if you’re going to improve quality to
assure that vulnerable populations are protected, the importance of collection
of race and ethnicity data is the only way that you can assure justice in the

The public health system has taken the issue of autonomy has been subjected
to the public good. And I think the key important component here is that this
is not determined by those who are practicing public health. This is determined
by our societal system that it’s driven by laws, that when you subjugate the
public good, the individual rights to the public good, that it not be done
willy nilly but in fact be done through a process that we use in our society
and our democratic society is through our democratic mechanisms.

That there are public benefits and, in some cases but not all cases, there
are individual benefits. So an individual who is on a cancer registry that’s
determined by state law to be an important public good likely will not benefit
from that registry, but other patients will. Other people will.

These systems have legal protections of data, and they vary from state by
state. For instance, in Illinois a report of a disease like Syphilis is
protected and cannot be released into court – into a court hearing. So
there’s a higher level of protection because there’s a higher level of
subjugation of autonomy. Someone who has a sexually transmitted disease can be
treated based upon that report, and equally as important, their partners can be
treated. All are treated equal under justice, and they’re designed to protect
the most vulnerable.

And then under research, here I think the issue of respect for autonomy is
key, that there has to be a consent and an obligation and an understanding of
the right to refuse. Society might benefit because you don’t know the outcome
of research. The individual might benefit if they’re in the right side of the
randomized control trial, and there’s protection from harm. IRBs, full informed
consent which means they fully understand what the risks are, and the studies
are designed to minimize harm.

And there are two components of justice which need to be evaluated. One is
equitable benefits, and the other is selection of study topics and subjects,
and there’s been a lot of discussion about the fact that studies on
cardiovascular disease until recently tended to exclude women and other groups.

So this is all sort of a biomedical approach to looking at some of these
issues, and I just thought I’d toss it out. But the important thing is to look
at each one of these circles of research, quality measurement and reporting in
public health in their own right. These are very important. What is a talk
without quoting Octo Barnett(?) and to point out that we must concern ourselves
with the quality, efficiency and effectiveness of the practice of medicine and
the provision of medical care, and looking just at quality without
effectiveness and efficiency is not good enough, given the current political
environment. Thank you.

DR. COHN: John, thank you very much. Now let me just do a little time check
with you, knowing that you – you’re not quite double scheduled, but you
will be soon. Would your preference be that we go to the next presenter and
then have a conversation or would your preference be that we just take a couple
of minutes and engage you in conversation at this point.

DR. LUMPKIN: Well, I apologize for going long. But – so if we could do
the conversation first.

DR. COHN: So you can go to your next meeting?

DR. LUMPKIN: Yes. I apologize. The Quality Line Steering Committee that is
engaged in some of the activities I talked about is meeting at ten, and I’m
supposed to open that meeting. I won’t do that, but I would like to get there
as soon as possible.

DR. COHN: Okay. Well, why don’t we just open it for questions maybe for the
next ten minutes or so, and then we can go on to our next presenter. Wendy,
thank you for your forbearance on this one. But first of all, John, thank you,
and I actually want to thank you for your focus on quality improvement just
because I think that, as I said, in many of our testimonies and conversations,
there’s been so much focus on measurement and reporting that that last piece
sometimes gets not thought about quite as insightfully. So we appreciate that.

Any questions or comments? Bill?

MR. SCANLON: Thanks very much. That was quite impressive in terms of all
that you covered.

I’d like to go back to link what you were talking about earlier on with
respect to the Winberg(?) work and the over-utilization of particularly the
supply side set of conditions and talk about how we can think about addressing
those. I mean, it’s easier to understand sort of the feedback to the providers
and providers wanting to do the right thing, but they’ll increase their use of
particular services. But there’s a question of whether they will decrease their
use of services. And it’s – I mean, I was talking about these are these
people’s income that we’re talking about in some of these circumstances. And so
the question is how do we both develop the information which is maybe just a
research task, but then can we get it to the point where decisions are being
made through HIT that will be effective in terms of dealing with the
realization which ultimately a big driver in the cost problem that people face.

DR. LUMPKIN: I remember it was a lot easier being on the Committee asking
the tough questions.

MR. SCANLON: My apologies.

DR. LUMPKIN: This is really the challenge that’s facing us. I think we have
to address it in a number of ways. One of the positive things that make me
think that we’re moving in the right direction is that when you look at low
utilization regions, Minneapolis, they’re also one of the regions that have one
of the most sophisticated public reporting systems. So there’s hope there.
Maybe not enough hope.

One of the areas that our foundation is going to be investing in is
development of the concept of episodes of care which are looking at cost
experiences of not looking at what it cost to get a diabetic ulcer treated, but
what are the cost experiences of people like me with diabetes looking at the
system, connecting different care experiences.

So looking at ways that we can reform the payment system and the reporting
system in such a way to give us a better handle on effectiveness and
efficiency. Will these work? Don’t know, but I think we have to find out. Cost
is driving the system, and there are components of cost which I think we as a
society would think are good, and those are the costs that are driven by
advances in health care, advances in technology. And one of the foundations of
our system is that we want to have access to them.

On the other hand, there is a fair bit of waste in the system through 30
percent of kids who get antibiotics for their ears, you know, 30 percent of
those antibiotic prescriptions for ear infections are deemed to be of no value.
A significant portion of back x-rays for people who have low back pain are
deemed to be of no value. Health information technology with decisional support
can help us reduce some of those by giving warnings. By the way, this patient
doesn’t meet the high yield back criteria. Are you sure you want to get an
x-ray. Enabling the reporting so that the systems can look at those clinicians
who are having patterns of care. You know, not every patient’s the same, and
you’ve got to order back pain because sometimes you have a gut feeling. But if
you have too many gut feelings, then maybe you need to re-examine how you’re
approaching the patient.

DR. COHN: Kevin, then Harry, Justine. And Mark, did you have a question? No,
okay. So we’ll do that, and then we’ll probably let John wander off at that

DR. VIGILANTE: Thanks, John, great presentation. One of the things that came
up in testimony last time was these, as you effectively argued, there’s a very
compelling use of secondary data to enhance quality and efficiency of care.
Once collected, though, and in the possession of a provider or provider
organization, there is the possibility that that data – de-identified data
may be sold to a commercial entity, and it could be the sale of it that
actually subsidizes the ability to collect in the first place. What do you see,
having been on this Committee, sort of the role of this Committee or the
usefulness in sort of addressing that white space that appears to be white
space at the moment in terms of providing guidance or observing what the land
mines might be in what we’re starting to call this tertiary use of data once
it’s collected.

DR. LUMPKIN: Early on in my training, I’m reminded of a guy who I studied
under, Peter Rosen, one of the grandfathers of emergency medicine, and at the
University of Chicago where Peter was the head of our department, we developed
a set of Rosen rules that I’m not sure if Peter ever knew about. But Rosen Rule
Number Two is when all else fails, do what’s right for the patient.

And I think that’s really the charge of this Committee is that within the
context of what HIPAA was originally set up to do and based upon transactions,
as your letter aptly notes, there are areas, blind spots in relationship to
privacy. There are blind spots in relationship to once the data gets aggregated
and sold, are there ways that it can then subsequently be disaggregated, and we
know that there are ways, and can we protect against that.

Well, if that secondary group doesn’t have the same obligations, we have
concerns. I think having concerns around personal health records that are being
managed by non-health care entities is another area. And one of the important
roles of this Committee as AFA(?) goes out, identify them and I think make very
reasoned and important recommendations for change.

MR. REYNOLDS: John, thank you. I especially thank you for adding to our
chart – parts of our chart. One clarification, and then a question.

You may a statement, research is not public health, but public health does
research. And right after that, you made another statement, but some of us
can’t write fast enough.

DR. LUMPKIN: Well, the same thing about quality. In the field of quality,
they do research, but quality is not research; it’s really a mechanism by which
the improvement occurs. And so you have to look at that piece of it

What I didn’t say and I should say is that when you look at the hierarchy of
the tests that need to be looked at getting access to the data, I think the
highest test is for research. And to the extent that you look at it for quality
improvement of public health, that where they’re doing research, they need to
meet the higher test.

MR. REYNOLDS: So the question I have, you, obviously as a group we’re
looking at the privacy; we’re looking the NHIN, and we’re looking at this. And
you’ve touched on autonomy and consent and so on. So when you add in the EHR
and the NHIN and then what we’re doing here, do those change your feeling at
all? Because you are changing the procedure on individuals, and we consider at
some point transferring them across the NHIN, and you see the patient at one
point, and then all this starts to happen including secondary uses. Does all
that together change any of these for you, or is that a new category for you,
or does everything still play the same?

DR. LUMPKIN: I think it plays the same. I think that for what purpose is
that data being used. If you are flying to Minneapolis to harvest a heart, you
are charged not only with the surgery to remove that heart; you’re also charged
with safe transport and then safe transplantation. I think that the health data
is very similar. It’s data at rest and data in motion, and you’re charged with
taking adequate and appropriate safeguards.

MR. REYNOLDS: But if a person has made a decision to keep part of the data,
block it, parse it out, do whatever, does that play in this at all?

DR. LUMPKIN: I think that’s where it gets complicated, not that you don’t
know. But let me particularly go into where I think it goes – the two
areas where the answer is different than, let’s say, health care treatment or

Can a patient with multiple drug resistant TB choose to prevent that data
from being shared? I think we would all say no, that shouldn’t happen because
that’s the public good. But the basis of making that decision is not based upon
an individual clinician or practitioner making that decision. That’s a public
decision made through democratic processes.

Similarly, in quality I think we need to have the same sort of democratic
processes and structures saying that quality information is a public good,
although the difference, of course, is that quality data can be de-identified,
and public health data, if you’re going to have that kind of impact, needs to
be associated with an individual. So you kind of have public health data,
clearly defined protections to keep it identified to move through the system,
public good, but also much higher level of responsibility to protect it.

DR. COHN: John, you’re eliciting some comment here. I think Steve wants a

DR. STEINDEL: John, did you actually mean to say that a person with multiple
drug resistant TB should be identified. It seems to me what you’re saying there
is the person should carry a sign around and say I have multiple TB. I think
you meant that he should be known to public health –

DR. LUMPKIN: Identified to the public health agencies.

DR. STEINDEL: Yes, thank you.

DR. LUMPKIN: Who have then the responsibility and authority to protect their
identification – their identity as they’re engaged in public health

DR. STEINDEL: Yes, and it actually involve release of the person’s
information in cases of real need. But that’s not a general case. Thank you.

DR. COHN: I guess I should ask, John Loonsk, did you have a comment on this
one, or did you just wanted to make a – have a question or comment later

MR. LOONSK: I have an additional question.

DR. COHN: Steve, then Marjorie and then John Loonsk, and then we’ll wrap up.

MS. CARR: John, thanks for a great presentation as always, but I actually
want to follow up a little bit along the lines of what Harry was saying
because, as we talk about addressing disparities, improving quality, and then
we also balance local privacy and the concept of masking elements of the
medical record and making the control of that a decision of the patient,
whether the physician can have that information straight on up to whether it’s
available for research, I wonder if you might comment both at the micro level,
so masking data elements from the physician in your point about making
decisional support, in other words, having information blocked, how do you
implement decision support and then on up, how do you look at disparities or
other needs, public health or quality needs, when that option of masking data’s

DR. LUMPKIN: Well, again, I’d rather ask this question than answer it. I
guess I have some fundamental beliefs that masking individually identifiable
data, the best example is my dad who would go into a doctor and would never
tell them that he had a heart attack at age 39. Part of his response was, well,
they’re a doctor; they’re supposed to know these things.

You know, that doesn’t work. Clearly, there are certain aspects of the
medical record for which we already currently hold separately, medical health
components, and others, and the electronic health record has to reflect that.
It also has to try to protect clinicians, or our system needs to protect
clinicians who are trying to make the best decision that they can and perhaps
don’t know that there’s information that could have an impact upon their

So it begins to get even more complex in that regard. Once you start taking
that data and aggregating it, there may be a few people who will completely opt
out of the system. But when you look at the volume of data that we can have to
build the decisional support to measure disparities in health care, I think the
small percentage of people who will opt out won’t skew the results of those
systems. So I think that we can tolerate a little bit of fuzziness in the data.

The final one is, is there’s an obligation on all of us to inform the
patient. A very important study that we did in relationship to attitudes of
minorities in relationship to collection of race and ethnicity data, we made a
mistake in asking the question, and we learned a lot about it. We got halfway
through the study, and we found out that 60 percent of the population’s
predominantly African Americans who are opposed to the collection of race and
ethnicity data in relationship to health care – 60 percent opposed, 40
percent in favor.

We looked at the question, and then we expanded the sample size, and we
asked would you be in favor of collection of race and ethnicity data to reduce
disparities in health care delivery, and it flipped. It is not 60 percent in

We have an obligation, those of us who engage in policy, to explain in ways
that people can understand and to use data in ways that they can see can have
an impact and improve their lives.

MS. CARR: Great. Thank you.

DR. COHN: I think Marjorie and then John Loonsk, please.

MS. GREENBERG: Thank you very much, John, for coming and speaking and, as
always, giving us a lot to think about and birth the big picture and sort the
bottom line. So we weren’t disappointed.

I have a slightly different question here than the line that’s been going,
but that is that you describe the three general quality improvement model that
RWJ is funding, and I think we all know that RWJ has been as important a
contributor to our health care and health system as really probably the many
aspects of the federal government, and we’re appreciative for that.

But when I look back, you know, when you’re as old as I am, and you look
back on some of the initiatives over the years, and many of the initiatives
over my entire career have been regional approaches, and they have had mixed
success, particularly a number of the information sharing and information
technology approaches. And I wonder what is different about this new initiative
of yours. Is it the focus on transparency and public reporting? Is it the fact
that health information technology has advanced to an extent that we really can
share more relevant information and learn more from the experience? I mean, I
don’t know if you get my drift, but I mean, you know, we’ve tried this – I
mean, I go back to the PSRO Program, that’s where I got started in health data.
So what makes this different.

DR. LUMPKIN: Well, I think what enables us is the fact that we are able to
collect even administrative data in ways that we couldn’t 10 or 15 years ago,
that’s one piece of it. The second is that we’ve had two decades of significant
improvement in our ability to understand and measure quality in health care

And the third, which I think is the transformative piece is transparency,
public reporting of quality and price information, because it drives, you know,
in health care we’ve always talked about, well, what’s the case for quality.
And we know that if you’re a hospital and you improve quality, your length of
stay goes down, so your revenue goes down. So why is that a good thing.

And then we say, okay, let’s make the business case for quality, and that
becomes even more difficult because the people who benefit from quality
improvement aren’t the ones who have to fund the quality improvement efforts.
What transparency does is take all that off the table, and it makes quality
improvement of business imperative, just as GM and Ford and Chrysler address
the issue of quality in the ‘70s in competing with the Japanese automobile
industry. It no longer became an issue of what’s the case or the business case;
it became a business imperative to stay in business.

And we believe that public reporting of quality information will put
providers in the position for two reasons, they want to do well, and second
because people will be asking questions. Their information will be public, and
they will begin to adopt quality improvement as a result of market pressures
and as a result of a professional desire to perform well that will get us over
the hump of moving into quality improvement – widespread quality
improvement adoption of which HIT is one piece.

DR. COHN: John Loonsk.

MR. LOONSK: Thank you, and thank you for your testimony, John. I thought a
particularly compelling statistic about the way in which quality information
may be useful, but race and ethnicity example I think was highly relevant to
this group and compelling in terms of the importance of communication.

I wanted to clarify one point with you. I thought I heard you say very
specifically that you’re addressing this issue from two extremes, working
bottom up and top down, and that from the bottom up perspective, I think, you
referenced data residing in the clinician’s office, or at least I may have may
misunderstood. And then you talked about episodes of care. And how are you
approaching in terms of the funding consideration getting the necessary data
for supporting episodes of care or thinking about getting the supporting
information when it’s clearly not a top down activity, it’s much more specific
data than those, but also may not reside specifically in a particular
clinician’s office.

DR. LUMPKIN: Then if I said that, I misspoke. We’re looking at a region like
York, Pennsylvania or Minneapolis doing their own aggregation at the regional
level, using data that’s available at the regional level but they collect and
then aggregate as opposed to another effort which is looking at national
databases, Medicare, for instance, database and then aggregating that so it’s
relevant to that particular region and making it available to them.

The obvious advantage of regional aggregation is you don’t have this huge
large database which some of us feel uncomfortable with. The disadvantages is
that it’s expensive to do data aggregation. There may be some economies of
scale. And I think those are lessons that we need to learn as a country and
then make policy based upon that.

Episodes of care are going to be – most of that work will be done on
some of the larger databases at the national level, and then when – if we
think we have a viable model, then we’ll test them out at the regional level
with the data collection. All of this is being done in a way to create products
that will be in the public domain that will be open source so that they can be
tested by others and not held proprietarily by any one particular organization
or operation.

DR. COHN: Well, John, I want to thank you for joining us. I particularly
want to thank you for two pieces here. One is I think you obviously will know
the history of the NCVHS. Reports such as these obviously aren’t created in a
vacuum, and I think your reference back to the NHII work from work that we did
together, I think, were very useful in helping setting the context of the

I think the other piece is that we’re in the process obviously of developing
frameworks about how to all think about this, and I think we have certain
elements that you’ve described, but I think the basic principles that you
described, and particularly the justice piece that I think you brought forward,
I think it would be very helpful to help us flesh that out.

So I want to thank you. It’s a great pleasure to see you again. I’m sorry
you can’t join in for the rest of the day.


DR. COHN: John, thank you. Now I do want to before Wendy starts and really
my apologies. You can tell we’ve completely deconstructed the agenda today, and
we will rebuild it up. I do want to remind everybody (a) that the next session
after this only has two presenters. So we’re really not far behind, as well as
the session right after lunch, I think, to my understanding, has actually one
presenter. So we really do have a fair amount of time for these conversations.

This may require some adjustment of the lunch hour, but so if we start at
12:15, that may not be the end of the world.

But Wendy, thank you very much. I appreciate your forbearance on all of
this. Please.

MS. PATTERSON: I apologize in advance if some of these material is
repetitive. I don’t know how much you all know about this program. So I’ll try
to spin through some of it a little quickly.

First of all, I want to thank everyone for the opportunity to speak today on
behalf of the Data Sharing and Intellectual Capital Work Space of the NCI’s
Cancer Biomedical Informatics Grid.

My name is Wendy Patterson. I’m a senior advisor in the National Cancer
Institute’s Technology Transfer Center where I provide guidance on data sharing
and intellectual property matters. One of my responsibilities is to serve as
the NCI facilitator for the DSIC Workspace. Our members represent a wide
variety of perspectives on many issues, including some of the ones we’ll
discuss today. Discussions in the Work Space are conducted in a frank and open
and transparent manner. We don’t always reach consensus in our positions, or at
least not right away. And I’d also like to point out that the views that I’m
expressing here today are those of most members of the Workspace and are not
the official position of the NCI, NIH or the various institutions with which
our members are affiliated.

I’d like to set the stage for my remarks within the overall context of the
transition to personalized medicine where we will soon see unique level of
characteristics of the individual patient that are driving the prevention of
disease and the delivery of health care. This paradigm will require the
synthesis of multi-dimensional data and the joining of multiple diverse
communities including researchers, care providers, and data repositories in
order to direct care that is based on the molecular characteristics of disease.

This approach is not without precedent in the cancer community. Treatment of
childhood cancers today relies on a model that joins such communities to direct
care that’s based on these characteristics. And this model arguably is
responsible for the tremendous successes that have been observed during the
past several decades as is soon to be the case in adult cancer, childhood
cancer is the chief cause of death by disease in children between the ages of
one and 14. However, unlike adult cancer, mortality rates have declined nearly
50 percent since 1975. The pattern of care that’s associated with childhood
cancer differs remarkably from that of adult cancer. First of all, childhood
cancer is treated in a context that blends care delivery and clinical research.
On average, more than 50 percent of children receive treatment in clinical
trial setting for treatment of acute lymphoblastic leukemia (ALL). This number
is nearly 85 percent. ALL in children is also treated with consideration of the
individual child’s bio markers that are believed to reflect the molecular
origin of the disease, and these molecular markers are currently used to tailor
the intensity of therapy to minimize toxicity.

So in order to deliver on the promise of personalized health care, we need
to be aware of a number of challenges. First of all, there’s the biological
complexity. There’s the isolation of researchers, the technology disconnect,
the health information tsunami that’s confronting us with the overwhelming
volume of data, multitude of sources. Obviously, reaching our goal of
harnessing all of this information is going to necessity, but not easy to
enhance cancer research.

Finally, there’s the informatics tower of Babel which is at the heart of the
barriers to better science. Sciences in different fields use the same terms for
different meanings for different things. They use different terms for the same
concept. Our own NIH community demonstrates this in many different areas of
domain expertise. And while this diversity may bring outstanding results in a
given, it’s currently impossible to bring it all together.

And finally, we haven’t really progressed radically from the 17th
Century model of scientific information dissemination which relied on
professional meetings and journal publications. So with all of this in mind,
NCI recognized the strategic importance of using information technology and
biomedical informatics to advance the goals of personalized medicine and
therefore it has launched caBIG to create the full cycle of integrated cancer
research that extends from bench to bedside and back again.

So caBIG is NCI’s platform for molecular medicine, and it’s designed to be
the next generation web for biomedical research. It’s a virtual web of
interconnected data, individuals and organizations. The intent is to redefine
how research is conducted, care is provided, and how patients and research
participants interact with the biomedical research enterprise. It’s intended to
address the complexity of cancer by integrating biological and clinical silos,
IT infrastructures, software and data institutions and people.

The enterprise itself is trying to bring different communities together
through IT using a common infrastructure of vocabularies and tools so that each
individual institution can connect it and resources in a way that will
categorize discovery and advance the practice of oncology.

Just a brief note. There are four fundamental principles on which the
enterprise is organized: open source which John Lumpkin referred to in terms of
the development of software, tools and applications. I would point out that
those tools are made available on a non-bio basis so that end users are free to
take the derivative products that they make using our tools and wrap them in
proprietary applications or not. Open access – resources need to be
available, open development so all of our products which range from tools and
applications to some of the things we’ll talk about later are developed in an
open and participatory way. Anyone can be on a caBIG teleconference. We have
many people hold AHRQ. I never know who’s there, but that’s part of the process
of making it open and transparent.

And finally, federation which is something we’ll talk about in more detail
further on, but it’s basically a network of networks so that access to data is
controlled locally.

In terms of the operational structure, we function in – we have domain
work spaces where we have communities that work on specific topics of interest.
We have cross-cutting work spaces that support the basic infrastructure, and we
have strategic level work spaces that address issues of concern to the entire
community. And so the DSIC Workspace is a strategic level work space. It
facilitates data sharing. It’s intended to facilitate data sharing and address
a number of challenges, legal, regulatory, ethical issues, policy concerns,
proprietary issues, which won’t really be the subject of what we talk about
today, but they loom large. And by necessity, we have a diverse membership. And
I will say that, you know, in the first year just wanting to talk to each other
was quite a challenge. Getting the lawyers and the IT folks to talk to each
other was quite a break through, but it is interesting, and I think it’s been
illuminating on both sides.

And so obviously a number of data sharing challenges that I’ve alluded to
and that John also mentioned. There are varying obligations under federal and
state privacy laws, different IRB requirements both as they interpret things
and also different policies and different cultures, academic considerations,
concerns about protecting intellectual property, patient safety issues, and
last, but certainly not least, public perception which are key.

And you know our view is that the maximum utility of this infrastructure
depends on the ability to address these barriers, potential or perceived, and
that we need to reconcile the needs to protect these concerns both in patient
information but also in proprietary information in a way with controlled and
secure access. But you know, also with the knowledge that – and I use this
word advisedly, excessive restrictions, and who’s to determine what’s
excessive, but we’ll get into that, is going to choke the flow and impair the
ability of researchers to leverage those silos. Yes.

DR. COHN: If you could just be a little closer to the microphone because I

MS. PATTERSON: I’m sorry.

DR. COHN: I’m hearing most of what you’re saying, but occasionally – no

MS. PATTERSON: So with that in mind, from the start we’ve recognized the
entire caBIG community, not just our workspace, that in order to accommodate
the needs of diverse stakeholders, we really needed to take kind of a
three-pronged approach to addressing these issues, and I’ll talk about them in
a minute.

But the first is a federated architecture, the second is an analytical
framework that will enable continuous and consistent analysis. And finally, a
sort of a technical approach to developing standards, tools and infrastructure
that are broadly available.

So turning to the first prong, let’s just talk a little bit about the
architecture, and I also would want to make a full disclosure. I’m not a
technically trained person, so bear wit me. But I certainly get to you much
additional information.

The technical infrastructure is based on a set of technologies that we call
caGrid, and it allows systems that are constructed according to a series of
technical compatibility guidelines to interoperate with each other and with
properly authenticated and authorized end users. The security infrastructure is
federated, so users are authenticated at their local institutions and local
providers have the flexibility for addressing proprietary and regulatory
concerns about particular data resources. Institutions and individuals that
make data available through this infrastructure are responsible for complying
with applicable laws, regulations and policies including any requirements for
informed consent, patient authorization and needs for protecting intellectual
property or restricting data access for proprietary reasons.

This slide is intended to depict a series of federated grids that are based
on a common technical infrastructure. The NCI instance, and that’s a tech term
that spawned from the language of software design, we call that NCI-caGrid. The
federated and distributed nature of the caGrid technology stack allows for the
interconnection of a series of networks that are managed independently but are
interoperable with the NCI-caGrid. This flexibility allows, therefore, an
individual medical center, cooperative group or other entity to set up its own
instance of caGrid that can operate behind a firewall, with different security
requirements than those of the NCI-caGrid. However, the participants in a local
caGrid installation can interact with participants in the NCI-caGrid so long as
there’s an appropriate trust agreement. Similarly, participants in the
NCI-caGrid can interact with other large scale implementations of caGrid that
are expected to be compatible with caGrid standards such as the upcoming
cardiovascular research grid or the United Kingdom’s NCRI oncology information

Turning to the analytical framework, this is our strategic approach, and
this is a framework, and I apologize. This is hard to read even from here and
in a public raw data I would have brought a much larger version. It is
reproduced at the back. If you have copies of the written testimony, so we
actually brought updated versions that have the appendices. So I don’t know if
those were – okay, that’s Attachment 1 at the end of page 15. It’s a
little easier to read, but not enough.

But in any case – I’ll get to that, but the point is that this
framework is based on sensitivity of data and access controls that are
appropriate to level of sensitivity, not per se on the uses of the data. And
this approach recognizes that there are varying levels of sensitivity of health
information, and that many data changes require agreements, validation of
users, authorization of intended uses and so forth.

And I would say that we appreciate that some data are highly sensitive and
should never be shared without individual permission. Because this
infrastructure is premised on the concept of federation, and I’ll say this
again, individual entities that control access to data are responsible for
assessing the risk and the consequent protection that’s required for data to be
shared. So institutions determine who’s authorized and under what conditions.

So this framework is grouped – we use basically four inputs to try to
make the analysis, and those are the four coupled columns. And that first
column talks in terms of economic proprietary concerns of researchers and
research institutions. The second column talks in terms of federal and state
privacy and security auth regulations, the third column speaks to ethnical
considerations that are reflected in explicit consumer and IRB imposed
constraints on data sharing, including restrictions that may be specified in
informed consent documents, and the last column focuses on contractual
restrictions that are imposed by research sponsor which often come from
industry but may come from foundations or even from the government.

Once this analysis is completed, we think that a number of the barriers that
we’ve talked about before can be reduced or even eliminated for some subsets of
the data. So let’s move on to the next page, if we could.

So in terms of actually implementing the framework, we’re not trying to move
forward to develop web-based terms of use and standardized contractual
provisions for trust agreements that are designed to facilitate data sharing
that would be consistent with HIPAA and other applicable privacy security laws,
and also with human research protections and accreditation standards. We’re
also looking at modeling which for applications that are submitted to IRBs to
educate their members regarding caBIG and the NCI-caGrid. It talks then about
the benefits and the risks of data sharing and the various mechanisms that are
utilized in various caBIG tools to mitigate risk.

And we’re also working on model language from informed consent and
authorization documents that’s designed to encourage consumers and patients and
research participants to participate in the caBIG initiative in a manner that’s
consistent with requirements specified in the Common Rule FDA Regulations
Accreditation Standards and HIPAA.

Another workspace the caBIG tissue banks and pathology tools, for example,
has developed a tool that we call caTISSUE Core that tracks the extent to which
individual patients or research participants have given permisson for their
collected biospecimens and related data to be used for research purposes. And
this tool allows users to track different tiers of consent, for example, as
well as decisions by research participants to withdraw consent for the use of
specific specimens.

Finally, we have the caGrid Security Working Group which is staffed by the
caBIG, the DSIC Regulatory Group. We have two groups, a proprietary group and
the regulatory group, and also our architecture workspace so that, as we are
developing the functional requirements for security, that the technical aspects
can be built into the procedures.

So areas for recommendation here are going to involve security policies
regarding federated authentication, certificate management and provisioning,
group-based authorization, protection of sensitive data, user security policies
and procedures, also implementation procedures for the various providers of
data which we also refer to as Nodes or grid facing components. And then
finally procedures for periodic security risk assessment for the infrastructure
and also for the nodes that are making data available through the grid.

We’re currently focusing on a set of baseline policies that will allow a low
barrier to entry of data via the grid, particularly for systems that are
carrying non-sensitive data. We will then turn our attention to developing
policies and procedures for more sensitive information. We recognize that’s
going to take time. This working group, like other work spaces within the
community, are populated by a diverse number of stakeholders. We have, as I
mentioned, the two work spaces, DSIC and Architecture who are standing members.
We have community members from the domain work spaces, clinical trials,
imaging, tissue banks and our genomic systems biology group. We also have
patient advocates. All the meetings are open, so again anyone can participate.

So let me just come to the thrust of our concerns here. I think from what
you can see, we view research as being an integral component of the health care
delivery system. And our concern is that conceptualizing data use in terms of
primary or secondary activities may imply a value judgment that doesn’t make
sense within the current environment, you know, where clinical care, quality
improvement and research are often integrated and where in many instances, as I
referenced earlier, research data can be as important to clinical care delivery
and vice versa.

Obviously, there’s a balance of interests that needs to be achieved. I think
we would all agree that there are various opinions on the adequacy of HIPAA in
terms of protecting privacy. As I mentioned earlier, there don’t appear to be
many protections, if any, for PHI that’s maintained by various commercial
entities. It’s our understanding that HIPAA’s not geared to research in
particular. I mean, there are mentions of it in the Rule. But given the
projectory of personalized health care medicine, there’s a concern that the way
the regulation’s currently structured is that it could become outmoded and be
outstripped by the expectations that people have for health care in the
21st century.

And so we would hope that the Committee could consider a middle group to
recognize research as central to health care delivery if it’s conducted in a
manner that’s consistent with informed consent or appropriate exceptions such
as an exemption from IRB review or an IRB approved waiver.

But I think before we even get into that discussion, I think it’s important
that we as a society and this group in particular need to agree on priorities.
I mean, do you value privacy, privacy in the name of patient autonomy to the
exclusion of other concerns, or do we – and the other thing that I think
needs to be resolved, and I think that first question is rhetorical because I
think we all value a number of things besides privacy, and privacy is
incredibly important to our group, too. So I don’t want to convey that
impression at all.

The other, I think, question that is often unasked, and I just want to put
it squarely on the table, is can patients make an informed choice. Do they
understand that withholding information for clinical care, quality improvement,
outcomes evaluation of research can contribute to a reduction in the validity
of results and potentially negatively impact their own individual care. And you
know, I was listening to some of the comments before, and I guess the answer to
that question is it depends. It depends on the number of people who withhold
their information.

If we can – we need to be able to maximize the number of people whose
information is made available for research and quality improvement in a manner
that respects patient autonomy and privacy. I mean I don’t think that we want
to see this as mutually exclusive; I think that’s a false dichotomy. But I
think it’s incumbent on us to develop ways to enable both objectives.

So in conclusion, we’ll just say that we think that personalized medicine
offers an opportunity to improve our ability to deliver effective prevention
and treatment to patients, and that research is an integral part of the
personalized health care paradigm. For the standpoint of access to data, it’s
our view that treating research as a secondary use is artificial, you know, as
highlighted, for example, on the case of childhood cancer where those have been
combined, and that we would be concerned about an unintended consequence of
leaving research as a secondary use because it could disrupt the extension of
this paradigm into new areas.

Obviously, health information technology and health information and
electronic health information initiatives offer huge opportunities, and we
would encourage the Committee to recognize the role of research and quality
improvement activities in the 21st Century biomedicine paradigm when
considering privacy policy.

And I would be remiss if I didn’t acknowledge the work of my colleagues in
the room as well as those elsewhere who have been instrumental in helping me
develop my views and shape my remarks, and the members of our workspace who
reviewed drafts of the document on a very tight timeline.

So with that, I’ll take questions, and thank you for indulging my rapid fire

DR. COHN: Wendy, thank you very much. Thank you for indulging our changing
the agenda around and all of that this morning.

Obviously, you covered a lot of area, and I know there’s going to be a lot
of questions. I already see Steve Steindel raising his hand and wanting to make
a comment. Obviously, we’ll let others ask questions, and then I’ll make a
comment. Steve?

DR. VIGILANTE: I actually should have looked at the agenda more carefully
before I made my opening comments. I don’t believe there’s any conflict of
interest, but in the interest of transparency and full disclosure, Booz-Allen
is a contractor that supports CAB(?).

DR. COHN: Kevin, thank you.

DR. STEINDEL: And thank you for fascinating description of the great work
that NCI is doing in moving this project forward. I also really was
appreciative of the very closing remarks that you made towards the very end. I
think that gets more to the heart of what this group is looking at and

And what I was very impressed by was, as we move into this future world of
personalized medicine, it seems to me that you were discussing there is a
blurring between the research and actually what care decisions that you would
make. And one area that there appears that this might be occurring in real time
today is in the area of childhood cancers in particular where you said 80
percent of what was it, ALL patients who are now in clinical trials.

And so what it seems to be today, they’re trying to practice this idea of
personalized medicine by going through the IRB approaches and the full blown
protection, and what you’re saying is in the future we probably should consider
moving to a less rigorous way of doing things.

MS. PATTERSON: I don’t think we’re saying to remove IRB approval.

DR. STEINDEL: That’s why I used the word less rigorous.

MS. PATTERSON: Okay, okay. So I think we want to retain that protection. I
think that the concern is that there may be additional and potentially –
I’m going to put this word in quotes because it’s a question, superfluous
layers of protection, and that, you know, we certainly think that if someone is
not otherwise regulated that the existing regulatory framework within HIPAA to
the extent that it covers should be applied.

But in many cases we wonder if it’s really necessary to have the HIPAA
framework for research that is under the watch of an IRB. Is it a bit of belt
and suspenders. And also there’s – and I think someone else made this
point, I mean, there’s tremendous confusion out there in the real world as to
what applies and what doesn’t.

There was recently an article in the New York Times that talks about
it’s basically easier to say no, the way the system is geared. And it’s just
had a very chilling effect on the things that could be done. So I don’t know if
that addresses your concern or not.

DR. STEINDEL: Well, just as a quick comment before I address your comment,
one of the key people that was interviewed in that article is sitting on my

MS. PATTERSON: Right. I’d just like to point out that members of the –

DR. STEINDEL: He’s too modest to say so.

MS. PATTERSON: And that article received broad attention. My father made
sure that I saw it right away.

DR. STEINDEL: Mark made the comment to me on the aside that the reporter who
wrote the comments said this was one of the most commented on articles that the
New York Times received comments on, et cetera. It really hit a nerve.
So I think we take your point to heart.

What I’m really concerned about is from the Committee’s point of view –
the Ad Hoc Committee’s point of view is should we look at, when we talk about
other uses for health care data, really consider the move to personalized
medicine in a different sense than what we’re considering a lot of the present
aspects of research, et cetera. It sounds like we should make some specific
note of what you’re discussing.

MS. PATTERSON: Yes. But I think what we’re saying is that from the
standpoint of personalized health care that considering research or quality
improvement data as a secondary use or public health data as a secondary use is
not necessarily meaningful. I mean, if these objectives are realized, and I
– again, I’m not a medical expert so I can’t say, you know, sort of assess
what the promise is that it will be delivered. But if it comes true, you know,
it could be that in the process of a patient encounter there would be a
research effort that is conducted in real time, and admittedly there would be
other factors that would come into account. I mean, there are other sources of
regulations that might have you view information differently.

So, for example, diagnostic test data from a research test might be viewed
differently if it’s completely unvalidated. But if you’re on a phase three
clinical trial in pediatric cancer and that’s the only source of care, you
wouldn’t want the doctor who has access to the patient as a doctor to suddenly
be denied access or have a much more onerous ability to combine information
when he logs on in the role of the researcher.

DR. STEINDEL: Thank you.

DR. COHN: Margaret.

MS. GREENBERG: Thank you, and I also really appreciate your presentation.
It’s fascinating and thanks to Mary Jo also for calling our attention to this
important work. I thought, and I think Steve mentioned this, but one of the
really interesting sort of additions at least you gave to my understanding is
this example of the childhood cancer treatment where research and treatment
really are inexorably related, and I think it’s those types of sort of nuances
are somewhat different than what we typically think of as the dichotomy that
are very helpful and, of course, make this all the more difficult.

But I guess I was just struck by something that is, although I would be
interested in your response to this as well, but something that John Lumpkin
mentioned and, of course, you mentioned and I have been hearing over many, many
years that I have been working with this Committee, and I just since, well,
I’ll be gone much of August and may not be able to participate in all of your
discussions, I just hope that the Subcommittee or the Workgroup will really
give serious consideration to is this tremendous need to, well, it’s sort of
patronizing, I think, to say to educate the public, but to engage the public
and public opinion at all levels in this dialogue about what the benefits are
and what the risks are. And to be honest, I mean, often we – and we all do
this. We spin things. We want people to see all the benefits, and we like to
minimize the risks or the negatives.

But I think there is such limited information in the general public about
how information is being used, about the different types of research, about who
benefits, who, you know, where the costs are, and we’ve been saying this for
years, and we’ve been recommending it to the Department. I mean, my colleague
across the aisle here certainly has written a number of letters, and I think
all of the information. But somehow we aren’t penetrating, and I think this is
just such a critical point, and I think it’s something that I’m sure ONC is
very aware of as well. It has to do with public trust, but it has to do with
knowledge and we just have to do a better job of this, and it really will make
a difference, I think, if just some of the resources would go into a really
concerted effort at education and dialogue. So I just encourage the Ad Hoc
Workgroup to keep that on your radar screen.

And my question to you is of what – are there innovative things that
this project is doing to try to engage the consumer and the public.

MS. PATTERSON: I couldn’t agree with you more, and I think we’re very aware
of that. And as we begin to build out the tools, and I have to say I was a
little uncomfortable coming here today. I would have loved to come in six
months when we had all of the supporting documents, and I could have given you
five or ten attachments to the testimony.

But at the end of the road, what we’ll be doing is dissemination of
information at different levels. And you know, the NCI website does a pretty
good job, I think. They have a lot of information’s geared to patients as well
as to physicians. And I would see us as also, and Mary Jo’s very aware of our
communication efforts, preparing those kinds of materials. So that’s sort of a
static method, if you will, putting it on the website.

We are also getting out and pushing out information to various groups, and
we’ll continue to do so. And then I also think a really, really important piece
of this is really sitting down and working with IRBs which are tremendously
overwhelmed by all kinds of, you know, their day jobs and then there is what
some people allude to as mission creep in terms of having to get into lots of
other issues.

And so we really want to work with them. We want to be – I want to say
this about us and I want to say this about them, that we want to be part of the
solution, not part of the problem. And I think it does nobody any good not to
talk about risks but also to talk about the full flavor of benefits. And when
we talk about risks, I think – and excuse me if I say something that’s not
PC, but I think, you know, I’m always reminded of the expression, you know,
trust in God but keep your powder dry. The security infrastructure is really
important. And so we are really working carefully to develop that part of the
piece so that when people are told, are sold on how wonderful this all is, that
they have some trust in the ability of these systems to keep information that
they believe safe to be safe. Otherwise, we will still be able to use the Grid,
but for a fraction of its intended uses.

DR. COHN: Oh, please, and then we have Justine, Kevin, and then I’ll try to
wrap up so people can take a break.

MS. DEERING: I just wanted to call the workgroup’s attention to a printed
submission that you have here which is from in fact a patient advocate. This is
what it looks like. And I think what you’ll find is that – this happens to
be a patient advocate from NCVHS who has actually been intimate whose name was
acknowledged up there. But I think what you’ll there is that it’s not just a
statement of the patient’s interest; it’s also a technical analysis, and she
knows a lot about what happens to this data.

So I do hope that members will take a look at this and understand from the
patient’s point of view. I think it gives good arguments for the language that
can be used about the value of it. So it should be in your stack. It should be
in the pile that was in front of us. This is not one – it should have been
in your pile. In Deborah Collier’s? We’ll get it. Thank you.

DR. COHN: We’ll dig through and find it. But Mary Jo, thank you. Justine and
then Kevin.

MS. CARR: Yes, I’d like to respond to your observation that secondary use
has a higher hierarchical and potentially unintended implications, and I’d like
to suggest to the Committee that we think not in terms of secondary uses but
perhaps a term like expanded uses of health data because I think, as we’re
hearing this morning, as we expand moving to greater expanse of benefit, and
perhaps that would delete some of the hierarchical element.

DR. COHN: Kevin?

DR. VIGILANTE: So Marjorie, I think I’ve come up with a bumper sticker for
your campaign. Instead of saying donate your body to science, you should say
donate your information to science. So, so, you know, this taxonomy of primary
and secondary data has been a troubling one from the get-go because it does,
secondary has this sort second class sort of value rating, it’s sort of
weighted, right.

But on the other hand, it is, you know, if you’re – whether it’s a
lumping or a splitting, sometimes it’s useful to split to sort of analyze
things, and there are some differences here that I think we want to preserve so
that – to make sure we in the course of discussion we identify what’s
different about it.

And I think, you know, in the case of, say, the 80 percent of kids in ALL
being enrolled in clinical trials, I mean here clearly there is a therapeutic
often experimental intervention that’s being conducted in which, you know,
consent is mandatory and IRB approval is essential. And a primary use of the
collection of that data as articulated in that study is to conduct that

And so, you know, in that case, it’s different than sort of data that was
collected with no particular trial or research intent in the beginning, but it
was collected when the patient was seen. And then after the fact, and we
believe that – even if you believe in the beginning that someday this data
will be useful for some clinical problem and ought to be available to be mined,
it still seems to me that it’s different in the sense that but for the desire
to seek care, were it to keep you well or to make an intervention to make you
better, that data never would have existed. That is really that desire to seek
care from a provider that was the motivation to yield that data, and that the
fact that it may be used for other purposes, whatever we call it, is different
than sort of the IRB setting, and it’s different than the intent for which it
was originally collected which is partly to care for the patient.

And there is some special case here that I think needs to be preserved,
carved out and thought about separately. And I don’t think we’re any of us
disagreeing. What we call it, I’m not really sure. But there’s clearly a
continuum going on here that –

MS. PATTERSON: Yes, I would agree. There’s definitely a continuum, and just
sometimes the lines are blurred, and it can be used for different purposes. And
what we’re arguing, I think, here is for the recognition that in many cases,
not in all cases, but in a number of cases this data that’s collected in IRB
regulated research does constitute – is used for primary purposes to use
that taxonomy.

DR. VIGILANTE: There were two primary purposes in that case, right.

MS. PATTERSON: Right, exactly, fair enough. So I think we all, at least in
our group, feel that an extra level of protection is required which is why we
would be concerned about not having IRB jurisdiction, if you will, and that

DR. VIGILANTE: Not having IRB jurisdiction over the case that I just talked
about, in other words –

MS. PATTERSON: Yes, in other words –

DR. VIGILANTE: You come to see a doctor. There’s no trial going on; there’s
no research planned, but there –


DR. VIGILANTE: And I think most of us would probably agree.

MS. PATTERSON: Right, right. In most cases, that will require some consent
which I think we all know is in many cases it will require IRB consent which it
may, as we would all agree, is not just simply a piece of paper that is
designed to protect institutions, but is a process. And I think we feel very
strongly about that. But there are other cases where re-use of data will be
exempt from IRB review if there are sufficient protections, or will be subject
to waiver. But in any case, the IRB gets to make that call.

DR. COHN: I want to thank you for the presentation. I am reminded, I think,
and Kevin sort of began to ask the questions that I was trying to get into
about this sort of how somebody uses work. I guess I am reminded, and whatever
we call this research area, one has to recognize when we’re talking about HIPAA
or any other framework, it’s talked about a little separately because it does
have IRB, yet there’s obviously a structure there.

However, having said that, I am reminded that there’s actually a whole world
of research out there that to my knowledge doesn’t really go through IRB or
anything else. I mean, you’re talking about really a world that would be
described as, and I’m not a researchers, so I may be inarticulate in this
description, but it’s federally funded sponsored research that has very robust
safeguards overall, and yet we’re all sort of aware out there sort of in the
back of our minds that there are other things going on which may not have the
same protections you’re describing, and I think you would agree with that

MS. PATTERSON: Yes, absolutely.

DR. COHN: Which is probably another way of making that another
differentiation that needs to be addressed.

MS. PATTERSON: Yes absolutely.

DR.COHN: I guess I should ask, I mean, do you worry at all in all the work
that you’re doing that – I mean, you talk about patient perceptions, you
talk about the structure you’re creating that trust may be undermined by some
of this other pieces that are sort of outside of your control?

MS. PATTERSON: Oh, absolutely, for the very same reasons that Marjorie
indicated. I think the public doesn’t really distinguish between all of these
different kinds of activities. And one bad apple spoils for everyone. Our view
is somewhat narrow at this juncture because we are dealing largely in the world
of federally regulated research.

But I think that ultimately if things take off the way people are
projecting, there will be many, many different uses of data by people who are
otherwise unregulated, and I think that needs to be examined very carefully.
I’m not saying that they are by definition harmful, but it at least needs to be
examined and appropriate safeguards need to be put in place. But what we’re
just concerned about is, you know, unintended consequences of overbroad
regulation areas that have been subject to what many would consider to be a
pretty good system already. And at least from reports in the field, there’s a
lot of confusion. And if there’s confusion as indicated in the New York Times
article about what providers can share, you can imagine the level of confusion
in the research world.

DR. COHN: Well, Wendy, I want to thank you. I have the sense that we may go
into some pieces of this as we continue to deliberate and talk, and I will
– I hope I’m not warning you, but we may be calling you back or asking you
additional questions.


DR. COHN: And I hope you don’t mind.

MS. PATTERSON: Right. We’d be delighted to. I just wanted to point out that
I too will be out of the country in parts of August. But we will get you
information one way or another.

DR. COHN: Well, we appreciate that. Thank you so much. Now’s it’s 11:15. As
you know, we’ve deconstructed this day, and we’re reconstructing it as we talk.
We’re going to give everybody a ten minute break. We’ll get back together at
11:15. I suspect that session will go probably until about 12:30, and then
we’ll start up again at 1:30 p.m. So thank you.


DR. COHN: Okay, we’re all going to get started. If everyone please be

At this point, I’m actually going to turn the session over to Harry
Reynolds, our Co-Vice Chair to run the meeting. And I obviously want to thank
our presenters for coming in and being willing to testify. And I do want to
thank Scott Young, and I presume you’re on the phone? Is Scott Young connected?
Do we have a line? Oh, okay, good.

And as I commented before, I do want to just again publicly disclose that
Scott Young is with Kaiser Permanente which is my organization. Then with that,
Harry, I will turn it over to you, and what? No, he’s formerly with the
government, but he’s with Kaiser Permanente. I guess this is Simon Cohn, would
the people on the phone please identify yourselves.

MR. YOUNG: Good morning, Simon. This is Scott Young.

DR. COHN: Okay. And is there another person on the line? Scott, I’m just
turning this – who is that? That’s still Scott. Scott can you hear us?

MR. YOUNG: Yes, I can.

DR. COHN: Okay, good. I was just in the process of turning the chairing of
the session over to Harry Reynolds. But I did just want to thank you for being
willing to participate.

MR. YOUNG: Oh, my pleasure.

Agenda Item: Perspectives on Uses of Health

MR. REYNOLDS: Okay, the next session is having to deal with quality
perspectives, and the first speaker’s going to be Joel Goldwein from
Alliance/Elekta. So, Joel, if you’ll please proceed.

Agenda Item: Quality Perspectives

DR. GOLDWEIN: Thank you. First, I really truly appreciate the Committee’s
indulgence in inviting us to discuss our oncology data alliance which is
perhaps at the point of care one of the models of data utilization that may fit
in terms of the satisfaction of both HIPAA and Common Rule, and I’d like to
take this opportunity to describe what this program is and what it entails and
how it’s evolved and what kind of things we’re able to do with it.

But first what I’d like to do is discuss the company that employs me just to
give some background and perspective.

Impact Medical Systems was established in 1990. It was literally a Silicon
Valley company that started in the garage of one of the three founders and
evolved first from information technology and electronic medical record systems
in the radiation and oncology space to medical oncology to cancer registry to a
number of other oncology related disciplines using information technology to
support patients and practices and populations at the point of care.

The core product of Impact is an oncology specific electronic medical
records system that is used primarily in ambulatory and hospital-based
facilities for ambulatory patients who are being managed with perhaps one of
the most difficult medical maladies, cancer. And, therefore, this particular
system needs to involve a number of different very complicated modules in order
to support everything that happens with the patient from the time they walk in
the door and get registered all the way to late follow up when their physicians
are seeing them on some yearly or less or more basis.

The system itself includes a number of substantial reporting capabilities,
pulling data out of the EMR system that helps the practices manage the patients
both directly and indirectly. It has numerous interfaces to external health
information systems, to billing systems, to medical devices. We have a number
of regulatory regulated devices that we interface, too, and we have regulated
modules within our software. We have interfaces to cancer registry products,
and we own two cancer registry products that we directly interface to from our
EMR systems and a number of other resources that this pretty complicated
program needs to interface to.

Primarily, the system is designed with patient safety, practice
administration, data management and all components or modules or aspects of
cancer care in mind. Our oncology data alliance which is the program that I
came to discuss today was a quality assurance – is a quality assurance
initiative that was established for our customers about two or so years ago,
actually less than two years ago. So it’s a relatively new program. It’s still
a program in a tremendous amount of evolution. We have perhaps a couple
handfuls of customers who are participating in this program, and it was a
program that was actually sparked out of interest on the part of our customers
to help improve the quality and utilization of our system and to help them
better use the electronic medical records to prepare for some of the pay
performance initiatives that are coming along in all aspects of medicine, but
in particular right now are active from the part of CMS and other providers or
insurers for oncology practices, and that includes both radiation and medical
oncology. And it allows our customers to leverage the community of other
practices who are participating in this program.

They also leverage a data aggregate which is a byproduct of this particular
program, and I’m going to describe how that is constructed in a few moments.
The program for our customers is optional. It’s transparent to them. They know
everything that is happening to their data. They have access to their own data.
I’ll explain that in a few moments as well.

There is no additional direct charge on our part to our customers for this
data. But I ought to have put zero dollars cost in quotes because there is a
not insignificant cost on the part of us to vendor and the part of the customer
in terms of administering this system. The customers need to have more active
processes in place in order to enter the data, some of which is not necessarily
entered as well as it can be. They need or often do have data managers or other
people who are involved in the care of the patients being interactive with this
particular system, and we as a company also have to have or incur costs in
terms of managing the data, in terms of making sure that the data is acquired
properly under the proper constraints, regulations is aggregated and
de-identified and detached properly. And we have a regulatory department within
our company that helps oversee and audit these types of issues. Currently, the
cadre of customers who are participating in this program are our medical
oncology customers. We have roughly 250-300 total medical oncology customers.
But I would say roughly about 10 percent of those customers are participating
in this program. And the implementation of this program involves not just
providing them with software, but also providing them with training in
processes and procedures and supporting them in the endeavor.

So we train our customers very actively in best practices for data entry,
making sure that customers are entering data in a way that both achieves the
goals of this particular system, but also allows them to have some, if you
will, conformance with other practices. So that, for example, if they’re
entering a lab value or acquiring a lab value or entering the weight of a
patient or other data that we may or may not be abrogating, that they do so in
a way that is in compliance with how other customers who are participating in
this program do that.

The software that we provide them then in effect collects the data
electronically over the Internet for us. It does so in a way that’s secure, and
I’ll describe a little bit about that in a few moments as well. And then we
take that data and we de-identify it. We completely detach it from any
identifiers, and we aggregate it with the group of customers’ other data that
are involved in this program. And then what we do is we take this data, and we
feed it back to the customers in a de-identified manner so that they can use it
to benchmark their practices to understand where they set relative to their
peers, where they can improve the quality of their programs, and where they
excel compared to other customers who are participating in this program.

The subset of variables that we collect fall into four categories listed on
this slide. And as you can imagine, there are obviously identifiable parameters
that we are pulling from the data sets that the customers hold. But over the
course of this process, that data either gets removed or de-identified using
processes that, for example, will turn dates or date ranges into ages that will
pull out something like an age that’s 93 years old and say simply that’s 89 or

The same thing goes for virtually every identifier that we could be pulling
out of this group. So that if there is a zip code, for example, we de-identify
it at the level of the requirements for HIPAA, and if there’s laboratory data,
as long as that’s not associated with the patient, we obviously pull that out
and clean that up and do what we need to do in order to be compliant with both
Common Rule but moreover with HIPAA regulations under which we believe fall. So
no names, city, state or zip codes of staff are ultimately collected, and
select treatment dates are collected, but they are shifted, as I just described
in various ways to disenable anyone who is looking at the aggregated data from
identifying in any way a particular patient out of the group.

Date of birth is used to calculate age only. It is also not recorded in the
aggregate. The benefits to our customers are wide ranged. We believe that we
provide them with quality reports at their request that help them in a variety
of different ways. One of the key and initial reports that we provided them is
simply a report telling them what data is missing from their data set that
helps them to improve their practice.

As an example, something around initially 30 to 40 percent of our practices
were not entering stage in the constrained data fields that in a cancer EMR
system you would have to have in order to actually do the kinds of things that
you need to do to support your patients and practices and manage your
populations of patients better. So we provided them with a mechanism to
identify what patients were missing these different parameters that would allow
them to go back and, if you will, it was a feedback loop that improved the
quality of their care of their patients by showing them what data they needed
to enter into their systems. And this, again, is something that and our
customers believe would prepare them for some of the quality and pay
performance initiatives that currently exist.

We also provide our customers with access to a secure website that allows
them to view the aggregated de-identified data sets, and compare their local
facility data set which they have access to as well so that they can benchmark
their practices and understand the populations that they’re treating and how it
compares, again, to the other members of the group.

We also have external commercial partners that we take the scrubbed
de-identified data and sell to, and these are consulting and health care
research firms that have significant interest in real time patterns of care and
the management of cancer patients. And our program members are cognizant of
this, and they fully participate in this partnership.

This program was created as a vehicle to collect, aggregate and de-identify
quality related oncology data, and as a result of this, we as a company are
learning how to improve our products to better support our customers and their
patients. As an example, we completely redesigned our TMM, our cancer staging
module to allow our customers to enter the data in a more consistent,
controlled and easier way. The interface and the usability of that has
increased tremendously as a result of information we received from this
program. For our customers, they’re able to do quality comparison against the
aggregated baselines of data, and they have access to other data quality
reports and trends that they wouldn’t ordinarily have access to unless they
participated in this program. And our position about this is that it’s
permissible as covered entity health care operation for our customers to
disclose the data to impact in order to improve their health care operations.

I alluded to a regulatory department that we have. That department is
charged with managing the program from a HIPAA and a regulatory standpoint.
They ensure that compliance is in place. They audit our process, and they
ensure that there’s proper management of legacy data including data protection,
the audits and the intended data destruction.

In terms of where we see this program going in the future, we believe that
this is a model for use of data that approaches real time. Right now, the data
set that we’re pulling from our EMR is limited to about 40 to 50 different
parameters and is fixed. The path that we are moving towards is the ability to
pull more data out, if you will, to open the faucet and adjust which parameters
are required depending on what quality initiatives need to be performed by our

We also are improving the interface from our EMR to our cancer registry
products, the thought being that cancer registry which now is a system that is
almost by definition at least six months behind real time is a system that can
evolve to being a real time system, particularly as more and more practices are
going electronic and are being introduced to EMR systems and information

We also are evolving our feedback loop to our customers so that we’re
refining the kinds of reports that we’re providing to them to help them improve
their practices, and we’re facilitating the time line for providing those
reports so that they are done more rapidly and can be more responsive to our
customers’ need.

So that is the concluding slide, and I’m open to any questions at this point
or to whatever you would like.

MR. REYNOLDS: Joel, thank you very much. And what we’ll do is we’ll hold the
questions until we finish Scott’s presentation, and then we’ll ask on both of
them. So Scott, can you still hear us?

MR. YOUNG: I’m here. Can you hear me?

MR. REYNOLDS: Yes, yes. You can go ahead and start your presentation. I’ll
let you know as soon as it’s up and ready to go, and then you can begin,

MR. YOUNG: Okay, great.

MR. REYNOLDS: You’re all set, and if you would mention next slide when you
want us to move it, that would be good.

MR. YOUNG: That’s good, okay. Are the slides up?

MR. REYNOLDS: Yes, they are.

MR. YOUNG: All right, well, great. Well, let’s go. Good morning, my name is
Scott Young, and I am the Senior Medical Director and the Co-Executive Director
for Kaiser Permanente’s Care Management Institute, and thank you for allowing
me to spend a little bit of time with you this morning. Let’s go to the second

I really want to spend some time this morning on kind of five key messages,
a little bit of background about Kaiser Permanente. I would like to tell you a
little bit about our quality drivers.

Thirdly, I’d like to talk about some of the data sources and issues with
secondary data used by Kaiser. We have five critical focus areas for secondary
use at Kaiser: clinical management, performance measurement, accountability,
patient safety and finally research, and I’m going to talk to you briefly about
all five of those. And lastly, I’ll spend just a moment talking about future
directions. Let’s go to the third slide.

Kaiser Permanente is America’s largest non-profit health care program and
integrated delivery system. It’s around 8.6 million members, you know, in eight
regions that span nine states. We span six time zones. You know, you can see
the other statistics there for yourself. We’re a fairly large organization
which has critical data needs, you know, driving much of our operations. Fourth

Data strategy. Some of our key drivers are at data use. One of the things
that we see data as critical needs for, one is a growing chronically ill
population. We need to better understand that population and deal with the
trends and understand what the tendencies are in that.

We’re seeing a demographic shift. You have the baby boomers and the elderly
unfortunately are merging. The baby boomers and the elderly. I have to count
myself as one of those. You know, we need to understand more about this
population and the shifts in that. Advancing medical kinds of technology, you
know, post-marketing surveillance, these sorts of things, we have an increasing
need for performance information and transparency within that.

And finally, an emerging trend, transitions between care settings and how do
we track data between those. These are really a lot of the drivers behind sort
of the initiatives that you’re going to hear about today. Fifth slide.

KP Quality Strategy. It’s data driven. Data, as you can see, is a key
attribute of our quality systems improvement, and I’ll say that since I’ve
joined Kaiser Permanente, I’ve been impressed at how robust that data system
is. Data to us must be actionable at multiple levels, and we take that all the
way from the national view right down to the provider view.

It’s fine to have an academic view of data, but to us it really has to have
an actionable component as well. We’ve used common metric either JCAHO, et
cetera in our data strategy. There’s very few custom matrix within it. And
finally, you know, data comes to us as many other folks from multiple sources.
There’s internally developed data that we get from clinical care. There is
member developed data that we get from our personal health records at KP.org,
and that’s becoming more and more prevalent.

And finally, there’s external data, you know, medical records, these sorts
of things which flow into Kaiser Permanente and are incorporated into our data
systems. Next slide.

You know, let me talk for a moment about the secondary data aggregation, not
only sources but issues and concerns. I just want to spend just a moment on
this. There is a critical need in our mind to standardize how data is
exchanged, and the technologies and the standards underneath that exchange.
HL7/SNOMED-CT and we would include CDA and CCD for data transmission between
systems. You know, this is critical for us both internally and critical for us
to be working with external partners to see the standardization issues

Another is the expansion of currently collected data. I mean, you know, now
we do health risk assessments, HRA health care status data that we get
essentially from members and bringing that into our data warehouses, and we get
a better sense from the state of health of a member, for a population, and what
we can do to critically impact that.

Incorporation of data from chart notes is problematic. I mean, natural
language processing technologies are there, but they are not in our minds at
scale or in a way that we can actually deploy in a real way. So we need to make
the chart notes into some way machine readable enough that we can extract
critical information from that.

And finally, and I’ll just put this out there. Issues of attribution with
data remain critical for us. Is it a provider that we attribute to outcomes and
data, too, or is it a care team. You know, with some things it’s maybe pretty
straightforward like surgical outcomes. On in others, you know, care of a
diabetic patient or somebody with coronary artery disease, these sorts of long
term engagements that require attribution that’s much less straightforward. And
we would recommend to the Committee and the workgroup that this is an issue
that takes some consideration. Next slide, slide seven.

Secondary uses of data. Remember, I talked about those five areas before,
and let me talk about those briefly separately. Clinical management, this is
really an area that we in care management spend a lot of time on. Secondary use
improves primary clinical and patient care. Now this includes target
populations, diabetics, coronary artery disease, predicted and simulation
modeling, merging technology and care processes where we might have panel
support, too, where we can actually kind of see care gaps in diabetics, and it
allows us to discover and test innovations in care and to improve preventative
services, you know, automation.

Some examples, at Kaiser Permanente include a population care information
system where a provider can see a panel of his or her patients with chronic
diseases like diabetes and actually see a care gap in there, and, you know,
what we’re working to is actually move directly from seeing that care gap into
generating orders, you know, checking hemoglobin, A1C and those sorts of

Predictive modeling is the next thing. How can we predict who in a
population is going to maybe have a bad outcome or require increasing services
and actually try to intervene in that individual earlier. We’re actually doing
that now.

Archimedes, which you’ve heard about before, is actually a synthetic
modeling system where we can actually do trials, if you will, inside a
computer. One example of that is the aspirin-lisinopril-lovastatin program,
ALL, that we have at Kaiser Permanente we’re rolling out to all eight of our
regions, giving patients at risk for coronary artery disease, if indicated,
these three medications. We’re seeing an improvement in morbidity and mortality
in this group.

Now we trailed ALL inside our Archimedes. It went from the computer to a
field. Next slide.

Performance measurement and management. We needed to develop and provide
actual measurements(?) for our operational leaders and our providers and, you
know, we needed to aggregate this both clinical and non-clinical sources.
These, as your previous speaker, talked about need to be as close to real time
as we can get them, and we’ve actually developed a dashboard which we call Big
Q that measures safety, clinical effectiveness, service, resource stewardship
available at a variety of levels.

Now when you go to the next slide, you’ll that dashboard and what that
actually looks like. I’m on slide nine now. The Big Q dashboard lists the
clinical effectiveness, safety issues, service issues and finally resource
stewardship issues as well, and this shows the national level. But inside the
electronic products, you can actually drill down into different regional views.

Slide ten is secondary data use around accountability, and this really
offers a view of diverse lists of operational needs, you know, all the way from
finance to regulatory issues. It helps us understand the utilization pattern of
KP members so we can best provide services for them.

One example would be mammography utilization rates. If the utilization rates
are starting to accelerate, then it’s how do we provide mammography services,
radiologists, these sorts of things in a place that’s convenient for our

Slide 11 is really talking about our fourth use for secondary data, and
that’s outpatient safety. In Southern California, the pharmacy outcomes
research group there noticed an alarming trend in adverse cardiac outcomes
among patients using COX-2 Selective intake. They actually developed some
preliminary data, contacted Dr. Graham at the FDA. And as you can see, it
started a wider investigation of the impact of ultimately Vioxx adversely on
our members. This is the kind of thing that we do because we have such powerful
databases to look across our membership and allow us to do that.

Slide 12 is secondary data use for research. We have research centers
established in all eight Kaiser Permanente regions, and the topic ranges are
broad and diverse. We’re able to leverage, you know, our clinical data from our
membership around that research agenda. An example of that where we cooperated
with the Veteran Affairs Administration, the TRIAD Study. Now there is a very
clear firewall the way we manage data on the clinical side and on the research
side. I mean, the Common Rule is the rule of the day and anonymization is
paramount within that.

Slide 13, the future. For us, we’ve just come through installing an
electronic health record through Kaiser Permanente, the epic platform, and we
call it KP HealthConnect, and we think this will enhance the availability of
accurate and actual secondary data. That’s our hope and our dream, and we think
that that will become a reality very soon.

You know, for us I think for any kind of an integrated system, whether it’s
real or virtual, we’ll have the ability to learn from our clinical and
population outcomes. And to do that, we have to best know how to manage
secondary data to actually ask actionable questions, propose hypotheses, and
understand how best to improve the care of our patients. But that has to occur
within some sort of an integrated environment.

Finally, you know, we think data driven feedback will become more and more
real time. I mean, as things get farther and farther away from the event or
from the action, enough other interventions and an active managed health care
environment are occurring, they really muddle the data that you’re looking at.
For us, we really need to move data acquisition and reporting as close to real
time as possible.

Finally and in conclusion, this is slide 14, you know, secondary data will
be increasingly available from multiple sources. I think you’ve seen that from
your prior speaker, and you’ve seen it from us. You know, we and other
integrated delivery systems are aligning and using lots of data for multiple
purposes in quality. You’ve seen our five parameters. Standardization is
critical, and I can’t over-emphasize that, and lastly, EHR in my mind remains
our key tool. It’s how we’re going to get to the data. You know, we have to
either train our data collection or train our EHRs to be interoperable one to
another. This really provides us a platform finally, a platform to provide
evidence based medicine and to test that evidence based medicine against data
and outcome. Thank you for allowing me to spend a few moments with you this
morning, and give you our perspective. I’ve left you some information and some
ancillary slides that are behind there discussing internal sources, our views
on quality improvement and regulatory structure. So I’ll pause there.

MR. REYNOLDS: Okay, Scott, thank you. And now I’m going to open it to the
group for questions. I’ve got Justine, Marjorie.

MS. CARR: Thanks, Scott. Thanks both of you for great presentations. I have
a question for Scott, and that has to do with the differentiating quality
improvement from research, and I’m thinking in particular of the Vioxx, the
kind of pharmical viligence of what’s going on. But when you had discovered
something that needed further drill down, it then became a study and, you know,
published for the greater world.

So this is something that we hear a lot in terms of where on the continuum
does quality improvement become research. And you mentioned you have a tight
firewall between the two. So how is that invoked.

DR. YOUNG: Yes, that’s a good and interesting question. I think, you know,
the tests on research are – a lot of them are pretty common, I mean, when
you start out, we’re going to do pure research, it’s, you know, is this going
to be published, is it generalizable, is it possibly supported from other
sources, those sort of things. So you kind of know where the research is over
in this corner, and then quality improvement, you know, the Vioxx study started
out as quality improvement. People said, hey, you know, there’s something going
on in one of our populations here, and we have to understand that and improve
how we do our therapeutics over here, to direct that one. I mean, at some point
in that discussion, you know, we said, look, we at Kaiser Permanente are going
to make a change in how we manage individuals for arthritis, for individuals
who take insulin. We’re going this off the formulary, we’re going to change
this from our formulary, and we’re going to hand this – we think this is
interesting enough we need to hand this off to somebody else to have a broader
look at it.

You know, I think that for us, you know, we try to be disciplined and where
did we cross that bright line into stop and say okay we’ve now completed our
quality initiative, and we’re now maybe asking a broader question, and that
might entail bringing in partners.

One of the – and let me tell you that’s a minority event that occur
like that. I mean, 90 some odd percent of the time, more than 90 percent of the
time it’s either a quality or a research agenda that’s being pursued, and it’s
pretty pure one or the other.

But you know, we want to defend and know where that bright line is, and when
we cross it, becomes a research project and it goes into attributes of the
Common Rule.

MS. CARR: Thanks. And I think it sounds like you have very clear definition.
But I bring it up before the workgroup to say that there are millions of
examples along this continuum where it’s not clear what is the definition of
research and how we’re there. So I just bring it up so that we incorporate that
into our thinking.

MR. REYNOLDS: Okay, Marjorie.

MS. GREENBERG: Yes, my question was along the same line, and I guess Justine
asked the difference between how you differentiate between quality and
research, and I’m wondering how you make that differentiation also with
operations in an integrated system such as Kaiser.

Not even, you know, going the next step, whether it is quality or research,
but you know, is it just part of, if not treatment and not payment, then at
least operations. And whether secondary uses is a useful term from your point
of view or from your vantage point there at Kaiser, or whether there’s some
other type of terminology that we should be thinking of in building our
definitions and taxonomy.

DR. YOUNG: You know, it’s interesting. When we sat down and were looking at
this and your workgroup allowed us to look at our definitions again and to test
them, you know, there’s secondary uses to improve care, and that’s the
Archimedes thing and that sort of thing, and then there’s the dashboard that we
use, the quality dashboard. And then there’s that accountability side of this,
which is what I think you’re talking about and kind of where is the boundary
between, you know, quality of care for mammography utilization and
accountability for mammography utilization and actually how do we buy radiology
equipment and staff it up, and where do we put that stuff.

And those areas, you know, are separate. We have delivery system leaders who
are the operational leaders, and we have quality leaders which sit in the same
room and have the same discussion about trying to make care really great for
Kaiser members, but they look at it differently. I mean, you know, and it’s
such a big and complex operation. I mean, it really is daunting. We really need
to parse it out a little bit. We have, and we’re going to spend a lot of time
looking at quality and a lot of time looking at safety, and we have a lot of
people say I really need to know, to effectuate affordable high quality care,
where do those utilization parameters need to be, how much money do we need to
charge people, how do we need to pay people, where do we put this operational
system up. So they’re in the same room. They are focused on the same outcomes.
They look at the same dashboards, but they have different responsibilities in
getting there.


DR. STEINDEL: Joel, I’d like to address my first questions to you. These are
just nitty gritty questions, so please don’t, while they may sound somewhat
judgmental, please don’t take them that way for information, and I think people
will know where I’m going to.

First of all, you said this was primary between — your impact network was
primarily between your customers. Can people outside your customer base join?

DR. GOLDWEIN: No. It’s limited to just the customers, and they need to have
our software in order to use the system.

DR. STEINDEL: Okay. Now as you went on, it was clear that you are selling
the data de-identified, et cetera under all the HIPAA requirements onto third
parties who are using it to make judgmental thing. That it also sounded like
the people who are part of the network, the institutions are aware that you’re
selling this.

DR. GOLDWEIN: That’s correct.

DR. STEINDEL: Is there any information at the patient level that this is
going on either internally, passed on to you or then sold to third parties.

DR. GOLDWEIN: And I don’t know the answer to that specifically. I can tell
you in general terms I’ve seen some general consent forms that stipulate that
data is being utilized for various purposes within the context of the care of
the patient. But I don’t know whether patients know directly or indirectly
whether that’s –

DR. STEINDEL: Thank you. And the reason why I said this was not judgmental
is because one of the things we’re trying to get at is what is the transparency
of patients’ knowledge in this area.

DR. GOLDWEIN: And it’s an excellent question. And frankly, were I on the
other side, I’m not sure – were I on the patient side or the provider
side, which I was on five years ago, I’m not sure what the right answer is. And
part of the reason for that is that it is so confusing even to us in industry
and even to the practitioners as to what is required and what is fair and what
is right.

But I do believe in Rosen’s first rule which is basically do what’s best for
the patient. We heard that Dr. Lumpkin today. And secondly, do no harm, and I
think that both the providers and the vendors and frankly everyone in the
system wants to be make it better.

DR. STEINDEL: And that’s why I was asking the question because I think it’s
general in the Committee we don’t know where to draw the line or define it yet.
We do know it’s a question that we have to look at.

And Scott, I’m going to turn around and ask you somewhat the same question.
What is the transparency of the knowledge that Kaiser’s using as patients’
information at the patient level when you have patients join the plan, et
cetera for your quality programs.

MR. YOUNG: Transparency to – tell me a little bit more about your

DR. STEINDEL: Basically, is there any explicit consent that they’re using
for operations or quality, or are they informed in any way like assignment this
may be used for quality purposes, et cetera within the Kaiser system, and I’m
basically assuming the answer is no because generally speaking that’s the case.
But as I said earlier, this is not judgment; this is just background.

MR. YOUNG: You know, let me forward that information. I don’t want to speak
on the specific consent that occur when somebody signs up for membership.

DR. STEINDEL: Simon’s looking confused at me.

MR. YOUNG: So let me find out that information, and we can forward that to
the Committee.

DR. COHN: And Scott, I’m looking puzzled from Steve Steindel’s question only
because I was thinking this would likely be included in the HIPAA –

DR. STEINDEL: No, it’s a privacy, in all probability, yes.

DR. COHN: And so that was what I was expecting it to be, though, certainly,
Scott, please check. But that would be the –

DR. STEINDEL: Yes, and that was basically, like I said, this was an
information question, yes.

MR. YOUNG: I just need to find that out, and we’ll get that to you.

MR. REYNOLDS: Okay, Paul, then Debbie, and Mary Jo, then Mark, then me.

DR. TANG: Well, thank you both for your presentations. One technical

DR. COHN: Paul, could you just introduce yourself and disclosure issues.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the Committee,
no conflicts. One simple technical question. You said you upload patient data
from your customer bases at support over the Internet, and is that encrypted?

DR. GOLDWEIN: Yes, it’s encrypted. The SSL and I believe that the data set
itself is also encrypted. So the channel over which the communications is made
is encrypted, and the data is rolled off and encrypted, as I understand it.

DR. TANG: Then along the lines of actually all of the previous questions, do
you know whether any of your sites participating use this data for research?

DR. GOLDWEIN: I don’t know, I don’t know. I suspect it all depends on what
we would call research.

DR. TANG: Do any of them publish their information? That might be another

DR. GOLDWEIN: No, I don’t believe. This is a fairly young program, and I
don’t think that any of them have gotten to the level this point in the
program. You know, they’re honestly getting to the level of being better at
actually entering the data that they’re required to enter in order to
participate. And there may be less than a handful of centers that are doing
that so well that they could actually use it to publish some information that
would be research oriented, and I’m pretty sure those particular centers have
not done that.

DR. TANG: So do you have a limited data use agreement with all of these

DR. GOLDWEIN: Well, we have an agreement with the center. Limited data use
is maybe a term of art that I’m not familiar with. But I know we have an
agreement with those centers, and chapter and verse in terms of what we are
doing with the data is in there. So presuming that that is something we’re
doing with their data, it would be in the agreement.

DR. TANG: So I think one question is you also probably don’t know what the
recipients of – the customers who you sell the data to are doing with the
data, either.

DR. GOLDWEIN: It’s going to intermediaries who are aggregating it further
with other data sets in some cases that they have. What they do after that, we
don’t know. We suspect that it may go to pharmaceutical companies. It may go to
vendors trying to figure out where and how and when to implement changes in
different systems within particular regions. But we don’t know exactly what’s
happening to it.

DR. TANG: Well, I guess one of the questions is Steve was asking about
transparency to patients, and I think that’s certainly a very fair question.
Another is it sounds like since you don’t know a lot, there’s probably some
room for research to be conducted either at the sites, maybe not right this
instant, but in the future or the people you sell it to.

DR. GOLDWEIN: But just to clarify, any research that could or would be
conducted after we’ve processed the data is with de-identified data sets.

DR. TANG: And I understand that a lot of research even in an organization
happens after it’s de-identified. But the IRB or the Common Rule, the oversight
of the use of it’s basically subject, protection of subjects governs the
process by which you take PHI into its future form, whether it’s de-identified
or not. And so the question is whether that is something that’s covered in this
whole relationship as data moves from your customers to you to customers that
you resell the data to. I mean, it’s still along the same continuum. We have to
figure this out.

DR. GOLDWEIN: I don’t have a good answer for that. I don’t know what the
right answer would be, but we regard the data once we’ve de-identified the data
as not necessarily, and we may or may not be right about this, but it’s
regarded by us as not falling under the Common Rule. But that may or may not be

DR. TANG: So I guess the line, and again something just Steve’s question, we
have to figure out. So because you’ve got the data in one of your slides
because you said you’re using it for health care ops, I guess we have to figure
to trace the data and figure out what is it really being used for, and what
oversight should apply to it. So that’s what we have to figure out.

MR. REYNOLDS: Put your microphone on, Mary Jo. Nobody can hear you.

MS. DEERING: A clarifying point. As was said previously, the Common Rule
applies to federally funded research. My understanding is that most of your
clients are small to middle-sized private practices, is that correct?

DR. GOLDWEIN: Medical oncology.

MS. DEERING: Yes, I just wanted to state that for the record.

DR. TANG: I don’t think that excludes federally funded grants or the people
you sell –

MS. DEERING: But at the point of data collection was my only point, is that
the point of data collection if these are patients in private practice, then
there is no research being conducted at that point, and those practices are not
conducting, I don’t believe, federally funded –

DR. GOLDWEIN: No, I understand the issue here, but you know, kind of one
thing I think that this points out is that there’s a lack of clarity as to
where the Common Rule starts and where operational improvements end. And so if
that is something that can be clarified, I think that that would help vendors
like myself, ourselves, our customers and ultimately patients and patient

MR. REYNOLDS: Okay, Debbie.

MS. JACKSON: That clarity really kind of hits to what I was thinking of
because of you, Scott, I wanted to pick your brain, having come from various
perspectives of circling in the clouds of policy and now being in an integrated
health system, two of your slides really spoke to me, one dealing with the
critical need to aggregate data spanning clinical and non-clinical sources, and
then towards the end, you indicated the integrated delivery system aligning and
utilizing data for multiple sources. There’s this amazing fluidity of data. And
coming from your perspective, this sort of policy and then federal work and,
from what I understand, VA, and you’ve got this amazing mass of background, I
guess I would be remiss if I didn’t ask you to just offer some of your insights
and comments and any ah-hah moments of having come to now, in a situation of
one of the premiere data systems, but you’re carrying with you the
understanding of what we’re trying to accomplish. What advice would you give to
the Ad Hoc workgroup in dealing with secondary use?

DR. YOUNG: Mary Jo, that’s a broad question. Let me – I think the one
thing that has struck me has kind of a common thread through all of these
discussions and all of these different entities is a desire to improve the
health and welfare of an individual.

And at the same time, trying to be vigilant and privacy protection, you
know, these sorts of things. The one thing that really strikes me in this
because these are all, you know, organizations that we either talk about today
or you have just referenced are like minded aligned with what I think are good
actions. But the one thing that strikes me is really a need for us to think,
you know, clearly about what a complexity in gathering this data and
standardizing this data and protecting this data and finally utilizing this
data. And I’m struck with just how very difficult that is to do.

We at Kaiser Permanente are able to achieve some of those attributes, but
only with tremendous effort and tremendous complexity, and we’re aligned. I
mean, and we don’t have nearly the kinds of barriers that sit outside of this
aggregated health care environment, and we are working hard to standardize and
to aggregate and to check for accuracy and those sorts of things.

So the one thing that has struck me in coming from the health IT policy
environment and then coming into the Kaiser Permanente is just how difficult
this is to do really on the ground. And I think for policy makers like
yourself, it’s that kind of realization and really, you know, trying to align
standards, really trying to align the kinds of vehicles and allow the
development of the kind of vehicles, whether to help information exchanges or
whatever, that are going to try and lower those barriers.

So I guess my take away is that I often say that I believe it takes a system
of care to be able to pull together data in a real way, in a way that’s in any
way useful, and that system of care can be bricks and mortar like Permanente or
Mayo or Dicenger(?) or Inner Mountain Healthcare, or it can be virtual. But it
really does have to have a system, and I think it’s our job to put together
policies and programs that allow those systems to come together.


MS. DEERING: Just one observation and then a question. You also have in
front of you testimony from the Group Health Cooperative, and I would call your
attention to the fact that I would guess it would be about page five. They have
a handy little chart for their soul searching on what is the difference between
not research, hybrid overlap and research. The Group Health Cooperative, Dean
Hart and colleagues out of Group Health Cooperative.

And so I –- here’s another piece of testimony that I hope the Committee
will take a look at. It will be very interesting, and Wendy, you might be a
little bit of ours in what is the easy pass system versus what isn’t. But
anyway, you can pick this up over there. It will be on the table.

My question to Joel, and I actually don’t expect you to know the answer to
this, but I guess I’ll put it out there then as sort of a rhetorical question.
At the AMIA Secondary Uses meeting, GE Centricity gave what could have been
exactly your slides. I mean, the numbers might have been a little bit
different, but GE Centricity is doing exactly the same with its customers. And
at a meeting of the American Society of Clinical Oncology where they had an EHR
vendor because Zasco(?) is trying to push EHR vendors to get more active into
the oncology space because actually impact has been sort of out there in front
for quite a while. I know that this is where frankly we first became aware of
this practice, and all of the EHR vendors are doing this.

So the rhetorical question is we now GE Centricity is doing it proudly.
You’re doing it. I mean, it’s really a very robust program. And so the question
that’s out there is are indeed all EHR or clinical systems vendors doing this?
Is there a subset of them? Who among them are, how would we characterize those
who are. But I think just getting a feel for the scope, depth and nature of
this practice would be very interesting. So I don’t know, do you know who else
is doing it?

DR. GOLDWEIN: You’re correct. I do not know the answer to that question, but
I suspect that as especially in the oncology sector vendors become aware of the
opportunities and of the need, and I probably should flip flop those, the need
being on the provider side, that they will start to figure out that there are
secondary uses that can help support the programs on the provider side. And
what I mean by that is and I said this in one of my slides, and probably I need
to highlight that now. It’s not inexpensive to implement this kind of program.
It takes a lot of dedicated time, effort, resources, training on both the
customer provider side and the vendor side. And it does really in theory and in
practice improve the operation, but it’s at a cost. And somewhere that has to
come out of some bucket, and this is just not an easy bucket but one of perhaps
others that I think vendors will be looking towards in order to support
implementing these very complicated systems. In oncology, these systems are
totally new. The oncology market right now for EMR type and EHR types of
systems is maybe five percent penetrated. Oncologists are not kind of natural
in front of a computer. And as I look around this room and I can say that
because I’m an oncologist. As I look around this room, I see maybe 10 percent
of the people taking notes on laptops, and this is simple compared to the kinds
of data that oncologists are collecting.

And so we are expecting them and their practices to come to speed very
quickly with something that is a total paradigm shift for them, and we’re
looking as vendors for every way we can help them to do that.

MS. DEERING: I just want to add one note that, again, this wasn’t the AMIA
meeting. GE enables the provider customers to share in the benefits in that
they receive a proportion of the sales to these intermediaries. It’s a fixed
percentage pool that’s then shared among them. And so, again, somewhere along
the lines these activities, if they’re deemed beneficial, have to be paid for.
And so GE laid out a fairly crisp path of financing these activities.


DR. ROTHSTEIN: Thank you, Harry. My question follows up on Steve’s inquiry a
little earlier on transparency. And with regard to my understanding of what
both of you described, I’m fairly certain that what you’re doing falls under
health care operations under the privacy rule, and therefore it is permissible
without getting any sort of patient authorization or consent.

But I think an argument could be made that the health care authorizations
provision in the privacy rule is overly broad and somewhat open ended,
especially with regard to thinking about the NHIN and all the possible new
health care operations that could be going on.

So my question is for each of you in turn. Suppose it’s in some manner the
health care operations provision were tightened up, however that might be done,
to require that these programs that you’re describing had an element of patient
permission attached to it. Either they had an opportunity to opt out, or they
had to expressly opt in or consent or authorize or something like that. What
effect, if any, would it have on what it is you’re doing. Would you consider it
burdensome, expensive, interfere with your basic research agenda. Do you think
many patients from your experience would elect to not participate.

I think that’s an important question as we try to think what we might

DR. GOLDWEIN: Well, I can answer from two perspectives, from the provider
perspective because not long ago I was a provider. We covered this, and frankly
if I were a provider today, I would be covering this in either a HIPAA or a
general consent form. And the degree to which the program was described would
be variable, I’m sure. But I think that that would probably satisfy the burden
that you’re actually suggesting.

DR. ROTHSTEIN: What I’m suggesting is that that’s perfectly acceptable now.
But what I’m saying is, if there were some requirement that there were a
separate consent required or an opportunity to separately opt out, how would
that affect –

MR. REYNOLDS: Before you comment, Simon had a question to make sure we

DR. COHN: And Mark, I’m just asking you for clarification regarding your
question because I heard two things going on in this case. I just wasn’t sure
whether you were referring to all of them or one or the other. I heard things
that fall very clearly at least right now under health care operations. But
then I also heard a secondary sort of repurposing of the data. Are you
referring to both of them together, or are you making a differentiation?

DR. ROTHSTEIN: Well, I’m not trying to parse things out.

DR. COHN: Okay.

DR. ROTHSTEIN: As to the specifics of what each does, especially where it
gets into research. I’m just saying a lot is covered now under health care
operations, and the sort of quality improvement activities that are being
described, I’m curious to know what effect a change in the rule would have,
whether it would be burdensome –

DR. GOLDWEIN: I think that that is an excellent question of ask of
providers, and it’s difficult for me to answer that right now. In my former
life, I was a pediatric radiation oncologist. I would spend approximately two
hours getting a consent for treating a child with cancer with radiation.
There’s a lot of side effects; there’s a lot of morbidity or potential
morbidity. It was very, very complicated.

They had to sign perhaps one other consent at that time. I think the more we
add to that, the less likely it will be that that will be meaningful in cancer
care. I mean, I’m not saying that it’s the wrong thing. I’m simply suggesting
that we can overload them with these things, and it may not benefit the care of
the patient to do so.

From the vendor’s perspective, it’s a little bit more complicated in that if
you develop an interface to pull out all the data and then suddenly say, well,
there are going to be patients who are going to have to be given the ability to
opt out. Well, simply doing something to the software and the system that
you’ve set in place so that you can have an opt-out flag so that you don’t pull
that data up. And beyond that, there’s probably not a level of difficulty that
is extreme from the vendor’s standpoint.

MR. REYNOLDS: Joel, the oncologist to my left has a question.

DR. YOUNG: This is Scott, if I could jump in on this. I think that there is
a real danger with the election bias, and you know, skewing your cohort. I
mean, I should take that Vioxx example. You know, we talked about it earlier. I
mean, if by some fluke all of the Vioxx patients had decided that they didn’t
want to participate in the kind of surveillance that we had, you know, we
probably wouldn’t have seen it.

And you know, how much of that would have put future patients at risk. I
mean, you know, actually there’s this balance point between consent, between
really being a good steward of this data, and between being able to have a
scientifically valid way of looking at the population. And if you skew the
cohort, you skew the population. It gets really hard to tell a story that’s
based in fact.

MS. CARR: This is Justine. I wanted to just add to that. So if I think I
understand what you’re saying, Mark. If a patient has an opt out opportunity
and they can say all right, you can use it for operations; you can use it for
institution-based research, but you can’t send it out, and you can’t sell it,
then just as Scott was saying, the utility of that data set may erode.

What you found is a meaningful observation within Kaiser, say, in the case
of Vioxx. By the time you took that data set to send to the FDA, they may say,
well, there’s nothing here. So it’s just sort of taking it to the extreme.

MR. REYNOLDS: Joel, I have a question for you. We, one of the things that
we’ve identified as definitions. So you use de-identify, scrubbed de-identified
which may be, I guess, is better than de-identified, but I’m not sure. But then
as you look at individual records, an individual record can be identified. But
if you’re going to do an episode of care where you’re linking a patient’s
pharmacy and laboratory and all these other things with them, if you go by
strict de-identification, I don’t see how you do that.

So in a lot of cases, when you put those things together, if you put a tag
on it to do episodes or doing these other things, so help me with when because
these definitions are really important to us because one person’s de-identified
may be HIPAA, and one person’s anonymized, and we’ve heard all these things.

DR. GOLDWEIN: When I say de-identified and maybe I should just restrict my
language to that term as it’s defined with the 18 or so parameters that are
considered to be elements of identification by HIPAA, that is what I’m

In terms of how our system manages the aggregations of disparate data sets,
they’re all ultimately collected in the records of particular cases within the
EMR systems that reside at our customers’ sites. So they are in effect the
episodes of care are all aggregated under one case record there before we pull
it up. And whenever we do a refresh of the data, I am not exactly sure if this
is true. But my assumption is that all of the previous data that we had is
tossed. It’s just completely thrown out. It’s however from a standpoint of
whatever we need to do. However it is scrambled and thrown out, we do that, and
then we refresh it with completely new data from all of the centers who are

So we don’t need to match with anything that’s previously there with any

MR. REYNOLDS: So you used another term, case record.


MR. REYNOLDS: You used case record as another term. So as you sell your data
for research and you sell as cases in some places, can that case record
identifier ever get back to the real data?

DR. GOLDWEIN: No. There is nothing that links. If and when it gets sold, any
identifier, any kind of record, number that we would put on it would be
completely new and untraceable to the original record. Does that makes sense,
and did I use any terms there –

MR. REYNOLDS: No, we’re trying to understand the term.

DR. GOLDWEIN: I understand.

MR. REYNOLDS: With that, I’d like to thank both of you, and I’d also as we
continue these hearings, I think what’s a lot of our questioning is very
focused. So it’s not personal, it’s not, but we’re getting people that are
doing the things that you’re doing are very important to us as we review it. So
Scott, thank you for being on the phone with us, and Joel, for what you did.
And with that, we’ll break until 1:30 on that clock, 1:35 on that clock, and
we’ll be back then. Thank you.

[Whereupon, the meeting adjourned for lunch.)

A F T E R N O O N S E S S I O N (1:30 p.m.)

MR. REYNOLDS: Okay, we’re going to go ahead and start the afternoon. We’ve
got a few members that will be joining us again shortly. But we do have a
quorum, so we can continue.

First thing this afternoon is we’re doing to have Jean Chenoweth, and the
panels we were going to have was commercial perspectives, secondary, tertiary
uses, and so Jean, we look forward to your discussion.

Agenda Item: Commercial Perspectives:
Secondary/Tertiary Uses

MS. CHENOWETH: Thank you first of all for inviting me to present our point
of view. And secondly, I am employed by Thompson Healthcare which is a division
of Thompson Corporation which is an $8 billion in revenue company, kind of in
the news today because of Reuters and Thompson going against Rupert Murdoch,
something I never thought I’d be a part of.

But Thompson Healthcare’s a small division of Thompson. We have 2,100
employees. But more importantly, we serve over 3,000 hospitals and physicians,
140 large employers, over 100 health plans, the government itself, AHRQ, CMS,
CDC, Homeland Security. We run the INCHA(?) system, and we serve nearly all
pharmaceutical companies. I myself have been in this business for many, many
years. I was President of the Commission on Professional and Hospital
Activities which are located in Ann Harbor and was the first discharge abstract
system in the country and served 2,800 hospitals since 1954 in ROI ICD-9-CM and
built most of the rules for the UHDDS in the ’60s, but I’m not that old, thank
you very much.

Our customer profile is very broad. And as a consequence, we bring a very
broad perspective to the need for confidential data, the protection of
individual patients’ identity, and the protection of hospitals. And from our
history forward in the ‘50s, our company never released the identity of a
hospital nor the identity of a patient.

Furthermore, we needed written authorization from the hospital to ever
release its data even to its own medical staff. We have consistently worked
with aggregated data to serve all of these entities. For us, the definition of
quality is pretty broad. We believe that hospitals and health systems and
employers and insurers are all seeking directly or indirectly the improvement
of not only the quality of clinical care, but also the efficiency of care to
improve payment of care and to improve the operations of the health care
providers and the payers. As a consequence, we kind of subscribe to a
definition of quality that goes back to Donna Abedian(?) from the University of
Michigan — of course, we’re from Ann Harbor, so what else would we think, that
quality equals efficiency and effectiveness. And, therefore, our applications
focus on doing the right thing at the right time in the right setting for the
right cost to get the right outcome.

And that’s broader than just looking a patient’s treatment record. These are
a list of some of the things that we do with data and use aggregations of data
to support these needs. We help employers who are self-insured to design
effective benefit plans. We target and evaluate the effectiveness of preventive
medicine programs and disease management programs.

We attempt to work with hospitals throughout the industry to improve
clinical care, the efficiency of care and outcomes, build more effective
provider networks, improve financial and efficiency using detailed operational
data, evaluate and manage risk, develop strategic plans for hospitals to meet
the needs of communities. It’s a very broad range, and it would be impossible
to list all the possible things we do.

This is a schematic of the kinds of data that come into our organization,
everything from consumer surveys to public data sets. We receive proprietary
individual patient billing records from hospitals. We receive 1500s from other
kinds of providers. We have evidenced-based medicine systems and compare
adherence to those evidence-based systems for hospitals in their electronic
records systems.

We do a range of things from assessing eligibility to tracking adverse
events. We also develop for our customers matrix for measuring the performance
of hospitals. People from our Med Step Division have worked with AHRQ to
develop the patient safety matrix and a variety of others as well as the
Commonwealth Foundation and others.

So we have a broad range of data. We have a broad set of applications, and
first and foremost we also provide comparisons so our customers can get a sense
of how they stand. As you can see, a part of our data management process starts
with privacy protection. The government data that we receive is either carrying
no ID or has an encrypted ID.

When we receive data, most of the data that we receive from hospitals has no
identifiable patient data other than the medical record number, which we
encrypt. The one thing that is important is the first thing we do is to protect
the privacy of the individual patient. We still to this day, except for the use
of publicly available data, ask the permission of the hospitals and build that
into our contract to get their written permission for release of the hospital’s

From that point on, though, the availability of the data at its lowest
common denominator allows us to integrate data, to standardize it for effective
and valid comparisons, the development of benchmarks to customize it for a
particular need of our customer, whether that’s government or private payer or
a hospital, and to add value to that data by building in computed matrix and
applying methodologies to make that data more comparable.

This really says essentially the same thing. I mention that one of the first
things that we do is the encryption of identifiers that are received. All
employees have access to data on a need to know basis. We’ve had federal
audits. We’ve had external audits from private companies. All employees wear a
badge and have to be checked in. Our data center processes and controls are
quite secure.

One of the things, though, that I wanted to bring forward was that since
HIPAA’s passage, legitimate uses of data are no longer possible, and I’m not
sure that this group is even aware of that. The real reason is why are really

One is that the law itself bows to the most stringent standard. So if a
state has a stricter confidentiality requirement than HIPAA, the state law
supersedes. We’ve accommodated that as we have over the years accommodated the
different authorizations and data elements that were censored by state hospital
associations and state governments.

But what it does, as we face the need to improve the quality of care from
REOs() who will be distributing data as a severe impediment that needs to be
studied carefully because when you have a patchwork quilt of confidentiality
laws all across the country when what we need is faster understanding of the
difficulties or the complications that arise from uses of drugs, that can’t be
identified until a population is using those drugs.

When we’re trying to develop greater efficiency of care across settings and
want to use episodes of care to hasten evidence-based medicine across settings
of care, that patchwork quilt will be a much bigger problem than for a company
like us who’s used to building into its systems all kinds of oddities for
different organizations.

Secondly is the interpretation of HIPAA itself by collectors of data. And we
have seen hospitals believe that transfer of core measures would be against
HIPAA, transfers of core measures data which is patently ridiculous. But let me
use CMS as an example because CMS is such an important source of data, it is
the only source of publicly available data that reflects care of all hospitals
and all providers across this country. We depend on that to build national
norms and national benchmarks so that we aren’t left with mediocrity by people.
In 50 percent of the states, half of the care will be in the lower half of the
country, and half will be above, by definition every single year as you measure
by mortality, complications, length of stay, et cetera.

National benchmarks are needed and norms are needed to raise the boat. And
that’s why CMS is – I’m using CMS as an example. In the public limited
data files when I try to figure out what we could and couldn’t get, and I talk
to HIPAA experts in and outside of our company, it was very difficult to nail
down what MEDPAR does and doesn’t have.

All of the people in the research department said we cannot compute
readmission rates. We cannot compute a 30-day mortality rate. We cannot track
market share. After tracing the facts through, MEDPAR in its limited data file
which is intended to enable organizations such as ours to use data for valid
improvement of care, valid improvement of payment of care, and improvement of
operations limits the cells to 11 patients. That’s not a problem, but does not
provide a patient ID or an encrypted ID. Many of the experts were very confused
by this and thought, yes, there had to be an encrypted ID. That’s what it says
on the lock. That is not how it’s implemented, and therefore you cannot track
any readmissions in the MEDPAR file.

There also is no readmission indicator. As a consequence, you can’t tell if
a patient is going from one hospital to another because they received bad
treatment. And the absence of dates is not so bad in the actual MEDPAR file
except that you only get quarter of discharge.

So even if you could track, if you had an encrypted ID, you wouldn’t be able
to track a patient and tell when they came in and where they were treated
first. That becomes an even greater problem when you consider the standard
analytical file which is designed for longitudinal analysis of patient care.

And there, while you do get an encrypted ID across settings, you get only
quarter of discharge. So if you want to compute a readmission rate, you can’t
do it on the standard analytical file either, nor can you track a patient from
a doctor’s office to a hospital to post-hospital care. You can’t compare a
variety of things.

Monitoring hospital and physician service for local and regional
populations, for example, looking at the access of the poor to health care
facilities is not possible as a result of no-patient zip code. It reduces the
ability of traditional epidemiologic and demographic data analysis.

And while the government can do this or a university researcher can go to
the IRB, a commercial company which traditionally provided this to hospitals,
to universities, to many, many different organizations including those
organizations of many of you sitting here, we can’t do that any more and
haven’t been able to do it for a number of years.

We can’t analyze the distance patients must travel for access to care,
general or specialty. We cannot compute market share for hospitals or
physicians. We cannot identify pockets of underserved population which are of
great need in local communities. We cannot identify pockets of high incidence
of disease.

We are dependent on the government and anybody from a university who gets a
grant to identify a Love Canal or a pocket of disease. That did not use to be
the case. Variances in readmission rates across geographic areas and payer are
not possible, and the dates of service are perhaps the most difficult because
it precludes any sequencing of care.

Sequencing of care has been absolutely crucial for moving forward to
understand the impact of general care, hospital care and post-hospitalization
care. But those benchmarks and norms cannot be produced at this stage because
those data elements are missing.

And we can’t create norms and benchmarks for high quality cost effective
longitudinal care for chronic care either except for non-governmental data. By
living by the rules of the insurers, which follow the letter of the law, how it
is written, we are able to produce episodes for that. However, for the public
benefit, using public databases, it is not possible.

So those are the things I wanted to bring out, and then I’m open to any

MR. REYNOLDS: Jean, thank you. I’d like to open it for questions. Kevin?

DR. VIGILANTE: This is a very quick question. So when Fischer and Lindberg
et al created Dartmouth Atlas and they tied patterns of care to that area of
HSAs, they are trying to successfully tie it to 6,000 different counties in the
United States. So help me, I’m obviously missing something here. Tell me why
they can and you can’t.

MS. CHENOWETH: Jack is a researcher at Dartmouth, and the Dartmouth Atlas
was begun as a research project in conjunction with the federal government. As
a commercial company, we would have to go to an IRB and get a single purpose
use. We serve thousands of customers, and there’s a difference between a single
use by someone who has a record of contracting with the government. We happen
to have a division that contracts with the government, but what customers need
are often broader application, and that’s the difference.

DR. VIGILANTE: Thank you.


DR. TANG: So if there’s all these things that you can’t do, how is it that
you’re still in business.

MS. CHENOWETH: Because we can do many things that we can do, Paul. What I’m
trying to look forward to and nice to see you again, what we’re trying to look
forward to in particular are the needs of the hospitals to make effective use
or improve on core measures.

A very simple example is pneumonia vaccine. Now that metric, only hospitals
like Bellevue in New York City do well in, and that’s because they treat the
poor and they give the vaccine to almost every patient. But if you go look at
Presbyterian or you look at a private hospital in Chicago like Northwestern,
then you see that they don’t score well on that. And that’s because the
physicians in private offices like to give the shot to their patient and
collect the money for it as well, and the patients don’t want to receive it in
a hospital clinic. So what you have to do to be able to do well on that is to
bring data together that reflects physician office treatment and hospital
treatment. It’s the hospitals that are required to report on it, not the
doctors, and those needs are cropping up all across the country.

The hospitals want to get ahead of the game and start looking at episodes of
illness to improve their efficiency because even in the poorest performing
hospitals, I’ll tell you an interesting thing. Our latest research shows that
the announcement by Dennis O’Leary and Carolyn Clancey(?) and Rich
Ombudstock(?) of AHA that hospitals are improving in core measures is only the
tip of the iceberg.

Our results for the last five years trending hospital improvement over those
five years shows that significant improvements have taken place not just in
core measures but in mortality, length of stay, patient safety measures as
measured by AHRQ, profitability and cash deduct. That’s unpublished data, but
we will be issuing it, I think it’s next week. And by looking at data like
that, it’s important to know that the industry is moving.

We also know that the poorest performing hospitals are improving by shifting
patients to outpatient faster than the rest of the industry. They need to know
how good that care is. We can’t track it any more. We used to be able to tell
at least in the hospital clinics.

DR. TANG: So I’m going to use Steve’s perk. This is not a judgmental
question we ask.


DR. TANG: I’m going to try to figure out – and were you hear for an
earlier testimony in the morning?


DR. TANG: Okay, so there was a company, a software company that can get all
the data that you’re asking for and resell it in de-identified format. So I’m
trying to reconcile or figure out how to think about the fact that here’s an
unrelated software company that get all this information and do the things that
you said you can’t do. So what’s the difference.

MS. CHENOWETH: Okay, the difference is, and I don’t know, is that a company
that is an electronic medical record company? And they provide the electronic
medical record in the physician office and the hospital as a combination?

DR. TANG: In the office, yes.

MS. CHENOWETH: Well, then they could string data together. We can string
together commercial insurance patient data because we work with – we serve
as an administrator in one division of our company for self-insured employers,
and we also are an administrator for Blue Cross in many states and for
Medicaid. Okay. But in those instances, we can string the data together.

What I’m talking about explicitly – let me go back, is CMS, the one
provider of data for all patients, all Medicare patients in all hospitals, that
is the gold standard for epidemiologic studies. And what I’m saying is how
HIPAA has been interpreted and rules have been applied, even within the
government which intends to do good with these, has had crippling effects on
very good uses.

DR. TANG: So I think I have a theme that we have to probe further in
figuring out where we come down and what we can recommend. So interestingly,
she pointed out exactly the thing that we heard this morning which is if they
get access to data for another reason, that is the way that they’re getting the
data in useable format because you mentioned the way you got it from your
claims side of the house and the software vendor got it because they run the
software product. So I think that’s part of the crux in there we have to
somehow –

So she’s saying, and correct me if I’m wrong, she’s saying she cannot get
access to data to do a lot of these useful analysis when you want to just go
out and get data that’s relevant to this analysis. But she can where another
part of her company has access to, in this case, claims data.

MS. CHENOWETH: Yes but let me be clear about one thing. One is from the
federal government’s interpretation of HIPAA. The other is from the private
vendors and the hospitals who have gotten those authorizations for release of
data, have signed the HIPAA acknowledgment form and have encrypted data and
sent it to us.

DR. TANG: It’s a use thing. Okay, and then in the other case, it’s the same
thing. So this software company has access to customers who use its product and
then use it for what they said is the QA benchmarking, but also use it for
other things. So this is the intersection I think we’ve been really struggling


DR. TANG: And this is just another example.

MS. CHENOWETH: And it’s complex. But hear me what I’m trying to say. I’m
trying to say that the danger as you go forward in your deliberations is to
underestimate the needs of the providers and the insurers to improve care. That
it’s already been impeded not by what the law says, but by organizations that
are overzealous and don’t recognize the necessity of these kinds of uses to
monitor chronic illness, to improve care, to get care in the right setting.

And so I want you to make that fine point of differentiation.

DR. TANG: Yes, I think there may actually be at least three different issues
that are being discussed here. One of them is about use and the use of who’s
receiving the data. Another may be about a point of aggregation and the ability
to, depending on how the data are accumulated, whether they can be linked
because of their status and who originally accumulated them, and then the issue
of interpretation.

So I’m not sure we’ve teased out all of the subtleties of those different
layers of issues, but they’re all potentially at play here.


DR. ROTHSTEIN: I just have a brief disclosure for the record that another
division of Thompson is publisher of several of my books. So conceivably I’ve
got something to disclose.

MS. CHENOWETH: I think we sold it. No, the publisher.


MR. BLAIR: Jean, some of the things that we’ve been discussing in these
hearings is what is an appropriate definition of secondary use of data, where
are the boundaries as to when something is primary or secondary, and whether
even the phrase secondary use of data is the most useful, most meaningful way
for us to protect privacy and still have data available for appropriate uses to
improve quality and operations.

I’d love to know your thoughts about whether the term is appropriate, and if
it is appropriate, where you think the boundaries are and any relevant thoughts
that you have surrounding that topic of secondary use of data.

MS. CHENOWETH: Well, I don’t know if I would get into a definition of terms.
But I do believe that there is a construct for thinking about what the REOs
propose to do. When you have a regional collector of information, a lot of
people, including us as we were looking at what are these things, what are the
opportunities, what are the problems, et cetera, we had to carefully separate
what those organizations do. And in my mind, you have a collector, and you have
a user because the collector is responsible for gathering disparate pieces of
data, it may or may not add all of the things that we do to data. But that
collector is basically a commodity, isn’t it, and it serves the same function
as, let’s say, a phone company or a cable company because what it’s doing is
transmitting information from one point to many others. And that’s why it
should be a commodity, and that’s why it should be incented to be a commodity
because what you want is the most efficient way to distribute that data as
safely and accurately as possible.

MS. BLAIR: So it becomes a commodity once it’s de-identified, is that what
you’re saying?

MS. CHENOWETH: I think that the commodity function, if you look back at even
the history of all data collection goes back to the CPHA days when Blue Cross
ran all of the discharge abstracting systems and was the only source for most
hospitals to get data. They served in a business that kept being diminished
over time, and they mostly went bankrupt after Medicare laws came in, the DRG
law came in and they just plain disappeared except for what’s now left in
Thompson or CPHA.

The reason was that was really a commodity business. They were collecting
data from many sources and then transferring it back in generally one format.
Today’s needs, so whoever’s the most efficient in collecting that data is one
kind of business. But those who add value to that data to meet the needs of the
physicians, the hospitals, the government, the Homeland Security, et cetera, et
cetera, et cetera, those are all specialized far advanced applications today,
and no one organization could serve all those needs, not us certainly, and
we’re huge.

There are many organizations that use data to help support the health care
industry and patients. That’s the value add and that’s where the expense goes
into the research and the development. Once the wires are there and the data’s
flowing, it’s who’s the most efficient in protecting that data and getting it
out efficiently.

MS. BLAIR: You’ve said something that might alter my perception here, but I
want to get it clarified because I’ve tended to think in terms of PHI,
protected healthcare information. It related to a patient, and you’ve referred
to data as a commodity, and I’m trying to understand clearly when does it
become a commodity and not PHI.

MS. CHENOWETH: It doesn’t. I’m talking about the business structure. The
data transfer business is a business that is a commodity business. In other
words, the incentive in a commodity business is fastest, cheapest. In a value
add where you’re converting a commodity or raw resources into a valuable
application, then you have a very different business and smartest, best, most
effective, two clicks to value, those kinds of things apply.

And I think they’re radically different businesses. I grew up with the
business called CPHA. It did both. The way the world’s evolved, those that
tried to do both are no longer there, and you don’t see an HBO who designs
patient record systems or a server who designs patient record systems excelling
in comparable data applications, do you, or providing epidemiologic data. Well,
there’s a good reason for that. There’s a different mentality today. The way
the whole industry has evolved, Jeff, is first there was a separation of the
hardware guys like you guys at IBM and the users of the data like Simonj, okay,
and the government people here and my company.

And that’s been evolving for the last couple three decades. And now we’re
faced with a way to make distribution, that commodity part of the business,
very, very efficient for the benefit of reducing cost and improving care across
this whole country and perhaps around the world.

But I think if you’re looking at how do you do that, right, you have to look
at, those are two different kinds of businesses, and you have to act
accordingly. You have to make sure that the collection of the data is efficient
as possible and serves its customers which are the people who will add value to
that data and not get in their way, but at the same time assure that we have
epidemiology somewhere other than just in the university when somebody’s lucky
enough to get federal funding. That’s what we’re limited to.

MR. REYNOLDS: Good. Bill?

DR. W. SCANLON: Yes. It relates to John’s point about use being sort of one
of the key dimensions here, and I guess I’m wondering if CMS is really
misinterpreting HIPAA or deciding that they want to control use.

My grants from CMS’ predecessor are pre-HIPAA grants, so they were obviously
only of a historical nature, not nothing that’s sort of current. But if I
remember them, there was both sort of very careful delineation of what you
could do. There was provisions that you would have to destroy anything that you
got after you did it, that you would agree to go to jail if you released it, I
mean, those kinds of things.

And then there was even a point in time where they said the grants weren’t
strong enough from a legal perspective to enforce these things. So they became
cooperative agreements which were closer to a contract, but not quite a

So there was definitely sort of a very conscious effort to control the use.
And I guess part of my question is your commercial sources, is there the same
sort of level of control, or, because I guess from what we heard this morning,
it sounds like once the data are turned over and not to be judgment, once the
data are turned over, then there are all kinds of applications that then become
feasible and that they may occur.

And to put this into some context, I mean, in another sort of setting, the
issue of CMS sharing Medicare data has come up, and there’s been some
resistance to it because of the idea that there’s concern that providers are a
community that CMS needs to have good relationships with, and not so much
hospitals because hospitals in some respects don’t have a choice in terms of
participating sort of in Medicare, but other provider types do.

And the issue is do you know that when you participate in Medicare, we’re
turning your data over to others, and they may use it whatever way they will.
And just this last, I guess it was about a week ago, a little over a week ago,
we had an article in the Post about physician profiling and some of the
controversies about that which is that a lot depends upon the profiler, and
that two different profilers can take the same position and come up with very
different results. And the question is what’s the valid sort of measure here.

So there’s this issue of control of the uses of data. There’s an issue of
sort of fear of some kind of negative response if you do sort of let data out
on the part of providers. And you know there’s a question of whether all those
uses of data are mature enough that a provider of data can feel confident about
turning it over.

MS. CHENOWETH: We have to annually get data use agreements from every
hospital as a part of using the MEDPAR file or the standard analytical file. We
automatically in compliance with the law encrypt all of our data. We’ve been in
business since 1954 and have never released a patient’s name because we’ve
never collected it, nor have we ever identified the patient.

That has to count for something in the history of the use of health care
information from its inception. So legitimate use of data is there. The
question is can the government preclude legitimate use of data that serves the
needs of the public through all hospitals, through employers and others that
the government doesn’t serve. And that’s, I think, what you have to balance.

Now we submit our applications, even the 100 top hospital study is used by
CMS as a very valid use of public data. We have worked with AHRQ and its PR
agency by undergoing their review of our applications so that they know data is
used. We don’t have any problem with that. We don’t have any problems with
useable encrypted Ids.

What we have a problem with is not being able to have enough information to
do epidemiological analyses and to create strings of episodes to assess the
efficacy and efficiency of care across settings which is necessary for where
we’re headed and will be even more important as you go ahead and try to deal
with the transfer of electronic patient record.

And I think that that’s the real issue. Patient confidentiality is honored
within the vendor community because we’ve all signed agreements, and I see
nothing wrong with contracts. Contracts protect the confidentiality. What I see
a problem with is restriction of data to the point that even legitimate uses of
data for the past 40 years are no longer possible.

DR. W. SCANLON: Would there be any issue then if there were contracts that
specified that this is the use for these data, and that once that use has been
sort of satisfied that the data cannot be used for anything else?

MS. CHENOWETH: You know, we had that restriction years ago in CPHA, and what
it did was it protected CPHA’s business from its competitors, speaking as its
former president.

The problem with that is that when you serve thousands of customers, how do
you do that without – how do you do that without eliminating the business.
Perhaps the best way to do that is to allow, and I’m just speculating off the
top of my head, is to allow the general uses but have an audit, you know. There
are audits for financial reports from hospitals. Why not think along those
lines, rather than create enormous bureaucracy that you can’t do much about or
that really adds to the cost of health care in ways no one really wants.

If we can think of ways to facilitate what will be need and still protect
patient identification which encryption does quite well for organizations like
ours that aggregate data. We have no interest in tracking patients. When you
limit maybe the use to aggregation but allow the encrypted data and the date of
discharge and the zip code to allow market share analyses, to allow all of
those traditional uses, then you perhaps thought part of the way. What you have
as a challenge to you people, I think, is the challenge of thinking up what new
uses will be very important to individual patient care as a greater detailed
data is available and it needs to be transferred, and it’s a big challenge.

MR. REYNOLDS: Jean, I have a question. With some of your clients, are you a
business associate?


MR. REYNOLDS: And are those the arrangements that work fine for you versus
the other ones that you say don’t work fine?

MS. CHENOWETH: Well, yes, I mean, that’s what we’ve signed with everybody,
and we follow all of the government rules and get the DUAs signed, et cetera.
We follow the rules.


MS. CHENOWETH: Because we want to stay in business.

MR. REYNOLDS: Right. But you were mentioning you couldn’t get data from CMS.
So you’re not a business associate of CMS?

MS. CHENOWETH: No, we would – I don’t think so. You know, I honestly
don’t know because there are so many divisions of Thompson. It’s possible that
some other –

MR. REYNOLDS: Well, no, I’m trying to understand the difference between, you
seemed satisfied with your relationship with some, and you seem dissatisfied
with your relationship with others. And I’m asking the question about covered
entities because, I mean, business associates, and they have certain rights
under all the ways the laws are set up. Whereas, if you’re not a business
associate, then I doubt that some people would give you some of that data. So
I’m trying to understand exactly what –

MS. CHENOWETH: And I don’t know how to answer it because I don’t recall the
explicit definition of the business associate. I know that that’s how we serve
all of the hospitals. We are an agent operating on behalf of the hospitals or
on behalf of the insurance company or on behalf of the employer. When we buy
the Medicare files, I know that we have to sign the DUA, we have to get a DUA
from every hospital, but I’m not sure whether we also sign a business associate
agreement as well.

And I don’t know that because sometimes we’re working on behalf of the
government, and sometimes we’re not because we have a large government
division. Maybe you can help me.

MR. REYNOLDS: No, no, that’s fine. Again, you posed an issue and you posed
that sometimes you get what you want, and sometimes you don’t, and sometimes
you – and so we’re trying to go through and say what’s in place that
allows certain things to happen, and what isn’t. And I was just trying to
understand clearly because you had a point where some people you like what
they’re giving you, and others won’t give you stuff, and I’m trying to figure
out what to do.

MS. CHENOWETH: Right, and what I’m trying to say is I don’t think that has
to do with the business associate agreement. I think that has to do with the
interpretation of how data can be released which is a completely different
level. It’s an interpretation of what confidentiality is under the HIPAA law.


MS. CHENOWETH: And I think that’s the best I can answer it. But –


MS. DEERING: Thank you very much. When I mentioned this morning when you
weren’t here that at the AMIA Secondary Uses Conference, GE Centicity described
a process of getting data that was very identical to the one that we heard this
morning and that people have referred to. And whether this was – and what
I can’t remember is if Thompson came right after, and they spoke sort of as a
pair. And what I can’t remember is whether Thompson was a client of Centricity
and was receiving data from it. Actually I sort of got the impression that they
were, but let’s just leave it on the table whether that relationship existed or
not. But the proposition is clearly on the table that, of course, the vendors
would be selling their data.

And I think one of the things that I’m trying to understand is that data to
you is an input. Let’s say you are –- it’s one of many inputs. And as you
think of the NHIN and everyone focuses on the bright shining horizon of all of
this data collected once at the point of care. But I guess what I’m trying to
understand is, and this may be an absolutely meaningless question or
non-question, but I’m trying to figure out there are so many ways that data is
acquired and made accessible. If you looked forward in time and the regulatory
environment was hospitable from whatever way you needed it to be hospitable is
the collection of that data and a fairly direct path via the NHIN, the only
model, would that supercede all other ways in which you could ever acquire
data, or would there still be – are there other sources. Now one of the
things that I’m asking myself, for example, is we heard a couple weeks ago that
it appears that the law may pass both Houses, and the FDA will go ahead and set
up a hundred million person database under contract to continue to collect
information for safety from the VA, from CMS, from, did they mention some of
the big integrated delivery systems.

And so if the government which, by law, has the right to collect it for one
purpose for the FDA, is there a scenario whereby Congress and/or the regulatory
process in its wisdom could identify additional uses of that body of data
available for quality purposes. Right now, I believe it’s only for patient
safety purposes and monitoring. But if the government is paying people to
collect and aggregate that data to certain standards, then is there a scenario
in which through that effort the kind of data that we’re talking about, GE
needing individual patient consent for this other feed your PHI through the
pipeline scenario, it’s fuzzy in my mind whether we’re talking one and the same
thing. I just don’t know. So if you were looking into the future, where would
you get your data from and how would it –

MS. CHENOWETH: Okay, let me share with you what happens today. I can’t tell
you what will happen in the future; I could speculate, but I don’t know.

We collect data directly from hospitals under contract that preclude us from
identifying a hospital, a doctor or a patient. That is the way it has been
since the conception of the company in the ‘50s. And what we do with that
data is clean that data, standardize that data, apply methodologies for risk
adjustments, severity adjustment, et cetera, and then provide that hospital
with comparable information from our data bank. So source, the hospital. We run
state hospital association and state government data banks. We receive the data
on behalf of the state government or the hospital association, and we do the
same thing, but we apply additional restrictions from that state government
like North Carolina or Rhode Island or any of the states that we operate in,
and we add in their restrictions on data as well.

When we put it in our centralized national data bank, that data is encrypted
so that we don’t know who the patient is, and at that point it’s absolutely
irrelevant to us anyway because what we use that to do is build benchmarks to
compare, okay.

Then we can buy data from public sources that we don’t operate such as CMS
or a state government. We can buy data in aggregated form from other companies
that have rules as Byzantine as not only do you not get the data directly, but
you get the data directly, but the data’s encrypted, and if you ever have to
know the identity of a hospital, you have to ask a third party who is an
independent party to validate that there might be a problem with the data and
go back and ask the original vendor a question of the hospital.

So what I can tell you is in the information business, patient
confidentiality and hospital confidentiality and client confidentiality is
taken very seriously because our reputations depend on our maintaining that and
adhering to the letter of our contracts, and it’s very serious business. We
have nothing but our trust.

So there are other ways. Now if you had a situation where all data for the
whole community were coming through one spicket, then the most important thing
for that company that was running that spicket is to be the most efficient and
most effective receiver and channeler or distributor of that data. When that
data hits other organizations, would there be a way to get data from a hospital
separate from that spicket? Yes, because the hospital has a right to its own
business information.

The expense, however, of collecting that data is enormous, and it goes back
to the very reason why the CPHAs and the Blue Cross systems, the
not-for-profits were the only ones willing to collect data for maybe 20, 30
years. And then, when it became a byproduct of other business processes in the
hospital, they disappeared. Now that’s why I say it’s important to separate
those two kinds of businesses as you go forward.

MR. REYNOLDS: Jean, thank you.

MS. CHENOWETH: You’re welcome.

MR. REYNOLDS: Very compelling testimony. Thank you very much.

We’ll take a break until 2:50 on that clock, and then we’ll start the next


MR. REYNOLDS: Okay, our next panels going to give us a look at public health
in statewide planning perspectives, and it’s going to be David Carlisle from
the California Office of Statewide Health Planning, Leslie Lenert from CDC, and
Vickie Hohner from Fox Systems. So David, can you hear us okay?

Agenda Item: Public Health/Statewide Planning

MR. CARLISLE: Yes, I am on the line, thank you.

MR. REYNOLDS: Okay, well, we’ll just go in order of the agenda. So if you
would please start your slide presentation. Your slides are up, and if you’d
just say next slide whenever you want to move forward.

MR. CARLISLE: Thank you. Share I begin?

MR. REYNOLDS: Yes, please.

MR. CARLISLE: First of all, my sincere regrets for not being there. On the
East Coast, as you know, California is without a state budget, and we are
restricting payments to various beneficiaries of state programs, restricting
hospital and physician payments imminently, and this does not fit within our
travel criteria at the present time, so my apologies under those circumstances.

But thank you for inviting us to participate in this very important meeting.
We’re looking at slide number one, and I am the Director of the Office of
Statewide Health Planning and Development within the California Health and
Human Services Agency.

If you move to slide two, you basically see the hierarchy of health programs
within the California government. OSHPD is one of several departments in the
Health and Human Services Agency that have responsibility for health care
functions and health policy. There are a total of 14 departments within our
agency, and six specifically have healthcare functions.

Moving to on to slide number three, I just wanted to share with you some of
the reports that we have prepared dealing with hospitals and, most recently,
physician outcome. If you look at the top lefthand report on the slide, that is
a report from our coronary artery bypass graph surgery outcome reporting
program. We just released the first report west of the Mississippi, first
report for California that includes surgeons’ outcome in addition to hospital
outcome, and that is now available via our website. We’ve used our data for
other reports on preventable hospitalizations, on community acquired pneumonia,
on heart attack mortality, and race and ethic disparity, and continue to make
information available to the public.

Our mission is to make as much information available to the public and to
consumers as possible. We do not view reports with a hospital that are not
available to the public.

Moving on to slide number four, you see a summary of our databases, and we
basically have five different types of data that we collect and report. The
first are financial data, i.e., revenue and cost for a variety of health care
programs. The second would be utilization data, the number of total aggregate
visits per year and types of visits. And then we have patient level, individual
patient level specific discharge data. And finally, we have clinical data.

The clinical data are focused specifically on our coronary artery bypass
graph surgery reporting program. We have trained data collectors who actually
go to hospital facilities, abstract the medical records, report them to the
office and generate the database.

Returning to the financial data, we basically collect, as I mentioned,
revenues, gross revenues, net revenues, all sorts of financial parameters. Our
hospital data set here is perhaps, I think, one of the most complete in the
nation. In fact, compared to data that most other states collect on hospital
financial performance, this is an extremely comprehensive data set. It is
highlighted here as a limited database because not all hospitals in California
report individual hospital-specific data to us. We have an exemption in
California called the Kaiser exemption which allows a hospital within the
Kaiser system to report their data as a system instead of as an individual
hospital facility.

As a result, we don’t get data from hospitals that are, specific hospitals
that are run by Kaiser. But we do collect individual and hospital finance data
from all other hospitals within the State of California. We also have some
limited less comprehensive data financially on long term care facilities, on
ambulatory clinics within the State of California, and recently on ambulatory
surgery centers.

If we move to utilization data, California also requires all health care
facilities that are licensed by the State of California to report utilization
data to OSHPD. And, again, we have fairly comprehensive utilization data on
hospitals, emergency room facilities, emergency departments, on hospices and
home health agencies, and recently ambulatory surgery center.

We also collect utilization data from long term care facilities. In the area
of clinics again, we have an exception in the State of California. Some of our
large public municipal and county run clinic networks do not report clinic
level, specific clinic level data to OSHPD. Going down to the discharge data
set, our hospital discharge data set, I think, has been recognized as being
relatively state of the art, very comprehensive, very complete and has been
around for over 20 years and has generated, I think, we would say in excess of
probably 1500 peer review scientific articles in the literature since the
data’s been available

We have just recently added similar level data, individual patient discharge
data from emergency departments and also from ambulatory surgery centers to
this portfolio, and we expect that data to also be as rich and as useful from a
policy and utilization review as the inpatient data set has been.

Then finally again I did mention the clinical data that is abstracted from
medical records specifically support the CABG outcome reporting program. Moving
on to the next slide, I’m going to share with you more detail about a patient
level data set, and this is, I think, the data set where a lot of the questions
for testifiers really drive – that they drive to.

The hospital data set has about four million individual records or
observations per year, and these can include more than one hospitalization for
an individual patient. The emergency room data sets, one of the new data sets,
has almost nine million observations or discharges per year that are captured,
and we have about three million discharges per year on our ambulatory data set.

We collect very expensive demographic data, age, gender, race and ethnicity.
We also collect patient zip code which is mentioned below. In terms of our
clinical data and the data sets, patient diagnoses up to 24 are included, up to
24 procedures. E-codes, external cause of injury codes, are collected. DRG
classification is collected. These are all – I should mention that this
data set is based upon billing data financially. Because of the existence of
billing data historically, we were able to move forward in generating and
collecting this information.

Finally going on to the final bullet, zip codes were mentioned already. This
is the patient five-digit zip code. And I do want to make the point that we
actually collect from the facilities the social security number of patients. In
California, not every patient who is discharged, especially on the pediatric
and delivery side of things, has an SSN. But we collect the social security
number. We then transform that number into OSHPD records linkage number, so in
comes the SSN and out goes for all virtually intent and purposes, a scrambled
record linkage number based on a very complex but reproducible scrambling

We collect admission source, disposition, payer, that is, the type of
insurance company or whether the patient is self-insured. We collect charges in
California, and we have a hospital ID number.

I want to come back to charges, and this is actually one thing that’s very
important. A lot of attention, I think, has been placed in the media recently
about the cost of health care, and I think a lot of the reporters are having
trouble differentiating cost data from charges data.

Not too many states actually are able to capture and report cost
information. California at the level of the individual patient or unit of
service does not collect cost information. We do collect charges data, but
those can sometimes be a factor two or even three removed from the actual cost
of care or actually what is being paid by payers for services. That’s just one
important point that I wanted to make.

Moving on to slide number six, again, with regard to our patient level data
sets, the discharge data, as mentioned we do collect this information from
hospitals, emergency departments and ambulatory surgery centers. We then
categorize the data set into two broad categories. The first is the public data
sets, and as you see near the asterisk, the public version emphasizes the type
of data that would not be able to be utilized for violation of patient privacy.

We basically include all of the records, all the observations, but we use
age categories instead of specific ages. We do include the five-digit zip code.
So we use masking for a variety of elements that could be specifically used to
identify an individual such as race, diagnosis and procedure.

The masking is generated by or is related to the level of geographic fields
that is used. So for instance, if you use a zip code, some zip codes in
California have very few residents, and some have quite a few, probably ranging
from a couple hundred or fewer even up to many thousands, 30,000, 40,000,
50,000. Small zip codes require masking, and if we had an African American
individual who had undergone a CAVICH(?) and was a resident of a very small zip
code, simply those two fields might allow one to identify that individual if he
had knowledge of people residing in that specific zip code. So we might mask
those particular data elements.

Moving on to the non-public data sets, we basically have two types of
non-public data sets. We have a fairly standardized non-public version that is
kind of packaged for specific users. I’ll speak to that in detail later. But we
do have some specific users of non-public data that could include hospitals,
public health departments in the State of California, and we do have fairly
standardized packages available for them.

But we also project-specific IRB reviewed request for non-public data, and
again there’ll be more detail on that later. But for those users, we basically
produce custom non-public data sets, and they are dependent upon the project
that is anticipated and envisioned and are designed to fit within – I
apologize, we’re across the street from the fire department. This may not
happen – this probably will happen one more time, we’ll see. But yes, that
is our project specific non-public data set.

Moving on to slide number seven, we are aware and very cognizant of the fact
indeed that patients are not necessarily – they don’t know that the
information about their discharge may be reported to the State and may be
reported by the State to others. It is expected that, again, individuals whose
data are being used don’t know about this. But on the other hand, we do not ask
for a consent or authorization from individual patients prior to reporting
their data to the State. This is part of our Data Act in the State of

We, however, do know that hospitals and clinicians who are reporting the
data are aware that the data are being collected. As a result, we do use very
strict security measures to make sure that the data remain confidential or

And moving onto slide number eight, the legal constraints on disclosure of
non-public patient level data in California are several. We basically are
guided by two specific laws. Our California Information Act says that we are
able to report the data for research purposes to non-profit educational
institutions, i.e., universities, California state universities, University of
California campuses within the State of California and others such institutions
within the State of California and elsewhere.

We have a Data Act that basically extends the access of the data to local
and federal public health agencies. So we share our data with the California
Department of Public Health, the California Department of Health Care Services
that runs our MediCal Program. They use our data for reports of billing and
rate setting functions.

And we also share our data with use of the federal government. Certainly,
the CDC receives data from us, as does the AHRQ, and our data go into national
discharge databases that are then shared with researchers. But they’re used
also to support other federal functions, as I’m sure many of you know.

Moving on to slide number nine, we have certain constraints on what we share
with the public. Again, designated users have limited data sets. Although we’re
not a HIPAA covered entity, we comply with HIPAA regulations in terms of data

As I mentioned, we collect from the facilities the social security number of
an individual, but we do not report direct identifiers. Again, we do not report
the SSN. We would not report a patient’s name, which we do not collect,
although we would not report a patient address also, for instance, if we were
to collect that.

Data that we report that is non-public must be limited to the minimum
content required to fill a specific purpose. And data that are used by
researchers has to be for a specified purpose of research, and we have a data
agreement that establishes the permitted uses and who is permitted within, say,
a given research entity or shop, who is permitted to actually utilize the data,
so we are very proscriptive in terms of who can use the data and what it can be
used for.

Going on to slide number ten, the recipient then agrees to use the data only
as specified. They have to use appropriate safeguards to prevent misuse or
disclosure. They have to report to us any disclosure not provided by the data
use agreement, and they have to ensure that agents or subcontractors agree and
comply with the same conditions and restrictions.

They have to basically also agree to never contact or identify individuals
as a result of using the data that we provide to them, and actually this has
been something that’s come up a couple times before the State IRB, and once
again the researchers must promise never to contact or identify specific

Moving onto slide number eleven, yes, we do have a committee for the
protection of human subjects, or essentially an institutional review board
within the California Health and Human Services agency.

Researchers and data users including OSHPD’s own outcome program have to
have protocols reviewed by a CHPS or IRB. Protocols actually get reviewed. We
do this pretty aggressively. We have a committee comprised primarily of Ph.D
level individuals and others who are very familiar with the use of data for
research who make up the membership, and the IRB reviews our research by
virtually all of the state agencies and private universities that might be
utilizing our data.

Moving on to the next slide, within OSHPD we have a highly secure internal
information technology environment. We use very sophisticated encryption
techniques. Our staff data sets that the data sets are basically comprised or
held on secure servers. And we’re very rigorous, using locked facilities behind
an IC firewall to basically prohibit access.

Again, we don’t disclose SSN numbers, and we don’t disclose other
identifiers, and we use very strict data use agreements with all users that
don’t have direct access such as the Department of Public Health to our data

Moving on to slide number thirteen, we actually are also rigorous in terms
of our data stewardship. Our patient data discharge section collects and
performs quality testing. We have electronic mechanisms for data reporting
within the State of California. Virtually all of our data at the individual
patient level are reported to us electronically. The data are heavily edited
using the various electronic algorithms that are updated. And then we have a
data management office that has responsibility for warehousing the data. Again,
it’s a secure private repository that also is able to link and match our
various data sets together. And then we have within OSHPD a health care
information resource center whose job it is primarily to review all data
requests and is able to generate custom data products for various users of our
data sets.

Finally, we then close with the last slide, slid number 14. This has contact
information for OSHPD. One can go to our website at oshdp.ca.gov to view our
data set and contact us directly for your health care information resource
center. We have an email address for the center at the bottom, but also a
telephone number.

And why don’t I stop there. I know we have other panelists who are eager to
present. I don’t know if you want me to take questions at this point or after
their presentations.

MR. REYNOLDS: I have a question for you first.


MR. REYNOLDS: Since you have the budget situation, and we heard sirens in
the background, do we need to ask you the questions now, or would you rather
wait until the rest of the – can you stay with us through the rest of the

MR. CARLISLE: There’s never a dull moment here in Sacramento, and sometimes
that’s preceded by fire sirens. But I’m here with you and can be here for the
duration of the panel.

MR. REYNOLDS: Okay, well then we’ll just continue through the agenda, and
Simon, I think you want to make a brief introduction, and then I’ll let you do

DR. COHN: David, this Simon Cohn. I first of all just want to thank you for
your presentation.

MR. CARLISLE: Thank you.

DR. COHN: I was struck and probably ought to publicly disclose as Chair of
the Committee that I actually am Associate Executive Director for Kaiser
Permanente, and we obviously do appreciate the forbearances you give us in
terms of our data submission to you as part of OSHPD. So, and we do very much
appreciate that.

MR. CARLISLE: I should mention that we have a variety of technical advisory
and data advisory, Ford Commission committees, and Kaiser is a consistent
participant in each of them. Thank you very much.

DR. COHN: Yes, certainly it’s not by way of public disclosure, but I thought
I should at least comment. Thank you for joining us.

Now I did also want to take a minute just for introduction for Les Lenert.
Les, we’re obviously very pleased to have you joining us. Les is the new
Director for the National Center for Public Health Informatics, a post that I
understand now that you’ve had now for ten days. So we know there’s been
actually a very extensive search for this position, and obviously I should just
comment that for those of you who know the new structure of the CDC, the
Centers are obvious collections of, I mean, basically I guess collections of
the various agencies and organizations within CDC do report up to these
national centers which include, I think, the National Center for Health
Statistics. Am I wrong?

MS. LENERT: Actually, a cluster of centers report to a coordinating center.
So NCHS and CPHI and the marketing center are all in the same cluster.

DR. COHN: Okay, so it’s sister, that’s right, another aspect of the cluster.
Okay, well, that teaches you how much I understand about how CDC works. But
having said all of that, what? Oh, Vickie, are you on the line?


DR. COHN: Okay, thank you. We were just introducing Les Lenert who’s going
to testify in just a second, and you’re following her.

MS. HOHNER: Correct, I’m here.

DR. COHN: Okay and thank you for joining us. Well, anyway, now that I’ve
completely mangled that introduction, I just wanted to thank Les for being
willing to participate and come up on relatively short notice. I want to thank
Steve Steindel for helping to facilitate your appearance and presentation. And
obviously, we look forward, I think, to a long and close relationship working
with you. The NCVHS is a department-level federal advisory committee, but
obviously we have very close relations with CDC. The Executive Secretary is
within CDC in the National Center for Health Statistics. Obviously, we have
very close relationships with them, and obviously we also work closely with
ASP(?). So we’re obviously very happy to have you here.

DR. LENERT: Thank you. I want to give you a brief background on myself and
who I am. I’m a medical informatics researcher. I have done work in a variety
of other areas before joining the government. I have training as a general
internist and a clinical pharmacologist, and I also received a Masters degree
in Medical Informatics from Stamford concurrent to I received doing a
fellowship in clinical pharmacology.

I have worked in a wide variety of areas in medical informatics from use of
secondary data sets such as OSHPDs to evaluate the effectiveness of critical
care near the end of life to development of public health intervention
strategies for the Internet such as smoking cessation and behavioral change

And most recently, I’ve worked on technologies that allow first responders
at the site of a disaster or a terrorist attack to use electronic hand held
medical records wirelessly and to track location of victims and to get
telemetry from wireless instruments and other sorts of advanced technologies
and evaluated that.

But I tell it’s my pleasure to really tell you about public health and its
potential role in informatics. I have to do so with a great deal of humility,
being in the public health world really only for ten days and having such
outstanding contributions from people in the public health world to this
Committee so that I’m pleased to be able to do that.

So if there are other questions that you need further advice on different
things, Steve is available to add to this as is Tom Savelle(?), my chief
science officer, and we’re happy to fill in what I can’t answer now.

My task today in talking to you is to give you an overview of what the
National Center for Public Health Informatics, and then I’m going to talk in a
very general way about public health use of clinical data and what the
implications are for that, what are the different models and strategies,
particularly with regard to what’s going on at the CDC. And then I’ll also talk
a little bit about future states and what we will be doing and give you a brief
summary for that.

Public health informatics, it’s the systematic application of information in
computer science and technology to public health practice, research and
learning. This should really be nothing new to you. As we’ve heard already that
NCPHI as we call it, the National Center for Public Health Informatics, resides
within the Coordinating Center for Health Information in service, and that our
two sister centers, the National Center for Health Marketing, National Center
for Health Statistics that we work very closely with on a weekly or daily

So our focus is really on this use of informatics and technologies to
improve science and service in public health. We see public health clinical
data being used in four different areas, for developing and promoting the
science of public health informatics, for supporting the necessary research and
work for its bases for growing this discipline, and for establishing strong
leadership partnerships, and then really working to establishing strong
representation for public health at all national IT initiatives including this
one. And so we’re very pleased to be here.

I might just skip over that. To get to the heart of the matter, the public
health has a substantial use for clinical data, and our perspective is that
this is not secondary use, but this is really a societal primary use, that we
have to think about the notion of a society having the needs for protecting
itself from infectious agents or other health threats, environmental,
toxicological. But we can focus on the bacteria as a threat and other organisms
as a threat to public health, and that’s really where the legacy of public
health and the CDC come from.

So the four different cases that we’ll talk about really are surveillance,
the idea of case and outbreak management, and then population health assessment
which we have heard a little bit about already today, and then our population
health interventions or the specifics of trying to improve the health of the

Giving health care is a public health function, but the federal government
has a public health agency, the Indian Health Service, and it has other
agencies that provide direct health care, but the CDC does not really provide
direct care unless there’s a national emergency. We are here to organize health
care processes in the system until we are invited to perform direct activity.

So to talk about public health surveillance when it’s one of the uses for
public health purposes that we think is most important. It’s often the only
item that can appear to people on our agenda. Indeed, the focus is really on
this notion of infectious disease, but it really extends beyond that to health
related effects and environment and other types of exposures.

Infectious disease surveillance is our cornerstone. It really developed the
public health system. Until the late 20th Century, the control and
elimination of infectious diseases was the major focus of mankind.

With the advent of antibiotics in the mid-20th Century, we’ve won
part of the war with the microbe, but we are in a continuing battle against the
resistant organisms and often face challenges from the reproductions of these
microorganisms that are adapted to the modern environment of microbial. However
people perceive less threat than there is now, and we need to move forward with
continuing to be vigilant.

Almost any morning, we see on the news that we are far from a state of
relaxation, though, that there are people are constantly bringing threats,
whether it be from the Harry Potter series where you’ve maybe heard of the mad
eye moody, the need to be constantly vigilant, and that people are afraid. The
news media or other sources may be putting fear into people.

Almost all organizations do monitor for the induction for the new strains of
microorganisms, and this issue of resistance. But as you can tell, this is a
difficult task. And even as our recent experts were trying to determine whether
certain types of TB organisms can be treated with antibiotics, it’s at least a
difficult question.

Small wonder public health surveillance has a special place in this
discussion. We are fortunate to have a public that recognizes and accepts the
role of government to detect threats and grant special authority to allow us to
do so. While there are no federal laws regarding the reporting of infectious
disease, these laws are common at the state level and at the local level, and
that good practice by public health practitioners and really the culture of
public health winds up with these reports being aggregated for the common good.

HIPAA itself recognizes the public good of the function of surveillance by
allowing passage and information into public health entities during health care
delivery without consent, the so called Public Health carve out for HIPAA
allows disease surveillance systems, disease registries such as those for
cancer, immunization registries and several other vital tasks.

Providers unfortunately have had to bear the burden of this process so far.
That is to say that when you see an infectious disease, you have to pull the
yellow card and report it, or when you see an adverse drug reaction, you have
to report it. And that this process goes on without compensation largely
through professional self-regulation standards.

But in the future, we’re going to need to have approaches to automate this,
to ensure that it’s done more reliably, and done more completely.

I’d like to talk a little bit about this and the notion of a matrix of
different activities for the four dimensions. So in public health surveillance
and the other areas, we’ll discuss, we’ll talk about accountability,
transparency, the permissions required, what we’re doing for identity
protection, oversight, the laws and regulations, the standards and the

Right now, the accountability to report in this is based on civil
requirements. It’s not really enforced so that there really isn’t any setting
that says that health care provider or a covered entity is penalized for not
reporting. However, professional practice has rendered us with some capability.

Transparency, our activities are transparent to those who know the HIPAA
law, but they’re not necessarily transparent to the public at large.

Permissions, well, the permissions are granted by statute or the authority
of the state and local governments so that they’re not necessarily required.
The identity protection is cultural, and it may also be part of the statutes.
But the primary protection is that public health practitioners have a very
strong culture of patient confidentiality, and there’s a history of success
from this tradition.

Oversight, while public health is a government body and there are
governmental procedures for self-oversight, other local and regional government
bodies that overlook what we’re doing to ensure that the practices are
appropriate. However, I think that the main factor is to see that there’s no
financial motivation and that these organizations exist for the public’s good.
And to the extent that they’re corrupted in those things, all public processes
have been corrupted.

Laws and regulations, state and local standards processed. NCPHI’s, one of
its largest roles is to advocate the use of standards in reporting and to
develop systems such as meds and other platforms that can enhance the use of

Public health statistics, again, I’m a little bit hesitant with it. I don’t
care to talk about the collection of public health data, but as you can see
both the states and the CDC as a part of data use agreements or statutory law
collect data on the health of the nation, and that this activity is an inherent
one to government. People want to know how we are doing with the health,
baseball statistics. We look at averages. We want to know whether health is
improving. We want to know what the areas are of risk, and that this allows our
nation to monitor this.

The roots of this go back to the National Census and other areas. And that
there are many different issues that come up with this. Inside the CDC, the
National Center for Health Statistics is our designated national statistical
agency for health care, and NCDS is tied very closely to this.

At the federal level, we really gather data at two sources. The states
report data that is collected to us, then there’s direct data gathering. The
states bring us data through specific use agreements and other activities.
You’ve heard a little bit about some of the state activities from OSHPD and how
they then transmit select data to the CDC for further analysis where it’s
treated with the same care as it was treated at OSHPD.

The amount of security in surveys such as the NHANES is extensive. In fact,
it’s so secure that restrictors have to travel to special centers to access the
data, and that there are significant limitations on different types of data
that are available.

So, again, to look at our matrix on this that the issues of accountability,
there really are not people measuring how well we’re doing with this and
reporting to the public. However, we have been good stewards with this, and we
stand ready for the public to inquire into our processes.

The transparency, the public may not be fully aware of the state activities
and the ability to know and be aware of what’s going on with CDC varies
depending on the particular program. Permissions, well, again, we’ve had the
sort of same issues that either we have statutory programs or we have programs
that require IRB permission. The CDC does operate IRBs and does collect data
that requires human subject approval.

Identity protection, the primary rule is individual de-identification with
regard to the potential for re-identification by a different means and tied to
some of the other issues that have been raised within the comments by the folks
from OSHPD.

The issue of oversight, data stewardship, ownership and control that we are
stewards of data, but not owners. When we receive this type of data at the
state level, and that we do own and control federally collected data, but that
we take good care with that.

I think you can look over the remainder of this sort of grid as you can see
here. And I’d be happy to answer questions or refer them to Steve.

The last area is specifically funded programs, systems such as BioSense or
data repositories such as the Cancer Registry. We collect the data directly
into federal systems such as BioSense which collect data on ER activity in a
number of hospitals to be able to monitor the nation for evidence of outbreaks
related to bioterrorism or to influence other rapidly transmitting infectious
diseases. For this program, the CDC actually has servers at the interfaces of
clinical information systems at a number of hospitals around the country. The
level collected varies. Right now, there’s about 350 systems where we’re
collecting data up to every 15 minutes that has been pseudonymized. There are
very strong use agreements in place that are similar to HIPAA agreements that
define our requirements for processing of this data, and that BioSense was
approved by the Office of the General Counsel of the CDC and by the CDC’s IRB.

Other data collection from clinical systems is emerging around our
longstanding hospital infection program and that there the National Health
Collection Surveillance System gathers data on health acquired infections and
is tracking those and helping us understand the patterns that are there as well
as the national health care safety network for reporting adverse events. These
are anonymous systems for case reports.

The CDC funds many registries. These are activities such as Cancer Registry,
the national program of cancer registry that the NPCR. There are a wide variety
of other activities that are done under IRB approval but may have patient
information in them by content and following HIPAA regulations.

The last major area would be public health research. Essentially, all CDC
programs have a basic research component tied to their mission. The laboratory
programs develops tests related to these related programs. We do research on
public health entities and the new diseases. All these programs have IRB
approval, and they may have patient specific data if it’s relevant to the
program, and that has all been obtained with patient consent.

I certainly must have left off several examples of CDC activities. That’s
because of both the scope of these activities, they’re enormous and my relative
newness to the program. But I hope that if you have specific questions, we can
clarify those, and that there are programs and environmental impact
occupational safety and toxic waste measurements that also deserve note and
your attention.

So to kind of go over specifically funded programs, again many of these do
not have accountability for how people are using the data beyond the sort of
IRB review. Transparencies, there may be issues with that permission.
Generally, we sort of require consent, but BioSense does not require consent
for participation.

There is indeed protection in these areas that is appropriate to the level
of consent obtained, and that there is direct oversight by the agency
controlling these, and that we think are related to our mission. And while some
of our activities such as BioSense draw heavily on standards, others are hardly
compliant at all, particularly certain types of disease registry activities,
and these may not use any types of – may not use relevant medical
informatic standards.

So I’d to with that move on to the future. The future is not known, and I
would be the first to say that NCPHI and other CDC programs are in a state of
review at this time. In fact, the Director has just called for presentations
from a variety of centers to either assess our state and develop our systematic

We do have many data collection agreements in place that follow the law.
There are many manual processes that we’re attempting to automate, and I think
that the future efforts will look to see case reporting in particular automated
through integration which will help carry information systems, and we have
demonstration projects obviously within one of our centers for excellence, and
also we have one of our divisions of integrated systems has a demonstration
project on automated reporting for this purpose.

We have to look to new data sources particularly for BioSense and to look to
protect our nation against epidemics and other outbreaks. These data sources
will be regional. They will integrate with the National Health Information
Network. We will be attempting to try to create situations where public health
monitoring is a byproduct of participation in the network, and that where we
are not required to purchase the data or purchase the connectivity, but we try
to have people attracted to us by the services we offer to them for the
software that we offer. We need to find new ways of doing this because we
simply do not have the resources to pay to connect everyone everywhere.

There remain to be significant data linkage issues for the CDC and for local
public health. Our focus in collecting data is also changing this area. Local
public health and statewide public health is a priority for us, that our data
collection efforts will not be independent of those sources, and really will
drive their activities and we’ll be pushing data to local authorities as we
collect it through CDC programs.

We’re actively engaged in research through enhanced confidentiality through
our Centers of Excellence program. So our future state will allow linkages from
multiple data sources, using richer data tests capable of extending knowledge
and productivity that we have to balance this with potential unexpected
consequences of inadvertent release of confidential data.

I believe that as we move forward, we’ll move away from a central repository
mode to grid computing approaches and to distributive approaches which will
minimize these risks or compartmentalize them, and that that will be another
element of those programs.

We cannot go too much further in our description of what’s going on. We have
just commented on this to the Secretary and others, but I will be glad to take
your questions. There’s a great societal need to detect and control infectious
diseases, and there is an unquestionable willingness to do this.

We are faced with two devils, the devil of the organism which –
microorganism which continue to threaten our society, both man made and
naturally occurring, and that we also have a devil that is in the details of
management of data and the production of confidentiality, and we must balance
these two as we move forward.

To summarize, the CDC sees much benefit in data sharing, and we want to work
very closely with this Committee, and we’re happy to support it in whatever
ways we can. We see a productive future in our efforts for data requirements as
we retask the electronic data collection through the National Health
Information Network. We see new but workable and predictable challenges in this
effort from the perspective of society and public health, and many refer to the
problems of ensuring privacy and confidentiality of the world. We support
patient confidentiality and privacy. We also encourage patients to understand
the benefits of a collective societal approach to health and to recognize that
infectious diseases are an ancient threat that we must deal with as a
community, as are many other hazards to our health.

And I really thank you for allowing me to speak on the subject today.

MR. REYNOLDS: Les, thank you, and I can’t wait to hear your presentation
after you’ve been there three months. That was pretty smooth.

So Vickie, are you still with us?


MR. REYNOLDS: Okay, if you would proceed, and then just mention next slide
whenever you want the next slide put up, okay.

MS. HOHNER: I will do so, thank you. My name is Vickie Hohner. I’m with Fox
Systems Incorporated, and I appreciate the chance to come and talk with you

All of Fox Systems works in the area of health care consulting primarily
with public sector entities, primarily also in the aspect of business
operations and health care technologies, and a lot of my experience has been
primarily with doing HIPAA assessments for a variety of public agencies and
programs, primarily those outside of the Medicaid arena. So behavioral health
and other non-traditional or smaller public programs. So I have a lot of
experience from the side of looking at their assessments, you know, what their
practices are and what the needs and compliance barriers are.

Slide one would be, or the second slide with the bullets on it. I also want
to go back and say that in my previous life I did act as the hospital data
products manager for the Washington State Department of Health, and that was a
role very similar to what you heard from the California OSHPD presentation. So
my goal will be to kind of go over some of this quickly but just to revisit
what my role was with the State and then how I’ve been able to take and flip
that around in the consulting perspective and see what other entities have had
to deal with and where some of the complexities and confusion arise.

I also have longstanding associations with the National Association of
Health Data Organizations which is the organization that works with all the
state agencies or state associations which may also be hospital associations
who collect hospital discharge data or other large scale data sets like that as
well as a founding member of the Public Health Data Standards Consortium where
I served as the co-chair of their Privacy, Security and Data Sharing Committee.
So I just wanted to let you know in terms of my affiliations where I also have
connections in that sense.

Also in my role with the State of Washington, I – before I left, I was
the HIPAA Coordinator for the State Department of Health, and the later on
moved to be the coordinator for the overall State government efforts in looking
at HIPAA compliance across not just the Department of Health which was the
public health agency but also with the Medicaid agency and a variety of other
agencies that were impacted by HIPAA requirements. So I just wanted to give you
that background as I preface all my comments today.

So when I was working for the State Department of Health as a data products
manager with hospital discharge data, my role was really to be the gatekeeper
for requests for that information for any secondary uses of the information. We
had requests from both public and private sector, and I just gathered these up
really quickly for you, but to see some of the extent of what kind of requests
would come through the door.

So public sector uses included both internal and external to the agency and
internal and external to state government as well. Sometimes they would cross
to other state governments and also to other countries since in the State of
Washington we border with Canada. We often also had data change with Canada as
well for the intersection of where people would cross the border for various
kinds of care.

In the public sector, we sent data out epidemiology purposes, program
management and evaluations, grant writing, and rate rebasing, mandated
reporting, research, planning efforts among all varieties of the government
sectors, mapping, indicators of measurements and outcome measures as well.
Public sector uses included planning, marketing and research, and that also
began to move into the measurement area with HIE and other areas as I was
leaving that particular position. So the California presentation had a little
more extensive description of some of these uses, but obviously they’re very
similar in terms of what kind of secondary uses would be facilitated by the
hospital discharge data and other similar data sets.

Since you did hear from California, I’ll try to do this fairly quickly.
Washington State disseminated hospital discharge data with the goal to release
unless explicitly prohibited by law. So the goal was to try as much as we could
to get that information in the hands of the public and other requesters.

There was a legally mandated public data set which mirrored a HIPAA limited
data set, and that was actually mandated by law that there should be a public
set that would be provided to persons on request.

Again, we often responded to some of the data requests by creating
customized data sets in which we could then use the minimum necessary criteria
to create specifically what people needed whether it was a data request or data
sets, or whether it was indeed some kind of custom analysis which also was
requested through some of the requests that we received.

The trust issue really has to do with dealing with hospitals who are the
mandated reports. And obviously when you start a situation where you have to
turn over data, you cannot start from a strong position of trust. So trust has
to be developed through building relationships and by working in partnership
and consulting with the hospitals as much as they possibly could. So it really
was a relationship built over time, and I find that that is not unique to just
being in this particular role. But that a lot of the trust issues have to do
within an industry more with developing relationships and building
relationships rather than with looking at exchange purposes or just being able
to relate upfront that this is an okay exchange to conduct. It has more to do
with whether they feel comfortable that that information will be used correctly
and handled appropriately and protected in the correct ways. They want to make
sure they have that.

I apologize. This is on slide three. And now go ahead and move to slide four
which is actually a continuation of some of this as well. So the Department of
Health had a mandated stewardship and dissemination role. And so that was our
job primarily to just get that information in the hands of those people who
requested it. The State had originally mandated the collection under a cost
containment program which was sunsetted about the time I came on board, and
therefore the information was collected without a specific purpose in mind and,
therefore, the goal was actually to try to maximize the ability for others to
use that information rather than collecting it over again for other purposes,
but instead to facilitate use of the information that was already in the hands.

Same or similar information was also collected by other entities, and I
believe still is. The State Hospital Association was doing it in Washington,
but as a voluntary effort, and I think there was some role in them trying to
get that information out a little sooner, but in much broader forum. So there
were some different approaches that we were trying to use in order to get
information. That information would be available, of course, only to the
Hospital Association membership.

And I already talked about the mandated reporting and the trust factor. So
let’s move on over to slide number five. In terms of the confidentiality laws,
this data will have public participation. Obviously, and I’m sure most of you
know from your own personal experience, if you work in this field and you talk
to friends and family or other people in the industry, you often find out that
of course what people know about how their information is used is pretty
limited, and they’re not really aware of the information used beyond use for
their own particular treatment and payment.

I have found the HIPAA name awareness is out there, but just because people
know HIPAA they don’t really understand what that means. And so in terms of the
public understanding, I don’t know that we’ve gained a lot other than they know
that HIPAA’s there and it has something to do with protecting their
information, and that’s about as far as it goes.

Within the State of Washington, part of the role I had was creating
information from the hospital discharge data that would be useful to the
general public. So we did try to also have as part of our role as to make sure
information could be created that would be useful to consumers. So we did
create things such as average charges and produce those in print form and later
on through the web for people to be able to access so at least give them
guidelines if they were going in for some of the more common conditions into
the hospital, they could get a guideline for how to see what they might either
have to pay or what their co-pay might be if they had insurance and a variety
of other things they could use to make some choices if they have the luxury of
being able to do so before they went into the hospital.

Public participation in Washington was and is required in certain activities
so that when there are major changes made to the data collection effort or data
elements, those all had to go through a public meeting process, and whenever
there were other feasibility studies or other activities that went on, we
usually try to include some kind of consumer representation or consumer
interface to be sure that there was some feedback from consumer groups to be
able to add that to the information we collected in trying to make decisions
about enhancing the data, improving the data, enlarging the data scope of the
data collection activities.

Slide number six, confidentiality laws in Washington are relatively
straightforward for hospital discharge data, and the State has a comprehensive
law for research requirements. Confidential information requires IRB approval
if for research or a data sharing agreement if it was for use for other
authorized purposes.

There was no re-disclosure of confidential information allowed under any of
those mechanisms without explicit approval from either the Department of Health
or from the IRB that would have made sure to contain any re-disclosures or uses
that were unknown and therefore would potentially be outside of the realm of
legally allowed uses.

Again, we use customized responses to data requests as well as to research
requests whenever possible so that we can minimize the information that was
done outside and put just the information that was necessary in the hands of
the requester.

What we did also do in the State of Washington which I don’t have indicated
on the slide here was we were responsible in my particular area of creating a
series of linked databases which we linked certain other information to the
hospitals discharge data collection which California also is doing. Often that
was vital statistics data, but sometimes it involved other proprietary data
such as Medicaid data, a variety of other things that people would come to us
after a while and ask us to create these data sets.

The complexity came in trying to blend more than one confidentiality law and
coming up with how would we than be able to disseminate information from these
blended databases when we have to look at multiple laws that affect these
particular systems.

Sometimes that could actually be more complex than you would think when
you’re only blending two data sets, but it did sometimes take a lot of work
before we could figure out how to do that and be in the clear for all the laws
that applied.

Normally what happens is you would apply just the strictest requirements
from whichever law has the strictest requirement and apply that to the overall
data set that’s unapplied. The reason these were – this kind of work was
done was because we created these linked databases on an ongoing basis. And so
it’s so much like the hospital discharge data, they were also used in really in
a similar fashion, and again we provided the gatekeeping for those particular
data sets.

With the recognition of how difficult it was sometimes just to blend the
laws that applied to two data sets together, this obviously shows that when
you’re talking about engaging in a comprehensive health record or health
information exchange effort, it can get overwhelmingly complex with all the
laws that are out there and applied. So it’s something I did want to raise and
have that experience of doing it on a small scale just to be able to add that
to the perspective of what’s necessary and certainly the HIPAA project has
pointed this out as well about the complexity of the variety of privacy and
confidentiality laws that are out there and how piecemeal they all are.

Moving on to slide seven, most of the rest of my remarks I’m going to make
now rather than from my perspective as being the data products manager for
hospital discharge data in a State to my experience in moving to the other
perspective and doing consulting for a variety of organizations that have this
kind of information and were on a regular basis sharing this kind of
information whether or health care purposes or for other purposes where the
issue of understanding the complexity of the laws created a lot of challenges
for them.

So I want to address first the issue of quality versus research. And most of
the work in establishing standards for privacy in health information exchange
has to do with finding problems and commonality of understanding terms.
Obviously, HIPAA introduced a number of new terms or old terms with new
definitions, and this has been a major contributor to misunderstandings of the
requirements and has a lot to do with the tendency of many players to refuse to
share information. I know that we’ve heard earlier people talk about barriers
that a lot of folks put up and said we just don’t’ share information. And it’s
not even so much from not wanting to share the information, but I believe that
everything is so complex that in lieu of not understanding the full, you know,
what everything means and when you apply what when, people have retreated into
let’s not share information. So that also has a lot to do with the stance
that’s being taken among many players in the industry.

We have the same issues with the terms quality and research. They’re not
used consistently in the health industry. Quality tends to be a term often used
by the insurance payer perspective and more often in the private sector. But
when you move into the public sector, the term quality’s only beginning to be
used, and it really is not a term that’s been in existence within any of those
programs for a long time. They may look more at things like evaluations or
outcomes or some other terms that might be more synonymous with what they think
what quality’s meaning in terms of the industry right now. But terminology,
again a big, big issue.

The same thing in research. There are many people who use the term research
or many organizations and agencies, research is what they call their own
internal analysis, and I’ve heard that over and over again, and some of those
entities may never engage in what HIPAA calls or what the IRB statutes call
research that never has to be peer reviewed. But yet they use the term. They
may have a group of people that just does statistical work, and that is their
research people as they see it. So, again, no commonality in understanding and
therefore lots of confusion again.

There may be some overlap in those terms, but I think that most people may
see them similarly. If you talk about you’re doing analysis and that’s your
research, it may also have quality impact. So there’s no bright lines of
boundaries between these terms and how people understand them.

So I think a lot of the effort are just coming up with the barriers, and
people really feeling like they understand what is being talked about and what
is being asked of them when terminology shifts or when certain terms become
dominant in the conversation.

The only thing I have to say about the differences in the terms quality and
research has to really do with who’s it for, who benefits, and where it is,
that activity takes place. So research from the federal perspective really
speaks to something that’s not just for a single entity but has more
applicability for the industry, for consumers, for a wide range of
applicability within health or health care, whereas quality or non-research
efforts may have to do more with internal, although we are now moving quality
to be broader than that. So that will also add to the confusion about how
people split up research from quality. So understanding, I know, is a key
barrier that has to be factored into how do we communicate, how do we make sure
that people are involved and cooperative and correctly implementing along the
lines of what the industry’s anticipating.

Slide eight, obviously there are a variety of useful new data sources and
availability of data that’s out there already, new advances in health care
knowledge require the ability to look at care over time, progress in
controlling chronic conditions, effectiveness of various treatments. All that
requires looking at information beyond a single system or beyond a single point
in time, and that’s the area where I think health information exchange efforts
or electronic health records could help facilitate that.

Right now, those efforts take a lot of time and effort. You’re looking at
different databases that may not have much in the way of comparability of
coding terminology, definitions or anything else. And so kinds of efforts now
take a lot of work and certainly standards and ways to consolidate information
or create common rules for health information exchange would greatly improve
the ability to look at that information over time and across systems.

However, and that’s where we enter the next slide, page nine, while these
efforts to simplify access to and use of the health information for secondary
uses, it should not be overlooked that the data’s most reliable and easiest to
use after it has been cleaned, aggregated and stripped of key elements.

That’s where entities such as OSHPD and the State Department of Health work
have their value in being able to take the raw information and then create it,
strip it and put it together in such a way that is much more easily used by
people who are involved in statistical uses, analysis, research and all those
other efforts.

When you talk about having nationwide electronic health records and some
standardized exchange, there has to be a balance somewhere between being able
to share raw information and being able to pull out useable information. So
somehow those efforts have to make sure that there is an ability in there,
factor in the ability to have some process that takes care of the information
and puts it into a form that’s more easily useable for people who are actually
wanting to further investigate various avenues through use of that information.

And slide nine or slide ten, a lot of this has to do with work that I’ve
done more in the consulting term. Obviously, I came across some of it in
working with the State. But my experience in working with a wide variety of
public sector entities and the private sector as well has shown me that there’s
a lot of common issues that are creating problems for implementation on the
ground or for understanding or for people to be able to share with some kind of
comfort level even information for treatment purposes.

I just got back from doing some work in doing assessments for a substance
abuse agency, and I find this often true that in many areas where they often
have a variety of services and not just a single service, they actually go and
get authorizations to release every and anything. Substance abuse, of course,
has a little higher standard. But I have also seen this in other agencies that
are not so much subject to substance abuse confidentiality requirements, but
they just have patients and clients authorize every single exchange of the data
including for treatment, including for payment, including for pharmacy,
including for everything, and they are not required to by state law. But I
think it gives them a comfort factor that they are not somehow missing a
requirement to get the patient’s agreement before they send information. So
what is done instead of create less paper, I think it’s created more so that
people, because they don’t understand exactly, it’s too difficult to apply
exceptions, that people are just applying authorizations and consents as a

So one of the things I’ve found is that, of course, the legal, privacy,
confidentiality and reporting requirements are narrow and scattered, may
conflict and contradict and very few organizations have resources to do this
work. Very few people have the knowledge base to do that work adequately, and
very few statewide efforts are truly comprehensive in their scope.

Therefore, what happens is it comes down to each organization is trying to
figure this out for themselves, and that is a huge barrier because it takes
time, it takes somebody with a good understanding of the regulations and the
rules, and it’s really created a huge burden and has stopped a lot of people
from progressing. And that’s part of why I think some of the smaller entities
especially have not progressed in terms of their privacy or security aspects,
that it is just a show stopper right there. They don’t understand the laws that
they have to comply with to begin with, and then trying to add other things on
top of it, there’s just not enough publicly available information that tries to
pull that together or to use some of that work for them, and it’s a huge, huge

Even if they understand privacy and confidentiality requirements, they’re
often undefined or poorly defined and not specific. So if a law says this
information shall be considered confidential, blah, blah, blah, and that’s all
it says, how do they interpret that. What does it mean you actually do to make
that information confidential. And I found a lot of people in health
organizations often thing that if you call it confidential, somehow it is and
has difficulty being able to say what they actually did in terms of behaviors
to make that information confidential. So they need some more specifics, they
need more behavioral, you know, what is it that you do that creates
confidentiality, creates privacy. It is very, very, again too loose, and many
people, if you’re a health professional, health professionals do get
professional ethics training, but that can be different from profession to
profession. And many organizations hire people who are not health professionals
who then, I think, are assumed to have a similar knowledge base, and therefore
confidentiality is very variable within a single organization in terms of how
people view it.

So that again is another barrier, and leaves inconsistencies in approach and
whether the common thing of where you call and ask for information from one
person who may not release it to you, but you might ask another person, and
they might is another big issue.

Privacy and confidentiality are often assumed rather than assured which
means they just think that if you call it confidential, it’s good. Yet they
don’t actually engage often in active training or in follow up to make sure
that people are complying with practices or even have standard practices or
procedures for dealing with confidential information. And I guess I talked
about the last bullet already about health professionals adhere to professional
ethics and often lack knowledge of state laws and also fail to then communicate
those to people who are not health professionals.

I often use myself as a good/bad example because I came to work with the
State Department of Health without any health care background. But I went to
work with the hospital discharge data and was not told that the information was
confidential and what that meant. So it took me about six to eight months of
working there before I really figure it out, even though I was in charge of
handling that information and also disseminating it to some extent at that

So that’s a common situation, but it doesn’t facilitate our ability to
effectively share or engender trust in terms of the use of the information.

Slide eleven, to facilitate secondary uses, we need to balance strong
privacy protections while providing for access for legitimate uses. What’s
necessary is more bright lines and more clarity, privacy and in particular
confidentiality are such a muddled arena that without some really, really clear
guidance and procedures and policies or whatever, it’s going to remain that way
or some consolidation of the laws into a single aspect where people can
actually look at one thing and understand everything that has to apply.

So consolidate, synchronize and simplify confidentiality and privacy
requirements. Facilitate that with standardizing the definitions of
“confidentiality” and “privacy” and specify what actions or
behaviors are required to make it confidential or make it private.

Provide guidance and assistance to bridge the gap between the letter of the
law and operational practices to help implementation of good privacy
protections. So, again, the bright line. People need examples. They need
specifics, and they’re searching very strongly for these defining very clear
voices that are able to help them out.

So I appreciate your time, and I hope that this was helpful in understanding
at least what I’ve seen, again, primarily in the public sector, but I don’t
think it’s unusual in the private sector as well. And I just wanted to make you
aware of the things that I’ve seen over and over again, but I think are
something that these scripts could help address. Thank you very much.

MR. REYNOLDS: Okay, thank you. We’re going to invite Ed Sondik from NCHS to
join us at the table as we go through this, and you can make any comments as we
get questions and so on. And so with that, I’ll open it first with Paul with
any of our presenters.

DR. TANG: Well, thank you, all three presenters or four for the education
about what the public sector is doing with this data and how you handle data
requests. One comment on what Vickie said about the quality and research, and,
boy, have we sort of hit on that today.

But I certainly like the pragmatic approach that at least that was described
which is, well, just figure it’s more – be the stricter version in sort of
most of the things of research as long as it’s going anywhere outside the
organization, and that’s one operational way which could be something we

I want to ask one qualifying question and then pose a what if. So the
qualifying question is how quickly are data requests turned around by the
various public agencies at the state or agency or CMS federal level. Is there a
comment, is it like, is it reasonable, is it way too slow? What’s your sense?

MR. REYNOLDS: Is this to all three?

DR. TANG: To all three.

MR. REYNOLDS: I’m not trying to direct it where you – I just want,
because there are two people who are on the phone that can’t see you. I want to
make sure we’re clear.

DR. TANG: Yes, that’s right. Well, at the state level and the CDC level, how
quickly could you turn around external requests for data, and then if anybody
could talk to CMS, on behalf of CMS, that would be useful.

DR. CARLISLE: Well, perhaps, this is David Carlisle from OSHPD in
California, and maybe I can go first. There is a front end of data requests
which is the lag between the close of our reporting period and the time that
data can become available potentially for reporting. And in California now, we
have that down to less than 18 months for our various discharge data sets and
hope to have it even reduced further in the future via electronic data
submission. But there is a front end, and that is somewhat a source of
frustration historically, but I think it’s true probably of all the secondary
data sets.

Then in terms of receiving a request, our IRB meets on a monthly basis,
excuse me, two-month basis, and so in terms of getting an IRB reviewed, there’s
that period. And actual data preparation could add a few more, a couple more
months perhaps to actually getting data into the hands of researchers. So we
may have a period of about two years or so before somebody can actually access
data from the time that it is actually collected or the reporting period.

MS. HOHNER: This is Vickie Hohner, and I can speak from when I was working
in the State of Washington. It’s similar to OSHPD. It was variable. What we did
was try to, similar again on availability, is to have information available.
But on the end front, what we spent a lot of time upfront was trying to work
through what people needed. So we tried to nail that down first and make very
sure we were very clear about what the requester was looking for. So some of my
role was to speak to them and make sure we could provide what they were looking
for. Some requesters are very knowledgeable and can provide exactly what they
wanted, and others were not. And so a lot of that was just really nailing down
upfront what the request was for.

A lot of simple requests we could turn around pretty quickly, maybe within a
week or so if they were from data that was already available. Some of the more
complex analyses or research requests might take longer, but normally, well, I
should say, some of the data requests or research requests we got were to do
data linkage. Obviously, that took a long time. But a lot of them that were
just providing information were not usually not extensive. So once we had
solidified the data need, then all of the applicable agreements or research
criteria had been met.

A lot of times, the data turn around was fairly quick. I’d say most of the
time we could, they were probably within a week or two more complex perhaps
within a month unless it was something really extensive like a linkage project.

DR. TANG: So NCHS would be –

DR. SONDIK: Well, I think that what Vickie said is probably along those
lines. But you know, it raises the question of what’s data in what you said.
For example, I’m assuming you mean something that goes beyond the data that’s
already been designed for public use.

DR. TANG: Well, actually there’s this preparation time as Dr. Carlisle was
talking about. So they have a lag of 18 months built in on the front end. And
then there’s the processing of the request side for something that’s already

DR. SONDIK: But we spend a lot of time and effort producing public use data
sets. So a lot of the requests that we get are for people who need some
interpretation and help in guiding them to the public use data sets and so
forth. And then we get a range of things from people who want information that
they want derived from the data. That can be very fast. In other words, they
want analyses. That can be very fast, or it can take longer. And we have people
who use our research data center. That requires in almost every case the
preparation of a data set that they will use which is drawn from the
identifiable data. They then get an identifiable data set that’s a subset of
the main data set. And, depending on how busy our staff are, that could take
too long, okay, which would be on the order of perhaps months which would be
way too long, or it could be much more expeditious than that.

We have a staff that actually works in our research data center whose job it
is to produce those data sets. But sometimes it gets complicated, and it can be
longer than that. But I would just say our drive is to make the data as rapidly
available as possible and not to have what anybody would see as inordinate
delays in receiving it.

DR. TANG: So I guess my what if question was, because we’ve heard from the
public sector there’s really a fairly comprehensive and, I think, trusted
method of dealing with requests and understanding the uses and understanding,
the terms were up in all those slides minimal, minimum necessary. I take that
as a given, I happen to trust that. So

DR. SONDIK: Well, I don’t.


DR. TANG: So I guess my what if question was because we’ve heard from the
public sector that there’s really a fairly comprehensive and, I think, trusted
method of dealing with requests and understanding the uses and understanding
and the terms were up in all those slides, minimal and necessary. I mean, I
would take that as a granted. I happen to be one of those that trust that.

Then I ask, well, isn’t turn around one of the problems. So the what if is
if public trusted authorities, holders, stewards of data could be funded at a
level that could produce timely turn around, what’s the down side of that?
What’s the pro and con perhaps from the agency point of view and perhaps on the
consumer point of view because then you do have someone who can deal with take
the analysis, perform the analysis on the PHI, the identifiable data set and
render a reliable de-identified aggregate analysis. What’s the down side if it
were funded and staffed, or is that not possible?

DR. SONDIK: Well, I don’t see any other hands up, so I – for those of
you on the phone, I think you just need to jump in.

MR. REYNOLDS: You’ve got a definite home court advantage.

DR. SONDIK: That’s right. I don’t see any disadvantage. I mean, the issue
that there is a question of the art of making a data set as de-identified, to
use that term, as you can. And we have research going on in the Center now to
try to make it less of an art, particularly when people are actually requesting
tabular data. Larry Cox, who is one of our associate directors, is a major
expert in that.

But a lot of the data we’re asked for is not in that form. It really is some
abstract of records, and I think it’s really an art at this point. We’re not
talking to this point, but I think it’s really an important one. We really
don’t know how to take data and make it balance the amount of information
that’s in it against the probability that it would be able to be identified.

Now clearly, we aggregate it. We can all look at that and say we’re not
going to have any problem there. But it doesn’t take all that long to get down
to the not-so-mythical dentist with nine children in North Dakota, for example.
But I don’t see any down side to this other than leaving that there’s got to be
some time for the analysis, which in the end is probably going to be a judgment
call on the part of the stewards that this data set can be released.

The other thing is we also need to have an appropriate set of penalties. As
we have more and more of this information and it becomes more and more
available, we have all of these other allied data sets. We’ve got to have an
appropriate set of penalties, which I’m not prepared to speak to today as
whether what we have is appropriate or not. But it’s got to be tough to
dissuade people from playing with other people’s lives.

MR. CARLISLE: Yes, David Carlisle here again. We recognize that there are
costs to making the process more expedient. One very important cost, at least
as reported to us that we’re not able to really quantify but we do appreciate,
is the cost to the reporting facility. We could probably shorten our data end
phase if we were to increase our data reporting cycle in terms of their
frequency. Instead of having data reported semi-annually, it could be every
quarter, every month, every two weeks, something like that, and that would
greatly accelerate data availability. Plus there is a certain cost to the
reporting facility if we go that route.

Right now, we probably have achieved, I think, a bit of a happy equilibrium
at this point because we have shortened our reporting cycle. As I mentioned, we
do use electronic data reporting systems. But then we also have issues or
complexities that surround our data stewardship issue in terms of making data
available. As everyone else mentioned, we do negotiate and design custom data
sets before something would go to our human protection committee for
evaluation, and that’s a time period there. I’m not sure that we could
accelerate that process necessarily with more resources because it is a pretty
time intensive process. We may or may not have it queued, depending on volume.
It’s hard to anticipate as far as that’s concerned. But certainly data end is a
constraint for the reporting facilities, and they would certainly say, I am
sure, that if we wanted to make that period shorter, they would bear increased

MR. REYNOLDS: Simon, do you have a question?

DR. COHN: I have a question that maybe is a little off from what we’ve been
talking about today. I am, as you reminded, I may actually sound like Mary Jo
Deering for a minute or two without the higher voice, but I’m reminded at the
last session we had some conversation about are we talking about health care,
are we talking about health. I guess I would add to that are we also just
talking about the patient perception of health through the provider, which is
really what secondary data uses are all about. Or are there occasions or
circumstances in which we want to hear more directly from the actual patient
consumer about their experience.

Now as I think about this one, I’m actually glad Ed’s at the time because I
think Ed has probably more experience with the issue of survey, which is
actually a way of actually getting directly to a consumer than some of the
other methodologies we were providing. And so I’m trying to think in this
world, and I actually get a little confused because I don’t know whether it’s
primary or secondary or what we talk about when we talk about this one, but I’m
not sure where this fits into this vision.

Actually, I’m also curious from Les about as you move into this sort of
vision of the future of public health informatics about whether there’s any
place to hear directly from the person rather than the provider in all of this
stuff. And where is, I mean, where are we thinking about out there. And I guess
I’m also curious about the states, knowing obviously the states have these data
sets about whether there’s any perception around all of this. And I just want
to bring the issue up, and I’m sure Mary Jo would be much more eloquent around
all that. I think I’ve been hanging around Mary Jo too long. But Ed, do you
have a thought on this one?

DR. SONDIK: Well, you know, when I was responding to Paul’s question, I
really sort of lapsed into thinking that the survey data that we were
collecting is health data, is in effect primary health data. And I think I
mentioned this to you once before, I think, when I knew this session was coming
up. It’s that I really don’t know what secondary means. Actually, I think I
know what secondary means; it’s the primary that I probably have difficulty

I just don’t think that it’s easy – I don’t think this is very good
terminology, and it would really be helpful – I am being serious about it.
I really think it would be, I don’t know if it came up earlier in the day, but
I really think it would be helpful to have something that puts the uses sort of
at the same gut level, if you will, because secondary sounds like it’s just not
quite as important and sort of removed from the other which is the more patient

But I think that there’ll be, as we have more and more records, there’ll be
more and more opportunity for us to have information directly from the patient
and to talk, if you will, directly to the patient. So the survey data that we
collect is not collected as – well, it’s not collected as one would
normally think health data. It’s not health data, per se, and it’s not being
aimed directly at that individual to turn that back and to say this is what
your health state is.

But on occasion in NHANES, for example, we do receive data, and we use that
to refer patients to their physician because we see an issue. So in the sense
of the data that we get from surveys, that doesn’t go back, at least as it
stands now, to the individual once it’s processed. But the fact is that if you
go through NHANES, when you leave the NHANES mobile exam centers, you’re given
a print out that are your values on a variety of different measures that are
specifically yours. So that clearly is your — in that sense is your health

So I’m not sure that I’m directly answering your question. But I think that
survey data is really aimed primarily at what we would think of as the
secondary uses to give us pictures of populations. The variety of other health
data that we’re talking about needs some other things added to it to give us a
picture of, I think, an appropriate framing in secondary use.

So, for example, if you take just a fraction of hospital discharges, for
example, that’s not, you need to have some framework for that, whether it’s
something that happened on a particular day or whether there’s the demographics
associated with it in terms of catchmen(?) are as people used to call it, or
whatever it is. But you need something in order to interpret it in terms of
that secondary use.

Another difficulty I had was in quality versus research. I actually never
thought about that differentiation. I mean, I thought if you’re developing
information on quality, you use research methods, whatever they are, to do
that. But if it – it would seem to me you’d know whether something is
quality in terms of whether there was a particular standard that that
information met. That’s what you’re going to compare it against as quality.
Whereas, research is the more general investigation, so to speak.

MS. HOHNER: This is Vickie Hohner. Can I speak to that issue, too?

MR. REYNOLDS: Please do.

MS. HOHNER: I think, once again, we’re looking at perspectives and
terminology because secondary and primary to the consumer, if we’re going back
to the original question about consumer, would mean nothing. To a consumer,
they’re probably more concerned about the information that flows through their
physicians than through their care providers rather than something that might
be collected through a survey.

So research perspective sometime primary data is given some elevated status
over secondary because it comes from the source. But we also know that sources
can error. We also know that when you collect some surveys, one survey and how
those things are defined is very different from another survey to another to
another, whereas some secondary sources you may have more standardization if
it’s with the hospital discharge data. So there’s some sort of, I think,
perceptions and perceived notions and plusses and minuses about the various
types. If you’re going back to the original idea of the consumer, looking at it
from the consumer, they also participate in the surveys voluntarily whereas you
don’t voluntarily do that with your physician. So I think they would probably
have more concerns over the use of their information as it travels through the
health care system and then goes beyond their control rather than the other

MR. CARLISLE: If I may, Dave Carlisle here also. We know that the various
local entities, public health departments, hospitals collect the data, and they
use the data more for a population based methodology. But they may also be
looking for specific outlier situations where they may identify the potential
to intervene using secondary data sets.

We’re currently actually about to shift into kind of a new era by adding
some additional clinical to our administrative data set, and this might include
laboratory values, prescriptions, things that aren’t administratively collected
historically but actually represent true health parameters for an individual,
and we might, for instance, have abnormal labs that might identify people with
specific pathological conditions that might require subsequent intervention.

So I think we’re moving toward measuring health with our “secondary
data.” Of course, California has a number of, has several direct surveys
that are collected from individuals for our health care department. We have a
health insurance survey that can capture some health measures also from
specific individuals.

DR. SONDIK: If I could say one more thing, there’s also a kind of a cycle
here that I guess as we’ve seen in the past, but I could see that we could have
more of this, kind of a cycle, say, where you go from survey data which gives
you a picture of something and maybe gives you, I don’t know, a set of measures
from which you pick out a county, and then that data gets linked to
surveillance data which would then be used to try to identify perhaps
particular outliers or the like. And that, I think, really gets to, starts to
get at issues of the appropriate use of the information by whom.

But we, the point I want to make one point related to survey data, is that
we treat that as primary health data with all the confidentiality that that
would have as if it were in the medical records.

DR. LENERT: I don’t want to debate this, the issue of personal health
records and as electronic personal health records are created, especially by
independent vendors, there needs to be standards for how the data will be
combined over them by those people for secondary use, for advertising, for
other sorts of commercial services. It could just be governed by a complex
legal agreement between the person who is working with the vendor and the
vendor who’s providing the service. But I don’t believe that a consumer may be
able to make a fully informed choice on that.

Second, consumers may wish to allow their records to be used for medical
research from personal health record repositories and to have a checkbox or
something where they do that, and then that kind of secondary use may create
some interesting opportunities but would also need to be, have come with some
sort of regulations to protect the consumer in that setting.

MR. REYNOLDS: Okay, Mark, final question.

DR. ROTHSTEIN: I just wanted to comment in terms of definitions and that it
might help clarify the research problem if we focused on the fact that research
is a term of art, and it’s defined by federal regulation in both the Common
Rule and the privacy rule in a very specific way. And so that refers to human
subjects research or research on human subjects, as opposed to the more
descriptive term about manipulating information which may satisfy sort of the
intellectual definition of research. But if the information is, say, anonymous,
then it wouldn’t satisfy your definition.

So as we go through this, we might want to not just use the term research
when we’re talking about research on human subjects and use a more complete

DR. COHN: Yes, I was just going to mention since we’ve been having this
ongoing dialogue, I think, for all four days of hearings now on research versus
quality, I think some of us were wandering through some of the written
testimony, and one thing I’ll just sort of point out is Group Health of Pugent
Sound actually has a little set of boxes which I think we should at least look
at or things like that to see if it may be an approach that might be useful for
the quality versus research conversation and maybe actually have you think
about whether this begins to fit into, if it’s a useful way to help separate

Agenda Item: Committee Discussion

MR. REYNOLDS: Okay, with that, I’d like to thank this panel very much, very
interesting discussion, continues us on our journey and thank you. And with
that, we’ll move right into Committee discussion, and the floor is open, or if
there are no takers, maybe we’ll go around the room a little bit like we did
the last time.

Well, let’s just open it for comments because just remember this is part of
what we tried to do today is leave a little bit of time at the end of this to
discuss this because, as we move on to the next day and the next day and on our
journey, we want to make sure that we leave that appropriate time. So does
anybody want to start off the conversation.

MR. CARLISLE: Okay, Dave Carlisle here. I just want to say thank you very
much for allowing us to participate.

MR. REYNOLDS: Okay, thank you so very much. We appreciate it.


MR. REYNOLDS: And thank you, Vickie.

MS. HOHNER: Thank you. It was wonderful.

MR. REYNOLDS: Jeff, you have a question.

MR. BLAIR: I thought the purpose of this Ad Hoc Task Force began with
protected health information. Can you hear me? Okay. I thought that the
definitions had been set forth with the primary use of protected health data
for patient care. If it’s a patient care, that’s the primary use of protected
health information. Secondary use of protected health information could be for
any of the other purposes we’re examining, whether it’s research or
reimbursement for public health purposes or whatever. But if you don’t have the
word use, primary use, secondary use as related to protected health
information, then I think you lose the anchor. And I thought that was what was
happening this last hour.

MR. REYNOLDS: Well, it’s actually been a significant part of the discussions
since we started the Committee because I think, yes, we started out with a
structure. And I think as we have heard more and more definitions and then you
overlay the HIPAA’s and you overlay the covered entities and you overlay who’d
doing quality and where does quality fit and what does it mean, what we’re
finding is that, that I think Ed said it well and this is his first time with
us, primary denotes one thing; secondary denotes another, and that’s blurring
in some cases as we’re going through this.

So part of our deliberation is to make sure that we recognize that that was
one of the premises that we thought about going in, but not completely tie
ourselves to that especially, and one of the reasons we have such diverse
panels and are really doing this on a fast track of significant different
opinions is to make sure that we understand the spectrum. We can always go back
to that. We can always use that as the anchor.

MR. BLAIR: What I thought I was hearing was that the reason it was blurring
is because the word primary was out there without the rest of the two key
elements, that it was primary use of protected health information or secondary
use of protected health information. But, you know, maybe there’s other

MR. REYNOLDS: Other comments. While I’m waiting for anybody else, if they
want to jump in, I think definitions still continues. I think we are finding
that no matter who testifies and each of them are experts in what they’re
doing, the words that are put out on the same subject, the same information,
you know, whether – so, for example, today again and Justine and I were
making a little list. So, you had masked and you had de-identified which
sometimes was called confidential, or maybe it wasn’t called confidential.

And so it appears to me continually as we go through this, if there’s not a
good clear set of some kind of definitions that we can use that are not only
that match everything that’s out there but also help the general public as we
consider whatever we’re going to set up some kind of trust model, if we don’t
get to some kind of reasonable set of rhetoric so that everybody that looks at
it doesn’t look at it their own way and say it their own way, which then adds
to the confusion, it’s a topic that I know that I’m trying to put because you
want to make sure you’re hearing the words using some kind of a structure, and
they get harder and harder as everybody kind of comes in with their own way of
saying it.

For example, scrub de-identified is not a good or bad term, but it’s an
interesting term. De-identified has a clear definition under HIPAA, and it’s
about as scrubbed as you’re going to get it. And if you scrub it further, what
does that mean. That’s just an example, not to point one out as good, bad or
indifferent. But just to point out. Justine, you want to make a comment.

MS. CARR: Well, I just have been making notes on themes. I think when we
started out today, John Lumpkin’s comments about cost and, well, about the
common good and the importance of data availability, aggregation, integration,
and that’s a theme that we heard also in terms of public health is the societal
primary use.

And I think that just as we’re getting into what’s primary and what’s
secondary, I think that that’s a theme that continues to come through over and
over again. There’s a concern that primary and secondary implies a value
judgment, and a question about the common good as a legitimate primary use
whether research, public health and quality.

The other, I think we continue to hear confusion about HIPAA versus IRB,
what applies, and we heard that the default that is easiest is to just say no,
and that this has had a chilling effect on work that could be done. So the
other theme that came through again is the overlap of research operations and

I think we’re hearing a couple of interesting parsing of the data about do
we call it internal versus external, I think Paul said, or differentiating
research on human subjects versus other research. Anyway, those are just some
of the themes.

MR. REYNOLDS: Paul, Bill and Simon.

DR. TANG: I think some of the themes are really carryovers from the previous
days of testimony. And one of the things that I feel there’s a lot of trusted
acceptable and accepted uses of health data. When they explain it to you, it
stills sounds acceptable and accepted. In public surveys, it sounds acceptable
and accepted, and those are public health, clinical research, surveillance.
There’s just some very quick, and it almost seems like we shouldn’t keep
raising something that is already okay and making it most costly which was
Wendy’s point, so that’s point one.

The other theme that happened both the previous hearings and this one is the
central issue is when you repurpose data for sale without transparency with the
patient and sometimes even the source of the data, that just doesn’t arise in
any kind of acceptable or accepted level on any surveys, and maybe we need to
really focus on that.

The other thing that’s sort of clear and this most recent panel, I thought,
brought that out, all of the policies, procedures, the way they think about
data in the public sector seemed very not only acceptable, accepted, but robust
to my way of thinking. So, again, we know sort of how to properly handle data,
how to properly be a steward, and we even have agencies that could do it. Now
whether they can do it and all that kind of stuff, that was my what if

So less of a question in my mind is, are there ways to handle confidential
health data appropriately to serve the public and individual goods? I think the
answer is yes, and I think we need to delve into how, and one of the early
– the software vendor said, you know, I don’t really know whether we’re
doing it right or not, is what he said, but I’d really love to have rules. If
you could actually hand me rules, maybe we can find a way to do it in a more
acceptable and accepted way.

So I guess the – and I’m just sort of digesting and summarizing and
then also if anybody wants to challenge it. It seems like we know where we have
to focus both on behalf of the public and even the people who are handling
data. How can we make clear the conscience and do an appropriate in all
regards. That’s where I’m left to hearing testimony.

DR. W. SCANLON: I’m actually very much in agreement with Paul. It seems to
me that there are uses that are for the public good, and things that are
distinct from uses that in some respects are proprietary in use, and you could
take the same data and you could do “research” on it, and you could
keep the results confidential for whatever your enterprise is and take
advantage of them. And those, if it’s going to be identified data or I would
ultimately create a category of identifiable data that there should be a higher
standard for use for proprietary purposes.

The idea of sort of identifiable data is, and this came up when the
Population Subcommittee was talking about linking data sites, and there was
this issue that as hard as you work to make something anonymous, there’s the
potential that we find the dentist in North Dakota with the nine children and,
lo and behold, we’ve identified somebody.

And there’s actually times when you need the level of detail that would
allow you to identify that dentist or somebody. You know, one of the
discussions in the Population Subcommittee was that there’s a real loss of
information in terms of trying to make things anonymous, particularly from a
health services research perspective where the environment in terms of the
market place that people are operating in matters. And so, therefore,
eliminating things like all sort of identifying information for any place that
has low density populations, I mean, that’s a real loss. If you’re only going
to be told that people are from the western region, that’s not very informative
in terms of what kinds of situations that they may take. So the purpose of the
activity, I think, is critical in terms of saying what’s the threshold that we
should have in terms of an acceptable use.

The other issue that relates to the idea that we potentially can identify
something or someone and their information is I think there’s an interaction
here which we haven’t talked about much between sort of privacy and security
and risk, and the fact that the attention devoted to security changes the
nature of the risk or the extent of the risk and, therefore, we might think
about this in terms of what’s acceptable from a privacy perspective and a
confidentiality perspective as different if we specify simultaneously what the
security requirements are going to be for information because that will
influence sort of the ultimate sort of risk.

And I think that Paul’s trusted agency we were talking about earlier today,
this issue of sort of turning data over for a purpose versus turning data over
for future unlimited use are very different kinds of things. And I think that
when you can identify sort of acceptable purposes and that’s going to be
approved, that’s very different. And that’s actually the way the data centers
are, that you have to have an accepted purpose before you can access the
information that is potentially going to be confidential. Thank you.

MR. REYNOLDS: Did you want to comment?

DR. SONDIK: I was just about to say something actually very similar to what
you said right at the end. It strikes me that we talked about confidentiality.
But when we do an agreement with people who are going to give us data, there’s
two aspects to it. One is that we pledge the confidentiality. But the other is
we also tell the person as to how the data will be used. We give a set of
purposes, and we say, we pledge that the data will not be used for other

So I think we have to, it seems to me, in other words if you have both
pieces of it and it gets back to secondary uses as to what the scope of those
secondary uses actually is.

MR. REYNOLDS: We have Simon, Marjorie, Steve, Jeff and Mark.

DR. COHN: I think we’re making progress, and I actually like a lot of what I
heard Paul say as well as Bill, I do want to annotate and sort of comment.

Number one is Paul, it was interesting that you didn’t mention quality as
you talked about public health and research, and I think I would add quality
and probably operations into all of that just in terms of, I think, and in
reality I think that it’s from a public policy perspective. Anything that we
can do to help support quality improvement, I mean, it’s a very clear societal
good, and I think we all have to sort of recognize that.

I do like Paul’s sort of, I mean, there’s somehow and we need probably to
get a little clearer about it, this issue of sort of repurposing and sort of
like how does, you know, whether that’s just part of disclosure of fair
information practices, is he actually doing that, or as others would describe,
centered, I mean, exactly how that plays, but clearly it needs to be handled
not just surreptitiously, and I think that’s the issue that we’re all concerned
about and we’re all actually talking about.

And I do think that we are beginning to sort of more closely differ between
quality and research which is useful. I also think that – we seem to begin
to see the difference in quality and research? Yes, I mean I present that graph
that I pointed out earlier, but it may or may not be right or wrong. But we
begin to help, and these are sort of guidance’s that would be helpful to
everybody if there were ways that we could begin to suggest that they think
about it in a uniform fashion.

Now as Bill was talking about security, I’m actually was reminded that we
were talking about approaches, tools, techniques to minimize identified risk,
and you’re actually beginning to jump into some of that. I would add on top of
these, though I’m not sure I think about it as security, we still haven’t heard
a whole lot about the risks of re-identification. And whereas on the one hand I
worry a lot less about a really streamlined single encounter HIPAA data set,
de-identified data set that doesn’t much of anything in it, I do begin to
wonder as you begin to create case files that have 18 different counters all
linked together that it could be completely HIPAA de-identified. But once you
get sort of that bulk of information together which is really what sometimes
people need, I think, although it may be my ignorance of HIPAA. I’d want to
hear from the security experts about the risks of re-identification which may
cause us to think about some of these sort of repurposing of data areas maybe a
little differently. But I’ll hold my comments until hopefully we can get a
little more from some of those people.

MR. REYNOLDS: Marjorie.

MS. GREENBERG: very, very interesting day, and thanks to those who put
together the agenda and great mix of speakers and very thought provoking. What
has just been said by the last three speakers resonates with me considerably.
But I want to go back first to this whole issue of primary versus secondary, et
cetera, and trying to think outside of the box or just, you know, how to frame
this. And we’ve heard from every, you know, if secondary is sort of in the eyes
of the beholder, and we heard about childhood cancer treatments where there
were probably, you know, two equally maybe important purposes going on, and it
all depends on if you’re the parents of the child, the most important purpose
is the child’s health, of course. And as a health care provider, you do, as
John said, you not only do no harm, but do what’s best for the patient.

But the whole reason it’s getting all this public funding of this type of
research is to try, is really more population based, is more to improve health
in a population sense. So, again, it’s kind of in the eyes of the beholder as
to what’s primary, what’s secondary.

And I think that it’s not always just one or the other. Often, there are
mixed reasons of why information is collected, even down to the data elements.
And I think I’ve raised this before. But I mean, you may not be collecting the
person’s race and ethnicity, certainly not totally for that person’s benefit,
but maybe if there’s certain genetic or other conditions that are associated
with a particular race, ethnicity or country of origins, and then you may need
it just for that purpose. But it’s more for a population purpose. And yet it’s
part of what you’re collecting as the intake or as in the patient care context.

So instead of calling it secondary or primary or what have you, it seems to
me that at least we should go back to various basics as to why are the data
being collected, and it may be single purpose, but it may be multi purpose, and
why is the person providing the data. And there, we get to the education

I mean, I know and I’ve heard very responsible people report to this
Committee, not this work group, but it more the Privacy Subcommittee kind of
lamenting the fact that they are having to give the patient more information
than they used, and of course their goals, the purposes they have are not
nefarious by any means. But the more people understand maybe how their data are
going to be used, the less likely they might be to provide it.

And yet I think, you know, from the point of view of, as someone raised,
what is really consent, people do need to know how their data are being used,
not down to every analysis that’s going to be done, but it needs to be done in
a context. And just getting a piece of paper or five pieces of paper that tells
you all these ways that either scare you off or you just don’t read them.

But I think that if we’re going to do definitions, we need to get back to
why data are collected and then why people are providing the data, or what
people need to understand about why they’re providing the data. And then
certain uses really are not the purpose that the data was collected for or
within the persons’ consciousness that they’re providing the data, but may be
acceptable uses if consent is obtained or another approach. Maybe that starts
being secondary, then, I don’t know. But I’m just suggesting that we instead of
using those, throwing those terms around, we think about those two issues.

The one place, a few places I would differ with Paul just in his
conceptualization is that I don’t really think it’s simply proprietary versus
non-proprietary. There are uses that aren’t really proprietary, but and maybe
it just gets back to what I was just saying, but the person didn’t think their
data was going to be used that way, and they feel a certain invasion.

I know somebody who is very highly respected person in the health policy
field. This is not an ingénue. But when this person had a type of cancer
and then got something in the mail that basically was a spin off of the data
having been provided to a cancer registry, this person felt violated. I mean,
intellectually the person understood all these purposes and very knowledgeable
about it, but it was a sense of violation. I mean, it didn’t go to court or
whatever, but we don’t want people to feel violated as part of the health care
process. That’s not positive. But what she got in the mail was not a
proprietary thing. It was maybe even offering some counseling or something like
that, but from a public agency, you know. It’s not just the proprietary versus
not proprietary. It’s what people’s expectations are.

And then I think there’s so, this gets back to public education which I
talked about this morning. Then there’s the issue of stewardship which you
mentioned, and I’m very curious as to what’s happening with that HRQ RFI on
stewardship, but I think it’s a critical thing we have to factor in.

And I would also say one size doesn’t fit all. But I think at the end of the
day, and you were starting to raise that, Paul, you’ve got to recognize that to
do this right does take resources. For NCHS to really be responsive in the data
center, and this is in the letter or whatever, it really does take resources.
You cannot do this right on the cheap. And I think that’s something that people
often don’t recognize also.

DR. TANG: But actually just from the point of framing things, I loved John
Lumpkin’s slide on basic principles of biomedical ethics. I thought that was
with four very good points that we should think about when we discuss other
uses of health care data and using that as a framing thing. And as for respect
for autonomy, beneficence, non-malfeasance and justice.

Have we respected the patient, autonomy, what good did we do with it, are we
using it for good things, and is there any penalties, et cetera, involved with
it. I thought those were four very good framing points in this discussion.

And Vickie Hohner’s slide on to facilitate secondary uses, balance strong
privacy protections while providing for access for legitimate use, consolidate,
synchronize and simplify confidentiality and privacy requirements, standardize
definitions of confidentiality and privacy, and specify what actions of
behavior are required and provide guidance and assistance to bridge the gap
between the letter of the law and operational practices to help implementation
of good privacy practices.

I thought between the two of them, they found, one formed some nice
principles of operation, and the other formed some nice principles of behavior
and thought. And I thought we could frame a lot of the discussions between
those two points.

Like everyone else, I heard a lot of the themes that came forth from the
last set of hearings about the word secondary use is bad, you know, there’s a
continuum. Unlike Simon, and that’s why I asked the question to ask what you
said, I’m still not sure I heard a very clear definition between quality and
research. I have looked at the Pugent Sound definitions earlier in the day and
felt it was good for people who like boxes and like to put things in boxes,
yes, it was very nice. But I didn’t know if it actually clarified it.

I like what Marjorie said a few minutes ago about really what to do is to
look for what the data is being used for and start thinking about it that way.
And if it’s being used for quality purposes, whether that quality bin comes
under the domain of TPO and operations or whether it comes under the domain of
research, you know, I still think it’s quality and that we’re using it for
something that’s good. And I think one of the comments that we probably want to
focus on is this issue of operations and, you know, both the vastness of that
definition and sometimes the confining nature of that definition and how it
conflicts with the way people think about what research is and how they blur.
And I think we do need to have some discussion about that. I still haven’t
heard much clarity there.

Those were the main points that I synthesized in just this last few minutes.
I’m sure we’ll come up with many others.

MR. REYNOLDS: Jeffrey.

MR. BLAIR: Some of the things I hear is I’ll hear one person talk about the
fact that we’re concerned about the trust of patients and whether they feel
violated or not. And to me, when you talk about that, you’re talking about
protected health information. Because if you’re not talking about protected
health information, we’re not concerned about trust, we’re not concerned about
privacy, we’re not concerned about people being upset.

And so I wind up saying that makes sense. But then I’ll hear someone right
after that refer to secondary use of health data, and they may even mean the
same thing. They may be saying in their mind when they say health data that
it’s protected health information. But a third person, when they hear health
data, they think of surveys which is not protected health information and has a
completely different scope and context and usage.

So that is why – pardon, okay. That is why I think – oh, I’m
sorry, he’s got the phone, okay. That is why I believe that we start to get on
solid ground when we talk about primary use of protected health information and
then anything else is secondary use of that if the primary use is patient care.
That, at least for me, that gives me a construct where things can fall into
place, and I can begin to wind up sorting things out. If protected health
information, if that phrase changes to health data, I’m lost. Or if the word
primary or secondary refers to primary data or health or secondary data, I’m

So, it’s just the way I’m able to sort things out.


DR. ROTHSTEIN: In the HIPAA privacy rule, the world is split into TPO and
non-TPO, and there are different rules for each. We have heard people question
those definitions that are in the HIPAA world, maybe health care organizations
or research or public health or whatever. My impression is, and I know John
will speak shortly, is that we’re not being asked to rethink the HIPAA world
and the way the world is broken down in the privacy world. We’re being asked to
think about the NHIN world where information is going to be available in a
different manner. It’s going to be, as we all know, increasing drastically in
volume, in scope, it’s going to be comprehensive, longitudinal, interoperable.
And so the question, I think, that we would be remiss if we didn’t address or
the series of questions, how is the world going to change. What new
opportunities are there going to be for the linking of data for non-clinical
purposes, if you will. What are the threats to privacy and confidentiality and
security raised by this new type of accumulation. What does the public need to
know, what do health care providers need to know, what do all these other
entities who are going to be involved in this, how can we set guidelines and
rules so they have a clear understanding of what they’re expected to do and
when they need to some sort of permission and so forth.

So I think those are the unique challenges that we’re being asked to
confront. And I think we need to make sure that that’s on our to-do list.


DR. LOONSK: With acknowledging Simon’s point, I think there’s been a lot of
really helpful testimony, and that this is – progress is being made. I’m
still in a very unsettled place, and I’m in an unsettled place because I see
both, I see professionals who don’t agree over definitions and who describe
things in many different ways and just keeping thinking about how the public
can navigate this when the professionals don’t.

I see people talking about definitions, and, you know, it’s absolutely fair
that some of these definitions are very fuzzy. And when you try to nail them
down, they just get squirmy, and you don’t find them very useful any more. But
it’s hard to talk about these things without having more specific definitions.
And I feel like we’re going to have a little bit of an unsettled time with this
until some of the things are better defined.

It’s an odd place. We have what has already been defined; we have what HIPAA
defined from a terminology standpoint and what it represents, and then we have
what needs to be defined to move forward to be specific in the world that Mark
alludes to, and the possibilities for what that can and needs to be.

I think we haven’t really grappled with commercialism completely. We’re
still arguing about it. We sort of know what it is when we see it, but I don’t
think we could put that – Paul made a suggestion for that. I think that
where there are in the country we live in, where there are commercial ventures
that are doing public good, that’s a complicated application and difficult
thing to sort out.

The concept of repurposing and use is still difficult from a definition
standpoint. Clearly, one way you can look at secondary data is to look at data
for being used for that which it was not originally recorded. That would put
primary data as being the surveys that Ed talked about where the person being
surveyed definitely knows for which their data is intended. But I’m not sure
we’re agreeing on all that, and I’m by no means suggesting that secondary use
is a good term to go forward with.

I think we’ve had adequate testimony about pejorative assumptions as
associated with secondary in this context. That doesn’t mean that we don’t have
to get to a delineation though. And I’m not sure that it’s two levels, frankly.
You know, it might be three.

So I’m going to stay unsettled, I think, until we have gotten to some
definitions that we can build from instead of deconstruct, and I just don’t
think we’re quite there yet.

MR. REYNOLDS: Simon, you had another comment.

DR. COHN: Yes, actually it was well said for John, comments. John, I think
first of all obviously I would be if we had all the answers, we’d be done with
the hearings, and we’d have our paper written. I absolutely agree with you
about the tensions and the uncertainties.

Now I’m not going to address them. I actually just am and at the end as we
wrap up, we’ll talk about tomorrow and the next day. I did, however, just want
to make two comments about somebody I had forgotten to mention earlier. So it’s
very limited.

One is just sort of a big reminder about, I think we heard over and over
again and many commented about this, about the important role public education,
provider education, user education, or whatever is going to play in whatever we
do because a large part of what’s going on right now just has to do with the
fact that people don’t understand, they haven’t figured out even what’s going
on now. So that’s a piece that we need not to forget.

The other piece, and I think it’s a general thing that keeps coming back to
what I’m saying, the other piece I just want to hold a placeholder on this one
because I had forgotten to mention it before. I just came away, obviously we’re
trying to delve into quality, and I recognize that that’s something we
absolutely have to do and get done in the world of the NHIN.

We’ve heard a lot about research, but I just want to continue to refine our
terminology a little bit because I think we hear a lot about federally funded
and supported research upon which there is what feels to me like a very robust
set of protections around. I’m holding my judgment on non-federally funded
research, and that may be an area where we really actually need to say some
things about because it seems to me that there’s sort of this, that’s like a
gray area there even though we continually talk about research, and I just want
to hold that as a placeholder for further conversation. John, did you have a
comment you want to come back to me on?

DR. LOONSK: Yes, thank you, Simon. I just wanted to add to your comment
about public education, public consumability is an equally important part of
this, and that has – and I’m not sure that what has been done before has
met that bar. So that was the comment.

MR. REYNOLDS: Mary Jo and then Kevin.

MS. DEERING: I guess it is good timing because, as you’d expect, I’ll pick
up on the communication. Can you hear me better now. Okay, I will pick up on
the communication issue.

And one small thing, it seemed to me, that again words do count, and I don’t
know whether our client would permit us to change our own name, but I would
suggest that, at a minimum, substituting a single word in our title already
helps a lot. Instead of being the work group for secondary uses of health data,
it would be optimizing health data. So just get rid of it.

But then specifically to the issue first of definitions, I sense that the
work group will strive very hard to work toward definitions and to present
them. And, again, purely from a communications point of view, what occurs to me
that what would be helpful when we do that is not just to lay out our new
glossary and definitions, but make a sort of, it could be characterized either
way, present and future, legal, non-legal, whatever it is, not just a single
sort of data point for the definition when you have a word so that anybody
reading it recognizes that there was maybe an original construct for it and we
are in a course of evolutionary trend or we’re now planting our stake in the
ground and using it differently.

So, again, I just recommend that we always present it that way.

And then finally getting to this issue of both the public education
information and the professional, I think this was part of my wrap up comments
the last time, and I’ll say it again. In my 20 years, the federal government
has never devoted adequate resources to that effort, and I don’t believe they
will, nor do I believe they have the expertise to do it.

And so harking back to our original 2001 NHII Report where we issued
recommendations to others outside of the Secretary, and we had recommendations
to other stakeholders, Margaret and I were canoodling a little bit earlier that
maybe this is one that we secretly target to John Lumpkin and Robert Wood
Johnson Foundation or something like that. But be that as it may, I think that
we need to recognize that the federal government should not be the definitive
source of all that public education, both either to consumers or professionals.
They’re just never going to do it, or they won’t do it right, and they
certainly won’t sustain it.

So I think that it’s really not a helpful proposition for us to just say and
the Secretary should.


DR. VIGILANTE: With regard to the taxonomy issue and I don’t specifically
have a problem with the term secondary data. What we call it is personally I
don’t really – I’m not concerned with that much. But as long as we have
the same understanding of what it is we’re talking now, whatever label we give

But I do think it matters. You know, actually I think secondary is not
inappropriate because it’s relative to – it’s about intentionality, the
intentionality of the individual whose autonomy we’ll respect. So you have two
people go to the emergency department with fever and productive cough. And
their intention is to go get care, to be made, to take care of their fever,
take care of their cough and go home. And yield up information based on that

And the data that’s collected at that time is primary data that would not
have otherwise been collected unless they sought help. And it is their
expectation that that data is going to be used for those purposes.

If it’s going to be used for other purposes, then that is the secondary use
of that data which was collected for the primary purpose of patient care, and
there are very legitimate uses. In one case, the person may just have
Pneumococcal pneumonia and get hospitalized and get antibiotics and go home and
be fine. The other person may have TB, and that person will be hospitalized.
But because their smear comes back positive, that will be reported to public
health. And there will be some secondary use of that data from a public health
perspective which is secondary to the primary intent of that patient which was
to seek care.

The reason they came was not to serve the public health need. The reason
they came was to seek care. We as a society would like to use that for other
purposes. If that data is then used from a quality perspective to look back and
see which patients got antibiotics within four hours or six hours or eight,
whatever it is these days, well, then that’s a secondary use of that primary
that was collected for that primary intent.

So I think the intentionality of the person whose information it is and
their understanding of it is paramount. And then it’s their understanding of
the intentions of the person to whom they’re giving the data. I’m giving it to
you to take care of me, okay. If it’s a survey of NHANES, I’m giving this to
you for survey purposes in which the primary purpose now is research and survey
data, which may be public health.

So I do think sorting it on that basis does seem appropriate to me.

MR. REYNOLDS: Any other comments? That’s why we left time today.

MS. CARR: I just want to respond to Kevin. I understand what you’re saying,
that it clarifies, but it doesn’t operationalize what we do. So knowing that
something is secondary doesn’t then dictate a path of –

DR. VIGILANTE: No, I agree with you. But if it weren’t for the issue of the
perception of the patient, the understanding of why they’re giving it, we would
not be here talking about it. In other words, it wouldn’t be a sensitive issue
if the individual yielding up the data completely understood and agreed with
the fact that I’m going to give it for primary purposes, but it’s also going to
be used for public health, and it’s going to be used for research, and it’s
going to be sold to all these different companies.

If I understand that and I go with that understanding from day one that it’s
going to be used in secondary manners, we would not – and nobody had a
problem with that, we wouldn’t be here talking about it. It would be a

It’s that secondary use that makes it worthy of this discussion that we’re
having. And, depending on how it’s used, the intentionality of the users,
whether it’s really for public health purposes with a community benefit,
whether it’s to publish a paper so they can get tenure, or whether it’s to sell
so they can make a profit, I think, would matter to the individual because it
gets into this issue of agency. Is this person’s interest aligned with my
interest when I’ve given my information or not.


DR. STEINDEL: Yes, I think Justine picked up a little bit of what I was
thinking of when you were saying that. Let me just be a little bit
argumentative on it. On those two patients that went into the emergency room,
you have a lot of emergency room docs, and I’m sure all of them realize this
never happens.

Let’s say one of those people was homeless and it happens to be raining and
cold outside, and the reason they came in is because they wanted a warm place
to stay. You know, what is the secondary use of their data in that case.

DR. VIGILANTE: Well, the point is they didn’t come in to do a sociological
study. They came in to be taken care of.

DR. STEINDEL: No, they came in to find a warm place to stay.

DR. VIGILANTE: That’s right. That’s exactly – taken care of means a
place to sleep and food to eat, and that’s exactly appropriate.

MS. CARR: But the other thing, though, we heard today is – I mean, this
would fit into a grid. It looks great. But as we’ve heard with the Kaiser
discussion when they were doing their surveillance and they noticed that there
was an association of Vioxx and adverse outcome and that was part of their
operations and so on, and then they had a discussion with other people, and
then they involved the larger group, and then that data went on.

You can’t – what would you tell the patient when they came in and got
Vioxx. You might –- all these things might happen.

DR. VIGILANTE: No, no, no. All I’m saying is –

MS. CARR: It might end up being research.

DR. VIGILANTE: All I’m saying is that collecting that information and
learning something about Vioxx is a very, very good thing. The research that’s
being done is very good, and the public health information is very good. All
I’m saying is that when the patient first came into the ER with their MI on
Vioxx, they didn’t come there for the purpose of gathering, they came with the
intention to be taken care of. And that’s the primary – that’s why I’m
saying that’s where the fault line is here between distinction between primary
and secondary.

And I’m not saying it’s a bad thing. I’m just saying it’s a distinction
worth having because it’s their understanding of how data’s going to be used
that makes this a sensitive subject that brings us to the table.

MR. REYNOLDS: Mary Jo, and then that’s it.

MS. DEERING: Well, again, I’d like to put us forward into the new world.
This doesn’t exist it, granted. And I’d also like to put us forward in the
world when perhaps someone, we know not who, has accomplished some of this
public education that we’ve talked about. And I would assume that, by
definition, if successful, that public education would have left in the mind of
the consumer and citizen from the get-go that there are multiple uses of their
data. That would be a successful outcome of the communication effort in my

Secondly and entirely different, I would simply like to put out the concept
of meta secondary uses if we are going to keep it at all, meaning that –
and meta data sources, and I keep coming back to this image of the fact that,
gee whiz, and I know I’ve already mentioned once today and getting back to Lynn
Etheridge’s, is FDA going to have a million person database there from all
these people? Is that database going to exist and be available and have been
created according to all these strictures that the government will have imposed
upon it? And if so, is that something or that concept worth focusing on as a
means of accomplishing some of these meta secondary purposes.

Since you’ve already got, let’s just use that one for those purposes and
stop putting the burden on the individual Mrs. Jones walking into the emergency
room to accomplish some of the other purposes.

MR. REYNOLDS: Concluding comment from one of our guests. Because obviously
remember every day we’re going to have some discussion, and if we’re start
returning to a debate, we’re not establishing everything.

MS. PATTERSON: So I think this has been a fascinating discussion. I’m sorry,
Wendy Patterson from the National Cancer Institute and Cancer Biomedical
Informatics Grid.

So this has been a fascinating discussion. And being trained as a lawyer, of
course, I find definitions to be very important. That said, in this context I
think while there are legitimate reasons for differentiating between some of
these uses and why the patient is seen and ultimate reuse of the data, I wonder
if, although that’s an important issue, we should think about in some cases so
what, because depending on what the need for reusing that data is will
determine the level of protection, whether consent is required before that any
subsequent use can be made of that data, or whether in some cases no disclosure
or consent is required if it’s a public health purpose.

If it’s in reference to a patient has Tuberulosis, if it’s in the context of
a clinical trial and there’s an adverse event or some other situation that you
referred to in terms of Vioxx, I’m not particulating this at all. But I would
just urge the group to think about even if you do distinguish between different
kinds of uses, and there may be very legitimate reasons beyond the work of this
group, to just think about, even if you have those distinctions, what are the
consequences and how do you essentially build into safeguards to protect
patients and public for those eventual reuses of data.

MR. REYNOLDS: So to close it out for today, we had great testimony. The
other thing is, as we consider structure and final explanation of what this is,
the more we can hold our value judgments on anybody protecting that something
may be secondary, I think, will be very important because we’re liable to hear
a whole different set of perspectives tomorrow. which are going to take us to
new and different places than we were last week and where we were this morning,
but continuing to think about the structure of discussing it and being able to
explain it to whomever may help with that. So thank you.

DR. COHN: You don’t get to close. You know, I think we’ve actually had a
very good conversation. This is not the end of this conversation, and I did
sort of like Wendy’s so what comment. So we probably just need to keep that.

And the so what in all of this, of course, is what best tells the story. I
mean, what makes it all understandable. So that may be the so what, but we’ll
need to figure that one out.

Now to get real here for a minute, I want to remind everybody it’s eight
thirty tomorrow morning that we start again. It’s not nine o’clock. So for
those of us in California who like working the end of an overnight department

Now tomorrow is going to be a little different in the sense that I think
we’re ready to start the conversation. So what’s going to happen tomorrow is
that we hold hearings in the morning. By mid-afternoon, we’re going to be
talking, and the good news is that Margaret has begun to put together some
framing pieces. I mean, be aware that there are other decisions we have to make
other than how to describe primary versus secondary, or what sort of framing we
use. We really actually need to be talking about the framework for
recommendations, where there are holes, what we need to think about them, and I
think actually Margaret may even have some taxonomy and definitional pieces
that may help us through some of these issues. So I think that may be very
useful. I mean, it’s very timely. I think we’re ready for that conversation.

Now we’re going to go through the afternoon and conversations around all of
this. I think hopefully Margaret’s information helping through some of all of
this. Friday morning, we again start at eight thirty. This is just all
discussion on our part. We are not having any testimony Friday morning.

Now for those of you making plans to travel, I do want to tell you that my
intent is that we will finish no later than eleven o’clock. So we have a twelve
o’clock publish time; we will finish by eleven o’clock. And once again,
hopefully by that Friday morning we’ll be talking about the agenda for the
August final set of hearings and conversations. We’ll be continuing on our
conversation about some of these framing pieces.

Now with that, we are, at least according to our clock on the wall here, it
is now five thirty Washington time, so we will adjourn until eight thirty
tomorrow morning.

(Whereupon, the meeting adjourned at 5:30 p.m., to reconvene tomorrow