[This Transcript is Unedited]



Subcommittee on Privacy and Confidentiality

Hearing on Privacy and Health Information Technology

AUGUST 17, 2005

Hotel Monaco
501 Geary Street
San Francisco, CA

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091

Participant List:

  • Mark A. Rothstein, J.D., Chair
  • Simon P. Cohn, M.D., M.P.H, FACP
  • Richard K. Harding, M.D.
  • John P. Houston, J.D.
  • Harry Reynolds
  • Paul Tang, M.D.
  • Maya Bernstein, J.D.
  • Beverly Dozier-Peeples, J.D.
  • Marjorie Greenberg
  • Mary Jo Deering, Ph.D.
  • Debbie Jackson, Ph.D.
  • Steve Steindel, Ph.D.
  • Katherine Jones, Ph.D.
  • Karen Trudel
  • Audrey Burwell
  • Dr. Rob Weinzimer
  • Susan Kanaan


  • Bernard Lo, Ph.D.
  • Henry T. “Hank” Greely, J.D.
  • Gerald M. Hinkley, J.D.
  • William R. Braithwaite, M.D., Ph.D.


P R O C E E D I N G S [9:10 a.m.]

Agenda Item: Introductions and Opening Remarks – Mr. Rothstein

MR. ROTHSTEIN: Good morning, welcome to day two of round four of the
hearings on the National Health Information Network of the Subcommittee on
Privacy and Confidentiality of the National Committee on Vital and Health
Statistics, my name is Mark Rothstein, I’m director of the Institute for
Bioethics, Health Policy and Law at the University of Louisville School of
Medicine and chair of the subcommittee. And just for the record the NCVHS is a
federal advisory committee consisting of private citizens that makes
recommendations to the Secretary of Health and Human Services on matters of
health information policy. We’ll begin with introductions of the subcommittee
members, staff, witnesses and guests, as always subcommittee members are
invited to disclose any actual, potential or implied conflicts of interest and
others need not do so. I’ll begin by noting that I do not believe I have any
conflicts. Paul?

DR. TANG: Paul Tang, Health Medical Foundation, member of the subcommittee,
no conflicts.

DR. HARDING: Richard Harding, University of South Carolina, member of the
subcommittee and committee with no conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina,
member of the committee and no conflicts.

MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member
of the committee and subcommittee and no conflicts.

MR. GREELY: Hank Greely, professor of law, Stanford University, no
conflicts that I know of.

DR. LO: Bernie Lo, professor of medicine, University of California, San
Francisco, I’m a recent victim of credit card fraud so I can say I have a
personal interest in this topic.

MR. ROTHSTEIN: As am I actually.

MS. GREENBERG: I’m Marjorie Greenberg from the National Center for Health
Statistics, CDC, and executive secretary to the committee.

MS. PEEPLES: I’m Beverly Peeples, CDC Privacy Officer, and staff to the

MS. BERNSTEIN: I’m Maya Bernstein, I’m the privacy advocate of the
department and I work in the Office of the Assistant Secretary for Planning and
Evaluation, I’m the lead staff to this subcommittee.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC,
committee staff.

PARTICIPANT: [Comment off microphone.]

MR. HINKLEY: Gary Hinkley, I’m a lawyer with Davis Wright and I’m here on
behalf of Connecting for Health.

DR. DEERING: Mary Jo Deering, National Cancer Institute, lead staff to the
NCVHS Workgroup on National Health Information Infrastructure.

MR. RODE: Dan Rode, American Health Information Management Association.

MS. SQUIRE: Marietta Squire, I’m with CDC’s National Center for Health
Statistics and I’m staff to the subcommittee.

MS. CHRISTIANI(?): Ginny Christiani, meeting logistics contractor for the

MR. ROTHSTEIN: Welcome everyone. Invited witnesses have been asked to limit
their initial remarks to 20 minutes and after both of you have had your 20 we
will have ample time for questions and discussion and as in the past it’s
really the give and take is most valuable to the subcommittee. You may submit
additional written testimony to Marietta Squire within two weeks of the hearing
and if anyone here has a cell phone I would ask that you put it on mute or
buzzer or something, vibrate, so that it won’t interfere with the hearing.
Unlike most of our hearings, and indeed all of our other hearings, we are not
being broadcast live on the internet, we are however being recorded and there’s
a phone in line for people to call, I don’t know if anyone has called in, there
are some people, good morning, could we ask the people on the telephone to
introduce themselves?

MS. HORLICK: Hi, this is Gail Horlick from CDC in Atlanta, staff to the

MR. ROTHSTEIN: Good morning, Gail, good to hear from you.

MS. MCANDREW: This is Sue McAndrew from the Office for Civil Rights, privacy
liaison to the committee.

MR. ROTHSTEIN: Sue, good morning as well. Anyone else? So for the benefit of
those listening on the telephone I would ask everyone to speak clearly.

As I mentioned at the outset this is our fourth round of hearings on the
NHIN and beginning after lunch today we will start to try to piece things
together with the goal toward getting a recommendation through the full
committee and to the secretary this fall. At our first round of hearings in
Washington in February we heard from experts on privacy and confidentiality as
well as representatives of consumer organizations. At our second round of
hearings in Chicago in March we heard from a range of health care providers and
health organizations. At the third round of hearings in Washington in June we
heard from representatives of and experts on integrated health systems, health
plans, RHIOs, and health systems in other countries. And so this brings us sort
of full circle to try to see the big picture and to give us an idea of where we
might want to go in terms of our recommendations.

As you know in advance of the hearings and to focus our discussion the
subcommittee distributed to the witnesses a list of six questions, some or all
of which we hope and expect that the witnesses will address. Very quickly for
the benefit of those who have not memorized the questions yet I’ll go through
them, they are as follows.

Number one, with respect to the design of an NHIN do you prefer a model
based on a RHIO, a model where individuals carry their own personal health
information on a device, trustee model or something else? Why and what are the
implications of this model for privacy and confidentiality?

Two, what are the implications of permitting individuals to control whether
their records are part of the NHIN? If permitting this option is appropriate
what mechanism should be used to obtain individual consent or authorization?

Three, what information if any should individuals be able to exclude from
their EHR or the NHIN? What if any limits should apply to these exclusions?

Fourth, what limitations if any beyond those of the HIPAA privacy rule
should be placed on access to personal health information in the NHIN? How
should such limitations be developed and applied?

Five, should individuals have the option of having their health records
maintained only in paper form?

And six, what other measures are needed to protect the privacy and
confidentiality of personal health information and to build public trust in the

So we look to you to help us, if not immediately resolve those questions,
get us started on the right track. And we will go in the following order with
our witnesses this morning beginning with Dr. Lo and then to Professor Greely.

Agenda Item: Panel III – Dr. Lo

DR. LO: Thanks, it’s a pleasure to be here again with you and welcome to San
Francisco, I’m sorry the weather wasn’t better. I’m going to wear my physician
hat today and I’d like to start with giving you a couple of brief anecdotes of
recent examples from my own clinical practice where a National Health
Information Network might have been very useful.

The first example is a patient under my care but who’s also being cared for
by another physician, and in fact this is a patient getting antibiotics at home
and I need to get some lab tests to follow up some things and the lab that does
the lab tests is different than the lab from the home care service, different
than the lab that ordinarily does my testing and to which I have immediate
electronic access. So trying to get that person’s lab results which were needed
for care was a huge problem and took me and my staff a lot of time to do that
and caused actually a somewhat dangerous delay in changing care for a patient.
There are similar issues that come up any time you refer to a specialist who’s
not in the same integrated health network which does happen.

And then secondly a patient who was recently hospitalized and the outpatient
records were not available to the inpatient physicians. Now increasingly I
think as many of you know there’s a separation in continuity of care between
your primary care outpatient doctor and the so-called hospitalist who’s the
inpatient specialist, it’s sort of a British model, so there’s a real concern
about important information not being available for the doctors taking care of
you while you’re sick. And the two pieces of information that were not
available were first, previous electrocardiograms to try and see if a change on
the admission cardiogram was new or old, if it was new it meant a whole lot of
additional cardiology tests, if it was old it meant that probably it was not an
active problem.

And secondly the question of what medications had been previously tried for
this patient’s condition because what happened in the case I’m thinking of is
the doctor sort of picked a medication for congestive heart failure which is
the right thing to do according to guidelines. What they didn’t know is this
patient had been on the medicine about a year ago and had really serious side
effects. And of course they sent him out and five days later he had the side
effects. So all these sort of examples which I think any of you in practice I
think are aware of happen all the time if you’re not in an integrated, solely
within an integrated system.

Now I wanted to also tell you about a story, an anecdote on the other side,
Dr. Harding may be able to comment on this. I recently saw a new patient and it
turned out her major problem was depression and this was the most serious of a
number of episodes. She was reluctant to start medications for depression
although she met the clinical criteria for that and as we talked it turned out
she had been tried on medications in the past, had had adverse effects that she
considered intolerable relative to the benefit. But she couldn’t remember the
drugs, she couldn’t remember the dosage she’d been on, and she couldn’t
remember sort of how the dose escalation took place. This is unfortunately a
common problem in the lack of quality of care for depression and so we were
really stymied, there was no way for me to get these records, they were in New
York and she didn’t quite remember the name of the doctor who had been taking
care of her. It made it very difficult for us to address her current problem.

So I think what I’d like to first underline is that a NHIN could have
enormous benefits for patients when they’re patients, when they’re sick and
seeking care, and I would argue to you that these clinical benefits are
greater, would be greater, the greater the scope of the NHIN. So the more
information that’s included, the more timely access is by providers actually
taking care of the patient for a current problem, the more providers and
institutions who participate, and the more patients who participate the more
likely it strikes me the benefit is if you look at things from a population
basis. If these records are adopted only sporadically by a few doctors, a few
hospitals, and a lot of information that potentially is clinically relevant is
left out you’re not going to get the clinical benefit.

I just wanted to make a comment on a question, one of the six questions that
you all raised in terms of should patients be allowed to have paper records. I
think there’s an increasing trend within at least larger medical practices and
health systems to have electronic records be the default so I can’t keep paper
records at UCSF. I can sort of keep them, no one is going to be able to find
them, they’re stored someplace nowhere near the hospital or clinics, and
they’re totally useless. Increasingly we’re trying to put everything online for
all the reasons that you’ve already discussed but I think it may not be
realistic for many patients going to many providers to ask that records not be
kept electronically.

Now I want to now shift to sort of the concerns about privacy and
confidentiality which after all is the theme of your subcommittee and just to
sort of make the point which I’m sure is obvious to you that the risks to
privacy and confidentiality will also be greater the more information that’s
included, the more timely access is by a larger number of providers, the more
providers who participate, and the more patients who participate. So it seems
to me what makes this difficult is the very qualities that make this electronic
record network useful to a clinician and patient facing an actual clinical
problem are exactly the conditions that raise concerns about privacy and
confidentiality, that’s the dilemma I think that your committee and the larger
committee is struggling with.

On the second page of the handout I tried to reproduce a couple of newspaper
headlines from the past year to sort of illustrate the kinds of concerns that
are in the press about privacy and confidentiality, these are electronic
medical records, not necessarily a National Health Information Network. The
first is from the Boston Globe, a headline saying Harvard Fixing Data Security
Breaches Loophole Allowed Viewing Student Prescription Orders. Well, a very
bright sort of computer savvy Harvard student with too much time on his or her
hands found out that he could actually hack in to the medical record system at
student health services and actually download lists of medications that
students were prescribed including sensitive information about prescriptions
for things like mental illness, HIV and the like. And this is just one of many
examples of these kinds of break-ins, there’s one about a year ago at the
University of Washington in Seattle, so these are institutions that have
security officers and good security programs but are not inviolate.

Second instance is, I guess there’s no one here from Kaiser today, he’s
here, a disclaimer here, so California regulators fine a prominent health care
system in California $200,000, the state imposes a penalty for
breaching patient confidentiality and exposing health records on the web. And
this is not the only example where that a patient’s medical record by name
appeared on the internet and usually these are some sort of computer glitches
in the security system, things get posted where they shouldn’t get posted, but
obviously for the patients this is sort of your worst nightmare come true.

The third headline is actually a UCSF problem from the San Francisco
Chronicle, our local paper, Special Report, Looking Offshore, Outsourced UCSF
Medical Notes Highlight Privacy Risk, How One Offshore Worker Sent Tremor
Through the Medical System. Well, in our institutions drive to become more
efficient they figured out that when people like me dictate a patient note on a
hospitalized patient to cut down on the lag between the time that actually
appears in the paper hospital chart they send the transcription offshore to
India or Bangladesh where you take advantage of the time zone difference and
the note gets transcribed and sent back before the doctors come in the next

Well a problem was that some of these people doing the transcription had not
been paid by the sub-subcontractor who had hired them and they said if you
don’t pay us we’re going to put this stuff on the internet and just to prove we
can do it they sent this to the CO of my hospital, here’s somebody’s patient
note from yesterday and sure enough they had the name, medical record number,
birth date and the like. Now obviously there are concerns about business
partners and sort of follow through but again, this is not, UCSF is not a fly
by night organization, someone should have been thinking, there are people who
think a lot about privacy but this is something that slipped through the

And the final headline is from the San Diego Union Tribune from last fall,
Albertsons, which is a supermarket chain that runs the pharmacies in their
supermarkets, is sued over prescription practices. The allegation was that
firms paid Albertsons for data on its customers for marketing purposes.

You see headlines like this and I think people, a lot of people see in the
news or hear about concerns about security, privacy, confidentiality breaches
and the reason I put these in front of you, I mean you’re familiar with these,
is you don’t see headlines the other way, say patients spared dangerous
operation because doctors tracked down old records and found surgery
unnecessary. Or serious complication of a drug avoided because doctors realized
that the drug had already been tried.

So my concern is that as the public as individual patients think about how
they want to make this balance between access to information versus privacy and
security, what’s most salient to them in their minds in sort of the public
media are the risks. And I think one of the things I would like to see more as
a physician because when I actually sit down and explain to patients why this
is important they say oh my gosh, of course I would want you to know about this
and about that. Now I’m their doctor, they’re seeing me for a medical problem,
and that to me is different than when they’re putting, sort of putting on their
patient hat, and that’s different I think than when they’re putting on their
consumer hat when they’re healthy, they’re thinking sort of in a more abstract
way about how they want their medical information to be handled.

So I want to now try and address some of Mark’s questions, just I’m going to
toss out some ideas and hopefully we’ll have some time to talk about it. So
limits on access to personal health information in a NHIN, it strikes me there
are two general approaches that one might take. One is to limit what gets put
in the electronic national record and the other is to limit who has access to

My main concern about limiting what is placed in the NHIN is that if you
have a simple check-off where I go in to see a new doctor and they say if you
don’t want certain information to be put in the medical record check the boxes
and sign here, I will check the boxes, I’ll say I don’t want this, I don’t want
that, without someone sitting down and saying well but do you know that if you
check that off if this situation comes up there might be information that the
doctors would want. So my concern is that we would like these decisions to be
informed decisions, it strikes me the decision to exclude something should be a
thoughtful decision that takes into account the potential benefits of inclusion
versus the potential risks. Informed consent as you know is difficult under any
circumstances, I think it’s going to be very difficult here.

I’m particularly concerned that once you make the decision to just leave out
all my psychiatric information, and I focus on psychiatry because under HIPAA
at least psychotherapy notes are given sort of special protection in terms of
privacy and confidentiality and certainly something many people are very
concerned about is not wanting that disseminated. But in terms of diagnosis,
medications tried and side effects I would argue that if that information isn’t
put in an electronic record a doctor in the future who needs to know that to
help the patient make a decision about a new medication is going to be
operating without crucial information. So you can’t, the problem is if you
exclude it in the first place you can’t then add it, or it seems to me it would
be very difficult, could be very difficult to add it.

Now maybe some of you have some technical solutions to that in terms of
giving some information to the patient who has it on one of these memory sticks
and can say oh Dr. Lo if you really, thank you for explaining why you need it,
plug this into your computer and only you can look at it. Maybe that’s a

The other solution that strikes me is limit access, by limiting who has
access to certain parts of the record and already those of you who are involved
with designing systems this is already part of the design, people in the
billing office don’t have access to the same information that the treating
doctor or nurse has and it strikes me that you may be able to refine that
further. I like that because you can change the access, I mean I have patients
who may not want me to know about things that happened in their remote past but
if it suddenly becomes potentially relevant to a current problem, if it’s in
the record but blocked, if they can remove the block the doctors can say okay
I’ll look at it now because we’ve talked about how this might be useful. I
would favor that kind of limit on access provided that we allow the patient a
surrogate, if the patient is too sick in an emergency or because of a medical
condition to make those decisions for himself or herself.

So let me just quickly finish and give Hank Greely to address you. I’m going
to make a couple of, three recommendations. The first is that I think we need
to provide more incentives for security, that I think, I know your committee is
focused primarily on privacy and confidentiality but a lot of the breaches in
confidentiality are security violations and I’m not sure our current
technology, at least if you read the papers, is up to the task. And I’m
particularly concerned about subcontractors and as I say I’m sensitive because
I got clawed in this UCSF fiasco.

The second issue I’d like to highlight for you is the use of NHIN for
marketing. I’m very concerned about how the current HIPAA regulations, because
of the exclusions in the definition of marketing, allow a lot of uses of
personal information for ways that I think are very hard for some patients to
understand the benefits to them. And right now under HIPAA you can’t even opt
out of being on a marketing list, opt out of having your PHI used for marketing
purposes by your provider. So I would say that at the very least we need to be
able to allow people to opt out of that and I would actually favor flipping
the presumption the other way and saying you need to actively opt in to allow
your PHI to be used for marketing and informational purposes.

And my third recommendation is that, I’m actually, I actually am a strong
advocate of electronic records because paper things get lost. And I think that
when I sit down and explain to my patients the benefits of an electronic record
they understand it and they’re willing to trade-off and accept certain limited
risks to their privacy and confidentiality. But I think the focus should be
first on the treatment benefits, I think that if we start to say the benefits
of this are going to be for business operations or for other sorts of things
the public is going to be less enthusiastic than if you say the true benefit is
to you that if you become a patient and are sick and the doctor and the
hospital need information this is a way of getting information that will
improve your care. And it strikes me that should be the first thrust of showing
that this NHIN is beneficial, at the same time I think we also have to show
it’s safe in the sense that there are no real problems with privacy,
confidentiality, or security.

So let me stop there and I hope we’ll have a chance to talk —

MR. HOUSTON: What’s your practice, what’s your specialty?

DR. LO: Internal medicine, and I do both inpatient and outpatient.

MR. ROTHSTEIN: Thank you very much, some very interesting things for us to
talk about. Hank?

Agenda Item: Panel III – Mr. Greely

MR. GREELY: Well thank you, Mark, it’s a pleasure and an honor to have a
chance to share some thoughts with you on this topic. I have given some written
comments, some written testimony that you have, written late last night so
forgive any typos, spell check, as a teacher I know that spell check is by no
means perfect at ferreting out typos.

I don’t want to just read my written comments so I’ll use them as a base for
what I have to talk about but I want to talk more broadly about what I think
are the most important issues from my perspective and I want at the end to
actually address the six questions which I don’t specifically address in the
written testimony.

I am not a privacy expert, I’m not a law professor who has worked on or
written specifically very much, a little bit, but specifically very much about
privacy. I worked on health law and policy and on biomedical research law in
the biosciences, in those two areas I run up against privacy issues constantly.
I have some thoughts on them which I’m happy to share but I do offer those
thoughts with some uncharacteristic for me humility although it may not sound
that way.

I find this a really hard topic, I do not envy you people your task at all.
As I say in the written commentary I think there are different ways in which
problems are hard and this one is hard in the worst way. I don’t think there is
a good solution to this problem, there are least bad solutions, there are
adequate solutions, but we’ve got real conflicts here between deeply held
social views and forces of efficiency, both economic and medical, and there’s
no way that you or anyone else is going to come up with a solution that leads
everyone to ooh and aah and shower you with the gratitude of a happy nation,
it’s just not going to happen —

MR. ROTHSTEIN: They might shower us with something but it probably won’t be

MR. GREELY: I think that’s probably right and I think, I hope you realized
when you signed up for this that anything you were going to do was going to
lead to significant unhappiness, because it’s a hard problem but it’s a problem
we’ve got to deal with. I notice that the National Committee on Vital and
Health Statistics actually goes back to 1950, which is just about the same time
that the first computers were being invented, the ENIAC, and I suspect back
in 1950 somebody was saying within a couple of years we’ll be putting health
records in computers. For most of my lifetime the electronic medical record has
been a year or two away, it sort of reminds me of the great Reggie Jackson, the
baseball player, near the end of his career he was dogged by rumors that he was
about to retire and after it had made the front page of the New York papers one
day he called the reporters in and said well boys, I have no interest in
retiring yet, don’t worry I’ll let you know when I do but you guys keep writing
those stories, you write them long enough one of these days you’re going to be

Electronic health records one of these days are going to get here and that
day is coming very, very soon. My wife is a practicing physician, a
pulmonologist with the Permanente Medical Group, and I was talking with her
about the subject of this testimony, she’s about 65 to 70 percent converted,
her facility, to electronic health records, she loves them, she sees the
advantages of them, it annoys her when she can’t get something electronically.
She’s full of stories like the first half of Bernie’s talk about the great
advantages to her patients of electronic health records and she hopes that
within a year or two it will be 100 percent then. It’s a problem that can’t be
avoided any longer because it really is getting close.

I’m torn on this issue. In general I am a strong advocate of the rights of
patients and of research subjects, I think they are too often underestimated
and not, that their concerns are not given sufficient weight. But on this issue
on privacy I worry that our society has almost a cult of privacy, I think
privacy is important, I guard my own privacy, but privacy is not the only value
in the world, it’s one that needs to be traded off against other important
values, it can be and must be traded off and I worry very much that the cult of
privacy leads to a situation where people say if it can’t be perfect, if you
can’t promise me that there’s no way this will ever leak then you shouldn’t do
it. If that’s the test we have an irreconcilable conflict ahead of us.

So I think part of what we as a society have to do I’m afraid is to refocus
our thinking about privacy from the almost sacred status of complete and
absolute privacy to a more realistic notion. I don’t agree, I do not endorse
Scott McNealy’s, the head of Sun Microsystems, very pithy comment a few years
ago, privacy is dead, get over it, but there is some truth to that.

Even more importantly I think the general public has a false vision of how
private health information is today. They don’t understand how many times
doctors not only are not required to keep things secret but are in fact
affirmatively required to report things, to public health officials, to civil
authorities, to the criminal justice system. Nor do they realize how many eyes
can have access at various areas to paper records, or how amenable health
records are to subpoena in various pieces of litigation where you’re involved
as a litigant or where you’re just a hapless bystander whose medical records
happen to be relevant to an action against a physician, say a licensure action
against a physician, where your records are evidence in that case. So people I
think have an exaggerated view of how protected they are today and an
exaggerated view of how protected they should be in the future.

Having said that I don’t want to give the impression that privacy breaches
are unimportant, privacy breaches can be very important, I would hope though
that we would focus on concrete harms that follow from breaches of privacy more
than we focus on the offense against the idea that the doctor/patient
relationship is somehow peculiarly sacredly private. So three suggestions of
pathways to proceed, none of which will be easy or uncontroversial, none of
which will be anywhere close to a perfect solution.

The first is focus on controls, which I’m sure you’ve been doing, focus on,
and I thought Dr. Lo made an excellent point about stressing if you’re going to
limit something limit access, don’t limit what goes into the record for all the
reasons that he said but focus on limiting access to those records. But realize
that, and tell everyone in the world that none of those controls can be
perfect, anything humans do humans mess up.

I think this is probably the first most important deepest rule of public
policy, humans mess up from time to time in anything they do, no system of
privacy protection can be perfect, and the harder you try to make it perfect
the harder you make it for legitimate users sometimes in desperate
circumstances, the auto accident out on the highway and the emergency room far
from the patient’s home. The harder, the stronger the controls the harder you
make it for important uses, there is an unavoidable tradeoff there. So focus on
controls but remember that those controls come at a cost, not most importantly
a financial cost though there is a financial cost, but a cost in the valuable
uses, the personal and public health uses of that information.

I like in terms of control two other strategies as adjuncts to a direct
limitation on access. One is an audit trail, so make sure that you can tell
exactly who accessed every piece of information, when, where, through what IP
address, etc. Now good hackers may be able to hack around that as well but if
you make them hack both around getting access into it and then hack around the
audit trail you’ve increased their burden and you’ve allowed breaches of
security potentially to be followed, either directly to the person who
committed the breach or at least to the institution whose systems allowed the
breach to happen. So focus as much attention I think on audit trail, on the
transparency and the recording of who gets access to what, when, and how as you
do on protecting access.

And the other thing I’d stress is liability, make people who disclose
inappropriately, illegally disclose personal health information liable, make
them liable for damages to the extent there are actual damages, make them
liable for nominal or statutory damages if the actual damages are not big
enough. And make them, require them to disclose to the people whose privacy has
been breaches that the breach has occurred. We may not think of that directly
as liability but no institution wants to have to tell its customers that
they’ve done this, it’s a strong disincentive.

California has such a law with respect to financial records which is why
many of these recent breaches of security with financial records have reached
the public because California law requires that the customers whose
confidentiality has been breached be informed about it. So control both
directly and indirectly I think is important, look at some of the less direct
ways of exercising that control, think about even limiting the media and making
the media liable for unauthorized disclosures, there may be some first
amendment problems lurking there but there’s a lot of space short of a prior
restraint in which even the press can be subject to the law and can be held
accountable for publishing things that should not be published.

Second strategy, think about structural changes in society and this is
asking a lot for your subcommittee, I understand, but you know there are really
two different problems with privacy violations, one is the sort of intangible,
the personal sense of violation, of having this sacred relationship opened up
to the public. I was a victim of a burglary 30 years ago and I remember they
took two stereo speakers, it was trivial, but it really changed my feeling
every time I walked into that house until a year later when I moved because it
felt different. That one you can’t do very much about by structural changes
except maybe by trying to change people’s, the culture’s sense of the
importance of privacy.

But there are more concrete consequential damages from loss of privacy,
things like worries about employment discrimination, health insurance
discrimination, life insurance discrimination and so on. One can take the
direct approach of trying to ban that discrimination rather than trying to keep
information from which discriminatory actions can be taken away from the people
who might want to discriminate, ban the discrimination in a straightforward
way, make it illegal for an insurer, an employer, etc., to take actions adverse
to an employer or a customer based on inappropriately obtained health

Now of course that won’t be perfect, it would require the person who’s
discriminated against to know he’s been discriminated against, to know that his
information leaked. A lot of times that won’t happen, sometimes it will. Title
XII has not eliminated discrimination on the basis of race or sex but I think
it has limited it, both the over discrimination which is almost completely
eliminated and the covert discrimination as well, and this could be a useful
step I think to limit the damage that could have been done, that could be done,
by leaks. There is an issue of the extent to which this is redundant, the
Americans with Disabilities Act, the non-retaliation section of ERISA provides
some protection, but it’s not protection focused on leak of confidential
medical information and I think there would be advantages to having a specific
statute focusing on making illegal the negative use of inappropriately
obtained, leaked, stolen, personal health information for these purposes.

As somebody who is occasionally referred to as an ethicist or a bioethicist
I can’t let this subject pass without bringing up what I think is the biggest
ethical flaw of our entire health care system, in terms of health insurance we
could resolve lots of these concerns about health insurance discrimination if
we joined every other rich country on the planet and guaranteed health coverage
to all of our residents. Many problems become much smaller if people no longer
have to worry about losing their health insurance.

Third area, we’ve talked about controls, structural changes, the third area
is more a one of renegotiating the boundaries of privacy. And again, I set you
no easy task, I think it would be important, I think it would be useful and
will be important for us to try to move the cultural perception of the
importance of health privacy to a more realistic view, to one that is both more
realistic in terms of how private those records are today, much less private
than people believe, and realistic in terms of how private they can be if we
are going to as we necessarily will try to obtain the health and financial
advantages of moving to a more electronic system.

So talking about the limitations that exist today, making it clear to people
that we don’t live in a golden age of perfect privacy today, so that the
tradeoff is not as stark as they think, and pointing out to people that
depending on your circumstances your health records may not be of all that much
concern to you. I would much rather let you see my health records than let you
see my credit card records, or even my tax return. You’ll see my health
records, you’ll see my doctor has told me to lose weight, over and over again,
this will probably not come as a surprise to you. You’ll see that I’m on
statins, this may not come as a surprise to you either. Now there are some
things that would be mildly embarrassing and I know that there are many people
for whom there are things that are more than mildly embarrassing that can lead
to stigma and negative consequences, protection of privacy is important, but
health privacy is not uniquely and always specially sacred.

I also think that we need to negotiate out at the highest level with the
greatest possible legitimacy exceptions to privacy, both those dealing with
marketing that Bernie talked about, and those dealing I think, the area I’m
most interested in, those dealing with biomedical research. Right now post
HIPAA we have a situation where clarity is not the prime result in terms of
what can and can’t be done with these records and neither is legitimacy. HIPAA
was adopted under the Administrative Procedures Act and yet it’s adopted by an
agency that most Americans could not name with tens of thousands of pages of
comments, I hate to recommend this, I’ve been around politics in Washington too
long to do this lightly, I think we need legislation.

Legislation can do many bad things, it takes forever, you never know whether
it will go through and you never know what it’s ultimately going to look like
when it gets through the legislative process, you can end up in a worse shape
than you were when you started. But one thing legislation can do that
regulatory actions really can’t do is confer a sense of legitimacy and social
consensus. And what HHS does in HIPAA regulation does not have that same force
of society’s agreement behind it that what something passed by both Houses of
Congress and signed by the President has. I’m not talking about, I’m not saying
it’s illegitimate, I’m not talking about any legal qualms about the regulatory
process, I’m talking about the public perception, the sense that this is a
social norm which can come to some extent at least from legislation, much more
than it can come from administrative regulation.

So those are some broad thoughts, let me mention, let me end by looking at
your six questions, the design of the National Health Information Network, I
don’t have strong views other than that there is a tradeoff, centralization
gives you more efficiency, gives you more control, it also means that if there
is a leak there’s a bigger leak. My bias is towards a more centralized system,
I do think that individuals carrying around their own information is a recipe
for disaster. I know how often I lose things and misplace and I think I’m no
worse, not much worse anyway than average at that. We can do much better
control of centralized professional controllers but how centralized to go and
exactly what mode I don’t have strong views on.

Second, implications of permitting patients to control whether their records
are part of the NHIN, I wouldn’t allow it, I wouldn’t allow them to opt out. I
think that the advantages are so great and I also think that allowing opt out
plays into the cult of privacy. I think we need to take the position and make
it true that there’s a social decision that broad access to this information is
in everybody’s benefit and allowing opt out not only complicates greatly the
day to day lives of the people trying to work with this information and biases
any work that one tried to do with it but it also sends the message well, it’s
okay to opt out, that there are really strong things, this is a little
dangerous, it’s a reasonable thing to do to opt out. I think we should set up
the system as carefully as possible to make it that it’s not a reasonable thing
to do to opt out, that opting out is not a reasonable option and I think
shouldn’t be allowed, which runs strongly counter to my general view of most
aspects of the doctor/patient relationship.

What information if any should individuals be able to exclude? I agree with
Bernie that it would be a mistake to allow them to exclude it, one may want to
allow some sorts of information, particularly mental health information,
information related to sexual activity, either reproductive or sexually
transmitted disease, addiction information. You may want to have special
protections for that, I wouldn’t allow it to be excluded, I would leave open
the possibility that we put it under some sort of special controls, higher in a
double passwords and both people have to turn the key at the same time kind of
protections. But I would not allow that, I would not encourage you to do that
at an individual basis but have that part of the socially negotiated decision
making about what deserves special protection and what doesn’t, preferably
through Congressional action.

What limitations should be placed beyond those of HIPAA on personal health
information? I think there are a lot of potential reasonable answers to that
question, I’m more interested in the process and again although I shudder to
even say this, I think legislation is probably the best way to develop a sense
of legitimacy and social agreement to what limitations should be allowed. I
personally am particularly interested in making sure or in trying to assure
that as much useful research can be done with this information as possible
because I think the long term payoff in human health and happiness is enormous
there but let that go through the political process and have the chips fall
wherever we as a society think they may.

Should individuals have the option of having their health records maintained
only in paper form? I would not allow that, I think for all the reasons that I
wouldn’t allow them to opt out of NHIN.

What other measures are needed to protect the privacy and confidentiality of
personal health information and build public trust in the NHIN? I pointed out
some measures that I think can help protect privacy and confidentiality and
even more importantly help protect people from the negative effects of the
inevitable occasional breaches in confidentiality and privacy. I would come
back though to what I think is the very difficult but important task of
desacralizing(?) health privacy, it’s an important interest, it’s not a sacred
interest, it’s not the most important interest, the only interest, and I stress
that in conclusion because as I observe this area from medium distance I worry
that this is a prime example of an area where we run the risk of letting the
perfect be the enemy of the good. That we run the risk because of the high
stress on privacy, of demanding perfect guarantees, perfect safety, absolute
certainty, which cannot be done.

We cannot let the perfect be the enemy of the good because this is here,
these records are available now, becoming increasingly available, we need as a
society to do something about it. We need to do something that’s at least
adequate and hopefully good but we cannot set ourselves the standard of
requiring perfect or we’ll end up in a worse situation than we are now.

Thank you.

MR. ROTHSTEIN: Thank you, Hank, you’ve given us just one or two things to
mull over, and we’ll have some questions for you, begin with John Houston and
then we’ll go counter clockwise around the table.

MR. HOUSTON: I really enjoyed the testimony, thank you very much. I did have
a couple questions especially for Mr. Greely. One of the I guess interesting
questions I have is you really didn’t talk much about genetics but yet I
noticed on your written testimony you indicated that you’re a professor by
courtesy of genetics at Stanford —

MR. GREELY: It’s a very courteous department.

MR. HOUSTON: I just, I wonder what, whether you believe your answers change
at all based upon sort of I think in ten years what will be the reality which
is genetic information will be a major part of medical care and delivery of
medical care, but yet will have a profound impact on the way people view
privacy and issues over secondary issues and use for insurance purposes —

MR. GREELY: I’ll be happy to talk about that, if Mark had told me I had an
hour and 20 minutes I would have talked about it to begin with but I’ll try to
talk about it in much less than an hour —

MR. HOUSTON: Given the context of your recommendations does it change any of

MR. GREELY: This is also perhaps a counterintuitive response, for me I think
our biggest problem with genetics is not that genetic information is peculiarly
special but that we tend to treat it as being peculiarly special. Genetic
information is useful and important to the extent it provides health
information and health predictions. You can tell me that I have a cholesterol
problem because I carry a mutated version of a gene that leads to familial
hypercholesterolemia, you can also do a cholesterol test and tell me that I’ve
got a cholesterol level of 862 which is not genetic directly, and it’s not
genetic information directly although it is in that sense indirect genetic
information, but both of them have the same kinds of consequences.

I think that within the ELSI world that Mark and Bernie and I inhabit more
or less, the ethical, legal and social implications of genetics world, there’s
been a lot of discussion about genetic exceptionalism, treating genetics as
different, as special, as again sacred, I keep coming back to that term today,
and what a mistake it is. So I actually would not put genetic information in a
special category, I think that by doing so we tend to only reinforce a false
idea in the public that genes are magic, special, all powerful, genes sometimes
are. If you have the gene, the allele, the version of a gene that causes
Huntington’s Disease, as far as we know the only way you’re not going to die of
Huntington’s Disease is if you die first from something else.

But most of the genetic connections as far as we can tell particularly to
things that are not rare turn out to be more subtle, more affected by
environment, more affected by other genes, more affected by chance. Your risk of
having colon cancer or type II diabetes may vary 50 percent based on your
genetic background from eight percent lifetime incidence to 12 percent, or to
four percent, but that’s not that big a deal and it’s not inevitable, it’s
affected by your environment.

So for me it’s a great question, I think people tend to think of genetics as
being special information, particularly powerful information, I think it’s a
mistake when they believe that and I think it’s a mistake for public policy to
reinforce that idea.

MR. HOUSTON: Just to sort of follow up on that for a second, I guess maybe
in terms of health care I would agree with you. You talked about discrimination
and issues related to discrimination and clearly if you’re an insurer or
somebody who’s providing life insurance, when you’re looking at statistically
at whether you’re a good risk or a bad risk to die early or live a nice long
life, if you had certain genetic markers that would say you’re more likely or
less likely to have cancer or a certain type of cancer, clearly I think they
would be interested in that and I think the flip side of that too is that if I
recognize I have a certain marker for cancer I’m more likely, or I may be more
likely to get higher levels of insurance coverage, whether it be life
insurance, I would make sure that I had, I would choose certain health plans to
cover my health insurance for fear that I come down with one of these, with any
of these different illnesses and maybe based upon the insurance that I have
chosen it would be a lot more or less expensive for me.

I mean I would think that there’s an impact in that way and so I think you
can, I guess you could argue that the patient as well as industry could sort of
gain the use of genetic information for their advantage in some way —

MR. GREELY: This has been talked about for a long time in the genetics world
and it’s this concern about what the insurance industry calls adverse
selection. It’s I think a realistic concern, it’s often an exaggerated concern,
particularly since so few Americans get health insurance in a way that is
medically underwritten. We almost all get health insurance through an employer
or our own or our partners, or through the government, and those 250 million
people, 240 million people who get their coverage that way don’t face medical
underwriting, the insurer doesn’t have a choice except for the very smallest
employers, the insurer doesn’t have a choice of saying you’re risky, I’m not
going to cover you, you’re not risky I’ll take you.

More fundamentally though yes that information could be significant in
discrimination but there’s nothing special I think about genetic information
there. A life insurance company will take a look at me and be worried about
risks from my weight without caring about my genes. A life insurance company
may know that someone has had breast cancer in the past, that’s an important
marker about risk, more important statistically than whether you carry the
BRCA-1 or BRCA-2 mutations in your genes. So yes, genetic information can be
used this way, so can other health information and I don’t think there’s
anything peculiarly powerful or special about genetic information there despite
the fact that culturally we have tended to, for a variety of interesting
reasons, to take the position that genes are magic and are uniquely powerful.

Let me note though there is one area where I think this issue of adverse
selection is particularly interesting that I think would be interesting to
watch. There are some genetic markers that show risk for Alzheimer’s disease,
the area of long term care insurance is a new insurance field, the issues of
adverse selection there with respect to people who are at high risk for
Alzheimer’s disease are I think quite real. And that may be an area where it
might make sense to allow insurers to use that information because otherwise
the market may collapse. Specific circumstances can lead to different specific
answers but in general I think it’s a mistake for us to try to treat genetic
information differently from other health information.

MR. HOUSTON: Thank you.

MR. ROTHSTEIN: Bernie, do you want to comment?

DR. LO: No.

MR. REYNOLDS: Thanks to both you, excellent testimony. When we went through
HIPAA privacy, no matter what anybody tried to communicate it was poorly
executed, poorly understood, and has created somewhat of a furor in people’s
minds as to what it was or wasn’t. As you look at the NHIN and the electronic
medical record and everything it goes to the next level of scary, but Dr. Lo
some of your comments were, your examples were good. So in a society of 24 hour
news where it’s not as exciting, the bad is far more exciting than the good,
and each of you have talked about it, how do you, how do we really change the
culture, how do we really as you mentioned communicate differently and how
would we recommend that in a different way?

DR. LO: I think that’s a terrific question, let me offer two different
approaches. One I think is you have to use the media, I mean as you suggested,
the media can have a large impact, I think there needs to be a public health
campaign, I mean the CDC and other organizations have thought a lot about how
you try and communicate difficult complicated messages to the public using the
media and I think we haven’t seen those kinds of resources and expertise
applied to this issue.

The second thing I think is that there’s a level in which the individual
doctor and patient need to be able to sort through these issues. I remember
when HIPAA, well we all remember when HIPAA first came in, you checked in five
minutes late to your doctor’s appointment because the parking was terrible and
they sort of said we’ve got to give you this pamphlet, please sign here so we
can document, what is this. So that I think was well intentioned, trying to get
people informed, but that wasn’t the right, the most effective way of actually
getting people to understand. I think it was useful in terms of documenting
that providers did what they were supposed to do.

I’m old fashioned, I sort of have this sense that when the doctor and
patient go into the examining room and close the door the kinds of
conversations you have there which are focused on the individual patient mean a
lot. So I’m not quite sure how to do that but I think you need to get
physicians more involved talking to their patients about the potential benefits
of privacy. And again, there are ways of doing that that don’t depend on my
having a 15 minute conversation with every patient but just to make some
incentives for doctors and patients to have these decisions, or at least to let
patients know that the doctor is someone you should talk to if you’re concerned
about is this going to help me in my future care. There may be other, I don’t
know what trusted organizations now there are that people will believe but
certainly to have a website that really goes into the benefits of having this
National Health Information Network, that needs to be part of the discussion.

MR. GREELY: I agree with Bernie, I think it’s very important to make sure
that patients hear about the advantages to them of electronic health records
and of a National Health Information Network with concrete examples to the
extent you can find situations of people whose health was, whose lives were
saved because a doctor in Connecticut was able to get quick access to
information from California, or maybe within the Kaiser system a doctor in
Southern California was able to get access to information from Sacramento very

Make sure in your report that people know that those health benefits are
realistic and are important, try the idea of a public health campaign sort of
treating electronic health records like vaccination, something that never
occurred to me but I think it’s right, it saves lives, it helps people’s
health, it saves money and saving money in the health care system is not just
an issue of dollars, saving money for one thing allows that money to be used
for other valuable health purposes instead of being used to pay, as I think
happened to the tune of tens of billions of dollars with HIPAA implementation,
to pay consultants and lawyers to help people learn how to do HIPAA

So you’ve got a limited ability to do this but you do have a report, use
your report that way and use your report to encourage others to get, to try to
change the public view of this from scary unknown risk to something that has
clear benefits, to the extent you can encourage doctors to have those
conversations with your patients, their patients, I think that’s another
excellent idea.

The one thing I would really strive to avoid is what I view somewhat
cynically as the HIPAA strategy to this, beloved of lawyers, we get people to
sign a form saying that they understand something and everything’s okay. But we
know that that’s a fiction, it’s a fiction lawyers are peculiarly enamored of,
but it doesn’t really do any good, it doesn’t truly mean that people understand
what’s going on or that they’ve agreed to it, or that they’re happy when
something happens that runs counter to their expectations regardless of whether
it runs along the lines of the form that they didn’t read when they signed. So
avoid that but a public health, a broad educational campaign focusing on
concrete health benefits would I think be a very important step.

DR. HARDING: Just two quick questions, one, Dr. Lo, do you have any cure for
the offshore issue that you were talking about, that UCSF has come up with and
so forth? And then the other question would be more to Professor Greely about,
you talked about liability of disclosure being an important thing, is intent
involved in that or is it disclosure no matter what the intent?

DR. LO: Well, as far as the offshore issue, I think the policy question is do
you hold medical institutions who set up these electronic records responsible
for subcontractors they deal with and the sort of policy set by HIPAA is that
there are limits on what you expect people to do with regard to subcontractors
and I think we need to re-look at that or at least provide more incentives for
institutions that do rely on subcontractors for work that they may not be able
to do in-house —

DR. HARDING: Does UCSF still contract with Pakistan to do that?

DR. LO: No, but that’s kind of too late, right, once you see where the hole
is, even though there’s no damage done here the publicity was enough to scare
people away. But I think that you want to provide more positive incentives.

MR. GREELY: I’d just note on that issue the offshore in part makes it harder
to control what the subcontractors do but it’s not unique to Bangladesh, same
thing could have happened in South Dakota, same thing could have happened
anyplace in the country or the world. For a lot of political reasons it’s easy
to beat up on offshoring of information or offshoring of work. I don’t think
the key issue here is offshoring, the key issue is control and liability of the
entities that subcontract out for the misdeeds of their subcontractors, whether
those are in the United States, in Bangladesh, or on Mars.

In terms of the liability issue, whether there should be an intent rule or a
strict liability or something somewhere in between is something that if this
got far enough to be legislation would undoubtedly be pounded out in the
lobbying world, in the legislative world, and I’m not crazy enough to think I
could predict how it would come out.

I would opt though, I would recommend a fairly strong liability standard,
you’re not liable merely if you knew that it was inappropriately obtained
information, I would rather have strict liability with a safe harbor defense,
if you took appropriate measures, if based on appropriate investigation you
concluded that it was legitimate information, that it was appropriate
information indeed and released by the person in question or otherwise was in
the public domain then you were safe even if you turned out to be wrong. But
really have almost strict liability for, in order to truly encourage people to
be very careful about what kind of health information they release and where it
comes from. Make them investigate where it comes from so that their liability
may change based on how good an investigation they did.

DR. TANG: I want to thank you for this testimony because I think it really
crystallized a lot of things that we heard yesterday and today. Some of the
answers don’t prohibit the collection of information that can be potentially
valuable and useful in saving lives and caring for the patient, focus on the
regulations and punishment for violating illegitimate access, i.e., controlling
access. I like the idea of legislation as a tool for creating social norms and
creating the process by which you get some kind of census(?) as it were in
legislation, as far as you can go, and the call to privacy I think is a very
real kind of animal, beast that we have to deal with, and we need to demystify
that and talk about the education part. And it’s true also, your comment about
there’s more actually private information in your credit card receipts than in
your health record, I mean it sounds like a flippant remark but it’s actually
very true, just as you said, really your genetics, there’s so much more I can
tell, I mean the fact that you’re female, a whole lot of things that you’re
subject to that the male isn’t, your race, your weight, I mean there’s so many
things that are just so plain obvious that we’ve picked in a cult way, the base
pairs(?) to pick on just because it’s part of the cult.

Now the one thing we’ve all been talking about is this education and been
down that road before and thought about even the Ad Council because they were
so incredibly effective with seatbelts, the whole dummy thing, crashing into
the windshield, or Smoky the Bear, and we now, I’m talking about an
organization I belong to, the American Medical Informatics Association, started
a campaign called Got EHR? Like the Got Milk? Thinking that we would use the
consumer/patient to push the health care industry in that way. Well we got an
education from those experienced in this kind of PSA, public service
announcement. Now what if you were wildly successful and they went knocking on
the doors? If you don’t have the solution ready to market, bring to market or
to deploy, you’ve created a frustration that actually may set you back.

One of their examples is they were very successful in booster seats, in the
campaign to raise the use of booster seats. It so happens that there’s no way
the market could meet the need for booster seats and that’s one of their
lessons. So coming back here the quandary now is are we ready to do this
enormous campaign, can we deliver, or will the frustration and the mismatch
actually set us back? So this is, I don’t know whether you have any comments on
that —

MR. GREELY: I was very canny in how I set up the testimony because I started
by saying these are really hard problems and that’s one of the ways in which
it’s a really hard problem. I don’t know whether you’re ready for a public
information campaign yet but part of the report should be when you are ready,
taking into account the counterproductive nature of a premature campaign, when
you are ready one should follow and maybe some thoughts about who should
organize it and who should make the decision about whether you’re ready or not.
That’s not much of an answer but it’s the best I can do to a hard problem.

DR. LO: I think there are people who are expert on these kinds of issues and
I would try and ask them and take into account their advice.

MR. ROTHSTEIN: I want to thank you of course again for wonderful testimony
and having a hard time figuring out which of the 50 questions I want to ask
you. But I want to focus on one where I’m not sure, I mean I agree with most of
what you said but there’s one area that concerns me and that is I’m concerned
about the effect on individual health of adopting a strict rule that you both
seem to be suggesting of no patient based carve out, I mean that’s, I mean if
you think, that’s the basis of the Hippocratic principle of confidentiality and
when we teach medical ethics to second year medical students one of the
problems that we talk about is what do you do when the patient comes in to see
you, doc I’d like to tell you something but only if it can be off the record
and not included in my chart. Do you say at that point no, everything you say
has got to be in the chart? Do you say well in the future I could put it in the
chart but block it somehow? Or do you say tell me what the problem is?

And I’m concerned that if the strategy changes where everything is in then
that people will not go to the docs when they’ve got certain problems, some
mental health problems, some you know the kinds of concerns we’re talking.
That’s the first half of the question, see I’ll work in the second half as

Hank, I couldn’t agree more with your comment that we need to work on sort
of the end users of the information but the likelihood that we’re going to
change the law regarding what employers have access to and what insurers have
access to and so forth on the basis of in essence compelled authorization, sort
of releases, is very slim. And the privacy issue that I see is, that’s sort of
exacerbated by electronic health records, is now when you apply for a job and
sign a release disclosing all of your medical records in non-California or
Minnesota states they get basically your current health records from your
primary care doc but in the future they’d get everything from everybody and so
these third party users who can compel these authorizations, the amount of
information that they’re going to get, irrespective of whether they can legally
use it, is just going to increase exponentially.

So tying that together to a single question, are you concerned about the
health consequences of individuals not getting prompt treatment if it’s going
to be part of their longitudinal record?

DR. LO: Let me answer the first part, the clinical question, Mark, which I
think is a really tough question. I would try and break it down and first of
all say that there are ways for patients to avoid having stuff get in the
medical record. Some of those are not very useful for their health, I mean
don’t come to a doctor, come to a doctor and don’t talk about that problem,
talk about something else, but the doctor always has an option of what they put
in the medical record and all the time people who come in say exactly what you
said, I want to talk, this is really off the record, or they say a friend of
mine had this problem.

And that’s okay, I think it is important but this is a progressive thing and
if I’m just talking and the patient really needs that reassurance that it will
never leave the room then I think it’s important. If it gets to the point where
I can see some advantage to having this part of their record because I’m not
going to be their doctor forever then I can come back and have the conversation
and say you know, we’ve tried a couple of medications here, you’ve had some
really bad side effects, if this ever happens again and this is a chronic
condition and if you move or if I retire or something, or you change doctors,
it would be really important for your next doctor to know that we tried these
other medicines which are the first line drugs and they didn’t work or you
couldn’t tolerate them. Do you now, now that we’ve worked through this and you
see the benefits, do you now want me to make some additional notes to my

So I’m very comfortable doing that, I think patients have to understand not
everything they tell the doctor gets transcribed verbatim, there’s always a
filtering process and this is no different. Psychiatrists negotiate these,
early in the AIDS epidemic when there was no treatment, many AIDS patients said
they don’t want this in the record and then I said well if you show up in the
emergency room comatose knowing that you’re HIV positive is going to make a
real difference in terms of what we do. And then there was a negotiation. So I
think that’s one solution, and sort of what the formal rule is there’s always
ways around that that a good doctor can help a patient in an individual case
but the default is that you should document what would be useful in terms of
the record.

Another thing I think is to come back to this issue of how can patients have
some control if it gets into this electronic national information network and I
like the idea of saying there are going to be parts of this that will be
included there but it’s going to be really hard for people to get at. And you
or your proxy, your surrogate, will have to actively consent to someone looking
at it, I’m thinking this is, you don’t need anybody to see this but if
something happens in the future where the doctor thinks this information may be
relevant they can sort of talk to you or your surrogate and say now can I have
permission, using a double password, a PIN number or something, it strikes me
that’s a lot of security there. It’s not foolproof but it seems it’s pretty

So I would say that you have a rule, there’s always kind of ways around it
and I think we should recognize that we don’t want to say that there aren’t
ways for doctors and patients to talk about things that won’t show up in the

MR. ROTHSTEIN: I just wanted clarification on that

MR. GREELY: On the first half it’s a tension, to the extent that you promise
less than complete confidentiality, you worry about driving people away, we
worry or should worry I think about mandatory disclosure of suspected child
abuse because arguably that means parents who are worried that their
pediatrician will worry that these bruises were inflicted by them rather than
the normal toddlers falling down off the jungle gym won’t bring the toddler in.
It’s not a new problem, it actually would be really, I don’t know if there’s
been any good research on the extent to which it actually empirically happens,
that would be an interesting area to look at —

DR. LO: Kaiser has done a survey, in a survey 20 percent of respondents say
that there has been a time where they didn’t tell a doctor something because
they’re afraid of its being in the record. What the question didn’t ask was how
salient was the information to their current problem, I mean if it’s a standard
routine physical and they’re asking about past history I can leave a lot of
stuff out that’s not going to affect my care at the time.

MR. GREELY: As far as you know.

DR. LO: As far as I know.

MR. GREELY: So I don’t think it’s a new problem, it’s yet another reason
it’s so hard, it’s a tradeoff. What I would allow these publicly negotiated
preferably Congressionally passed areas for heightened protection so that you
could carve out mental health, not so much on an individual patient basis, one
could make it both, there’s a Congressional decision that individual patients
can ask to have specific information in those areas, specific areas protected,
I don’t know that that’s necessary and it adds some administrative complexity,
but areas that are particularly sensitive I would say allow it to be under
special higher protection —

MR. ROTHSTEIN: Does that mean automatically or at the option of the patient?

MR. GREELY: I’d actually, I don’t have a strong view about that, I think
automatically would be easier and probably more honest, I’m very skeptical
about how well thought through and meaningful a patient’s decision is on any of
the myriad of forms that patients are often handed as they’re hurrying through
a health related appointment. So the individual option strikes me as not adding
that much benefit though it adds a lot of administrative complexity, but I
don’t feel strongly about that, I just do think that it shouldn’t be solely
individual, I think there should be a Congressional or other social decision,
yes these are important sensitive areas, for them we require security level two
or some sort of heightened security.

And finally I just want to underline the importance of Dr. Lo’s comments,
people are professionals, we give people the status of professionals for a
reason and we trust, we think that we can, we hope that we can trust their
discretion and it is important for us not to try too hard to limit that
discretion into a straitjacket. If that means that the law says X but we
recognize that sometimes doctors in good conscience acting professionally will
not do exactly X, I think we should accept that as not necessarily a bad thing,
it’s actually an affirmatively good thing.

Your second question, the second part of your question about employer misuse
and so on and the difficulties with changing the law, I certainly appreciate
the difficulties of getting any law relating to discrimination in employers
through Congress, we’re still waiting on the Genetic Information
Non-Discrimination Act after ten years in Congress and several unanimous votes
by the U.S. Senate.

But I think there’s some value in trying, or in saying that it should
happen, I also think there is greater possibility of activity at the state
level though once again this is a tradeoff, this information has such national
value logically I would prefer there to be uniform federal regulation, but if
you can’t get the best you deal with the second best and state regulation is I
think politically more feasible, as has happened in say California and
Minnesota, and can ultimately light a fire that may lead to uniform federal
regulation if only because non-uniform state regulation makes the interest
groups sufficiently unhappy that they’re willing to get, to push for the
passage of federal legislation they would otherwise oppose if only to get
uniform standards.

So I don’t think it’s a lost cause though it may be a quixotic one, at the
same time I’m not averse to as part of the Congressional or other broad social
negotiations about what uses could be made. It wouldn’t trouble me and I
haven’t thought it through fully but it might even be a good idea to just say
no blanket waivers, no blanket authorizations for employers to get your health
information and have that as part of the statute. You’d of course have to have
a variety of provisos, exceptions, and so on but I would like to see us
negotiate out and get at least public, a Congressionally or otherwise publicly
expressed position around which a consensus might build to say here are things
that can be done with this, here are things that can’t be done with this.

My own view would be employer use, it should be minimized, research use
should be maximized, the political process and the consensus building process
may lead to a different result. But I certainly wouldn’t exclude the
possibility or even the benefits of having a complete ban on, almost complete
ban on broad scale authorization for employers to get access to employee
medication information.

DR. LO: Could I add one more thing to my response to the first part of your
question and go back to this issue of patients asking their doctor to keep
information out of this electronic record. And I want to go back to this theme
that wherever you set the general rule with opt outs, with exceptions, there’s
also another layer of exception which is sort of how the doctor and patient
kind of handle it on a very individual case by case basis. And I want to kind
of, I’ve sort of indicated how a lot of times you can overcome patient’s
reluctance to include things by explaining to the patient why it’s in their
best clinical interest.

It also works the other way, I mean I sort of tried to make the case that in
an urgent or emergency medical situation you need a lot of information quickly
and the electronic record, national health information, offers a promise of
getting comprehensive information quickly. Having said that I also want to say
that we can still do what we do now sort of the old fashioned way which is if a
patient has such concerns about medications that they don’t want their
psychiatric medicine or their HIV medicine to appear on their electronic record
we can work around that.

First of all I think patients need to understand it may not be possible to
do that, if I write a prescription in an integrated system it’s going to be on
the electronic record. It certainly can be on their pharmacy bill that they can
get, their Safeway card. But what we do in the emergency room is we say to the
family, if there is a family, can you go through the medical cabinet and just
bring in all the bottles you find so we know exactly what he’s taken, it’s
really important because we want to make sure that some of the problem isn’t
due to the wrong, being on a certain medication, we don’t want to give them a
medication that will interact with something he’s taking. And at that point the
concerns about privacy seem relatively small compared to the potential benefits
of having your treating doctor have the information to meet an urgent medical

So I would prefer to have it all electronically rather than wait an hour to
try and get into the patient’s apartment but that’s what we now do and
hopefully doctors will continue to keep doing that. It does depend however upon
making sure everybody in the system knows that when a patient can’t talk to
their doctor the family needs to have full control and be able to make
independent decisions about revealing information to the doctor that may be
different than what the patient said before. I think it would be terrible if
someone said well, grandma was always so concerned about people knowing what
medicines she was on that I’m not sure she would want us to bring in all her
medicines. Well, that was when she was relatively healthy and now that she’s
sick it’s different.

MS. DOZIER-PEEPLES: I don’t have any questions but I’d like to thank you
very much for some very informative testimony, thank you.

MS. GREENBERG: The same, I was just sitting here thinking that it was
definitely worth getting up this morning for this testimony, but actually I was
thinking that that was kind of low praise and in some ways it was worth coming
out to San Francisco for it so thank you very much.

MS. BERNSTEIN: I’m surprised that you apologized for the weather when it’s
95 degrees in Washington and 105 degrees —

DR. LO: Fall here is supposed to be absolutely blue skies, about 75 degrees

MR. GREELY: Drive 35 miles down the peninsula and we’ll show you 80 degrees,
sunny —

MS. BERNSTEIN: I’ve been sort of dying for the whole week to ask somebody
and it seems like you guys are the right guys to ask this, on Monday morning on
NPR there was a story that I don’t know how many people heard about the
possibility of having a chip implanted literally like under your skin in your
arm which would have not your medical record because that changes but a number,
some code that would allow the hospital to sort of scan you I guess, and I
don’t want to say what my personal view is but I just wanted to know, so you
could go to the web and it would have the rules about if we decided to have
something excised or not or whatever the management rules are for access
control to that information if you’re conscious and available to give your
doctor information then it wouldn’t be needed but if you show up unconscious in
the hospital then they could get access to your data. And I just wondered if
you heard that story and if you had any response to it.

MR. GREELY: I hadn’t heard that story on Monday, I have heard about these
identity chips and having just lost a cat I wish we’d had a microchip put in
that cat. I think the world is divided into lots of different sorts of people
and some people love technology and are early adopters and have never met a
technology they don’t like. I certainly wouldn’t make it impossible for those
people to get those chips in there if they wanted to but I think it would be a
real mistake to try to, certainly to mandate it or even to strongly encourage
it given the way it manages to combine privacy concerns both about health
information and also about the sanctity of your body. So I would not prohibit
it but I certainly would not strongly push it.

DR. LO: I guess I would ask other then sort of the high tech pizzazz bit
what’s the clinical utility. It seems to me the clinical utility is when you
show up in the emergency room having been surfing in Monterey and no ID and no
one around to give surrogate consent. That allows people to identify you,
presumably by default get your medical records. Those situations are relatively
rare and you have to decide whether by allowing better care in those situations
you’ve created such concerns as Hank outlined that people would doubt the whole
system. I think the real issue is do you have a default within a current
electronic medical record system which is if you show up for care in somebody’s
emergency room and can’t consent and it’s a real serious situation is the
default assumption that you would want all your medical information that’s
available to be made available to that treating physician without any
additional authorization and I would strongly argue that should be the default
and the chip only solves the problem if you don’t know who a patient is.

MS. BERNSTEIN: Well it solves the problem that Professor Greely mentioned
that people lose their data and so you wouldn’t want somebody to have it
carrying around but that’s a way to carry it around without losing it because
it’s always on your person.

MR. ROTHSTEIN: Well, we of course had hearings on RFID devices last year and
it’s an issue that we’re going to continue to monitor in our spare time. Again,
thank you, we will take a 15 minute break, I’m sorry, Mary Jo.

DR. DEERING: I crept up to the table, Mary Jo Deering. I too very much
appreciated your testimony, thank you very much, and it was more in the sense
of a comment and it was first going to be regarding the issue of public
education and I wanted to say it while they were here because I actually wanted
to offer some encouragement in that I’ve actually been in the field of health
communication for nigh onto 18 years and I wanted to mention is that when you
think of public education you don’t necessarily need to think of the end
message which is this stuff is great, go get it, go ask for it.

If you approach communication from a behavioral change perspective which is
the way the experts do then you can phrase your messages to an earlier stage of
awareness and understanding and the class model that was way back in the 1980s
was the National Heart, Lung, and Blood Institute that already had a lot of
expertise about high blood pressure decided it needed to launch a cholesterol
awareness campaign. Those of us with gray hair are old enough to remember that
they spent one whole year simply saying, remember this line? Do you know your
number? It was merely to let people know that there was a number out there
whose existence they had no knowledge of or appreciation of and so they wanted
to sort of lay that baseline awareness.

And I think in the field of privacy it’s the same thing, I know the Markle
people are looking the same way, it’s just first just building appreciation of
what health information is all about and how it can be used and then you can
begin to work in certain privacy risks and benefits rather than jumping in
toward the end.

The only thing I wanted to add now that Maya brought up the NPR thing is I
feel a little guilty about that because I believe that what you heard was that
former Secretary Thompson has signed up with the Verichip(?) Company and I
actually was responsible in introducing him to that inadvertently and that we
had a prevention oriented summit for him, he had a series of summits, and I’ve
been in technology for a long time and we had a technology showcase that was
supposed to be prevention oriented. Well, these guys weaseled their way in and
the Secretary made us look towards the showcase during his prevention summit,
and by golly if he didn’t stop there. And actually I had had to do some damage
control because I had images of oh well HHS is going to think about implanting
chips in individuals and I could just imagine how that was going to look but I
never realized the extent to which he personally took that, I think he signed
up to work with that company now, he’s on the board —

PARTICIPANT: But not to have a chip implant.

DR. DEERING: He’s on the board, exactly, so anyway, things do go in strange

MR. ROTHSTEIN: Thank you for that history and we will still take our 15
minute break however it will now end at 11:00 and we will begin panel number

[Brief break.]

MR. ROTHSTEIN: Good morning, we are back on the record with panel four of
hearing four of our inquiry into the National Health Information Network and I
want to thank Dr. Braithwaite and Mr. Hinkley for agreeing to testify. Bill is
going to testify I assume first, is that right Bill? Second, very good, so
we’re just going to see if we can round up the remaining members and I want to
thank you for coming Mr. Hinkley and welcome you and I know you’ve been sitting
in on some of the earlier testimony and now you know what we’re concerned about
so you can clear things up for us.

Agenda Item: Panel IV – Mr. Hinkley

MR. HINKLEY: Just by way of background I am involved with Connecting for
Health which has an organization that has four or five years of history funded
by, principally by the Markle and the Robert Wood Johnson Foundations and for
those of you who aren’t familiar with it it is an extremely thoughtful well
managed process around the topics that this subcommittee is addressing. My
formal role is as a member of what they call the Policy Subcommittee which is
the direct subgroup of Connecting for Health the collaborative itself and is a
major organization within Markle. I’m also their lawyer with respect to certain
of the work product that I’m going to be describing today, principally the
creation of template documents and policies for regional organizations to
connect sources and users of data.

Today I have the great honor of standing in for Carol Diamond, Carol is a
national figure on this topic and an inspirational leader in so many ways, a
wonderful convener, and I also am here really on behalf of the hundred
organizations represented by the collaborative and the 45 institutions and
individuals represented on the Policy Subcommittee. So as a result of that I’m
going to stay pretty close to script because this is not about me, this is
about the work that this very important organization is doing and how important
Connecting for Health views opportunities to speak to this committee and to
contribute as appropriate to its very important work.

My day job, I’m a partner with a law firm called Davis Wright, I’m based
here in San Francisco, I am a native Californian, I have been practicing health
care law just over 30 years and have had the pleasure of doing it in California
so that I know the wacky and the wise. Anyway, I believe everybody has a copy
of the text and I’m going to stick to that pretty closely as I mentioned in
really deference to the entire organization.

As I mentioned Connecting for Health is a collaborative of about 100
organizations and attached to your materials is a roster of the organizations
that as of July 2005 have been actively involved. Initially Connecting for
Health was focused on advocating for interoperability in health information
technology adoption and it was a very broadly theoretical and strategic
approach. More recently over the last two years Connecting for Health has
developed an approach for the National Health Information Network that
envisions a decentralized and federated network of networks and has adopted the
concept of sub-network organizations across the nation that are capable of
exchanging information when necessary with each other by conforming to what we
have termed the common framework of nationally established technology and
policy standards that enable interoperability.

And just as a footnote the term the Sub-Network Organization would be
inclusive of concepts such as RHIOs, which I’m sure you’ve heard about in the
course of your testimony and your research, but also any other appropriate
network of information sharing. And I think the approach here is that what is
being considered and addressed by Connecting for Health is in some element of
information around an index that I’ll describe in a minute but is really
agnostic to what the local network looks like, there’s no prejudice around a
regional health information organization or a university based data sharing
organization or the like. And the thought is that the country is going to
develop these networks as appropriate and the role of the National Health
Information Network is to provide the glue to allow those networks to
communicate with each other in a way that addresses both the technical and the
privacy concerns that are shared at a national level.

As I mentioned earlier the only novel piece of infrastructure that is being
proposed is what we’ve called the Record Locator Service. The Record Locator
Service is the glue, it is a patient specific health index that does not itself
contain health care information but contains rather demographic information
that would allow someone utilizing the network to identify that this particular
patient has information in the network that can be obtained through the locator
service. And there are a couple of references in your materials to rather
detailed explanations of how this works and I won’t go any farther into now
because it bears some study.

But I think one note is that the Record Locator Service supports patient by
patient inquiry, it does not support as defined queries for aggregating data so
that it would not be envisioned that you would query, tell me everybody with
pneumonia in the last 12 months in zip code 94111 for example, you would be
looking for an individual patient through that locator.

Connecting for Health is working closely with existing information networks
to apply its model in a prototype, and there are three communities that were
selected for this, Indiana, the state of Massachusetts, and then a network
located in Mendocino County. In each case the existing local network will map
its current technology to the proposed national approach and interoperability
and the effort here is to work through a use case and this is, we’re hoping to
have completed by the end of this year where these three networks would
demonstrate the ability to locate a patient’s record, locate and retrieve the
patient’s complete medication list, and locate and retrieve the patient’s lab

So it’s a relatively circumscribed use case but really the goal of the
prototype is to show that a group of institutions with no formal affiliation
can securely use the internet to connect to one another and to find and
exchange records as needed for patient care. And they can do this without
requiring a unifying patient identifier or a central store of clinical data,
that the system can allow participation even by relatively technically
unsophisticated institutions, and that the accuracy, responsiveness, security,
and scalability of the prototype system would merit broader deployment. So this
is essentially teeing up something that we believe, if the results are as we
expect, would be something to look at further.

Connecting for Health operates both a technical and a policy subcommittee to
define the specifications and the policies for the prototype and the common
framework. The subcommittees are charged with developing the practical tools
necessary to implement a record locator service and the common framework within
the prototype project. So that’s, if you can understand kind of what we’re
doing, we’re trying to actually generate some data, real live on the ground, as
policies are developed how do they work and what is the reaction in the context
of the prototype. And our expectation is as I mentioned that this work would be
reportable at year end.

Our subcommittees are composed really of national experts and
representatives of experienced implementation sites and commercial vendors and
public sector representatives who are working to identify needed technical
standards and to develop a consensus about the proper policies that must be in
place to achieve an interoperable health information environment.

Through my testimony today I intend to share with the committee a more
detailed explanation of one aspect of the work currently underway within
Connecting for Health and I want to focus on the work of the Policy
Subcommittee which is aimed at providing practical tools to assure privacy and
security of information exchange. The stated purpose of Connecting for Health
is to catalyze changes on a national basis to create an interconnected
electronic health information infrastructure to support better health and
health care.

Connecting for Health recognizes that maintaining privacy of personal health
information is the foundation of the entire system. Privacy is not merely a
worthy goal but an indispensable attribute of the system. Without public and
professional trust in privacy and security of network regional and national
exchanges the national context would not work in our view. People will not
participate or will refuse to allow various uses if privacy and security is
lacking and the potential then for legislative controls being necessary,
although we’ve heard discussion about their efficacy, could be a potential

We believe that fundamental design principles of national information
exchanges must reflect the importance of protecting patient privacy at the
outset and in their basic design. Privacy cannot be an afterthought, it needs
to be addressed through legislation, rules, sanctions, or to be waived away by
requiring blanket consents, but must be built into the architecture, the
technical decisions and policy agreements throughout the system. Indeed the
work of Connecting for Health to define the technical architecture over the
last two years was bounded by certain basic principles including the need to
protect the privacy of health information. We cannot simply trade away patient
privacy to get increased technical efficiency, for example, or saddle providers
with mandates as a way of deploying new tools or technologies.

In the solution we propose, sharing is peer to peer among participating
institutions and both the decision to participate in the system and the
decision to share records are made locally where the records are created. And I
want to get off script for a second here and explain what we mean here. The
concept is that at a national level there need to be basic rules and policies
established that those that desire to participate in the network adopt. What
Connecting for Health has determined is that many, many things should
appropriately be done at the local level including the decision to participate
in the network and the degree to which participation in the network is
appropriate. And through other testimony that I’ve heard in the brief time that
I’ve been with the group the concept of kind of silo to silo federation where a
very local decision is made about what data is going to be shared has been
talked about and that is something that Connecting for Health definitely

What the goal here of this immediate work is that our team is developing the
stack of necessary technical standards and recommended uniform national
policies and procedures to serve as a discussion piece for the national
framework. We are in the process of developing a first draft of the common
framework that will actually implement these standards and policies through the
prototype that is underway and we’re expecting that our initial draft of the
common framework is going to be available for discussion by the end of November
of this year.

At the very root of the privacy work that Connecting for Health is doing is
a sense of basic privacy principles that we believe need to be imbued
throughout the system and at all levels, and these are listed on page four of
my outline and just to repeat them here. One is that the network needs to be
open and transparent, that its purpose specified and minimized, that collection
limitations be addressed, that use limitations be addressed, the concepts we’ve
heard earlier in these hearings around confidentiality versus privacy. That
there be a measure of individual participation and control, that there be data
integrity and quality assured, that security be safeguarded and controlled.
That there also be accountability and oversight and that there ought to be
remedies or consequences when these principles and the policies that implement
them are not followed.

In the view of Connecting for Health all of these principles must be
addressed and balanced to create a private and secure and trusted network.
Connecting for Health believes it’s important that these be provided with
balanced resources, that no one principle become the dominant strategy for
protecting patient privacy but that the architecture and policy environment
assure that all of them are addressed and complement each other. If any one
principle is the dominant method of protecting privacy we believe it can
diminish and undermine the others.

I want to talk a little bit about the technical design decisions that we
believe have significant implications for privacy of patient information.
Again, just returning to the concept of the Record Locator Service which is
really key to Connecting for Health’s strategy. That central to this is that
the records remain with the providers of care, that indices are built within
what we call the sub-network organizations, or the SNOs, that would contain
only demographic data, and that retrieval of clinical data still requires some
form of authorization by the patient or the provider with appropriate levels of
security. Connecting for Health favors this federated form of database as
contrasted to centralization of clinical data to reduce risks from hacking and
privacy spills. And Connecting for Health believes that common security
standards must have national adoption.

The Connecting for Health Policy Subcommittee, on which I serve and provide
some staff functions, consists of 45 nationally known experts representing law,
ethics, consumer advocacy, and implementation experience. The subcommittee is
fortunate to be chaired by Bill Braithwaite who needs no introduction, is
currently a senior official at eHealth Initiative and has been a wonderful
colleague for years on the topics that we’re interested in. And also Mark
Frisse who is really an inspirational leader and has achieved great prominence
through the work that he’s done in the Vanderbilt context and I’d refer you to
Appendix C where the members of the Policy Subcommittee are listed and each one
of them from my own experience has taken this job very seriously and made
important contributions toward the work of the subcommittee.

What we are doing in our current set of activities is to develop a product
and the product is what we call the Model Multilateral Agreement and that’s a
document that I’ve spent a fair amount of time personally on developing, it has
a few components I’d like to outline. One is a registration agreement, a simple
what we envision online who are you and why are you qualified to participate in
the network. This is envisioned to be more often at an institutional level than
at an individual practitioner level and the thought is that individual
practitioners would be included as authorized users on behalf of registered
participants as opposed to having obligations through the registration process
on an individual basis, more as a collective basis.

The next piece is the common framework which we are calling our Policies and
Procedures Manual. This is the national set of basic rules and policies that
would apply to all networks that elect to choose to be interoperable on a
national level. We also as a subset of this are developing a number of issue
papers. As this subcommittee so well knows none of these issues is easy and as
Pam Dickson and I were commenting at the break in some respects it’s nice to
know what the opposition thinks but these issues need to be teed up and an
important work of Connecting for Health is to assist in teeing up the issues
and to present in a balanced way what countervailing thoughts are on the
various matters particularly related to privacy and I’m going to outline a few
of those topics in a minute.

And then finally something that we have just developed as a discussion draft
that we’re starting to issue some exposure pieces about is a model sub-network
terms and conditions. One of the things we’ve discovered in the work that we’ve
done is that on a regional basis everyone is starting with blank pieces of
paper and it’s a little bit like Mickey and Judy in the old movies where they
get a barn and decide to put on a show and I think the sense of Connecting for
Health is that there are common considerations that regional organizations can
benefit from, not dictating form but merely teeing up issues and demonstrating
thoughtful approaches and responses to a lot of the issues that these regional
organizations are going to be grappling with, so to kind of assist them in
getting off the ground in that way but also to raise the bar nationally.

The local organizations don’t necessarily have the resources to address some
of these issues with the intensity that they might merit and so kind of the
luxury of Connecting for Health is kind of getting together the people that
you’d really like to think about these issues and having the benefit of their
thoughts and then sharing them on a regional basis. And I personally believe
that this particular aspect of the work is going to prove to be extremely

An additional part of it is also for the benefit of the national structure
is to propose a design and governance structure for a standards and policy
entity which we envision a non-governmental entity that would have control over
the national policies that bind the network. And similarly principles and
guidance models, etc., for regional organization and governance to provide some
basic assistance in the initial phase of getting up and running.

The last component of this is a document that we’re, I apologize, it’s not
available today for the group but is in exposure drafts internally now called
Our Policy Background which is a very, very thoughtful piece that really has
served or provided an underpinning for a lot of the thoughts that have gelled
at Connecting for Health around the importance of the pervasiveness of privacy
throughout the national and the local network as an essential component of
potential success of a national network.

Some of the issues that the subcommittee is addressing and will be the
subject of our issue papers include for example which policies and standards
must be nationally uniform or which can be tailored to local circumstances
without lowering public confidence in the system or increasing security risks
and this is one of the $20 million dollar questions. For example through the
record locator there is a patient locator algorithm and although elements of
that algorithm could be established nationally there will be geographic
differences that need to be addressed so that the algorithm works better,
particularly the example that we cite here is the prevalence of certain names
ethnically based on regional dispersion.

The second one which is again an enormous question is the level of patient
consent that would be appropriate to participate in the Record Locator Service.
As opposed to participating in the network totally the Record Locator Service
is a pointer to your information and Connecting for Health is actively
addressing what the individual patient’s rights ought to be with respect to
even appearing in a locator service as opposed to participating in the network
through access to individual silos of your information. And the balance here is
that if you’re not in the locator service at all there’s no plug and play for
any of your providers and a serious amount of debate is going on about the
rights that ought to be there, should patients have to specifically consent to
being in a locator service and if not then what safeguards need to be there so
that the information about the patient is appropriate, is complete, is not over
complete or erroneous.

Another topic that we’re spending a fair amount of time on is once the
algorithm is run through a Record Locator Service and five people come up that
respond to it what are the implications of that, does it fit within what has
been termed an incidental disclosure under HIPAA that does not create damage.
Connecting for Health recognizes that that issue is not a foregone issue and
really the question of how much tolerance can the system stand for incidental
disclosure that would lead you potentially to the information about a patient
that is not the one that you’re seeking information about.

The last one of the examples that we have here is the break the glass
concept of when all else fails, when a patient presents in an emergency
department and is unconscious or can’t provide information what ability in that
circumstance would an emergency room physician have to kind of jam through the
Record Locator Service and adopt independent algorithms, self help if you will,
to try to identify where this patient’s records are. And don’t misunderstand
me, the fact that we have these issues on the table by no means does it mean
that we’re at a point to say here’s the answer but the assurance that I’m
giving you now is that some pretty big minds are grappling with this at
Connecting for Health and want to be a resource to the committee with respect
to those kinds of issues over time.

To conclude protecting privacy and confidentiality of patient data is
fundamental to a successful network and the principle upon which technical and
architectural decisions are guided and that is firmly believed by the
collaborative at Connecting for Health. Adequate protections will require both
technical, what we call architectural policies and structure as well as
policies and rules that are uniformly followed at a national level. With fair
information principles as a base and the nine principles that we’ve outlined
previously we believe those principles all need to be adequately addressed and
balanced and that the striking of that balance is an extremely important
element in establishing a trusted national network.

Connecting for Health is moving quickly as I mentioned to develop a first
generation set of standards, policies and methodologies, I think when the work
plan for 2005 was established a lot of us scratched our heads and said how are
we going to do this and Carolyn and the other leadership of the organization
said that’s not the question we have to ask, is that we have to do this, that
the anecdotal swapping of privacy breaches and security issues that we seem to
spend so much time talking about, we now know those are going to happen and we
know that security breaches will happen in the future and that privacy
principles may be abused over time but we need to get on with this very
important work of attempting to achieve a national consensus about what it is
going to take on a national level to establish this kind of a network.

All of our products including specifications, manuals, models, policies, and
procedures are going to be publicly available. We’re in the middle of an
aggressive exposure draft cycle now and really are going to make the November
30th deadline that has been set for the organization which for many
of us is extremely gratifying.

In closing I just want to emphasize on behalf of Connecting for Health and
its leadership our desire to work with the subcommittee. You have very
important work to do, you’re under all the same kinds of time pressures that we
all feel currently. I think as you can grasp from our comments here we’re
raising more questions than we’re answering, we’re taking confidence though
that we’re at least raising them and addressing them and attempting in as
reasonable amount of time as possible to come up with thoughtful responses, not
necessarily the one way but certainly ways that groups such as this would be
able to feel have been adequately weighed.

I also want to just as a postscript honor the questions that you posed. In
putting together our remarks we wanted to tell you our story and so we were
selfish in that regard and I apologize, but we also believe that the questions
that you’re asking deserve specific answer and I just want to quickly respond
to you so that in any questions you may have for me we don’t have to go over
that ground, you’ll at least know what we’re thinking.

With respect to network design your first question, as I mentioned we are
wedded at this point to the Record Locator Service but we have no prejudice
with respect to what the sub-networks need to look like. And as long as they
can adhere to the overarching principles of the network and the adoption of a
demographic only Record Locator Service the position of Connecting for Health
at this point is that those sub-networks and the participants in those
sub-networks should have a tremendous amount of latitude with respect to what
information ultimately gets shared and about whom.

Number two, what are the implications of permitting patients to control
whether their records are part of the NHIN? I think what we recognize is that
patients have been giving their doctors incomplete information for all time and
we don’t expect that that’s going to change. And we think an important element
of privacy is your ability to have incomplete information about yourself out
there as your patient sees fit and I know that there are some of you in the
room and certainly others that have spoken to you today that really are paying
homage to the necessity for the absolute most complete patient record on the
planet, at this point we believe that patients are not used to that and they’re
not expecting that and I think the standard of practice, doctors are used to
not knowing the whole thing. It would be great to know more than the patient
wants to tell you in some circumstances but it may not be accomplished through

Number three, what information should they be able to exclude? And this is
kind of a subset of question number two, I think the additional point to make
here is that we think it’s important that providers also have the ability to
decide that even though they participate in the sub-network organization that
there’s some information that they’re just not going to make available and
that’s a provider decision over and above a patient decision. One example
that’s cited all the time are practices of organizations such as the Betty Ford
Institute of what they’re prepared to share consistent with their own standard
of care.

You ask in number four what limitations beyond the HIPAA privacy rule would
be appropriate, I think all of us, most of us at least, acknowledge that HIPAA
was designed in a non-networked environment and so it doesn’t answer questions
that might have been answered if that had been on the table. And that’s not to
fault HIPAA, it’s just things happen when they happen, it certainly raises the
issue which we think is an important one of whether or not any kind of
legislative solution, HIPAA or HIPAA plus for a national network, is going to
be viewed as a floor upon which states can act or would be a ceiling and
effectively preempt state activity. And I guess from a realistic standpoint we
believe that it’s probably unlikely for there to be very widespread support for
something that absolutely preempts the field, we are a federation and to gain
adoption at the state level reasonable floors are going to be more palatable
than absolute ceilings that bring everybody up to the same level.

You ask in number five should individuals have the option of having their
health records maintained only in paper form and with all due respect to the
committee we think that horse is out of the barn and really, we don’t have that
choice now, wondering why, I don’t want people talking about that now, that’s

What other measures are needed to protect privacy and confidentiality of the
personal health information? And I think what we think is that our paper speaks
to that directly but we also want to underscore that we believe a governmental
focus on this issue should not be limited to technical solutions but that
really a focus on developing the basic privacy and security principles is
really the central challenge now and that oftentimes the debate is how do we do
this from a technical standpoint that can’t overarch the why are we going to do
this and how are we going to serve the interests of the individuals who
ultimately are supposed to be the beneficiaries of the work that we’re doing.

And with that I’m happy to answer questions after Bill has spoken.

MR. ROTHSTEIN: Great, well thank you very much and we’ll hear now from Dr.
Braithwaite and have questions for both. Bill, are you still with us?

DR. BRAITHWAITE: Yes, good morning everybody. Mark, can you hear me all

MR. ROTHSTEIN: We can hear you just great, can you hear us?


MR. ROTHSTEIN: Okay, take it away.

Agenda Item: Panel IV – Dr. Braithwaite

DR. BRAITHWAITE: Okay, although I am as you probably saw there listed as a
co-chair of the Policy Committee for Connecting for Health my day job is the
chief medical officer of the eHealth Initiative which is a Washington based
non-profit organization dedicated to driving improvement in the quality, safety
and efficiency of health care through information technology, that’s motherhood
and apple pie in other words. It’s my pleasure to talk to you by phone although
it’s too bad I couldn’t be there with you.

As many of you know I was the main author for the Administrative
Simplification Subtitle on HIPAA and worked at HHS for seven years helping to
put out the regulations under HIPAA including for privacy and security. I also
staffed the President’s PITAC report from June of last year. What I’m going to
talk to you about today are my private views, my views as an individual, of the
privacy issues around HIT and the National Health Information Network.

While working toward driving the adoption of standards and interoperable
health information systems and the connectivity to mobilize health information
we at eHI are focusing on improving the customer’s trust and confidence and
trust in the system by bolstering the quality, privacy, and security of
electronic health information. We deal with communities a lot and as
communities across the country mobilize information across the organizations
through multi-stakeholder collaboratives, which is the way we work, we’ve done
pilot projects in this area and worked to develop and share and disseminate
knowledge about how this is going for particular communities and how others can
learn from that by exchanging information amongst communities.

When I go out to these communities and make some onsite visits the most
frequent question I get, maybe it’s because they know that I was involved in HIPAA
but the most frequent question I get is about privacy and security. They’re
very concerned about whether the HIPAA privacy rule allows them to share
patient’s information in the way they plan, they’re very anxious to get HIPAA
compliant model policies and procedures and agreements and so on that can be
adopted to their particular circumstances and their state law. These are
exactly what Gerry was talking about as the expected products of the Connecting
for Health project and I’m very pleased to be part of that.

In June of this year eHI sent out an electronic survey of 100 communities,
more than 100 communities, that either had implemented or are trying to
implement these health information exchange projects. And one of the questions
we asked was what are your most challenging, what are your most pressing
challenges related to your health information exchange effort. And two thirds
of those people answered that privacy and security and otherwise was either a
very difficult challenge or a moderately difficult challenge. 59 percent of the
respondents who in addition identified themselves as well underway with the
implementation or fully operational cited that their policies that they had
established regarding privacy go beyond the HIPAA requirements, some of them
because the state that they’re in required them to and others because they
thought it was appropriate. In all cases it’s clear that the communities still
need guidance and technical assistance on sometimes complex privacy and
security issues before they feel comfortable moving ahead.

Having said that I tend to view the principles underlying the privacy issues
at a very basic level and I find the following approach to be very
understandable, I use it to explain what was behind HIPAA privacy to patients,
health care providers and administrators, and whether it’s in the context of
HIPAA or not I really believe that these principles are understandable by
ordinary people and they can relate them to the environments that we’re trying
to set up to improve their health care.

The first notice is the existence and purpose of record keeping systems.
These systems have to be known about, another way of stating it is that there
shouldn’t be any secret databases about people.

Choice, information must be collected only with the knowledge and permission
of the subject, used only in ways relevant to the purpose for which the data
was collected and about which the subject was informed, and disclosed only with
permission of the subject or in accordance with overriding legal authority such
as a public health law that says that disclosure when a patient has SARS to the
public health department is more important to the public health then the
individual’s privacy.

The third one, access, is the right of a subject to see the contents of
records about them and propose corrections through some due process that
assures the accuracy, completeness, and timeliness of the information.

Security reinforces the privacy principles, reasonable safeguards have to be
in place for the confidentiality, integrity, and availability of the
information for its intended purposes.

Enforcement is yet another privacy principle, assurances have to be in place
so that violations of the principles that result in reasonable penalties to
deter violations and force mitigation of the effects of the inevitable, but
hopefully rare, breach to privacy or security.

Don’t misunderstand, despite the simple nature of these five principles that
I use for teaching purposes, the explanatory purposes, applying them to the
most complex human endeavor in history, as I call our health care system, is
not at all simple. And many of the privacy and security questions that arise,
especially when I’m not in the field, are not answered directly in either
HIPAA, the privacy rule, or in the guidance available from HHS. In these
situations I refer people back to these basic principles and try to make a
reasonable rational judgment based on those principles about what is the right
thing to do and then document how they came to that conclusion.

I think the experiences that Gerry talked about in the Connecting for Health
implementation project point out how every design and implementation decision
connected with health information exchange has to be examined carefully for
alignment with the principles and all decisions have to be documented along
with their rationale. Some of the questions that have come up in this
implementation are just, you wouldn’t have expected them, I can go into some
detail later if you want to talk about them.

Gerry’s talked about some of the practical aspects of how the privacy issues
covering most of the third, the first three principles are being handled in
Connecting for Health, so I want to talk in some detail about the last two
principles and in essence giving you a long answer to your last number six
question because you can’t have privacy without the appropriate security and
enforcement and infrastructure to support the kinds of protections we’re trying
to put on this information.

The HIPAA security rule sets very general principles in place, it wasn’t as
specific as the privacy rule, recognizing that the technology and the problems
around security change rapidly and people need some leeway, organizations need
some flexibility to implement security in different ways depending on their
risks and their ability to respond to those risks. And it’s true too not only
in what they do to protect the information they hold but how they implement
security when exchanging protected health information between organizations on
the National Health Information Network. And this requires a more well defined
and standard set of mechanisms than when you’re sharing information among
systems that are part of your organization. Obviously two organizations that
are sharing information have to implement security in compatible ways otherwise
you can’t share the information. So the need for standards when you’re sharing
information across the network is much more acute than when you give each
organization permission to do security on its own.

It also requires a degree of trust in the technology and in the other
organizations that you’re interacting with that’s not there today. When we
survey our communities one of the things that pops up as a major barrier is the
lack of trust between competing health care plans and providers, between
providers and plans who have totally different perspectives on how information
should be used, and many other aspects of trust that need to be resolved
usually through face to face meetings and gradually building up to an
understanding and agreement on principles on which a local health information
network and sharing can happen.

I really think on a national level the health information network will fail
miserably if we don’t solve the trust issue around internet communications. I
think that the NHIN has to be built on top of the internet, it’s the only
technology that provides communication capabilities to virtually every health
care organization in the country, even small rural locations are able to get on
the internet even though it may require a little bit of extra resources for
them to do that.

But there are some standard security mechanisms that have to be in place to
support this trusting sharing of data between organizations. The first is
authentication and maybe the most difficult one. In essence authentication
requires a face to face interaction, documentation presentation with someone
who can authenticate the identity of the person and to whom it’s an enforceable
offense to lie. At the moment the only person in our country who can do that in
my understanding with any authority is a notary public, typically a clerk in a
bank. Totally paper based, they write the stuff in a journal, it’s difficult to
verify, not capable in general of issuing verifiable electronic certificates
that are required for implementation of the National Health Information
Infrastructure. Although in 2002 they came out with a new model notary public
law, I remember each state has to pass notary public laws and most of them are
different but they tend to follow this model. So the new model allows notary
publics to get certified to issue electronic certificates, but, there are no
standards and there are no federal requirements for those standards to be met
by notary publics and until those standards are set and enforceable the
authentication problem is a very, very serious one.

Authorization, sometimes confused with authentication, requires a secure
digital evidence of some kind that credentials a specific entity with certain
professional capabilities, essentially a role and a relationship. So a
physician, a role of the physician or an employee of an organization or a
physician with a particular specialty, licensing boards on a state by state
basis provide a partial solution to this if they got into doing electronic
authorizations but a solution for the overall health industry is very
scattered, very parochial if you will, at the moment.

The third is non-repudiation, this is a secure mechanism that identifies
that an individual is the source of a communication and can’t deny it. This
involves electronic signatures that guarantee that a message hasn’t been
altered in transit and guarantees that a particular person sent it. But this
requires a trusted source for the keys in the public/private key infrastructure
or some other mechanism of putting out encryption and signature keys that are
tied to the authentication mechanism, and some sort of standardized algorithm
that everybody agrees to use. There are many different ways to get these keys
and many different algorithms that you can use today but until health care
decides on which one to use very few people are looking at this as a mechanism.

Auditing of course is critical, you’ve got to record what information about
whom was sent by whom and to whom and when, this is the underpinnings of
enforcement for privacy and security. And of course you can’t just make an
audit trail, you’ve got to actually analyze that audit trail using software
tools and humans to detect and investigate anomalies, if you don’t do that of
course then there’s no real enforcement capability behind the privacy and
security principles. This is not required by the HIPAA security rules but in my
point of view it’s poorly implemented in most health care environments.

Encryption, a mechanism used to assure senders and receivers of a
communication that it couldn’t have been reasonably intercepted by others or
altered by others. Again, a trusted source for keys and a standard algorithm is

Transport, this is the easiest to solve, actually the internet is the
obvious mechanism and although everybody can get access to it the secure way to
use the internet is not so obvious. You all probably experience spam and
phishing on your internet email and we have to find a way to do secure
electronic communications for health care that other people can’t get involved
in, in that way or any other way.

Getting authenticated, getting keys, getting security software and so on are
relatively easy and trivial by themselves, but they can be expensive, they can
come from many different sources, and they can be used in many different ways
that are incompatible if specific standards are not followed and we as an
industry have not set those standards. We need a single standard, single set of
standards, to use in an inexpensive consistent way of getting and implementing
these security elements that is trusted, technically, fiscally, and
philosophically. Standardization, creation, and maintenance of this relatively
complex constellation of services is critical to the future functioning of the
National Health Information Infrastructure in a way that protects the privacy
and security of health information and we can’t do it without this

The last principle of privacy of course is enforcement and as I’ve said you
can’t maintain the trust level necessary to feel comfortable about exchanging a
patient’s information if breaches in privacy and security are not dealt with
appropriately by enforcing the rules and the contracts against those who
intentionally or negligently ignore them, including requiring actions that
mitigate, as much as possible, the negative effects of breaches that will
happen. It’s important to plan ahead for these when they do happen and we
haven’t been very good at that.

HIPAA was written with significant civil fines for these breaches but with
enough leeway that HHS has been able to push for voluntary mitigation of
accidental breaches and for resolution of system problems to prevent them from
happening again. The fines are small, the excuses are large, so in fact
although HHS has responded to many thousands of complaints about privacy they
have yet to undergo a civil penalty, levy a fine against someone for violations
though only time will tell if these mild deterrents are sufficient for this
kind of violation.

But they also instituted more severe criminal penalties to deter individuals
from making knowing decisions to violate a patient’s privacy for their own
purposes or for their own gain, and the few that resulted from these made
people pay lots of attention to the privacy rule when it came out, it had more
attention to the privacy rule than any one of the other HIPAA rules. And it
probably led some of the industry to take steps that are more conservative than
what was intended, for example I often hear from frustrated providers who see a
patient in an emergency room and ask a hospital for a copy of the records and
they’re told in no uncertain terms they won’t get the record unless there’s a
signed release from the patient as required by HIPAA.

Of course HIPAA doesn’t require, HIPAA makes it very clear that there shall
be no restrictions on a provider’s ability to share or get information for a
patient for treatment purposes. So there’s much education to do out there and
when privacy raises its head in an inappropriate way to interfere with the
quality treatment of a patient I get livid and I hope you feel the same way.

As I’m sure you’re aware on June the 1st of this year the
Department of Justice issued an opinion to HHS on the scope of criminal
enforcement under HIPAA and this may have made the criminal penalties under
HIPAA ineffective, we’ll have to see what happens there, it may in fact require
a new law get passed or some sort of clarification to make sure the punishment
indeed does fit the crime.

In conclusion, while organizations like Connecting for Health are coming up
with the technical and contractual means for implementing a reasonable model
for federated health information exchange nationwide I believe the federal
government and especially HHS must take action soon to support these efforts
with appropriate infrastructure. Only the federal government has the breadth
and authority to set national privacy and security standards for health
information exchange and to either implement or cause to be implemented the
internet services described above in a sufficiently robust and trusted manner
that they will be adopted and used by health care organizations nationwide.

I think leadership by CMS in adopting the internet, which it has refused to
do for the last many, many years despite the pressures on it to do so, and this
interoperable communications infrastructure over the internet for purposes of
administrative and clinical data for Medicare and Medicaid claims processing,
claims attachments, and in the future pay for performance programs would start
the ball rolling. However, in the same way that the Department of Defense’s
DARPA seeded the early internet and enabled the World Wide Web to evolve by
setting standards and implementing the basic services of the internet it will
take a larger, longer vision for the federal government to seed the necessary
infrastructure, as we have discussed above, to assure the growth and prosperity
of the National Health Information Network.

The Secretary has got a large role to play in getting this right. Many
communities that we at eHI are talking to are going through the growing pains
right now to discover and implement the sustainable business models necessary
to support the regional health information exchange with the expectation that the
results of these efforts will be higher quality, more efficient healthcare,
that results in fewer medical errors. Privacy and security concerns, however,
could overwhelm totally such efforts if they’re not addressed fully and it’s
clear that incomplete and fragmented security will not satisfy anyone with
privacy concerns.

I believe the National Health Information Infrastructure that will connect
these communities will amplify the value of the records but will die on the
vine if not nourished by rapid and decisive action from the federal government
in the near future to establish and maintain the required secure infrastructure

I hope I’ve been able to contribute constructively to the discussion and
look forward to your feedback.

MR. ROTHSTEIN: Thank you, Bill, I’m sure the members of the subcommittee
have questions for you and Mr. Hinkley as well so we’ll start with John.

MR. HOUSTON: Thank you. Again, I think this was excellent testimony, I’m
glad we’re hearing, I mean the last two days have been fantastic.

I know a lot of what Bill had focused on were security versus privacy but I
really, one question continues to come to mind, is why the internet? I think
when I look at other high performance transaction environments, I look at like
such as in banking, often they’re done on entirely private infrastructures that
have performance and security and other attributes that maybe we can’t expect
from the internet and I know in my own health system which is a regional health
system we understand the volume of information and the security issues related
to that information is such that we’ve obviously put very large networks in
place, private networks in place, to ensure that we have adequate transmission
of data and we can keep it secure and high up time, things like that. Why are
you insistent that we really do need to have a reliance on the internet?

DR. BRAITHWAITE: My position on it is that it’s the solution to the N by
N problem, that is because of the privacy and confidentiality concerns and
because we don’t at the moment at least have national standards about exactly
how we interchange information any exchange of information between
organizations, I don’t mean within an organization, I mean between them, has to
involve a negotiation between those two points. And if you’ve got two or ten or
even 100 different organizations that want to exchange information it’s
feasible to have those 100 connections to you but each of the 100 has to
negotiate 100 connections to you as opposed to everybody negotiating one common
set of standard interactions with a common way of communicating with everybody.
It just doesn’t scale, there are millions of different parties to the potential
future information exchange within the United States and I don’t see any way to
do that on a one by one point to point connection negotiation.

MR. ROTHSTEIN: Thank you. Harry?

MR. REYNOLDS: I have a question for each of you. Bill, first for you, thanks
for your testimony. Your survey you did of the 93 respondents, where the 31
said it was not a challenge as far as privacy and security, did they tell you
any more than that? They need to come help us because we’ve heard enough over
the last three sets of hearings —

MR. HOUSTON: They don’t understand.

MR. REYNOLDS: But I’d be interested in you giving us a little more on —

DR. BRAITHWAITE: Well, it’s tough for me to give you more yet but it’s
certainly something we are investigating further. These are preliminary results
from the survey and realize that it was just a survey, so the people who
responded were the people who responded and my best guess is that it’s not a
problem if it’s a small community, a small group of organizations, providers,
plans, etc., that are already working together and are able to come up with a
common mechanism of dealing with this issue.

There are probably, I don’t know, in the low 20s, somewhere in the 20s
anyway, an actual operational regional health information network working in
this country now and they have found some way to make it work. But every one of
them has found a slightly different way as far as I can tell to make it work,
some of them do it under state law, some of them do it under a mechanism that
says every patient who comes to the institutions who are part of our regional
network is notified in their privacy notice that this is what’s going on. And
if you want to complain about it here’s who you talk to and if you want to go
somewhere else that’s okay too.

So as far as I know everybody’s doing it slightly differently but we don’t
yet have a solid understanding of what these 31 had in mind but it would be a
good thing for us to go back and try and find out.

MR. REYNOLDS: Thanks. Okay, Gerry, you mentioned that the CFH is moving
quickly to develop a first generation set of standards, policies, and
methodologies, I picked up on standards because obviously there are a lot of
standards out there in the industry right now and since CFH is not kind of
recognized as a standard setting body, help me —

MR. HINKLEY: Standards from the standpoint of, not a technical standard as
much as a statement of the policy around what the technical architecture needs
to look at —

DR. BRAITHWAITE: I think there are two levels, Gerry is talking about the
level, the standard agreement that everybody can sign. But they’re also saying
not that they’re a standards setting body or standard creation body but they’re
selecting existing standards and saying we’re going to use this one.

MR. REYNOLDS: That’s what I assumed it meant but that’s not what the
testimony said so I wanted to get clarification on that. Thank you.

MR. ROTHSTEIN: Richard Harding.

DR. HARDING: I’ll pass and come back to me.

DR. TANG: I appreciate both of your testimony and I agree with John, this
has been really an exceptional couple days. One thing that’s come up I think in
every panel is the whole notion of choice and there’s a couple statements that
were made and I just would appreciate your opinion on it. Choice is normally
said that the patient, the information is used for the purposes under which it
was gathered. Another statement has been made, and most people make this, is
that no problem with use of de-identified information or disclosure of
de-identified information. Now when you say choice do you mean that a third
party should be able to use the information for the purpose it was collected
and then reuse information for other purposes to its liking so long as
information is only disclosed in a de-identified fashion. How narrow do you
define choice?

MR. HINKLEY: Well, I think, Bill, if you let me go first and then you’ll
correct me. I think what we’re trying to focus on is what is the patient’s
expectation regarding use and so that if that kind of use is going to be
contemplated it shouldn’t be then someone else can say well gee, we’re going to
use it for this because no harm no foul, we’re viewing that the individual
who’s making this decision needs to understand the rules that are going to
apply to the use going forward —

DR. TANG: Regardless of how it’s disclosed, with or without identifiers?

MR. HINKLEY: Well, I mean if that’s a permissible use then that ought to be
on the table at the time the choice is being made as opposed to somebody else
deciding gee, let’s go, we’ve got all this data we can mine and we aren’t going
to hurt anybody with it.

DR. BRAITHWAITE: My view is that the uses of identified information have to
be relatively well communicated to the subject, that the uses, that
de-identification can be a use on its own, that is if you inform people that
one of the things you’re going to do with their information is de-identify it
so it can be aggregated and used in research and so on but never identified as
coming from you, then the use of that information is put to is not required to
be laid out in detail.

MR. HINKLEY: I think we disagree, it sounds like we disagree slightly, I
mean Bill, are you essentially saying that there would be levels of
de-identified usage that wouldn’t have to be explained to whoever is making the
choice on use?

DR. BRAITHWAITE: My position is that as long as you explain what
de-identification means and that you are going to de-identify this information
and use it in some aggregate way for some general purpose that you don’t have
to get explicit about how that de-identified information is going to be used
and you do if the information is identified.

DR. HARDING: Bill, you’re going to have to talk up just a little bit.

DR. TANG: Well, I think there is a nuance and this is one we’ve struggled
with, so for example the famous HIPAA covered entities and I know Bill that you
were handed that set of players and HIPAA discusses some of the things you can
and can’t and how you would de-identify things. What we’ve heard about PHRs,
there are third parties that are not covered entities and actually don’t even
have a business associate agreement with sources of data and one of concerns is
they have no guidance and so I just want to clarify the guidance, to see if
Connecting for Health is sort of providing under choice and what Bill might be
describing as choice and I think there is a little difference.

MR. HINKLEY: And I think just to maybe put that into context, a principle
that the Connecting for Health has embraced is that the blanket consents are
not necessarily consents, that if you really don’t have a level of, if it’s
buried at the bottom of your consent to treatment or it’s that five page thing
that one provider I won’t name hands you when you’re bleeding, it’s not, that
consent at that point is not particularly well informed.

MR. ROTHSTEIN: Simon Cohn.

DR. COHN: Well Dr. Braithwaite, first it’s good to hear your voice and I’m
actually obviously sorry that you’re not here to join us in person.

DR. BRAITHWAITE: Likewise, Simon, I’d like to go out to dinner with you.

DR. COHN: Exactly, maybe we’ll find some time in Washington since obviously
you’re there a lot these days it sounds like.

Now I’m sitting here struggling, I’m not even sure that I have a question
well formed, of course unlike everyone else. But certainly we’ve been spending
this set of hearings as well as others really fundamentally talking about the
trust issue and obviously as I reflect on myself I’m a clinician and care for
patients but I’m also a consumer and a patient. And just as I reflect on sort
of my sense of my own concerns about privacy, I have obviously very, I mean Mr.
Hinkley as you commented, a lot of my data is already electronic so with my
providers, within my provider environment, I mean I trust that environment, I
know about it, it never would occur to me to be too concerned about those
issues. I mean I know them, they may be large but I basically trust that
environment. Now yesterday we talked about sort of moving beyond just your
provider to your sort of circle of, what was the term you used? Circle of care,
in other words maybe not part of the same organization but other providers that
care for you and that there’s also a level of trust there. And then from there
you start going off into a RHIO where it begins to feel like well, where is it
going, what is it doing, who might look at this, and then you start going cross
RHIOs where you start going hmm, I mean once again I just find myself, it’s
once again it feels like we’re stepping things up a notch each time.

Now my question I guess for both of you is that do the same, I mean maybe
there’s a framework that maybe applies in all cases but do we apply the
framework in the same way for all of the cases that I’ve just described? I mean
is there a requirement for more of any of this stuff as we begin to move into
the sorts of larger environments or are you all proposing that what’s good
enough within my environment or within the circle of care is the same standard
that we would use either for privacy or security or if my data was being
accessed to Georgia?

MR. HINKLEY: Why don’t I start? Connecting for Health believes that it is a
local decision of how that information could be utilized and that the common
framework allows the connection but individual providers and patients decide
ultimately where that information is going to go and so that’s kind of some
fundamental building blocks are that the information resides with the source
until retrieved and that the source of that information can make a decision
that this data isn’t going to get mined by somebody and that’s an appropriate
decision to be made and there has to be some, just because you found out where
information resides doesn’t automatically mean that it’s accessible beyond what
the local rules are with respect to that kind of accessibility. And that begs
an enormous question how you structure that but assuming that we can answer
that we think that that’s the right place and that somehow moving to a national
structure should facilitate patients and providers getting what they want with
respect to the information they’re holding because they believe that it can be
helpful in other situations related to the care of that patient.

And so it just makes it work, it doesn’t mean that it makes it dysfunctional
or that you lose the local controls. And it also may mean that the people who
really want, are advocating for access to large amounts of data for aggregating
purposes and stuff, you know that their interests are not going to be well
served by that kind of structure.

But I think what we think is that’s not an ox that’s going to get gored in
round one, I mean at this point it’s got to be the ones who currently control
the information or believe they control the information now are not going to
give that up in a national context and there’s some wonderful benefits to be
derived from interoperability, particularly for threatened populations that are
probably going to be the first beneficiaries of this kind of method, people who
get their care in wacky ways as opposed to when I happen to be in Wyoming on a
raft trip, I’m not testifying to make that easier, there are lots of people who
are going to benefit from this way more than that but so creating the network
has these discernable benefits that have been identified.

But it still at least in our views needs to be driven locally and that there
isn’t going to be something crammed down from a higher level saying oh and by
the way now that this information, we can find out where it is we also get to
have it.

DR. BRAITHWAITE: I will add to that mantra of local storage and control by
observing that just because you implement technology that enables the sharing
of data does not give anybody a permission or requirement that they in fact
share it.

MR. ROTHSTEIN: Thank you. Bill, could you repeat that last sentence? We
didn’t quite hear it in the room.

DR. BRAITHWAITE: Sorry, I was going to add to the mantra of local storage
and control by saying that just because you implement the technology to enable
the sharing of health information beyond the circle of trust that you currently
have, whether that’s your provider or a group of providers, your circle of
care, your RHIO or whatever, does not mean that it has to be shared or that
anybody has permission to share it. We believe that the decision to whether or
not you share that information is local with the organization or person who has
the current storage and control over that information and they should keep it.

MR. ROTHSTEIN: Thank you. I have no questions. Maya?

MS. BERNSTEIN: We’ve been talking about this presumption that trust is
essential to the network and that basically we don’t have trust now from your
survey and from other testimony that we’ve heard and Simon echoed it in his
comments about how as information is more available at each level more
nationally people are, he or other people are less comfortable with it. So I’m
wondering how it is we, that we can be easily, or you can be easily advocating
sort of pushing quickly ahead and even asking for secretarial action to help
push ahead with this kind of technology knowing that consumers and patients are
not comfortable with it, how do we recommend, how do you recommend we change
that public perception and my sense is that the public doesn’t know anything,
your average consumer doesn’t know anything about security measures, about
authentication or encryption or I mean whatever, they just don’t trust that
their information is going to be out there. So until we change that public
perception is this kind of proposal premature?

DR. BRAITHWAITE: I think not, the reason I think that is because the very
reasons that people don’t trust the current way we share information which in
most people’s perception is what they perceive as the internet or the web is
because we don’t have the security features in place that I’ve been talking
about. If you are absolutely assured that any message you send would arrive at
the location you sent it to, could not be interfered with during the process of
sending it, it could only be read and understood by the person you sent it to,
and the person who received it could be absolutely assured that you, and only
you, could have sent this information, then we can start building from all
these kinds of communication —

MS. BERNSTEIN: But my point Bill is I can be assured but I’m not going to
believe it, that’s the problem. You can put all that technology in place and
tell me it’s really great but I don’t believe you.

DR. BRAITHWAITE: [Comment off microphone.]

MR. HINKLEY: What I was going to say is this is all, I mean what we’re doing
right now is about that, is to have this national debate about what is going to
be required to create trust. I think if you kind of look at how at least
medicine is appreciated in the United States and how the regard with which
people hold their physicians, the medical community assuming that it adopts it
more affirmatively than it may have to date is going to help go a long way with
that, I mean I’m not, this is personal obviously, I’m not, I don’t know whether
Got Milk? is going to be the way to get this Got Trust? across but it’s the
people that you’ve always trusted with your care will be adopting something

When I go to my doctor and he says you know we’re going to give you new hips
I don’t have to believe in that, I trust that, and so I think the system can,
assuming that the kinds of things Bill is talking about which he understands to
a much greater technical degree than I do, if those things are there and if
physicians who tend to be an extremely knowledgeable group generally on all
kinds of subjects, and I’ve learned that over many years of practice with
physicians, if they start telling their patients this is how we’re going to do
it I think that’s going to take us a long way. But I think it’s kind of a
dialogue generally that is going to move it along and there could be some
perverse things in connection with this depending on what kinds of incentives
get added to utilization of technology, they could either drive that kind of
adoption of a trusted attitude or not and that’s a whole other conversation.

DR. BRAITHWAITE: Building the technology to enable trust and not force trust
on anybody, it’s a long process.

MR. ROTHSTEIN: Beverly Peeples.

MS. DOZIER-PEEPLES: I guess this question is for both of you, I guess I’m
hearing kind of contradictory statements, I think I’m hearing some kind of
contradictory statements, you said that we really don’t have the secure
environment on the internet now to make, to do these transactions and share
this electronic health data on the one hand but there’s a statement in Mr.
Hinkley’s testimony where he says CFH favors federated databases as contrasted
to centralization of clinical data to reduce the risk from hacking and privacy
spills and yet you intend to securely use the internet to connect these
institutions to each other in the prototype and I guess tangentially related
to the previous statements I guess if this prototype is able to securely use
the internet to connect you will build some trust. But I’m wondering why you
think these federated databases are going to be more secure than a centralized
database when you’re using the internet.

DR. BRAITHWAITE: I hear two questions there, let me address at least one of
them. There are technologies and standards available today to make trustworthy
communications across the internet between point A and point B. The problem is
that you can’t do that unless you know who point B is and set up that trusting
relationship out of band as they call it. You have to get to know them or
you’ve got to communicate with them in some other way than the internet to make
sure that you know who they are and agree on how you’re going to encrypt and
sign the information you’re going to exchange. The standards for doing that are
available today, what I’m talking about are standards that everybody can use in
the health care industry so that when you get a message from Dr. XYZ in Alaska
that you’ve never heard of before that you can trust that it’s that person
because you can look it up electronically with someone in fact you trust that
this person in fact is a physician that works for an emergency room in a
certain place, whatever mechanisms you need, and works under the policies that
you had also agreed to, to share information securely across the internet using
specific standards. But you have to sort of build the mechanisms to allow trust
with people you haven’t built that trust with before over a long period of

MS. DOZIER-PEEPLES: Thank you for that clarification. And I guess the other
part was —

DR. BRAITHWAITE: The other part was why federated instead of centralized?


DR. BRAITHWAITE: In a sense all record databases are centralized because
unless you carry around your own medical records and they’re not kept anywhere
else, which is one of the things you addressed I think in the first question,
your record is kept with other people’s records someplace, whether it’s in your
doctor’s office or in the Kaiser system or in some national database or in some
localized database, it’s mixed up with other records.

The real question is if you put everybody’s record in one huge database in
the sky could you protect that as well as you can protect the individual sized
databases that we have now and our belief is that given the current technology
and the current ability to protect things that if we keep the databases
relatively small and under the control of the people who interact with the
patients directly that that will provide the best combination of knowledge and
security and diversity of information sources to protect the information and
still allow it to be shared in a standard way using controlled security.

MS. DOZIER-PEEPLES: And I guess that’s consistent with some of the other
testimony we heard regarding greater centralization equals greater potential
risk for disclosure so I guess that’s consistent with what we’ve heard before.
Thank you.

MR. HINKLEY: And it also I think the concept of independent databases that
are connected through some kind of federation, that doesn’t mean that the data
is commingled, it means that their systems work in parallel, and then that
supports the notion that you can maintain local control rather than having
attributes in a central database that say well gee this is controlled by X so
we can’t do something, actually having that source of data be able to control
the outflow supports the local control concept. And I think as Bill described
we believe that it’s better to have a whole lot of smaller pots of information
than one centralized pot that could be an easier single target.


MR. ROTHSTEIN: Thank you. I want to thank both of you, the members of the
panel number four, for providing us with very valuable testimony. I want to
briefly before we break for lunch go through the schedule for this afternoon so
that the subcommittee members know what it is that we’re going to be doing. The
first item that we are going to be taking up is the draft letter report to the
Secretary on personal health records, you should all have a copy of that, we
have been asked by the NHII Workgroup and the Executive Subcommittee to take a
look in particular at the privacy section of that which begins on page seven
and in fact there’s a paragraph before the privacy section on page seven that I
would also call your attention to. So we’re going to begin taking a look at
that, on page seven, the paragraph before privacy and the entire privacy
section which runs through recommendation number seven at the top of page nine,
so that will be our first item of business.

After completing that then we will go to a discussion of what do we do next
with regard to the NHIN and our recommendations and you might want to be
thinking not so much in substantive terms but in procedural terms as to how we
should proceed, and we will be having a discussion on that in terms of our
timetable, our method of operation and so on and so forth, and that will
precede any discussion that we have.

And our quitting time for this afternoon I’m going to keep flexible because
I don’t know how much the subcommittee wants to do of a substantive nature and
so we’ll leave it up to you how much to do on that today.

MR. HOUSTON: Can I suggest we at least try to get some general themes
decided upon?

MR. ROTHSTEIN: Well you certainly may suggest that and we’ll take that up
right after lunch. It’s now almost 12:30, how about if we take an hour and
resume promptly at 1:30. Okay, thank you.

[Whereupon at 12:30 p.m. the meeting was recessed, to reconvene at 1:40
p.m., the same afternoon, August 17, 2005.]

O N [1:40 p.m.]

MR. ROTHSTEIN: Well we are back with the subcommittee discussion portion of
our meeting and if you can get your copies out of the —

[Briefly off the record.]

Agenda Item: Subcommittee Discussion

MR. ROTHSTEIN: Okay, if you could please turn your attention to page seven
of the draft PHR letter and I want to begin with the paragraph that precedes
the section on privacy that begins of note. And if it’s okay we’ll do it sort
of this way, does anybody have any comments or suggestions for any changes in
the language in that paragraph? This is page seven, the paragraph before
privacy that begins of note, because it does have a privacy component even
though it’s not in the privacy section.

DR. TANG: I guess I question the at a time when information is viewed, why
we need that.

MR. ROTHSTEIN: Who’s on the phone?

MS. HORLICK: It’s Gail Horlick, I’m sorry, I forgot to put it on mute.

MR. ROTHSTEIN: That’s okay. Is there anyone else on the phone besides Gail?

MS. MCANDREW: Hi, this is Sue McAndrew at OCR.


MR. HOUSTON: I think use of the word commodity is the wrong —

DR. TANG: I found it not to contribute and also potentially to detract from,
I mean I don’t know that anybody has ever said personal health information is a
commodity, so I mean the simplest way I would suggest was just to get rid of
that sentence.

MR. HOUSTON: I think there’s a value to it, in fact commodity implies that
there’s some —

DR. TANG: The next sentence, the rest of the sentence describes our concern
so there’s a second, I mean secondary use is one of our biggest concepts that
we need to deal with I think, it says that in all the rest of the paragraph
without that sentence, I think.

DR. COHN: Let’s take a hard look at it, so basically you’re just saying get
rid of that whole sentence?

MR. ROTHSTEIN: Paul, I didn’t write this, I don’t have any pride of
authorship, is it the word commodity or is it the sentence? If it were changed
to at a time when information is already viewed as having economic value in
other sectors personal health information is also being termed, or exploited
for its economic value or something like that. Is that okay?

DR. TANG: That’s setting up our argument, right, exactly right.

DR. COHN: That sounds a whole lot better.

MR. ROTHSTEIN: Mary Jo, do you —

DR. DEERING: — also be exploited —

MR. ROTHSTEIN: For its economic value, is that okay? Or has the potential to
be exploited for its economic —

MR. HOUSTON: Commodity, something has value, commodity I’m thinking of
something in bulk, it’s fungible, you can have this or that, pork bellies,
exactly, as opposed to —

PARTICIPANT: Sort of denigrating —

MR. HOUSTON: Exactly, it makes it into this —

MR. ROTHSTEIN: Okay, I have a problem —

DR. COHN: Mary Jo, did you get it?

DR. DEERING: Let me read, at a time when information is already viewed as
having economic value in other sectors personal health information also has the
potential to be exploited for its economic value.

MR. ROTHSTEIN: Is everyone okay with that?

MS. BERNSTEIN: That removes yourself from the fact that it now has economic
value in the marketplace, it sort of says potential and may have and all this,
it definitely has growing value, it already has existing value, it’s being done

DR. TANG: And actually we want to pose it as a threat not an opportunity. So
what happens if we take it back out?

MR. ROTHSTEIN: Mary Jo, could you read the sentence again?

DR. DEERING: At a time when information is already viewed as having economic
value in other sectors personal health information also either has the
potential to be or may be or is being exploited for its economic value —

MR. ROTHSTEIN: How about is increasingly?

DR. DEERING: Is increasingly being?

MR. ROTHSTEIN: Yeah, would that get it across the —

DR. TANG: We’d have to justify it more, that’s a claim.

MR. HOUSTON: This letter is supposed to set up the emerging trend of PHRs
and what we need to do in order to adequately embrace them. To argue that the
information already has value sort of makes the assumption that PHRs are
widespread which I think, that’s not the case —

MS. BERNSTEIN: We’re just talking about medical information generally, not
PHRs in particular —

MR. HOUSTON: The way Mary Jo modified it used the word PHR which is the only
reason why —

DR. DEERING: I didn’t mean to, I said personal health information, I may
have misspoke and said record, I meant to say personal health information.

DR. COHN: So where, Mary Jo help me, so basically we’re on, there’s the
first sentence, is it PHR systems or —

DR. DEERING: Health data in PHR systems, the health data contained in PHR
systems, at a time when information is viewed —

MS. GREENBERG: That implies that health information, it says other sectors
so it implies that health information doesn’t currently have value, of course
it has enormous value, so I think you’re setting up a dichotomy that doesn’t
really exist here.

DR. TANG: Again, taking it back out —

MS. GREENBERG: I would take out that in other sectors, it’s already viewed
as having value, health information retained by a person —

MR. ROTHSTEIN: I think that’s a very good suggestion, at a time when
personal health information is already viewed as having an economic value
personal health information in PHRs —


MR. ROTHSTEIN: Could be exploited.

MS. GREENBERG: Exploited, I mean the fact is it’s not as if that’s not —

DR. TANG: I wonder if instead of setting up another argument just go off of
the first sentence.

DR. COHN: I’m actually sort of coming away with a second sentence seemingly
to be unnecessary —

DR. TANG: Or embellish the first instead of creating a new argument, so
you’re saying there’s an emerging tenet of secondary uses, some of these uses
may not be for health related purposes, see what I’m saying?

MR. ROTHSTEIN: See we use the word trend in the first sentence and so if we
took out the second sentence the third one would still make sense as it is.

DR. COHN: Could I ask an odd question?

MS. GREENBERG: Just to leave it, I thought of that also.

DR. COHN: I think that may be the simpler solution here since we’re
stumbling over. Now let me just ask a question and this more a question of
fact, is the first sentence true as an emerging trend?

DR. TANG: Well we heard, we had entire session, half day session that
described, that alluded to it and I know Jeff Blair brought up the fact that
there was an impending announcement about another —

DR. COHN: But that one turned out not to, at least to my knowledge, be an
example of this, so that was what I was —

DR. TANG: Our whole problem is we don’t know, there’s nothing that’s been
stated that would refute whether that was going on or not.

DR. COHN: Well, when you start talking about an emerging trend that’s a very
strong statement of current existence as opposed to being concerned about.

MR. ROTHSTEIN: All right, how about if we say of note, NCVHS is concerned
about the secondary uses of health data contained in PHR systems.

DR. TANG: No, we heard about this concern —

MR. ROTHSTEIN: That’s what I think Simon is questioning whether that in fact

DR. COHN: No, I think we heard about the concern, I’m talking about trend —

MS. GREENBERG: I think you heard it was actually happening.

MR. ROTHSTEIN: Okay, NCVHS heard of a growing concern about creating a
secondary —

DR. TANG: Okay, one of the examples was the reinsurance, request, require of
the primary insurer to send information, which actually the testifier felt very
uncomfortable with and almost somewhat pleaded with us to address this issue
because that person was not going to find any place to buy secondary insurance
unless they gave up all information about their clients. It’s a compelled
consent kind of a thing.

DR. DEERING: I think part of, if I can also hark back to some other concerns
was that in fact, and we touch on this in the privacy section that follows,
that where we say that some business models of some PHR systems may be
predicated on the secondary use of data. That’s in the privacy section and I
think the reason we used market language here is that both this administration
and many testifiers do talk about the PHR market, we want the marketplace to
drive this, we want this to be consumer driven, it was a lot of market language,
market oriented language when people talk about PHRs. And so we wanted to sort
of pick up on that language and reflect what we had heard and observed in the
context of that heavy market orientation and be really responsive to those
people in this particular section since this is on value and we’re talking
about the market. So we wanted whatever this paragraph says or these sentences
say to be very specific to people who think market and we want the consumer
market to drive this.

MR. ROTHSTEIN: So where are we?

DR. DEERING: I agree with Simon that we didn’t really hear an emerging trend
of creating the market, that was added in one of the final revisions by someone
who was just trying to be helpful, I think we originally started almost at that
sentence about the potential of it to, of personal health information acquiring
a value in the marketplace.

DR. COHN: Let me make a comment about how this paragraph has evolved and I’m
actually wondering, as I’m looking at this real hard I’m actually finding
myself having a number of questions about the whole paragraph. And number one
is I want to remind everyone that, once again and there may have been things
that I just didn’t hear or passed over me, my short and long term memories
don’t seem to work quite as well as they used to. But what I thought I was
hearing was a lot of concern about new offerings potentially doing these sorts
of things and it turned out that the new offering that everybody was being
concerned about, at least as I reviewed their privacy policies on the web, I
can’t cite this as an example concern here. So the question is is this would
obviously have to be along the lines of not confirming a trend but just more
concern something like this might happen. Now the other piece is that this
paragraph was originally around more general marketplace issues, not around
privacy issues, this was more like somebody going bankrupt and therefore the
data, I mean some sort of a marketplace failure and it has sort of now —

DR. TANG: But those examples do exist —

DR. COHN: Oh, do they? Okay.

DR. TANG: Yes, an example of EHRs and PHR companies going bankrupt and the
assets being sold, given away to the purchaser or to employees who for further
interests, that’s known as an example. The fact that some groups, it could be
an employer that sponsors PHRs, use the information for other purposes other
than for you to make sure that you’re getting your hemoglobin A1C, and that
goes back to the choice thing, and then the whole reinsurance, the purchase of
your lab test results from the lab vendor instead of from the patient, going
directly to Quest and basically getting all of your lab test results. Those are
things we heard about.

DR. COHN: Yeah, but that’s not a privacy or marketplace issue.

DR. TANG: The first one, the bankruptcy is marketplace, the marketplace
issue is there was a transaction, a financial transaction, from people
acquiring data from the source, that’s market driven, there was obviously a
financial reason for doing that. And those are, maybe the trend was, we heard
of this more and more with every panel and the trend was our awareness trend —

MR. ROTHSTEIN: Paul, let me ask members of the subcommittee to take a look
at the very last line on the page that begins, because this issue is addressed
again, it begins several PHR vendors testified that their companies have no
access to any patient data —

DR. COHN: Where is this now?

MR. ROTHSTEIN: The very last line on the page, last sentence, several PHR
vendors testified their company has no access, however the committee is
concerned that some business models involving third party data warehouses could
be predicated on the secondary use, including sale of the consumer’s data,
blah, blah. So it is restated on the conference call, there was a thought that
it needed to be also mentioned in the marketing, commercial area. One option is
to just delete the entire paragraph that begins of note and let the other
statement that I just alluded to be the total discussion.

DR. TANG: In some sense that’s what I think Mary Jo did because she referred
to, said this is going to be discussed later on under privacy, but I assume she
raised it under marketing because there are, because there is a market benefit
for getting access to and using in other than health care, for other than
health care purposes, this information.

DR. DEERING: Well I think it was also for health care purposes but it was
this notion that again market driven third party offerings, one of which we did
not hear about but which was I think alluded to but we didn’t hear direct
testimony on it, I mean specifically says this information is of value to
pharmaceutical companies and others doing population health surveys and we are
going to put the ownership of that data in the patient’s control so they’re the
ones who can be paid, who can agree up front and be paid to consent to the use
of their information. So that was just one more point where it’s proper with
consent supposedly but where it’s this emphasis on the value, the economic
value and the exchange propositions. And again in the context that so many
people see PHRs as being market driven and there’s so much of this rhetoric out
there, well let’s let the market drive them, let’s not do anything that’s going
to affect the market. I think Simon’s concern about bankruptcy as well as
secondary uses, we were trying to not focus exclusively on privacy but allude
to if you just allow the market to determine where these go there could be
unacceptable consequences.

DR. COHN: It just doesn’t exactly say all that, I mean and I’m just not, the
problem I’m having as I read it, I mean I know all the things that you’re
saying and I sort of share the concerns, I’m just not sure, I mean we’re not
doing a very good job of describing that since Paul thought it was primarily
around sort of secondary resale of data and I guess I’m not sure that, I guess
part of the question I have is do we really want to bark into this area or are
we better just taking the paragraph out?

DR. DEERING: Could I suggest one possible approach? And I don’t mind taking
it all out, let’s take out the first two sentences and maybe even modify the
third which implies that all we’re talking here about is secondary uses of
data, and let’s allude to the paragraph above, and the two paragraphs above
that talk about market drivers and perhaps we allude only to NCVHS, we try and
move more directly down into the second half of that last paragraph that says
NCVHS is concerned that an over emphasis on market drivers to determine the
future of and just set aside any of the other specifics and just tack it
directly onto those two paragraphs that emphasize the market.

DR. COHN: Well, that’s not what we were saying either though —

DR. TANG: A big crux of our argument is for informed, truly informed
consent, awareness and consent to let things happen with your data, so one, we
want to push, make a big educational push to help people understand the
personal health benefits of sharing your health information in a responsible
way. One of the things some people including myself and other consumers did not
know is what happens with some of these secondary uses. So just like we’re
trying to promote the health benefits to the individual and populations I think
one of our goals is to help people understand the risks that they may not be
aware of and secondary uses is not even on the radar of anybody.

DR. COHN: But Paul I would agree with you except I think that’s covered in

DR. DEERING: That’s covered in the next paragraph, that’s where we really
get into that in depth in the next paragraph.

DR. COHN: I think we say well here, I guess I’m finding less and less reason
for this first paragraph, we can go back and look at it after we go through
privacy if you want to —

DR. TANG: I think your main criticism isn’t what our concerns are from the
market driven, from the response to the market, the market’s response to this
opportunity were not well described, that’s probably the biggest thing.

DR. COHN: You see the reason I proposed this originally had to do with more
marketplace failures, bankruptcies, these whatevers and all of that stuff, this
doesn’t in any way, as I look at this part now we’ve modified this so much that
it no longer sort of represents that and I don’t know that there’s a value
added of what we’re saying here.

MS. BERNSTEIN: I sort of think there is a value and because this section has
to do with market value, I mean what’s happening, this whole section aside from
this little paragraph has to do with the value to different role players in the
market of data. And I think the market failure that you’re talking about is not
just when a bankruptcy occurs or something like that, that’s actually not
really a market failure, that’s a business failure in which we have a way to
deal with it in the market, the market failure is that consumers don’t own
their data and therefore are not playing in the market. The data is bought and
sold without the consumers being able to negotiate about that. And the failure
is that they don’t get to play and so their interests aren’t taken into

But there is a significant market for businesses and I think it’s important
to sort of talk in this section about the economic value of the information and
then to follow-on by talking in the privacy section about the more consumer
oriented parts of that. But in the value part, I mean to whom is the value, the
value is really to various types of commercial entities and then the question
in the privacy section is how are we going to balance the problem of consumers
not having really a role in that market with privacy rules. At least that’s the
way I see it.

DR. TANG: So in fact in this table key benefits or beneficiaries we have
omitted some other ways of using data and deriving benefit including financial
benefit and so we’re sort of making up for that by this paragraph, we didn’t do
a good job of it, that’s the main —

DR. COHN: And I guess that was really the frustration I was having. John

MR. HOUSTON: I listened to what Maya said, I have to agree that it does act
almost as a good transitional paragraph between the two sections —

[Multiple speakers.]

MR. HOUSTON: I would argue that if you look at the sentence structure maybe
what you want to say is of note, NCVHS emerged an emerging trend of creating a
market for secondary uses of health data, period, or there is a market for
health data, and then use that sort of as the transition of saying that we
suspect that’s going to occur with PHRs, we hadn’t really heard the testimony
but that does raise issues of privacy which we are going to explore below.

DR. TANG: So maybe the second sentence after you said there’s maybe some
other value to this health data is that that may create tension between the
health care uses of that data and other ways of deriving financial, I’m not
saying that correctly —

MR. HOUSTON: I think if we simply use it a segue into privacy I think
that’s, I’d argue that’s sort of —

MR. ROTHSTEIN: Okay, keep in mind this is a section that does not have its
own recommendations and it is just a mention of our concerns, there are
recommendations of course that flow in the privacy section. And not to shortcut
this discussion but it’s going to be discussed again at the full committee
meeting in September and we also have this other matter of the NHIN on our
agenda for this afternoon.

DR. COHN: Okay, well I guess what I’d say is, I mean Maya, and Mary Jo, if
you want to just try reworking this somehow we can talk about it at the NHII
conference call, I think we’re all sort of saying as it is it’s not right, it
either needs to be deleted or simply approved. John Paul, I sort of liked where
you were going in many ways and maybe being a little softer but providing it as
an introduction to the privacy issue.

MR. HOUSTON: Again, I think we have evidence of the secondary uses of PHI,
not necessarily in PHR systems, so we can say that’s the case and I think it’s
reasonable to argue that this does raise privacy concerns as well as concerns
over people’s willingness to engage, be involved in PHRs, and that we will
discuss it more fully below. And just leave it at that because I don’t think, I
think the rest of it, we talk about it in privacy.

MR. ROTHSTEIN: Harry, I’m sorry?

MR. REYNOLDS: Something like testimony illuminated that marketing and resale
of data are continuing problems in the U.S. PHRs contain health information
that will be profitable when used in secondary ways. The privacy section below
begins to recommend a structure for protection against such practices.

DR. DEERING: The only thing I want to say back to Simon is that now we have
gotten, if that’s the direction we go we have gotten 100 percent away from his
original concern which was not to limit it only to privacy and not to use it
exclusively to set up privacy concerns and to try and say if you’re going to
view this as a market effort then you need to be mindful of things in addition
to privacy where government oversight might be needed as with any other market.
And so we’ve now totally lost that —

MR. REYNOLDS: That’s the reason I wrote that last sentence like I did is it
doesn’t lose it, my last sentence says the privacy section, I talk about
marketing and resale as big issues and the PHR has health information which is
still under marketing and resale in my sentence, and then it says the privacy
section below begins to recommend structure for protections against such
practices. It doesn’t say privacy, protection against the marketing and resale
which is the section you were in, that’s why I tried to write it that way.

DR. DEERING: I’ll take it.

MR. REYNOLDS: I’m not trying to use my words, because then it does still
leave it, it’s marketing and resale are the issues up here but we use privacy,
the recommendations in privacy relate to how to fix that and so that’s why I
tried to write the last sentence like I did.

MS. BERNSTEIN: I wrote another couple. They’re similar to these but I sort
of tried to tweak this, NCVHS observed an emerging concern about the potential
market for individually identifiable health information. As with other economic
sectors personal health information is a commodity acquiring value in the
marketplace, and then it goes on, or we can pull together what Harry was just
talking about.

[Multiple speakers.]

MR. ROTHSTEIN: We’ve talked about virtually every word in this paragraph
except the part that I’m concerned about and that is the last sentence, the
otherwise sentence, the way it reads now our only concern is that it’s going to
undermine the NHIN and I think we need to express concern about the breach of
confidentiality. So I would propose changing the last sentence to read as
follows, otherwise besides breaching confidentiality the likely loss of
confidence in PHRs and PHR systems could affect consumers’ trust, blah, blah,
blah, I mean you can smooth out the language but I need, I would like to see us
emphasize that we’re concerned about two things, if that happens there’s going
to be a breach and second people are going to lose trust.

MS. DOZIER-PEEPLES: The impact on the individuals and the impact on —

MR. HOUSTON: One point though is that on line 24 we don’t limit consumer
trust just in PHRs, we’re really talking primarily about the consumer trust,
the resulting consumer trust or lack thereof in electronic health records in
NHIN, so we’re really starting, we’re framing the issue and saying we have
concerns about, if this happens with PHRs the impact will be on EHRs and NHIN

MR. ROTHSTEIN: Well I understand, but that’s one concern, and the other
concern is we would be upset if confidentiality were breached in any way,
that’s all I want to say.

MR. HOUSTON: I think it’s implied but I understand your point —

MS. BERNSTEIN: I have to say I was moved by the testimony today in which
they were talking about the import of a breach of confidentiality is not the
breach itself but the harm that comes from the breach, which this doesn’t say
yet, that one of the harms is to the system itself —

MR. HOUSTON: Consumer trust —

MS. BERNSTEIN: Right, to the system, but to the consumer, him or herself, I
mean the breach itself is not the harm, the breach is, I mean the harm to the
consumer is potential discrimination, loss of reputation, those kinds of things
that result from the breach itself. Because if somebody finds out that I’m in
Lipitor or whatever, who cares unless they can harm me with it.

MR. HOUSTON: No, but I think the point being though is that in the aggregate
what you end up with is a lack of trust by consumers in EHRs and in NHIN which
is —

MR. ROTHSTEIN: That is one thing but I also think that we need to express
concern about the fact that this would, that would be a breach of
confidentiality and one of the consequences of that is to undermine the trust
in the whole system. I don’t doubt that but I just want to add a little thing
at the start. Mary Jo?

DR. DEERING: Here’s a way to also capture what Maya was saying and it could
still be somewhat further tweaked, otherwise besides breaching confidentiality
and potentially harming the consumer him or herself such a breach of confidence
could —

MS. BERNSTEIN: Affect trust in the whole system.

MR. ROTHSTEIN: I’m fine, good, I’m happy, everybody happy? Okay, so we’ve
got six votes for that.

MS. GREENBERG: I hate to jump in here but we have said that, I mean I guess
the problem is what is this tacked on to because it’s one thing to say that
personal health information has a value in the marketplace, now we jump to the
assumption that we have breached confidentiality. Now it may be that the rules
for this particular personal health, or these personal health records allow for
this and that’s the problem, so you haven’t actually breached confidentiality,
confidentiality is only breached when you do something —

MR. ROTHSTEIN: If this were an unauthorized disclosure —

MS. GREENBERG: Unauthorized would breach confidentiality —

MS. BERNSTEIN: Actually what we’re concerned about is an authorized
disclosure, an unanticipated by the consumer but perfectly legal secondary use
of the information, that’s what this letter is about.

MS. GREENBERG: But then it’s not a breach of confidentiality.

MS. BERNSTEIN: Right, but what’s still a problem —

MR. HOUSTON: It’s akin to the compelled disclosure issue where if you want
to participate in a PHR you’re almost forced to accept the secondary uses which
you as a consumer may not like but because you recognize the value of the PHR,
or you don’t recognize the fact that these other secondary uses are going to
occur —

MS. BERNSTEIN: But you may not even know about it.

MR. HOUSTON: That’s what I’m saying, that’s what I just said, they may not
even understand that, that you’ve agreed to it, and all of a sudden you find
you’re getting —

MS. GREENBERG: I understand all that but that isn’t the breach of

MR. HOUSTON: That’s not a breach, you’re saying it’s not a breach and I
agree, you are correct, what it is is some type of —

MS. BERNSTEIN: But I think Mark’s concern is still the same, that is the
consumer is harmed by a disclosure that they didn’t anticipate or understand
was going to happen to them and that will undermine the trust in the system.


MS. BERNSTEIN: But I think Marjorie is right, we can’t call it a breach
because it implies that it’s somehow not legit —

MR. ROTHSTEIN: Okay, Mary Jo?

DR. COHN: We’re quickly losing this paragraph I’ve got to say.

MS. GREENBERG: I’m really thinking this paragraph needs to go —

DR. COHN: If it’s taken us 45 minutes and it’s still —

MS. GREENBERG: — because you really deal with these issues under privacy,
so I haven’t caught the value of keeping this paragraph —

MR. ROTHSTEIN: Because the concern is a privacy concern, right, it is a
privacy concern —

MS. GREENBERG: It is a privacy concern and I think it’s addressed here, it’s
a legitimate concern. But I think when you have this much trouble with a
paragraph it needs to go.

MS. BERNSTEIN: This is not an easy problem, if you want to solve it easily
it’s not going to happen, that’s what I was trying to say in my email the other

DR. DEERING: Why don’t we move on to the privacy section and see how far we
get to addressing some of these concerns —

MS. GREENBERG: Maybe I’m being a little flip because what is the benefit of
having this paragraph when you already have the stuff that comes below it?

MR. HOUSTON: I will tell you what’s the benefit, because there was at least
bringing up the fact that secondary use, there is a secondary use value to some
groups, organizations, of this data. This paragraph discussed value and all we
were trying to say whether we agree with the value proposition or not the
secondary use created value for somebody —

MS. GREENBERG: And that’s not said anywhere else?

MR. HOUSTON: I don’t believe that it is, that’s why that paragraph made its
way in there.

DR. COHN: I mean I think A, I’m not sure that the confidentiality last
sentence needs to be there, we can try it with all of this stuff up to that
because we obviously got ourselves into a complete knot in these conversations
about is it confidentiality, is it whatever.

MR. ROTHSTEIN: Mary Jo, are you confident that you might be able to save the
last sentence?

DR. DEERING: Not necessarily but I’m willing to try.

MS. GREENBERG: How about just one sentence that says something like —

MS. BERNSTEIN: I’ll work on it.

DR. TANG: I’ll work with Maya.

MR. ROTHSTEIN: Okay, sounds great. All right, let’s move on to the first
paragraph under privacy. Anyone have any issues with that?

MS. DOZIER-PEEPLES: Taking into consideration Nicholas Terry’s testimony and
his definition of privacy versus confidentiality and control on the front end
or the back end I’m wondering if we might want to add confidentiality to the
privacy and kind of make a distinguishing comment about that in this section
because I don’t see it right up front.

MR. HOUSTON: I don’t like his definition —

MS. BERNSTEIN: I don’t either and the privacy people won’t agree with it

MR. ROTHSTEIN: But not withstanding his definition I think you make a good
point about calling this section privacy and confidentiality —

DR. TANG: And we’d have to be consistent.

MR. ROTHSTEIN: I understand, the first sentence says that privacy issues, so
we’d have to say the issues of privacy and confidentiality.

DR. TANG: No I mean we’d actually have to separate privacy and
confidentiality and then use it appropriately, that’s the only danger.

MR. HOUSTON: See I think privacy is something, a moniker that we’ve, with
HIPAA and everything else I think people have gotten used to that as being the
heading for —

DR. COHN: So we may be okay —

MR. HOUSTON: I think we are, I think —

MS. BERNSTEIN: I think confidentiality is one facet of privacy which has a
wider range of things than he was defining.

MR. ROTHSTEIN: Okay, but it’s a comment that certainly resonates with me and
that I want to deal with in our NHIN letter.

MR. HOUSTON: I agree with that.

MS. GREENBERG: I don’t know about his distinction exactly but it is a
legitimate —

MR. ROTHSTEIN: Absolutely.

MS. DOZIER-PEEPLES: Then at the very least I would suggest the first
sentence be modified as to state that the privacy issues are complex, not that
privacy issue is not one issue.

MR. ROTHSTEIN: I think that’s fine. Okay, any other concerns or comments on
the first part?

DR. COHN: Actually I like the first paragraph —

MR. ROTHSTEIN: Okay, good —

DR. COHN: I was just going to comment to Mary Jo that we’ve gone through a
lot about control and ownership and whatever and I think that their place here
is pretty good.

MR. ROTHSTEIN: Second paragraph, it’s a long one —

MS. DOZIER-PEEPLES: I’m sorry, I had one question about the last sentence
and I wasn’t part of the drafting so I don’t know, why are we listing in the
last sentence on line 41 the difference between consumers and patients? Because
of insurance? I didn’t get the —

DR. COHN: That goes throughout the document.

MS. BERNSTEIN: The distinction for me as a consumer is someone who’s healthy
and who’s out there looking to consider options, a patient is someone who is
needing treatment —

MR. ROTHSTEIN: Not only that, there’s a distinction that we made I believe
in the NHIN draft is that there are many individuals who have relationships
with health care providers that’s not a patient/physician, so you’re dealing
with your pharmacist.

MR. REYNOLDS: One other comment, I think consumer is going to be key going
forward in general is I disagree a little bit with the testimony earlier, more
and more people are buying their own insurance, that’s the fastest growing
segment of the population with groups getting out of it so consumers are going
to be buying more things and so I think I buy it as a consumer then I use it as
a patient. I think that’s a key distinction —

MS. GREENBERG: Lawyers shouldn’t try to be economists right.

MR. ROTHSTEIN: Okay, are we okay with the first paragraph? Sold. Second

MR. HOUSTON: Can I make a suggestion on the second paragraph?


MR. HOUSTON: Paul, I defer to your learned judgment. I believe that we
should split this into two paragraphs and I would say the point where we split
is on page eight, line eight, at also, I think there’s a point, there’s a
natural break there where we start to, where we start to talk about providers
that are not covered entities, so I think there is a break point there.

MR. ROTHSTEIN: Without objection? So disaggregated.

DR. TANG: May I comment on Part A? The old first top half of it, and this is
just more a little bit flow so before the while there may be benefit to
secondary uses, stick line seven, consumers using PHR systems may have low
control over secondary uses, while there are many legitimate beneficial
secondary uses such as with marketing surveillance, etc., the consumer/patient
should have the right to make an informed choice when signing up for one of
these PHRs.

MS. DOZIER-PEEPLES: What does that mean? Does that mean, I mean what does
that mean? Does it make a chance to opt out of these legitimate uses? I mean
what are you saying?

DR. TANG: Right now at this point we’re just saying they need to
understand what’s happening to their data, we have introduced the concept
and also be able to make an informed choice.

MS. DOZIER-PEEPLES: Well what is the choice? To be in or be out? Not to
include or exclude data?

DR. TANG: No, at this point to be in or out.

DR. DEERING: So it would read, starting from the top the sentence would be
however it’s concerned, predicated on the secondary use of the sale of
customer’s data, period, consumers using PHR systems may have little control
over secondary uses, while there may be —

DR. TANG: While there are many legitimate, I mean because we’re listing a
lot of the legitimate uses.

DR. DEERING: We’re moving it from line seven, the phrase that says, we
delete the words in addition, capital C and it just gets teed up in there.

DR. COHN: Could I ask a question here about a sentence which I should
understand —

MR. ROTHSTEIN: Excuse me, Simon, are we satisfied with that?

MS. GREENBERG: I’d rather it said while there may be, I mean the thing is
with electronic health records there definitely are but I don’t think, it
concerns me that the committee is suggesting that secondary uses of personal
health records, I’d just keep it maybe.

DR. COHN: Can I ask a question? It’s a sentence here and maybe some of you
guys can explain to me exactly what it means, page seven line 46 it says
several PHR vendors testified their companies have no access to any patient
data. And I’m trying to think what does that —

MR. HOUSTON: Maybe what we really need to say is that they do not have, they
do not make use of —

DR. COHN: Make secondary uses —

DR. TANG: To be a little bit more clear, first of all it’s not several that
made this claim, most people will say they do not sell their data and it does
not preclude using the data for their own purposes or the purposes of their
affiliate and it does not preclude essentially bartering, in other words with
another entity, instead of exchanging money, i.e., selling, they exchange data,
because that stuff —

MR. ROTHSTEIN: Are you saying that’s common?

DR. TANG: That was the crux of the dot.com era. If you’re surprised you will
hear people say we do not sell your data, if you read your privacy notices from
all these banks they do not sell their data, they have lots of subsidiaries
that have access to the data and they do have third parties, a marketing that
will market their other appliances let’s say and they can exchange data which
includes capital financing groups on life insurance.


DR. TANG: The statement has only been that they do not sell.

MR. HOUSTON: I think it’s fair to say in this sentence that several PHR
vendors testified that their companies do not sell patient data and actually —

MS. GREENBERG: They didn’t testify that they didn’t have access.

MR. HOUSTON: Right —

DR. DEERING: No, I think there was at least one that testified literally it
was more like an RLS, like a Record Locator System, that they literally did not
maintain, we have the opening sentence here on line 44 and actually the word is
on line 45, that warehouse and provide pose unique privacy issues, so this was
stuck in to say there were some who said that we don’t actually access that
data at all, we’re just handlers and welters and matchers of —

MR. HOUSTON: Could I suggest that we, Mary Jo, if you could remember who
that was maybe we can go look at the transcribed testimony to see if we can see
that what was said.

MR. ROTHSTEIN: Well, I’m less concerned about what the one person said that
we don’t do it than what Paul said about what other people might be doing and I
haven’t seen that in here at all and that statement is giving me heartburn —

[Multiple speakers.]

DR. COHN: Paul is reflecting on his vast experience being a dot.commer.

MR. HOUSTON: The very next sentence though says the committee is concerned
that some business models may involve third party data warehouses that could be
predicated on secondary uses including sale of consumer data. That goes
straight to what Paul was talking about, all of these different secondary uses,
so we do get to that issue right away.

MR. ROTHSTEIN: The word secondary uses sort of flew by me without the sort
of color that Paul added to it and I would think the document would be much
more strengthened and our recommendations much more likely to be followed if we
spelled out some of the things that he said.

MR. HOUSTON: Then we should put in the next sentence —

MS. GREENBERG: I don’t think Paul was saying he heard that anyone did that
but this was a practice that goes on —

DR. TANG: No, that was common practice in the dot.com era and one of the
examples and I won’t place the name is that a holder of EHR and PHR
information, i.e., patient visits the doc, did have a marketing relationship
with an ISP and in the contract the ISP got to have access to personal data
unbeknownst to either the doc or the patient, and yet that person did not sell
the data.


MR. HOUSTON: Can I recommend to rectify this pretty easily I think is on
line two, the next page, where it says including sale, in parens, that we
expand that and I would maybe call to Paul to put the words in to describe what
he —

DR. TANG: People were concerned about is secondary uses of the data where
the consumer, and it doesn’t just mean sale —

MR. ROTHSTEIN: Could you see in this paragraph —

MR. HOUSTON: Look at line two on page eight.

MR. ROTHSTEIN: Including sale but we include sale, barter, some sort of
affiliation —

MR. HOUSTON: To keep us moving I’m just saying that Paul, if you could
describe those and give them to Mary Jo in terms of some list.

MS. GREENBERG: Do you want that sentence about several testified they had no

DR. TANG: I don’t think that’s precisely true, in other words it’s not
numerous, there may be one —

DR. DEERING: Well, I think then it, let’s go back here, I think that we do a
disservice to have a purely alarmist tone here is all I want to say and I think
that we need to be careful not to say that based on what we hear we’re scared
silly, this is a whole mess out there, these people are egregiously at fault,
there are huge, there are practices, there are de facto practices going on that
we are so scared we’re standing up here and we’re waving the red flags, that’s
not, I don’t think that that’s an honest contribution either.

DR. COHN: Thank you, because I mean we’re really not, you should be
appropriately alarmist, maybe we say while several PHR vendors testified their
companies have no access to any patient data the committee is concerned that
some business models —

MR. ROTHSTEIN: How about if we say at the bottom of seven several PHR
vendors testified that they do not sell any patient data and at least one
testified that their company had no access.

DR. TANG: But are we worried about the number or are we worried just about
making sure that people understand how their data is being used, or on the flip
side, recommendation side, that people disclose what they do with it —

DR. COHN: Well, before we move on into all of that in the next couple —

MR. ROTHSTEIN: I was just trying to support Mary Jo’s point that we need to
sort of set what the industry norm is and the industry norm is not that,
necessarily as far as we know, that everything is loosey goosey and that there
are several models in which the information is respected, but we are
nevertheless concerned that —

DR. DEERING: And I think actually to be more accurate about what we heard
over and over again, and again it’s all on the fine print of their privacy
policies, but I think what we did hear from most vendors of the stand alone
PHRs is that their users have total control, their users, they implied it’s an
opt in to all uses of their data —

MS. GREENBERG: They don’t make unauthorized uses.

DR. DEERING: They don’t make unauthorized uses, now again, that may pose us
greater challenges but I think that that’s what most of them said as opposed to
sale specifically or anything like that —

MR. HOUSTON: — authorization it’s no longer an authorized use, so they
could still be using it for a variety of —

DR. TANG: Correct, so again, they’re correct, nothing they do is not
voluntarily done by the patient and what you did is you agreed to all the
things with the I agree that we don’t read, just like all the statements you
get from a financial, and I thought one of our purposes again is the awareness
thing, that’s the education piece, and the balance.

MR. ROTHSTEIN: Okay, so can you tweak that sentence that begins several PHR
vendors to make the points that we’re talking about because I think sort of on
the good side of the practices because we’re beefing up now all the bad things
that can happen, the bartering, the trading and so forth.

Okay, anybody have any comments on the second half of that paragraph that we
split beginning with the word also?

DR. TANG: The only comment I have is in some cases when we refer to address
to these services, we really mean, line ten, sorry, address these services,
just make sure we’re careful to reference these, in this case it’s a third
party services, so the HIPAA covered entities do have laws and regulations,
it’s the third party that —

MS. BERNSTEIN: It’s PHR services as a whole are not covered, some of them
might be covered entities but that address that service in particular.

DR. TANG: So you’re saying a covered entity that offers a PHR is not
covered? I mean is not —

MS. BERNSTEIN: It might be or might not be.

MR. HOUSTON: What we discussed was you can carve out the covered entity
function and make the PHR part of a separate entity which is not considered to
cover, so you can do the hybrid entity stuff and end up carving it out I guess
is my point.

MR. ROTHSTEIN: How about if we change that sentence to NCVHS is not aware of
any privacy laws or regulations that specifically address PHR services? Isn’t
that what we’re trying to say? There are no PHR specific privacy laws?

DR. COHN: That’s good.

MS. GREENBERG: I don’t know if you’re removing anything there or that was an
addition but PHR is different than personally, what is it, personal health
information, it’s different because it’s something specific. And I think saying
privacy measures similar to those in HIPAA is kind of misleading because HIPAA
allows for a lot of disclosures without authorization because of societal
needs, etc., treatment and public health and all that, but the personal health
record is different, I don’t think, I mean that’s something that could be owned
or controlled completely by the patient, I don’t see public health pulling data
out of the personal health record necessarily or —

DR. TANG: If the PHR is a view of an EHR then you have more of a problem.

MR. ROTHSTEIN: Marjorie were you on any specific line?

MS. GREENBERG: Yes, where it says NCVHS believes that privacy measures
similar, excuse me, 16, similar to those in HIPAA should apply to all PHR
systems. I think it’s a different animal and I’m not sure that HIPAA is the
right model there.

DR. COHN: Well, I think we all need to talk about it because this gets into
the recommendations too.

MS. GREENBERG: But you think it is?

MR. ROTHSTEIN: We could just say NCVHS believes that privacy measures should
apply to all PHR systems.

MS. GREENBERG: I agree with that but I just think bringing HIPAA in is
really a different animal.

MR. ROTHSTEIN: Is that okay?

MS. DOZIER-PEEPLES: Wasn’t the point that they’re not covered entities? PHRs
are not covered entities and therefore it doesn’t apply and therefore there are
no laws, that’s the point.

MR. HOUSTON: But I think Marjorie’s point also, if I could speak for you for
a second, is that there are a lot of things that HIPAA provides because of the
fact, because of the EHR or the patient data that’s part of a covered entity,
but as a patient providing data him or herself to a PHR a lot of those
permitted uses that don’t require an authorization frankly may not apply. So if
we apply the HIPAA rule it might provide data use that was really not, that a
patient would not intend.

MR. ROTHSTEIN: So are we in agreement, line 16, NCVHS believes that privacy
measures should apply to all PHR systems whether or not they are covered

DR. DEERING: Strike similar to those in HIPAA.

MR. ROTHSTEIN: Correct. Okay, anything else in that paragraph?

DR. HARDING: Isn’t one of the recommendations that anything that touches PHI
should be covered?

MR. ROTHSTEIN: Well, we are coming down to that.

DR. HARDING: It’s kind of the same —

DR. TANG: In some sense we do have two big concepts, one is non-covered
entities, third parties who operate stand alones, and the other is what Richard
is talking about and I think we sort of mushed them a little together and maybe
this paragraph should be more reserved for the notion that there are, that when
you have a PHR that’s maintained by third party that’s the concept in this

MR. ROTHSTEIN: I understand what you’re saying, I think there are three
parties that you’re concerned about, there are three parties you’re concerned
about there, HIPAA covered entities that have PHRs, there are non-covered
entities that have PHRs, and then there are secondary users who may get access
to the PHR information from either source that are not covered entities because
they’re marketers or other vendors, so there are these three categories.

MS. BERNSTEIN: In the third category there are sort of two sub-categories,
if they have a relationship with a HIPAA covered entity they might be a
business associate and if they have a relationship with a non-covered entity
they’re just out there floating around, they’re also non-covered entities and
nothing applies to them.

DR. TANG: I like what Mark said and I wonder if that’s what we do with this
whole top half of page eight, reconfigure it, and I’m also willing to work on
it, to distinguish those three and then what are the privacy implications of
those and then go into recommendations.

MS. BERNSTEIN: When you use the term third party I didn’t know which of any
of those you were referring to so I just want to be more precise in our
terminology so that we all are on the same page, that’s all.

DR. TANG: There’s two kinds of people who store, maintain, and all have
access to PHI, people who are strictly covered entities and people who are not.
There also is another group that can make use of information and as Mark said
glean from one of these two other sources and we need to sort of address all
three of those parts. Does that make sense?

MS. BERNSTEIN: Yeah, I just —

MR. ROTHSTEIN: And what do you think needs to be done to that paragraph to
make that, and everyone thinks it’s not clear now? That we want to —

DR. TANG: I think we have to go and actually divide them into those three
groups you said and that actually may help some of the rest of our —

MR. ROTHSTEIN: Mary Jo are you —

DR. DEERING: I’m happy for Paul to try and take a first stab at it like he
promised, to divide the world into three, with the privacy implications, if you
can type out a few sentences, I mean I can certainly, I don’t mind giving it a
try. And for no particular reason except just as a matter of process I want to
be sure that, if my literary history is correct and the phrase a Manichean view
of the world which is black and white, you’ve got covered entity or not covered
entity and I was absolutely sure that that is the starting block for a useful
discussion here even by the time we’ve added the third. So those three,
starting from, first of all you’ve got HIPAA/non-HIPAA, and then moving on from
there doesn’t inadvertently get you down a path that’s less helpful.

DR. TANG: It’s not HIPAA/non-HIPAA, it’s covered entity/non-covered entity,
so if this associate is a non-covered entity, so that’s how I made that black
and white because that’s one of the biggest —

MR. ROTHSTEIN: Yeah but in theory HIPAA still applies to the business

DR. TANG: But it’s just so —

DR. COHN: But I don’t think we want to get into that level —

MS. BERNSTEIN: I wasn’t trying to say that we should make those distinctions
clear in this letter, I just wanted to make those distinctions clear in our
policy discussions so I understood what you guys were trying to get at as we
try to craft the language. I’m not sure that we should necessarily divide the
world out that way, it presumes HIPAA is the be all end all and we’re always
going to have to live with it, I mean this committee, the subcommittee is free
to propose any scheme that it thinks is worthwhile in the world including
things that are not currently inconsistent with HIPAA if it thinks that HIPAA
is not the right way to go. You’re free to do that, you’re not confined in your
developing policy by what exists in the rule, it’s a first shot by the
department as to what the rule is and we’ve only had two years of experience
with it and probably there are problems, we didn’t get it perfect and we’ll
have to change, and I think the expertise of this subcommittee can be applied
to that and you should feel free to say how the world should be and not confine
yourselves to how the world happens to be at the moment.

DR. TANG: That’s an interesting thought and one of the things we could do is
take it, Greeley, the circle of care business, the whole provider, I’m doing
this for your care and all others —

DR. COHN: Let’s not get too exotic here, I mean we’re a little late in the
process here to start making —

DR. DEERING: The only other thing that I was thinking that we could, I
appreciate very much Maya’s statement and I’m wondering if you could have
almost a short stand alone paragraph that perhaps says the limitations of HIPAA
here and the fact that HIPAA may not in fact be the appropriate framework
within which these decisions need to be made, without necessarily saying that
it is or is not, but to just observe that we are —

MS. GREENBERG: Kind of apples and oranges, and it really isn’t true to say
that if these groups have contractual ties with a HIPAA covered entity, it’s
untrue to say NCVHS is not aware of any privacy laws or regulations that
address this —

MR. ROTHSTEIN: We changed that to NCVHS is not aware of any privacy laws or
regulations that specifically address PHR services.

MS. GREENBERG: Oh, okay, fine, but I’m sort of with Mary Jo, that I’m not
sure HIPAA is the right, HIPAA privacy is the right model.

MR. REYNOLDS: HIPAA started based on some administrative transactions that
were a clear structured set of transactions mainly between providers, payers,
and others. NHIN, PHR, EMR, any of this stuff doesn’t start in the same place,
doesn’t really deal with —

MS. DOZIER-PEEPLES: This can still apply to a lot of that.

MR. REYNOLDS: It can but not, a covered entity as we’ve seen in
e-prescribing and everybody has seen, covered entity blows up immediately,
instantly, in any discussion that you have whether it’s a PHR or whether it’s
e-prescribing or it goes through six switches and none of them are mentioned
anywhere, so I think that’s a key issue.

MR. ROTHSTEIN: Harry, how about if we add between the break that John
suggested before the also new paragraph, maybe we can add a sentence or two
that says basically HIPAA was not designed to address issues such as PHR
although in the absence of any other legislation its provisions would apply to
covered entity, HIPAA covered entities engaged in PHR services. And then we can
discuss as to those, blah, blah, blah —

MR. HOUSTON: My concern is that the covered entity could again create itself
as a hybrid and carve out those functions.

MS. BERNSTEIN: But that piece wouldn’t be a covered entity unless they do
that. Presumably every business would do that —

DR. COHN: I think if you’re talking about covered entity, a covered entity
by definition is covered, that’s why it says covered, and so you can be a
hybrid and if there’s a part that is not a covered entity, so if you’re a HIPAA
covered entity by definition you’re covered.

MS. BERNSTEIN: If we just said that, the beginning part that Mark said, that
HIPAA was not designed to address issues such as a PHR and therefore —

MR. ROTHSTEIN: It may not be the proper regulatory framework.

MS. BERNSTEIN: Right, some privacy scheme should be, we should consider some
other, some privacy scheme to cover them, whether it’s different than HIPAA or
the same, but it’s sort of like we punted over here earlier where it sort of
says that privacy rules should apply, we just sort of —

MR. ROTHSTEIN: We could finesse the issue without sort of bad mouthing HIPAA
by saying that HIPAA was not designed to cover PHRs and therefore a more
comprehensive system needs to be developed to regulate PHRs.

MS. BERNSTEIN: I would just say then more comprehensive another scheme,
whether it’s more comprehensive or less comprehensive or —

MR. ROTHSTEIN: Because we haven’t made out the case that not everybody is
covered by HIPAA.

MS. DOZIER-PEEPLES: I’m not sure we can actually say that it wasn’t designed
to address PHR when we had the unimplemented portions of HIPAA concerning
individual patient identifiers and that whole concept in the original statute
that was designed to allow this electronic transmission of health information
with the individual patient identifier which hasn’t been implemented so I’m not
sure we can actually say that wasn’t contemplated.

MS. BERNSTEIN: But for EHRs, not for PHRs.

MS. GREENBERG: Well, is it the case though that if a covered entity is also
operating a PHR, the PHR by definition has personally identifiable information,
so then I would say HIPAA does apply.

MR. ROTHSTEIN: Yeah, but it still may not be good enough from what we’ve
sort of, Harry was waiting —

MS. GREENBERG: You’re not using that data to collect, conduct transactions,
so you’re saying HIPAA doesn’t apply.

PARTICIPANT: That’s correct.

MR. REYNOLDS: At some point, I guess Simon this is to you as the chair of
the full committee, at some point we keep tripping over this non-covered
entities in lots of places, we did it in Standards and Security, we’re doing it
in Privacy, and now we’re reading an NHII letter that’s doing the same thing.
And I think at some point we need to put something in somewhere that says the
idea of business associates was a good idea however as you get more and more
chains of events and more and more new players in this business as things like
PHRs and other things arise, it doesn’t look like the breadth of that is
appropriate, or everything gets covered up under some segment of this thing and
we keep tripping, I’ll even say it this way, we keep tripping over it and
e-prescribing you remember, we really had a lot of discussions about it because
you got it being passed off and people switching, translating the data and
doing everything else and we really didn’t feel comfortable with what we had a
hold of. So I think at some point maybe, as a group of subcommittees we’re
running into the same issue and I don’t know whether that’s a, it goes in just
this one, it’s not just a privacy matter, I think it’s a matter in everything
we’re doing.

DR. COHN: I think you bring up a good point which is the issue of trying to
cover PHI by entity versus PHI because it’s PHI, different nations have
different approaches. Now that all well said and good I would open it up that
that’s, I would ask the Privacy Subcommittee to consider whether it wants to
get into that in a separate communication to I think begin to get into that,
hold hearings and come to some resolution.

Now I’m obviously concerned that we’re losing bounds here in terms of some
of our conversation in all of this stuff, this is a first letter, I feel sort
of strongly that we don’t start going, brainstorming great solutions, as we
sort of go along that have nothing to do with testimony, nothing to do with
anything that we have sort of vetted in public or otherwise. And obviously at
the same time I would like to be able to come up with a letter in September. So
I’m sort of saying, the house is blue today and we’ll change it to pink

Now I guess from my own view and I guess the problem that I thought we were
talking about here, and maybe I’m wrong about this one and I would I guess ask
people like John Paul and others is that we have covered entities that are
covered by HIPAA, now it may not be perfect but we darn well know what they’re
covered by, and it may not be all that bad, I mean it may be like a half size
off but it isn’t like I’m wearing a flat and a high heel on the other shoe. But
we have other entities that there’s no coverage whatsoever, there’s no law,
there’s no whatever and so we’re sitting here chewing about well is HIPAA
perfect or is it only 89.5 percent perfect or whatever, where what we’ve got is
like sort of a zero on the other side, or maybe it’s the FTC coverage or
whatever. And I think that that was the problem that we were trying to focus on
here as opposed to trying to make everything perfect. So I just want to frame

MR. ROTHSTEIN: Well, let me extend on your remarks, Simon, if I may and that
is as a matter of courtesy the NHII Working Group and the Executive Committee
asked the Subcommittee on Privacy and Confidentiality to take a look at this
draft, which has been through innumerable revisions and iterations, to comment
specifically on whether we have any problems, concerns, suggestions, on the
privacy issues of this letter. So I would suggest that the big picture kinds of
things that we are kind of getting bogged down in are perhaps not appropriate
for our discussion given the fact that this will be taken up again by the full
committee in a few weeks and that we’ve got our own agenda, we just need to be
I think comfortable that the privacy issues are addressed to our acceptance
level. We don’t have to be happy about it, we didn’t draft this as a
subcommittee —

DR. COHN: I’d like you to be happy about it —

MR. HOUSTON: It seems disingenuous that we have this NHIN Working Group
which has a bunch of people on the Privacy Committee drafting a letter that
then the Privacy Committee as you sort of indicated isn’t necessarily happy
with. We have too much overlap here at the end of the day to be somewhat at
odds —

MR. ROTHSTEIN: Well, maybe happy is the wrong word, I mean acceptance on
this, and I think most people around the table are, it’s just that if we, I
don’t think we’re doing a service to the full committee by reinventing the
wheel at this stage and in this form, that’s all I’m saying.

MR. HOUSTON: But in our last NHII conference call, maybe it was our meeting,
I remember I said we needed to give it to this committee because this committee
has to be satisfied with the work product or else, we can’t push this letter
forward unless there is consensus and I think NHII should never talk about
privacy unless, in a vacuum of the Privacy Subcommittee and it can’t do it, I
mean if we’re —

MR. ROTHSTEIN: I agree —

MS. BERNSTEIN: This is a letter of the committee, not the subcommittee, so
the whole committee has to be satisfied, you’re all members of that committee

MS. GREENBERG: It’s better to hash this out here, we don’t want to hash it
out in September. I really do think that this paragraph is salvageable, I think
this paragraph starting with also is salvageable, I think there are a few
points you want to make, that HIPAA, exactly how I’m not sure, but there are
protections for personal identified information in HIPAA but they only apply to
covered entities. There are vendors, PHR, I think PHR vendors are not covered
entities, so those protections don’t apply at all. Those are factual statements
I think because I do think if you are a covered entity some of HIPAA would
apply, I’m not exactly sure if it’s quite the right fit for PHRs but I think
it’s actually wrong to say that it wouldn’t apply at all because I think they
do. And then you can say consumers and these other groups don’t necessarily
provide notice of their policies and procedures, or they’re necessarily
required to provide this information and that the national committee believes
that it’s absolutely vital for PHR system vendors to provide clearly stated
easily understood up front notices to consumers of their privacy policies and
practices and to me that’s what you’re trying to say.

MR. HOUSTON: I think it’s there, the first sentence on there that
differentiated between covered and non-covered entities, I agree.

MR. ROTHSTEIN: I think that’s fine, I just would make some revisions to the
consequently sentence —

MS. GREENBERG: I didn’t mention the consequently.

MR. ROTHSTEIN: Yeah, I don’t like the consequently.

MS. GREENBERG: I don’t either.

MR. ROTHSTEIN: So if we take the consequently sentence out my concerns

MS. GREENBERG: And then everyone basically agrees with what, I mean on that

DR. DEERING: I think I’ve got it so let me give it a try.

MR. REYNOLDS: I think that helps, I think it helps the Standards and
Security Subcommittee because that’s been an issue for us in e-prescribing, so
as a member of the full committee I could also be comfortable because we’re
running into the same problem and I think one other thing, I think your words
are good, HIPAA did not assume that consumers would contract directly in many
cases with people that were non-covered entities, HIPAA did not take that into
consideration and that’s what PHR starts to get into.

MS. GREENBERG: You don’t have to mention that.

MR. REYNOLDS: No, but I’m saying, that’s why this is such an issue for us,
so that’s great, I thank you.

MR. ROTHSTEIN: So anything before we get to the recommendations?

MS. BERNSTEIN: The last sentence is now reading like a recommendation
itself, maybe it’s the specifics are in the recommendations.

MR. ROTHSTEIN: Okay, recommendation three, comments.

[Multiple speakers.]

DR. COHN: I’m going to ask Mark to help us in terms of reviewing that.

DR. DEERING: I will do that whole new bifurcated paragraph and I almost
thought of bifurcating it in three.

MR. ROTHSTEIN: Recommendation three, comments?

DR. HARDING: In the final sentence do we want to tell the public that there
are “25 undesirable secondary uses”? Do we want to include the
desirable and undesirable in a statement to the public or do we want to do
something to get rid of the undesirable?

DR. TANG: How about desirable and unanticipated?

MR. ROTHSTEIN: Desirable and unanticipated.

DR. TANG: Richard’s comment whether we actually want to use the word
undesirable and I saw the same thing and so I was trying to substitute
unanticipated. Does that help?

MR. ROTHSTEIN: So your suggestion would be to make it including the
potential for desirable and unanticipated secondary uses. How about if we just
made it including the potential for unanticipated without desirable and

[Multiple speakers.]

MS. DOZIER-PEEPLES: Not even potential but all secondary uses —

MS. GREENBERG: Some people may think because it’s a personal health record
there are no secondary uses and disclosures.

MR. ROTHSTEIN: Including secondary uses and disclosures, all secondary uses
and disclosures.

MS. GREENBERG: Well, you don’t need the word all, including the potential
for secondary uses and disclosures.

MS. BERNSTEIN: You may end up with internal business, secondary uses, you
don’t want to cover that necessarily —

MR. ROTHSTEIN: So what do you want to make it? Including the potential for
unanticipated? Secondary uses, okay, good. Anything else in three? Four? Okay,
recommendation four.

MS. DOZIER-PEEPLES: I think on four developing resources should say
authoritative resources because when HIPAA came out there were all kinds of
resources and some were better than others —

MR. HOUSTON: But HHS, when we recommended HHS develop resources I think
there’s some —

MS. DOZIER-PEEPLES: A premise that it will be all authoritative, okay.

MR. ROTHSTEIN: Anything else on four? Okay, five.

DR. COHN: I think five looks good.

MR. ROTHSTEIN: Is everyone okay with five? Do we need to say subject
individual? How about the individual? The last line.

MS. BERNSTEIN: 38 and 39? If you say that all secondary uses and disclosures
can’t happen without the consent of the subject individual you’ve got the
examples that are evident from the model we have from HIPAA that there are
lots, it’s sort of a non-starter because there are lots of legitimate uses that
should be made without that consent.


MS. BERNSTEIN: Maybe, maybe, talk to your local law enforcement guys —

MR. ROTHSTEIN: Well why wouldn’t they want the EHR?

MS. BERNSTEIN: They might or might not be able to get it as easily as PHR.

DR. COHN: Maya, what are you suggesting here? Is there something, accept as
expressly permitted by law, is that what you want to say here?

MS. BERNSTEIN: No, because right now everything is permitted by law. This is
the problem —

DR. COHN: As expressly required by law. No?

MS. BERNSTEIN: Nothing applies to this —

DR. COHN: Well Maya, it doesn’t sound like you have a suggestion here. You
have a complaint but not a suggestion.

MS. BERNSTEIN: Well but my complaint is that that if you try to say anything
about this without actually exploring the problem further you’re going to get
into problems no matter what you say. And I just want people to understand that
what you’re recommending is sort of, either you adopt HIPAA or you adopt this
or you adopt required or you adopt permitted but none of them are good choices.
And I want you to understand what it is you’re saying when you adopt any one of
those because it’s very complex, there’s a lot of nuances to it and you’re
trying to sort of —

MR. ROTHSTEIN: Okay, the saving grace of recommendation five is that it only
applies to pilot projects and it’s not a statement of the way the law ought to
be forever and ever. So it could be, I mean we could make and do, have this
broad statement that for the pilot projects if they’re dealing with a vendor
that’s not a covered entity, I mean we take a very strong position that there
should not be any secondary uses without express consent. Is that okay?

MS. BERNSTEIN: If you intend for it to be limited that way —

MR. ROTHSTEIN: I think that’s —

DR. COHN: That puts five here so we can talk about six as a separate item.
Are we okay for pilots?

MR. ROTHSTEIN: And can we take out the word subject, that makes me happy —

MS. DOZIER-PEEPLES: It has issues with like law enforcement issues that Maya
raised, who is the individual and the personal representative of the individual
and what about abandoned DNA on other individuals —


MS. BERNSTEIN: Whoever is the legal, I put the word subject in there so my
point is that if the individual was just a reference that didn’t refer to
anything specifically and I want it to be clear that it’s the record, the
person whose record it is is the one who gets to make the decision and
presumably any legal representative of that person is also included, I just
presumed that. If you have next of, next of kin is the wrong word but your
legal representative whoever that is.

DR. DEERING: I think that’s presumed though when you say the consent of the
individual given all that we’ve talked about in the prior sentences.

MS. GREENBERG: It might be if there were really a regulation —

MR. ROTHSTEIN: It would say an individual or someone legally authorized to
give consent on behalf of the individual or whatever. Number six.

DR. TANG: On line 44 the sentence that begins with, these privacy policies,
just that introductory phrase could be eliminated and start with that in on
line 45, so in those situations where HIPAA does not apply etc. But we may want
to look at this whole HIPAA thing in light of our earlier conversation.

MR. ROTHSTEIN: So Paul suggests striking out the end of line 44 starting
with the word these and capitalizing in on line 45.

DR. TANG: And the other thing is in those situations. And that’s probably
all editorial.

MR. ROTHSTEIN: All right, let me read that, I might have a concern there.

DR. DEERING: So in both recommendations we would substitute the word
situations for instances.

MR. HOUSTON: I don’t think it needs to be in there because this
recommendations talks all about privacy, about the adoption of privacy policies

MR. ROTHSTEIN: Now this raises Maya’s concern, okay.

MS. BERNSTEIN: I already said it, you know what I think.

MR. ROTHSTEIN: Well, I don’t know what you, I’ve saved us in five, now you
save us in six.

MS. BERNSTEIN: My point was I can’t save you on this and that there are
four, and Simon is going to have my head if I say it again but if you’re
talking about any out there private sector vendor currently an unregulated
entity with respect to this product or service that they’re doing, no secondary
use of information without expressed consent is extremely burdensome on that
business, right, expressed consent also is, I don’t know if you mean written,
oral, does there have to be a record, how do they prove legally, you mean
implied consent?

MR. ROTHSTEIN: No, we mean consent, so I would strike the word expressed.

MS. BERNSTEIN: But you don’t know whether you mean implied or explicit yet,
that’s okay because it leaves it open.

DR. COHN: Does that help a little bit?

MS. BERNSTEIN: A little but that solves that little problem but it’s very
burdensome, there are probably lots of times where we could think of where
somebody might want to get access to that record legitimately —

MR. ROTHSTEIN: Without consent?

MS. BERNSTEIN: Without consent.

MR. HOUSTON: We’re talking about a PHR which I think, where there’s a much
greater expectation of privacy with regards to it, I believe that the
expectation of the consumer is, and that’s part of the problem here is that
there is a mis-set expectation that there’s additional privacy associated with
the PHR —

MR. ROTHSTEIN: This is something voluntarily, they don’t have to do it, they
want to do it —

MR. HOUSTON: Exactly, and these are the things we are by the way going to
use your record for, you can say yes or no I agree or maybe check off you do or
don’t agree with them, it ain’t going to get used for it.

MS. BERNSTEIN: I would make the exact opposite presumption, where I have a
record that’s being used for my medical care that has clear physical, mental,
and other kinds of implications for me, that I have more expectation of privacy
in that record than I do in some private sector thing that I can contract with
them and I can theoretically negotiate with them about any rules that I want —

MR. HOUSTON: I disagree —

DR. DEERING: — you can negotiate —

MS. BERNSTEIN: Yes, but in fact what, you can’t negotiate, I mean in fact
the consumer has no standing, nothing to trade theoretically, they can withhold
their business or not —

MR. HOUSTON: They can withhold their use of it, if enough consumers say you
know something, I am offended by their secondary uses, that enough consumers
decide not to use it, then it fails.

MS. BERNSTEIN: I completely agree with that but what you’re also saying is
that there’s no expectation, the expectation is that you will barter or you
will negotiate over it, you will negotiate. So there’s no expectation, the
expectation is whatever you can put in your contract and whatever you can
negotiate you can get.

MR. HOUSTON: I disagree.

MR. ROTHSTEIN: I have a possible saving solution for number six. Number six
if you read it, this is a recommendation to private sector vendors that does
not have the force of law or anything else —

MS. GREENBERG: Well, none of your recommendations do I’m sorry.

MR. ROTHSTEIN: Well, I mean but the Secretary does, yeah, well —

MS. BERNSTEIN: Assuming adopted still doesn’t put the force —

MR. ROTHSTEIN: So this is what we are sort of suggesting to the private
sector, they can take it or leave it, but our view is that to protect privacy
and confidentiality there should not be secondary use without consent.

MS. BERNSTEIN: Could I just briefly, what this used to say, there’s four
sort of choices that we had for what this said at one time or another. One is
that uses should be whatever is permitted by law, that’s a non-starter because
everything is permitted by law at the moment, that’s the problem. Whatever is
required by law, nothing is particularly required by law, it’s almost the same
because they’re just not contemplated by law at the moment. We should do
whatever is in HIPAA, which imposes a very complex scheme on these things which
are currently not covered by that scheme. Or this, which is everything should
be by consent. And those are the four choices that we’ve talked about —

MR. ROTHSTEIN: And you think there should be like a fifth choice —

MS. BERNSTEIN: None of which are very satisfactory, that’s all I’m saying.

MS. GREENBERG: But consent can be two things and I’m not sure what you mean
here, it could mean that you’ve consented to a range of uses and then anything
outside of that would need separate consent, or are you saying that every
single use needs individual consent, because that’s what’s so impractical. I mean
you could say, you could agree to, I’m going to record all my blood sugars in
here and my blood pressures and all of that and all of that kind of information
you can send that to my physician, you’ve agreed to that but you don’t have to
consent on sending each time you send a blood sugar or a blood pressure. But
then if they have some other use that isn’t included in what you’ve agreed to
then you need a separate consent and I don’t see why that’s so burdensome to
these people because they shouldn’t be making other uses anyway without your

MS. BERNSTEIN: But you’re talking about businesses which have as we
discussed before as their model, they’re going into this business because they
think they can make money with the data.

MR. ROTHSTEIN: Well they need to go out of business.

MS. BERNSTEIN: That’s not an acceptable answer to us.

MR. HOUSTON: Well, when I go to look, let’s just say I have diabetes and
let’s just say there are five diabetes websites out there that will give me a
PHR provided by a third party. I can go down and if there are clear plain
language notices of what the secondary uses are going to use my data for and
some maybe have very little secondary uses, some have many, I can read through
them and say you know something this is a nice site but it requires me to allow
them to give data to such and such, or use it for such, I don’t like that. I’m
not going to subscribe to this site, I’m going to go look at this site. And I
look at that site, I finally find a site that has the functionality that I want
and has terms that are acceptable to me. I may find that none of them have
acceptable terms to me or I may find two or three, but the point being is if I
don’t find any with acceptable terms I may say you know something the privacy
of my information is of such importance to me that I don’t believe that I want
to participate in such a site. And that is then my ultimate decision and if
enough people in my position say I don’t want to participate in this site it is
not going to be commercially viable and either they’re going to change their
model of their consents and things like that and their secondary uses, or
they’re going to go out of business.

MR. ROTHSTEIN: Right, they’re going to charge people ten bucks a month to
subscribe to the site instead of making it free and figuring they can sell this
stuff for $120 bucks a year. Harry?

MR. REYNOLDS: One’s a type of question, does vendors, is that broad enough?
Most people read vendors to be the people that created a system, or sold it to
someone —

DR. COHN: Maybe it’s just PHR systems should voluntarily adopt —

MR. REYNOLDS: We have people that create things and we tend to call them
vendors and then we have people that package them and sell them as something
else, we don’t tend to call, I’ll let somebody else figure it, back to the
earlier comment, we are saying that these people should be held to a higher
standard than covered entities, I don’t agree, I think that they should fit
into what covered entities do and covered entities have the right to do
different things but they got to do an authorized disclosure and they’ve got to
do other things —

MR. HOUSTON: I disagree.

MR. REYNOLDS: No, that’s fine.

MR. HOUSTON: Well, let me tell you why. A covered entity has certain rights
to use data for health care operations and the like without patient
authorization and I think —

MR. ROTHSTEIN: If they want to set up a separate PHR they shouldn’t be, they
can use the EHR stuff but why should they be able to use the PHR stuff?

MR. HOUSTON: But going to Harry’s point, that’s my point, I agree with you,
but Harry’s point was that the PHR should simply be governed by HIPAA and I
say no that’s not good enough and I think that’s what you were saying earlier
which is hey, yes, data in EHRs is considered confidential and I have privacy
rights, but when I start to add my own personal information to it it actually
goes up a couple notches in terms of my expectation of privacy, my privacy
actually goes up as soon as I put information into a PHR.

MR. ROTHSTEIN: I would say in regards to Harry’s comment what would make me
happy is the sentence that begins currently on page 44 that Paul altered, line
44, I would say regardless of whether the PHR sponsor is a covered entity under
HIPAA there should be no secondary use of the information without consent of
the individual.


DR. COHN: Hang on for a second. If we knew what a PHR was we might be able
to say that, but the first part of the thing says there’s a wide variety, a lot
of it looks just like an EHR, we don’t know the exact line back and forth, I
mean if we knew and could say exactly what it was I’m not sure I would argue
with you but that’s not where the rest of the stuff is going. What I think we
need to say somehow is that the privacy policies either need to be like what
we’re describing here which is more exhaustive than HIPAA or at least as
strong, and I don’t know, the term strong is obviously a different term than
exactly the same or equivalent, because we don’t want things to be any weaker
than HIPAA —

MR. HOUSTON: My concern is that what is considered acceptable under
treatment, payment or health care operations or health care operations
specifically I would consider in some cases to be a secondary use for PHR —

MS. GREENBERG: Because the principal use is for the patient.

DR. DEERING: Could we do without all reference to HIPAA and put back in the
phrase that Paul took out and just say these privacy policies, now this is
going to set the higher bar but this is what John is saying, and what I thought
we were basically saying is that we didn’t want to insist that HIPAA was
necessarily your starter block. So if we just took out the middle part of the
phrase then it would read these privacy policies and practices should include
the provision that there is no secondary use of data without —

DR. COHN: Well, but we don’t know, I mean now we’re talking about people
that may be covered entities or not and since we don’t know what this is what
are you telling them to do? This is one of those things where we were making a
differentiation here by saying —

MS. GREENBERG: Are private sector vendors covered entities? Could there be
private sector vendors that were covered entities? I guess if they were a
clearinghouse —

DR. COHN: Are we saying here private sector vendors of PHR systems who are
not covered entities should voluntarily, is that what we’re really saying here?
Well in that case why don’t we say at the beginning private sector vendors who
are not covered entities should da, da, da, da —

MS. GREENBERG: Yeah, I think those are the people you’re talking about.

DR. COHN: If we say that then we’re fine, I mean I’m just sort of a little
concerned here since we don’t know exactly what this thing is —

MR. ROTHSTEIN: Okay, we agree on the end product, the end result, right,
they should be treated the same, but your hang up is on the beginning because
you say we don’t know exactly what a PHR is. Is there any way that we can
tailor the language of that, the beginning of it, depending on the nature of
PHRs in a certain form or whatever, to satisfy your concern about the varied
forms of PHRs and then get everyone to sort of agree to end of that tacked onto

DR. COHN: Well, we could say something where we say PHR systems, owners,
hosters, whatever, who are not covered entities should voluntarily adopt —

MR. ROTHSTEIN: But we want, we’ve also I think agreed that the same higher
standard should apply to covered entities as well.

MS. GREENBERG: Not necessarily because there is a model that isn’t the kind
of PHR that John and I used to think PHR was which was just really, it’s the
patients thing, I mean we own it, we control it, we can do whatever we want
with it. There is this other model that is called a PHR which is more a kind of
partnership it sounds like between like the provider and the patient.

MR. HOUSTON: Even at that that’s why there should be privacy policies that
describe how would information be used and absent the patient’s agreement as to
those policies, if the patient says no, either they can opt out or maybe the
policy will allow you to selectively decide how your information can be used —

DR. COHN: John Paul let me just ask, I mean you have system and you create a
patient portal and you have communications where the patient is sending emails
to their doctor. Now is that a PHR and that therefore you can’t disclose it to
the doctor under these rules?

MR. HOUSTON: I would actually consider that —

DR. COHN: That’s what I’m sort of saying, where you’re saying there that’s
not a PHR.

MR. HOUSTON: That is absolutely not a PHR.

DR. COHN: Well, that’s interesting because we say that those sorts of
functionalities could very well be PHR functionalities.

MR. ROTHSTEIN: Do we define those in this document, can a PHR stand alone —

DR. COHN: We talk about dimensions of functionality and function, we don’t
say a single thing —

DR. TANG: I think we included that as a PHR.

DR. DEERING: Is the statement from Simon, and I want to put it very bluntly,
from the provider’s perspective, because Kaiser and Paul both offer views into
their EHR —

DR. COHN: So does John Paul.

DR. DEERING: And so does John Paul, okay. But I’m hearing that Simon
believes that those, because here’s what it boils down to, Kaiser should not
have to offer a higher level of privacy protections for the information that is
generated from this view than it offers within its EHR, that you believe that
Kaiser should just adhere to one standard and that’s HIPAA for all, for
everything that it does with its View, like Maya you’ve Epic, I think they call
it My Chart or something like that. So everything that’s in My Chart you
believe should only be subject to HIPAA.

DR. COHN: Well, the truth is I don’t know, but since I don’t know what is
and what isn’t a PHR —

DR. DEERING: I’m not asking about your right now —

DR. COHN: No, what I’m saying is I don’t know only because I don’t know
what, I mean with lack of knowing what is not an EHR and already covered by
HIPAA in this space it makes it an impossible conversation, a question to

DR. DEERING: I guess I don’t understand that because I was asking
specifically about My Chart, you have right now, would you be comfortable or
not saying that that, Mary Jo Deering’s Kaiser Permanente My Chart View should
have protections that are only those of HIPAA or that it should have an
additional level of protections.

DR. TANG: Listening to the discussion I’m getting more and more swayed by
Maya’s suggestion that we actually not be only tethered to HIPAA and that we
just talk about privacy practices surrounding PHR information, and we can refer
to HIPAA and mention that the information in PHRs protected by HIPAA and sort
of just talk about the myths associated with that with regard to covered entity
and not covered entity but actually are the thrust of our major recommendations
don’t get tethered to HIPAA because I think —

MR. ROTHSTEIN: Okay, but the question that we seem to be hung up on, Paul,
is whether people are uncomfortable with saying that for all PHRs there should
be no secondary use without consent. And I think that levels the playing field
but the concern that Marjorie and Simon raised is that that sweeps too broadly
because there are these PHRs that I don’t exactly understand that shouldn’t be
subject to that because they’re really closer to EHRs or something.

MR. HOUSTON: Let me say this, I think again, these aren’t done in a vacuum,
when I enroll to a tethered PHR for lack of a better term it says that this
will be used for communications with my physician or other caregivers, that
this information will be included in my electronic health record and as such
will be subject to the provisions of HIPAA including the permitted uses thereof
which may include —

MR. ROTHSTEIN: Then under that arrangement that would satisfy recommendation

MR. HOUSTON: And that’s what I’ve been saying all along, that yes —

DR. TANG: And I would agree, in other words I don’t feel that you’re making
it onerous on us, so we still, we the provider still have access to the things
that are in our electronic health record on that patient and can do the things
that are reasonable in care and that are specified in HIPAA. Let me give you an
example of something that we do not have ownership over, so there is a section
of our PHR, John’s and Kaiser’s, where the patient has entered in a private
space that only the patient has access to. Now that’s hands off to the provider
and all the things that a provider is allowed to do under HIPAA. In theory we
could get access to it because we still have access to it in the database but
that’s the distinction we would make between what is submitted with the
understanding that it’s private and personal and updated by them versus what is
in our electronic health record system for which we have purposes that are led

MR. ROTHSTEIN: So let me go back to my original suggestion and we can think
about this again. I originally proposed saying something like regardless of
whether they are considered covered entities under HIPAA PHR systems should not
permit any secondary uses of information without the consent of the individual.

DR. COHN: Let’s try that on and see how it plays.

DR. DEERING: Just once more with feeling —

MR. ROTHSTEIN: Regardless of whether they are covered entities under HIPAA
PHR systems should not permit any secondary use of patient/consumer PHR
information without the consent of the individual.

DR. TANG: That is maintaining this whole anchor to HIPAA though and do we
want —

MR. ROTHSTEIN: Well, the only reason I’m saying that is because people are
confused and we could take out the regardless language but I think it might be
less clear if we do that.

DR. TANG: That’s why I would suggest if we do go the route of just talking
about PHRs policy we would have a separate section that describes how this
relates to HIPAA and try to be clear about it in that section.

MR. ROTHSTEIN: Right. Mary Jo is trying on a revision of the split off also
paragraph to try to make more clear the HIPAA versus non-HIPAA along the lines
of Marjorie’s suggestion. Harry?

MR. REYNOLDS: I have not seen a PHR yet that does not include claims data or
doctor visits or lab results or other things that most covered entities have,
will use, and have to use in treatment, payment, and health care operations,
whether it be Kaiser or any of the people that have spoken so far, forget
payers for a minute —

MS. GREENBERG: But they didn’t get it from the PHR.

MR. REYNOLDS: No, but we’re not making a distinction here. PHR is made up of
personal things that the person puts in and stuff that is usually downloaded or
gathered from the EHR. But now we are saying, we are making it all the PHR and
saying that whether it’s Simon or Paul or John’s hospital now cannot use, how
do you differentiate what’s part of the EHR and what’s PHR if part of the EHR
is in the PHR?

MR. ROTHSTEIN: The same material, I understand what you’re saying, it’s the
same information but they are getting it from a different source, right?

MR. REYNOLDS: Absolutely not.

MS. GREENBERG: Maybe it isn’t pushed from the record, they’re just getting
that view into the record —

MR. REYNOLDS: Here’s how a lot of PHRs get handled, you let somebody sign
onto your website, you let them put in stuff they would want to put in, so you
mentioned a protected area, and then you may get an icon like let’s say we put
one up and it said list my last ten doctor visits that you have from your
claims or list the lab results or list these results, those are coming straight
from databases that are used by covered entities —

MR. HOUSTON: That’s a tethered database.

MR. REYNOLDS: Well fine, but the point is if we just say PHR you just took
all that stuff that was already usable and you just nuked it.

MR. ROTHSTEIN: I have a suggestion, Harry, how about if we add, Harry, how
about if we added a last sentence, now keep in mind this is a recommendation to
PHR systems, so could we add a last sentence to that recommendation six that
says this recommendation is not intended to prohibit and then the uses that
you’re describing, would that make you satisfied?

MR. HOUSTON: Getting back to my point before which is as long as the patient
understands those linkages that exist over to the claims system or an EHR and
it’s described very clearly in the notices that are provided to the patient
when they enroll, I don’t understand what —

MR. ROTHSTEIN: Because that’s not good enough, we say they have to consent
and they don’t have to consent when they get an NPP from a covered entity.

MR. HOUSTON: But we’re not talking about the Notice of Privacy Practice in a
covered entity, I’m talking about as a patient/consumer, or a patient, to
decide that I want to avail myself of Harry’s PHR, there’s a separate
acceptance that you have to agree online or otherwise that yes, I agree to the
terms, which would describe exactly what the linkages are to those other
systems. But see again, that assumes that it’s tethered to another system,
there are PHRs out there that are tethered to nothing.

MR. REYNOLDS: But I think Simon said it very succinctly, PHR is not a term
of art yet, it is not defined, you can’t find a definition of it anywhere and
you can’t really —

MS. GREENBERG: You can find definitions but they don’t necessarily sort of
apply to all of the products.

MR. ROTHSTEIN: Harry, isn’t it a fact and maybe people can correct me if I’m
wrong, isn’t it a fact that you cannot have a PHR of any color or stripe that
the individual does not agree to be a participant in?


MR. ROTHSTEIN: So regardless of the shape of the PHR, whether it’s a look
in, a tethered, untethered, they’re going to have to agree to sign on to that.
And at that point they’re going to have to consent to the arrangements, right?

MS. GREENBERG: I think your suggestion was a good one, that you could have
what we’ve talked about and then a last sentence that says this is not intended
to apply to information from the provider’s system that’s already covered by
HIPAA or something like that.

MR. HOUSTON: But see I would disagree, I would think, going back to what
Mark just said it’s really just simply describe what information is going to be
in that PHR as part of this authorization or whatever you do, when you enroll.

MR. ROTHSTEIN: But we might be able to combine those and say this would not
prohibit providers blah, blah, blah, blah, blah because when the PHR is set up
the individual would already have to have consented.

MR. HOUSTON: Agreed, now let me say this —

MS. GREENBERG: I’m hearing this very interesting model or whatever, that I
think I’m hearing from Harry, that it’s not, I had had pictured like data from
the provider’s system, whether it be lab data or whatever in the electronic
health record, the transaction information, being kind of push into the PHR.
But he’s saying that isn’t necessarily what might happen, it just might be a
feature of the PHR is to have a view into that information and then you could
interpret that that information is now part of the PHR and it’s not available
for these other uses which it should be available for —

MR. REYNOLDS: It has to be.

MS. GREENBERG: You’ve got to make clear that’s not what you’re saying.

MR. HOUSTON: But two things here, first of all I think again you would cover
that up front when the patient enrolls as to what all the features and
functions and things are. But I also think Harry your earlier point though is
at the beginning of the document we tried to describe this evolving concept of
a PHR and what it may be in terms of all of its permutations and I think that’s
also part of this. I really think though that what we’re trying to recommend
here is informed consumer consent about all of this.

MS. GREENBERG: I’m taking a five minute break.

DR. COHN: I need to leave also, I guess we need to see what we have here.

DR. TANG: I have a comment on Harry’s dilemma in terms of is the new privacy
recommendation that applies to PHR, does that tether the provider with this
EHR? And my answer would be no so just because I downloaded stuff from our EHR
into your PHR doesn’t mean I can’t use information solely in my EHR to do PPO.
Does that help, Harry?

MR. REYNOLDS: I don’t know, I don’t think that’s what we said, we said no
secondary use without approval by the patient and if I was a patient and I saw
something in my PHR and I found out you used it for something else then my
first question would be wait a minute, I signed up that you couldn’t.

MR. HOUSTON: Well, if that was what the terms said, I think this is what
this recommendation is all about is giving the person an informed understanding
of what the recommendation will or will not be used for so that if in fact
there is a linkage to claims data or there is a linkage to an EHR, that it
would have to be clear to the patient that hey, if I am including my insulin
levels and my blood pressure or whatever the information is, that this
information will in fact then be included in my EHR and that will be available
and that HIPAA will apply to it both in terms of the potential other uses that
HIPAA permits and otherwise. My point is that you look at specifically, all
we’re saying in this recommendation is we’ve got to be clear in terms of the
uses of the data and —

MR. REYNOLDS: I agree but it says right now no secondary uses without —

MR. HOUSTON: — authorization, but when you sign up, let me say when you
sign up and you say I accept you’re authorizing, if it’s some global scheme of
use, it’s like you’re entering your blood pressure and your physician is going
to see in, you put in this type of data —

DR. COHN: I think that rather than trying to argue this one I’m hearing that
we may have to look at it written down. Luckily the good news is that we can
take this and all talk about it a week from Friday, and we may have one or two
versions that we can look at because I think this one should be, we should take
a look at this one. I thought Mark may actually have a good idea, John Paul —

MR. ROTHSTEIN: You mean adding another sentence?

DR. COHN: Well, we may need to look at this and see and then see whether we
need an additional sentence or not. To me there’s what we have originally,
there’s what we have in this new version sort of saying that everybody has the
standard, of course I’m not sure how the standard is different than really what
HIPAA does though maybe I’m confused —

MR. HOUSTON: I think the issue of HIPAA is to the extent that there are
other uses under HIPAA and the as required by law, there’s other provisions
related to —

DR. COHN: Let me just ask here, if basically your consent would have to say
anything that you put in here, since we don’t know what’s PHR versus what is an
EHR, would have to be basically open for HIPAA rules because if you receive
something and you have this all together you would likely have to disclose
it under HIPAA rules.

MR. HOUSTON: And my point being is if that is clearly disclosed as part
of your enrollment in it I think that’s reasonable.

MR. ROTHSTEIN: How should we wrap this up because we’re not going to resolve
this and then re-do it in three weeks or whenever it is we meet next month?

DR. DEERING: I don’t feel I have enough to craft a recommendation on this,
I’ve heard too many different things.

MR. ROTHSTEIN: Can we agree that we’ll put in the regardless stuff —

DR. DEERING: That I captured.

MR. ROTHSTEIN: Okay, and then make a mental note that that doesn’t satisfy
Harry’s concerns and we may need to add another sentence, but we haven’t
decided on what that is, sort of a savings clause for that recommendation.

DR. DEERING: And if anyone can suggest it to me and send it along I can
always put it in so that that’s what you see the next time around.

MR. ROTHSTEIN: Harry, is that okay with you?

MR. REYNOLDS: That’s great, yeah.

MS. BERNSTEIN: Do we need to satisfy what I heard Simon was concerned about
which is that an entity like Kaiser should not have to be subject to two
different schemes? I mean I thought it was similar but not exactly the same as
Harry’s concern.

DR. COHN: Well, I think it is, I think if John Paul is comfortable with
being —

MS. BERNSTEIN: But John Paul has a different, my understanding, what I heard
the three of you were saying is that John expects more privacy than HIPAA,
which means that he’s comfortable with the recommendation language as it is.

MR. ROTHSTEIN: Because they have to sign a consent that they have their PHR.

MR. HOUSTON: By default without any further —

DR. HARDING: But the public is going to be confused, uniformity is, just for
the public’s sake they’re going to say you can for this and not for that, it
just becomes another educational nightmare.

MR. HOUSTON: This is such a complex, I don’t think there’s any way, I don’t
believe there’s any way absent having something online that the user would have
to really understand and accept which would describe other uses and the
functioning of the PHR, I don’t think that there is a way to have uniformity
because of the fact that there are so many different types of PHRs for so many
different purposes and different motives, I mean some people are going to have
profit motives, other people are going to have —

MR. ROTHSTEIN: Richard, you make a good case for legislation to deal with
PHRs separately but in the absence of that HIPAA covers some, other people are
not covered at all, and we’re saying in recommendation six that all PHR
sponsors should do this.

MS. BERNSTEIN: Actually with respect to your point on uniformity what the
current language suggests that all disclosures should happen by consent is
simple and straightforward from the consumer’s point of view, what’s complex is
HIPAA, right, so they don’t understand that now, they’re not going to
understand it much better likely even unless we have a lot of education, but
the uniformity issue for the service, I don’t want to use the word provider,
but the PHR service is an issue I think that Simon was raising which is that an
entity like Kaiser has a non-uniform practice which makes it difficult for it as
a regulated entity, if I heard that correctly —

DR. COHN: Has had a problem with what now?

MS. BERNSTEIN: Well, that Kaiser as a covered entity has a certain, has to
be covered by HIPAA and understands, to the extent that it understands how it’s
covered by that has rules about it, and then if Kaiser goes into the business
of being a PHR service will have a different set of rules either stronger or
less strong, whatever, which are non-uniform for Kaiser and as a regulated
entity makes it difficult for Kaiser. I heard you saying that it’s hard if I’m
that kind of an entity to have two different schemes that apply to me —

DR. COHN: Well, I think it’s actually not just Kaiser, it’s hard for every

MS. BERNSTEIN: Right, any entity that would be covered by two different
schemes that would provide the service, it’s difficult for them.

And I think what I also heard was Harry saying that having more protections
than HIPAA, more stringent protections than HIPAA, is not fair, is sort of the
opposite of what John was saying, that HIPAA is plenty complicated and plenty
strong and we don’t have, we have more expectation of privacy but it’s not fair
to have, for these companies to have, to be required to have more stringent
protections than HIPAA. Did I accurately reflect that?

MR. ROTHSTEIN: Okay, Harry and John and I are going to work on a sentence to
deal with recommendation six. Anybody have any problems with recommendation
seven? I want to have a break after seven.

MS. GREENBERG: That is just beautiful.

MR. HOUSTON: I agree.

MR. ROTHSTEIN: No problems? Okay, seven is fine. We’re going to take a five
minute break for everyone and we’ll resume at 3:45.

[Brief break.]

Agenda Item: Subcommittee Discussion

MR. ROTHSTEIN: All right, now we go on to the difficult issue and that is
what do we do next with the NHIN. I suppose that the first issue that we need
to address is whether we have heard enough. I’m serious, is there anything that
anybody would need to know to come up with our recommendations? Paul?

DR. TANG: Here for another two minutes.

MR. ROTHSTEIN: Okay, you have anything to say, say it now.

DR. TANG: The only other, the thing that we are so unclear about is what
really is going on in secondary uses —

MR. HOUSTON: We’re off of that already, we’re onto our letter —

MS. GREENBERG: Well secondary uses are relevant to your letter aren’t they?

MR. HOUSTON: He’s still talking about the PHRs.

MR. ROTHSTEIN: Are you still talking about PHRs?

DR. TANG: Yeah, I thought you said is there anything more we need to hear.

MR. ROTHSTEIN: No, is there anything more on the NHIN that we need to hear,
do we need more hearings before we start thinking about recommendations on

DR. TANG: Isn’t secondary use still just a whole what is it used for, it’s
still a question on NHIN?

MR. HOUSTON: It’s interesting because we asked everybody to answer six
questions and I think people sort of, and in many cases sort of begrudgingly
answered the six questions and still went off and gave their view on things and
it didn’t, this testimony was very, very interesting this time and I thought it
was very informative, it did tend to bring things together. I think what we
were really trying to do with the six questions was focus us on getting to some
conclusions and I think that if we try to hold more testimony I think we’re
still, I don’t think we’re going, we’re just going to get more information. I
think this set of testimony was probably the best that we’ve had but I don’t
think it’s going to move us, I don’t think any more is going to move us any


MR. REYNOLDS: I agree.

DR. TANG: I agree.

MR. ROTHSTEIN: Marjorie?

MS. GREENBERG: I also agree but I’m wondering if, I mean these issues are so
complex and as Professor Greely said there are no good, in a sense almost no
good solutions, it’s very difficult because there aren’t good solutions. And I
think of HIPAA and the people who worked on that and they really, really worked
hard on it and they really, really tried to balance things and all of that and
everyone just keeps blasting it, you kind of whether is it possible to get this
right. But I’m wondering if your letter doesn’t need to almost be like an NPRM,
I mean I’m wondering if you don’t need to develop your letter, get the input of
the committee on your letter as well, and then expose it to comment. Now that
doesn’t mean you have to accept all the comments or anything —

MR. ROTHSTEIN: Is there any precedent?

MS. GREENBERG: Yes. I did that several, I was involved in that process
several times with when I developed, when I was involved with the committee
developing uniform datasets or revisions to the Uniform Hospital Discharge
Dataset, the Uniform Ambulatory Care Dataset, and the core health data
elements, I have a long history of working in that area, but it was all work
with the committee. And each time we held testimony, we collected information,
etc., and then we developed recommendations and we sent them out to everybody
who had testified and maybe others as well, but at a minimum everybody who had
testified and maybe everybody who’d attended the hearings, whatever, and we got
their comments and we evaluated them and then we finalized the recommendations.
I’m just suggesting that that’s one possibility.

MR. ROTHSTEIN: I think in the abstract I think it’s a great idea but I have
two practical questions or concerns. Number one is that we would have to make
the draft more widely available than to the people who testified —

MS. GREENBERG: You would, but it would be by definition because —

MR. ROTHSTEIN: I don’t know whether publication in the Federal Register or
whatever, or on our website —

MS. GREENBERG: You might put it on the website or something.

MR. ROTHSTEIN: And it may be that, I mean this is such an important issue,
we might get 500 comments, and I don’t know that we’ve got the staff to
evaluate that, so that’s the first one.

MS. GREENBERG: Well, you could just send it to the people who testified,
others might send you comments but you could, no I realize that, I’m not saying
do this, I’m just putting it out there —

MR. ROTHSTEIN: I think it’s a very interesting idea and I’ve often thought
this is, even if we thought it was the final version other people will view it
as sort of an NPRM or a request for something or other.

And the second one is the timing issue, so Dr. Brailer expects that we’re
going to have something by our November meeting, if we sent it out for more
comments I think we’re talking about the spring.

MS. GREENBERG: Or the February meeting. He seemed to indicate, he assumed he
didn’t need it any sooner than November but I don’t know.

MS. BERNSTEIN: Is anyone here aware of whether the responses to the original
RFI, which are similar issues, are available yet? I don’t think that they are.

MS. GREENBERG: You mean the actual individual responses?

MS. BERNSTEIN: The actual individual responses, as opposed to the summary
document —

MS. GREENBERG: Some of them I think will never be available, I thought some
of them were —

MR. ROTHSTEIN: But didn’t they have to release them to be —

MS. BERNSTEIN: They are the subject of a Freedom of Information Act request
at the moment and they are, and he said that they would release them with
redactions appropriate for, but there’s no whole document that will be not
available, I can’t imagine any whole document, the existence of all of the
documents will be available under Freedom of Information Act when they get
around to it and my guess is if you did that, if you went out for comment you
would get very similar responses but if those comments were available to you
they might be helpful to you.

MR. ROTHSTEIN: On the other hand they don’t know exactly what we’re going to

MS. GREENBERG: No, I’m not saying just go out for comment, I’m saying put a
position or a letter with recommendations for comment. I don’t know, I guess it
depends on just how much agreement you can get, if you can get a very high
level of agreement in the entire committee then maybe you have enough
information —

MR. ROTHSTEIN: Well, it’s not the information, what I was going to say is
that it may be that because this issue is so contentious that we’re not going
to be able to go into the depth and specificity on for example the 20 proposed
recommendations that I have in here, in the first draft, it may be that we only
agree on five general things and if we’re only sending five general things we
don’t need to send that out to the public.

MS. GREENBERG: That’s true.


MR. REYNOLDS: There are so many things, and you mentioned whether there’s 20
findings or whatever it is, and we may be able to close some of them out, we
may recommend further hearings on some of them, but at least it puts a
structure out for David Brailer or anybody else because I guess I feel
uncomfortable as chair of the, co-chair of the Standards and Security, when we
were doing e-prescribing and we had 50, 60 people in the audience on a
consistent basis continually plan and I guess what’s been surprising to me as
we’ve done this privacy is the numbers, even though Dan has represented those
other 50 and 60 well, the numbers of seats filled on probably a dramatically
more contentious subject than some of the other stuff, makes me a little
nervous that we go do our thing and we write a letter and then it blows up. So
I like this idea maybe of, if we put a letter, if we list the things and you
said 20 or whatever it is, 15, 10, 20, whatever it is, and we know that there
some of them that we are comfortable with what we heard and we don’t feel any
different, or we send out a draft, or I mean something, because I feel, I guess
having gone through the same process on something far less contentious in my
opinion —

MS. GREENBERG: Except they knew that was going to end up being a

MR. REYNOLDS: Well, that’s true, but it’s still, I mean this is, as we get
closer it just seems, I just feel a little —

MR. ROTHSTEIN: Well there’s another component to this and that is the
relationship between what we do and what AHIC(?) does and it’s quite possible
that when they get up and running they will want to get more information on
some of the stuff that we identified as issues but couldn’t come to closure on
and then we’ll in effect sort of kill two birds with one stone. John?

MR. HOUSTON: It’s interesting that when Hank Greely spoke and sort of
summarized I think some of the things that he thought should be
recommendations, as soon as he started to describe his thoughts everything sort
of gelled to me and I really went from I think not really feeling what are we
going to do here to sort of getting a sense from his, just what he discussed
that he sort of did have a bridge straw man and a place to start on trying to
put something together. I really believe that he sort of did distill down I
think a lot of what needs to be in the substance of a letter —

MS. GREENBERG: Actually we were saying that at lunch time.

MS. BERNSTEIN: Over lunch we were saying, Marjorie and I, that Dr. Lo and
Professor Greely sort of said things that I wrote down that could go right into
a letter.

MR. HOUSTON: Not that Dan didn’t have good testimony, but he really
distilled for me, as soon as he started speaking, especially some of his
recommendations, I said you know I think that’s really, I sort of got the sense
that that’s the tone of what I would feel comfortable writing and I’d want to
go back through and read, sort of read the transcripts again —

MR. ROTHSTEIN: Well, he’s got written testimony.

MR. HOUSTON: No, but I think the transcripts were much more even more
focused than his written testimony was and taking the transcripts maybe and
rereading those I think, unless I reread them and say no, I thought I heard
something else, I really feel like that the basis, I really think it’s the
basis for trying to put the letter and I think it was real good stuff —

MS. BERNSTEIN: Pieces of it, yeah.

MR. HOUSTON: I mean there’s more to it, I thought there was still a
structure there and again, he would go in terms of yeah, so for what it’s worth
my preference would be, maybe we sort of shove what Marjorie said simply to say
let’s get some pen to paper and maybe after we get done we say okay maybe do
need to clear up —

MS. GREENBERG: Keep that in your back pocket as a possibility.

MR. ROTHSTEIN: I think it’s a very interesting option that we may need to
look at —

MR. HOUSTON: Don’t foreclose it, let’s get something together recognizing
that it might be something we decide to put out for comment. I would really
take, let’s say we get this transcribed, his testimony early specifically so
that maybe we can start to look at it —

I’m not saying the other stuff wasn’t important but boy he distilled a lot
of what other people were saying I thought.

MS. GREENBERG: Not only that, I mean yesterday afternoon although I thought
the testimony was very good I was feeling sort of hopeless, but then he made me
feel hopeful, that may be dangerous but he did.

MR. ROTHSTEIN: Okay, there are many other issues we need to consider. The
one is the timetable, if we are going to have a recommendation by November we
are not scheduled to meet except at the September meeting for a couple of
hours. So the question is knowing the complexity of all these issues do you
think we can do things by email with a series of conference calls, maybe an
in-person meeting in October or something, what’s your sense of how we ought to
handle this? John?

MR. HOUSTON: Can we try to plan, since we know we don’t have a work product
for September is it possible to try to work in two separate sessions during the
full committee meeting? One on each day? That would be my proposal, maybe try
to get some extra time.

MS. GREENBERG: The agenda is up in my room, Debbie might have it. But let me
ask something, Simon has asked you to kind of preview your letter in September

MR. ROTHSTEIN: In September I’m not going to preview the letter, what I’m
going to do is describe our procedure, the various hearings, and some of the
issues that we’re working on —

MS. GREENBERG: You’re not in a position I would say to preview certainly any
of your recommendations, correct?


MS. GREENBERG: Well he needs to know that.

MR. HOUSTON: Can I ask a question?

MR. ROTHSTEIN: Does he really think I’m going to —

MS. GREENBERG: Well, I think at —

PARTICIPANT: I think he knows now.

MS. GREENBERG: He probably realizes it.

MR. HOUSTON: I’m looking at the schedule right now, who is on Standards and
Security or on Populations?

MR. REYNOLDS: Simon and I are on Standards and Security.

MR. HOUSTON: What’s Paul on? Is he on Populations?



MR. HOUSTON: Okay, because absent Simon and Harry, because 3:15 through 4:45
is Standards and Security as well as Populations, and my point being is is I’m
willing if we can get the other committee members on this maybe sit down and
spend some time on it with as long as Harry and Simon are comfortable coming in
the next day and maybe doing more work on the letter.

MR. ROTHSTEIN: So in other words to have two sessions, one in the afternoon
of the first day and the second the morning of the second day.

MS. GREENBERG: We just have to know to get a room.

MR. REYNOLDS: Well and the other thing is I would —

MR. ROTHSTEIN: Well, we would just the slot of Standards and Security, is
that what you’re saying?

MR. REYNOLDS: No, no, we’ll still have that session.

MR. HOUSTON: They can still have it —

MR. REYNOLDS: You will have another session also.


MR. REYNOLDS: And what we might be able to have happen since we just went
through a planning session last time with Simon as you know, we put out that
chart of what are the things we’ve got to work on, we kind of got ourselves, it
may be good for Simon to join this, Jeff and I can run Standards and Security,
so we’ll see.

MR. HOUSTON: We’ve got Mark, myself, Richard and Paul, even if you and Simon
both go to Security and do —

MR. REYNOLDS: But look at the next day and make sure Simon is not on NHII —

MR. HOUSTON: No, NHII is after, Standards and Security goes to 4:45 and
Privacy goes from 4:45 to 6:00 —

MS. GREENBERG: No, you mean NHII goes —

MR. HOUSTON: I’m sorry, NHII goes 4:45 to 6:00.

MS. GREENBERG: And what’s the next morning?

MR. HOUSTON: The next morning is Privacy and Confidentiality and Workgroup
on Quality, those are 8:00 to 9:50.

MS. GREENBERG: The only thing I’m thinking is do you want to kind of work on
writing or —

MR. HOUSTON: I think we’re going to gnash teeth again —

MR. ROTHSTEIN: I think we’re so far from writing, what we need to agree on
is sort of philosophy and structure and recommendations, I mean we’re way far
from —

MS. GREENBERG: I’m just wondering then if it’s a session in which, that
first one, I mean the second one because it’s part of the official agenda we
will have a transcript, we will have, it’d be like a regular meeting, you
wouldn’t have minutes because you’re not having testimony or anything but is
this rump meeting that you want to have, not rump, additional one, is that also
one in which we should have it transcribed and —

MR. ROTHSTEIN: I think we’d better because it’s the equivalent of the same

MS. GREENBERG: It’s just so we know to make the arrangements.

MS. BERNSTEIN: What time, that’s September 8th, what time do you
have there —

MR. ROTHSTEIN: As well as notice to the public —

MS. GREENBERG: We’d have to change the agenda to indicate that you are also
meeting —

MS. JACKSON: If it’s an official meeting generally we don’t have the meeting
where members are conflicted, you’re comfortable with having several members
who —

MR. REYNOLDS: Since we have a subsequent meeting the next day —

MS. GREENBERG: He’s okay with it.

MR. REYNOLDS: I mean we have people working on drafts at different times
where we’re not all sitting there at their desks with them so it’s no different
to me.

MS. GREENBERG: It’s just that Harry and Simon are coming, do represent I
think a somewhat different constituency or perspective and that doesn’t mean
you can’t all agree on a number of things but so having these down there may
reduce the productivity of your discussion.

MR. HOUSTON: But I also think, and maybe Mark and Richard and (?) have time
off, but I’ve got an hour and a half gap or so which I could easily, we could
again as a group could sit down and start to work through some of the
preliminary stuff so that the next day’s meeting, again we can recap for Simon
and for Harry and —

MS. GREENBERG: We should put it on the agenda, we’ll get a separate room,
have it transcribed, the whole bit.

MR. HOUSTON: I just think it’s going to be more productive, I don’t mind
doing conference calls but it’s just additional face time where we can start to
go through —

MS. BERNSTEIN: Does this need to be separately noticed in the Federal

MS. GREENBERG: No, it’s just part of the overall agenda.

MR. HOUSTON: We don’t do that for conference calls do we?

MS. BERNSTEIN: No, we’re not required in fact for our meetings to do any —

MS. GREENBERG: People know that they need to check the agendas periodically
to see if they’re going to change. It’s just one more working session of a

MS. JACKSON: And we always have a disclaimer, subjects and topics and
speakers subject to change, so people know that there’s flexibility —

MS. GREENBERG: But we will, if you want to definitely do that as soon as we
get back we’ll make sure we can get you all a room —

MS. JACKSON: I’ll call in to, I don’t know who can work on it while we’re
out but —

PARTICIPANT: We can use the same room as the plenary session —

MS. GREENBERG: But that’s probably where Standards is, but it’s only a few
people so I’m sure we can find a place, except some people may want to sit in,
others may want to sit in.

MR. ROTHSTEIN: Okay now the next question is how can we use our time most
productively? That is our face to face meetings, Maya?

MS. BERNSTEIN: I’m sorry, I just wanted to finish off John was suggesting
that we have more than one meeting and we’ve, did you mean the two on that?
Because that’s very early on, that’s two weeks from now, did you mean another
meeting between September and November?

MR. HOUSTON: When’s the September meeting?


MS. BERNSTEIN: It’s in two weeks, it’s on the 8th and the
9th, a Thursday and Friday.

MR. HOUSTON: No, I think two meetings is enough.

MR. ROTHSTEIN: So the question is whether, the meeting that we’re going to
have around the regular NCVHS meeting is still going to be in a very
preliminary stage and then there’s going to be a lot of this sort of stuff like
that we had like today around the PHR letter when we finally get something
written. Do you think we need to try to schedule an in person meeting or can we
do that by conference call or by email? Should we schedule a meeting in
November, mid-November with a prospect that we’re hoping we cancel it because

MS. GREENBERG: You mean October.

MR. ROTHSTEIN: October, I’m sorry —

MS. BERNSTEIN: Is there another meeting in October of any of the

MS. JACKSON: There are no meetings in October.

MS. BERNSTEIN: There are no meetings in October.

MS. GREENBERG: There aren’t any set up right now in October?

MS. BERNSTEIN: Are there any other meetings between the two full committee

MS. GREENBERG: Well, there’s a meeting the end of September of Standards —

MS. BERNSTEIN: So the question is since some of you will be here anyway, in
D.C. anyway at that meeting —

MR. ROTHSTEIN: When is it?

MS. BERNSTEIN: The end of —

MS. GREENBERG: That may not be, that might be too soon.

MR. HOUSTON: I wouldn’t be averse to getting together in October for a day.

MS. GREENBERG: Well October might be a good idea, I probably wouldn’t be
around but that’s okay.

MR. ROTHSTEIN: Well it could be maybe the Halloween, the 31st and
Monday the 1st, I mean that Monday and Tuesday, those are really the
only two days in a row that I’m not out of town. Or October 10th and
11th, those are —

MR. REYNOLDS: I’m unavailable all week that week.

MS. GREENBERG: The 10th is Columbus Day —

MR. ROTHSTEIN: When is our meeting? Oh, it’s the 15th and
16th, we could —

MR. HOUSTON: Could we do a one day meeting?

MS. GREENBERG: When is your November meeting? The November meeting is after
Veteran’s Day, the 16th and the 17th.

MR. ROTHSTEIN: I’m available the 11th, this is October, the
18th is a wonderful day for me, October, wonderful day because I
have to travel to Washington anyhow for a meeting on the 19th. I
love that 18th

[Multiple speakers.]

MR. HOUSTON: I was going to say, I have them in my calendar but I don’t know
how to pronounce them —

MR. ROTHSTEIN: What about Friday the 21st?

MR. HOUSTON: I don’t have any problem with the other ones, it’s just the
Jewish holidays depending on —

MR. ROTHSTEIN: What about Friday the 21st?

MS. GREENBERG: I have Yom Kippur but I don’t have —

MR. ROTHSTEIN: That’s the week before.

[Multiple speakers.]

MR. ROTHSTEIN: So could we do it on Friday, the 21st?

MS. BERNSTEIN: That Friday is fine.

MS. GREENBERG: No, Tuesday the 24th I guess, or 25th.

MR. ROTHSTEIN: Another day I could it would be the 24th

MR. REYNOLDS: Did we disagree on the 21st?

MR. ROTHSTEIN: I’m good for the 21st.

MR. REYNOLDS: I’m okay for the 21st.

MR. HOUSTON: I’m okay for the 21st?

MR. ROTHSTEIN: Richard? Okay, done, so can we try to schedule that? Friday,
October 21st, I love that too because I can just stay another day.

MS. BERNSTEIN: Friday, October 21st, what did we say about the

MR. ROTHSTEIN: Nothing, the 18th went by the board because you
can’t make it. I have, I’ll just blow off the bioethics conference, it’s in

MS. BERNSTEIN: Tell me what day of the week that is —


MS. BERNSTEIN: Friday the 21st

MR. ROTHSTEIN: Correct, Friday the 21st. And in theory we should
be pretty far along by then and we will also, I don’t know whether now is a
good time or not to set up conference calls, maybe we ought to do that, because
after we leave the 9th maybe starting the week of, how about at the
end of September we arrange a conference call, let me give you a couple of
possibilities. The 28th, September 28th, not good —

MR. HOUSTON: I’m not available, that whole week I’m out.

MR. ROTHSTEIN: That whole week, okay, what about October 3rd,
that’s a Monday?

MR. HOUSTON: I’m fine.

MR. ROTHSTEIN: Are you coming to work on October 3rd?

MS. BERNSTEIN: Yeah, I’ll probably leave at 3-ish.

MR. ROTHSTEIN: Let’s see, we’d have to make 12:00 right, that’s the
earliest, 12:00 eastern time, so can we schedule a two hour conference call,
12:00 to 2:00, on October 3rd?


MR. ROTHSTEIN: Okay. 12:00 to 2:00 eastern time, eastern whatever time it
is, standard, daylight, 12:00 to 2:00 on October 3rd and then we’re
going to be meeting in person 18 days later and maybe we can do by email
anything else.

Okay, now the next question is how can we work most productively and
effectively and one possibility is if I get a hold of, I have some notes from,
if everyone likes Hank Greely’s framework, in other words at least the three
part, the way he divided things up, I could do a draft before the September
8th meeting in which I revised this, not that you’ve agreed to it
but just so we can hold something in our hand, in which I try to plug this into
the Greely structure and also incorporate some of the other suggestions that we
heard, like I really liked, and I think many people did, Lesley Francis’
suggestion of, no, the first five years of the NHIN, health care only and —

MS. GREENBERG: Do you really think a lot of people liked that?

MR. ROTHSTEIN: Oh, I think it’s, in terms of building public trust? I think
it’s a terrific idea.

MS. GREENBERG: I think it’s a complete non-starter.

MR. HOUSTON: I think it’s a little naïve, it’s a good concept at a high
level but I think when you start asking questions you start to recognize that
there’s a lot of —

MS. GREENBERG: I think it’s a complete non-starter, I’m not saying I
couldn’t embrace it philosophically but —

MR. ROTHSTEIN: She is a philosopher —

That raises a question and we’re going to have to come back to this issue
repeatedly, but what should be the role of our letter and I think we have to
walk a fine line and that is as follows. I don’t want to put in the letter
anything that we would consider politically naïve or pie in the sky or
just totally out to lunch. On the other hand it’s not our job to weigh the
politics, I think we can —

MS. GREENBERG: I don’t really think politically, maybe small political —

MR. ROTHSTEIN: I’m not talking about this particular issue, I was talking
about overall. I don’t think it’s our job to weigh the politics, I feel very
confident that the people in the Humphrey Building will do that. I think that
we have to make, and I’m speaking for myself now, I would like to see us make
the strongest credible case on behalf of privacy and confidentiality because if
we don’t make it it’s not going to be made. And if they want to cut back on it
because they don’t, they think it’s too expensive, it’s infeasible, it’s
politically not viable, fine, that’s their job. But personally I feel that we
should put out the product that we think best assures privacy and

MR. HOUSTON: Should we at least when we talk about that, the circle of care,
is that what she called it?

MR. ROTHSTEIN: That’s what Nick called it.

MR. HOUSTON: Should we at least say it’s a circle of TPO or circle of —

MR. ROTHSTEIN: I wasn’t going to even use that.

MS. GREENBERG: It wasn’t completely clear what she was recommending first of
all, she might have only been talking about the entire electronic health
record. I mean can you imagine that NHIN, and in fact they didn’t agree with
that anyway, that for the first five years no electronic health record data
could go to public health.

MR. ROTHSTEIN: No, no, I don’t think that’s what, I don’t interpret that —

MS. GREENBERG: They’re not within the circle of care.

MR. HOUSTON: They were pretty adamant about those other uses that they felt
was outside the scope.

MR. ROTHSTEIN: Well what I’m talking about is I mean the NHIN has been
touted as a great way of quality assurance and all sorts of measures like that,
that ultimately may in fact bear out. But unless the public is convinced that
the primary purpose of this is to improve their care, assure the continuity of
care, assure that there are no mistakes made in terms of medication errors and
the like, they’re going to say, and several people said, I think Maya said
this, what’s in this for me and I don’t like it and I’m getting out and
whatever, if they can get out.

MS. GREENBERG: If they want care they’re not going to be able to get out.

MS. BERNSTEIN: You’re getting into the substance, you were trying to focus
on how to best use your time.

MR. ROTHSTEIN: Thank you very much. Harry?

MR. REYNOLDS: I was going to say the same thing because I think it’s key, I
mean I too liked what Hank had to say but we’ve heard a lot so whether or not
everything we’ve heard and I don’t, the circle of care is an interesting
thought, whether she described it right or not it’s an interesting thought,
it’s at least a premise to look at. So I guess I’m comfortable having you put
it together using whatever model you want to use but I want to make sure we
sweep all this up because we’ve heard a lot of people say a lot of good things
and some of them have said the words better and different than somebody else —

MR. ROTHSTEIN: I’m going to go back and review —

MR. HOUSTON: And I agree with you, I just think when I heard Hank speak,
some of his conclusions, it did seem to pull together conceptually a lot of
what people were trying to express. That’s the only reason, I don’t think he’s
the end all be all, I just think his conclusions expressed a lot —

MR. REYNOLDS: I’m not disagreeing with that, I’m making sure that we’re not
prescribing exactly what we’re going to say.

MS. GREENBERG: I remember in Chicago you had completely diametric things
being said, one panel versus the other, they were like the mirror opposites.

MR. ROTHSTEIN: Right. And his three part strategy I would say addresses only
a quarter of the issues.

MS. GREENBERG: Yes, it doesn’t address —

MS. BERNSTEIN: Could I make a little suggestion? One of the things that I’ve
been frustrated about is not being able to provide the subcommittee with,
because of other things that are going on, the PHR letter or whatever, with a
time when you can just really sit down and amongst yourselves hash out what
you’ve heard. And we haven’t really had time for that, certainly not in the
last two hearings when a lot of stuff came out. The first hearing was my second
day of work and the second one I can barely remember. But it seems to me that
you’re sort of chomping at the bit for some time for that, just as this
conversation points out, and maybe you should try to reserve some of that time
to do that kind of thing —

MR. ROTHSTEIN: I agree but I think it would be helpful if we have a paper in
front of us.

MS. BERNSTEIN: Yes, I agree, but I think you need to have some time to do

MR. ROTHSTEIN: And I would strongly recommend to the three other members
present and maybe we could let Paul and Simon know as well that I think it
would be valuable if you all went back through the testimony, through your
notes, and came up with a list of things, recommendations that you heard that
you like or things that you wanted to make sure were in the letter, and so that
we can consider all that stuff. And with any luck there will be some overlap
between what people considered important to be included.

MS. GREENBERG: Marietta, am I correct that up until this hearing, and of
course you have everything from this hearing, everything should be, almost
everything should be posted on the web?

MS. SQUIRE: You mean minutes and transcripts? Yeah.

MS. GREENBERG: Well the transcripts and the presentations from the three
previous hearings.


MS. GREENBERG: I mean if you don’t have it in your files or whatever —

MS. BERNSTEIN: Are there also minutes for the small meetings? Okay.

MS. GREENBERG: I’m wondering if this, well if there’s some value of you
working with Maya on this, either her going to you or you coming up to
Washington or something —

MR. ROTHSTEIN: Well, I’m in Washington a lot, we can possibly work out of
some sort of trip but I think it has to be after September 8th and
9th when we’ll have a better idea of how much agreement we have on
general principles and that’s one of the things —

MS. GREENBERG: I thought you said you were going to write something for
September 8th

MR. ROTHSTEIN: I am, I am, but only as sort of a straw man, a starting
point, because it will at least get out the issues, people may disagree as to
how I resolve them but at least it will have the issues and that’s what I tried
to do in this first document but we’ve heard more stuff and I need to go back
and revisit it. This document was written around the questions and —

MS. GREENBERG: Yes, and I don’t think those are all the questions.

MR. ROTHSTEIN: Well, they aren’t all the questions, they are some of the
questions, so I don’t think that’s a structure for the —

MS. BERNSTEIN: We did whittle them down —

MR. HOUSTON: The questions were intended for our, weren’t intended though to
be the structure for any type of recommendations either, really just for our
edification and try to get people focused.

MR. ROTHSTEIN: And it was interesting to me just to make a sort of side
remark that many of the witnesses, virtually all the witnesses to address the
issue, took a shot at the question on should patients be allowed to keep paper
records —

MS. BERNSTEIN: They all had the same answer.

MR. ROTHSTEIN: Yeah, they all had the same answer, which is fine, which is
the conclusion that’s already in here, but I included that question so that we
would have a record to back up our recommendation. But people were saying like
the train has already left the station —

MS. GREENBERG: I was the one I think who recommended that that not be the
first question because I was concerned that people might really think the
subcommittee was proposing that —

MS. BERNSTEIN: I didn’t want to jump off on that foot so I tried to go from
the general to the specific with the caveat at the end but then, Dan’s nodding
his head over there because he didn’t understand why I started cracking up
during his testimony because we had this conversation already.

MR. ROTHSTEIN: Well Dan correctly saw the logic and put it first.

[Multiple speakers.]

MS. GREENBERG: — my concern was that people would think that you really
were proposing —

MR. ROTHSTEIN: Well, that was probably a good thing —

DR. HARDING: Mark, what’s the title and subtitle of our letter?

MR. ROTHSTEIN: We don’t have one yet, do you have any ideas?

DR. HARDING: But what’s the, I mean —

MR. ROTHSTEIN: Well, they’re the Privacy and Confidentiality recommendations
for the National Health Information Network, unless, well, I mean that’s —

MR. HOUSTON: That’s what the testimony has been about.

MR. ROTHSTEIN: Tell me what you’re thinking.

DR. HARDING: I’m just trying to, when you write a letter like we’re writing
it has a title, but really what are we saying?

MR. ROTHSTEIN: My guess is, and of course we have nothing written, that this
will be in the format of a cover letter and then an attached report but the
report I don’t think should be more than ten pages long, rather than a giant
ten-page letter. So that’s what I had in mind as the framework and then the
title on the report can be anything you want.

MS. GREENBERG: It’s the Privacy and Confidentiality implications of the NHIN
and related, and then recommendations, isn’t that what it is?


MS. BERNSTEIN: I think you’ll find it ambitious to get it down to ten pages
but I urge you to try, it’s hard, I mean it’s complex, that’s all.

MR. ROTHSTEIN: Keep in mind that we can only include those things on which
we agree and so even though it may deserve 50 pages —

MR. REYNOLDS: Well the last five pages will be things we need to have other
hearings about.

MS. BERNSTEIN: But actually I’m not sure I agree with that, that is you
could identify the issues on which, you could identify either other issues on
which we have yet to come to agreement and where perhaps further developments
in the market or committee or whatever —

MS. GREENBERG: Or research, I mean there were so many recommendations —

MS. BERNSTEIN: You might want to have a discussion even though you don’t
have recommendations —

MR. ROTHSTEIN: And in fact even in some of the recommendations of the 20 in
here they’re not really spelled out in any sense, number 20, HHS should support
ongoing research to assess the effectiveness of NHIN including privacy and
confidentiality —

MS. BERNSTEIN: Right, it’s the discussion that comes before that that
outlines where it is you need to have research or why and so forth that might
take you some time to describe. But you should feel free to do that.

DR. HARDING: It says so many things and it’s such an important letter that
we ought to, there must be some way to kind of make it like these are the
things that are really important, here are some things that would really be
nice, and here are some things we don’t have the faintest idea —

MR. ROTHSTEIN: That’s one way of doing it, sort of most important to least
important, another way of doing it is these are the things you need to do right
away and these are the things that you sort of can phase in later.

MR. REYNOLDS: We’ve kind of put that approach on e-prescribing with
Standards and Security, we said these are the base things we all agree on and
the industry appears to agree on, these are the things that we need to have a
little more about and these are the things that are a little longer-term questions

MS. BERNSTEIN: Well, it’s a matter of low hanging fruit, right, if you can
agree and industry agrees, certainly pluck those off first and fastest.

MR. REYNOLDS: But your list is clear, the list, and back to your point
Richard, the list of issues is clear, it’s just what is the timeframe and what
is the process to get to some kind of resolution on them.

DR. HARDING: I don’t think general agreement necessarily means it’s the one
we should put up as the ones —

MR. HOUSTON: If we throw them all on the table and we come to agreement on
some and some we don’t, we can decide on the order, I mean I think it’s
premature to say what the rule is going to be —

MS. GREENBERG: And whether it’s one letter, I mean this is as I see a 14
page, well, maybe is it double spaced —


MS. GREENBERG: No it isn’t, this is like a 14 page letter, I have a bit of a
problem with a 14 page letter too but I mean one way to address what Richard is
saying if you took your approach, and I think it will just depend on what we
end up with, but is in the letter to highlight just what you feel, if someone
is only reading two pages it’s almost like the letter is an executive summary

MR. ROTHSTEIN: Well, we may want to have a one page executive summary of the
report —

MS. GREENBERG: And then have more —

MR. ROTHSTEIN: Well, do you remember, let’s see, Richard is the only one who
would remember this, when we did our big letter on the privacy rule, sort of
the last one where we set out everything, we had a long discussion of whether
we should put them in the order in which we thought they ought to be and the
committee, the big committee, was of the opinion that if we did that nobody
would even look at the stuff that was not bolded, that was the discussing —

MS. GREENBERG: I remember the bolding, in Salt Lake City.

MR. ROTHSTEIN: So the decision was put them all up there and sort of
emphasize the ones in text or summary that we thought was more important.

MS. GREENBERG: But I think we’ll get to that.

MR. HOUSTON: I think it’s premature to even worry about that.

MS. BERNSTEIN: I think if the committee does what you suggested, to go
through, look through their own notes, look through the testimony, whatever is
available to us on the web, and come up with a list of those things that
resonated with each of them and just look for where you have matching lists,
then that will be a good start and plenty of work already for you to do at the
beginning —

MR. ROTHSTEIN: And when you get my document see how many of those I’ve
addressed and whether I’ve done justice to what you wanted said, or where you
would plug in the things that I missed, is it the beginning or the middle or
whatever. So that’s why this is valuable, not because I expect you to sign off
on it but still we can hold something in our hands.

MS. GREENBERG: Well and I might recommend in your document but where there
just is really divergent viewpoints kind of giving maybe the most, giving
alternatives —

MR. ROTHSTEIN: You mean for the subcommittee —

MS. GREENBERG: Yes, rather than concluding where you would come out.

MR. ROTHSTEIN: Well actually in some areas —

MS. GREENBERG: Where it seems like there’s consensus —

MR. ROTHSTEIN: Well here I talked about the issue of although we recommend
that a health care provider should be permitted to require an individual’s
agreement to use an electronic health record as a condition of treatment
establishing a system of longitudinal blah, blah, blah, blah, accordingly we
recommend that EHRs of individuals should not be a part of the NHIN without the
individual’s permission. We did not resolve the issue of whether an opt in or
opt out approach should be used to obtain blah, blah, blah, and then talk about
the benefits of one and the benefits of another. So I support that view and
certainly at this early stage we ought to do that.

MS. BERNSTEIN: Are you suggesting that instead of what Mark just outlined we
would have option A, EHRs should be all in the NHIN, or option B, whatever, and
option C, and here the advantages and disadvantages of each of those?


MS. BERNSTEIN: That’s a good OMB career letter looking thing, that’s what I
did for nine years is make memos like that —

MS. GREENBERG: That will stimulate a discussion on it rather than people
like agreeing with you or disagreeing with you. I don’t want to make more work
for you but —

MR. ROTHSTEIN: Well, I was thinking that, but it will have the arguments

MS. BERNSTEIN: It will have the arguments, that’s right.

MR. ROTHSTEIN: Are there any other matters we need to discuss before I run
up and start working on this?

MR. HOUSTON: I don’t like your tie, just kidding.

MS. GREENBERG: I can only say that these three days the committee did not
refute its longstanding reputation for being one of the hardest working
committees in the government.

MS. BERNSTEIN: Do you care to say anything just among this subcommittee
about the discussion about Brailer’s workgroups and AHIC and so forth?

MS. GREENBERG: Did anyone brief either of you? Did you get a review about
the earlier discussions?

MS. BERNSTEIN: You’re going to get a call from Simon.

MR. ROTHSTEIN: Well, Dr. Brailer was here on, geez, what day was that, on
Monday, and he said that they’re going to establish at least five working
groups under the AHIC umbrella in various areas and one of them was
“security and privacy” —

MS. GREENBERG: Privacy and security, he said privacy first —

MR. ROTHSTEIN: Privacy and security, and we agreed as an executive committee
that we would communicate to him our interest in taking on those
responsibilities —

MS. GREENBERG: Well he also said that he, he invited the national committee
to serve as those working groups for all five topics although it was not clear
what was meant by that and whether others would have to be added, all of that,
but he did offer that.

MR. ROTHSTEIN: Okay, so what we don’t know, the AHIC has not been officially
appointed, they have not had their first meeting which will take place next
month, we don’t know exactly what that entails for us. The easy version of it
would be that we are to sort of oversee the contractors who are hired pursuant
to the RFPs that went out, so the privacy RFP asked for people to do a 50 state
survey of state privacy laws, state health privacy laws, and that would be
relatively easy for us to do. But it could be all sorts of other things as
well, many of which we’ve been talking about in terms of the NHIN. And the
bigger version might well entail another round of hearings on all sorts of
potential topics going into more detail than we have on these issues and so
we’re kind of in limbo as to what we’re going to do. We’re most likely going to
have a role with AHIC. Now what complicates that is that the working groups
might have numerous other members appointed to them because there were hundreds
of people who applied to be appointed to the AHIC and there are only eight
private sector members appointed, and so we can’t have all these disappointed
people running around so we’ve got to appoint them to the working groups, and
there may be 100 people who want to be on the Privacy and Confidentiality
Workgroup —

MR. HOUSTON: — enough for five or six —

MR. ROTHSTEIN: Exactly. So who knows what the future is going to hold on

MR. HOUSTON: I think it’s great to hear that that’s where Brailer’s thoughts
are vis-à-vis NCVHS, so I think any opportunity we have to support all
of this I think we should really try to jump at it. Again, I think what I think
I said before in prior meetings was that I think the way that NCVHS
continues to stay relevant is to stay on top of the things that are relevant to
the administration and to HHS and this is clearly on the top of the heap —

MS. GREENBERG: We basically came out with that, it was, we obviously can’t
do it without resources, we need to understand better what it is and all of

MS. BERNSTEIN: And there were some concerns about whether this would
overtake the rest of our agenda, on the other hand if we don’t take up the
gauntlet, gauntlet maybe isn’t the right word, to take up the invitation that’s
been laid out then we sort of become irrelevant because that’s what they’re
interested in. But also we are a ready group with particular expertise that can
hit the ground running for them so they kind of need us, because otherwise
Brailer is going to have to create this group himself.

MR. HOUSTON: And recognizing it also validates, I mean NCVHS really does
have some name recognition, at least within the circles here we’re talking
about so having NCVHS intimately involved in it I think simply helps the cause
I think from his perspective.

MR. ROTHSTEIN: Absolutely, I mean when we come to town we draw a big
audience —


MR. HOUSTON: Maybe we ought to bring the audience with us.

MS. BERNSTEIN: It’s also somewhat temporary, I mean on the one hand I don’t
think all that he said, sort of he doesn’t expect these workgroups to gel until
the spring essentially —

MS. GREENBERG: He didn’t exactly say that, he said the ONCHIT process would
not really gel until March, but I don’t know about the workgroups.

MS. BERNSTEIN: Right, we don’t really know, but also there’s a sort of
political reality which is their timeframe is about a year and a half, so it
might take over a lot of our work for that time and then —

MR. HOUSTON: I don’t think it’s necessarily bad though, I mean I don’t know.

MS. GREENBERG: Also there is a, we are planning to have a conference call of
the full committee on this topic on —

MR. ROTHSTEIN: Friday the 26th of August.

MS. GREENBERG: No, no, that’s just the Executive Subcommittee I think.

MR. ROTHSTEIN: Oh, the PHR was first —

MS. GREENBERG: I think the following Monday, the 29th


[Multiple speakers.]

MR. ROTHSTEIN: Okay, is there anything else? People asked whether we would
be finished by 5:00 and I said of course and well before 5:00, and I want to
thank you all, and I certainly want to thank Marietta and Jeannine, and our
staff, so thank you all and we are adjourned.

[Whereupon at 4:55 p.m. the meeting was adjourned.]