Transcript of the August 16, 2005 Subcommittee on Privacy and Confidentiality Hearing

[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

Hearing on Privacy and Health Information Technology

August 16, 2005

Hotel Monaco
501 Geary Street
San Francisco, CA 94102

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, VA 22030
(703) 352-0091

---

Participant List:

• Mark A. Rothstein, J.D., Chair
• Simon P. Cohn, M.D., M.P.H, FACP
• Richard K. Harding, M.D.
• John P. Houston, J.D.
• Harry Reynolds
• Paul Tang, M.D.
• Maya Bernstein, J.D.
• Beverly Dozier-Peeples, J.D.
• Marjorie Greenberg
• Mary Jo Deering, Ph.D.
• Debbie Jackson, Ph.D.
• Steve Steindel, Ph.D.
• Katherine Jones, Ph.D.
• Karen Trudel
• Audrey Burwell
• Dr. Rob Weinzimer
• Susan Kanaan

Speakers:

• Nicholas Terry, J.D.
• Leslie Francis, Ph.D., J.D.
• Pam Dixon, J.D.
• Dan Rode, M.B.A.

---

TABLE OF CONTENTS:

• Introduction and Opening Remarks – Dr. Mark Rothstein, Chair
• Panel I:
  • Dr. Nicholas Terry
  • Dr. Leslie Francis
• Panel II:
  • Dr. Pam Dixon
  • Dr. Dan Rode

P R O C E E D I N G S (1:40 p.m.)

Agenda Item: Introductions and Opening Remarks

DR. ROTHSTEIN: I am Mark Rothstein, and I am the Director of the Institute for Bioethics, Health Policy and Law at the Louisville School of Medicine, and Chair of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics. The National Committee on Vital and Health Statistics is a federal advisory committee consisting of private citizens, that makes recommendations to the Secretary of HHS on matters of health information policy.

On behalf of the subcommittee and staff, I want to welcome you to today’s hearings on the National Health Information Network. We will begin with introductions of the subcommittee staff, witnesses and guests. Subcommittee members should disclose any conflicts of interest; others need not do so.

I will begin by noting that I have no conflicts of interest. Richard?

DR. HARDING: I am Richard Harding. I am chairman of neuropsychiatry at the University of South Carolina, a child psychiatrist, and a member of the committee and subcommittee. I have no conflicts of interest in this matter. DR. REYNOLDS: Harry Reynolds, Vice President, Blue Cross Blue Shield of North Carolina, member of the full committee and subcommittee, and no conflicts.

DR. HOUSTON: I’m John Houston with the University of Pittsburgh Medical Center. I’m a member of the committee as well as the subcommittee, and I do not have any conflicts.

DR. FRANCIS: I am Leslie Francis. I am the Alfred C. Emory Professor at Law at the University of Utah, and I am also professor and chair of the Department of Philosophy at the University of Utah.

DR. TERRY: I am Nicholas Terry. I am the Chester M. Midas Professor of Law and the co-director of the Center for Health Law Studies at St. Louis University.

DR. GREENBERG: I am Marjorie Greenberg from the National Center for Health Statistics, CDC, and Executive Secretary to the committee.

DR. PEEPLES: I’m Beverly Peeples. I am the privacy officer from the Centers for Disease Control and Prevention in Atlanta.

DR. HUNGATE: I’m Bob Hungate, member of the full committee. I am in Physician Patient Partnerships for Health, Chairman of the Quality Work Group of the NCVHS.

DR. BERNSTEIN: I am Maya Bernstein. I am the privacy advocate of the Department of Health and Human Services, in the Office of the Assistant Secretary for Planning and Evaluation, and I am the lead staff to the subcommittee.

(Whereupon, the remainder of the introductions were performed off mike.)

DR. ROTHSTEIN: And just in time to introduce yourself.

DR. TANG: Paul Tang, member of the subcommittee. No conflicts.

DR. ROTHSTEIN: Thank you, and welcome to everyone. This afternoon from 4:30 to five, members of the public may testify for up to five minutes on issues related to the topic of today’s hearing. There will be no public testimony tomorrow. If you want to testify, please sign up at the registration table.

Invited witnesses have been asked to limit their remarks to 20 minutes. After both witnesses on our panels have testified, we should have ample time for questions and discussion. Witnesses may submit additional written testimony to Marietta Squire within two weeks of the hearing.

At this time, if anyone has their cell phone in the on position, or any other electronic device that would interfere with navigation at our hearing, please turn it off.

Unlike most of our hearings, I guess all of our hearings, we do not have Internet capability at the hearing today, so we will not be broadcast live as in other hearings. However, we are being recorded, and we are being sent by telephone to people who are calling in, so I would ask you to please speak clearly and at a level that can be heard.

The hearings this afternoon and tomorrow are the fourth and presumably, hopefully, final in a series of hearings held by the subcommittee dealing with NHIN. The first round of hearings in Washington in February, we heard from experts on privacy and confidentiality, as well as representatives of consumer organizations. At our second round of hearings in Chicago in March, we heard from a range of health care providers. At the third round of hearings in Washington in June, we heard from representatives of and experts on integrated health systems, health plans, regional health information organizations, and health systems in other countries.

The hearings today and tomorrow will begin the subcommittee’s process of bringing things together, drawing conclusions and starting to draft recommendations to propose to the full committee. After review, revision and we hope approval by the full committee, the recommendations will then go to the Secretary of HHS this fall.

In advance of the hearings and to focus our discussion, the subcommittee distributed to each of the witnesses a list of six questions, some or all of which we hope and expect the witnesses will address.

The questions, in case any of you have forgotten them, are as follows. Number one, with respect to the design of an NHIN, do you prefer a model based on a RHIO, a model where individuals carry their own personal health information on some sort of device, a trustee model or something else? Why? What implications does your preferred model have for privacy and confidentiality?

Two. What are the implications of permitting individuals to control whether their records are part of the NHIN? If permitting this option is appropriate, what mechanism should we used to obtain individual consent or authorization?

Three. What information if any should individuals be able to exclude from their EHR or the NHIN? What if any limits should apply to these exclusions?

Four. What limitations if any beyond those of the HIPAA privacy rule, should be placed on access to personal health information in the NHIN? How should such limitations be developed and applied?

Five. Should individuals have the option of having their health records maintained all in paper form?

Six. What other measures are needed to protect the privacy and confidentiality of personal health information and to build public trust in the NHIN?

We expect not only answers to all these questions, but for you to do so in 20 minutes, so I don’t think you should have any difficulty whatsoever.

Agenda Item: Panel I

Without any further delay, I want to welcome both of our panel members, this won’t disqualify you, long-time friends and colleagues of mine. I appreciate your coming, and I look forward to hearing your testimony. We will begin in the order listed on the agenda, so we will begin with Professor Francis. Oh, I will go by the updated one. Professor Terry.

DR. TERRY: Mr. Chairman, members of the committee, thank you for this kind invitation.

I begin by paying tribute to the continuing leadership of NCVHS in recognizing and promoting the vital role of health information technologies, HIT, in reducing error, improving efficiency, and better involving patients in the health care process.

In the course of this narrative, I sought to answer the questions posed by the subcommittee. In an appendix that is attached to my testimony, I include specific, hopefully more detailed, responses to those questions.

I begin with some comments relating to patient and physician perceptions of electronic health records. I use electronic health records in the most generalized meaning at this point, and I will explain some of the ways I cut that area down.

When it comes to patient and physician perceptions, medical literature, fairly recent opinion polls, UK and Australia EHR experiences and, dare I say it, our own professional interactions suggest that both patients and physicians are skeptical about the privacy, security and safety of HIT systems. After all, we consumers are told on an almost daily basis that our computers, our personal computers, particularly when attached to networks, are pathologically insecure. Physicians, we know, continue to push back on safety technologies and remain deeply suspicious, even resentful, of the HIPAA transactional and patient privacy constructs.

Recent media reports — these are all from the last three to five months, have informed us of stolen laptop computers containing medical data. The theft of a computer disk containing medical and financial information relating to 200,000 patients, the hacking of several HIT systems, a disgruntled ex-employee of a managed care corporation linking her blog to the medical information of 140 patients. The fact that computer backups contain the personal information of 57,000 health insurance customers. Hospital executives and security guards running through the streets of Cleveland to retrieve 3,000 patient records that fell from a truck and blew away. And the targeting of hospital and nursing home patients by identity thieves.

A rational policy maker may view these issues as merely transitional or as aberrations that are statistically insignificant. Yet public and professional perceptions of an EHR system are far different and potentially corrosive.

The very nature of such a system, let alone its positive implications, is extremely difficult to convey to the general public. A public perception of an EHR as a governmental Big Brother is to my mind extremely probable.

Recently HHS’s Office of Civil Rights added the following question to its HIPAA privacy FAQ: Quote, does the HIPAA privacy rule create a government database with all individuals’ personal health information, unquote. OCR’s cogent and straightforward answer to this arguably paranoid questioner was, quote, no, the privacy rule does not create such a government database, or require a physician or any other covered entity to send medical information to the medical government for a government database or similar operation, unquote.

The difficulty I suggest that we face is that once a fully interoperable electronic health record is in place, the answer to that question will of necessity have to be somewhat nuanced. Our director, Dr. Carolyn Clancy, has testified before Congress, quote, unlike the baseball field in the movie Field of Dreams, we have dramatic examples of the building of health IT systems whose designers found physicians and other clinicians neither came nor played, unquote. If patients do not trust our EHR construct, they will hide even more information from their doctors than they do today, and doctors will reduce or become more circumspect in their charting.

I would now like to talk a little bit about the various types of EHR architectures which have split up primarily to assist my thinking as to their privacy and confidentiality implications.

As the members of this itself an acronym subcommittee are all too aware, the journey into the world of HIT is hindered by overlapping terminologies, a journal that is certainly not eased by the alphabet soup of acronyms that litter the topology. For the purposes of examining issues of privacy and confidentiality, I believe it is helpful to distinguish between five different EHR architectures. I label these as personal, second, shared, third, trustee, fourth, system wide and fifth, interoperable. This final category, the electronic interoperable health record, and no doubt I too will sink into the dreaded acronym EIHR for it, that category to mind captures both RHIOs or a NHIN.

I discuss these architectures in an ascending order that reflects what I believe to be their impact on personal and patient privacy.

First, the personal EHR. In this scenario, the patient is the dominant custodian. It is a patient-centric model. The data may be added to a web-based system by the patient and/or supplied by way of data export from something like the continuity of care record. One way perhaps to conceptualize a patient’s future interaction with such a system is to think of the financial software, Quicken or Microsoft’s Money, that millions of us use to organize our checkbooks and view our overdrafts.

Say the consumer has 11 different bank accounts which after all is the average number of siloed health records that U.S. residents have. Only the consumer can download, view, combine or process all of these records using this model. In the EHR context, the patient would then be able to choose which records or parts of records he or she would export to, for example, a requesting physician.

Secondly, the shared model. Here, I think it is the physician who primarily retains control over the record silo. It is more of a physician-centric model, albeit one that likely will involve consultation with patients. The silos, these individual EMRS or electronic medical record systems, are not interoperable, much like what we look at today. A physician, probably in consultation with his or her patients, and subject to the as yet not discussed large pallet of opt-ins, opt-outs, consents, et cetera, could transmit all or part or a summary of such a record to another physician or to a data warehouse containing a centralized record.

The most obvious example of this type of EHR is the Australian Health Connect system. Health Connect does not create a true longitudinal record, but aggregates elements extracted from a patient’s existing electronic medical records. These elements extracted, as members of the subcommittee are all too aware, are known as event summaries, themselves defined as quote, an electronic overview of a visit to a doctor or hospital or some other health care event containing only the information that is relevant to the future health and care of the consumer, rather than the comprehensive note that the doctor may keep as a record of the consultation, unquote.

Health Connect utilizes a push model, whereby data is sent, the initiation of the data transmission is at the local EMR, where the doctor in consultation with the patient makes the decision to push the data to a centralized Health Connect record. This is in contrast to a pull model, which is generally associated with discussions of EIHRs, including RHIOs and NHINs.

The third model is the trustee model. The trustee model I view as an offshoot of a personal EHR, in that the data is in the control of the patient, who then pushes all or some of the data to a trusted third party. The trustee could be either a data warehouse or a pointer repository. The patient would set the terms of the trust, instructing the trustee about the management of that information, including to whom it may be disclosed, how long it may be kept, and who may add to the record. Such a model could also be an offshoot of a physician-centric architecture, in that the physician in consultation with the patient could initialize the push directly from his EMR to the trustee.

In this trustee model, I find it unclear how the dissemination or processing of the patient’s data is controlled or limited after the trustee, after the trustee makes an authorized transmittal to the patient’s next caregiver.

One model for example would be for the information to then flow into that doctor’s record. This is the subsequent physician. From a liability standpoint, one would assume that the physician would need to incorporate that into his own EMR. So we are breaking the trust to an extent when we do that.

One way of handling that, I suppose, would be to limit the data to read-only, as we used to call it, before we had the technology to add sophisticated digital rights management, which would basically mean that the control of the data remains with the trustee and so within the terms of the so-called local trust agreement.

The fourth model is a system-wide model. A system-wide or institutional system is not an EHR in the strictest sense. In fact, it is an EMR, but one that is very large. It is probably a system-wide EMR. It is an information silo, but it is a huge one. For its long term patients, I will suggest that it will capture longitudinal data that equates to the data in an EHIR or a NHIN.

Examples would include perhaps the Kaiser Permanente Health Connect system that is being built at the moment, or perhaps the Department of Veterans Affairs Vista-A system.

Such systems, these very large EMRs, may have a couple of unique characteristics that it is worth putting on the table. First, the data in such a system is of such immense value to that system that it may not be willingly shared, given after all the relatively small benefit that would be flowing into the system with receive data through a NHIN.

Second, if we assume that these very large EMRs have extremely good security and very good internal restrictions based on confidentiality as the data processing and distribution, these highly sophisticated, very large systems may actually view opening up their EMRs to regional or national interoperability as reducing their data confidentiality model essentially to the level of the weakest link elsewhere in the train, privacy costs that I think would overwhelm any benefit to — likely could overwhelm any benefit to those very large EMRs from importing data into their systems.

The fifth, and the one that I suppose we are concentrating on the most, model or architecture is the EIHR, a fully longitudinal interoperable electronic health record, whether operating at a regional or national level. To me, this has the most fundamental implications for patient privacy, confidentiality and security.

EIHR discussions suggest that a RHIO and NHIN could utilize either a data warehouse or a point of records locator technical model. To my mind, RHIOs and a NHIN probably have different security implications, the choice between those two basic models, but to me they pose almost identical privacy and confidentiality issues, so I tend not to distinguish between them.

Now, an interoperable EHR is premised on three factors, one, the integration of existing EMR silos, two, common data standards and three, both to improve usability and, I suggest, to maximize the return on EMR/EHR investments, very sophisticated data mining tools.

These three characteristics, aggregation, common standards, data mining, these three characteristics suggest the privacy advocates’ perfect storm. Making patient safety information available to all health care providers that are even tangentially involved in the patient’s care renders the level of privacy and security accorded that data a function of the weakest link in the system. Fully interoperable data is also immeasurably more valuable for secondary uses such as marketing, and I believe is likely an irresistibly tempting target for commercial aggregators. I would now like to talk very briefly, although I understand if there is skepticism about a law professor speaking very briefly, but I would like to speak very briefly about our current privacy and confidentiality laws.

When you simplify things down, you reduce things down, basically the U.S. legal and regulatory systems have two models for the protection of personal information, privacy and confidentiality.

Privacy concentrates on control and collection of data. Confidentiality deals with controlling the disclosure of that information. A privacy model places limitation on data collection. Such a model could for example prohibit all collection in certain circumstances, for example, could prohibit the harvesting of genetic information by life insurers, period, the end. Or it could for example limit collection via a proportionality rule, for example, only information necessary for the purposes of treatment may be collected.

In the health care arena, U.S. limitations on data collection are less than robust. For example, the restatement of torts black letter law of privacy fails to articulate any general or comprehensive right of privacy, and is no more than a listing of modest protections, nominate and discrete tort actions applicable under a narrow range of circumstances, rather than any fact sensitive applications of a general principle or theory of privacy. Of these nominate actions that we force upon our students, only the protection against quote, unreasonable intrusion upon the seclusion of another is in any way applicable to the patient-provider relationship, and this action has very seldom been used in the health care domain, and its doctrinal elements have limited its applicability to outlined cases.

The second protective model is to place limitations on data disclosure. For example, hospital records may be disclosed to physicians but not to drug companies, once they enter the system. In contrast to collection-centric rules, this protective model whereby limitations are placed on data disclosure is well established in U.S. law. Although frequently described in terms of privacy and privacy law, the legal protections applied to patient health information by the common law, by state statutes, and by the HIPAA federal standards have very little to do with either privacy or privacy law.

The modern law of health privacy resides in the far narrower disclosure-centric doctrine captured in cases, statutes and regulations dealing with breach of confidence. A patient exercises his right to privacy when he chooses to provide information to his physician. Thereafter, dissemination of that information by the physician is limited by legal standards of confidence. Today, when courts and regulators speak of medical privacy, they are usually in error, mislabeling obligations of confidentiality.

Long before the promulgation of the HIPAA federal privacy standards, I use quotes around privacy, most states had developed common law and statutory protections applicable to the confidentiality of health information. Languidly, the courts articulated a course of action for breach of confidence. The development of the common law of confidentiality has been, shall we say, distinguished by quite arcane discussions as to the correct doctrinal basis for protecting patient confidences, including such theories as implied contract or breach of or abuse of a relationship. But it is only relatively recently that courts have recognized breach of confidence as an independent cause of action founded in tort.

Generally, state statutory models have been more successful in reflecting at least the realities of modern health care delivery and the particular problems posed by information on privacy. Those are still generally limited to a disclosure-centric approach, and unfortunately therefore, once again also mislabeled as going to privacy rather than to confidentiality, these statutes have tended to be more comprehensive and coherent than their common law progenitors. Such statutes are frequently more explicit in extending the duty of confidence to the myriad of providers and insurers involved in modern health care delivery. The state privacy statutes however have generally not supplanted the common law actions, at least one reason for that being that most of those state statutes do not permit a private cause of action for breach of confidence.

The HIPAA federal standards, as we are all aware, apply to a broad range of covered entities, including for example health but not life insurers. These providers such as hospitals, physicians and health plans, are subject to the privacy standards, if they transmit health information, quote, in electronic form in connection with a HIPAA EDI transaction.

The federal standards place limitations on the disclosure of protected health information, including information that relates to the past, present or future physical or mental health or condition of an individual, and identifies or could identify the individual. Thereafter, the provider may only disclose private health information as permitted by the federal standards.

Modeled as those standards are on existing state statutory protections, the HIPAA standards do not protect health privacy, because they place no limitations on data collection. The standards are in essence a federal confidentiality code.

Now let me talk a little bit about some of the models that perhaps could apply to these various types of EHR that are on the table, how can we protect privacy and confidentiality and in EHR world.

The first general category that could be looked at I would describe as a general data carveout. Our privacy and confidentiality model in this country has generally — this goes beyond health information — has generally endorsed the approach that any and all personal information, financial, medical, whatever, may be collected, processed and disseminated if the data subject consents to or authorizes the same. That is the model that we have used.

The primary operational objection to this approach is that consent processes are extremely imperfect in situations involving parties with radically different bargaining strengths, and who are in informational asymmetry regarding the implications of any such consent or authorization. Even if you are a skeptic, as I am with regard to the doctrine of informed consent, at least there are some circumstances where we can recognize that the patient is given a choice between two options, so consent means something. It is very hard to find those kinds of consent meanings when it comes to authorizations with regard to information collection.

So the first type of approach we could look at would be to move away from this long-held U.S. approach, and actually use legislation to carve out some forms of data collection or dissemination, with a view to improving trust in the EIHR.

For example, federal legislation could prohibit employer or insurer access to patient specific genetic information. We could for example pass a piece of federal legislation that would say that no RFID data may be tracked from patients once they leave say the health care facility. We would for example pass a piece of federal legislation that prohibits the secondary use or commercial aggregation of patient specific information.

The second type of model that we look at would be patient specific non-participation. By this, what I mean is that an EHR system could permit patients to decide whether or not to participate in any way in an interoperable EHR. While an opt-in model is probably most consistent with patient autonomy, the practical processing implications of an opt-in model likely would overwhelm any system. Therefore, an opt-out model likely would be more operationally friendly.

Legislation or regulation again may be required to eliminate discrimination against patients who opt out, and deal with the question of exactly what the quality of care is they will get having so opted out.

The third category that I would like to discuss I refer to as patient specific data carveouts. Here, the scenario I suggest is that a patient has opted into the system, or set up the other way, has declined to opt out from their EHR. But nevertheless, the patient could still be given rights to carve out certain types of data or uses of the data in the system.

There are three models that could be adopted, a secure envelope limiting disclosure by context, and an access edit model. The first, the secure envelope type of approach, basically gives the patient the opportunity to select out of his record some data that for example he views as highly confidential. That data stays in the record but is shielded from general view unless say some condition is met, for example, to be opened only if I am unconscious in an ER.

The second type of carveout is a contextual disclosure, whereby different layers of data are utilized. For example, ob-gyn related data may be only available to that sub-class of providers, or existing prescription of certain classes of medication such as psychotropics would only be disclosed to say treating psychiatrists.

The third type of model here is what I call an access and edit model. Envelope storage or context restrictions generally are discussed in the context of restrictions placed on the data at the time of the input. However, similar rights could be given to patients using an access edit model similar to that used by HIPAA or some state statutes. Thus, a patient could be given the rights to access his record and remove specific data or maybe move data into a secure envelope.

The fourth broad type of limitation is a proportionality limitation. As I have already mentioned, existing U.S. confidentiality provisions do little to limit the dissemination of patient specific health information within the domain. That is, once the data is entered, it is freely available to health care providers.

Patient confidentiality may be better served if the data and its dissemination were subject to a limitation based on necessity or proportionality. For example, a privacy rule could limit the collection of patient data to that required for contemplative procedure. Equally, a confidentiality rule could limit the dissemination of the patient data to those providers directly involved in the patient’s current treatment, in other words, restricted to the circle of care.

Mr. Chairman, I don’t know how I am doing on time.

DR. ROTHSTEIN: You have blown past your time.

DR. TERRY: I have blown past my time. I do have in my written testimony some specific observations on the existing HIPAA regulations which I think create issues. I know this is not a particular piece of barbed wire that we are not necessarily going to grasp, but I think those are some specific issues that do need to be addressed in the context.

I conclude therefore very quickly with the statement that there is little doubt to my mind that a well-constructed, secure electronic health record can improve the quality of our health care, reduce medication errors and provide a platform for patients to better understand and participate in their health care. However, progress toward these laudable goal has so far reflected institutional interest and priorities. We have in short been watching inside a baseball that is focussed primarily on architecture and technical standards. As the debate is broadened to reflect the interest and participation of patients and physicians, a principled, autonomy based and simple privacy and confidentiality structure must be articulated. Without such a structure, patient and physician participation in the endeavor will be jeopardized.

I thank you for your tolerance in going over my time, and I hope that I can explain or clarify some of this with your questions.

DR. ROTHSTEIN: I’m sure you will get that opportunity. I thank you for your very thoughtful testimony.

Our next witness is Professor Francis.

DR. FRANCIS: I am Leslie Francis. I am professor of law and philosophy at the University of Utah.

What I am going to say is drawn from at least four experiences that I have had recently, it is informed by that. One is that I was a member of the executive committee of the Medicare coverage advisory committees that made national coverage recommendations for Medicare, and participated in drafting some of the evidence based medicine guidelines that NCAP adopted.

Secondly, I have been a member of the State of Utah’s health data committee for the last few years. I also was a member of the Utah State judiciaries committee that looked at how to put court records in electronic form. Finally, I helped implement HIPAA at my own institution, a dubious one.

I think there are great advantages to electronic health records. Principally though, I would recommend focusing on the advantage that these records give for patient care, in the sense that they are likely to be more accurate if they are done right, and they are easily searchable for issues like management and conformity with evidence based guidelines for things like drug information and so on, allergies and so on in the past.

For me, the difficulty is to figure out how to design a system and a regulatory regime that is appropriately protective of patient confidentiality and patient privacy before even confidentiality, and that can yield these advantages. I think that is a huge dilemma, whether it is going to be possible to develop a data system and a regulatory regime that is adequately protective, that captures what for example in the VA system, which has system wide electronic records, are regarded as helpful in patient care. So that is the way I am going to see the question.

As I see it, there are four basic questions of design that people are going to have to answer. The first one is — and this is somewhat like the way you categorized things, Professor Terry, but not quite — the first question is whether what we are going to have is an all-in information model with some stuff taken out. So for example, a full record like a chart would be in electronic form, and then put in a general electronic health record with perhaps some information taken out of that, and the risks then are compromising the integrity of the record if you do it that way. Versus an information opt-in model, in which there would be specific fields of information that different providers would put information into, for example, prescriptions, reactions to prescriptions, whatever people wanted to have in the relative kinds of fields.

So the first question of design is whether this is going to be thought of in an electronic health record as something that essentially takes all the information that is in what would be a paper patient record and puts it together, or is a separately constructed item in which certain forms of information get affirmatively entered and meanwhile, physicians keep their own full charts on patients just like they have always done in the past. That is number one.

The second question of design is who enters the information, patient, provider, third party redacts charts; those are possibilities.

The third question of design is who controls access, that is, who gets to say who can look at what has been entered in.

Then the final set of questions of design are who protects and maintains the data, is it the patient, is it a trustee, is it the government. There are private models, there are public models of who gathers and protects the information.

I am not going to rehearse anything more about advantages, but I do want to underline what t are some different features of electronic health records that really need to be attended to as you make these choices of design.

The first one is that cut and paste is easy and fun, and somebody has got to be able to figure out who to deal with that, how to make clear what has been entered, what kinds of alterations. There are conventions that we have about paper records, that they are entered in and everything is dated, everything is signed. The equivalent of those conventions are going to have to be worked out for electronic health records.

What is more, if different people all over the country are entering information into electronic health records, people who have been used to regulatory regimes at state law level — after all, medical records right now with the exception of HIPAA, the regulatory regime that governs medical records is essentially a state law regulatory regime. That incudes things like who owns them, who has access to them, all those kinds of questions. So that is one issue that is going to have to be solved.

A second issue that is going to have to be solved is that electronic health records, at least if they are in the form that is likely to be most usable for the advantage of patient care are going to be searchable. That means that stuff got buried back there, but maybe was inaccurate, but maybe got stuck in the record and there wasn’t any reason for it to have been, could turn up very easily and very readily, if electronic records are in a form that is readily searchable.

Now, at least with a paper record, you have got to read the whole thing to find something that was buried in there 25 years ago. With the electronic record you don’t have to do that. All you need is a key and a punch key.

A third challenge is linkability. That is one of their great advantages in terms of coordination of care, but patients may not want to have records linked. Of course, there are issues of patients not wanting to have people know that they have gotten certain kinds of care, mental health care, various kinds of reproductive care are primarily examples of that, but consider a patient who wants to get a second opinion, not entirely clear whether he or she is happy with what is going on with current — if everything that every provider — if all the electronic records that a provider maintains gets entered into the electronic health record and every provider that you ever see has access to it, your primary care physician or the first physician that you see would be able to look at the effort that you have gone to to seek out a second opinion. So that is just one of the kinds of challenges with linkability.

Another challenge that electronic records pose are the ease with which they are duplicated. If you want to take a paper record and duplicate it, you have got to go to the paper record and run a xerox machine. But think of all the ways that electronic records can be copied. Just a flip of the key, and sorcerer’s apprentice, go with the brooms everywhere, and you may not even know where they have gone, or the way in which they are being carried — CDs, diskettes, those cute little things that you stick into your laptop when you are taking your top wherever it is you are taking it. That is a lot of different ways.

I know that is one of the things the court committee struggled with, especially because if a document filed in one court could get downloaded, somehow taken somewhere else, and nobody knew where it would even go once it is out the door.

Then the final thing is, after duplication, another challenge is how do you even know where they have gone, or how well or how difficult is it to retrieve something when it has gotten out if a hacker gets in.

Sure, there are issues with paper records. If you make a copy, maybe somebody else makes a copy and somebody else makes a copy, but the ease of multiplication of electronic records makes a problem with tracing and finding out where they are going.

So I think those are some of the core challenges that you face as you go to answer some of the questions that you pose to us. I am going to spend the rest of my time on your questions.

Do I prefer a model based on a regional health information organization, where individuals carry their own personal health information on a device, a trustee model, or something else? I think a model where individuals carry their own personal health information on a device, while it looks like it is the most protective of individual privacy and confidentiality, because after all, the information is with the individual, I think it is the riskiest for privacy and confidentiality. Devices can be altered, copied, lost or stolen. Even if they are little tips embedded in you, all they have to do is rip them out.

Patients may not be the best protectors of their own data, as they are not very good protectors of their own laptops or Ipods. A regional organization has the advantage of potential protection, and it meets some standardization of practices in entering and protecting data. But depending on how it is designed, it is not bringing forward the full advantages of mobility when patients go out of the region. If patients do see providers outside of the region, there need to be methods for answering questions about access and entry of data outside the region.

There is also the difficulty that in our mobile society, patients may not even know which region maintains their records, or what we are going to do if the patient moves permanently, should the record move with the patient. Think about people who spent six months in Florida and six months in England, for example.

If different regional organizations have different standards, as for example the different local coverage areas for Medicare do, patients might get seriously confused about which standards govern their records.

I think trusteeship is important, because it provides guarantees of protection. I think it should be a single trustee at least for any given patient on a national basis. I actually think there should be just a single trustee, because common standards could be developed and we would only need to solve the problems with protection once.

Second question. What are the implications of permitting patients to control whether their records are part of the NHIN? Again, at first glance, permitting patients to decide whether they are in or out altogether of the NHIN gives patients the most control. Patients can simply decide that they want to stay local. They can say that the records should stay at their own doctor’s office, siloed, and then consent would take place at the level of any individual provider. First the patient can say, I’m not going to be in the NHIN at all, and then the patient could say, I am going to only let this information from you in.

I would prefer at the outset a trial period in which patients could say whether they want to be in or out, and patients could say for any given provider they see whether they want information from that provider to be in or out.

I do think it is very problematic, however, to have only some information from a given provider entered if it is an in-everything model, because you run a risk of violating the integrity of the medical record. The alternative would be to say, we are just going to have something with a set of fields and from this provider it can get entered into one of those fields. The difficulty with that though is that that is going to be expensive for providers, because they are going to have to enter the information. If patients enter the information, it is not going to be really useful for patient care; you’ve got the question of whether it is accurate information.

What information if any should individuals be able to exclude? I think individuals should be able to decide whether a set of information from a given provider is included or not, basically everything from this provider of the kind that is going to go in.

I also think there should be full informed consent before information is entered into the NHIN. The patient should be told what it is going to be and what is going to be entered in.

I am going kind of quickly here. What limitations beyond the HIPAA rule should be placed on access to personal health information in the NHIN? How should these limitations be developed and applied? The HIPAA privacy rule seems to me — and it is deeply flawed as Professor Terry discussed, but it is also inapposite in a way. The way the current HIPAA regime works, its basic category a covered entity.

What we are talking about is information that is going to be outside of the covered entity. So we have got to think about the implications of all that, not the full covered entity basic structure of HIPAA.

What I would propose at least for an initial trial period is that to the extent that electronic health records are put together, they should be used only for patient care, not for billing, not for trying to figure out whether care is cost efficient, which is something it can be used for, not for identifiable data, not for looking at what percentage of people are being managed appropriately. You don’t have to have patient identifiers to figure out what percentage of the folks nationally are getting standard of care for hypertension, for example. So for identifiable health information, I think it should be used only for patient care.

Should individuals have the option of having their health records maintained only in paper form? I just don’t think that is practical. I think the only thing that is practical is siloed. Basically you have got to have one way of maintaining information in a health care provider’s office. It has got to be either paper or electronic.

Also, I think that electronic health records are likely to shift how physicians practice, because you can take an evidence based protocol and look at it in conjunction with electronic. As physicians come to rely on doing that, as that helps them be better practitioners, the paper record-managed patients just aren’t going to be managed as well.

What other measures are needed to protect the privacy and confidentiality of personal health information and build public trust? I think the most important thing there that nobody has mentioned yet is, there should be a requirement not only of informed consent on the patient side of access, but also there should be a requirement that if there is an access of your electronic health information, you know it.

That is something that has really mucked up trust in credit card companies, because people don’t know whether their information is protected.

DR. ROTHSTEIN: Thank you very much. You have given us a lot of stuff to think about. My guess is that there may be one or two questions from our subcommittee members. So we will go counterclockwise, beginning at 10 o’clock. That would be you.

DR. HOUSTON: I appreciate the testimony, first of all. It is interesting to listen to different perspectives.

I want to throw in a little cynicism here, just to provoke a response. Not that I genuinely believe as I listen to you speak; I do agree with a lot of your concerns and the like. But one of the concerns that I have when I hear people talk about having mechanisms in place to restrict what data providers can see is the whole issue of liability. I think there is a demand from patients that the people that care for them are perfect. We are trying to reduce medical error rates and improve outcomes and all of those things, which seems contrary to this concept of limiting information that providers can see.

I think you raised a very good point that if people could actually see who was looking at their record, as a counterbalance to this concept of making everything available, does that add maybe the requisite balancing control that says, we are going to make this record available? I think I know what you are saying, but I wanted to confirm it, first of all.

DR. FRANCIS: I agree with you. I actually think the use of an electronic health record may continue to shift the standard of care towards evidence based medicine. I actually tend to think that you can always get sued, but you can’t always —

DR. HOUSTON: Getting sued is pretty traumatic.

DR. FRANCIS: It is very traumatic. What you raise is two separate questions. The question about what information gets in is a separate question from the question of who can access it. I think that on the liability side, nobody can argue that you failed to meet the standard of care if you didn’t take advantage of information that was never there for you to look at in the first place. I think there are very strong reasons for a patient being able to say a given record stays with that physician and never gets into the electronic record at all.

If I wanted not to have anyone know that I wanted to claim parenthood and go have an abortion, that would be one kind of example. Another kind of example would be the second opinion example.

DR. HOUSTON: I hear the concern that — say you had wanted to have an abortion done, and Simon being an ED doc, you show up in the ED eight hours later, your mother brings you in because you are hemorrhaging, and the doctor doesn’t necessarily understand why, the record is not available, and you die.

DR. FRANCIS: There is just nothing there. That is what would happen today. They would ask you today —

DR. HOUSTON: Assuming you are lucid.

DR. FRANCIS: Yes, lucid, but they wouldn’t know.

DR. HOUSTON: But that is what we are trying to avoid.

DR. FRANCIS: Yes, you lose that advantage. If I can say that this visit, the whole thing that the physician did in this visit doesn’t go into the record, then I — something else that could happen is that the visit gets noted, but any of the facts about the visit doesn’t get noted. If I can say that and use the power of the information, —

DR. ROTHSTEIN: John, I’m going to ask you to make this your last question, because we have got lots more.

DR. HOUSTON: But as a followup to that, does the patient — this is going to sound really bad — does the patient necessarily know best? I’ll tell you why I say that. I used this example on a couple of occasions where I got called by the privacy officer of the health system by a gentleman who demanded that his information not be contained in our electronic health record. When I queried him about what happens if he happens to be at one of our satellite facilities and is in a car accident, he said, well, I definitely want my information to be available to them then. I said, how do we do that absent having your information there? His response was, I want it in for that reason.

So his first comment to me was, I don’t want it in at all. But then his followup comment to me was, well, yes, I do want it, but only if needed.

DR. FRANCIS: Yes, right. You also have the problem that — I think it would be very problematic to have patients, that bit of information by bit of information goes in. That is why I was saying do it with the whole provider.

DR. ROTHSTEIN: Do you want to respond, Nick?

DR. TERRY: If I may. The two examples that are in my written statement — so I agree with what you say. If a patient was taking lithium and presented in ER following an overdose, absent knowledge of the medication or underlying diagnostic, the patient would be at extreme risk, as there is no screening test for detecting lithium.

Similarly if medication data pertaining to sexual dysfunction were limited to treating urologists, ER physicians would be unable to safely treat cardiac chest pain.

I add to what has already been said, and take the bait of your liability question. I was sitting in a room in Melbourne with the folks from Health Connect, and during the course of our discussion I mentioned that there is a U.S. case holding a physician liable for using a summary record, not the full record. There was a nasty sucking noise at that point, as the air left the room.

I also would go further from the practical medical implications to legal implications, but also into the health information technology. After all, the patient safety information model we are looking to build here doesn’t just stop at the electronic health record, much as Professor Francis has discussed. The outcomes work that is going to come out of the EMRs as they become interoperable, and we have an interoperable EHR, that data gets processed, gets researched, flows through evidence based analysis. From that, we presumably develop, though not without controversy, practice guidelines. Those practice guidelines then seep back into the clinical decision support systems as the norms or partially the norms and the triggers for event alarms and so on in our systems. So that actually comes back and helps — if it is done quickly enough, could help that particular patient. So I am proposing a loop piece to this as well.

Now, it is because of a sense that one has that all in is better for both individual patient care and general population care that I tend to concentrate on — much like Professor Francis, from some of her comments, that I would actually prohibit the collection of some data, and I would prohibit the collection of some data by certain types of entities.

I think this is medical data, and it should be data that stays in the medical domain. This is not data for pharmaceutical companies, this is not data for multinational data aggregators to do market research on us. This must be kept within the medical domain.

Then within that domain, I think we need a lot more control on disclosure. If you are in the circle of care, you get everything. But if you are not in the circle of care, if you are not a physician or a physician’s assistant at another entity, you can’t go surfing into the EIHR to see whether Fred really does have AIDS. You don’t get to go in there just because you are within the health domain. You have to be within the circle of care in order to get that.

DR. REYNOLDS: This is really outstanding testimony. You really framed it well. I am also intrigued by some of your work. It was very helpful.

Both of you used some words, simple, informed consent, then if you think about our current environment of care. I am an implementer, much like you.

Based on all your premises, how can we really — in the world of how we do treatment and the world of the physician’s office, how can we really pull this off, to where you say the patient can decide what is in or out or this or that. How can we really pull it off? What will be your premise to actually make it happen?

DR. FRANCIS: I don’t think you can pull off a piece by piece doing this, I really don’t. I think it is basically by — comes in from a provider and is available, accessible to those in the circle of care, or it is just a mess.

DR. TERRY: I am assuming your question is limited to in terms of this meeting which is on privacy and confidentiality, rather than the various cost and other issues.

DR. REYNOLDS: I think your circle of care discussion, both of you, was outstanding. I think that put a whole different context on some of my thinking. Thank you.

DR. HARDING: Just a couple of things. Very good testimony. You talked about mistrust. We were talking about an individual having control of their information and what they would do with that.

I had to think about my father-in-law, who still puts his money in his mattress, because of what happened in the ’30s, and that there isn’t any trust. He still doesn’t have trust, 60 years later, because he lost everything.

The other thing I would like you to comment on is the issue of education about informed consent. We have struggled with that issue of how to educate the public as to what they are consenting to, and to edify them. But that is a tough thing to do with the general population. There is a level of people who have more knowledge of HIPAA probably than this table, people around this table, but there are masses who don’t know straight up about HIPAA, how to do that. You professors and so forth, chairmen of departments, do you have any thoughts along those lines?

DR. FRANCIS: Simplicity, one system. The drug benefit from Medicare, the confusion that has come out with that. It seems to me it would be a disaster to have a market system with competing managers with different standards and different things in our records and all of that.

DR. HARDING: Inter-region or between regions?

DR. FRANCIS: I think if it is not national, you have all the disadvantages of possible variety, you have a little more mobility, but people don’t necessarily just move within their regions. The VA might be instructive here.

DR. TERRY: Look at what HIPAA did, and then try and do the opposite. Be educational, be principled, be simple, be clear. I can barely describe what the HIPAA federal privacy and confidentiality standards do to extremely sophisticated health care students, health care law students. There is no way you can even begin to have a discussion with a lay person or an extremely knowledgeable HIT savvy doctor about it. You can’t talk about transaction premises and covered entities.

I think I would probably start by looking very closely at for example the Australian health care privacy principles. It is two pages that they are written. They say, this is what we are and are not going to do, what can and cannot be done with your information.

I think that you probably do need to give some people some sort of recompense or remedy, if that goes wrong. It gets them into the system, they buy into it. But this is not the time to have another tort crisis thrown in.

So again, what I think I would look to do would be to have some kind of ombudsman or mediation process, some agency that is somewhat independent from the Administration, that can investigate complaints, work with the health care industry, to work with patients to try and remedy these things, and in some cases help with mediation. It may be some cap limited award, and in extreme cases refer it off to Justice for prosection.

So I would probably start with those two pieces. But I think we have to tell our patients, if you are going to come to this field of dreams, we can tell you, because it is written down in a piece of federal legislation, that your personal health information is not going to end up in the marketing department of a drug company, your personal genetic information is not going to find its way into the databases of a life insurer.

I think if you can start telling people that and then filling in the other pieces as cogently and simply as possible, I’m not going to tell you it is going to work, but I think it starts you off in the right direction.

DR. FRANCIS: If you start with what people are used to, which is information being kept by their doctors and shared with other doctors and protected that way, that is an easy concept to understand. But that does mean it is going to be used for your care and it is going to be shared with doctors who are involved in your care, and that is it.

DR. TANG: I also really enjoyed the testimony. I particularly liked Professor Terry’s classification of EHR architectures and the corresponding privacy and confidentiality implications.

I would like to re-pose the first question back to you. The reason for doing this is that the statements ending with a question mark outnumbered by twice the statements that ended in a period. So I want to re-pose the first question. What model, either the confidentiality model or the architecture, do you prefer and why? I think I understand Dr. Francis’ answer to that question, I’m not sure I understand yours. I don’t think you gave one.

DR. TERRY: From a personal level, I disagree with Professor Francis. I think the personal model is actually more secure. I think there are a bunch of reasons. One, I think it is by nature siloed. When you are looking at the overall system risks, it is siloed. There will be people who lose bits and so on.

I think the custodian has the best incentives to take care of it, and much less room for complaint if they mess up. I am a highly sophisticated user of technology. I probably personally would prefer the personal model. That is how I handle my finances, that is how I secure my own systems, and that would suit me.

I don’t think it is going to work at the national level. I think we are going to have to go to an all-in model of some sort. I think the summary data models are a trap, both for liability and for bad health care. Those two things are different. So it is going to have to be all-in.

DR. TANG: All in but personal?

DR. TERRY: No, no, all in, whether it is a single trustee or whether it is the federal government or whether it is a cooperative effort, market-led effort. I think it has to be that.

With that regard, I think if you twisted my arm, if you would give me my federal privacy legislation to keep some stuff from being collected, some stuff from being disseminated, if you give me my circle of care, personally then, what I think I really want is an envelope, a secure envelope, so that I can put — maybe if I have some real issue in there. That is a very good selling point to the general public. It says there is a real sense of trust if you can make that kind of decision.

We need an awful lot of research, to continue the metaphor, as to what you put on the outside of the envelope. If you are worried about your teenaged ob-gyn issue, and you put only to be opened by an ob-gyn in a certain way and under certain conditions, you may give away an awful lot of what is in the envelope. But I think there is some research that can be done there.

Am I getting close to answering your question?

DR. TANG: I’m trying to decide. You made a comment about wanting to have laws about not collecting certain things, but you did say that essentially the doctor should have all information. So it sounded more like you were saying laws for disclosure to other than medical —

DR. TERRY: I think we have tremendous unease in this country about the collection of genetic information. There I would have a privacy rule, which is a collection-centric rule.

As far as the dissemination or confidentiality rule, the data goes into the health care system. It doesn’t leave the health care system.

DR. COHN: Like everyone else, this has been fascinating. Thank you both very much for your presentations.

I may be asking many of the same questions that others have asked, but I found myself fascinated, Dr. Francis, by one of your comments on page seven, where you talk about, EHR should not be available for other purposes even on a consensual basis, patients may be unaware of what may be in the record and what such consent really means.

I was just reflecting, I tend to think of rules, and when one wants to do something other than those rules, you have to get permission for disclosure. This is obviously a very different frame which is potentially more paternalistic, but there may not be anything wrong with that.

I was curious, if what you are describing here is a set of strict fair information practices that a patient, even if they wanted to go beyond that, they actually couldn’t. Is that really in the best interests of everyone? I’m not sure I’m against it; I’m just asking.

DR. FRANCIS: What I was meaning to propose here is that I think that there are limits on the uses to which information in a network can be put. I think we share that view, but it shouldn’t be available to insurers, economic managers, marketers, newspaper reporters, even if — what I was meaning to say there is that I don’t think right now we can figure out a good informed consent regime that would let people be giving good informed consent to a more general use model for a network.

Part of the reason I think that is that I think we don’t yet anticipate what all the problems would be with something like this. So I think there needs to be informed consent, but I would only have it be for a medical use model. That is what I was meaning to say, for use of the information for care purposes.

DR. COHN: So not beyond that?

DR. FRANCIS: No.

DR. TERRY: I think this also goes back to Dr. Tang’s question. I sketched out what you would have to give me which would satisfy me, and I would be happy with my stuff circulating, my pathetic little file circulating in the NHIN.

I still think it is an open question, as to whether we would have to give a generalized autonomy consistent right to opt out completely. I don’t know how many people would. I don’t know what the impact on a NHIN would be. Would there be such a level of opting out that we would lose all our outcomes work and our public health impacts and stuff like that, and then just this nasty crumbling noise as it all falls apart?

But I think we need to talk more and do more research before we can make the paternalism decision. I don’t have an answer for you on that. I need to know more.

DR. ROTHSTEIN: I want to thank you — we will get to this side of the room. I just want to say thank you for coming and further confusing me, which doesn’t take very much on this topic. I want to see if I have a sense of what you are saying, and then maybe you can help me figure out where we are going with this. The lesson you said, Nick, was that we may need to in essence respect patient autonomy or individual autonomy by invoking some sort of rules that give them certain rights. I would support that wholeheartedly. But autonomy means flexibility and variability in what people elect to do. They may put lots of things in envelopes, and their envelopes may be gigantic.

That notion conflicts with your italicized and bolded simplicity, that a system to work has to be simple. It can’t be both — in my judgment it can’t be both autonomy conferring and simple. We are going to have to find some way to trade off and reach some sort of medium between the desire for simplicity and the desire for autonomy, and I don’t know what that is.

But I think both of you support the idea where we make the cut between all-in and don’t get is medical versus non-medical uses, but that is hard to do in reality, because there are so many third party users that have the economic leverage to compel authorizations, of no matter what form. I am concerned about the all-in principle as guiding us, because that is not keeping the status quo, that is a change from the status quo.

We can use our own silos of doctors to protect our confidentiality, and now that would be lost for all sorts of uses. So that is not a question, but you may want to respond.

DR. FRANCIS: It seems to me there are two yes-no choices that are pretty simple. One of them is, am I in the network or not altogether. The second one is, is my interaction with this provider in the network or not.

That is why I was suggesting that I thought a second simple yes-no choice could be that I could silo my entire set of interactions with the provider. That is what Mr. Houston was —

DR. ROTHSTEIN: But when genetics is done by a primary care doc, now what?

DR. FRANCIS: That is the trouble. I think it is very difficult to sort out half of the information from a given physician.

DR. TERRY: I think the question comes down to, if you can satisfy me on the large question types of data that I am not going to allow collected, or where it goes. Then I think you need to find out the extent to which our patients feel the need for additional protection for their autonomy. Do they need the option to keep out of the system completely? Or would they for example be satisfied with an envelope type model or, given the above statements, and if we can make it simple and tell them what their rights are, will they require any more?

I think those are part of the pallet, and is the pallet that is complicated. I stay to my task of trying to keep it simple as we actually articulate the final thing.

The other point is, I think there is a danger — you talked about keeping this within the medical domain. I think there are two pieces to this, if I am correct that we are in agreement on this. Not only we need to define the medical domain, and I accept the issues that you raise as difficult, particularly as we project into the future.

But there is this second category, and I believe we are in agreement, a smaller category, which is the circle of care. I particularly would like to reinforce the distinction between those two.

DR. HUNT: You suggest restricting information to the medical domain. I can see how you might legislate that, but I’m not sure that that would achieve trust, because there is a lot of legislation that doesn’t necessarily achieve its intended objective.

So short of that, how would you go about restricting f to only medical use, mechanically with the system, not through legal means, but in terms of agreement within the medical system to do that? How would you make it work?

DR. TERRY: For clarification, you are suggesting that this is without legislation or regulation.

DR. HUNT: Suppose the legislation were even in place. How would you mechanically achieve it to a level that patients believed it were true? When the press currently has excesses that occur that are outside current law. I am trying to raise the point that it is not just a legal question.

DR. TERRY: But if you have the technology and tracking and auditing systems that we are building into our sophisticated EMRs and EHRs, those will be set to ring system alarm bells. We can also set them to ring privacy alarm bells.

I think you can also then make a subgroup of that, describing electronically the circle of care with regard to any particular thing.

DR. FRANCIS: I don’t have a technical comment about this, but I would put two points out that are by analogy history type things. One is that we haven’t really talked about whether patients should be able to access the electronic record. There is a lot that goes into your health record that you might wish weren’t there, for very good — that is not medically relevant, or is, but for example, suppose your provider puts your social security number in your health record. That could be there if the whole thing gets dumped in, just to take an example. That is not medically relevant, except as an identifier.

DR. HUNT: But that is medically relevant, to be sure that it is your information that is in this particular record.

DR. FRANCIS: Well, we have to do that, but you don’t have to have the social security number in the record, actually written in the record so that somebody reads your social security number to do that link.

So I don’t know whether you want to design a system or not, but I would raise it as an issue for you, in which patients get to see what is in there, and think about the accuracy.

The other thing I would weigh is I think potentially important for trust. It is that patients be told if there is an access, and know they are going to be told if there is an access.

DR. HUNT: Is it important that we tell the patient or make available, as you had indicated, the ability for the patient to audit accesses to their record? In theory, by giving that patient the right to audit, you are achieving in the same way, except that it is up to the patient to decide whether he or she goes and looks, rather than us having to decide it for something inappropriate.

DR. BERNSTEIN: I actually saw your testimony on this issue. HIPAA right now has a provision for accounting of disclosures, but the patient has to ask for the accounting to be produced, and the provider or whoever holds the record has to be able to create that record.

But it seemed to me that you were suggesting that maybe in real time, that every time my record is disclosed, up comes on my computer a little ping that says, by the way, your record went here, there and another place. Is that what you intended, or did you just mean for something like the accounting?

DR. FRANCIS: No, I was actually intending to have you at least think about that. Suppose for example my — I know a lot of docs who are friends, I hang out with docs. Suppose my doc friend looked up my record. I may have no reason to think that someone had done that.

If it is in an individual provider’s office, my friend is going to have to be very curious to go to my provider, but depending on what kinds of firewalls are set up, unauthorized breaches — maybe it should be related to unauthorized breaches of firewalls.

DR. BERNSTEIN: A firewall implies somehow that there is somebody who is not authorized, but technically, as opposed to somebody in the hospital, who is believed to be in the circle of care but really isn’t, some nurse who happens to be your neighbor down the block, who is not really authorized but has access because of their work. That is the kind of thing that people are more concerned about, that is very hard to track, who gets access who is not supposed to, but because of their — that has authority.

DR. PEEPLES: I was kind of curious. In some ways you have answered this, about excluding all uses except for treatment, but harking back to what was previously said about strong-arming authorizations out of individuals anyway, since that is presently possible, how would you prevent that under the electronic health record model anyway? Are you saying that there would be no ability to get an authorization or a consent, therefore you have eliminated this kind of strong-arm tactics from insurers or other people? Is that what you are saying?

DR. FRANCIS: Yes.

DR. PEEPLES: That is very interesting. I just wanted to validate that. Thank you.

DR. ROTHSTEIN: In addition to health information legislation, that would take a tremendous range of other substantive laws, employment laws, insurance laws and so on.

DR. FRANCIS: If I could just add to that, I would do that for personally identified health information. I do think that if we are trying to look at outcomes and so on, but it is perfectly appropriate to use anonymized.

DR. GREENBERG: With or without consent?

DR. FRANCIS: Without.

DR. GREENBERG: I also want to thank you. I guess I just have to agree with — not because of lack of clarity in your testimony by any means, but thank you for confusing me further, because a level of ignorance is sometimes bliss, and the more we find out, the more questions there are. I think you have done a terrific job raising a lot of those questions, and I appreciate it.

I wanted to ask Dr. Francis, in relationship to your statements on page seven, which I found of everything that was said the most provocative, I wanted to make sure I understood what you were proposing here. I don’t know if you followed the work of this committee very much, and in particular the NHII, not as much the work of the privacy subcommittee, but the overall committee on the NHII.

One of the underlying principles is this principle of collecting data once and using it for multiple purposes, or what might be called secondary uses of data. By definition, you collect it once and other clinicians could use it, so for your care that would be within the circle of care. But by definition, that whole idea of secondary uses of data means not for medical care, but that is the principal use. The principal use is for care, and then all these secondary uses, which in fact, without those it is probably unlikely to be able to sell the system to the industry in general, without some of those, at least.

Furthermore, by not being able to do that, you could reduce a lot of the utility of the information. However, I was troubled by this to some degree. Being someone from the public health arena, it concerned me also that clearly that is not part of your — certainly not the circle of care. But then I re-read this, and it said, other uses of the entire EHR for all these purposes should not be permitted.

Putting aside whether it is really possible to not permit these things, even with informed consent, and that may not always be possible, but putting that aside, are you basically saying the transfer of the entire record should not be used for these purposes, but you would not preclude the entire record feeding information for these purposes, even identifiable information?

So for example, instead of people having to laboriously code the diagnoses for a claim, the information in the electronic health record would feed the claim transaction, or would go to an adverse event reporting system, or a syndromic surveillance reporting system. In some cases it could be anonymized, but if it is paying somebody’s bill or it is a public health situation that involves contagious diseases or whatever, it couldn’t be anonymized.

Are you objecting to that, or should I take you literally, other uses of the entire EHR?

DR. FRANCIS: What I was meaning to suggest there is that right now, we have a variety of regimes in which you report controlled substances or you report infectious. There could be a way at the provider’s office to design a screen where the billing information goes here, the infectious information goes to the infectious database, the current existing reporting requirements, and if it is an all-in system, the electronic health record information goes to the electronic health trustee, and it could be a single transaction.

DR. GREENBERG: And those other things could be fed by information from the original health record.

DR. FRANCIS: At the time the original health record is fed into the electronic health record, it could be — there could be several feeding streams. That is the way it happens now, only it goes to the chart and to the other —

DR. GREENBERG: So you wouldn’t preclude that?

DR. FRANCIS: But what I would preclude is, it goes into the electronic health record and then the electronic health record goes to the scanning, to the biller and the cost control person and whatever.

DR. GREENBERG: You mean the entire electronic health record? You wouldn’t even want information taken from the electronic record?

DR. FRANCIS: I wouldn’t want those folks to be able to mine the electronic health record. I think that you could figure out a design in which at the time the original information is fed to the electronic health record, that there are ways to do the ID reporting and the billing at the same time. So the electronic health record — and this is for trust reasons as much as anything — doesn’t get tainted with all that other stuff.

I don’t object at all — and you guys may have different views about this, but I think for public health purposes, that the use of aggregate data without identifiers is really a wonderful opportunity with this. That doesn’t compromise patient confidentiality if you don’t reveal the identifiers. That has actually been worked out pretty well under HIPAA.

DR. TERRY: I take a similar kind of view. It is really a matter of which fields can be seen by which participants in the system. It is just a matter of setting the rules for that. Obviously for me to buy into something like a NHIN, I have got to have the public health benefits and the outcomes assessment. That is one of the huge rewards I get.

I am also not terribly concerned that CDC is going to start bombing my mailbox with targeted advertising for their products.

DR. GREENBERG: Unlikely, but they might start sending you messages to stop smoking.

DR. ROTHSTEIN: I want to thank both of you for wonderful testimony. We have no public comments this afternoon yet. There may be at closing time when public comments sign up.

So we will take a 15-minute break now, and begin the panel number two at 3:40. Panel number two will go from 3:40 to 5 o’clock. Thank you very much. We will resume at 3:40.

(Brief recess.)

Agenda Item: Panel II

DR. ROTHSTEIN: Back with panel number two of our afternoon hearing on National Health Information Network. I want to thank our two afternoon panelists for presenting, and welcome you. Have you talked about an order in which you want to go? We will just go the way it is listed on the agenda, and ask Pam Dixon to begin.

DR. DIXON: I have supplied written testimony with a good bit of detail and substantiation for the broad points that I am going to make, so that you can review it later, simply because that is the way I like to do things, and I assume other people do, too. I am going to go through pretty much the high points of this just quickly. I am not a J.D., I am actually two hair-pulling years away from a Ph.D in history, where I am studying information flow in societies. So I come from a research background and also from a technology background, and also a forensic investigative background.

The World Privacy Forum very quickly for those of you who don’t know us, we have done a lot of work in investigating and researching large scale infrastructures and data flows. We have done a lot of work in the employment area. We did a year-long sector-wide study of employment data specifically as it related to all the data flows through all those large structures, and as it related to a very similar mechanism, which is resumes and portable little pieces of data that are personally identifiable. At any rate, that is enough. I would like to go ahead and jump in.

I want to talk about three things today, very simple. I want to talk about the really thorny problem of patient choice within EHR related systems. Then I would like to discuss several facets specifically related to any NHIN, whatever it may look like, and then finally, I’d like to close with a series of ten questions which I propose.

DR. ROTHSTEIN: No questions. We are supposed to ask the questions.

DR. DIXON: I know that, and I apologize, but they are questions that I have. I hope I bring a slightly different perspective so that you can gain some insight from them, anyhow.

I would like to start with patient choice. I really think that patient choice is the fundamental bugaboo that all of you are going to have to tackle with this system.

My point A, I talk about medical identity. I don’t know if any of you have looked at this yet. It is a new trend. It is quite new. It is only about a year old. It has gone into the crime syndicates and whatnot.

What has happened is that on the one hand, you have a very sophisticated crime organization stealing patient identifiers such as Medicare and MediCal numbers, and using them to alter patient records in order to gain supplies and prescriptions and then sell them on the black market.

In other situations you have individuals who are stealing identities, who are simply gaining treatment in another person’s name. I have supplied four examples in the last few months; there are many more. We have literally hundreds of them that have come into our offices. I am going to let you review them on your own, but there have been some attorney general actions on these medical identity thefts and whatnot.

There is one particular point I would like to bring to your attention, which is the California situation, which just happened a few months ago. What basically was happening is, bad actors were purchasing stolen patient information from an insider for under $100. Investigators said that searches, quote, have turned up medical charts in the process of being altered.

I believe that all of you know where I am going at this point, and that is this. If one out of six people in general have some form of identity theft, and if specifically we are looking at that kind of number of people who have medical identity theft, and altered medical charts, then I think this has very profound implications for the accuracy of any electronic health record. When a health record is made electronic, then this information which is altered — let’s say this person here in Lufkin, Texas receives somebody else’s medical bills after that individual used his identity to get medical treatment. What if he presented to a doctor, he didn’t know that this had happened to him, and this chart reflected different medical information, and what if he presented in an unconscious state after a car accident?

Unfortunately, I am afraid that this is a situation that is going to have to be accommodated. It is not a pleasant thing, nor is it something that is a positive in our society. But I am afraid it is a fact. I think for that reason alone, there needs to be a very thoughtful series of checks and balances to avoid precisely this kind of problem.

Then I wanted to also then move to patient choice regarding participation in any form of EHR or network environment, regional network, an NHIN, whatever shape that could take.

I was listening to the other testimony, and I heard things like simplicity is great and let’s restrict the secondary uses of the data and whatnot. Technology just isn’t that flexible, I’m afraid. I hate to not be a techno-Utopian, but there are just certain things that are very challenging to do.

I am not proposing any models, but basically what I am saying is this. Who gets to opt out, and why? Do we allow people who are public officials to opt out because of the potential for mischief? Do we allow victims of domestic violence to opt out because of the potential for mischief? Do we allow everyone the ability to opt out because of concerns about identity theft or security? Or do we allow no one to opt out?

So I think these are pretty much the options. They are not pretty, not any of them. If you allow someone to opt out, then you have a legacy system in some form, maybe a paper trail. Then how does the provider network, whatever that looks like, then deal with two systems? That is challenging, it is cumbersome. It is not a lot different than having credit cards and cash, but I think certainly it contains a lot more information.

So I think this issue of patient choice is really going to be the one that has to be addressed head on.

Along these lines, I think that a related question is, can a patient access and correct their own electronic health record? I touched on this with identity theft, but I would like to approach it from a different angle, particularly focused on — right now, for approximately the next ten, probably 15 years, if you look at other different areas that have digitized, for example, museums and libraries.

Basically what we have, and I put a really interesting Wall Street Journal story, where there was an internist in New York who was scanning 70,000 charts from his office and getting them into his IT system. This is the ugly process that it will take to get EHRs in operation in a critical mass. They are going to be typed in, they are going to be scanned in, and we all know that 70,000 scans just in one office, you multiply that on a scale and you have got a lot of errors. We all know what scanned documents look like. So we have a very high potentially error rate in EHRs. So can a patient access and correct their record?

Of course, my answer is, I really want that. Having said that, the next problem is, how do you authenticate that person? We just talked about identity theft. How do you make sure that person really is who they say they are without further violating their privacy?

There is an inherent tension in that point right there between the security of authenticating a person and then the privacy of making sure that person is who they say they are to protect them. That is a very profound security issue that I hope to get to a little bit later. But I think that there has to be correction, but I think that correction will have to also be posited in an environment of authentication of a person.

I wanted to add just a quick note about transactional records. I heard just a little bit of it in the last testimony. I think transactional records are going to be an issue. For example, I can get in my credit report. Can I get a list of everyone who has accessed my medical file? If so, that is great for the individual patient, but it does bring up provider and health care and other issues.

For example, let’s say that you have a complex disease process and you need five specialists. Their name is going to be on your report. What issues does that bring to those providers? I think that needs to be looked at as well. Let’s say that Pam Dixon goes to the hospital, needs five different doctors. I then go and say, I would like to see who accessed my EHR, and I get a listing of the doctors. How do we protect those doctors in circumstances where it is sensitive? For example, abortion clinics and other potentially sensitive situations, so there is another situation.

That relates a bit to blanket consent. I wrote about this, and I encourage you to read it. Blanket consent is not appropriate for any kind of digitized environment. I don’t think it works. I think there could be a revocable consent architecture that is built. It is not simple to do but I think it is a possibility.

I would like to quickly move to security breaches. There have been 94 security breaches this year. Eleven of those security breaches have been specifically of medical information. I have listed each, 16,000 individuals in Houston in January, 140 from Kaiser in January, San Jose, 185,000. We are talking patient billing, names, addresses, SSNs, confidential medical information. The list goes on and on and on.

Basically, my point here is this. Unfortunately, breaches will happen in any EHR system, breaches will happen in the NHIN, however it looks. This is an absolute fact. There is no such thing as security that is going to prevent these breaches. These breaches are already happening in an environment with approximately a 20 to 30 percent digitization rate. Breaches will happen. Therefore, how do you deal with breach?

Right now, I think you are probably all aware of Feinstein’s and Nelson’s and some of the other bills that are running through Congress trying to deal with breach notification laws. Notifying a patient of a breach is not enough, given the sensitivity of the information. So what is the answer?

I think that in part, there must be some kind of legislative answer that allows some kind of prevention mechanisms within the systems participating in the network. For example, encryption is something that could be tested to be done in stored health records. You could also have situations such as disaggregated information done as a matter of best practices, but codified within laws. There are other remedies similar to that. These are very base level things, but they are starting points to start thinking about what to do about the lack of trust and the problems that a breach will bring to the system.

Patient trust and choice. My biggest concern there is that there will be a sector, and I don’t know how large it will be, but I think there will be some people who will look at this and say, I don’t want to have anything to do with it. We know that will happen. Since that will happen, how do we help those people get medical care that is equal, equivalent in some way to the people who choose willingly to participate in an electronic system? So that is very important.

Just shifting quickly to the NHIN, I don’t know what the NHIN is, it is so amorphous. So I focus my comments on the issues that I know very well, and can comment on.

I just don’t know what the NHIN will cost. I went digging around for all the numbers, and I just haven’t seen a firm estimate. For all of you who lived through HIPAA, this really brings back all the various provisions in HIPAA, administrative simplification, it is going to save costs. I would really like to know, what will NHIN cost, and will that cost be offset by the cost savings? I guess that is my question.

Then I would like to move just briefly over the privacy and security of any NHIN, whatever it looks like, whether it is regional or national.

I talked a little bit about just one issue, which is tiered access control. Tiered access control has been put forward as a way to control the information in an NHIN. I take it apart and show why it absolutely doesn’t work at all. I’m going to let you read that.

The bottom line is this. The second you try to make this system secure, you end up with all these problems. You have got payors who cannot access the information. You have basically a system which has for years been a system that is an open loop system, in which — you mentioned earlier — there is a lot of secondary uses of medical data, and because there will continue to be secondary uses of medical system whether we like it or not, you have got to take that into consideration when you build the security in.

So what are we going to do? Are we going to have everyone go through a background check, so they can access data from thousands of points across the United States, tens of thousands of points? Who pays for those background checks? Does the government run the system? If so, what if a person doesn’t pass a background check, but they are a physician? It is a nightmare. So I would urge you to read this, because it is very well considered. And unfortunately we have had to do that work with other large databases before.

I have listed ten questions. I have set them in the context of principles which I took from the OECD and put as a conclusion. The questions are related to, can patients opt out if they so choose. Who gets to opt out, and how do you break it to them if they don’t? Do we get correction rights, and do we get to tell people who gets to access our medical data, what kind of autonomy and choice do we have?

How will health care providers be able to guarantee patient identity with a specific view toward identity while still protecting patient privacy? Big, big question.

Then of course, one-time blanket consent, is this appropriate anymore, and cost and cost savings, does it match. What will the cost of securing an NHIN be? I think it will be larger than the cost of building it over time, certainly not initial cost, but over time I think it will be a very large cost.

Then finally, if as a result of implementing an NHIN or even a system of EHRs that is networked in some non-NHIN way, if as a result individuals or patients have less privacy and less security, how is that going to be dealt with with the public? How will that be explained to the public, and when? Are patients going to be involved in this process, or is this going to be a legislative process? How does this process work from the point of view of the patient?

As a person who interfaces with the medical sector, I know it is very difficult to think that people would want to be involved in an authority process like this, but I think that people do. I think when it comes to people’ medical information, they get very, very adamant about it, especially in the area of employment, just because so much discrimination has taken place. If someone finds out that there is a genetic disease, or perhaps a psychiatric incident in a person’s past, this can really destroy their ability to get employment in the future. So I think patient information is going to be of great concern to a great many people.

That concludes my testimony, and I will be happy to take your questions.

DR. ROTHSTEIN: Thank you very much, and we will be happy to ask them. Dan, thanks for flying out here. Good to see you, and please proceed.

DR. RODE: Good afternoon. I would like to thank you for the opportunity to provide input on this issue of privacy and confidentiality with the electronic health record, and with the National Health Information Network. It is amazing that we have gotten so far in having taken these issues on, except for the work that you have done this last spring when we were all busy doing some other work. It has been a very busy year.

I think most of you know who AHIMA is, and I am not going to go through the song and dance of who we are. I would note that we are one of the principal professions that do provide privacy officers to HIPAA entities. We do have three certifications in privacy, two with HIMS, that also deal with security, and we are involved in a number of advocacy efforts related to privacy, including legislation for genetic non-discrimination and preemption, and we will probably address a little bit of that later this afternoon. We have also been very involved with the Connecting for Health program for the last three years, and so you will hear me refer a little bit to them, and then we will let Connecting do their own thing tomorrow.

Lastly, I wanted you to know that we are now in the first year of a project that is spun off of a personal health record project. That is, we are now conducting consumer forums in 37 states, addressing the personal health record. But it has also turned into a HIPAA forum, talking to patients about what their HIPAA rights are and what access to records and other things that they have the rights to in these states. We are now thinking of doing one for physicians, because we are hearing from physicians that patients have come forward and said, gee, you didn’t tell me my rights. I will refer to that a little bit further.

We need to have an accelerated effort to achieve a state of the electronic health record, but we can’t do that without addressing this situation to date. We need an ability to better collect data and to collect better data for quality improvement, public health and other purposes that benefit our population. They will be achieved through standardization, interoperability and the implementation of an EHR as an infrastructure.

It has been hard to keep up with these changes, as well as the significant other changes that we have seen in this last year, including Medicare, HIPAA, industry changes, the implementation of private security rules, new quality programs, prescription drug processing, medical order monitoring, pay for performance and so forth. If we can’t keep these straight, our patients are probably in a worse situation right now of knowing where we are with all these things going on in health care, especially when they have received notices of privacy practices from a variety of different providers, from their health plans, from their pharmacists, from their dentists. We have left individuals with a lot of confusion. As you have already heard, we have also left those same individuals hearing about lost or stolen electronic records, identity theft, and other situations which give them pause to wonder what it is we are doing and how are we really protecting their health care.

As our AHIMA team discussed your questions last week — and this was a great discussion, I wish I could have brought the group here — one of the things that came to mind over and over was the need to understand what are our goals for health care data and why have we embarked on building the standard electronic health record and NHIN. This understanding is needed within our industry and by our patients and others who deal with health information. We also need to insure that as we build our NHINs and connect them with a variety of entities, this whole process and relationship must be transparent to consumers. Otherwise, some of the issues hinted at in your questions will come to pass.

Finally, we need to understand and we need to build trust into the electronic information process in this new era of an NHIN and EHR. Without such trust, without a commitment to confidentiality and security, there will not be a complete or reliable network.

Let me set the stage a bit with the difference between an EHR and an NHIN, or as I will phrase it, a health information network. I am not going to go through Dr. Terry’s long list, but to say that when I speak of an EHR, I am talking about a standardized electronic health record, very simple concept right now, and the way I want to put it.

We see the EHR existing at a provider site and administered by the provider for the patient. EHRs can also exist at non-provider sites such as government entities, foundations, health plans and so forth. In these latter cases, the EHR would most likely be in the form of a repository. All repositories and registries, whether they be governmental, private or commercial, must be transparent. Individuals should be aware that such EHRs or databases exist. Their existence should not be kept secret. Individuals should have the right to authorize any release of personally identified data except in cases defined by law or where prior authorization or consent is given.

HINs will serve as a means of electronically exchanging health information in a secure manner. Some networks could contain a repository, others will simply serve as an exchange or network between appropriate entities. The former case I will talk about later.

This latter case describes an interoperative electronic mechanism to exchange information, and to that extent is no different than any exchange of data we have to date, presuming that the NHIN at either end of the network is itself not considered part of the network. So we are looking at a spokes kind of a system, but saying that the pieces at the end of the spokes aren’t part of the network per se.

When we talked about your questions, we decided to approach them from an EHR and go out, rather than in the order of your questions. So I am going to take question five first, should individuals have the option of having their health records maintained only in paper form.

AHIMA believes that an individual should not and cannot be given the option of having their health records maintained only in paper form. Individuals who seek treatment in health care systems must conform to the recordkeeping practices that exist as an industry standard. To provide an option for paper-only records would damage the integrity of the patient’s information, especially if the individual’s information had to be treated differently from other patients, add potential complications to insure confidentiality and security in a hybrid office, give the false impression that paper is safer than electronic, and result in cost from duplication of efforts and create an administrative nightmare.

While the hybrid record systems in the electronic world should not be the norm, every EHR and other collection or system of PHI must have the capability of being printed to paper should the patient or other legal authority require or request such a copy. Likewise, to avoid any fear of record loss, every EHR or collection or system of PHI must be protected against loss of data with appropriate backup security. Because individuals are familiar and experienced with the current health information standards, they are for the most part comfortable with existing paper health record systems. Rather than attempt to create a paper form option to the EHR, the industry must address the health consumers’ concerns regarding the EHR systems. As the e-health information systems become commonplace and refined, consumers will become more familiar and comfortable with electronic health information, just as we have all become comfortable with similar changes in banking and finance.

Education has already been raised several times this afternoon, and I am going to raise it several times more. It is going to be very important to educate consumers and others on just how such systems work, and why EHRs will facilitate better confidentiality and security.

What information should individuals be able to exclude from their record or the NHIN? Again, we need to separate the EHR from the NHIN, and assume at this point that we are discussing an EHR at the provider site. AHIMA believes that there should be no exclusion of information in an electronic health record, just as there should be no exclusion of data in a paper record today. Exclusion of data from the record means that the provider has an incomplete record that could affect the care rendered in the future to patients.

Many providers will refuse to render care under such restrictions. However, providers do segregate records or provide greater privacy for parts of the record, either at the request of the patient or because they are required to do so by law. For example, adoption records, HIV and so forth.

Somewhere in the organization is an indicator that a separate document exists, and has limited access or is not to be shared. In an electronic world with EHRs, the same protection for such records can exist. In fact, it probably can do a better job, because access to parts of the record can be limited. Electronic logs can identify who has actually accessed and seen the data in the record, and an immediate signal or message can be triggered when such an action is occurring or has occurred.

In the meantime, clinicians are staffed with appropriate access credentials can be aware that appropriate information exists, and can seek to use such information when appropriate with patient or legal permission as needed. I probably go a little further beyond the circle of clinical care that was mentioned before.

The question gets a little more difficult as we think about the potential identifier in an HIN. The one that is built to allow or request to seek the records for an individual, we will call it the record locator service, when the identity of the record holder and the type of record in effect provides personal health information about the patient. Should there be some type of screening, similar to what would be needed within the provider setting, to allow access? Should patients be allowed to exclude the record locations of some of the records? Perhaps, but such exclusion is not without potential health consequences, and consideration must be given to the role and responsibilities of a requester looking for records, just as they must be within an organization today.

A patient usually wants to restrict information in a record because of access issues or disclosures. The patient’s restriction is generally made out of fear regarding what would happen if such information were released. AHIMA is convinced that if this fear or the lack of trust in an organization’s confidentiality could become a significant barrier to the use of EHRs or NHINs, even worse, could result in an incomplete health information for the use in making treatment decisions.

Another reason for requesting to exclude data from a record comes from a lack of understanding of the implications of such a restriction. Patients may not understand the impact of the provider’s or the clinician’s ability to treat the patient or how the patient can be negatively affected if such information is not appropriately available.

As we think of potential errors, we can see in the future a systems knowledge of restricted information could to some extent at least trigger a potential error message, which would in turn permit a better health care decision. But it will take education of patients, something more than just a privacy notice, to understand the benefits and options available in the EHR of the future and again, the limitations and access to information of the NHIN.

It is not clear that the personal health information will exist in a static mode within an NHIN, if you take the perspective that the repositories or registries exist at the provider or similar site and are not considered a part of the HIN. HINs could have PHI contained either at an internal registry or the RLS. In any case, AHIMA believes the patient should have the same right to control access as they do for records kept by the HIPAA entities now. Patients are individuals whose PHI flows through an NHIN, must also have the knowledge that the HIN has been built and is maintained with security measures necessary to prevent an assault or inappropriate access to whatever PHI exists in the network. Records kept at the tangential points of the network would continue to fall under current HIPAA constraints, if the entity is covered by HIPPA.

As this subcommittee is very aware, there could be entities attached to the HIN that are not covered under HIPAA, leaving the distinct possibility that confidentiality could be breached. If individuals are going to trust the HIN, then they must know who is in the HIN and that all the entities are required and committed to maintaining the confidentiality of all individuals’ PHI. The HIN will be judged in all its parts, not just some of its parts. Protections for confidentiality and security must be broadened to cover all entities holding PHI.

Because networks will cross state boundaries, the HIPAA floor requirements must be raised to include best practices that shall apply in all localities for all types of entities, public, private or governmental. When it comes to the NIH, we often hear of benefits, including access to records in time of emergency, access to ancillary testing by multiple providers to save time, pain and money, access to data perhaps identified for research, public health and bioterrorism monitoring, exchange of information in a trusted secure network.

The networks linking PHI from EHR to EHR or similar registries will provide these benefits and have several advantages over our limited system. More appropriate detail will be exchanged, more securely and faster. The questions that arise as to who has access to the PHI in the tangential record, paper today, EHR tomorrow, remain. If this HIN or national HIN concept is to be successful and useful for patients in population health, these access questions must be addressed.

The paper records and administrative problems arose related to privacy rules and administrative requirements. To meet these needs, the HIPAA rules established a provision that allowed waiver of consent for release of PHI for treatment, payment and operations. From AHIMA’s annual privacy and security survey, we know that more than half the states still require consent for release of TPO information, and many entities have decided to continue to obtain consent, even though they are not required by HIPAA.

Some of the barriers paper records present in the form of administrative procedures can be overcome with the EHR. For instance, having an EHR might be cause for me to have a conversation with my provider or my administrator of my EHR over who is allowed access. Yes, I want the physician who comes in through the NHIN to have access to all or some of my information.

These are all possibilities that arise out of an environment of EHRs and HINs, but two other needs arise. First, AHIMA believes that the HIN systems must employ some way of identifying the requester, who is it and whether they are who they say they are. It also means that there must be a mechanism of identifying what information it is that they seek and why. These requirements come from a need to know, how much, or what part of a record is needed for the purpose at hand. It is a reflection of the minimum necessary concerns that continue to arise when responding to requests.

For instance, if information is needed for a claim, should it be necessary to send the entire record if asked? Even in cases of treatment in emergency rooms, some individuals want all pertinent information sent. At the same time they would probably object to having their family counseling information sent.

AHIMA is convinced that the EHR or HIN must have access controls and monitoring, ability to identify the requester, authenticate the requester, and understand the reason or purpose of the request for PHI, in order to exercise minimum necessary restrictions as defined between the patient and the provider or administrator of the particular EHR holding the information being sought, ability to log in the information regarding the requester and request for accounting of the disclosures.

I have to make two comments about that. Obviously, some of these restrictions would be tempered on the size of the organization, just as we have tempered some of the security regulations now.

The second one is that I have come in front of this committee and suggested that we be relieved of some of the accounting ability for logging disclosures, and that request still exists. But I want to define that there is a difference within the electronic health record. The electronic health record, we have some automated ways to be able to do that, which we don’t have today in a paper record. That is why it may sound like I am talking about of both sides of my mouth, but we do believe that we should have accountability for disclosure, but we have got to have some accommodation for today’s situation.

There is a second need. Besides the software elements in an EHR and an HIN, this is the need for the patient to fully understand the HIN and their uses. AHIMA believes that if individuals are going to benefit from these technologies to the fullest, they need to understand how the technologies work and what the impact of consent or authorizations will have on how well they will work for that individual.

Many fear this new highway of health information because they don’t understand it. Educating the patient means that we should do more than give them a copy of a notice of privacy practices. We must have educated staff who sit down and explain the impact of decisions related to whether an individual wants or does not want to have information shared, and the protections available to them. EHRs will give us more security and flexibility, but as an individual I cannot benefit from this if I don’t understand it and know what my options are.

AHIMA’s project on the personal health records is already addressing how the HIPAA operations work. Perhaps in the not-too-distant future, we can educate consumers as to how NHINs will work, and what decisions the individual must make, what protections are in place, and what the benefits and limitations are of these tools.

Today there is the potential for too many competing standards, guidelines, rules and regulations that hinder the success of such an NHIN vision. To the extent feasible, a single set of national privacy and security rules and a single common framework for these protections across the networks must be encouraged. Variation in guidelines, rules and regulations will add to administrative complexity of personal health information management and the NHIN, as well as confusion to the individual whose health information is the focus of such a network.

What are the implications of letting a patient control their records? The IOM reported that a direct relationship between patient safety and availability of health information was necessary. Incomplete records place the patient at risk. To provide the best possible care and to insure patient safety, the providers must have access to the individual’s complete health records. In the same light, providers can best serve the patient when they know that they have a set of complete information regarding the patient.

As the HIP discussed this issue, the point was raised that perhaps the government should take on a community or parental approach and simply pass a law that says that everybody’s information will be in the system. I think we heard about that a little earlier.

There was also the fact that perhaps a request for service, for instance, arrival in an emergency room, should be considered as permission to obtain any necessary records. While these might work, we do not believe that our American culture would tolerate such an approach, no matter how good the intention.

AHIMA does not consider the decision to be one of whether the individual’s records will be part of the HIN, rather it is a question of the patient’s desire to have PHI shared for one or another of his or her EHRs. The only time a patient needs to consider the HIN is when there is a potential for the use or release of PHI in an internal registry or the ROS. If it is a registry, then the discussion must take place that the provider health plan or other entity sending information to this HIN registry, similar to other disclosure discussions. The RRLS will require similar discussion, but the ramifications are different and will need to be explained.

We suggest that HIN registries, ROS or similar functions require an opt-in approval of the individual at the time that access and release decisions are made. This way, the individual can maintain the right to safeguard PHI confidentiality.

Remember, we are also recommending educating individuals to make these choices. An opt-out option for the PHI that might be made in an HIN makes too many assumptions about the individual’s desires, and makes it easier for an EHR administrator to avoid the entire discussion.

What model do we prefer and why? I think you already can tell this one. We have worked very close with Marko for the last three years. We are part of the 13 organizations that responded to the RFI. From that perspective, we favor a rational health information organization approach. We see the NHIN as a network of networks governed by a common framework which would include approaches to identifying patients, providers and requesters that we have addressed and our previous answers to your questions were based on this perspective.

No HIN that we are familiar with prohibits individuals from carrying their own PHI device. However, while AHIMA supports and promotes individuals’ use of personal health records and the integration of personal health records with individuals’ electronic health records, we are concerned that hand-held PHRs currently have obvious limitations that can affect the integrity of the data they possess, and lower the level of confidentiality compared to using electronic health records via an HIN.

From an HIN perspective, AHIMA sees several implications we believe must be addressed within the network. HINs with internal registries are serving in the capacity of a central EHR will need to address the same requirements regarding access, use and disclosures as the provider or plan that administers an EHR. If there is an ROS that has to contain PHI, then access, use and disclosure will have to be addressed with the individual and the function itself must be built to insure appropriate access to patient approved information. Any entity associated with or using the HIN must be covered by the same combination of privacy and security requirements as all those other entities in the network, and to fully function there must be a privacy ceiling across all networks.

The data exchange process and security pieces associated to achieve access and disclosure within the network itself must also be uniform, or information will not flow between networks. Health care data, especially PHI, must be protected no matter where it resides, or the industry will be spending considerable amounts of money and effort that will not result in the protection that the public is seeking.

While there has not been a decision regarding the model, it will come into play. Our comments still remain true, I believe.

What other recommendations do we have? Our recommendations fall into two categories. While confidentiality and the accompanying security are needed to protect PHI, our principal objectives in this discussion, there are no foolproof systems, processes or regulations that can or will provide 100 percent guarantee of protection without interrupting the continuum and quality of care. AHIMA believes to build and insure trust in an EHR or an HIN, individuals must be free from the fear that they will be discriminated against if their PHI is inappropriately accessed, obtained, used or disclosed.

In a world where stories of identity theft, discrimination and other breaches of privacy fill the news daily, individuals must be assured that such misuse of PHI will not be tolerated. To this end, AHIMA supports current efforts to see enactment of a genetic non-discrimination law, supports efforts to insure that serious penalties in the form of fines and criminal penalties, exist and are forcefully employed for any misuse of PHI, including but not limited to discrimination, identity theft or inappropriate commercial use. To this end AHIMA also support efforts to insure that individuals as well as institutions are held responsible for any misuse of PHI.

Support efforts to insure the non-discrimination protections apply to all PHI, and that such protections apply to PHI whenever and wherever such violations occur, including those committed outside of entities currently covered by HIPAA. AHIMA believes that if we do not address and resolve these issues, an NHIN will fail to meet its goals.

We have discussed several concepts today. We need to see a fully functioning NHIN with a public employed in this process that understands what it is, how it works, where the data goes, how the data is used, and how it might best serve the public.

We think that this committee, we think that associations like ourselves, are in the position to do that education, as soon as we figure out what this common framework and common entity is going to look like. We further believe that as we develop the NHIN and as we develop the privacy and security pieces that go around it, we need to have a uniform communication to the public. We cannot have another set of privacy notices that are different from provider to provider and leave the patient more confused as to what this entity is that they are looking at than we have now.

This education and communication needs to start, because it has been very obvious even this afternoon that it is not clear where it is that we are heading. We believe that the use of EHRs and the use of an NHIN is so important to the health information and the way it can be used for patient health care, that we can’t let privacy and security essentially sink the ship. We have got to come up with some way to deal with this, and we hopefully can deal with it together.

We are working as hard as we can as an association to do this. We congratulate you, because you have been working for the last three years, and I have sat through most of your meetings, watching you try to do this. I thank you for the opportunity to have a chance at this discussion.

DR. ROTHSTEIN: Thank you very much. You laid out a very comprehensive list of suggestions that we will have to consider in due course. The floor is open for questions, and we will proceed in the same order as before.

DR. HOUSTON: I know Dan had raised this as one of the recommendations under question six, but I am going to also ask it of Pam. I think this is in my mind one of the more important things that can be done in order to strengthen privacy. It relates to penalties.

You raised a lot of examples, Pam, of identity theft. I think being a security as well as a privacy professional, and worked for a health care provider, we can do all the things that we can do to try to protect records, and if somebody wants to get a data, they are going to figure out a way to get a data.

So I wanted to make sure I understand this completely. Should we be focused on looking at the bad actors? We can go after the health care providers saying, you can put the best security you can in place, and we can put penalties in place, but it is a different set of people that it sounds like we need to go after.

To dovetail on Dan’s recommendation or AHIMA’s recommendation, should the penalties be extended outside of covered entity for misuse of data?

DR. DIXON: I discussed this in the comments. I do suggest that a prior right of action is important. There are so many exclusions.

DR. HOUSTON: I’m not talking about a private right of action. I’m talking about, if somebody goes and steals data, whether they be working for a hospital or not, they go and steal data for some ulterior purpose, should there be laws on the books to prosecute those people? Should there be special laws that will give the government a right of action in addition to identity theft, the way they prosecute people for identity theft, to strengthen the public’s trust in allowing their health information in an NHIN?

DR. DIXON: The first thing I think about with that, it is very similar to spyware. If you look at California, California has a very specific spyware law. It is very lovely, it is a lovely trophy, but everyone is prosecuted under Section 1031.

PARTICIPANT: Under what?

DR. DIXON: It is a computer fraud abuse act. It is a pretty decent federal security law. The fellow, Shuh Shang, who was the hacker, who had the key logging program in Kinko’s, he was prosecuted under that particular law.

I view very much the same thing in this situation. I think that there are appropriate laws which could deal with those kinds of bad actors in the theft of personal information. That is not to say that it wouldn’t be appropriate to bolster some other rules.

If you look at financial practices, you have Granwich-Blyly and the various rulings on that, that have increased security. I think you are going to see those again go forward. I think that there could be some additional pieces that were added, but I do think that it would always be a bit of a patchwork. I don’t think that is a horrible thing.

DR. RODE: In 1997, the year after HIPAA was passed, there were some laws passed about misuse of medical records. They haven’t been used very often, but they are starting to be used.

We hear of stories of people that are paid 100 bucks to go swipe a record. Every election campaign, some politician’s record mysteriously appears. We just believe that we need to make an example of them. I hate to put it that way, but an example needs to be made that it is not worth your while to steal health care data. Generally when it is stolen, until we get to the identity theft thing just recently, it was done for some personal reason or something to injure the party that the record was stolen itself.

With the identity theft, in Washington, D.C. recently a unit clerk got arrested for identity theft. The interesting thing was, the unit clerk was being observed because they believed the unit clerk was part of an East Coast identity theft ring. So we now have criminal groups entering health care organizations to look at a health care record. We have got your mother’s maiden name, we’ve got your social security number, we have got everything. We even know the city you were born in.

We have got to do something with this. Ninety-nine percent of health care employees plus are — we have got to do something.

DR. HOUSTON: Back to your recommendation, though. Should the data be extended to individuals how are outside the health care realm? I know the original issue — the ruling came down that individuals could not be prosecuted under HIPAA, which I think is an issue.

DR. RODE: The reason we added it was because of your committee’s testimonies over the last two years. We heard, or didn’t hear in a couple of cases, didn’t get people who were willing to come forward, of situations where the information was released after it left the HIPAA entity. It was given to a state agency and released out of the state agency. It was given to one of the data collection groups, and the information got leaked out of a data collection group.

We have got all these entities that get personal health information that are not covered by HIPAA. If we were to take all this effort to fix the network and to make sure the health care entities are being covered, how can you then say, we have got this wonderful effort, that you can give it to an agency that is not covered?

DR. HOUSTON: I’m worried about the people who are bad actors, who go out and hack into a system that is secured to the best of somebody’s technical ability, and should there be additional penalties for those individuals because they have chosen to go after a class of data that the society puts an additional emphasis on from trying to protect?

DR. RODE: I think the answer is both, really.

DR. DIXON: I think the legislation would be very tough to pass, though, depending on what the corporate responsibility would be in response to that bad actor. Are we talking about a corporate entity that is a bad actor?

DR. HOUSTON: I’m talking about third parties.

DR. DIXON: A third party.

DR. BERNSTEIN: A third party can be a corporate entity.

DR. HOUSTON: It could be corporate. I am thinking of the teenager, or the identity thief.

DR. BERNSTEIN: You’re not worried about the nurse?

DR. HOUSTON: I’m worried about the nurse also, but Dan’s recommendation, I was concerned, was focused toward those types of individuals and not the others, who I think are just as likely to —

DR. RODE: I don’t think we would have any problem extending that comment to include someone that came in and wrecked the integrity of a record, which is what could potentially happen here, as much as someone who takes the record and uses it inappropriately.

DR. DIXON: I think the integrity of the records is very important. I have a different conception of the technology than you do. I don’t really separate EHRs from networked information, because once you get information in zeroes and ones, networks and pathways through networks can be created at will and ad hoc, and then they go away. It can be somewhat amorphous.

I don’t view the NHIN as a fixed entity for that reason. Records can be e-mailed, they can be FTP’d or transferred through files. They can be transferred in so many ways. When you get all this digital information, you have ease of transmission that is just amazing. The second you can get information to scale, that is when you get all the professional thieves, and that is where you run into real trouble.

I think that any law that would be additional would have to be very carefully crafted so as to complement HIPAA, but not create so much backlash among corporations that it would be killed. I can tell you that right now, laws to protect people within financial institutions are getting killed left and right, and very similar kinds of breaches within financial institutions. That is because of corporate interests. So I think there are some strong lobby interests, and they would have to be dealt with, if that helps at all.

DR. REYNOLDS: I appreciate both your comments. This whole covered entities thing as Dan mentioned, it has been a discussion we have had over and over again. We heard something from the earlier testifiers on the circle of care, which obviously zeroes in on the EHR, that would be held a little tighter than maybe what has been discussed before, versus, PHI says it doesn’t matter whether you have got an EHR, whether you have got a standard record, whether you have got anything else you have got going on. If you touch PHI, you are in the game.

So having said that, do these things work together, the PHI statements and the circle of care, or do you think that one or the other takes precedent, or do you want to leave them split?

DR. RODE: I have a problem with the circle of care concept as I heard it this afternoon, only because I have been in the industry more years than I care to comment on. Our ability to restrict the data down to just clinicians — I’ll leave it at that — still in many organizations would not allow us to handle data correctly.

So first we would have to define who is in the circle. Then we would have to apply how that circle applies to different kinds of entities, because I can have a different circle in a two-man physicians’ office than I am going to have in a tertiary teaching hospital.

Then I’ve got to define, if I am sending data out to a laboratory, was the laboratory in the circle of care? Is there data I shouldn’t give the labs that I give them now because they might have too much data to do their work? It raises for me at least out of my experience, too much.

On the other hand, I look at an EHR and I look at what we have already built in the security world, and if we begin to apply the access to an EHR, that we don’t have the paper record, we have taken some major steps.

Right now, as much as we try to secure paper records, in a larger institution you don’t know who has touched that record all the time. You have got the old record down in the record room, you’ve got the new record up on the unit, you might have some information over in radiology and in four or five places, what you need to do to render the care. But I don’t have any idea who is accessing it.

I’ve got an electronic health record; I’ve got at least the means to be able to log that process through. I think we have to think about, we are in this transition period right now. I don’t think we can say we are going to do this tomorrow, this is the way we are going to do it. We have got to transition to some type of a model that begins to allow us to apply these safeguards. We don’t have the safeguards today.

But if I have got the access built in and I’ve got the logging capabilities built in, and I have already got in HIPAA that the patient can demand to find out who has done it, then I have got some of that there. But I’m just not there technically yet. I’m still dealing with a paper record.

DR. REYNOLDS: You’re saying log every time somebody touches a PHI?

DR. RODE: Essentially that is the system right now. In my last hospital, that was awhile ago. They knew when I went in the system and went out. I had to sign in every day. They knew what records I touched.

DR. REYNOLDS: Didn’t AHIMA put together an estimate of how many people touched a record? I think you gave a number.

DR. RODE: Yes, I think we have done a chart like that.

DR. DIXON: I’m going to read you what I wrote when I was listening to the circle of care comments. This is what I wrote, honest reaction, I didn’t think anyone would read it.

Circle of care, concept, beautiful, challenging. Simplicity is not possible, cannot restrict information to medical use only. Mechanically cannot keep different categories of people out. The technology isn’t a fix here.

You cannot have an electronic circle of care. If you look at the technology, it doesn’t happen that way. We are just not there yet, maybe in 20 years. So therefore, you end up with what you were talking about, the logging capabilities. I have to tell you, I think the logging capabilities are a very, very weak kind of technology to rely on. We have seen over and over very sophisticated technology companies such as ChoicePoint, Axiom, Lexus Nexus, they can’t tell law enforcement who has logged what to great precision.

So for example, if you look at a personal health information, we can say someone accessed it, but can we say what they did? Did they look at this part, that part? Then what did they do? Did they print it out? After they printed it out what did they do? There are certain limits.

So given all of that, what do you do? I think what you were hinting at in our question is, you were — I could hear you thinking about a tiered access to data. I do think tiered access is possible. For example, gradations of people who can access the data. But I think a conception of that is a little bit different.

Let’s say you have just for the sake of example, let’s say that we were accessing personal information on a network right now. Who in this room would get access, and how would we make that decision, and how would we determine they got access? If you can answer that question for this microcosm, you have got it. You come up with a system of, okay, we give you one kind of access, an access credential, we will give you another, you another, you another and so on, and that can be built into a system.

When you look at a very secure architecture such as you find at the FBI and whatnot, that is what you have. It is hard to build.

DR. HARDING: Let me change a little bit here to two incentives. Bear with me here. I feel that my personal health information is an asset that I own, and I am willing to — using a banking analogy, I am willing to put that asset in the bank, because it is going to be safe there, and it is going to be in a savings account or something. I know that I can always get to it within a reasonable amount of time and so forth, and altruistically that asset is going to provide interest for the public’s health and case management and other things that I altruistically feel are important.

So why isn’t the public demanding this? The public doesn’t give a blank about this, really. Some people do. The public doesn’t care a great deal about this issue, in my opinion.

DR. ROTHSTEIN: About NHIN?

DR. HARDING: About NHIN.

DR. DIXON: I think they will.

DR. HARDING: They don’t know. My brother is an orthopod. Somebody comes in with a shoulder and he says, yes, you’ve got a shoulder, all right, and your elbow is sore and so forth. They have to beg him to operate. They have to come in and say, please operate.

The public is not doing that to us. We are doing a downward movement here, coming up with things that we feel the public should do, and the public isn’t that interested, in my opinion. So how do we incentivize? What is in it for the public that the public can understand, that they are going to be begging us to get this system up and going?

DR. DIXON: May I jump in? I think that this system, if you look at just the continuum of the maturation of technology, this will help it, because we are moving from an analog society to a digital society. So this will help it. It is almost a moot point.

I don’t think there needs to be incentive. I think you will have electronic health records and some form of NHIN.

DR. HARDING: I agree that it is happening. But for it to really work and for acceptance to be there, the public has to understand. You can’t leave me out of this. I want to be on that thing because I get something out of it.

DR. DIXON: I think you have to do really substantial risk management. I understand your incentive. I think of course medical research and progress in that area would be something that comes immediately to mind, and hopefully better accuracy and et cetera. But I think if accuracy isn’t in fact better and if treatment isn’t in fact better, I think then all the risks rise higher in peoples’ minds.

I think it was you who mentioned that there would be a bit of a revolt. I think Americans are a tremendously tea party bunch, and I think the risk management is going to be —

DR. HARDING: The majority in my opinion are passive. They are passive.

DR. RODE: I think they will buy the system for all the reasons they heard from President Bush on down, for reduction of medical errors, for improvement of quality, for bioterrorism monitoring, for public health. But the more they hear that they could be damaged because of information in there, then the level will start to rise, or the pushback will start to be there unless we have got some answers for them.

DR. DIXON: Right.

DR. RODE: As I have looked at some of the studies that come out of different places over the last year, the biggest place is in discrimination. I don’t care if you have my health information, I really don’t. You can use it for Marjorie’s shop and for Atlanta and for everybody, but don’t you discriminate against me because you know I am a cancer survivor and I have a better statistical chance of having cancer again, and you don’t want to give me a job.

DR. HARDING: I’ll stop, but I think the only thing the public is listening to right now is the negative incentives. You put that thing in computers, and everybody is going to know about it, and that is what they are hearing right now.

DR. RODE: But the education. It has got to talk about the other side, and that is why the education is so important. I have used Mark’s hearing with the school nurses so many times to talk about the problems of getting health information into the schools where it needs to be. Those are the things that people have got to start to hear.

DR. DIXON: I think it is still a bit amorphous. I don’t think there is a firm shape. I think that is why you are not seeing a complete picture at this point.

DR. TANG: Let me see if I can summarize somewhere between the lines for your testimony, Dan. One is to create legislation to prevent bad behavior. I translate that as a process restriction. In other words, you have comprehensive confidentiality legislation. Anyone who touches PHI gets stuck with the responsibility, period.

Then you have a law against bad decisions, and that is the anti-discrimination. In other words, you cannot make unfair decisions about people.

Third, you would ask if you have tools that allow you to enforce these laws. That is auditing, those kinds of things. Fourth, to figure out the education, perhaps that is one of the biggest.

That is what I thought I heard from you. Did I put words in your mouth?

DR. RODE: A few. I would reword that to say that we want a law for bad behavior in the misuse of PHI. To take John’s example, that is organizations, which says, if you have PHI then you protect it. It is individuals who may misuse it, it is people who may endanger the integrity.

It is suggesting that as we build the tools, we build them to some type of a privacy model. I don’t think we have the tools right now, but if we want to maintain a trust with the public, we want to give them what we said we would give them out of HIPAA, then let’s build the tools there, tiered access or whatever settings that would help protect it, as we move into this process.

We are not there yet. The majority of the people don’t have electronic health records. We don’t have any functioning health network that I am aware of to any extent, but we have got time to look at that and make sure these protections are in there.

Then the education piece I think comes now, and it keeps coming. But the thing that you may not have caught is, it is not only education. I can go out to the Chamber or the Lion’s Club and give a great talk about this. The education is when the individual is sitting there with the physician or someone in the physician’s office, and they are new and they say let’s talk about what your access and your disclosures are going to be. It is not saying, here is our privacy notice, would you like to sign this, this is saying, we have the ability to give your information to any doctor in the country, so if you are out in Arizona and there is an accident, would you want a doctor to have access to that information? What is 99 percent going to say? Do you want your child’s school nurse to have access to this? Do you want the pathologist to have access to that, and actually have a discussion.

We did not have a discussion with HIPAA. We put six to 11 pages in front of somebody and said, trust me and sign this. I think we have to do a little better than that, because that question is going to start coming. Somebody is going to say, I hear you have got a new electronic health record, Paul. Yours isn’t like that one over at Kaiser’s, is it, where they stole all the records? Can you tell me why I should sign this and allow that? The discussion has got to be there, too, and we didn’t do that the last time. I think long term that is one of the things we have to do.

DR. ROTHSTEIN: I have a question. I’m not sure it is a question yet, but I may phrase it in the form of a question.

I want to take issue with something that Richard said just a couple of minutes ago. That is that people really don’t care about their privacy in the abstract, but only when their information is used to their detriment.

DR. HARDING: The majority of Americans, I’m saying.

DR. ROTHSTEIN: Well, that may in fact be true. But there are many people who have things in their medical records that will not result in loss of job or unemployability or loss of insurance, but they consider to be very personal, that they don’t want widely disclosed. I think we need to be concerned about the intrinsic privacy loss that people feel if this information were disclosed.

The other point that is related to that is that many people are concerned even if it would be released to a health care provider, because all health care providers are not made equal. Something that I told a provider 20 years ago, my current provider doesn’t need to see that. I was in a different life stage, or state of affairs then, and I don’t want that in my mind poisoning the relationship that I have with my provider.

So I think it is going to be even more complicated than we think. The last panel suggested this division between non-health care and health care uses, and I don’t think it can be that neat. We may have to refine who those health care users are. I don’t want my ex-brother-in-law, just because he is a doctor — I don’t even have an ex-brother-in-law — to gain access to my medical records, right?

I don’t know how we do that. I don’t know what sort of restrictions we can place on providers. Some patients are seeing provider X, and they don’t think that she is a really good doctor. They want to go to see why, but they don’t want to give up on X because Y may not be any better than X. But they want to go to Y and they want to still have the option of going back to X and not having X know that they saw Y.

How do you do — there are hundreds of these permutations. So can we design a system that can build any of that in?

DR. RODE: I think it is inherent in the model we were talking about where the EHR is not part of the network, where you are going from one entity to another and saying, I would like to get information. I may have to go through a locator to find you, but at the same time, what information it is that I want.

You don’t need my whole life’s history, the fact that I was in college and had a social disease. I didn’t, but maybe that happened when I was 23, and you are treating me for a urological problem and I am 55. So do we specify episodes of care? I would like to think, and you all have to tell me that a physician is capable of saying what kind of information they want to get out of the HIN. I don’t think any physician I know of wants to go out and say, give me every record on Don Rode, wherever he was, and bring it back to me, which some people envision this network. Who is going to read all that stuff?

You are going for specifics. I think one of the issues on the minimum necessary, the thought behind it that didn’t quite work out, is what is the message that is going to go through this system right now, what is the message we use right now when Doctor A wants information from Doctor B? What kinds of processes are we going to use in this system?

Scanned records won’t do it, either. If we started an electronic health record today and they were all built and they were all the same standard, are we really talking about going into that record and looking at everything? Paul, when you look at a record, do you look at a patient’s entire history or do you look at parts of the record that are most attuned to what you are trying to treat today?

DR. TANG: How would I broadcast what it is I need without sharing essential information? Your example about the SPD in a woman could be very relevant to a future abdominal pain. So I need the searching capability without broadcasting my intent.

DR. RODE: That may be the envelope that we were talking about earlier, which is the means to pass an envelope through the system from provider A to wherever provider B is, which is why we need the locator, to say I have got a situation. But it still requires the trust in Doctor A and Doctor B. I have got to have that much trust.

DR. DIXON: I think I really come at this from a different perspective. I understand that, but I think it is important — I want to point out patient choice again. I know it is very unpopular to say that patients should have choices in this realm, but I’m sorry, I think patients need choice. I think that patient should have the ability to say, I don’t want an EHR, I don’t want it on a network.

I don’t think you are going to be able to have an EHR that is not on a network. It doesn’t work in terms of the technology. That won’t happen long term. An EHR will be part of a network; it is just the way the technology is going to mature. So in that case, why can’t the patient choose to not have Doctor A find out about what you are doing with Doctor B? Why not?

DR. HARDING: You will give up liability. That would be at least a consideration. It is not very good ethics, but that would help if there was no liability for what was left out.

DR. HOUSTON: But also, let me say this. There is also the insurance component of it, which is that there is a quality of care impact which says that the insurer A can no longer insure you for X dollars a year because you have decided to excise parts of your record, which makes it —

DR. DIXON: You are talking about not having a doctor find out that you are seeing another doctor.

DR. HOUSTON: I understand. That is a side effect of it which we can use as a bright-line example. I am concerned about the case where relevant information is withheld from a physician who needs to know it, and as a result there was an impact on care, which has the liability issue. But I think there is also an equally likely event that because you didn’t get as good care that you are going to — that is going to impact the cost for an insurer to cover your medical expenses. That is part of it too which concerns me.

DR. DIXON: And I understand those arguments, but I want to go back to the idea of an STD. Why can’t you keep that selectively from a physician until you believe that that becomes necessary? Just like you do when you are giving a patient history when you are sitting down with a doctor.

DR. ROTHSTEIN: Right, and there are many other situations. You could have beyond STDs, where there would be no plausible medical significance of something that happened 20 years ago.

One general comment I want to make is, as we are trying to envision this future system, many people want to have it perfect, where docs are going to get all the records when they want it, they are all going to be accurate, they are all going to — that is not life today. Life today is, the medical records contain lots of errors, and the fact that they are so dispersed in ten or 12 different providers is tremendously inefficient, and it compromises patient care, but it does have the net result of protecting privacy. So something that happened to me 25 years ago, they couldn’t find it if they wanted it. But in the future, if we tie everything together, all they have to do is press a button and there it is, all of this embarrassing thing that happened to me.

DR. DIXON: Privacy through obscurity. It is classic. It is like the court records, people who bounced a check 24 years ago, all of a sudden they are getting fired from their jobs for the first time.

DR. TANG: Just to comment on the choice thing. So you apply for life insurance. There is this MIB that has tied together all your medical records from all your years.

DR. ROTHSTEIN: No, it only covers applications for life insurance.

DR. TANG: That have disclosures, that you sign under penalty of perjury that I am disclosing all of the things about my health, because I don’t know all the things that you use actuarily to estimate whether you are going to accept me or not.

We make a choice all the time. We make a choice by renting from Blockbuster. As everybody knows, Congress came around and said, I have got a fix for that behavior, which is to make all rental records secret.

DR. BERNSTEIN: Blockbuster has a fix, which is, you sign your signature every time you get your little Blockbuster card, and it is irrelevant.

DR. TANG: We are saying we want the choice, and we don’t want to play by the rules that the other party is liable for in terms of responsibility. So the life insurance company — not that I hold them in that high esteem — but they have to make their actuarial decisions. Doctors have to figure out whether your social behavior in college is relevant to your abdominal pain or your infertility workup today.

DR. ROTHSTEIN: There are lots of things that people don’t tell doctors, because they don’t want them to know.

DR. BERNSTEIN: Or it is forgotten.

DR. TANG: But interestingly, we unlike the credit bureaus, the life insurers, they don’t make you sign under penalty of perjury. Maybe we should.

DR. ROTHSTEIN: It goes both ways.

DR. DIXON: What is wrong with a balance in the system? I think that each side is obviously going to come to a compromise, but I think right now the compromise is weighted against patient choice.

DR. ROTHSTEIN: Excuse me, let me cut in this. We have got some other people who need to get their questions asked, and I don’t want to run too late. Bob.

DR. HUNT: I want to thank you for further illuminating the difficulty of choices, and I pass on the question.

DR. PEEPLES: Ditto.

DR. HOUSTON: But the issue of patient choice — and I know we are getting into this philosophical argument — right now what we are hearing is that the current state of things is not good enough, that we have too many medical errors, that we have rampant health costs, it is spiraling out of control. So I think we have got patient choice today, but we also have serious problems which we are trying to solve.

I always come back to the same point, which is that people do the right thing with data for which they are provided access to. You don’t have any of these problems. If the doctor only looks at the things that the doctor needs to, or when they go look at your record, not necessarily understanding what is wrong with you, and they have to do a little more searching, but we know they are doing it for a fundamentally good reason. They take the Hippocratic oath that says they are not going to use it for other purposes.

We are talking I think here about the situation where people are trying to use information for either bad purposes that may be illegal or immoral or unethical, or they might be using information — we hear about the marketing examples. It is one of those things where some people don’t see harm in it, and other people recognize that there is a great harm in it.

So I think if we focus on the good uses of data and people trying to do the right thing with regard to data and their stewardship of data, and then trying to focus on how do we deal with all of the other people that are outside of what I will call the norm. I guess what I hear at the end of the day is that as long as we are trying to do the right thing, there really shouldn’t be too many objections. Maybe I’m wrong.

DR. ROTHSTEIN: Well, John, we are going to leave that on that point.

DR. GREENBERG: Just one thought. A lot of this has to do with some really basic things in life, like communication and trust and choice, and what people decide is important to them, and people come out on these questions quite differently. Far be it from me to be able to solve these issues.

But it does strike me that we have talked a lot about education. We have been talking about education in the committee for many years, on this topic in particular. I commend AHIMA for what you are doing to try to go out and do the focus groups or to talk to people, et cetera. I think a lot more of that needs to be done.

I think we have recommended as a committee education and evaluation, and it kind of falls on deaf ears, but that doesn’t prevent us from recommending it.

But I think there is an element of education for clinicians as well. We are talking about educating patients, and it is true, but this is communication, and the issues here are of basic trust. I feel like I would trust Paul with that information because I can see that he wants to use it for my best interests. But some other clinicians don’t inspire you with exactly that sense.

So I think that we really need to educate the entire chain here. We are talking about chain of care or circle of care or whatever, so we don’t just need to educate the physicians, we need to educate the clinicians, so it is not just the physicians. This is a massive societal need, to really make this thing work.

You are still going to have bad actors, people who do this identity theft. We have just got to figure out a way to hit them with the law. But I think we need to keep that in mind, that there is an entire circle of people. It is a massive educational effort, but it is not just the patient.

DR. HARDING: Look at the effort that is going into Medicare right now, compared to what went into HIPAA.

DR. HUNT: I have a question about the emphasis on education. Let’s say that we just took this subject at its current level of understanding amongst the ten of us around the table, and each of us went out and did our education to the people that we knew. What is the probability that we would all be teaching the same thing?

DR. GREENBERG: Oh, zero.

DR. HUNT: That I think is why we are stuck. We haven’t come to a story that we can tell.

DR. GREENBERG: But we need some people focusing on this. The previous panel talked about research. Mary Jo and I were having a little discussion about that, about what it is that people want to know, need to know, what the real problems are.

I respect this committee very much, and I think the hearing process raises a lot of good stuff. But this needs to be a major undertaking, in which you include research, evaluation and education, all of that.

DR. HUNT: The variation among patients, the variation among physicians is such that you cannot come —

DR. ROTHSTEIN: We need televised hearings.

DR. HUNT: It is a complex, adaptive system.

DR. GREENBERG: Right, and some people are going to want more than others.

DR. ROTHSTEIN: I am going to take my prerogative to close the hearing for today. I have a sneaking suspicion that tomorrow some of us will have even more to say on this topic. I thank you for coming and sharing your thoughts with us, and we will give them a great deal of consideration in our deliberative process, which actually starts after lunch tomorrow.

So thank you, and today’s hearing is adjourned.

(Whereupon, the hearing was adjourned at 5:12 p.m.)