[This Transcript is Unedited]



August 2, 2007

Wilbur Cohen Building
300 C. Street, S.W., Room 5051
Washington, DC 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, VA 22030
(703) 352-0091

Table of Contents

P R O C E E D I N G S (8:40 a.m.)

Agenda Item: Welcome/Introductions

DR. COHEN: Good morning. I want to call this meeting to order. This is the
second day of three days of hearings of the Ad Hoc Work Group on Secondary Uses
of Health Information of the National Committee on Vital and Health Statistics.
The National Committee is a statutory public advisory committee to the U.S.
Health and Human Services on national health information policy. I am Simon
Cohn. I am Associate Executive Director for Kaiser Permanente and Chair of the

I want to welcome committee members, HHS staff and others here in person.
As always, I want to remind everyone to speak clearly and into the microphone
so those on the Internet can hear. I would also caution everyone that these
microphones are a little touchy, so everybody needs to remember to bend over
and make sure everybody can hear before they start speaking.

Let’s have introductions around the table and then around the room. For
those on the National Committee I would ask, if you have any conflicts of
interest related to any of the issues coming before us today, would you so
publicly indicate during your introductions. I want to begin by observing that
I have on conflicts of interest.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina. I
have no conflict, but I would like to disclose that our company does send
information to the Blue health initiative that will be testifying later this

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the
committee and no conflicts.

MR. BLAIR: Jeff Blair, Loveless Clinic Foundation, a member of the NCVHS.
I’m not actually part of the ad hoc task force here. While I don’t perceive it
as a conflict of interest during our panel here, Dr. Margaret Gunter, the
president of Loveless Clinic Foundation, will be testifying. I will recuse
myself from any questions during that period.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention,
staff to the ad hoc committee and liaison to the full committee.

MR. ROTHSTEIN: Mark Rothstein, University of Louisville School of Medicine,
member of the committee, no conflicts.

DR. VIGILANTE: Kevin Vigilante, Booz Allen Hamilton, member of the
committee, no conflicts.

DR. OVERHAGE: Mark Overhage, Regenstrief Institute, member of the committee
and no conflicts.

DR. DEERING: Mary Jo Deering, National Cancer Institute, staff to the ad
hoc work group and lead staff for the NHII working group.

DR. GUNTER: You can tell I don’t know the drill because I am not on the
committee. I am president of the Loveless Clinic Foundation in Albuquerque, New
Mexico, and I will be testifying this morning.

(Whereupon, the remainder of the introductions were performed.)

DR. COHEN: Welcome, everyone. I should also start out by noting that even
though I say I have no conflicts of interest, you look through the agenda and
then you realize that you do need to publicly disclose things now and again. On
the second set of testimony we have somebody coming from AHIP, Carmella
Bocchino. I should just note that Kaiser Permanente’s CEO, George Halverson, is
the new president for AHIP for this coming year. So not a conflict of interest,
but I do want to publicly disclose that. Kaiser is a member of AHIP.

As you know, the Ad Hoc Work Group on Secondary Uses of Health Information
has been asked by the National Coordinator and HHS to develop an overall
conceptual framework and policy framework that addresses issues around
secondary uses of health information, including a taxonomy and definition of

We have also been asked to develop for HHS additional recommendations on
needs for policy, guidance, regulation, public education related to this issue
of expanded uses of health information in the context of the evolving and
developing Nationwide Health Information Network.

We are taking a broad look at all of this, but we have been asked to start
by emphasizing and drilling down into the areas of quality. When I talk about
quality, I mean quality measurement, quality reporting. I think we do want to
emphasize quality improvement, which is sometimes an area that gets forgotten
in this important quality dynamic.

As we look at issues and risks, we are also looking at approaches that help
minimize those risks, tools, technologies that potentially can help risks as we
identify them. We see this as part and parcel of our report and making our
recommendations actionable.

I am leading the work group, but I want to thank Harry Reynolds and Justine
Carr for being the co-vice chairs. I was relying heavily on them to move the
work of the work group forward. Harry will be leading the sessions as soon as I
am done with my introductory remarks.

As I commented yesterday, I want to thank the committee members who are
donating their summers to this activity. Many of them thought earlier in the
year that they were going to have summer vacations. Instead they get to spend
the summer with me in Washington, D.C.

There is a lot of work to be done. This is our second set of hearings. We
will have another one at the end of August, but the time would be to have a
draft set of recommendations and a report by sometime in the mid to late
September time frame so that we can begin to discuss it with the full committee
at our late September meeting.

I do want to thank our consultants and staff support. Margaret A., thank
you as always. Erin Grant, we acknowledged you yesterday but I don’t think you
had arrived yet at that point, so thank you also for your participation. We
also have our liaisons and HHS staff, and we appreciate your participation.
Without you we would not be able to make the progress that we have so far.

In all the testimony we are looking broadly at the issues of secondary
uses. Our first panel today will be talking about one aspect, not so much
related to quality, but to research. We want to identify the issues, risks,
ideas we have about ways to mitigate risks. We are very interested in trying to
come up with a dynamic. We move frequently from a high level of framing issues
into the specifics of how we can mitigate activities.

For today, we will start out with research perspectives, quality versus
research, use of data use agreements which are a key issue in all of this.
After our morning break we will be hearing health plan perspectives. Then after
lunch we finish the testimony for these sets of hearings with data sharing
perspectives. We will spend the rest of the day today as well as tomorrow
morning talking about issues relating to what we have heard, framing issues,
what we think the report ought to look like, maybe how we begin to frame some
of the recommendations, which will be a conversation we will be continuing
during conference calls in August and in our next face to face meeting. We will
clarify that schedule later on today as well as tomorrow so everyone is aware
of what is going on.

Any conference calls we have and discussions are open conference calls. The
public is invited to call in and listen in as we deliberate and discuss the
issues that we have heard.

With that, let me turn it over to Harry to run the meeting.

MR. REYNOLDS: We will just go in the order on the agenda unless you had
agreed to some other order. So Dr. Harris, if you would please begin.

Agenda Item: Research Perspectives: Quality vs.
Research; Data Use Agreements, IRB

DR. HARRIS: Thank you. I thought I would start by telling you who I am and
what influences I bring to the table. My role at Mayo Clinic is both research
and operational, so I look at the research and quality perspectives on
secondary uses of data. I have joint appointments in the Department of Nursing.
I lead the Division of Nursing Research and also specifically the section on
nursing informatics, which is very involved with the data capture, the storage,
the way we index it, the operational practices around the retrieval and uses of
those stored data.

I have also an appointment in health sciences research in the Division of
Biomedical informatics, which is a purely research group looking at the whole
enterprise-wide data trust issues and data governance across the entire Mayo
enterprise and some of the informatics issues with that.

I sit on an IRB, on several department level research committees and on our
medical record and data repository implementation committees. You can see the
memberships I have there. I have been on our Minnesota RIO effort, I stepped
off that about a year ago, and a couple of professional organizations at a WHO
group with Steve Steindel.

The way we look at this at Mayo is that there is a cycle of health data use
that starts on the left side with patient focused data capture. The medical
record is the area I am most involved with, but this obviously extends to
laboratory systems and imaging systems and billing and accounting systems and
you name it. Those are captured and stored in transactional databases.

We do replication and modeling to take all or parts of these databases into
small to very large analytic data repositories that are optimized for
analytics, specifically to support research evaluation and performance
measurement purposes. Our goal is to develop and derive clinically relevant and
clinically based knowledge bases that we consolidate with other knowledge bases
such as guidelines that inform expert systems on point of care execution and
implementation of knowledge. In this cycle we hope to take our specific
knowledge of the patient and combine it with knowledge of how we practice at
Mayo Clinic, and combine it with external resources.

This all requires an enabling infrastructure. I think for this committee
the issues are around appropriate use and technology impact. We are going to go
to a cycle of practice based evidence to evidence base practice.

I am going to speak to a couple of guides that I as an individual working
on Mayo Clinic in the state of Minnesota under the federal guidelines look to
whether I am implementing a research study in which I am the P.I. or for some
of the quality data retrieval uses we have.

Working backwards, in relation to the HIPAA law, we have a Minnesota state
law that I am going to cover in a minute. It is stricter than HIPAA. Mayo
Clinic implementation is stricter than either the HIPAA or the Minnesota law. I
have some details on that in subsequent slides.

RElated to the common rule governing research, the Minnesota law doesn’t
address this issue beyond the patient authorization of use of their records for
research. The Mayo Clinic however supports and embraces this notion. If you
have an intent to publish you are in the realm of research. It is a very clear
line at Mayo. So we do not support people presenting quality data either in
conferences or their published abstracts or in the literature without going
through an IRB and doing a retrospective research proposal to be approved.

To move to the state of Minnesota statute, this was drafted in 1996. It was
implemented January 1 of ’97. It states that for all health records generated
after January 1, providers must disclose in writing to patients who are
currently being treated by the provider, the agency or the provider
individually that health records regardless of when they are generated may be
released, so we need to inform patients of that. The patient may object, may
decline — this is the exact language, their objection and decline, in which
case those records will not be released.

Furthermore, providers are required to use reasonable effort to obtain
patients’ written general authorization for use of their medical record data.
This written authorization has to describe the release of records. It doesn’t
expire, so it is for perpetuity. However, the patient can retract it at any
point they choose to.

If there is a lack of response to this request, the law requires that we
follow up with two mailings to the patient, to the last known address, with a
prepaid return envelope, with a conspicuous note that says their medical
records may be released if the patient does not object. So trying to make it
very, very clear to patients what the situation is. There needs to be the 60
days expiration since the second notice was sent, and the provider must advise
the patient of the rights specified.

I did not make 40 copies, but I have a single hard copy of the Minnesota
law and Mayo’s implementation of it that I can give to Mary Jo or send
electronic copies if you would like.

At Mayo, the way we have driven this law, we have influenced the way the
law was written as well as how we are implementing it. In 1997 we held some
patient focused groups that looked at and uncovered — the patients we serve
are very concerned about privacy. This is ten years ago, prior to widespread
use of medical records. They understand the need for research and they support
the need for research. We have another set of studies that say that is the
primary reason patients come to Mayo. So I think it is important in this
context to understand that patients come expecting that their data will be used
for research. They are largely willing participants in that.

They have a high level of trust at Mayo. The other thing that came out was
the distrust of insurance companies and government in terms of use of data.

Steve Jacobson, an epidemiologist at Mayo at the time and prior to the
implementation of the Minnesota law conducted a two year sample of Mayo Clinic
patients to determine what would be the bias with different types of
interpretations of patients returning or not returning their authorization
status paperwork.

Overall in this two year study, 3.2 percent of patients declined
authorization. But the finding of this study that influenced the legislation I
just went over was that the non-response rate would be 20.7 percent if the
failure to return a written authorization was considered non-approval. I have
that ma manuscript here also if you want to review that.

What Steve did a very nice job on was trying to in a smaller sample do some
diligent effort to find out why patients did not return the mailing, and what
are the implications implying authorization to use records when people had not
returned paperwork. The impact is that Minnesota law now allows for presumed
authorization if there is no response on these subsequent mailings that are
sent out.

The next slide I will show you the most recent update to that as we try and
understand this Minnesota law and patients’ intentions. Our current efforts are
tied to the genomic issues. At Mayo we have many new considerations related to
genetic data, and we have an active program to engage the community. Our
immediate community which is a catchment area for epidemiology projects as well
as referral of patients on decisions.

As I said, we had almost a million patients in our research authorization
statistics as of 2005, the last date I am aware of that we carefully looked at
it. Overall, 72 percent say absolutely yes, I am more than willing to have my
records on that first pass of authorization used for research. Through the
second and third mailings we have developed an implied yes of 24 percent, and
we see a 3.6 percent no rate, refusal to use records for research. So somewhere
between three and four percent of our records in any given study that our
investigator is using are not available for use in that study. We have
electronic systems that enable a matching of the clinic number and date of each
admission to this authorization status that is routinely used by researchers,
the IRB, the statisticians who are running the data, and others.

When it comes to Mayo Clinic use of data for quality, we embrace
transparency, but I would say with a healthy dose of realism. The state of
Minnesota also, interestingly with this protection of data and the research
authorization statute, also has a law that creates some tension in terms of
intent that requires reporting of the 27 National Quality Forum never events.
That has been required for about two years now, so for research we have some
very clearly understood guidelines on not using, and including patient data if
they have not explicitly given their consent to use those records, or if we
don’t have a really good understanding that a non-explicit consent to use
records may mean yes.

However, for the quality reporting that is on the public website, we have
to report all cases regardless of that authorization status. So I don’t know
that anybody has looked at what that means in terms of public confidence, where
the public is with that. It is obviously not identifiable, but some of these
never events like the wrong limb being removed in surgery are clearly
identifiable events.

We benchmark and share best practices across Mayo sites, Arizona,
Jacksonville, Scottsdale and our 15 affiliate hospitals and 70, 80 some clinics
and nursing homes, but we don’t send any numbers to Mayo Clinic Jacksonville
that Florida has a very different law related to discoverability. So if we
present our quality data on paper, even if our Florida colleagues are in
Rochester, Minnesota, they can look at it but they can’t carry any paper with
those numbers back to Florida, or it is discoverable. The peer protection laws
do not extend to Florida for our quality data.

Regarding patient confidentiality, patient trust is primary. We go a little
bit further than Minnesota law requires. We apply the intent of the Minnesota
law to internal uses of data as well as external uses of data. So even if it is
research that is never going to see the light of day in a publication or
quality data, when you think back to that slide on data repositories, we have
restrictions on there, so this three and a half percent of patients where we
don’t believe those patients intend for the records to be used in research, we
do not allow those records to come forward in electronic retrievals, even for
quality purposes.

When it comes to sentinel events, we dig in. We don’t not investigate
sentinel events. There aren’t many of course at Mayo Clinic, but when they do
occur, we do look at them.

An example from nursing where I live was pretty interesting. I don’t know
how many of you are familiar with the magnet hospital recognition program. We
are a magnet hospital, have been for about ten years, but every time we go up
for re-recognition our attorneys end up spending a lot of time talking to the
magnet and ANCC attorneys about our refusal to report patient level data to
this national database on nursing quality indicators because of this Minnesota
law. I think it is a unique law in the country. It delays some issues for us in
terms of benchmarking quality practices with other non-Mayo entities. And we
don’t sell data to anyone.

Within the Department of Nursing specifically, I just wanted to mention
what we have done to take this down very narrowly to a very specific department
implementation. About three years ago we went through a six to nine month
exercise at the time we were building our data marked spinoff from this Mayo
Clinic enterprise data trusted life sciences system. So we need to merge some
data sets with data that comes off the clinical data in a warehouse. So we
needed to have a department level guidelines to cover flags in non-use of data
coming from the warehouse. Some of our business operational databases in the
Department of Nursing don’t make it into the MARC.

So we felt like we needed some principles to guide use and implementation,
so we have collectively as a department — this is about 6,000 nurses now; this
is fairly well embedded through the policies and procedures of the department
— determined that data are an asset and should be managed as a strategic
resource, that individuals using data must assume personal accountability for
responsible use of those data.

We put all the electronic supports in that we can, all the policies and
procedures, but it comes down to individuals knowing what responsible use of
data means. We have many, many orientation sessions about that and updates,
that data sources are known and meet requirements for quality, integrity and

This is a big one that I think is not adequately addressed in the
literature. When we think about the use of data for research or data for
quality versus data for research, and the data quality piece specifically and
the integrity of the data. Practice changes are made much more rapidly on
quality improvement projects than the 15 years it takes for research to get
into practice. Yet we have far fewer guidelines governing generally in the
literature and ourselves also.

What do we know about the data quality when we are doing our quality
improvement processes? I think investigators are very keenly tuned into that,
but I don’t have any sense that broadly people doing quality improvement are
concerned about that on the up front side. They certainly are when they see the
numbers, they say where did you get those data and what do those data mean, but
there needs to be a more proactive attention to that. I think that is one of
the key things in terms of maintaining public trust for what we are doing with
this information when we get it.

We have a department level policy that says analysis, interpretation and
consideration as well as professional institution and regulatory standards,
that technical data standards are recognized and adopted, and that data
management tools and resources are available to staff to meet the mission. So
we don’t want to get proprietary ownership of data. We are trying to make it
accessible in responsible formats for appropriate use.

Here in my second to last slide is an example from the literature that
conflicts with my reality as I have just explained it. In Medical Care, this
very recent issue, was a study. The goal was to assess the accuracy of AHRQ’s
failure to rescue algorithm. It was a retrospective chart review at 40
institutions that participate in the university health systems consortium.

This is a quote on page 285. Because this is a quality improvement
benchmarking project, it was exempt from local institutional board review. Each
institution maintained patient confidentiality according to internal protocols.
Authors not affiliated with UHC only had access to a limited data set and
signed a data use agreement prior to receiving any data.

I have a similar study funded by AHRQ for the manuscript just accepted into
Medical Care in the last two weeks on the same topic. We went through full IRB,
a full research authorization protection, so everything in that human subjects
piece is in that same article. So the same topic, the same journal, the same
procedures are very different standards in terms of the investigators’
understanding what the rules are and the journal editors’ understanding of what
the rules are.

My impressions from this in the trenches perspective then is that secondary
use of data is as important to patient and discoveries as the medical privacy
is. There is a public trust that privacy will be maintained, and that a greater
good will be achieved. I think this data quality piece really needs to be
considered in relation to the greater good.

For research, patient confidentiality I think can be adequately protected
using existing mechanisms, but for quality purposes I think those protections
are less clear. I think a key challenge which this committee is addressing is
looking at these distinctions not just between research and quality improvement
but also the public reported measures of quality. I think they are three
somewhat separate but related efforts. There is a real risk to improving health
outcomes through research or quality if any undermining of the public trust or
the public good is anticipated by the public.

Thank you.

MR. REYNOLDS: Thank you. We will move on to Sharon Terry with the Genetic

MS. TERRY: Thank you very much. I am Sharon Terry, President and CEO of
Genetic Alliance. Genetic Alliance is a coalition of about 650 disease specific
advocacy organizations representing about a thousand diseases.

My perspective comes from a purely lay one, in the sense that I am the
parent of two affected children, and founded a foundation about 14 years ago
that then led me to be involved with this coalition group. I am the founder and
current president of the Genetic Alliance Bio Bank, so I manage for a number of
advocacy organizations samples and data that has been aggregated by these lay
groups with their medical research advisory boards. I am the manager of a
33-lab research consortium on pseudoxanthoma elasticum, which is the disease my
children have.

I am the chair of the Coalition for Genetic Fairness, which is a coalition
of about 250 organizations, including industry and professional societies,
working to pass genetic information on discrimination legislation. I am a
member of the Genetic Association Identification Network steering committee.
That is abbreviated GAIN and is part of NIH’s project to look at large scale
studies and data used widely. I am the founder of Wiki Advocacy and Wiki
Genetics, and I’ll show you why that is important, and I am a member of the
Google Health Advisory Board.

I am going to answer the charge in eight to ten minutes, so it will be a
30,000 foot view. I am not going to go into the weeds on all the things I just
described, and they will just inform my perspective as a lay individual.

I think basically that individuals don’t know about the use of their data.
They consider it information and not data, and they don’t quite see the
distinction between the two. I think at the same time they still trust that it
is okay for the most part. I think that physicians often do not know and are
either clueless or worried about the uses. I have seen both extremes, where
physicians seem to be very, very worried that any data collected and used
either for quality or for research is in fact a problem. On the other hand, I
have seen physicians not aware at all that data is being used in these ways.

I think the greater transparency would lead to greater investment, and I
will talk a little bit more about why I think that is important. I think the
logistics for achieving transparency would require a revolution in a sense
about the way we perceive health care. I think there is a continuum between the
quality data collection and use and the research uses. I think Marcy alluded to
some of that. We are seeing quality uses turnover quicker in terms of best
practices and clinical guidelines. Research seems to take a longer time to do.

One of the things that the public doesn’t understand is that it is not a
done deal. It is really iterative. That loop, were it a continuous loop as it
seems to be at Mayo would be a really good thing to have in a nationwide

I think that it isn’t that education is required, because many of the
groups that I am in simply say better education of clinicians and patients
would result in a better understanding of how data could be used and would be
used. I think it is more experiential. I think when patients experience
something or physicians, they then are more committed to whatever the actual
exercise is.

So I think the whole system needs to admit a certain kind of uncertainty.
That is, there isn’t in medicine an absolute the way some patients believe
there are, and there is a need to continue to improve guidelines, et cetera. I
think the average person going for any procedure thinks this is a perfected
procedure by a person who is an expert, and there is nothing more that needs to
be done. I think if we as a nation understood that these procedures and
guidelines need to be improved all the time, that we would be more invested as
a nation in the iterative nature of this.

I think that engaging the public — and for some people this may be a silly
analogy, but a la Facebook and Webkins, which I’m sure everyone is familiar
with. The idea that committees are being formed remittance where people are
giving up information that could be considered, and is mined in some ways by
companies. Some of it is done in a very protective manner like the Facebook
kind of thing, and others are not, like a Myspace community. But I think there
is a lot for us to learn around data and information and communication through
those electronic communities that are being formed.

I also think that people are voluntarily belonging to them with great
enthusiasm, and coming back to them and engaging with one another around the
dozens and dozens of issues. Facebook within two hours of the Virginia Tech
shooting had one million kids united together to support each other as they
went through this, in two hours. So I think if we start to look at those
technologies more broadly and understand what they mean for health care
systems, that will certainly be useful.

I think building communities — and I have a couple of examples here.
Angie’s List, which is this list where people can list what contractor they
use, a plumber or painter, and whether or not they have done a good job. So you
can go on there and look at a contractor that has had 114 good ratings and one
that had 75 terrible ratings, and determine which one to use. Or CD Baby, which
is a compilation of artists producing music and distributing it without labels,
interrelating with one another, tagging each other’s music to be alike or not.
Both of those allow communities to be built, and people who are using them
understand, I relate to other people in my community. It is a community around
different issues, but I think we can do the same thing in research in health
care, and certainly quality improvement in health care.

Obviously that is going to require robust IT systems that I think the
medical community has only begun to look at, certainly not to the degree that
these other communities use.

I think that we continually feedback improvements that include conveniences
for the person in the community. So again, I think the person either in a
clinical care system or in a research system doesn’t really get back anything
immediately or apparent. Were they able to as in a Facebook or an Angie’s List
kind of method, they would be much more inclined to be more a part of what they
are doing. So I really advocate for people being participants and not subjects
of research, and certainly participants in a quality of care loop, where they
understood that their community medical care system would be improved.

I think the potential harms of not being transparent are distrust. We have
seen many examples of that, from Tuskegee on. I think we don’t want to overplay
that. The other fear I have as a person who really needs this research and the
quality improvements to progress, is that we then dampen or tamper down all the
kinds of improvements we need to make. I think a swing in the opposite
direction which we also have seen has not been a good one.

I was one of the people who was part of the punishment for Virginia
Commonwealth when they supposedly violated the IRB around human subjects
protections for genetic research. One of the issues I asked the committee there
was, they shut down human subjects research for three years because they had
revealed some information in a twins study, what other harms came of shutting
down human subjects research, weighed against the punishment of the group who
had made a mistake in the schizophrenia twins study. So I think we need to
balance our perception of harms and look at the harms we are also creating when
we are not going forward with research.

I think we also have a lack of involvement and engagement. We have
certainly seen that in this country in clinical trials. People are not engaged
particularly around the more common conditions. They think somebody else will
do it. I think if they saw more immediate and communal benefit, they would be
more inclined to participate. I think we lose a chance to improve health care
more rapidly. We need to be able to aggregate the data, the lessons learned we
know from one another. We have no systems to do that, especially with regard to
community docs and community hospitals.

Oversight and stewardship for each use of the data. My belief, and this is
where I think there has to be some kind of revolution, is that the communities
should be allowed to have advisors be part of the projects, whether they are
quality improvement projects or research projects. I think individuals need
opt-in mechanisms and not just, I haven’t said no so you can use my data. That
would allow a greater investment.

I think with regard to results and how those are disseminated, I look at
something like the Genetics and Public Policy Center’s GWAS town halls, those
are the genome-wide association study town halls, to look at what would happen
if we did put a half a million people into a database in this country, similar
to Iceland and Estonia.

Essentially, the people in those town halls, and this is pre-publication
data, have said, you need to consent me, you need to give me choices, and you
need to respect my desire to know what gets returned to me needs to be
controlled by me. Perhaps the most creative solution I saw coming out of those
was, people suggested that you have little scratch cards. If you wanted to
scratch them off and find out if you were at risk for Alzheimer’s disease, you
could, and if you didn’t want to, you didn’t.

I think also the issues around quality versus research could be mitigated
by creating a system where the difference doesn’t matter. While that sounds
probably terribly naive when you are in the weeds on either of those sides, I
think if we did get to a place where we were looking at this as a continuum,
and understood that all of that data is important, all of it needs to be
protected, and the line between it is not something you can slice with a knife,
and build communities where there was trust and community engagement, I think
that wouldn’t be as critical.

With regard to HIPAA and the common rule, creating a hybrid system would
require elements of those systems to be merged. I think we want to remember
that both of those in some sense were created out of reactions, the common rule
to Nazi atrocities and fear of what would happen to institutions, and HIPAA
with regard to privacy. These things certainly overlap, but they also have
nuances that if we could create a system whereby we were able to integrate the
community’s participation and the understanding that this was iterative and
beneficial, then we would be able to advance both quality and research in a
system that would be useful to both.

Thank you.

MR. REYNOLDS: Thank you very much. Dr. Gunter, please.

MS. GUNTER: Good morning. It is an honor to be here to talk with you and to
hear from the rest of our panel.

I am Maggie Gunter. I am President of Loveless Clinic Foundation. I am a
health services researcher. To give you a little sense of where I am coming
from, I think one of the reasons that I was asked to testify today is that I
balance two interests. I am a researcher. I have a great deal of use of
secondary data, and use it I think in a reasonable and appropriate way. But I
am also the PI and project director for the New Mexico Health Information
Collaborative, which is building a statewide health information exchange and
RIO for New Mexico. So some of the issues about the use of that data are very
germane to what we are talking about today. So both as a researcher and as a
person involved intimately in an effort to develop a RIO, those are my

The Loveless Clinic Foundation is not one of those organizations that gives
out money. It is one that looks for money to do research. Our research is very
applied. We are an applied health research institute based in Albuquerque, and
we are very much about improving health care quality and cost effectiveness,
that kind of research as opposed to say testing new drugs or something of that
sort. So that is all about where we come from and therefore the issues about
quality improvement versus research. Those definitions come up for us as well.

We do have a research affiliation with a large integrated health system,
the Loveless health system in Albuquerque that includes a multi-specialty group
practice, a health plan and a number of hospitals. It makes for an interesting
place to do research.

When I first came there, after having been with a research division
associated with a Blue Cross plan in Pittsburgh, it was quite exciting to me to
have a comprehensive look at everything that happened to a patient. So many
times I had a piece of what happened to them, or I had just what happened to
them in the hospital; an in-hospital patient was a rare event. So it was an
exciting thing for me as a researcher to be part of that kind of system.

So it has been an excellent research and quality improvement lab for the
Loveless Clinic Foundation. Just so you know what we are talking about,
although Loveless has looked at electronic health records for many years and is
finally putting one in after many false starts, and some of you can relate to
that, I think Kaiser has had various adventures in that area, the kind of data
in a retrospective way that we have used has been typically electronic claims
or encounter data for all health care utilization for our whole patient
population. By that, we mean diagnoses and procedures, but also lab results and
pharmacy use.

So when you have all of those together, despite the fact it is secondary
data created for other purposes, it has really been quite a powerful tool in
looking at patterns of care, looking at testing interventions. It has also been
wonderful to have a clinic setting in which to test interventions and use often
electronic data to look at pre and post impacts of the various interventions.

Just to give you an idea of the kind of applications that we have looked
at, you can profile patterns of care. One distinction I make sometimes between
quality improvement and research is, for example, if somebody put in an
intervention in the entire system at Loveless and looked at the pre and post
impacts of say a new intervention to improve diabetes management, the
difference might be that when we would do that, we would do something where we
would say we are going to use matched pairs of clinics that are similar in
various demographic ways, and we are going to assign one of those clinics to be
the intervention clinic and one to be the control clinic. Then you have a much
better sense of what is really going on, because you have both pre and post,
but you can also look at, is there something else going on in general like a
new diabetes drug that might explain the differences you found, rather than was
it the impact of the intervention that you put in.

So when you do something a little more rigorous, a little more with
implications for generalizable knowledge, we will talk about that a little bit
more, but that is one of the distinctions we made in terms of quality
improvement and research, although almost all of our research is geared to
quality improvement.

This secondary data that we have had sometimes iffy access to over the
years can be used to profile patterns of care, to identify problems in quality,
to feed back comparative performance data to providers to help them improve
care. That is even true before there were electronic health records, we would
do feedback reports to providers; guide the development of quality improvement
interventions, what ones do we need, what things need to be done versus best
practice, permit the pre and post evaluation of interventions designed to
improve care and cost effectiveness.

Without these data, we could not have done the things we did in becoming
pioneers in the area of what is now called disease management in the mid to
late 1990s, where we documented major improvements in care and cost
effectiveness in about 17 different conditions.

The reason that I mention that is that I realize all the time that there is
so much done in health care where we think that we have enough money to do the
intervention itself, to make the program change, but we don’t have enough money
to measure whether it made any difference. So we fairly frequently do
interventions and continue them or not, separate from any knowledge of whether
or not they work. That just seems to me a sad and bad new of our time and our
money in a time when we are spending 15 or 16 percent on health care as it is.

One of the things that came to us as we were doing this exciting work in
the area of disease management research was, we didn’t have an electronic
health record. We knew that one of the issues was, how do you assure
sustainability of such programs and not 70 projects, and how do we further
integrate these disease management programs into everyday practice, so it
became something that physicians did all the time and not a project. On the
other hand, how do we send them to the broader community, so that was how we
were coming to the effort that eventually led to our effort to develop a
regional health information exchange.

So again, I’m not a medical technologist specialist, but I knew that one of
the key things if we were going to continue to make any changes in health, that
information technology was the most promising answer, both electronic health
records and also health information exchange.

It was always coming out for example that physicians don’t often just do
work with one insurance plan. That was even true at Loveless. We are not a
closed system like Kaiser. So you might if you were lucky get some feedback on
the patients from Loveless health plan or some other health plan, but you only
get a small snapshot of all the diabetes patients, for example. The health
information exchange had the promise that you would have aggregate data on all
of your patients once that was fully implemented.

So we got down to business in about 2003 and started mobilizing 30
community partners, and eventually applied for one of the AHRQ implementation
grants to establish what we called the health information collaborative, which
is basically a health information exchange for New Mexico in September of 2004.
It has been quite the adventure, as even Marc Overhage and others know, even
though he is one of the key experts.

We also always were concerned in that regard about privacy and security. We
knew it was a key issue. We knew if we could not resolve that issue and have
trust among the organizations of consumers, we would never be successful.

So in 2006 when AHRQ and RTI International put out an RFP for a privacy and
security project grant to examine privacy and security issues affecting health
information exchanges and develop solutions, we went after that, and were
awarded that in 2006.

To their great credit, they realized that if you just have a plan for
solutions and never any money to implement them, that is one of those other
things that tends to throw things down, and to their great credit, AHRQ and RTI
made additional funding available to the city for organizations including ours
that were in states that were putting together a privacy and security
implementation solution.

Our top choice was to develop and hopefully pass in 2008 new state privacy
and security legislation covering transmission, storage and use of electronic
health information. Right now we have very fragmented laws that address only
paper use. We just felt that trying to fix that hodgepodge of laws would not do
the trick. So we are working closely with the governor’s office and the
department of health and the telehealth health information technology
commission to put together new state privacy and security legislation.

We wanted to talk a little bit about privacy issues and data access.
Because of the various kinds of work that we have done, we have extensive
familiarity with state law. Yes, we too like Minnesota have some state laws
that are considerably more rigorous than HIPAA.

One of the troubles with our state law was that it was so short and so
brief that it gave almost no protections, just pretty much said there shall be
no disclosure under the state HMO act of any data other than for priority
purposes. The only way we were ever able — when people had small heart attacks
and discovered that state law, the only way as a research entity that we were
able to get access to data was because we are a separate verifiable 1C3, we are
separate from the health system, we are not part of it, so we are not part of
the covered entity in any sense.

We had two attorneys, one on our side and one on their side, that felt that
this work was important, and because our work is virtually all quality
improvement related and because the law allowed quality improvement activities,
we did it under that basis. But each project has to be carefully scrutinized to
make sure that it meets the quality improvements needs of the state law.

I also spent six years as chair of an IRB, so I am very, very familiar and
very sympathetic to the need to protect human subjects in research. We have
spent an enormous amount of time on HIPAA related privacy issues.

So we have a sense of those things. I have to say I really appreciated
hearing about Mayo’s approach to research versus quality improvement, because
it is something that we have struggled with for some years. I actually don’t
struggle with it much, in the sense that we have basically decided that we are
a research institute and virtually anything we do is research. But I will say
there have been some aspects, because we do interventions, that part of the
project might still have a part that is quality improvement like establishing a
health information exchange, and then evaluating it might be the part that is

It is so an ambiguous area. I think Margaret had asked me if there were
differences between the common rule and HIPAA regs. I think both of them
basically consider research — that the primary purpose is to add to
generalizable knowledge.

The issue of publication is one we have talked about a lot, and yet there
is a great deal of quality improvement work that is published. So it is one of
those ambiguous areas still, because many projects including ours have dual
goals of quality improvement and research. When you look at some descriptive
and observational research, there are people that would question whether that
is ever going to add to generalizable knowledge, and so they are much like
quality improvement.

So I think the issue for so many of us is that IRBs and organizations apply
HIPAA and IRB rules differently. That is what makes it difficult. We are part
of the HMO research network along with a lot of the Kaiser organizations and
Group Health Cooperative of Puget Sound, and we are trying really hard to
figure a way for these 15 prestigious research organizations that all have
population based databases, how can they work together as a national resource
in a way that is cost effective, and every one of the 15 IRBs doesn’t have to
look at something that is very, very straightforward. It just shows you that
this whole research infrastructure, how can we make that a little more smooth
and cost effective, so that we are not depriving patients of the great
translational research that can be based on that kind of data.

For us it doesn’t look very different in the pre HIPAA versus the post
HIPAA era, in terms of our access to retrospective data. By the way, when I say
retrospective data I have been mostly talking about electronic. We don’t do
almost any research on our retrospective data that is not accompanied by at
least a sample of paper medical records or at least full medical records,
because we feel that electronic data by itself in its current state, before
everybody has electronic health records, is not yet at a level of quality
because of coding issues and a lot of other things.

We feel it is very important for two reasons to use at least a sample of
full charts. One is, because many things are not in electronic data as it
stands mostly today. If you want a blood pressure, if you are at a place with
electronic health records, you have that. If you don’t, everybody takes it but
it is not in the electronic record, and it is a really important variable.

The other is simply that you want to validate that the data that you are
picking up retrospectively is validated through the quote gold standard, which
is not always so gold, that is, the medical record.

In the pre HIPAA era we went to the IRB often when it was a large database
we were talking about. It was not practicable to get individual consents and we
asked for a waiver of individual consent based on the fact it would not be
feasible, but it was important research and it was of minimal risk.

Of course, the whole minimal risk thing depends on how you feel about
confidentiality. I was talking to a privacy expert recently and she said, so
many IRBs think that retrospective data is not risky data. It depends on if you
are a patient that has a lot of sensitive issues. They may think that is more
than minimal risk.

In the post HIPAA era, it has typically been, we had to go through both the
IRB and the privacy board for a waiver of patient authorization based on
somewhat similar reasons in the HIPAA regs. They are similar but not identical,
and that makes it more complex for us frankly. Whenever you put something new
in, about the time HIPAA came in at the same time at Loveless that the health
system was sold to a new organization. That means that all the relationships —
you’ve got new people, you have got new roles, you have got new nervousness. So
all of those issues have to do with the application of something. There is
HIPAA and there is fear of HIPAA, and both of those matter greatly to us as

The cost. I cannot tell you what the cost of privacy regulations — and
don’t mistake what I am saying here. I think privacy regulations are critical.
I am a patient, we are all patients. We need to be protected. I think even
organizations need to be protected. But there is so much different application
by IRBs and health care organizations in applying the common rule and HIPAA
differently, and an enormous hodgepodge of state laws that further complicate
data use and research.

This uncertainty about the patient greatly increases the cost of research.
We are a small not for profit, and it is sometimes is one of the most difficult
things we have, even sometimes more difficult than actually winning the grant
or winning the contract. It delays the conduct of research.

The translation of research findings isn’t a real world improvement in
practice and outcomes. You probably heard that that takes about 17 years. We
have got to do something better. We see NIH doing this new clinical and
translational science awards in universities, so we can start moving more
quickly to translate research findings into the community, from the bedside to
the community.

The legal fees and researcher time associated with HIPAA compliance has
been very burdensome for research organizations. I have to tell you that our
attorney that has been with us for about 15 years is amazed by what large fees
have been generated by a small research organization. He has become a HIPAA
expert, he is an expert in RIOs now, he is an expert in a great many things.
This is not about anti-HIPAA, it is just trying to find some answers where we
are not having researchers and lawyers doing much of what should be done
instead of research itself.

As I say, much of my time and that of my research is devoted to compliance
with IRB and HIPAA regulations, not to research. Very frustrating and
demotivating. These are people who care about human subjects and research, and
they think that that is entirely appropriate, but sometimes we laughingly say,
and not so laughingly, that we don’t do research, we do regulatory.

One of the hard things to us because we are not part of the covered entity,
is creating an ongoing and accurate and efficient data warehouse that is HIPAA
compliant. It is central and yet very difficult to achieve. One of the issues
is that as researchers, we actually have much more training in issues of ethics
and so on than people that work sometimes in the health system. We are probably
more careful with the data. But it is one of those things where the HIPAA regs
on some of these issues are not quite as clear as they might be. Or at least,
it is sufficiently scary for people to share their data on an ongoing basis.
But we get into issues of quality.

If we just get somebody else’s version of the data that they pull, they are
not researchers and don’t pull it with quite the same care and rigor that we
do, so it really does affect the quality of our work. We worry about that all
the time. Remember, we are very applied, and we want this to be meaningful not
just for publications, but meaningful for applications in the real world.

We again find that most of our colleagues in the HMO research network have
reported similar costs and frustrations. One of my colleagues at Kaiser says
she spends half of her time with attorneys, or did until recently, just trying
to understand issues and protect the organization in terms of issues of
research access.

Although this is clearly not the intent, it often seems that the laws and
regulations are not really protecting patient privacy, but rather protecting
patients from the health benefits of good applied research.

What about secondary use and RIOs or health information exchanges? I will
have to admit to you that I had not recognized that, because we have not
discussed ourselves the issue of sustaining RIOs based on secondary use of data
and data services. But I am understanding that there is a growing recent
interest in sustaining RIOs through being able to use that data for either
selling it or data services.

Our approach in New Mexico, despite the fact that I am a researcher, I
really wanted to be very sure that we were meeting the needs of the community
and not anything to do with our needs. So our initial emphasis has been only on
the use of the data for treatment. Purposefully we have avoided discussion of
secondary use. Our attorney said to even talk about that at this stage, people
are just getting used to this idea, will be a real mistake. This was not about
transparency, it was, we are not going to use the data for other than having
information at the hands of the physician across systems at the time of the
visit, very much a treatment orientation, not a research or any other kind of

It is because it is a new and sometimes scary concept. It isn’t so much in
Indiana, but it is in many of the other states, for both providers and
consumers. We find that the providing organizations know the data is a really
valuable commodity and they are not comfortable as a first step. So we wanted
to take baby steps first as education and trust develop. This is a whole social
capital kind of thing. We also thought the HIPAA issues would be easier as well
since sharing data across organizations for treatment purposes is allowed under

We also did a federated system approach, not your favorite approach from an
IT standpoint, but that is where each data source would control their data and
where access to that data would only occur at the time of the specific use for
an individual patient. That control of the data, the sense that they could turn
off the machine, was comforting.

Secondary use I will say again is not just an issue for patients, but also
for providers, health systems and health plans, who all recognize the
proprietary value of the data and are concerned about potential negative
comparisons across organizations as well as potential liability for

I do think in terms of a long term vision for RIOs, I can remember talking
to our state department of health epidemiologist. I could see their mouths
water when they thought of having something someday like a piecemeal data that
they have on what is going on in the state, prevalence of various conditions.
If they could someday have comprehensive population based statewide data, how
exciting that would be and what a great thing it would be to public health and
to policy research, and would be so much better informed.

One possibility for the future, and it could certainly be RIOs, but the
future, a national network of centralized data repositories operated by
reliable and trusted neutral organizations with carefully designed privacy and
security requirements governing access, de-identification procedures, storage
and use.

I think again such population based data could provide enormous benefit to
the cost and quality of health care in the U.S. Heaven knows we need help
there, data to guide quality improvement, comprehensive data to improve public
health and to provide public health policy.

But care must be taken to move slowly, to listen carefully to privacy
advocates. It is a sensitive issue. This is an early phase of developing RIOs
at a politically sensitive time. I think as we build the trust over time, I see
it in my own community, it is a very, very sensitive time and that trust is
easily broken. The social capital in the bank can be taken out quickly both for
the consumer side and for the provider side.

It may be best to seek other means of sustainability first. That is what we
have thought. The irony of course is that this data is not very useful unless
you have quite a bit of it. Until a fullblown RIO occurs you really don’t have
a great amount of data to even use in secondary use. So maybe user fees for
treatment uses, hospital discharge summaries for hospitals that are currently
mailed, lab results electronically.

I think it could include those, payments to RIOs or others like them, for
aggregate data analysis and support of quality improvement activities like I
mentioned before, feedback of aggregate RIO wide data to physicians, but keep
performance indicators for all of their diabetes patients instead of just data
on diabetes patients from one health plan.

There is one thing that I do get concerned about, and I have it wrong
there; opting in would be more difficult. I think it is so important that we
all have transparency. We all are patients and that we have control of our

But I will tell you that I haven’t heard a lot said about this. Any value
to secondary data developed by RIOs will be greatly diminished by quote opting
in or opting out, meaning the issue of patients not sharing their information.
It would be very biased information.

There is every reason to believe that patients who choose not to have their
data shared are different in important ways from those who agree to share their
data. One would certainly support that if I had a major behavioral health
problem or AIDS or a substance abuse problem or a number of other things, that
I would be much more likely than other patients without those not to share my
data. It absolutely should be your right to do that, but what it will mean is
that you will have a very incomplete and biased data set, and one that in my
view from a population based sense will be of little use even for quality

We sometimes think there is a whole lot of data, it has got to be
wonderful. I have had people come to us and say, we would rather work with you
than some of these enormous data sets that are already out there, because you
know about the quality of the data, you know the physicians that helped
generate it, you can pick up the phone and talk to them. We can figure out why
the data looks goofy sometimes. So just a lot of data does not mean good data.

Sadly, the very patients whose privacy rights are being protected through
opting in, opting out, choosing not to share their data, which is absolutely
their right, will not have the opportunity to benefit from research on the
illnesses that would be made possible with complete data.

When I spoke to our attorney about this, he said, I am getting worried that
it won’t be very useful for treatment, either, because I will have this
illusion if I am a physician that I have all of the information on that patient
when in fact I don’t know when they made evident their information. While it
may be their right to do so, it may be an illusory sense of complete data.

Only comprehensive data for all patients will support the essential quality
improvement, public health, policy and research applications needed to
transform the quality, efficiency and cost of health care. But we must find a
way to allow transparency and patient control of data, and to build the trust
and privacy protections necessary to encourage virtually all patients to share
their data.

Thank you.

MR. REYNOLDS: Thank you. I’d like to thank all three of you for the
richness of the testimony. It continues to challenge our job as we hear so many

With that, I’m going to open the questioning.

MR. ROTHSTEIN: First, I want to echo what Harry said. Those were three
wonderful presentations. I think we could have questions for each of you all
day long. I know I would.

Let me add parenthetically that I only asked one question yesterday. But I
will only ask one question to begin with.

This question is to Dr. Harris. Has compliance with the Minnesota law that
has now been on the books for ten years, in your experience, has it undermined
your ability to do research and quality assessment, in the sense that the
sample is skewed?

DR. HARRIS: No. In fact, I think it strengthens our confidence. I think
given this pretty low rate, this three and a half percent, when you consider
all the other noise in retrospective research studies, I think we are not
seeing the substantive differences in people who are part of that group and who
are not. I think we are feeling fairly confident about that.

MR. ROTHSTEIN: Thank you, that is very helpful.

DR. TANG: Thank you. I just think this panel was stellar. I just really
think they added a lot, continue to add to the body of evidence of how much
good can happen with appropriately acquired and maintained and guarded
information in research.

But those are all very strong words, too. These organizations have done all
that appropriately guarded and acquired. I think that is the key to this whole
issue that we are undertaking to study.

The other piece is the notion of the lack of clarity. Hybrids hurt and cost
money. I think a lack of clarity causes not only a decrease in effectiveness,
with all of the effort that went into complying with the Minnesota law, it
doesn’t decrease the effectiveness, but there was a whole lot of cost in the
quality research area and wasted cycles in terms of how much effort it cost to
comply, not comply I don’t think with privacy provisions, but to comply with
the uncertainty or the vagueness of the interpretation.

So our biggest contribution is to create some clear path. Even the software
vendor yesterday — and by the way, I want to mention that I don’t think that
company was atypical. There are a lot. I will disagree with Mary Jo that it is
the whole industry. I also know many that have zero reselling of data. But I
think the world would be a better place if we could find this clear path.

But I think we are also getting closer, and this last panel helped find
some clarity. So in my normal simple way, it is like bellybuttons, there are
innies and outies. If your use is going to be an innie, if your purpose is to
do things inside the organization that is an innie, and can be quality or all
the opts, and you have your normal way of protecting it. If it is going to be
an outie for whatever reason, most of the stuff goes out. It is very easy. Stop
the perseveration in whether you do or don’t, just do. They have a clear path
of how they work with their IRB. That also is very helpful.

Let me get to some of the things that you said, which is two things.
Minnesota is distinctive as a state. It is known for its collaborative approach
and people. So you have organizations that are business competitors but they
get together and collaborate on the ICSE model of guideline. Yet it has this
law. Laws can either be representative of the people because of the electoral
process. It also can be a sausage making outcome.

Which one is this extra duty and burden to opt in a reflection of the
peoples’ willingness? Or was it somewhat of an accident?

DR. HARRIS: As I remember it was the peoples’ will. I think Minnesota has a
lot of threads of populism in it. I think very much a population based

DR. TANG: Then I have a very concrete question, again looking at the
concrete clear path. You mentioned if a quality study wants to go outie, I
thought I heard the phrase retrospective research review or IRB review. If you
can explain that process a little, maybe we can understand what it takes or a
way to have that happen.

DR. HARRIS: Sure. From the IRB perspective, the key driver is what is the
intent at the time you collected those data. So if you intent was quality
improvement that focuses on the practice and on the internal processes of
delivering care within a specific patient group or practice group, and then you
go back and say we did something good and we ought to share this, then you can
go ahead and request permission to use those quality data that were collected
for treatment and a retrospective data set. They are de-identified, and all
that goes on.

If however, and this happened to some very well-known people at Mayo, you
come to the IRB and you say — some people have come with abstracts, and we
have had people withdraw abstracts from conference if they are submitting that
prior to getting IRB approval. They say it was a quality project, but you
clearly had an intent to publish it going in, if I understand the IRB. We
disallow those solidly. There have been some very hard lessons on that

DR. COHEN: First of all, it has been fascinating so far, including the
questions. Innies and outies are not part of the vocabulary. I want to state
for the record that some of my best friends are attorneys, given the amount of
attorney conversations we have had this morning. Some of them are even on the

Moving into the substance of the conversation, we are talking about quality
in research, but I think this is an ideal panel to talk about issues of trust.
Since we have a new HIE, we have an institution that may be a personification
of heritage, history and all of this, and you have a lay person as she
described herself, though I think she knows a lot more than a layperson as far
as I’m concerned, a very sophisticated layperson.

To my view, a great basis of all of this is around trust. I certainly am
beginning to see that one dimension of trust is time, that you just don’t earn
trust overnight no matter what credentials you have.

I’m curious about how as you all think about this one how you might
describe — I think at the end of the day one of the pieces that we are going
to be having to talk about are trust models or how we don’t just take one leap
into the future and that’s it, how you take steps forward.

You talked about it in some aspects, but I just wanted to give you the
opportunity to reflect on that a little more, about what it is that it is going
to take for us all to be trusting this new environment.

MS. TERRY: I spent a lot of time thinking about this issue, because I spend
a lot of time building trust communities. All of the advocacy groups
essentially are trust communities. For example my bio bank has 100 percent
participation with no one opting out because they trust me.

When I examine what does that mean, I think it means first and foremost
that the association has the individual’s interests first and foremost in their
minds and hearts. That is a somewhat difficult thing to evidence through our
health care system currently because there are so many issues around payors and
around structures that put a barrier between the initial agency and the patient
themselves. So I think first and foremost is the sense that this person or this
agency has my interests at heart.

I think transparency is enormous. Even if it is not so right and not so
good, that that is communicated to the individual. They are usually much more
forgiving if they understand that this is not a perfect system, we are doing
our best here. They seem much more able. I’ve worked with Native American
tribes and with disenfranchised communities that are much more accepting of the
system and wanting to be part of it if they understand that you are going to be

Then I think some kind of participation in the system, to whatever degree
the institution can allow, allowing the voice of the people who are the
participants to be part of it. Not so much of privacy advocates, bioethicists,
proxies for the person or the patient or the consumer. I think the consumer
understands that that is an industry in itself that has its own inherent
conflict of interest to perpetuate the need for privacy experts and advocates.
So it is incorrect but I am going to say it, because we bump up against it

So I think those are ingredients are excellent ones for creating trust

MS. GUNTER: From the time we have started the RIO, it is funny how many
times the term trust us has come up, and how long we think it takes and how
fragile it is. I am even talking about in the provider organizations. These are
competing organizations, so you have got several levels of trust that we are
talking about. You’ve got consumer trust and data provider trust, what are you
going to do with my data and how do you protect it, and how do I trust you to
be the entity that is going to be transparent on lots of different levels.

It is funny, because many times people have said this isn’t about
information technology, this is about social and political and trust issues. We
are now calling it social capital. I think it makes total sense, and it has
been my instinct from the very first, that this is by far the most critical
information. As we can see, HIPAA by itself — we welcomed HIPAA, to tell you
the honest truth. We said at least there is something that is in place that
provides us some guidance in terms of how to go about this.

Our reading of HIPAA was that it did allow on a person by person basis for
the purpose of sharing of data with business associates for the purpose of
health information exchange if the purpose of health information exchange was
treatment. That is not what is going on nationally at all. It is much more the
sense of the need to opt in and opt out.

I think it has to do with something that is this new. Innovation is always
messy, it is always sensitive. I think that is what we are going through now.
One of the things that we have to make sure is that any transparency is
accompanied by education about the benefits. They often find that if all I know
is the risk of my PHI being shared I am rather unlikely to share it. But if I
know that there are significant benefits that could accrue to me and to health
care I might be more — in fact, the evidence is that people are much more
likely to share. So I think part of trust is the educational process.

DR. HARRIS: Something I would add, fully supporting everything they are
saying in terms of the community aspects and the educational needs, that is
that it really is about the behavior and the experience an individual has with
the system, with the individuals in the system.

One additional thing we could look at doing I think is, given the multiple
disciplines that are feeding into this whole environment, we need to look at
codes of ethics and standards of practice across groups like the American
Statistical Association and some of the IEEE engineering groups.

We do journal clubs. We did one on ethics and reviewed standards and codes.
Our programmers and our statisticians were in the group and some of the basic
scientists. In many of their disciplines this is a foreign concept to the
privacy and confidentiality. So as those disciplines become engaged in our
quality and research efforts, we need to look at broadening this discussion to
other communities as well.

DR. OVERHAGE: Understanding where Harry is coming from, I found a way to
combine three of my questions into one. I would be curious to hear your
comments. There was a lot of discussion about how you engage in particular
consumers in thinking about how their PHI will be used. We heard from Mayo
about community conversations and about individual understanding in the genetic
arena and so on.

One of the challenges I see is the understanding at a global level about if
the PHI might be used for research, how that might benefit and so on, and that
broad-based understanding and agreements to use for data. At one end of the
spectrum, sure, I’m okay with my data being used for research, I don’t have to
hear any more about it. The other end of the spectrum, I want to know as a
consumer about each and every use of my information to be able to control and
approve that, understand the value of that.

It gets for me at the issue of heavyweight versus lightweight research
projects, things where I am utilizing genetic information, 20 people, and you
can have a conversation with all 20 of those people, to the other end of the
spectrum where we just ran a study that we submitted the IRB on Monday, got
approval on Wednesday, it was an expedited review, executed the study yesterday
on 3.5 million people. Obviously that is a different level discussion and

Then as part of that conversation, and through this question about people
saying no and biases, but it is a free rider in some ways. Those individuals
saying to the rest of society, I don’t want to be immunized. You guys take the
risk of being immunized but I’ll be okay because of immunity. I want you to
make your data available for research. I can benefit from it, but I don’t want
my PHI at risk.

So wasn’t that very artful, putting those three together into one? The
question is about education awareness and consent or not consent. You could
say, if you are aware of consent and its broad uses, I don’t need to ask
individually. At the other end of the spectrum, every each and every patient
and each and every use.

The question is, how should we recommend to HHS from a policy standpoint
how we, as Paul was saying, bring clarity to where people need to be on that

DR. GUNTER: Currently there is a ton of secondary data out there. I don’t
think I fully got it. There is quality improvement oriented research by a not
for profit, pretty pure, relatively pure or not always pure but relatively
pure, seems like a different kind of thing to me.

I just happened to be talking to somebody that had worked for the
pharmaceutical industry. That is not mocking the pharmaceutical industry, but
they of course have for-profit self interest that they should have for those
that own their stock and so on. It seems to me that to sell data from a health
plan so that there are 30 million records all with identifiers because there is
a business associates agreement that is owned by an organization that then
sells the data to for-profit industry proprietary firms, seems a different use
of the data to me than research for quality improvement and research. So it is
that issue, too.

Are all of these things going to be treated precisely the same way? I know
that is not precisely what you were saying, but it made me think as you were
talking about this range. That seems like a pretty critical issue, and I don’t
think I clearly got it, that that data — how is that okay with HIPAA that you
have a business associates agreement to put this data together for resale, so
you are doing a particular task that is all right, and then you sell that data.

I don’t think many of us know that that happens to our data. Do you know
what I mean? I think at this point we are still allowed through IRBs to do just
what you talked about, the 3.5 million. There is a process for doing that. The
issue is, what happens — are RIOs going to be the thing that we expect to do
that work. That is one issue.

DR. OVERHAGE: One of the things that I am worried about is, they are
selling data and saying, give me a million dollars for that. There is
benefitting from the data. I was able to get the ten million dollar grant. I’m
not making a profit but I was able to get a ten million dollar grant on the
backs of your data.

MS. GUNTER: And we do that. There is no doubt about that. The term selling
has such a bad feel. But you are right, my organization benefits all the time
from patient data.

Now, we hope very much that we also are making a big effort to not have
these just be projects, but something that — but that isn’t what an IRB would
ask of me, either. They would not require that of me.

So I don’t think I have a magic answer in terms of that continuing issue
that you are talking about. I think maybe the more critical issue is for people
to be as transparent as possible as to the types of uses their issue would be
put to. It is not simple, you’re right. It isn’t like, aren’t we wonderful
because we are not for profits, but we are still benefitting from the data,
there is no question.

DR. HARRIS: There are at least four, and there are probably more,
additional uses of the data. I think there are also types of data. How do you
de-identify and anonymize genetic data? I think that is very different than the
clinical data that is in there. Whatever taxonomy is developed, we need to take
some of that into account.

The covered entities, they’re very different. Again, the national pharmacies
have different – are not covered entities the way national providers,
clinicians are, and then maybe there’s a classification group that’s around the
infrastructure that’s availability and available technologies and procedures
and processes to assure some protection and correction in the auditing
processes for the transparency.

MS. TERRY: And I would urge you since you’re looking long term and forward
not to be bogged down in what we’re capable of today because I think very
shortly we’re going to be capable of using technology to consent in a whole
different way. And that patients, especially in these public gatherings and
town halls that we’ve been doing, are looking for commitment both ways, a
contract not just that they’re making and signing, but that the contract comes
the other way. And that, for example, our bio bank with only 5,000 samples, so
very tiny, it’s set up so that patients can log in, see what kinds of studies
are going on, and commit over and over and over to participate, and they do a
hundred percent of them all the time.

So I think with that kind of choice, and while that sounds burdensome right
now, again, going to MySpace and what Google Health will become, et cetera,
those things are going to be very, very simple with technology as we move
forward, and we can’t just look at what exists today.

DR. HARRIS: But given that, we can’t require that there’s a use every time
because if somebody dies and is no longer available, we still want to
understand that they intended –

MS. TERRY: Right, and we have provisions for that, and also I’m not saying
every single project, I’m saying every single kind of project, every single
kind of data, those sorts of bigger bucket kinds of uses, but not a blanket
use, and we’re all partners.

MR. REYNOLDS: Okay. Bill?

DR. W. SCANLON: Mark actually took care of most of my question, but I wanted
to add an extra little comment to it. I think that even though there’s the very
positive experience from Mayo, Dr. Gunter’s concerns still, I think, are
something that we need more information about because even within the Mayo
experience, your Olmsted County had twice the rate of the referral, and you
acknowledge the uniqueness of Mayo and maybe the motivation of people coming to

And so the question of when you move outside of the Mayo context, outside of
the Minnesota context and you’re in an urban area where there’s a whole lot
different incidence of very serious kind of problems that Dr. Gunter talked
about, we may have more problems with respect to a skewing of a sample
depending upon the vague consent process that we have involved.


DR. DEERING: Well, actually I think Mark’s question 3.5 got to what I was
going to say and did have about education. So I’ll just ask them to do
something in follow ups, almost more as homework, and it has to do more
specifically getting at appropriate ways to directly communicate these issues
because I did my Google homework, and I happen to know that Dr. Gunter has
actually written on cultural competence and communication and all that and
disparities and all that. So, again, given the fact that we do have to write
recommendations at the national level, I would ask you by e-mail even in a few
bullets what could a group like this appropriately say about appropriate
actions at national policy or lack thereof, for that matter, should it be
something that on the contrary is unlikely.

So your thoughts about what is the most effective recommendations regarding
the public education and the provider and professional and the data source
education, I think, would be very useful.


MR. ROTHSTEIN: I have a comment and a question for Sharon, Terry. First, I
feel compelled to pretend to be offended by your suggestion that the world
would be a better place without bioethics busy bodies, even though it might be
true. But here’s my question.

You touched on something that’s been troubling to us since we started this,
and there really is a continuum between quality and research, and yet
recognizing that doesn’t really help us all that much because of the regulatory
significance of calling something one thing or another because as soon as you
call it research, then for HIPAA you need an authorization, you need consent,
you need IRB approval and so on and so forth.

So recognizing your view that it is a continuum and something that I think
most of us would agree with, in practical terms, do you have any suggestions on
where these heightened burdens should kick in.

MS. TERRY: No. I mean, I think these examples we’ve seen are struggling with
that tension, and I think your job is going to have to be to look at those
current day solutions that do struggle with those differences. I think from the
patient point of view, those differences are not obvious except that perhaps
they’re supposed to get more immediate result from a quality study rather than
a research study. But even that, I’m not sure, is obvious, and I do understand
running both research projects and also working with HIPAA covered entities the
regulatory mess that exists. You know, in our cases we always get IRB approval
for everything, even a simple study of what do our leaders of advocacy studies
thinking about yaddy yaddy yadda, just to be safe because that’s the kind of
country we live in right now in the sense of wanting to not step over any

But that brings up a whole other issue around can we make the IRB more
effective and educate IRBs about what really is risk and how sometimes putting
all the emphasis on risk and not appreciating benefit is a risk to patients. So
I have absolutely no easy answer, having lived a lot in those two regulatory
paradigms, and I don’t think we should get rid of bio ethicists. I think that
they should be part of the puzzle and not the only processes.

MR. REYNOLDS: Paul, you got the last question, question being the key
operative word.

DR. TANG: Well, there is a method to my madness, Harry. You actually get
three answers when you get something in front of them, and you get to see
whether they nod or not.

So actually I’m trying to now get concrete because I think we want to
eventually get to recommendations. So I want to vet something with you, and
it’s not this specific idea but your reaction to whether this kind of things

I think actually the community understands what quality is, and I think the
providers can do that. I think, unfortunately, it has become a loophole that
could be exploited by people who want to do other things than what we consider
quality, and that’s the root of the problem. And the other piece is trust is
something we want to earn and over and over prove. And a lot of the way we get
trust is through transparency. Now here’s the idea for your reaction.

What if when a provider group wants to do quality initiative like the
clinicaltrials.gov and just register what I’m doing, what I’m doing it for, and
let’s say who am I, who’s accountable, and what data am I using. That already
now all of a sudden it’s transparent to everybody inside and outside.

If I want to convert and do an outie, I will only be allowed to convert if
I’m on that list just like clinicaltrials.gov, and then the IRB will then
review my request and turn this into research that goes out. And what happens
is now you’ve got disclosure. In a sense, you’ve enforced transparency ala the
abstract example. If the person didn’t put it on the quality list, it isn’t
even available to convert. So you get transparency. You get declaration. The
exploitation would have to have been declared upfront as an example, and yet
you have a path to get to research. The concepts, I mean maybe the specific,
just tear that apart and see if there’s something that can try to get
transparency to create trust and help with our quality research dichotomy
because really we’re trying to get rid of the exploitation of the quality

MS. GUNTER: Paul, would you make it clear at what point in that
“research” or quality continuum you put it on the web and say that
I’m doing this. The reason I ask is obviously for researchers or even quality
people, there might be innovative things that they have in mind. And so at what
point that before you would even be getting IRB approval or anything like that
or wondering whether you need IRB approval.

DR. TANG: So the only time you’re putting it on this transparent list is
when you’re doing a quality initiative, and it is there. So if somebody wants
to question, I mean, it’s not on the public website, but it is somewhere where
it can be examined. So I’m declaring that I’m doing that.

And what happens is even as a quality person I just can’t go forging for no
reason. I basically am always declaring, yet the other thing is you’re not
imposing a big administrative burden because that’s the other downside to try
and regulate quality projects.

So I’m trying to put them all in one basket and get your reaction from your

MS. GUNTER: So if I could just, we do something that’s like that, but I
realize that you may see it as an administrative burden, and that is that we
decide that since it may be in somebody’s interest to have something be just
because it’s in their interest to have it be exempt from IRB, that all of those
things, if there should be a general category in your organization of types of
things or OSHPD guidelines for what quality looks like. And if anybody has a
question, I think that that really does need to at least go to the chair. It
might not have to go for some kinds of adjudication about that.

And I think that we did that even with part of our study for a charter(?).
We went to both our IRB and others and said we think this part of the project
is “quality,” and this part is research. And some of that had to do
with how difficult it would have been to accomplish it otherwise. But we also
made what we thought were good points and had them vetted by key people. Now
that’s a big project when it was for IRB, you know, for health information

But I think that it’s still worth saying that probably it needs to be –
you’re right, somebody other than your decision that it’s quality versus
research. And you were trying to find that area, I know. And is it your concern
that if it went through the IRB or to somebody on the IRB that that would be
too –

DR. TANG: You did it all the time for all your QI reporting and initiatives.
I’m just trying to find a clear way of –

MS. GUNTER: I hear you.

DR. HARRIS: well, I’m kind of intrigued by the idea, and I’m sitting here
trying to think what would be the potential impact in terms of a repressing
people’s initiatives and wanting to just look at things prior to doing
something formal like registering it.

It’s coming out of my sense that most clinicians, physicians, nurses,
physical therapists, social workers, you name it, don’t – I don’t’ mean to
say they don’t have respect for quality as we’re talking about it. They do. But
the performance matrix driven quality initiatives are not where clinicians put
the highest value into. They put the value into what’s happening when I’m
seeing this patient in my work group at Mayo, and I think it’s true of most
institutions there is slightly less formalized organizational support for doing
those types of quality projects versus the ones that are driven more by IHI or
NQF or you name the list of agencies.

So I guess that would be the balance. I would not want to see any repression
of any sort or discouragement of clinicians who are coming up with ideas that
they’re kind of doing on a shoestring and really are providing the kind of fun
insights into things.

DR. TANG: But posting this little –

DR. HARRIS: Yes, it could be easy to do.

MR. REYNOLDS: Let me ask, let me ask. We’re going to be deliberating a lot
of this afternoon and tomorrow morning. So –

DR. TANG: Right. My purpose in asking them is they’ve got a lot of
experience and have put tons of thought into this, and I just wanted to get
their –

MR. REYNOLDS: But I’m sensing it from a number of people, the question is
not drawing it out. So –

DR. TANG: Okay. Do you want me to clarify that piece?

MR. REYNOLDS: Well, let Kevin ask you the question to make sure that you at
least hear from someone.

DR. VIGILANTE: So the dilemma of distinguishing quality from research
becomes operationally important when people try to sneak things through the
quality pathway when in fact all along they thought it was, you know, the
intentionality was to do research.

DR. TANG: To do research or to resell.

DR. VIGILANTE: So that anybody contemplating doing quality work, let’s call
it, that in their mind they say, well, in the back of my mind if what I find is
interesting and potentially publishable or usable in some other way, by putting
it on this transparent registry that somehow enables me to pursue it with the
acknowledgment that it might eventually require putting it through another
pathway. I’m just trying to understand how – that basically said, no
matter what intent you have, if you put it here, that’s your scenario, right.

DR. TANG: So I want to do something with patient data. By definition, that’s
human – it involves the potential for human subject risk, okay. It’s gone
too far?

MR. REYNOLDS: You’re explaining it again. We want the question because we’ve
got another panel coming, and so I want to make sure that whatever we can say
to have them answer a question would be good.

DR. TANG: I think they all understand.

DR. VIGILANTE: Oh, I’m sorry. I’m the slow one. So would that help? Would
that be helpful in resolving this.

DR. TANG: I was asking whether it would be helpful, help some of their
dilemmas while not imposing additional burden on – well, you’re nodding
anyway, for the record.

MS. GUNTER: I think it makes some sense, what you’re saying.

MR. REYNOLDS: Okay, with that, we’re using this clock again because I don’t
know what your watch is on. I know it’s not right, but we’re using that. I’d
like everybody to come back at ten minutes til eleven. We would also like to
ask this panel if you can stay around today for further discussions as we might
need would be great. And Sharon, to play off of your comment, when 150,000
people voted last night between 11:00 and 11:15 on whether there should be an
asterisk on Barry Bonds’ record of home runs, there is a new world out there.
Thank you.


MR. REYNOLDS: We’re going to go ahead and start our next panel. With
everything we’ve learned so far, it probably should be 2:00 p.m, but it’s still
morning. We will continue forward. So the next group is a panel called Health
Plan Perspectives. We’re going to have Carmella Bocchino from AHIP, Shirley
Lady from Blue Cross Association, and Dr. Deborah Peel from Patient Privacy
Rights Foundation.

So with that, we’re going to go in the order for the agenda. So Carmella, if
you would, please. We need to get you a little closer to the mike. These things
are –

Agenda Item: Health Plan Perspectives

MS. BOCCHINO: Is that better? Thanks. I want to thank you for the invitation
to participate today on this really important subject. I was telling some of
the members of the Committee I’ve been speaking about secondary use of data to
a lot of different scheduled groups lately. So it is an important topic.

Let me tell you a little bit about AHIP. We’re the national trade
association representing nearly 1300 health insurance plans that provide
coverage to more than 200 million Americans. Our members offer a broad range of
products in the commercial marketplace including health, long term care,
dental, vision, disability and supplemental. Our members also have a very
strong track record in participation in Medicare, Medicaid and FEHBP.

Our members are seen by the employer community since we have an
employer-based system as the accountable agent for providing health benefits to
the employees. And in that, they are looking for the plans to create innovative
programs for chronic conditions, promoting wellness and preventive health care
and providing information on provider performance to stimulate quality
improvement and consumer decision making.

I’m going to talk this morning a little bit about what the current
environment is like in these discussions, some health insurance plan
initiatives that actually address all three areas that you’ve been talking
about today, public health research and quality, and talk a little bit about
the importance of both consumer and provider trust in any of these programs
which we do believe are very important and essential. And then I’m going to
offer some recommendations for the group.

So as I said, I’ve been talking to many organizations about secondary use of
data lately, and this was just to look at where all of you have some overlap in
what you’re all discussing.

Now the good part of that is that you now raise these issues to where they
need to be discussed and debated so that we can address them appropriately. The
down side of that is you all could come out with different recommendations.

And so I really encourage you to be collaborative and try to come out with a
set of recommendations that are collaborative across all these groups or at
least not in conflict. It will be impossible for the marketplace to implement
anything if some of you say do this, and another advisory group says do that.
And so I think that’s extremely important.

What are the benefits of a national or regional or local electronic health
exchange? We’ve all seen the numerous reports that are confirming substantial
gaps between the best care possible and the actual care. I will tell there is
growing impatience from the employer and purchaser community, whether it be the
private sector or Medicaid or Medicare, about the inconsistent quality that is
occurring in the health care system. You could just read the front page of the
New York Times last week when you look at cancer care and see the inconsistent
quality that exists across the United States right now where some practitioners
have all the information, put it into practice; other practitioners don’t have
that information readily available and are doing the best job they can. This is
not a criticism of the providers of care. It’s we need to find ways to give
them good information so they can improve their care.

Public reporting and detection has, the studies show that it does lead to
overall health care improvements. Recognition of the urgent need to align all
these different measurement and reporting initiatives. Part of my job is
actually working with the numerous different groups that are trying to collect
performance measures at the regional, local level. We actually tracked there
are close to 70 different regional health care collaboratives going on in the
United States with plans or providers. Employers are coming together in a state
or in a region to collaborate and collect information on a set of measures.
They’re all using different measures. They’re all using different methodology.
They’re using different attribution rules, different sample sizes. That’s only
going to – it may be helpful to the local community, which is where we
want to drive change, but it’s going to be extremely difficult then to compare
that across communities. And if you’re a consumer who lives in an area such as
the Mid-Atlantic area where you could reside in D.C. but get your care in
Virginia and Maryland, you want to be able to know what that care is like
across that full area where you may go for care, not just within an area, a
particular area. So we need to do something about reducing all this confusion.

We also need to address delays to interoperability. It’s essential. Paul and
I are frequently on numerous panels trying to push MORONO(?), an R.W.J.
Advisory Group, interoperability and the use of health information is going to
be essential as we go forward, and I’m going to give you some examples.

Health insurance plans promoting quality. We about 20 years ago started
reporting data to the National Committee on Quality Assurance, collected a
standard set of measures that actually the employers used to evaluate different
health plans. There are now numerous different quality improvement programs for
employees that are disease management and wellness physician assessment that
will allow a feedback group giving information back to physicians to encourage
improvement to actually promote evidence-based medicine.

Public health surveillance. I want to talk really very briefly about a
demonstration project that was done in 2002 and 2003 with 20 million lives in
Massachusetts, Minnesota, Colorado, Texas and North California where they used
de-identified patient data daily count of certain diagnostic codes or symptoms
that were reported through medical groups or health plans that had medical
groups as well as nurse call line to look for blips relative to certain
symptoms that certain individuals would be presenting that could then get
reported to the local public health, and they could actually map out or they
were seeing these little up ticks of symptoms to see if there were public
health problems that were actually occurring.

That’s the power of some of that data. The other piece has to do, I’m sure
you’ve heard about the CDC’s VSD distributive data model. That same safety link
has been in existence since 1990. It actually started as a database that was
located within CDC. They have now moved to a distributed data model. It is a
comprehensive data set on a particular scope of work to address specific issues
related to vaccines.

There is eight plans currently working with the CDC on this. What they do is
they determine the scope of work. It goes to an IRB. Even though the data that
comes through the distributed data model is de-identified, the
comprehensiveness of that data set which is all health care encounters, both
inpatient and outpatient, post vaccine are there. And so the reason for going
through the IRB was to make sure that there were patient protection and
security and privacy. But the success of VSD which is now moving to actually a
rapid cycle analysis for CDC, we have gotten evidence that says you can use
influenza in children from six to 23 months. That was studied very quickly. ATP
came out with a recommendation.

Rhoda Virus was actually taken off the market because of problems that were
found, very important patient safety issue. And most recently, VSD is actually
engaged in a study relative to Menactra, a meningcoccal vaccine because of two
isolated cases of Guillain Barre, and they are doing a rapid cycle analysis to
make sure that this is not related to the vaccine.

This is the power of what secondary use of data can do for us, particularly
in the public health area. But it is quality. If you can find this out, it
relates to patient safety and quality, and we can’t blur those.

Very quickly, the AQA Alliance is an alliance of the physician community. It
has to do with measurement and improvement by giving physicians measures of
quality and cost effectiveness in their own practice. The challenge here was
that you need to have adequate sample sizes. And so there has, as I said,
numerous collaboratives have come together to aggregate de-identified patient
information across a particular marketplace so that you have a much larger
sample size. This is identified by the provider so that, again, the provider
can get this information. But it’s de-identified on the patient side. It
actually will reduce burden to that physician because instead of getting ten
different requests for measures, they’re going to get requests from a
collaborative in a particular marketplace.

The AQA has a data aggregation work group who’s actually put out some
principles, which I would encourage you to look at. We can actually have them
sent to you and a model for a national data stewardship entity. The AQA is
composed of about 85 different specialty and sub-specialty medical
associations, the purchaser community, consumers, and the health plan. They
really believe that there should be an entity that creates standards relative
to data sampling, data sources, attribution rules, and that that should be
transparent and put in the marketplace so that we can all use those same kind
of methods no matter where you are and then be able to compare data nationally
or regionally and locally.

AHRQ recently just put an RFI into the Federal Register asking for sort of
marketplace consensus or advice about is this needed. They had over 75
different responses. They’re just reviewing those responses now. So I’m sure
we’re going to hear more about it.

You’re going a little bit from Shirley or a lot from Shirley about what the
Blues have done with BHI. I will tell you that AHIP is actually talking because
we have not only Blue’s plans, but we also have the large national plan about
putting together a national data aggregation effort on provider performance,
strictly quality measures focused to start with so that you can collect data at
the national level, but you can move it down to the regional and local level
for use by physicians, but give you some comparisons at the national level.

I want to talk quickly about our PHR Initiative. I’m sure you’ve heard a lot
of PHR. I know Paul is tired of hearing me talk about PHRs. But the potential
for PHRs is for consumers to have a health summary in one place. It does not
replace the electronic health records. We really believe the reason there’s an
interest for PHRs right now is because we don’t have enough electronic health
records within a physician’s office.

Our industry actually – so this is sort of a schematic. It can provide
important information to consumers that they need just so that they know what’s
going on with their own health that they can share with their family or
significant others. It can provide targeted alerts and reminders for
preventative screening. It can send information about drug-to-drug interaction,
particularly for patients who are going in and purchasing over-the-counter meds
at a drug store won’t interact with my prescription drug. These are all the
powers of PHRs. This was a joint project with the Blue Cross Blue Shield
Association. All our work was based on focus groups and research that we’ve
done with consumers as well as providers, and trust certainly was an overriding

The physician community had actually asked the industry to work together to
come up with a common template for PHRs. They were concerned that each plan
would do their own PHR, and we’d have more noise and confusion in the
marketplace as opposed to some standardization. So we worked together to define
and agreed to a minimum common set of data. We actually worked with a
consultant to develop a portability standard which has now been turned over to
the standard development organizations. What this portability standard allows
is that if I as a consumer change my job or change and therefore get a new
health insurer or change my health insurer from my own choice, I have the
ability to make a decision about moving that data from the plan I’m with to the
new plan. This is very much consumer-centric. The consumer makes the decision
if their PHR is going to be populated. They make a decision about what data
gets moved, and they make the decision about who has access to their data in
the PHR.

I think I went through most of this. Let me go to privacy and security. I
think I can go through this quickly. You already know that HIPAA requirements
govern use and disclosure of information for treatment and patient health care
operations, which includes quality, assessment, improvement, population, health
and care management. It sets rules for de-identification. Consumers get
information from the notice of privacy practices, and it has significant
electronic security protections.

I heard some of the discussion from the last panel, and I’ve looked at a lot
of the material before you. You’ll hear my recommendations. We’re not doing a
good job of educating consumers, and we really do need to do a much better job
of that.

Recommendations. I’ll go back to the initial slide. Because there are so
many federal groups and even state groups that are starting to talk about
secondary use of data, we need consistency in these recommendations. Part of
the challenges right now with state laws for privacy is even if a consumer
wanted their data to move from one state to the other and the state will
prohibit moving across the state boundary, some of that data can’t be
transferred. The patient can certainly pack it up and take it with them, but
interoperatively they’re going to have trouble transferring that if there’s a
state law that says you can’t move that data across state boundaries.

We have to make sure that transfer of information that’s vital to patient
care is ability to move with the patient wherever they get care. We need to
have a better understanding of the diverse business models that exist to
aggregate date that could actually benefit consumers, and I talked about that.

There’s the importance of real time data to get the right care at the right
place with the right outcome. For almost all of this, you can use de-identified
patient data. When you’re not, you’re going to use IRBs, and I think that’s the
direction we want to know. Data, no matter how it’s used, if it’s used in the
public health sector or if it’s used for research, at the end of the day should
drive quality improvement, whether we learn what works or doesn’t work, that’s
still an important indicator of quality. And so in my mind all three pieces are
very much aligned together.

HIPAA provides effective legal parameters to protect privacy and security of
individually identified health data. I talked a little bit about state
requirements that may impede electronic transfer. There is this blurred area of
non-covered entities that are beginning to look at some electronic health
information. You may want to focus your attention there. I would really
encourage you to focus your attention on where we have known problems. We don’t
want to lose vision of where we want to be, and we don’t want to put barriers
in place that are going to keep us from where we want to be.

We support public education programs about the use of clinical quality data
to improve health outcomes, both on benefits of PHRs, benefits of quality
reporting and public health.

And I’m going to skip my last slide because I actually want to read
something to you. As I said, Paul and I are actually – he’s actually the
Chair of this project with Robert Wood Johnson that is called Project Health
Design, which is to be the next generation of personal health records. So it’s
very innovative, and grants were given to different sites for them to actually
push the envelope.

We actually got a little note yesterday, and I wanted to share with you
because I think its message is so important. This was a writer who had recently
just reviewed some of the innovative models coming out of the RWJ grants, this
next generation of PHRs that are going to empower patients, engage them and
improve care.

And what she says is, “Their description is a contagious spirit of blue
sky creativity. You see, I live in Washington, home of the filibuster, partisan
gridlock and bureaucracy red tape. Nearly every decision of health and IT, and
there have been plenty in the last 20 years, is mirrored by a review of the
barriers locking its progress. Where is the technical infrastructure, who’s
going to pay, will doctors use it, can patients trust it. But this project
waives those concerns aside and asks us to imagine for a moment what is

And I would encourage you with your deliberations to remember what is

MR. REYNOLDS: Before we go to Shirley, Simon’s got a comment on one –

DR. COHN: Listen, Carmella, thank you very much for some very good
testimony. I did want to, since you had mentioned it a couple of times, address
the issue of what you describe as consistency or collaboration for a sort of
common vision.

Earlier today and I think every morning when we talk, when we sort of do our
introductions, we sort of talk about the purpose of this activity. And I just
wanted to emphasize or at least put a comment that this is actually being done
at the express request of both the Department as well as the Office of the
National Coordinator. We have close collaboration and normally sitting in the
chair across from you is John Loonsk from the Office of the National
Coordinator. Aaron Grant and others are really meant to provide close
coordination with AHIC. We obviously also have John White who is normally here,
but is not here from AHRQ. We’ve obviously been closely collaborating with
HITSP. We have an officer of the National Coordinator representative sitting
back there.

I think I would – I just wanted, since you had brought it up a couple
times, I just wanted to sort of emphasize that we agree with you that there
needs to be a consistency of vision. This is certainly not something we would
have started embarking on recognizing all of the other stuff going on if we
hadn’t been specifically asked with our role being hopefully to bring a lot of
this together.

MS. BOCCHINO: And I think it’s important for this group to discuss this, and
it’s certainly important to get a broad consensus on the same recommendations.
And so I applaud you for all working in that direction. To sort of paraphrase
from what I just read, I’ve certainly lived in this town long enough to know
what can also happen with opposing recommendations. So it was just – I
applaud your efforts. I think it’s appropriate for you to address it, and the
collaboration is essential.

MR. REYNOLDS: Shirley.

MS. LADY: I’d also like to thank you for inviting us to participate today.
It gives me an opportunity to tell you what BHI is and what BHI isn’t because
there’s a lot in the market that has presented questions in the past. I’m here
to provide you an overview with Blue Health Intelligence, and this is an
initiative that’s bringing together the claims records of about 80 million Blue
Cross Blue Shield members nationwide.

It is not there yet. Right now in the data warehouse, we have approximately
52 million, but this is not a process that easily happens overnight, and if I
can emphasize anything else besides the difficulty and the challenges of
bringing the data together.

When you talk about data aggregation, it’s just not something that’s an easy
idea, but the execution is complex and timely and costly. Our intent with BHI
is to produce national –


MS. LADY: Blue Health Intelligence. Okay, let me, I commented on the way
over here. I answered the questions that you presented, but I have not given
you any of the background on what BHI is. So let me give you a thumbnail sketch
of what this initiative is.

A few years ago, a number of the members of the Association health plan at
Blue Cross Blue Shield determined that for marketing and employer reporting
needs because they’re our clients, and they wanted reporting especially for a
national count basis that could extend across the country relative to where
their employees happen to be located, and they wanted information relative to
benchmark information on cost and quality and on utilization.

And so other plans voluntarily came together. This is the entire group of
plans. It’s 19 out of the 39 Blue Cross Blue Shield plans as independent
companies pulled their resources and said we need to build a data warehouse.

Much of this surprised the industry because many thought Blues had a data
warehouse in the back corner somewhere, and we were sitting on all that data.
That actually was not the case. But this initiative began, and it began very
methodically. We brought in a number of plans and consultants and experts in
the industry to educate us on the what’s and the how’s, the hardware, the
software and how to structure it appropriately so we could get out of the data
what you put into it – the efforts that put into it would be reflective of

Our initial loading of data is the medical claims record and enrollment data
on a member basis. I’ll talk more in detail about what that consists of and how
it’s done. But it’s being done in stages with multiple phases. The first stage
was bringing the medical and enrollment data with a little bit of provider data
that can be gleaned from the claim but not full provider data.

The second stage is pharmacy. We’re in the design stage at this particular
time. That will be followed by enhanced provider data and then eventually lab

Our initial output from BHI is to provide benchmarks to those clients, just
as I’ve indicated. But it’s certainly known to all the participants the
potential wealth of information that can be developed or extracted from BHI,
relative quality improvement programs and eventually research. We are not to
that point yet, but we certainly have that in mind. We have developed a number
of advisory groups to advise us on that, including from our employer community
as well as the physician community. So we walk down that path kindly and with a
lot of deliberation.

And this particular time, we’re producing benchmarks. Our data is actually
coming in, and I’m so happy to say because it was job security for me, that the
dot data is coming out of BHI. We are delivering on benchmarks on the national,
regional and MSA basis. These benchmarks are in the categories of cost and
utilization, and, as you can see here, reflective from the traditional
categories that you take a look at health care data across the enterprise.

The data’s certified to meet the strictest quality standards. I’ll talk more
about that in a few minutes also because you questioned very specifically about
certification and quality. And we had to make sure it was statistically viable
and the data integrity was maintained. You need to understand that for us this
is an extremely important asset for us. We’re not about to do anything that
would compromise it.

The first thing you do when you’re a large company of any sort is to make
sure that you have to be able to reflect any kind of criticism. And when you’re
the largest, you’re going to be the most criticized. So it’s very important for
us to maintain the integrity of the data and the accuracy of the data so that
we do put out benchmarks there instead of opening the marketplace and not
subject to that kind of scrutiny, and subject to that scrutiny and pass that

The data produced by BHI is de-identified. I’ll talk a little bit more about
that, and there are no third party sales much to a difference to what some of
the media says. The purpose of this slide is to show you there’s a big
difference between BHI and what’s out in the industry. For the most part, many
of our competitors are within one health care plan. I need to tell you the
challenges of bringing together 19 plans. One of the biggest challenges was
just basic data definition.

All of our plans are very knowledgeable, and they all have data warehouses
that support this large data warehouse enterprise. So individually the plans
have data warehouses. We’re taking data out of that and pulling that then into
this large data warehouse. Dr. Tang, have I answered your basic question. All
right, thank you.

So these 19 plans will reflect the 80 million members. But the warehouse was
not built to do the quality health care management on an individual basis. It’s
built to develop trending, patterns of care, patterns of experience for cost
and quality indicators, epidemiologic indicators across the nation, across our
book of business, to give us inside knowledge into what’s happening to our
population. All the true identification of individuals for disease management
and those kinds of programs are done at the plan level where they do have that
one on one relationship with the member. And so BHIs is for a very different

But the data definitions, as I mentioned earlier, was a significant
challenge. It’s down to things such as what does it mean to have a mother and a
baby stay. Well, there’s multiple ways that you can describe that, and we had
to get all those 19 plans to agree on those data definitions. That was a
significant accomplishment. I presented to CMS, and I remember Dr. Straub(?)
commenting pretty amazing, we struggle with those kind of data definitions
across medical data sources all the time. Getting that kind of agreement to
those data definitions is pretty significant.

But we needed to make sure that an outcome coming out of Texas was the same
defined outcome that was coming out of Minnesota or New York or Washington. So
it’s very important for us to get that data quality in right up front instead
of definitions and to maintain the integrity, not for the short term, but the
long term of the project.

Currently, we provide coding to, they’re all benchmarks, and the combined
services, we do have the cost purpose applied to this and for these various
categories. As I indicated earlier, the aggregate is the national, regional and
the MSA level. We adjust these by various aspects, something that we’ve
incorporated into BHI, which is fairly unique for us is a sick code, and that’s
an industry standard code. It’s a Dunn & Bradstreet coding for it so that
we’re able to compare a bank to a bank or to coal buying industry to a coal
buying industry. It’s something our employers really want to know. If you’re in
telecommunications and you’re Verizon, you want to know what telecommunications
is doing and similar or another industry. So we’re able to pull the data by
their sick codes and compare industry to industry. Whereas in one plan, for
example, if it was the State Empire, the State of New York, they would only
have maybe two banks in their system. Now there’ll be multiple banks across the
system that can of course compare their experience amongst and between each

We also include by product category CDHP products and any new problems in
the market. We need to be able to measure the success, what kind of
characteristics are behind those so that we can do improvements in those
product designs, improvement in the financial tools that work around the CDHP
products as we have experience for the types of individuals that are selecting
those and their experience in those particular products. We also have the
individual markets, the PPO market, the HMO market. So it’s the stamp.

We do not have at this time Medicare, Medicaid nor the Federal Employee
Program. And we are a larger insurer of the FEP Program. We will bring in the
FEP data after the first of the year, after the first of 2008 into the system.
So it’s fairly comprehensive, broad based group of commercial business that’s
represented in BHI.

We enhanced our analytics, the analysis, the benchmark analysis that I’ve
just given you, and the purpose is to be able to do a number of things.
Evidence-based purchase for long term improvement provider and network quality
efficiency. This is part of their transparency program at the Blues. This is
not today. As I indicated, the BHI is being built in stages. That’s in stage
three is provider data. Until we get to that point where we have the enhanced
provider data, we won’t be able to do this. But this is the vision of BHI as we
move forward.

Work with the employers, we’re there already with the data that’s coming out
and helping them manage their costs and overall health care of their employees.
Consumerism, we have to make sure that we provide cost and quality transparency
to the consumers as well as to be able to support some of the PHI/EHR efforts
out there.

BHI’s not going to be the one to give them the detail on those particular
components because it’s aggregated data. However, at the health care basis,
what we can do is identify particular trends or indices across the nation or
within our region and feed that information back to the plan that they can
investigate the impact upon that employer group or that particular aspect of
their employee and enrollee population.

To provide physicians and hospitals with insights. Our biggest ally in
health care is our physicians. We don’t have anything, we don’t have health
care and that contains physicians and hospitals. So we have to make sure we
work collaboratively with them in any information that we find or insights that
we find relative to physicians and hospitals would need to be shared and work
with them as we take those results and then put them into application.

We believe we’re going to be creating opportunities for medical experts and
researchers. That’s fairly far down the line. We recently just engaged our
Physician Advisory Panel, and research is very flattered about the potential of
BHI. I have to tell you my phone rings often on that. They’re very disappointed
when I tell them this is not tomorrow that we’re going to be able to do this.
But once we have the full robust BHI up there, we certainly will be interested
in having those kinds of research studies done.

When I work, part of my hat is with the Federal Employee Program, and we
through our Pharmacy and Therapeutic Committee, we were ahead of the FDA’s
indicators on Vioxx way before it ended up hitting the market. If we had that
same kind of opportunity with BHI across a much broader base of individuals who
will have much faster, sooner and more complete insight into those kinds of
situations and perhaps provider the government as well as some of the
pharmaceutical community information prior to it hitting the market and the
aspect it does and perhaps even preventing deaths and side effects that aren’t

We also anticipate that we’ll give insight into StruckVicki(?) and also
technological devices and those kinds of safety and procedures.

This is kind of how it works. We generate the – at the plans, of
course, they generate the raw data with medical and claims data membership
provider data. That then, that data we have – we are a business associate
at the Association, and we have multiple agreements with the plans relative to
BHI. And then we impose, of course, the strict privacy rules as well as
security rules that are contained within the government regulations that exist
to date.

We, of course, cannot disclose any participating plan’s raw data. Any data
that comes to us that is plan specific only goes back to that plan specific,
that specific plan. Believe it or not, the plans that participate in BHI are
also competitors. So we have to make sure that not only do we protect them from
an outside entity, but we also protect them from themselves sometimes.

Plans own their medical and drug claim data. They are the ones that have a
relationship with the members. We only aggregate de-identified data that’s
generated by BHI. Nothing comes out of BHI that isn’t aggregated and

You can see here the various variables of the region, age groups, and the
combinations. The NO5 is because we can’t create, our rules contain the
information. We can’t create a benchmark unless there are five individual
claims of five different individuals from five different providers with three
different health plans. That kind of qualification on what can be contained at
the benchmark gives some additional anonymity relative to not only individuals
but also from plan to plan so one plan can’t tell the financial arrangement
from another plan. So that kind of protection has been built into BHI’s
aggregation strategy.

We strip out the data coming from the health care plan to BHI strips the
information of the 18 elements that are in the HIPAA privacy rule. You can
imagine we not only have our own HIPPA Council at the Association, but we had
all 19 of the councils from the various plans participating in the discussion
about making sure that we were HIPAA compliant.

In addition to that, because we were going down to an MSA level, we wanted
to take an extra step. We were under the HIPAA requirements for three-digit zip
codes, but we needed to make sure it was still non-identifiable. So we went the
extra step and hired an independent statistician from a company called Lexicon
who’s an economics statistician to give us their opinion on the strategy as
well as the statistics validity of what we were proposing, and they did agree
that it was highly unlikely to ever be able to identify an individual. There
are no names, dates, births, et cetera in BHI, but we do categorize them by
range anything that’s in the output. So everything that’s output of BHI is
aggregated and de-identified.

All the information travels across a private network. It’s what we call our
Bluesnet Network, and it is a secure private network that connects all the
Blues together, and it’s been around for a number of years now, and we’ve never
had it penetrated. So nothing ever hits the Internet or anything that would
have that kind of access or public access or ability to be compromised.

Our plans do give privacy notices as required under HIPAA for use of the
medical information. And BHI as the business associate then comes under the
authorization for business associates to perform the data aggregation services.

We gave you a couple of examples here of what could be determined, and you
can see that we can’t identify an individual that had a CAT SCAN on a
particular date. But what we can do is say that there were at least five
because remember we have to have five at least claims of individuals from five
different providers and three different plans to build that benchmark. We could
say that there are males from this age range who had inpatient services for a
specific disease category, here digestive system, in an area, in an MSA area in
a year. So we can give that down, but that is the de-identified under HIPAA
compliance, and it cannot be re-engineered according to our statisticians to
re-identify the individual.

We did have no plans to sell the data to non-third party, not even the
aggregated data. This is a significant Blue asset. That’s how we view it, and
you don’t go giving away your assets or selling your assets.

We do anticipate having access to the data in the future because we think
there is a lot of health care, quality and public good that would be available
from this warehouse.

We intend to be very prudent in setting what we call our sandbox for being
able to get access to that data, being able to get into access for those
research kind of initiatives. But I cannot give you the exact specifications of
what that will look like today. That is still in development and probably will
be because we won’t even have the pharmacy data in until sometime in 2008. So
until the pharmacy is in, we probably won’t even be entertaining those kinds of
requests, even though they call me all the time for it.

We believe that performance, measurement, and identification of trends will
allow us to do quality improvement projects. The unprecedented size and many of
you who are statisticians know that the law of large numbers drives a lot of
information. It provides the depth and breadth and accuracy that we’ve been
unable to obtain in the past.

We’re adding episode groupers. We’ve added one of the same groupers that CMS
is using which is the Megs grouper, and that we will have standard formats with
a common data dictionary so that across the entire BHI 80 million records we
have common outcomes with common definitions so that the data is credible. And
as I’ve indicated earlier, we added the sick code.

All the data goes through four levels of certification in our process, and
that certification is to the quality of the data. The first process takes place
at the local plan level. They have to reach a threshold, and there’s a software
tool the data has to run through successfully to say yes, you’ve gotten quality

The second and third take place actually at BHI, and the fourth one is run
again through quality matrix. And the fourth one is done by an independent
third party, Milliman, Inc. which is a large actuarial firm that validates the
data. So we’ve done everything we can to validate the credibility and the
quality of the data coming out of BHI.

We believe, then, because of this data quality it will make a very robust
research tool. As I indicated earlier, as we developed these employer and
physician advisory groups that we’ll be contributing to the insight and the
utilization tool for public health and research initiatives.

We anticipate that the data will be retained in our warehouse. We would take
those research requests and apply them to the data rather than taking the data
and giving it to a third party. That is not in the cards.

I’d be happy to stand for any questions. It’s a very extremely challenging
project, but I have to say it’s awfully exciting. The potential that we can do
with BHI that we can provide to not only our own plans, which of course we will
do, but also to the community at large. The potential is just tremendous, and I
have a lot of people that are excited about that opportunity.

MR. REYNOLDS: Okay, thank you, Shirley. Dr. Peel.

DR. PEEL: Thank you. I really welcome the opportunity to be back here. I was
here in front of you in 1999. Some of you were here then. I think Jeff was, and
I was on a panel about PBMs, you know, secondary uses. Okay.

I guess I should tell you all a little bit about myself. I’m a practitioner.
I’m still at the cottage level. I see patients, and I have been seeing patients
for I guess approximately 35 years now. And what really led me to found Patient
Privacy Rights was the fact that there really were no effective voices for
consumers in the area of health privacy.

So my practice in particular, because I’m a psychoanalyst and a
psychiatrist, has always involved the most sensitive information. And so
everything I’ve learned about privacy and the lack of privacy is from my
patients. I mean, in the ‘70s when I went into practice, people would pay
me cash on the barrelhead because their lives or their reputations had been
ruined. So I know firsthand and from the people that I’m here speaking for
today that when information is not contained within really your doctor’s
office, you’re very likely to be harmed.

And so frankly, for years I’ve been giving what I call Moranda warnings. If
you use a third party payer, if you go in a hospital, anything that happens can
and will be used against you in the future. Okay.

The key points that I have to make the only way we’re going to get to
quality and the only way we’re going to get to the data is if we have privacy.
Transparency’s not enough to reassure anyone, and the only consumer concentric
system that will work is one where individuals control where their information

The good news is, and because of our position as leading this effort to
restore privacy which Americans really had until 2002, we’ve been approached by
all of the technologists that have these tools. So I’m here to tell you at the
end I’ve got great news. There really is technology existing, ready to go now
that’s going to provide all the kinds of flow of information for all the
research everyone wants and still be able to protect people’s privacy.

I would say to you there is a ton of electronic information out there, and
the primary use of it has nothing to do with health. They’re discriminatory
uses, and I love this forced to research quote. You can read it y yourself, but
privacy is just beginning; we’re not at the end, and these various kinds of
industry consortia that have been set up through HHS. I’m even on some of them;
I’m no HITSP, CCHIT is out there. Consumers are really not any kind of a
reasonable part of these efforts, and they’re really faux inclusive would be
how I would put them.

Why don’t we have any privacy? Well, first of all, consumers are just now
learning about the ramped secondary uses of their PHI. They really don’t
understand the health system is a leaky sieve. HIPAA did eliminate consent, and
then Mark, of course, convincingly wrote about the problem of coerced consents
through the health care industry. They’re really illegal. They have to do with
things like when you sign up for a health plan at the beginning of the year,
you sign up to give away all your future data. Well, that’s illegal. You can’t
possibly meaningfully consent to release a piece of information that doesn’t
exist yet. So the coerced consents are a large part of the problem.

And then the value of the data is just beginning to come out. IMS Health,
one company that sells prescription data, this is on their website or in the
SEC filings, I forget where I found it. But in 2005, the last record, filed
records, they made $1.75 billion selling prescription records. That’s just one
data miner, and of course the protections don’t follow the data.

This was our most persuasive educational tool for Congress and the media in
2005 and 2006. You can read for yourself. Congress intended that HHS set out
privacy rights that Americans would have. That’s the first box. Second box, we
got the privacy rule, and the first version, the original privacy rule says
that we have a right of consent. Consumers have the right of consent.

You can read the third box. Consent as we play. That’s the whole key to the
vast dispersion and illegal data mining industries that are going on now.
Consent does not have to be obtained because virtually all the uses of data
could be subsumed under health care operations. So that was, this was really
shocking to many in Congress to see what had happened at the agency level that
the regulations changed the intent that Congress had. Okay.

This was our other educational piece that we put together to give people
some idea of who the legal users are since HIPAA’s been changed. Zone two shows
all the covered entities, self-insured employers, hospital chains, third-party
administrators and so forth. There are over four million covered entities that
can use and disclose your data without your consent right now. They can, as you
know, share it with their business associates. Who knows how many millions of
them there are. And then the fourth zone I added because people don’t realize
this, but the Graham-Leach-Bliley Financial Services Act of 1999 allows banks
and financial institutions to share medical records with their affiliates and
non-affiliates. It sounds like the universe to me. Okay. And to barb wire is
the Texas touch, okay. If you think you’ve got privacy when millions and
millions of people can access your data, I don’t know what you’re talking
about. Outside, of course, are the hackers and thieves, the people that make
off with laptops. Security is a problem, but the focus of our organization is
on privacy. The security problems clearly can be solved, too.

This is why I started Patient Privacy Rights. The data flow ends up in
people not getting jobs, not getting jobs, all sorts of discrimination. And if
we build a health IT system that’s a super highway for data mining and
virtually every corporation in the nation can get their hands on this stuff,
we’re going to create whole new classes of citizens who are uninsurable and
unemployable. That’s not a good outcome in my opinion.

The privacy rule really is a disclosure rule. You can see all this in the
handouts. I’m sure you all have seen all the polls. I won’t really pay too much
attention to them. The famous one from 2005 where Consumer Health Care
Foundation identified that about one in eight Americans engage in privacy
protected behavior. They don’t go to doctors; they ask doctors to change
diagnoses; they pay privately for tests; they avoid tests altogether. I would
add they forgot to ask about paying for prescriptions privately. I don’t know
if you know this, but one of the most stunning pieces of information to every
audience I speak to is that even if you pay privately for a prescription, you
can forget it. All 51,000 pharmacies in the nation are data mined daily, have
been for over a decade, and that information is sold primary to insurers. Okay.

Consumer polls, the public really wants the government to give us back our
privacy. And you know, you can look at all the polls. They all say consumers
want privacy. They want control. I put in a little bit about law and ethics. We
really believe that this nation has had an incredibly strong tradition of
protecting health information. It’s been better protected than any other kind
of information. I hope the lawyers here will agree with me or comment on this.

We think that essentially we have constitutional protections under the
Fourth, Fifth and Fourteenth Amendments. There are a number of states actually
that have the right to privacy in the state constitutions. There are very
strong Common Law state law protections, tort law, physician-patient privilege.
There is in all 50 states a psychotherapist-patient privilege. All of this
really comes from Hypocrites and the Codes of Ethics of all of the health
professions all require consent before information is disclosed unless required
by statute. So we have a very strong tradition in this country that the data’s
controlled by the patient.

For example, these are some of the kinds of secondary uses that the nation’s
just waking up to, and I have a slide from Thompson Med Stat. They sell data
that they take from Medicare/Medicaid patients, health plans and the uninsured,
and this information, if you want the White Paper, it’s not on their website
any more since I’ve started referring to it. But they’re using and selling
data, and the public has virtually no knowledge of this.

Blue Cross Blue Shield, when the Blue Health Initiative was started, I
talked with the Director, David Blotchner(?), and he said that the intended use
was to service big employers that pay the bills and want to pay smaller bills
for health insurance, and he – well, you know, you can read that.

Anyway, we had a conversation about this, and he said that the intent was in
fact to sell the data. So I appreciate hearing from you about this, and I
talked with you all already about the data mining of prescriptions. That’s
seamless, daily, going on for over a decade, and you might also have noticed
the new IRS ruling relative to the Administrative relaxing stark and
anti-kickback laws in order to allow health plans and hospitals to give doctors
electronic medical records specifically allows the data mining of the
physician’s electronic records, even the ones that aren’t covered by the plans.

So who are all these unwanted and unknown secondary users and sellers? And I
know that you all are looking at categories of data users. There are
prescription switching companies, pharmacy benefits managers. I think you were
talking a little bit about the technology industry. This is not widely known by
consumers. Many of the technology software products and database products
include contractually that the vendor, the technology company, has the right to
use or own the data. So really, when patients go to a doctor’s office or to a
hospital, they should say, so who is your data vendor and what does the
contract say.

So data aggregators and data miners, hospitals are selling data. The
transcription industry, too, gets their hands on data; they sell that. Banks
and financial industries can sell it. These other bottom quality assurance
improvement, hospital studies, the things you’re talking about, these are all
uses of data that the public is virtually unaware of, virtually unaware of, and
it’s not been consented.

And in my State of Texas, for example, there are over 200 databases. You
know, there’s no way that Texans know that these are being used for studies and
data mined, and then you might recall, for example, recently the State of New
York decided that diabetes is a public health emergency. And so all blood sugar
tests are going to be reported to central public health database.

This is the slide from that Thompson Med Stat White Paper, and I see
accidentally my slide that shows what their data sets are was not included, but
there’s data on the sex, the age, the hospitalization dates and so forth in
their White Paper.

Again, you know, we consider this basically theft, that this data is stolen.
Every state in the nation has strong laws that say that you can’t use medical
records without consent, and this data is all used without consent or

This is the FBI C Notice that they put out relative to Graham-Leach-Bliley,
and I’d just thought you’d be interested in some of the language. They can
share medical information essentially like a consumer report in between banks
and financial institutions. Instead of saying we don’t think banks and
financial institutions should have medical information at all, they talk about
how to share it.

The idea that data can ever be, that health data in particular which is so
rich and so many unique pieces of information can ever be de-identified is
simply false. Data cannot be de-identified, and I’m sure many of you know about
Latanya Sweeney, and she’s sort of the one that broke the story about how easy
it is to re-identify data. She might be interesting for you to hear from.

PHRs, we are advising consumer groups not to use them. They have been
specifically designed so that existing law and ethics don’t apply to them. So
there’s no guarantee of them having any kind of protections. The financial
model for many PHR vendors is actually selling the data. Like I was talking
about, they’ll give you a free PHR. You put your data in, and then they can
data mine it. This is the financial model of selling the data in order to get
infrastructure is such a terrible idea. You know, it’s understandable because
the data’s so valuable. But it’s a little like, you know, asking your daughter
to be a street walker to pay for the wedding. It kind of defeats the purpose.

So even LOINC, Dr. Kolodner and company commissioned a study on the status
of PHRs that came out in January. I have that; I’m sure you can find it if you
want it. But looking at the PHR vendors, they looked at 30 of them. Some of
them didn’t even have a privacy policy. So they’re really not there.

And I was talking with you about how people approach us when they have
privacy protected products, and there is a PHR vendor that we have seen, the
only one I know of that has multiple layers of encryption and PKI. So that if
you had a PHR with this company, it would not be data mineable. That would be
the only kind that we would approve of and that consumers are interested in.
They’re not interested in PHRs provided by employers or health plans because
neither of them are trusted.

So what’s the solution? We need smart consumers, smart technology and smart
legislation to get what we want which is access to the data to improve health,
to be where the data is actually in the hands of the patients and the doctors
so they can do something about health as well as the researchers.

And I just want to add particularly as a psychiatrist, you know, the data in
my field is terrible. It’s terrible. I would love to know what a million people
that have had depression and that’s been managed for ten to fifteen years and
they’ve been on three or four anti-depressants, what’s the next best choice for
that. We have absolutely no data like that, zero. There’s nothing like that. So
we’re very Patient Privacy Rights and me personally, we’re very pro-research,
and we want research. And the way to get the research is with real privacy
protections. The only people – we don’t think that it ought to be up to
anyone else, and this was Hypocrites’ genius again, to figure out where you
draw the line. Each person, people really do have different opinions about
where they want to share their data or how generous they want to be with it.
There isn’t any need any more for all of us to get together and try to figure
out what’s best for the common good. With technology, each individual can
decide instantly, easily, and we don’t have to create structures that aren’t
what people want because people can create their own structures.

How we got on the table in the national debate was last year, we built a
coalition called the Coalition for Patient Privacy, and it was a group of over
40 organizations, bipartisan, from across the political spectrum including the
Christian Coalition, the Family Research Council, the ACLU, California Medical
Electronic Privacy Information Center.

Anyway, and we took basic privacy principles to Congress and said, look,
you’ve got to put the right privacy stuff in upfront in the technology because
you can’t rewire it.

And so this year we have had to update our principles based on new
knowledge, and I thought you ought to see what they are. Clearly, people have
to have the right to health information privacy with definitions in federal
law. We think that the protections need to follow the data no matter what
source, where it is, who’s holding it. People must be able to opt in. I got to
tell you this as a physician. If you take away the right to opt in, they’re
going to opt out by not getting care. Then you get zero data, and you get more
illness. You get bad outcomes when people avoid care. And in my field, I really
have seen that. People are so threatened that information about depression or
addiction will leak out and will destroy their lives, they’re very hesitant to
get treatment. That’s not a good outcome for this nation.

Then, of course, no secondary uses without consent. That’s the second to the
last bullet point. You probably know this, but HIPAA does not require audit
trails for where data goes except for uses that are not treatment payment
audits. We’ve got to have audit trails. We absolutely have to have audit
trails. Okay.

And we need breach notification. We need to make sure that consumers are
never compelled to share health information as a condition of employment,
certain kinds of insurance, credit, admissions to schools, et cetera. And we
have to again really put the firewall back between employers and employees’
medical records. Some of you may remember the scandal that Walmart got into
when the Chambers memo came out about a year ago announcing how they use
medical information to determine who to hire and fire. It’s the nation’s
largest employers.

The second to the last data point, of course, is no secret health databases.
The nation is going to be appalled. Each of us are in innumerable databases
across the world, transcription databases in Pakistan. We don’t even know where
our data is. The public’s going to really be appalled to find out. That’s the
kind of transparency we need. We need to know where that data is and be able to
get it back, and we need meaningful penalties and enforcement.

So we think we’ve got to have Congress set the privacy policy returned to
what this nation had until 2002. Some of you may have seen the Kennedy-Leahy
Health Information Privacy and Security Act that was recently introduced. It’s
about 105 pages. It has everything you could possibly want. The problem is it’s
not connected to the health IT bills. It needs to be part of any health IT

And then the other smart legislation that we really need to have is we need
to have databases for health information that patients can trust, and that’s
why we think that we need to have independent health record trusts where the
fiduciary duty of the data holder is only to you. It cannot be data mined ever
by anyone.

So what is smart technology? Well, this is one of the new tools I want to
tell you about that’s going to make it very easy to get consent. There are new
tools called independent consent management tools where you can set your
consents in one place, change them instantly. You can be down to the explicit
granular level if you want to. You can give certain kinds of blanket consents
like I want Dr. Tang always to deposit my visit information and lab reports and
so on in my health bank account. I want always to receive them, and whenever
I’m hospitalized I want that hospital to automatically always send things to
Dr. Tang so he can keep up with me because he’s my primary physician.

So there would be the possibility of setting various kinds of blanket
consents, essentially advance directives for emergencies, and so forth. And if
you’re really paranoid and you want to know about every study or quality
project, you can be pinged. You can even be informed on your cell phone.

So we think these consent management tools are really, really going to take
back privacy, and that it’s going to become imperative that any data holders,
before they use your information for anything other than the use to which you
gave it to them for, you know, for example, insurance companies. We give them
permission to have some of our data to pay claims. That’s it. Claims payment,
nothing else. The fact that they’re aggregating our data and using it in ways
that we have no ability to even opt out of is just wrong, and we believe it’s
illegal. By the way, I have Blue Cross Blue Shield insurance. So I’m
criticizing my own plan.

SPEAKER: You mean, you have it today.

DR. PEEL: Yes, you’re right. In terms of security, we’ve got to have state
of the art, you can’t privacy without security. Somebody can get into the data,
it’s done, and you all probably know this. The health industry has the worse
record of any industry for protecting data. Most of it is lying around in data
banks; it’s not even encrypted. And you know, hospitals use like two passwords
to get into the data. It’s a nightmare. So we’ve got to have data encryption.
We’ve got to have strong two-factor authentication, and we need PKI, we need

And the other idea about the health bank is that essentially when we can
trust a place to keep lifetime records, it will be an incredible research tool,
and then there’s no need actually to release the data. The health bank can
intercept queries, and if we’ve agreed to be part of research, can run the
study on our data or however many thousands of us want to be in the study, and
give that back to the researcher kind of like the Census Bureau operates. They
protect our data, and they run the queries. They don’t ever send the data out.

The other thing that I just want to mention, we’re being asked literally to
develop some type of certifying body because the leaders in technology know
that the standards out there are nil. I mean, CCHIT is going to put out
certifying standards for PHRs that say they have to be interoperable, they have
to have security, and they have to have a privacy policy. Eh, a privacy policy
doesn’t mean anything. The privacy policy can be you don’t have any.

So it’s going to become very clear that to win in this marketplace going
forward, it’s going to be the product and technology companies that really
offer the kind of control and privacy that patients want.

And then I’ve already pretty much told you this about health record trust,
and I think you even had a presentation HASNOF(?), so you’re probably really up
to date on that.

The other thing about the health bank is, of course, it can enable secondary
uses. And you’ve heard of this, too, from HASNOF. I think everyone, and the
research shows that everyone wants to participate in research, but they want to
know about it. They want to have the chance to say yes or no.

So I guess that’s about it.

MR. REYNOLDS: Thank each of you.

DR. PEEL: I think I covered everything. Oh, there were some other things I
wanted to just briefly mention. There’s a lot of research that I know about
that’s frankly sleazy. I mean, I love Mayo and all that, but, you know, for
example, in Texas the Texas Department of MHMR had really a scandal over the
treatment of inpatients being recruited for drug studies and people on the
staff doing that. And in the area of psychiatry, it’s really bad. So there’s
research, and there’s research.

There are also independent physicians in my community that in and of
themselves recruit people in their practices for research projects. They’re
paid $7,000 to $8,000 to try another anti-psychotic. We’ve got to be really,
really careful when we talk about research. And I agreed with some of the
discussion earlier. How do people, what’s the difference between quality,
research and all the rest.

In the minds of consumers, I don’t think there is one. I think everybody
needs to be asked about participation in these things. But it’s really
important because there has not been transparency. And I want to make one other

I think that the public has been really pressed about the benefits of Health
IT, and the real risk most of them have yet to know about, these secondary data
uses. The real risks have not been reported. I mean, it’s like the main use of
the Internet, as I understand it, is for porn, okay. The Internet has a lot of
great uses that we all take advantage of. But you know, the thing is the
system, this system can be the greatest system for data mining on earth, the
super highway for data mining of health information, or it can really be built
the right way, and we can get all the benefits and information at the right
time and right place.

So, anyway, and we also, the bio bank thing is very important. As I
understand it, we don’t own any tissue. We don’t own the rights to any of our
tissue that’s left our body. That’s a serious problem just like health
information. That can be used and sold without our consent or knowledge either.
So the banking of tissue and who’s got it is going to be a great scandal to the
public as well when it begins to come out. Thank you.

MR. REYNODLS: Okay, thanks to all of you. Another step in our journey as we
go forth. So Mark, Paul.

MR. ROTHSTEIN: Thank you, Harry, and again a very interesting and perhaps
even provocative. I have a question for Shirley Lady. If the subscribers in
your universe were afforded the opportunity to opt out or you were required to
give them, you were required to have them affirmatively opt in, something like
that, and further assume that the rate in which this choice was exercised was,
say, double what the Mayo rate is of 3.5 percent, so it would be 7 percent, you
would still have almost 75 million in the BHI.

So my question is would that loss of some five plus million, would that
undermine your ability to do what it is that you want to do, in other words, to
use cleansed data to check for length of stay, quality of service, and so

MS. LADY: Well, first of all, the information coming out of BHI’s aggregated
and de-identified. So I don’t know about the consent aspect, but certainly the
plan level would be interested in any kind of thing that would identify an
individual be required to get their consent.

Relative to your specific question, I think it would be in the nature of the
study that was being done, and that consent you’re asking before use of the
data. My experience has been, through the FEP Program, we’ve done programs both
with consent and without consent.

Significant differences in the response rates based upon the nature of what
you’re asking them to do. If it’s something that’s sensitive such as mental
health order or something that an individual would find much more privacy
sensitive than another, you’re going to have a less positive response than you
have on something that is generic like did you have an appendectomy.

So much of it would depend on the nature. For a lot of large surveys,
however, this database when it’s fully populated, 75 million certainly would be
adequate as long as they’re the right 75 million.

MR. ROTHSTEIN: I just want to know what do you mean so long as you have the
right 75 million.

MS. LADY: That people have opted in were the ones with the diagnoses. If the
five million that opted out were the five million needed for the particular
study, then you’ve negated the purpose.

It depends on if the population that chooses to opt out is the population
that you view that information in order for you to have a solid study going
forward to get the information that you need, then it could have a really major
effect. If it’s even regional, if one whole region, that 7 percent sat in one
whole region and you’re trying to look at practice variations across regions,
and you can’t make a determination based on a certain region because of an opt
out, then you’ve got the same challenge. You can’t move that ahead.

MR. ROTHSTEIN: But you could also make the argument that if so many people
opted out of a study, say, dealing with mental health, that would perhaps
indicate that they thought very strongly about how important that information
was and how sensitive it was. Then maybe you want to think about other ways of
acquiring that information.

MS. LADY: I would agree if the nature of the study was something that you
needed to know the name of the individual, and it had any way of being tracked
back to them. If you’re looking at something that’s broad based trend across
something for mental health, depression, I mean, one of the most over-diagnosed
and treated in this country inappropriately, that’s my opinion, not Blue Cross
Blue Shield just because Prozac’s the number one antidepressant or number one
drug right now, the number one drug that is prescripted in the country. If we
had information or more specificity about the range of the individuals, the
nature of the individuals, where they are located, we may be able to glean
information that could help us in this kind of diagnoses. That’s not getting to
the individual’s health record that’s going to be able to attribute a negative
or positive to them as an individual. It’s all in the nature and how it’s done,
and you have to be very careful. We at Blue Cross Blue Shield, and I can
personally speak for this because I’ve dealt with these areas, are very much
for patient privacy, absolutely we want to protect the patient. I mean, they’re
our members. They’re our life blood. They contribute to those premiums that
bring us income. So it’s very important to us to protect that patient’s
privacy, and we will jump through every single hoop that we need to that is
necessary within the law. But it changes and expands, and we need to take extra
steps, we will do that, too.

DR. PEEL: I’d just like to point out that right now the insurance plans have
a great deal of electronic data. And so they’re wanting to do the studies. But
I think that that same population of people would feel very differently about a
study that was conducted through a health bank where they knew they controlled
their information. People are really not happy to have their data used without
their consent particularly by insurers because so often the employers get that
identification at an identifiable label, and it affects jobs. They’re not
trusted. So if we have data banks, then we can get the kind of studies we want
done by trusted researchers and trusted institutions where people would know
that the data’s really not going to be used against them.

MS. LADY: I disagree that the employers are getting the information. There
is a firewall between employers getting the specific information. Even an
employer who is self-insured who is responsible and pays out all the claims,
there is a firewall, and they cannot get information on a specific employee.
That really is a misperception. I really want to come back to sort of context
here while listening to customers and their understanding of consumer
education. We need to educate consumers on all sides of these issues. We need
to educate consumers on the value of how that information gets used to improve
their care as well as the kind of privacy and security that’s put in place.

And I don’t want to use scare tactics with consumers because if they are
frightened at all, they already tend to be compromised and frightened when they
go into a health care setting where they’ve got a chronic disease, where they
have a catastrophic disease. I don’t want to put them in any more of an anxious
situation where they have to worry about things. I want to provide them

When we did focus groups on PHRs, clearly what we heard initially was no, we
don’t trust anybody. When you show them the power of the data and how that data
could be used by them both to empower them and to help them take care of their
care, they understood it better, and a lot of them opted to have their PHRs

So consumer education is vital in this area if we’re going to be able to
move forward.

MR. REYNOLDS: Okay, follow up.

MR. ROTHSTEIN: I just want to clarify one thing. Employers can lawfully
– I’m not saying unlawfully, lawfully obtain the complete medical records
of individuals when they apply for jobs. Now the firewall that you were talking
about is between claims and employment records. But if I apply for a job as a
condition of employment, the employer can require that I sign an authorization
that in 48 states is unlimited.

So I think perhaps what employees fear or individuals fear is not so much
that their current employer will do something that’s now technically illegal,
but that a future employer may do something that is technically legal, yet
they’re not crazy about it, just to clarify.


DR. TANG: I have two short questions formatted in the traditional way with a
question mark, PT way. You mentioned that you have four phase. In phase three,
you had I think you called it either advanced or enhanced provider data. What’s
in that data set?

MS. LADY: That data set tells us things about the – in much more
specificity about the hospitals and the physicians down to specialties,
credentialing criteria, the subspecialty certifications, all the data that we
use for credentialing a physician to have him come into our network. It also
gives languages that they speak, office hours, those kinds of detail so that
you’ve got much more enhanced. Right now, not necessarily is the rendering
physician on the claim. And so it gives us inaccurate information. So we need
to be able to have much more accurate information about who rendered it, who
submitted the claim, what group they’re in and those kinds of things. But
personal identification numbers, though they aren’t the panacea that we wanted
them to be, will be of great assistance moving forward.

DR. TANG: And the second question is in stage four you have lab, I presume
you mean lab test results.

MS. LADY: Yes.

DR. TANG: How does that fit the minimum necessary provision in doing your
job, which is paying claims.

MS. LADY: We have been told repeatedly that for a comprehensive picture of
an episode of care and the ability to have appropriate analysis that we need
the lab values. And there are no member identifiers. Obviously they were all
stripped from HIPAA that would be attached to the claim. So we’d be able to
take the total episode of care and have a comprehensive understanding of what’s
taking place in that particular arena.

The other pieces just this week from our Physician Advisory Committee, they
recommended strongly that we see if we get lab values just for now, they’re of
course thinking down the line when it comes to the point we’re able to glean
additional indicators out of the BHI data sets that this would be a value to
have that value in the data set.

DR. TANG: No further questions, Your Honor.

MR. REYNOLDS: Simon has a follow up.

DR. COHN: Well, I need to ask you a follow up question of BHI, but maybe
also one that Carmella might also want to address. You know, I am struck that
obviously a lot of times we have these conversations about these very, very
large databases, and they’re 50 million, or is it 80 million.

MS. LADY: Fifty now, eight to be.

DR. COHN: And it gets bigger and bigger and bigger. Obviously, one of the
conversations that’s been going on nationally is centralized databases versus
distributed almost along the lines of data is held locally, queries are sent
out to more of a local environment with the idea that a response or an answer
comes back and so once again there’s more local control. There’s less this sort
of sense of very, very large databases.

Can you – I mean, actually all three of you commented about the pros
and cons of that approach in terms of privacy, secondary uses and sort of, just
your thoughts on that.

MS. BOCCHINO: So let me just start quickly basically because of the
experience that we’ve had vaccine safety data link which actually initially
when it was created was a large data set that was sitting at CDC for the use of
public health purposes which has gone through a distributed data model for two

Number one, they found the technology now you can get your scope of work,
your questions, get it to an IRB, actually just pull the data you need to
answer that question. It can be done in a rapid cycle, and therefore have more
security and protections than if data were sitting in a centralized warehouse.

As our industry is talking about creating some aggregation across our
members relative to quality measurement, we have after a year of work, again,
this is not, this is de-identified patient information, it’s identified on the
provider so that you can actually give feedback to the provider for certain
areas. We are actually looking at a distributed data model and not a
centralized warehouse.

DR. PEEL: Yes, this is Deborah. Actually, we think that in terms of being
able to provide really state of the art security that larger databases may have
some advantages because they can do the kinds of things like, you know, are
done for top secret government information. There are some incredibly secure
kinds of places for data, and I don’t know that every small community or every
hospital could afford them. And so actually there are some advantages perhaps
to larger databases because we could certify them in terms of security and
privacy practices. So we actually think that because they are pretty expensive
to get the highest levels of security, your information is probably safer
there. And that’s what we’re hoping that the health data banks will have is
very secure information.

And I wanted to mention when we get consent management tools, I think the
need really for IRB approvals for research will essentially be nullified
because people can make their own approvals. The reason for IRBs was it was
impractical before technology to contact a million people. It’s not impractical
any more. In fact, it’s easy. And so I think the standard of care is going to
move away from people deciding for others whether they want to participate.

You know, Maggie was talking a little earlier about something that I said
that actually consumers are very upset at the idea of people snooping in their
health records without knowing about it, and they are. And IRBs have always
thought of that as not really dangerous because they’re looking at is this drug
or procedure going to kill somebody. They’re looking at livelihood, life. And
they think that looking at paper doesn’t threaten people’s lives. But that’s
not what consumers feel. They don’t want people snooping in their records.

And so we think that technology’s really going to solve and enable research
because people really do want to participate in research.


MR. BLAIR: Deborah, could you clarify for me. You had indicated at one
point, or least I thought you indicated at one point that there’s really not a
sure way of de-identifying individuals.

DR. PEEL: Yes.

MR. BLAIR: And, of course, I would – I’ve been a person that has tended
to take comfort that once patient protected health information has been
“de-identified,” that I worry much less about secondary use, tertiary
use or multiple uses as long as the individual patient can’t be hurt by the
disclosure of that information.

And the piece that confused me a little bit was you do take comfort, or my
understanding of what you said was that the concept of a health bank, Bill
Yasnof’s construct was one you felt comfortable with.

DR. PEEL: Yes.

MR. BLAIR: So could you clarify for me, please, both of those pieces, the
idea that health care information can’t be de-identified, but what is it in the
health bank that makes you feel comfortable?

DR. PEEL: Well, the idea that it can’t be de-identified, and I wish I’d
– one of my slides got dropped that showed the Thompson Med Stat data set,
and it had dates of hospital admissions. It had a lot of information. And if
data is collected over a period of time in someone’s life instead of simply
episodic, you’re going to have a 55-year-old woman was treated at Seton
Hospital on a certain date.

So there are so many specific dates and places in hospital data that can’t
be stripped out without essentially scrubbing the data into worthlessness,
particularly if you want to begin to compare, for example, treatment in
different settings, Seton Hospital versus Brackenridge Hospital or whatever. So
hospital data has gotten, really can’t be de-identified.

And the idea, what LaTanya Sweeney did was she took outpatient data sets
from Massachusetts and sort of cross-matched them with voter registration
records and re-identified health visits from Governor William Weldon and his

And so statistically, you know, I think we would need a lot of reassurance
about, for example, about the Blue Health Initiative data. You’re not going to
use data down to a set smaller than five. That might be not – five might
be not enough of a number to protect people. I mean, it really is going to
depend, you know, on very sophisticated methods like the Census Bureau uses to
determine what’s re-identifiable and what isn’t.

So that’s our problem with de-identified data. Over time, it really does
have where you were on what date you were treated, and employers, if they get
these longitudinal sets of data that’s de-identified, if you have multiple
hospitalizations or multiple dates where you’ve had lab tests, and somebody
missed work, you could cross absence records with health records. And many
employers really do lean on the health plans to give them data.

You know, I understand that’s not supposed to happen, and I understand many
employers don’t want the data, but many do because health costs are going
through the roof. And if you’re going to, you know, anyway, well, I’ll get off
that. And why would it be safe in a health bank? Well, again, if you keep your
information in a health bank and then the health bank essentially pings you
because, Jeff, you say well I want to know about any cancer studies on this
particular type of cancer that runs in my family, then the health bank would
send the information to you, and it would be up to you to contact the
researcher or go back and be part of a plan. So you could be, you know, they
could notify all the health banks that we’re looking for candidates for this,
and then the candidates could identify themselves so they’d have their privacy
that way.

And really the health bank could be, you know, if I knew my data was never
going to be released, I’d probably agree to every kind of study. Why wouldn’t
I? Because it would still be sitting there very secure, encrypted, only used in
the ways that I want it to be and not sent out. I mean, I’d probably
participate in everything because I’d feel really safe.

The other thing is that if we ca have a place where people really trust,
they really will put their full health time records. You know, the insurance
companies have very limited data. They don’t have data from physicians’
offices. They don’t have the data that really matters to physicians and to
patients. That’s in the doctors’ offices. And if we could accumulate that, you
know, my visits to Dr. Tang or Dr. Cohn and keep that in my database, then
there would be really incredibly rich meaningful information to study. And if I
could add to it on my own when I take herbs or get acupuncture, we could have
unbelievable research data because the institution holding it would be trusted.
It would be a trusted institution, and we’d have the richest data. So that’s
why we’re so excited about the health banking concept. A number of states have
decided to do that as their way of building health by T-system. The State of
Washington, the State of Texas. You know, states are realizing the way for the
information to flow because so many parties in the health care system don’t
want to share. They think they own the data. Hospitals have to build agreements
to share data in communities and so forth. The only people who can make the
data flow are actually the patients.

So that’s the best way to get all the data, and we want the data. Thank you.

MR. REYNOLDS: Good. Excellent. Thank you. Mary Jo? I didn’t see you.

DR. DEERING: Okay, I’m sorry, and I will be quick. I basically have
questions about two bullets from the slides. But I wanted to just preface my
remarks by thanking everybody and thanking you, Deborah, for making what I
interpret as the case that patient control is technologically possible.

DR. PEEL: It’s done.

DR. DEERING: It’s a done deal, and therefore it does not need to impose
workflow burdens for its implementation and execution. It does not need to, at
least ultimately.

Secondly, that –

MR. REYNOLD: Mary Jo, you’re cutting in on –

DR. DEERING: Okay, I said that technologically because patient control is
feasible. It does not need to impose an additional burden on the workflow
ultimately. It is conceivable that it can be engineered into the workflow. So
it need not – I’m not saying it might not initially.

Secondly, that it need not diminish the quality of the information and even
the quantity of information that is available for specific purposes at specific
times. So, again, I think if we hold – I think we hear too often the
assumption is that it is going to be impossible to implement and reduce the
quantity and quality of the data available. And I believe that we just need to
start from the assumption that it need not. Thank you.

And by the way, the RFP that was published, well, here’s comes ONC that is
out there for the pilot implementations will test that. That’s required
functionality in some of the use cases. So over the course of the pilot
implementations, there will be empirical evidence about it. So I would hope
that we would at least have an open mind about that.

The bullets that I wanted clarification from Shirley, thank you very much,
was on I think it’s your slide eight where you say BHI does not and has no
plans to sell data to non-Blue third parties. Do you sell the data to the Blue?


DR. DEERING: Okay. How do they – what is the business case for that?
Have they paid in advance? Is there a business, and this wasn’t meant to be
negative. We’re trying in fact to get away from the sense of commercial uses
and recognize that there are financial costs to maintaining data. So what is
the financial arrangement under that.

MS. LADY: Right now, these are independently – the BHI is financed
independently by each of the plans. They pay annually into the cost.

DR. DEERING: It’s fee based.

MS. LADY: It’s actually cost material to –

DR. DEERING: Okay, I wanted to give you the opportunity to say that. And
Carmella, you went over slide ten and said you thought you’d covered it. But
your last bullet there says that consumers understand that health plans have
this information and view PHRs as a convenience. What exactly is it that they
understand, and how do you know that they understand it with regard to your
specific PHRs? And what in fact information do the PHRs give to the health

MS. BOCCHINO: I can actually send you over sort of a model PHR with the data
categories because if I were to try to do it off the top of my head, I would
miss something. Our focus groups clearly indicated to us that they knew that
there was flow of information going from the physician’s office to the health
plan. And so the health plans had a lot of the information that populated the
PHRs. Their questions to us, and we did focus groups at something like ten
different states, with a whole variety of different populations, not just both
Hispanic populations and African Americans who have tremendous concerns
particularly about their data that we’ve heard consistently. They wanted to
know the benefit they would get if this information were sitting in a PHR, how
it would help them particularly if they had a chronic disease.

If you can show them examples of that, if you get them engaged, if you let
them know that they control the data and the way it flows, there’s a competence
level that’s built there.

DR. DEERING: But the information that they put in that isn’t pre-populated
from the plans, does that go back to the plan?

MS. BOCCHINO: They have an option of filling out health risk assessments.
They can choose to fill it out. They can choose not to fill it out. That
information is used. It is explained to them how that information is used. It’s
used to identify if they would be at risk for certain conditions, do they need
additional information, particularly in preventive screenings that they may be
at risk for. So we want to stay on top of it. But that information is provided
to them before they fill out that health risk assessment.

DR. DEERING: So anything that I would put in with that identifiable
information is shared.


DR. DEERING: Okay, I need to –

MS. BOCCHINO: Well, it’s shared within the plan.

DR. DEERING: Within the plan.

MS. BOCCHINO: The patient has the choice of how it’s shared. I mean, the
sort of downward curve here is –

MS. DEERING: They’ve been asked certain information or –

MS. BOCCHINO: If they make a decision that they don’t want certain
information sent to their provider, they actually have that control. So they
right now, because there’s not an interface with providers’ office, we worked
on interfaces between plan to plan connectivity. If you change jobs or change
plans and had a new insurer. They control what data gets moved. But they can
print off that PHR or if the physician’s office has an electronic, or they can
give access to their physician to see what’s in their PHR. If they control what
that physician gets –

DR. DEERING: So the plan would know whether they smoked or drank or weighed
200 pounds.

MS. BOCCHINO: Yes, but that’s something the consumer filled out through
their own choice to do.

DR. DEERING: I am a PHR fan. I’ve been waiting for it for ten years before I
retire. It’s clearly too late because I’ve only got a few more years left, and
I’ve been trying to get one through Aetna for a long time. So thank you very

MS. BOCCHINO: Oh, okay.

MS. REYNOLDS: Thank you to everyone. We appreciate this panel. We will be
back by one thirty by this clock again, and thank you very much.

(Whereupon, the meeting adjourned for lunch 12:30 p.m.)


MR. REYNOLDS: The panel this afternoon is on data sharing perspectives. I
think we have been talking about that all day, and we just didn’t call the
panel that, and we are going to hear from Dr. Karen Adams from NQF and Dr.
Sharyl Nass and Barbara Siegel.

So, let us just go in the order of the agenda if that is okay with you. So,
Dr. Adams, continue, please?

Agenda Item: Data Sharing Perspectives

DR. ADAMS: I would like to thank the Committee for inviting me to give you
an update on the NQF project that is looking at evaluating efficiency across
episodes of care and naturally this has implications for longitudinal data
requirements which I know you also interested in.

So, I thought I would start by giving you a brief overview of the project
and also provide an example so that you could see within the context of a
chronic condition in this case acute myocardial infarction how we are looking
at defining episodes of care and longitudinal measurements in that matter and
then I thought I would also put forth some methodological issues that the
Committee is thinking about and some things that of course you will be
grappling with.

So, briefly I will give you an update on the National Quality Forum
Priority Setting Pilot Project.

There is a project brief for you. One of the main deliverables out of this
project will be a comprehensive measurement framework for measuring efficiency
and we are going to be looking at this longitudinally across health care
episodes and we will see the framework of having three key components.

MR. REYNOLDS: Karen, you need to get closer.

DR. ADAMS: Can you hear okay now?

MR. REYNOLDS: Don’t lean back.

DR. ADAMS: I will be sure to lean forward. So, the framework we will have
three main components. One is some clear definitions. There are lots of
definitions going about of what efficiency means, what quality means, how do we
define waste and so the Committee thought it would be quite helpful for us to
have a common language and just for some clarity as to what efficiency means at
least in the context of what they are examining.

We are, also, going to put forth a discrete set of domains for measurement,
for example, patient-centered outcomes such as morbidity, mortality,
health-related quality of life, key processes of care and as well as resource
use and then some guiding principles for implementation.

So, it is easy to say in the framework what you think should be done and
what the future vision should be but we also want to provide some guidance in
that regard.

In addition to the measurement framework we will be identifying a subset of
priority conditions. We will be building upon the IOM work on the priority
setting as well as some work at the NQF and we want this to be a starting point
for looking at measuring efficiency.

So, we thought by choosing some common chronic conditions or an acute
condition such as AMI that certainly has chronic implications we could make
this more real.

We also want to put forth national performance improvement goals for
two-priority conditions. We are going to be looking at AMI and low-back pain
and put these goals out for the next 3 to 5 years and then a research agenda
more towards what would be needed measures to start looking at longitudinal
care as well as some models of accountability. So, the NQF convened a
multi-stakeholder steering committee and I provided a roster for your referral.
It is being co-chaired by Kevin Weiss whom many of you might know leads the AQA
performance measure subcommittee and Elliott Fisher from Dartmouth.

So, a bit of an update on the Committee’s progress to date. It is still a
work in progress. We are drafting the measurement framework and on the
twenty-ninth of August which I think will be good timing for your work we are
having a workshop with additional experts to sort of flesh out some of the
domains and the longitudinal measurement issues, and we as I mentioned earlier
we selected two priority conditions, AMI and low-back pain. The AMI work group
is being led by Bob Bono at Northwestern and the low-back pain working group is
being led by Jim Weinstein at Dartmouth.

So, the first order of business of course is this common terminology and we
built on the work of the IOM, the AQA and many other stakeholder groups. So, we
didn’t assume these definitions just on our own and we defined quality of care
as the Institute of Medicine does with timeliness, effectiveness, equitable and
patient centered.

Now, the IOM had efficiency in that definition of quality which you will
see we have punted down a little bit lower but we certainly feel that quality
is multidimensional and should be measured along those domains.

Cost of care we define as resource use including unit prices and volume and
importantly efficiency of care because efficiency seems to be the definition
that, well, it depends on from what vantage you are coming from. So, we put
forth that efficiency is quality and cost and I think that this is a really key
take-away message because in order to make judgments in regard to the
efficiency of the health care system and is the health care delivery system
doing its job and the Committee defines that as improving health and reducing
the burden of illness, and in order to be able to judge that their performance
measurement, we have to look at both quality and cost. So, they do come down
rather adamantly on that point and now moving towards value of care they
defined as the efficiency equation of quality plus cost but also paying more
attention to patient’s preferences. We don’t measure that a lot now. We
certainly do have the work of the CAP survey that retroactively looks at
patient experience of care but we really want to start putting the patient into
the measurement equation and valuing their preferences both proactively as well
as retroactively.

So, why both with longitudinal measurement or looking at extended episodes
of care and there were four points I wanted to drive about this. First, the
Committee feels that this is a patient-centered way of thinking and when you
look at an episode you follow the patients’ natural path, their trajectory,
onset of illness; if there has been a intervention and we put a predisposed
endpoint particularly the chronic conditions because those go on for years but
in this case the Committee wants to push out beyond what we traditionally look
at initially to 1 year and beyond.

We really feel that extended episodes and longitudinal measurement is more
directed at value because through the episode approach you can link the quality
and the total cost of care over an extended episode and that will push more
towards value and also once again linking in the patient preferences.

We, also, think that episodes will help address some things that are really
important to measure that really matter but we don’t often do and that would be
care coordination. We know from the work of Eric Coleman and Joanne Lynn and
Mary Naylor and others that this is where patients fall between the cracks and
so not only is quality of care jeopardized; there are serious safety issues,
medication reconciliation and there is a lot of waste that occurs here with
duplication of ordering and tests, etc.

So, we feel that episodes will allow us to start capturing some of that
across care and the lat bullet of course we could spend a lot of time on but we
do feel that looking at episodes might be able to address our current
encounter-based finance system which might not be an optimum model for looking
at episodes.

So, I provide for you here and example because now it sounds very
conceptual and so we are working on this. I do have it as a draft because the
Committee is still deliberating but here is how they are conceptualizing an
episode of care for acute myocardial infarction and so I am hoping through this
example you can see where some of the data, things that we might need to
address will come in.

So, if you start to the far left with is larger bubble of the population at
risk ideally we would like to prevent a heart attack from occurring, primary
prevention but we do know they occur and this is certainly a serious problem.

So, in this episode we will not be looking at primary prevention because
primary prevention in and of itself is worthy of an episode but for
methodological reasons and data and comparing apples and oranges we can really
only in this episode look at secondary prevention, post-AMI, not only health
life style behaviors but also you know look at management and things of that

We feel the primary prevention in taking that population-based approach
look is so important we include that as a reminder in this episode.

So, as the patient has onset of chest pain you see that they move into what
we call the acute phase. Now, traditionally the episode would begin once you
have hit the mortar and bricks of the ER or the hospital and our Committee
would like to consider pushing back a little bit. That episode would begin at
the onset of symptoms. So, we don’t collect data usually then and there are
going to be implications and I know my colleagues will be talking about privacy
but it is just not something that is routinely done. So, we want to push out
that to bring in some of the community elements around infrastructure support,
EMS, etc.

So, the heart attack occurs. You come into the acute phase and we feel at
this point, I mean certainly not when the person is going in but once they are
stabilized and you want to assess their preferences because and now this is I
admit a simplification but for diagram purposes we have talked about two
trajectories for the AMI and one would be you know you are a relatively healthy
adult and the goal would be to rehab and back to work or whatever your
preference would be and then there is the trajectory where you may be someone
who has multiple chronic conditions, quite ill coming into the infarct. It is
another assault and you may at that point want to start thinking about what are
this patient’s preferences in regard to palliative care, advanced directives
and working with the family.

So, we want to put that assessment of preferences up front in the acute
phase but importantly for the longitudinal measurement as you go from acute to
post-acute you know the handoffs that occur there and the transfers are very
important as well as when you go back into the home or into the community
looking at secondary prevention.

So, for this episode we would like for it to begin as onset of symptoms and
then measure at least out to 1 year post-AMI.

The National Quality Forum has endorsed a 30-day mortality measure for AMI
but you know we want to push beyond that or the Committee when we look at
longitudinal care particularly for chronic conditions would like to go a little
bit further.

So, in the context of that example here are some methodological issues we
are grappling with, and what we thought of course for your consideration as
well and I classified these into three categories, but the first one is data
and I think the data integrity, I mean that is an issue regardless if we are
looking at extended episodes or not but I felt it amiss not to put that there
knowing that Paul is on the Committee, too, having worked before. You know,
there are just the data elements that we need for efficiency around quality,
cost of care measures that move beyond resources. That is going to be tricky
particularly when we are dealing with administrative data and the strengths and
limitations of doing so there, but what I would really like to focus in on is
that second bullet on data collection and aggregation because you saw from
those bubbles you from acute to post-acute back into the community you are
going to be leading to collect data, aggregate data. Ideally we would like to
aggregate at the smallest unit of analysis as long as it was accurate and
reliable. You need individual provider level, group practice, organizationally,
the hospital, nursing, etc., out to the community you know to have that ability
to roll up and roll down so to speak, and so I think these are things you know
your group as well we are going to need to work with as we push more toward
longitudinal measurement over episodes and then of course these data standards.

So, we don’t have at the moment data standards that might map to this
perfectly and how we would need to codify those for use in the electronic
health record so hopefully things could be collected at point of care and not
be a high burden.

So, lots of data considerations I humbly present to this group of course.

Another issue is around accountability and how we can attribute care across
these multiple providers and this is this notion of a warranty. So, how can we
make sure that every provider that is involved with care, for example, over the
AMI is accountable or is somehow held accountable downstream and what type of
models might we look to not only for data collection but for encouraging
groupness so we can avoid the problem of small N’s at the individual physician
level, etc.

So, the Committee is spending a lot of time thinking about these types of
models and looking at something called an accountable care entity and virtual
groups, some of the things that come out of the Institute of Medicine and their
performance measurement report and then finally which I know my two colleagues
will discuss in much more detail is privacy because as you go across these
multiple settings you know how many times do you collect consent forms? Is it a
year? What is the time frame? I think there is going to be a lot there to deal
with in regard to making this feasible and management and of course respectful
to patients’ privacy.

So, I will stop here, of course, and entertain any questions you may have.

Thank you.

MR. REYNOLDS: Thank you, and what we will do is we will move on to Sharyl.

DR. NASS: Can you all hear me okay?

MR. REYNOLDS: Yes, we hear you fine, thanks.

DR. NASS: I, also, would like to thank the Committee for having me come to
present to you an overview of an IOM study that was recently launched. We had
our first Committee meeting in June of this year on health research and the
privacy of health information, the privacy rule.

Last June the National Cancer Policy Forum held a workshop on this topic to
explore issues prior to undertaking a consensus study which was just launched
this year and that workshop is summarized in a report and you can read it
online at this web site if you are interested.

The consensus study was originally requested by the President’s Cancer
Panel which is why the workshop was held by the National Cancer Policy Forum,
but when the IOM decided to undertake this study they agreed that it was
important to have a much broader overview of the issue because certainly the
HIPAA privacy rule is not just having an impact on cancer research. It would be
potentially affecting all branches of research.

So, we have a broad range of funders including cancer-focused organizations
like the National Cancer Institute, the American Society for Clinical Oncology,
American Cancer Society and C-Change but we also have quite a number of
non-cancer focused sponsors including NIH, the American Heart Association, the
American Stroke Association, Burroughs-Wellcome and the Robert Wood Johnson

The next couple of slides are a verbatim recapitulation of the Committee
charge and I put them in this way because the charge is what drives the study
at the IOM and the reports at the end are reviewed externally by a panel of
experts in light of this charge, and so it is important to have that laid out,
but overall the charge to the Committee is to investigate the effects of health
research of the privacy rule and IOM reports are evidence based. So, we need to
look at what evidence is available to undertake this examination and it is
important for the Committee to look at the needs and benefits of patient
privacy as well as the needs, risks and benefits of health information.

In conducting the study the Committee will look at a broad range of study
types, a broad range of sponsors and also review the provisions that are
specifically relevant to health researchers. I am sure all of you know the
privacy rule was not written directly to regulate health research; so not all
of those provisions are actually relevant to research and the Committee will
also take into consideration issues of interpretation and implementation as we
have often heard that there is a great deal of variability from one institution
to the next as to how these things are being interpreted and we will also
consider issues of harmonization with regulations that may have overlapping
provisions such as the common rule or FDA regulations.

Because of the workshop that we had undertaken last summer we knew going in
that there was very little data available for the Committee to work with.

Most of what was out there was anecdotal evidence and in some cases surveys
had been done shortly after the rule was implemented and so there was some
concern whether they were relevant in the sense that there would probably be a
learning curve when the regulations came into effect and that they may not be
as relevant now.

So, the Institute of Medicine undertook the unusual step of commissioning
several surveys to gather evidence. This is not something that we normally do
but we felt that it was very important for the study and so this is a list of
three surveys that are either ongoing or have been completed, a survey of US
epidemiologists on the HMO research network and also a Harris interactive poll
for public perceptions.

In addition to these which are actually funded by the Institute of Medicine
a number of foundations and institutions have also planned to undertake their
own surveys and will be providing input to the Committee based on the results
of those surveys. That includes the American Society of Clinical Oncology, the
American Heart Association, the North American Association for Central Cancer
Registries, Academy Health and the International Pharmacy Privacy Consortium.

Just to give you a brief overview of the surveys that we have commissioned
the survey of epidemiologists is actually completed although the data analysis
is still ongoing. It was a national survey that was web based and members of 13
different societies of epidemiology were invited to participate and responses
were anonymous.

There are several categories of questions that were included including
quantitative responses that ask about the types of data that researchers
collect, rates of recruitment pre- and post-rule implementation and experience
in obtaining things like waivers and de-identified information.

There were some questions that used a Likert scale to measure perceptions
of ease or difficulty in conducting research and the impact of the rule on
privacy and confidentiality.

There were also some questions that entailed case studies where researchers
were asked whether their institutions, IRBs or privacy boards would be likely
to approve. All of them were cases that should have been allowable under HIPAA.
So, it was a way of assessing variability across institutions and finally there
were some open-ended qualitative questions where people could provide more
detailed and variable input to the Committee.

As I said the analysis was still ongoing, but a preliminary overview of
results indicates that most of the respondents perceive the privacy rule’s
impact as quite negative.

There were a lot of concerns about variability and local interpretation and
also about added costs and delay as a result of the privacy rule.

The second survey is not yet fielded, but is nearing completion and is
almost ready to go. The survey of the cancer research network investigators
which includes 13 sites and collaborating institutions entails more than 50
faculty and they are engaged in a broad variety of research types and they will
also survey the IRBs that work with these groups to try to get another feel for
how variably these organizations are operating and finally an overview of the
Harris survey. This one is also nearing completion and will probably be fielded
in the next month. It asks questions about the public’s experience with and
attitudes about research and privacy,

Some of the questions will be asked of all respondents to get their
attitude about health research and some of the questions will be specifically
for people who have already had experience with health research.

Based on previous surveys by this group approximately 10 to 15 percent of
the respondents have participated in studies and they asked a preliminary
question in a survey that was just fielded this June and about 14 percent of
the respondents said that they had participated.

This is a time line of the study. As I said, the first meeting was held in
June of this year. Our next Committee meeting is scheduled for October 1 and 2,
this fall. The meeting is open to the public. So, you are all welcome to attend
if you are interested in it.

We hope to be finishing up the report by next summer and starting the
review process in the fall and we hope to have the report finished by the end
of the year with final draft reports issued in early 2009.

This is the Committee membership. If you are interested in providing input
you can go to either of these web sites, the current project web site for the
National Academies or we have a project web site as well.

With that I would be happy to answer any questions you might have.

MR. REYNOLDS: We will hold them until we finish with our next presenter,
Barbara Siegel from AHIMA.

MS. SIEGEL: Chairman Cohn, members of the work group, ladies and gentlemen,
good afternoon.

My thanks to the work group and Margaret A for the opportunity to provide
input into this important discussion on the development and use of secondary
data as well as the confidentiality and security functions surrounding the
release and use of such data.

I am Barbara Siegel, Director of Health Information at Hackensack
University Medical Center in Northern New Jersey. HUMC is a 680-bed tertiary
care teaching facility which participates in many data reporting initiatives
including the CMS quality demonstration with Premier, the Institute for Health
Care Improvement Pursuing Perfection grant and the State of New Jersey as well
as many other requests from a variety of resources seeking secondary data.

I speak to you as a department director whose responsibilities include the
disclosure of secondary data. I also speak as a representative of the health
information management profession.

It is HIM professionals who manage the many tasks associated with gathering
and analyzing the data which makes up an individual’s primary record. HIM
professionals are also responsible for disseminating data for a variety of
secondary functions including quality measurement, public health or
biosurveillance, research and myriad of administrative and operations reporting

In 2004, I provided the NCVS Work Group on Quality a brief description of
HUMC’s quality and secondary reporting activities and staffing requirements.

In June of this hear AHIMA and MGMA provided an update for that report.
This slide shows the Hackensack has encountered about a 72 percent increase in
costs due to the increase in demand for data.

So, I can really assure you that the issues around the reporting of this
data are very important to us. I have noted a few of the quality projects at
HUMC. Our quality unit and our HIM department receive an ever increasing set of
requests from third-party payers, health plans, state agencies, researchers and
others seeking secondary data. It is the diversity of these requests, the lack
of standards in process and data and the fact that our industry has yet to
achieve an interoperable electronic health record that present many of the
issues you are addressing. HIMA supplied this slide depicting a tertiary care
medical center’s demands for secondary data. I have not attempted to do this
but this does look very much like what we are doing with it at Hackensack, and
it is in your handout.

HUMC considered the role of secondary data reporting as we established the
processes and policies necessary to meet the requirements of HIPAA earlier in
this decade.

Our policies and procedures reflect both the HIPAA and State of New
Jersey’s confidentiality and security requirements. Our ongoing orientation and
training programs reflect these policies and our understanding of the state and
federal requirements.

You are aware that there are situations where HIPAA requirements when taken
in relation to other federal and state requirements create some uncertainties.
When it comes to the release of secondary data this uncertainty will increase
as the community recognizes the value of secondary data especially as the
health care industry migrates to a standard interoperable electronic heath

If we are to have quality data and data integrity industry and the
government must address these ambiguities and improve the standards for
secondary data reporting and collection across all sections of care.

To comply with HIPAA and state laws Hackensack instituted simple policies,
procedures and a notice of privacy practices and in your handouts there are a
few examples of some of our policies.

Typically our policies and procedures have been adequate for the ongoing
secondary data reporting projects. HIPAA does not require a separate consent
for disclosures or access to protected health information or PHI when it is
disclosed or accessed for treatment, payment or operations, TPO, or when
required by law.

HIPAA also provides exceptions for certain research disclosures and for
disclosure of information that has been de-identified. The remaining
disclosures require an authorization. All of these requirements are tempered by
the state preemption section of HIPAA so that if a state has a stricter
requirement the entity must follow the state requirements.

We constructed this table to show patient authorization or consent
requirements for secondary data with the assumption that the individual has
reviewed the HIPAA privacy notice and signed the initial releases normally
required. Note that there are a number of cells where the entity may not be
required subject to state law to obtain an additional consent or authorization.
There are a few situations where an authorization is required and there are
several where we placed a question mark because the release would be
situational. The request for data or the knowledge that a patient is covered by
a particular secondary data reporting requirement may not be known until after
the individual is discharged.

These questionable situations could occur when quality measurement requests
or other data requested do not potentially meet the TPO requirements. For
example, an entity might ask if a quality measurement is part of a requirement
to receive payment then can it be assumed that the release is covered by HIPAA
or TPO? Is the group requesting data a government entity or a subcontractor of
a government entity? Is the request covered by as required by law or by TPO?

Another question that will also arise relates to the requirement for
minimum necessary. What amount of the individual’s record is the minimum
necessary given the specific request and the entity requesting the information?
Providers of secondary data face the dilemma that patients may be involved with
one or more payers or health plans or multiple agencies desiring their health
care information.

While it might be perfectly appropriate to release data for a health plan
that uses quality data for payment purposes, is it appropriate to provide such
additional data to a secondary health plan that does not?

How does minimum necessary apply to each and just how do agencies and
health plans use the data they receive under TPO? Are they a covered entity or
do other federal or state laws apply? HIM professionals address these questions
daily. Secondary data is produced from paper records, electronic records and
mostly nowadays from a hybrid record of paper and electronic records and in
just about all cases the analysis is a manual process. How requests will be
handled when there is a full adoption of the standard EHR and network health
information exchanges remains to be seen especially if we anticipate a
computer-assisted response.

Fortunately the number of requests beyond the TPO requirements today are
relatively low but as the health care industry becomes fully electronic the
demand for secondary data will and really should increase.

The need to define who is requesting the data will also increase along with
associated questions. What data are they requesting? Is it PHI? What right or
rights does the individual have to restrict the data? How will the entity track
or audit releases in the AHR system or through an HIE?

As the requests for secondary data increase so will the need to train
health care professionals and educate consumers on the various nuances
associated with requests and requesters as well as the laws, regulations and
rights in effect.

As consumers receive more information or misinformation about the use of
health care data providers could find themselves in situations where consumer
restrictions are placed on the release of data for external parties. To avoid
this, the users of secondary data must provide a clear picture as to how
secondary data is being used and the protections being provided to ensure such
information is confidential and restricted to the purpose for which it was
originally provided.

Feedback must also be provided throughout the health care community to
ensure that the data is used accurately and that if processes or collection of
data needs to be changed the system will actually change.

If we can achieve a uniform understanding of what authorizations or
consents must occur, when and under what circumstances then we can better spend
our time ensuring the completeness, integrity and confidentiality of our
primary and secondary data and not on the nuances of multiple and complex

Identifying the requester of secondary data not only impacts the decision
of whether an authorization is required but also the amount of PHI included in
the data provided. Requests for secondary data especially for quality
measurement and public health must be judged not only for a TPO relationship
but also to determine any individual requirements for identification or

Some data is identified by name or a patient account number. Other
situations call for a de-identification process where a separate identifier is
used in case the patient needs to be informed of a situation calling for
follow-up care.

Such variation can be addressed in situations where only one payer, health
plan or agency is involved but the issue becomes more complicated when there
are multiple plans or agencies similar to what I described above for

Over time we expect to see additional information requested as secondary
data. Metadata will be required to determine the source of the data elements
that make up a measure or a collection of data needed for reporting. The
individual’s ability to restrict specific record information outside of the
usual categories will complicate matters from an administrative perspective and
requirements for an accounting for data access and disclosure will potentially
rise to ensure the disclosure limits are respected.

In a fully electronic system the accounting and restrictions should become
less of a problem but in today’s hybrid environment it creates significant
administrative burdens. While an electronic environment will make some
processes and protections easier the ability to provide secondary data will
continue to be difficult unless the health care industry and government can
also come to consensus on data standards.

The development of uniform standards and other processes leading up to the
adoption and use of standard EHRs are meant to ensure that the standard EHR can
capture all the data necessary to provide health care clinicians with
information they need to care for and provide optimal treatment decisions for
the patient.

First and foremost the EHR serves as the primary health record for the
patient. The record must be accurate and complete and ensure integrity and data
transfer among sub and external systems, data identification and provision of
data to ensure the clinical and business needs of the patient and the provider.

While the record is for care the same attributes are needed for the
provision of secondary data. The community, the provider and the patient are
best served if the primary records data can serve many purposes rather than the
primary record itself becoming a hodgepodge of information collected
specifically for a variety of secondary purposes.

The role of the record analyst is to review the record and provide
secondary data when requested or required. With the adoption of the standard
EHR made up of uniform terminologies some automation via computer-assisted
coding will provide common forms of secondary data. The lack of standardization
makes the process of analyzing data for reporting difficult and can result in
two different organizations, data requesters having different results for the
same measurement. This in turn can lead to confusion for consumers as well as
health professionals, a situation we have faced several times at Hackensack.

Variance in data requests that often target the same output makes
automating secondary data and ensuring data accuracy and integrity very
difficult. There is no standardization among organizations seeking quality
monitoring let alone across industry for research, population health and
administrative activities.

While there are some national standards they are not necessarily followed
on local or state level and all standards in data definitions are typically on
a volunteer basis. The recent AHRQ RFI introduces the concept of an entity that
could initiate and manage the coordination of secondary data measures, data
definitions and other attributes of secondary data requests so that data
providers can report the data and maintain data methodologies that meet
industry, government and consumer expectations.

This entity would deal with the process of developing data set standards,
aggregation processes including confidentiality and security and coordination
between standards and data users.

Working in a teaching and research facility close to several other states I
would appreciate not only the uniformity of secondary data but also the
confidentiality and security requirement for disclosure and transmission of
data. I also hope to see some means of requiring adherence to the standards and
guidelines a data entity would produce. However, it does not appear that the
proposed entity could mandate uniform use of standards and guidelines, a
problem we have seen even with HIPAA standards.

As a director of health information I am a steward of the individual’s
record and data. However, once the secondary data we produce leaves our
facility some other entity takes on the responsibility of steward of the
transferred data. I have no control of their stewardship and they must comply
with requirements under HIPAA, IRB or some other state or federal rules or

In some way government and the industry must ensure that privacy
protections extend to health care data no matter where it exists or is stored.
If individuals cannot trust the overall system they will be reluctant to
provide information in the primary record or they will add restrictions to the
use and disclosure of data diminishing the value of secondary data.

I want to note that Hackensack also complies with HIPAA and state laws in
the internal use of health information. There are so many things that we are
doing with all our efforts we take on a regular basis that if you have any
questions regarding this I will be happy to answer them.

I noted that you are also considering the role of health information
exchange. Unless the HIE is itself a data repository I do not see it as the
reporter of secondary data. Through a combination of policy. Through a
combination of policy and technology it may someday be possible that issues of
identification, authorization and consent may be addressed by an HIE. As the
provider of the secondary data usually a health care provider has a direct
relationship with the consumer. I believe the decision points we have to
discuss cannot be handled at the HIE level but without a clear model of an HIE
it is difficult to say just how an HIE could or should address the issues of
consent, authorization and other confidentiality and security requirements.

AHIMA and AMIA have suggested that uniform legislation should be passed to
prohibit the intentional misuse of an individual’s health care data or
discrimination of individuals related to their health care data. Such a law
could then ideally permit the sharing of data for secondary purposes without a
complicated set of rules pertaining to parts of the database and identifiers
and so on.

Whether the health care industry or the United States is prepared to take
on such legislation and actually prosecute offenders is open to question.

In conclusion I have only skimmed the surface of the issues facing the
disclosure of secondary data. Let me conclude by noting that if the community
as a whole is to benefit from the vast amount of health care knowledge that can
be extracted from a fully interoperable health care system then we must reach
an ongoing nationwide consensus on uniform use of authorizations and consents,
uniform use of industry-wide terminology and classification standards in sync
with international standards, uniform use of measurement or data set standards
to ensure consistent data collection across a spectrum of secondary data
requesters, uniform confidentiality policies and practices along with security
measures to protect data that is both identified and de-identified including
issues related to authentication and accounting, education of consumers in the
industry and the need for and use of secondary data and its relationship to
primary data as well as how confidentiality can be guarded and increased in an
EHR/HIE environment and strong uniform legislation to punish discrimination and
intentional misuse of health care data.

The health care industry must also address the mechanics of secondary data
exchange including the impact of the paper hybrid EHR transition on the data
required and the process for collecting such data and the need for feedback in
any secondary data system to ensure maximum use of the data and data accuracy
as health care knowledge grows.

I have attached some practice briefs, recent statements and a summary of
recommendations on terminologies and classifications.

Whether today or in the future if I or AHIMA can be of any assistance to
the work group please contact us and again thank you for allowing me the honor
of testifying on this important subject and I am ready to take any questions.

MR. REYNOLDS: Thank you. I have got two quick clarifications and then it is
Marc and then Simon and then I will look for anybody else.

Sharyl when you talked about the survey that you did was one of the
questions whether or just how much or how well the physicians and others
understood privacy?

DR. NASS: Our surveys are not really being targeted to physicians. They
were aimed at researchers and the public. So, I don’t know that our surveys
will address that question specifically. It will start to get at to some degree
how well researchers understand the regulations but there is another layer of
complexity because how they are interpreted by their institutions varies quite
a bit and so I think most people deal with the regulations at an institutional
level rather than with the original regulations.

MR. REYNOLDS: On the chart that you had where you had patient authorization
and consent and at the bottom of it you had HIPAA PPO no authorization if you
could when you get over there to research did you have a clear demarkation
between quality and research and then when you get into research you said,
“Non-IRB,” and you had “Yes.”


MR. REYNOLDS: Help me a little more with exactly what that meant by yes?

MS. SIEGEL: I am not sure I have an answer for that.

MR. REYNOLDS: Okay, and then when you got out the payment or claims which I
know from all the testimony we have tended to hear fit into TPO, the word
“some” raised a question as to why there would need to be an

DR. RODE: The reason for some is that we can run into some payers who are
not HIPAA entities and so in a case where you have a payer that is not a HIPAA
entity you have got to get an authorization. It is not covered by TPO. I am
sorry, this Dan Rode, I am with HIMA.

MR. REYNOLDS: Thanks, appreciate it.

Okay, Marc?

MR. ROTHSTEIN: Thank you. My question is for Dr. Nass and it follows
Harry’s question. We are thinking in the same way. It is sort of a comment but
if necessary I can make it a question.


MR. ROTHSTEIN: The NCVHS has long been concerned about the effect on health
research of the privacy rule and we have held several hearings and written
letters to the Secretary dealing with aspects of this and we believe that there
are some inconsistencies between the privacy rule and the common rule that make
life difficult for researchers and we have asked the Secretary to address those
and there is a task force or a committee or something at HHS that is beginning
to take a look at this, but I have some reservations about the methodology that
you are using to gain information that it is surveying the epidemiologists and
HMO research network and the public about its perceptions.

Let me describe to you very briefly two of the kinds of responses or bits
of testimony that we got at our hearings and these were not by sort of
dumb-off-the-street researchers. These were representatives of major
professional associations and institutions.

There would be people testifying before the Committee. They would say that
for 10 years we did X, Y and Z and then the HIPAA privacy rule comes along and
now we can’t do X, Y and Z. Isn’t that terrible? And our response was what IRB
allowed you to do X, Y and Z for 10 years? It is expressly prohibited by the
common rule. You couldn’t do that to begin with, and they would say something,
“Well, never mind.”


MR. ROTHSTEIN: The second type of testimony was something like the HIPAA
privacy rule interferes with our research because we want to do A, B and C, and
we can’t do that according to the HIPAA privacy rule, and then we would read
them the provision of the privacy rule dealing with research that says,
“Researchers may do A, B and C,” and they would say, “Well,
never mind.”

So, it goes to Harry’s point about I think there really is at least a
couple of years ago, the last time we looked at this issue a tremendous
knowledge gap among a wide range of researchers as to what the common rule
demands, what the privacy rule demands, what the relationship is between the
two and so that going exclusively with subjective reports may in fact be
misleading and I think it might be very valuable if you got a sense of whether
the researchers are actually correct in their assumptions.

DR. NASS: I think those are all very excellent points and we are attempting
to try to get at that. I think there is definitely a recognition that there is
variability across institutions and that the institutions tend to take a very
risk averse approach to these regulations which are very complicated and as you
say have overlapping stipulations with other things that may apply in some
cases and not in others depending on who is funding the research, who is doing
the research and so on and the questions that we are asking in the survey at
least some of them try to get at whether the researches themselves think that
things should be allowed under HIPAA and also whether their IRBs would allow
things to go forward at that institution.

So, I agree that it is an important issue. We are trying to get at it.
There are limitations in doing the surveys and if you have suggestions for
other ways that we could try to collect that sort of information I would
certainly be interested in hearing it.

MR. ROTHSTEIN: Okay, will do.

DR. VIGILANTE: Case-based approaches where you are saying, “Given this
scenario is this or is this not appropriate?”

DR. NASS: We did do some of that in the fist survey that was fielded.

DR. COHN: First of all thank you all for what has been a very interesting
set of observations and issues. I actually had a couple of, and I am being
perhaps a little naive, Sharyl and I want to start with a question or two for
you and just to help me understand the study you are doing, is it focused on
federally funded research or are you taking a broad look at all research?

DR. NASS: It is any research that would fall under the HIPAA regulations.
So, it may be federally funded and it may be privately funded. Anytime that the
information that you are collecting is coming from an entity that has to deal
with the HIPAA regulations then it is relevant to that project. So, that is
part of the complication is that it varies depending on who is doing the
research, how the data is collected and how it is funded and so on, and it is
different than the common rule because there are different stipulations there
again as well. It is a very complex set of regulations.

DR. COHN: I will apologize. I had actually meant to go home, assuming I
ever get to go home again from all of these hearings and was going to read up
on my favorite document which is of course HIPAA privacy, but you need to help
me with this one and you may know or may refer me back too the document or
maybe Marc can help me, but as I understand it the federally funded research or
institutions that receive federal funding for research they have to have IRBs
and the common rule applies.

Now, if you are an organization that doesn’t have federal funds coming in
for research in any way, shape or form and you don’t have an IRB or don’t
necessarily have an IRB and you don’t have the common rule and so am I right in
assuming the only thing that applies is HIPAA? Am I missing something here?

DR. NASS: If the data that you are trying to collect is coming from
providers who are working under that HIPAA privacy rule then you need to obtain
consent to get that data under HIPAA.

DR. COHN: Okay.

DR. NASS: If you as a researcher are not required to work under HIPAA once
you have that data they may no longer apply but if you are trying to get the
data from an organization that does have to work under HIPAA then they do

DR. COHN: Okay, just to make sure that I am sort of understanding, so
obviously in places where federal funding is occurring you are looking at the
interaction of the common rule and HIPAA in places where —

DR. NASS: — FDA registration you have to include those regulations as

DR. COHN: Okay. This is an interesting tapestry. In places where there is
no federal funding the scope of the project really does include just HIPAA

DR. NASS: Right and the other could be places where only HIPAA applies and
not the common rule.

DR. COHN: Okay, and I am glad to hear that because I think that is an area
where a lot of people seem to focus on the overlap between the common rule and
HIPAA and the confusion or I am not sure if it is confusion but whatever is
going on there as opposed to wondering what is happening where there really
isn’t a whole lot of protection necessarily with non-federally funded research

So, thank you. We will look forward to that report. May I ask another
question? Okay.

It is not to you but to Karen Adams. This was actually a question of your
extended episodes of care which I think sounds wonderful. I will be watching to
see what methodology you wind up either inventing or adopting for that.
Obviously there are a lot of episode treatment groupers out there but whether
any of them requires extended as you are perceiving, now, having said that
though obviously the purpose of this hearing and what we are investigating has
to do with secondary uses and risks and contemplation of issues as we sort of
move into this world that HIPAA may not have completely considered.

Now, as I think about what you are doing obviously there are risks as you
put more and more data together into a single record and obviously as you
extend episodes of care it isn’t just that person who is now de-identified on a
date that id de-identified had X procedure or X encounter but now you have 30
of them together or 50 of them together or extended maybe 100 of which 5 are
hospitalizations and there are three procedures and whatever.

Now, what is your contemplation around risks that relate to either privacy
or anything like this if this all happens? I mean is there contemplation that
this will all be done and any sort of an evaluation will occur locally within
an institution and there will be no exposure of data or what are your thoughts
about all of this?

DR. ADAMS: On your first comment on methodology I just wanted to mention
that this Committee certainly has looked at the episode groupers and of course
MedPAC has done a terrific analysis of the strengths and weaknesses of the
common ones out there.

They aren’t going to suggest an alternate methodology or add-on methodology
but put forth that maybe existing methodologies might not be able to meet these
needs or there might need to be modifications or let the market rule, you know.

So, I think with the privacy issues there are a lot because rarely are you
just a patient with the AMI. So, I gave you an isolated episode of AMI but that
person with AMI as you are saying could have multiple other comorbidities and
all of this is going to play. So, the group hasn’t dived into as much on this
privacy issue. They dove more into the data issues and the collection and the
desire to want to measure at multiple levels and that of course puts forth
issues, too, particularly when you want to do it at the individual provider
level which is often most important to the patient.

So, I guess my answer is that we are aware that these are going to pose
multiple privacy issues. I think when we were talking about how many times will
you have to get consent will it be across an episode; will it be every time you
go into a different environment? It becomes absolutely cumbersome but you want
to of course adhere to the rules. So, I think our group is lucky in some ways
because they are putting forth a framework, a vision, how they think
longitudinal measurement should occur and why they support an episode approach
but you know it is not going to be easy I guess would be my answer and privacy
definitely would be an area of concern.

MR. REYNOLDS: Okay, we thank you very much.

So, what we are going to do now is we will take a break until 5 minutes
until 3 by the clock and then we will be back for open discussion.

(Brief recess.)

Agenda Item: Working Session

DR. COHN: Okay and I think we have Marjorie Greenberg on the phone also
joining us. Is that correct? Maybe we don’t.

Okay, we are going to get started. I think as we have talked about this one
both earlier today and yesterday obviously the plan was to have relatively
significant amounts of testimony which I think we all feel that we have
received. This begins a period of time where we are going to sort of talk about
some of what we have heard as well as begin to talk about various framing

I am actually going to turn it over to Margaret A in just a second here to
sort of show some of the pieces, talk about some of the work that we have done.
I think I should state at the beginning that this is, in all of these projects
we started out early drawing pictures and trying to figure out how things fit
together. None of these are decisional. These are things more to try on for
size to see if they help explain the story or help us put our thinking together
better or help us identify issues that we want to address better in a more
focused fashion. So, we will I am sure go through a number of these over the
next several weeks to a month and one-half.

So, just take it as these things, they don’t have big drafts all over them
but they effectively do. So, I just want to start with that sort of disclaimer,
but with that, Margaret, do you want to talk a little bit about this as well as
begin to get into some of the smaller pieces of all of this?

MS. AMATAYAKUL: Maybe before I begin it would be good just to make sure
everybody has the documents that we passed out last night because there were
quite a number of documents.

One document you should have received was something that looked like this
and it has got Page No. 3 on the side here. This was yesterday evening. Simon,
it may be in your other document earlier. We have got extra copies if you need

The other document is an outline of report and a document that begins with
Page 9. So, obviously the document that starts with Page 3 is sandwiched
between 1 and 9. We made a slight change yesterday morning.

The other thing you should have is a page that has got red and blue and it
is August 23, 24, testimony. This is our draft schedule that we are working on
for the next set of testimony.

Simon and I took a look at this sort of doodle and it really is a doodle
because I just did this this last hour while I was listening to the last
testimony and hence you don’t have a paper copy of it, but we thought we would
go through that a little bit as sort of a real high level, very, very high
level overview and then start looking at more of the secondary uses of data
framework which is this document that starts with Page 3.

In addition Harry and Justine both have their own doodles as well that we
will use and pop up when we can. So, this particular one draws from Lumpkin’s
model where had public health research and quality as overlapping concentric
circles and then we started hearing from testifiers that treatment really also
overlaps in all of those areas and in some cases the overlap area is an area of
concern, that we may want to shrink it, define it better make sure that the
circles aren’t overlapping or make sure the circles are more completely

So, we have treatment payment operation. We have quality. We have research
and we have public health and then we have also been talking about other uses
that are somewhat undefined.

So, I have drawn a circle around here to sort of suggest this is the other
uses, some of which may be outside of treatment quality research and public
health. Some may be inside and then we have these areas in several of the
domains that are completely outside, some a little smaller than others that are
still also of concern.

So, for example, we have heard that research and quality are blurring.
Quality may be a part of the operations component of TPO. It may not. Research
may be federally funded and within the purview of IRB it may be not federally
funded and totally outside the purview of IRB and potentially even HIPAA. We
don’t know and the same might be true for quality.

So, that is just sort of a high-level picture of kind of what we have


DR. COHN: Hi, Marjorie.

MS. GREENBERG: I am there. Can you hear me?

DR. COHN: Good. We asked about you earlier when we started the session.

MS. GREENBERG: I was here then, too. I have been here since before you came
back from the break.

DR. COHN: We can hear you much better now.


MS. GREENBERG: It was frustrating to hear you say that I wasn’t there
because I was.

DR. COHN: Welcome.

MS. GREENBERG: Actually the technician knew that I was here because he
checked on me when you were on break, but anyway, thank you.

DR. COHN: Mark wanted to add a comment.

DR. OVERHAGE: I guess I had a question. I am struggling to figure out what
is in some of these areas and could think through but one of the first things I
kind of asked myself, so what is in the quality circle that is not in the TPO
public health or research, and I am trying to think of a concrete example for
each of these non-overlapping or overlapping areas and I can’t think of one

DR. COHN: Let me make sure I understand what you are saying. So, you are
wondering for quality what is —

DR. OVERHAGE: Why does it have its own circle?

DR. COHN: Okay, and is the question why it has some clear circle or why it
has some of this?

DR. OVERHAGE: First of all why does it have its own circle at all in
research and public health, for what purpose, for research or for operations,
which is it or for public health?

DR: TANG: It is outside patient care.

MS. GREENBERG: I can hear Marc, but I can’t hear the other person, but I
think it is the part that is for operations, isn’t it?

DR. OVERHAGE: Why did you do the survey? I wanted to find out how many
people really get flu vacs.

DR. TANG: TPO only applies to data that I captured in the process of care.

DR. OVERHAGE: Wouldn’t your point be that that is research when you have a
question and you want to investigate.

DR.TANG: TPO is a figment of HIPAA’s imagination.

DR. OVERHAGE: But there is a lot of value in aligning what we talk about
with those figments that other people —

DR. TANG: I understand but the difference is if I go do something in the
name of quality or research that does not take advantage of, make secondary use
of data collected for the care of patients I think that is outside of TPO.

DR. OVERHAGE: So, you are defining in that case TPO as being HIPAA uses of
data for TPO which feels really funny to me.

DR. TANG: That is because HIPAA is the one that made up TPO.

DR. OVERHAGE: That is fine but call it operations then if it makes you feel

DR. TANG: I am not a health care provider. I am a surveyor

DR. OVERHAGE: I agree. I don’t care who you are. I think the model has got
to work.

DR. TANG: Agreed. That is why we are talking about it.

MR. REYNOLDS: Marc, let me ask you a question. What would you see that
picture as?

DR. TANG: I guess I am just asking the question.

MR. REYNOLDS: I know you are asking the question but —

DR. TANG: It struck me as funny that there is a separate circle and I think
you take the quality circle away.

DR. COHN: Let us hold it as a thought here and let us just discuss how we
may want to represent this one.

Steve, do you have a comment?

DR. STEINDEL: Yes, Marc, I have a question for you. Why would you take the
quality circle away? Why not take the TPO circle away.

DR. OVERHAGE: Because TPO is imaginary. It is a fig newton of HIPAA.

DR. STEINDEL: That would be fine with me although quality is a topic not a
process, I guess is why.

DR. OVERHAGE: I think that is what we were asked to address.

DR. STEINDEL: We have got two different dimensions, circles representing
two different dimensions here. Shouldn’t this be quality, safety and
efficiency? Aren’t those the three circles we ought to have on here then?

DR. TANG: Let me try another one? This represents, so there is a domain of
quality. There is a domain of research.

DR. OVERHAGE: But they are not. They don’t get it. They are from different

DR. TANG: I am reconstructing another diagram. So, there are three domains
of use of data, okay? Now, I am going to put in those circles data that
supplies those different kinds of uses, okay?

DR. OVERHAGE: What are the three circles?

DR. TANG: The three circles encompass data that is used for each of those
three purposes.

DR. OVERHAGE: What three, the three what?

DR. TANG: Quality, research and public health.

DR. OVERHAGE: Those are not parallel things. Public health encompasses

DR. VIGILANTE: It does but it does come back to what we were talking about
yesterday, the issue of intentionality. You know people who work in the quality
world use very similar statistical tools and methods as people who work in
research and people who work in public health and so those things don’t
distinguish. Your methods per se don’t necessarily distinguish between the
three of them and the fact that they are generalizable or not generalizable,
they all have generalizable results. They could have generalizable results. It
really is the intent for which it is being used and quality is really about
focusing on improving care and processes of care in particular and as you get
into an organizational environment operation then I can see how one might carve
that out. If you are talking about research in the context of things you are
going to publish in the peer reviewed literature that have a broad range of
research implications I can see carving that out as being somewhat distinct in
intentionality and the same for public health if it is really about the public
good in a protective kind of way.

So, the teleology of them kind of is what makes them different.

DR. COHN: Can I make one suggestion? I don’t know if this helps anything.
Can we go back to that earlier version that really tries to redo this and would
people feel, I mean I agree with you that “O” includes quality at
least by HIPAA definitions, at least much of what we think of quality and so I
am wondering if actually TPO with quality is actually those sort of double
circles together and since we want to focus on quality it is a piece of the TPO
but that also we are hearing about these sorts of other uses on the edges also
and this would sort of allow us to sort of try to maintain sanity with HIPAA as
well as the quality thing.

MarK, does that help at all? I mean we are playing around with concepts now
and not trying to create symmetry of circles but would that help a little bit?

DR. OVERHAGE: It helps some. That is what I was saying. I mean quality to
me is a topic within and you could call it operations or process improvement or
whatever you want and put theme in as a separate thing or whatever but it is
part of operations. It is part of research or it is a topic that can be
addressed by operations and by research.

DR. COHN: Okay, and I think what we saw yesterday and I will give it to
Steve in just a second but I will comment you know you weren’t here yesterday
and one of the things we kept hearing over and over again was what we described
at that sort of overlap between given that research has different rules than
quality work that there was some ambiguity in an area of concern that we likely
will want to address.

DR. OVERHAGE: I understand, but that —

DR. COHN: And that helps with that.

DR. OVERHAGE: Then research overlaps, okay, fine. Why pull out quality?

DR. COHN: Okay, why pull out quality? Because that is one of the areas of
emphasis we were asked to talk about.

DR. OVERHAGE: Then we are only looking at that one dimension. I mean if the
two-dimensional, or it is a three-dimensional thing that you are trying to
squish it into a one-dimensional, you have got a whole topic in each of these
areas. You have got quality and safety as a good contrast but where is safety
in this? I mean it is not a focus area but I am just saying to me that is an
analogous area to quality and so you have to be able to have a model that kind
of —

DR. COHN: Okay, Steve and then Marc?

DR. STEINDEL: I like this discussion and, Marc, I totally agree with the
point that you just made. Actually you weren’t here yesterday when Les Leonard
spoke and in one sense in a way we are talking about quality with respect to
this group. We actually did say except for some very specific projects public
health has no quality because we don’t do clinical care quality necessarily in
public health except for some very specific circumscribed usually in hospital
safety but that is specific, but I like the way this is going.

Mark’s concept is something we have discussed about before, is that there
are multiple tiers and dimensions to other uses of data or secondary uses of
data but we have been asked to focus on this one layer and so I think we have
to cull it out.

The thing that I wanted to point out and this is just an aside comment that
I think we need to make is we did hear yesterday from NCI and again a little
bit today from the genetics person that there is a blurring starting to occur
in the area of personalized medicine you know where treatment, research,
quality are fusing together because you need that type of information to decide
how you are going to use genetic information to treat that specific patient and
we don’t know enough. I don’t think that that comment is worth changing this
diagram and I think it is something to keep in mind when we write the letter.

DR. COHN: Okay, do we have the space for it just out of curiosity? I mean
is it that overlap between research quality and —

DR. STEINDEL: If we actually take TPO out and we remove treatment from this
because personalized medicine does involve treatment then it is actually out of
this diagram. We said that it is not TPO. We are calling that inner circle I
thought quality or I mean we can call it TPO.

DR. COHN: I think we were calling that part of it of which a subset is

DR. STEINDEL: Then it is a subset, okay.

DR. COHN: I am sorry, Marc, we have been going back and forth.

MR. ROTHSTEIN: I would like to propose a simpler way of looking at this. I
think all these inner overlapping circles are hopelessly confusing. I haven’t
heard anybody say that we should rethink the rules on disclosure of
information. I mean that is what we are talking about with regard to public

So, I would just sort of take public health off and I don’t think we need
to be rethinking what research is. We can’t redo the research rules. I would
take research off. I think what we are talking about is quality and I think
conceptually quality now is under operations and the problem that we have at
least in my view that we heard is that operations is so broad that there are
problems raised by it. So, my diagram would be sort of like a rectangle and
there is a line in the middle and on the right side of the line are those
operations where we, those quality measures where we think the current rule is

So, in other words, you supply notice only and if a notice of privacy
practices then you don’t have to do anything else, and we can discuss what that
would be and I would think like internal uses, reporting to the government,
quality measures, maybe even for accreditation purposes, etc. The left side
would be those quality uses which now are under operations and don’t require
anything other than some opaque mention in the notice and things that we are
sort of troubled by, selling the data, using individually identifiable data,
publishing data, using data for marketing purposes, sharing with other
researchers and you can put on whatever you want but the left side is made up
of things where it is in a broad sense quality but maybe we are uncomfortable
having the old TPO non-involvement rules apply to it and I would however we
define those terms, I would suggest that that left side might be appropriate
for some heightened level of permission from the individual, however we want to
work that out. Is that opt in? Is it opt out? Is it who knows what?

That may be a simpler way of looking at it. We have taken research off the
table because if it is research it is on a separate page. If it is public
health it is on a separate page. So, this is non-research, non-public health

DR. COHN: I will make a comment but I will hold it because I see Paul and
Bill. I think we can all live together but I will explain that.

Paul and then Bill?

DR. TANG: I am going to piggyback on what you said because I am on the
simple side of the world and I think there are two things, too, because if the
other way of looking at this diagram is you could color the majority of it as
AOK, I wouldn’t limit it to quality because public health research is quote,
AOK and on the whatever side was the AOK side and Bill helped me remember you
know the Willie Sutton, go where the, the bank robber and in this case it is
more than just a pun. That is where in Kevin’s word the outrage is. It is
making a profit, a gain, a financial gain off of my data and we need to have
clear-cut rules if that person is asking for it and I think there are such. I
heard it in the Mayo discussion. I heard it in the NCHS. It is easy. It is also
clear-cut what kind of rules we would like and once you have those in place I
think people can start agreeing to letting their data flow in places where we
would like it to get all the benefits on the right side. So, I would subscribe
to that way of looking at the world.

DR. W. SCANLON: I respect precedent and it is sort of been recognized how
hard sometimes it is to get to a point where we are but at the same time I
guess I am worried that if we live too much with what we have got and accept it
we are really giving up on the potential of electronic record and we are also
potentially not recognizing the risks of the electronic health record.

I think everything needs to be somewhat on the table including TPO. There
is a difference in the information that potentially is going to flow between
provider and insurer in an electronic world than flows today where things are
coded and there are very limited amounts of information and there is a question
of is that all going to be okay sort of under the current sort of HIPAA rules.

The same thing with respect to sort of public health. You open up new
possibilities in terms of what you could do in terms of health monitoring,
health promotion, postmarket surveillance, etc., when you have got electronic
health data flowing and the question is are those all going to be acceptable
sort of under the current set of rules. I don’t know and then I guess the last
area is sort of this issue of research and quality to me is a part of research
and whether or not you publish is not necessarily I don’t think the critical
thing. I think in fact in some ways publishing is a good thing because it gets
the information into the public domain and everybody can use it and the actual
research that I worry about is the kind that becomes proprietary sort of and
ends of sort of being restricted, you know the access is restricted and
somebody uses it for their own profit.

So, I don’t want to blow up the world and say, “Let us start over
again,” but at the same time I would like to kind of keep an open mind in
terms of are we making sure that we are including things that we wouldn’t have
envisioned today as being sort of possible but they are going to be there 5
years from now or 10 years from now and they are either going to be very
beneficial or they are going to be very problematic and you know we potentially
are not going to make these rules but the rules are going to potentially affect
sort of whether they are there beneficially or whether they are there

MR. ROTHSTEIN: So, Bill are you basically saying that instead or in
addition to the sort of the quality rectangle we need a public health
rectangle, a research rectangle where we say, “Okay, the way things are
but maybe on this side we need to re-examine the” —

DR. W. SCANLON: I am kind of but I am more where Marc is. I don’t think we
need to separate quality from research. Quality is a topic, and it can be sort
of an issue that in some ways data that flows into the public health sector are
going to have quality implications and so I think the issue is public health
which maybe we will separate from research, I mean it makes sense to separate
it from research but then we have got research and then we have got the
operations. So, I would get back to three but those three not just two and also
keep an open mind about what we need to do with all three.

DR. COHN: Kevin, did you want to make a comment and then I will jump in?

DR. VIGILANTE: So, if we draw a small circle in the middle and do some
concentric circles and that is patient care, that is primary encounter where
this data is originally generated then another concentric circle around that,
into that space is where outside, in the second ring is where the permissions
of HIPAA in particular around operations and quality is where that we accept
that that can go. It can pass from the first circle into the second circle.
However, this circle unfortunately is a semi-permeable membrane and it can go
then to a third tier for other uses other than what the patient was made aware
of in their notice of privacy that may include certain very sensitive things
such as the sale of that information and I think that is a good place for us to
focus our attention but as I was saying earlier you know there is this risk
communication expert Peter Salmon from Princeton who would actually be a good
guy to come talk to us and he talks about risk equaling hazard plus outrage.
You can have certain things that are very high hazard but relatively low
outrage like 50,000 deaths on the highway every year. You can have things that
are relatively low hazard but very high outrage, maybe say one anthrax letter,
I mean depending on how you want to interpret that.

So, it could be that one could imagine that even if your data was protected
and de-identified in every way possible and the hazard was very low the fact
that it is being sold and you are not being told is a high outrage phenomenon.
You could see it on the cover of the New York Times front page and I think as
we consider this that is something, those are things we need to balance and I
think it is that leaky membrane that permits the sale of that data into that
other circle that has the high outrage potential that I think is at the crux of
what we have to grapple with.

DR. DEERING: Don’t draw any circles here whatsoever. It is more like
something I would like to put down as sort of one of many checklists for
whether or not we have been successful and in my mind language about setting
some stuff aside because it is AOK it seems to me what we have heard is that is
an increasingly shrinking world and the checklist that I would only suggest is
that speaking of outrage we did have a lot of testimony about things not
working. Some of that not working was simply because it is misconstrued or
misapplied at the institutional level but there were implications in some of
the testimony and we have known that there are things that don’t work well. So,
I would hate for us to conclude our work setting aside HIPAA and the common
rule as AOK not needing any work whatsoever and let us only focus on other

So, I would just hate to take that off the table.

DR. COHN: Sure, and I will come back to it but I want to let Harry talk and
then I am going to try to sort of maybe move us down a little.

MR. REYNOLDS: Kevin, let me engage you on your comment. So, the leaky
membrane, I am not smart enough to know the other word you called it. So, the
leaky membrane, we heard discussion today. There was one term that came out
today, secret databases, in other words there are things that have permission
under HIPAA but as we have had some discussion about it business associated
agreements as they start being chained our further and further you know start
to erode because of the fact that they are further from the covered entity.
They are further from what HIPAA really is s you get the covered entity and
then you get a business associate, then the business associate uses a vendor
and then you are going on down the line.

So, what other than the obvious and I like the chart, other than the
obvious how do you explain how big that leak is and how do you start talking
about that so that your picture, I can specifically put things in every
category and go, yeah, yeah, yeah, yeah, but the other thing is and we continue
to hear, we talk about wanting to just use HIPAA but the understanding of HIPAA
and the understanding and the operations were still not clearly defined and I
deal with every day, too; so, how do we define what is —

DR, VIGILANTE: At a simplistic level right? I mean I think that the way to
reduce the outrage and I don’t know if this is the right solution because there
are some down sides to this solution is to make at the point of care when the
information is being collected for the very first time which may be destined
for parts unknown to let the individual know that that information may be
destined for parts unknown outside quality and operational purposes.

Now, of course how you do that matters very, very much because if you say
to the person at the point of care when maybe it is part of the HIPAA notice of
privacy it is going to be used for you know may be used for this operational
purpose and payment should — if you say, “And it may be sold,” I can
pretty much guarantee you that a very significant number of people are going to
say, “No way,” and the question is have you basically for maybe what
may be a fairly low hazard but to protect you against high outrage, have you
caused your whole ability to use secondary data to implode, not just for
commercial purposes but for other purposes?

So, I think that is the place where you create the transparency that
reduces subsequent outrage. The question is how do you do it in a way that is
not regulatory heavy handed.

DR. COHN: Justine has a comment.

DR. CARR: Before we began this and as I was thinking about this today I
think it is helpful to sort of state first principles namely what is the good
we are trying to achieve; what is the harm we are trying to prevent and what
are the elements that are critical to success. So, in terms of what is the good
we are trying to achieve improving care and the common good are two of the
things I heard. What is the harm we are trying to prevent? There I had privacy
violations and also harm from privacy violation and also we heard about
misinformation and misuse or unsophisticated aggregation and then what are
critical to success, trust, accountability, transparency and we also heard the
need for uniformity and alignment of rules, definitions and laws, also, uniform
privacy protection, protection following data and then potentially consent
management technologies.

So, it doesn’t exactly fit into this but I think we need to hold onto where
we are going and defining what we are trying to address and I think that
Kevin’s issue about hazard and outrage really rings very true to me because
that is what we are trying to balance but I think we have got to keep our eye
on where we are going because there are so many, there will be trade-offs and I
think we have to sort of stay on top of what are we trying to do and what are
we trying to prevent. That is all.

DR. COHN: Steve, you had a comment and —

DR. STEINDEL: Now, I have two comments and this has to do somewhat with
Kevin’s and Justine’s just now. I don’t think that the criteria should be how
will this look on the front page of the New York Times when Rupert Murdoch just
bought the Wall Street Journal. Newspapers will publish anything. They will
blur it in many ways and so I think we need to look at what is the right thing
not necessarily what is the hazard of doing the wrong thing and then, Kevin I
have a question I have a question for you that is very specific on your
semi-permeable membrane. Where does BHI fall in the semi-permeable membrane in

DR, VIGILANTE: So, using the example of the front page of the New York
Times that is just a graphic way of showing the things that bother people and
it only goes on the front page of the New York Times because it triggers
something of outrage in people.

It is not the fact that it is in the New York Times. It is an index to say
that this is something of great sensitivity to people to have their information
sold and not be told about it or not even be aware that it might be going on.
That is the point I was making. Whether it actually appears on the front page
or not is actually irrelevant. It is just an index or a barometer of people’s

What was the second one?

DR. STEINDEL: The Blue Cross Blue Shield data warehouse that is being put
together, where does that fall in your semi-permeable membrane and what type of
disclosure should be in that area and from where?

DR. VIGILANTE: I didn’t sit through the whole presentation but what I am
saying is that if you can collect personal health information, stuff that you
collect under a rubric of patient care and then say you can deidentify and use
at will for operations and quality is a part of that we have all accepted that
or HIPAA does at least that that is a legitimate use. All I am saying is that
once it has been aggregated there is no guidance on any limitation of further
use of that data, tertiary, quaternary you know any use of the data and that is
the point and I think that that is one problem in terms of people not being
aware of that.

The second problem is that if one of those uses is the selling of it I
think that that is one problem in terms of people not being aware of that. The
second problem is that if one of those uses is the selling of it I think that
is of concern. Now, I don’t want to sound like I am anti-market person.
Actually I believe very powerfully in the power of the market to actually do a
lot of the things that need to be done in quality management and I think we
need to be very careful not to put an impediment in the way of future business
models yet to be imagined that could actually help us measure quality or
improve care.

So, I don’t want to be perceived as being sort of Draconian that way. I am
just trying to identify where I think our area of focus of should be.

DR. OVERHAGE: You are talking about things I think of as an example and
correct me if I am wrong but I am almost certain that every one of the
participants in that have signed an authorization. When you get your insurance
you have signed an authorization I can almost guarantee you that says that they
can do whatever they damn well please.

DR. STEINDEL: That is not true.

MR. ROTHSTEIN: The only people who have to make a good faith effort to get
a written acknowledgement of receipt of notice of privacy practices are those
with a direct treatment relationship and other covered entities including
health plans only are required by the privacy rule to send you a notice. So,
they wouldn’t have received authorization from individuals necessarily.

PARTICIPANT: I guess I was trying to ask the question is it about
authorizations and notification or is it about understanding and awareness and
expectations which I think are different.

DR. STEINDEL: My issue is getting to what you just said, Marc in your last
statement. I am actually less concerned about the level of identification of
data because I think we have heard repeatedly with today’s system you can
probably identify especially if it is episodic care even if they have done
everything they possibly can to deidentify all personal information there is a
chance you can figure out who it was if you wanted to.

So, what I am more concerned about is the transparency issue and the
consent issue and that the people are aware that you are doing this stuff with
the data and we have heard repeatedly that people don’t have a fundamental
problem with good things being done with their data. You know it is like you
have to have increase the trust in the transparency level and I think that is
where a lot of our focus should be.

MR. REYNOLDS: I think we have to be careful thinking about it too linearly.
Kevin, I fully agree with you on the statement at the time of patient care what
you would or wouldn’t do. I don’t know what might have happened as you
mentioned with the — and then we all talk about HIPAA. We talked a little bit
about databases today and we have talked about what providers have and others.
You know HIPAA even mentions that clearinghouses are covered entities and there
are no patients going through clearinghouses. Yes, the data is there. They are
covered entities. You can draw the same circle. Nobody has got any consent from
me that my data is going through a clearinghouse but they are covered entities
and I think it is just, I am just saying this to remind us that education also
as we draw all these circles and we do all these things besides the linear
understanding of people as they go through the process, they go to the doctor
and then it is going to go to a payer and it is going to go somewhere else,
this whole idea of raising the educational level as we move forward especially
if you look at the next 2 years and what the Internet has done as far as
education I think we really have to keep that in mind because as we talk about
these whatever picture we draw is going to have another dimension. So, we have
got to make sure we keep all this in mind because if you talk operations you
think certain things in HIPAA but there are a lot of other players in this that
don’t fit a nice linear progression.

DR. COHN: Mary Jo and Marc, and then I think I am going to try to put
things together at least for a moment.

DR. DEERING: I thought Harry was going somewhere else when he said that we
shouldn’t be too linear and I wanted to get back to something that Bill said
which is that linear mind set is very much today’s mind set and to the extent
that our recommendations are targeting however modest they are and ambitious we
may be, changes that will take years to affect and we all know that. These
things are, by the time they are really operational the world will be different
than in this moment at which we have written them and I think if we don’t do a
best case effort to imagine what that world will look like as we make our
recommendations and I know we don’t have a crystal ball but this is a
particularly acute period of time for us to be mired, not so mired but totally
within our August 2001 perspective and related to that in this network
environment I think when you say that it all starts at the point of care I
think the definition of where these data origins are is something that will be
different 5 years from now and I think to just assume as it always does it
begins with a disease or an illness or a walk through and a doctor is there or
some certified medical provider is there and that is the moment of creation,
that is the divine start for personal health information is when the doctor
just like bringing you into the world has created your piece of health
information. I don’t think that that is an appropriate sole model to bound our
considerations and in that respect again my hobbyhorse as you know but I think
we should given the interest in personal health records if we do something that
does not mention personal health records except to say, “Oh, gee, we had
better keep studying them,” then there, too I think we will have been

So, I think whatever our model of study is it has to account for issues,
concerns that may be generated by pieces of data that did not originate, are
captured by or owned by the providers within HIPAA.

DR. COHN: Mary Jo, I just want to thank you for a moment for just reminding
us this is actually about the patients and maybe we should be considering about
the citizenry and not just about the provider.

So, thank you for that comment.

Bill Scanlon, Mark Rothstein and then Paul Tang and then I will try to put
things together to move us to the next stage of the conversation.

DR. W. SCANLON: I was going to react to Kevin. I think that you in some
ways portrayed something that is not a feasible model which is if you tell
people that your data can be used for anything at some point in the future and
as you said you may have a lot of people sort of opting out, that is not a
viable model in terms of what we want to accomplish here and therefore it has
got to be off the table and that kind of blanket sort of permission or
notification has got to be eliminated.

Then I think one of our challenges is okay if a blanket notice is not going
to work how do we define the list of entities and the list of uses that people
should be aware of as potential sort of applications of their data and sort of
anything other than those people are going to have to come back to the patient
and say, “I want to use your data for this purpose, yes or no?” I am
glad some other people think the same thing, Marc, that your HIPAA sort of when
you sign these things there is not a whole lot of choice, that if we don’t sort
of give patients sort of either trusted options or realistic options we are
going to lose in terms of skewing samples and we are going to much worse off
than we could have been if we had done this sort of thoughtfully in terms of
identifying how it is you should be dealing with the patients to really give
them enough trust that even when they don’t have a choice they don’t feel bad
about sort of not having a choice.

MR. ROTHSTEIN: I am relatively comfortable that the merits of what we come
up with will be more or less acceptable to this group whether it is Kevin’s
model or my model or anybody else’s model. What I think is probably more
important though is for us to figure out a political strategy that is going to
develop a letter and a set of recommendations that has a reasonable chance of
being implemented by somebody at some foreseeable time and you know it is
tempting to be utopian and I could think of ways I would like to rewrite all
sorts of things, you know the common rule, the public health system and so
forth and I am no fan of the privacy rule but I think what we need to keep in
mind is who asked us to do this; what t hey asked us to do and in what context
and it seems to me what we are being asked to think about is the changes that
we envision in the use of or the quote secondary use of information that is
going to be caused by new health information exchange. I mean ONC has asked us
to look at this and that means that we have to talk about sort of where we are
in terms of the status quo and how the current privacy rule applies or doesn’t
work well and what are the future uses and how are we going to reasonably
recommend that those be regulated if not under the current regime under some
foreseeably adoptable regime and I am not giving you the answer because I don’t
know what the answer is to that but I think that is the fundamental question so
that whatever it is that we come up with is going to be valuable not just to
ONC and to the current Secretary but to the next Secretary and maybe to the
next Congress without being so out of touch with reality that it is sort of
DOA, and so I think we need to spend as much time working that out as we do you
know whose diagram we are working with.

DR. COHN: Paul, last comment and then I will try to put this together, and,
Marc, thank you.

DR. TANG: I will ask a question first. Is this an appropriate time to put
back on the table what I was proposing at the panel?

DR. COHN: What were you proposing to do?

DR. TANG: Either we have to come up with this pristine criteria of what you
can and can’t do or you figure out how to make available in an acceptable way
what you are doing with your — your notice of what you are doing and your
record of what is being done with your data and people have the ability to
examine that and make their decision in terms of whether they opt in or opt out
of NHIN.

DR. COHN: I think we need to acknowledge the piece. I am struck that I
think we need to go through a little more conversation before we start coming
up with solution statements which I think —

DR. TANG: It is a solution but it is asking whether this is the approach
versus the criteria. It is sort of like the transparency approach or the
criteria approach.

DR. COHN: Let us hold your thought without coming to an answer on that one
because I am not exactly sure what to do if we said, “Yes,” or
“No,” because I think the answer is it may have very appropriate
value depending on what it is we come up with.

Give me a second to understand it a little better because I am not sure
exactly what it is that we should capture there in terms of what you are
thinking. You can state it and we can draw it up here or do whatever.

I guess you can come back and tell me that you had the right answer after
we have spent a couple more hours talking which is certainly, you know, we
actually have a bunch of pretty smart people around the table which would be
very useful on all of this and the fact is that we don’t all see this in the
right way, in the same way.


DR. COHN: Let me just sort of go through the process that I think may be
helpful at this point and I think this is something that Margaret has come up
with. I mean I think we are, also, talking about the same sort of thing and how
to put it together and I think this is a very useful conversation. I sort of
remind everybody that the framework that we have talked about and what we
wanted to do here was yes, we want to emphasize quality but quality isn’t the
only piece that we want to talk about here. We really want to somehow try to
talk about the overall issue of uses of data, however, we describe it, the
secondary uses of data and I think it bears looking that yes, and the original
drawing we can go back to was only trying to describe at least I think it can
better describe as if there are sort of these sorts of things that have
happened since HIPAA, the NHIN as Marc has described or whatever that we need
to take a particular focus on but that doesn’t in any way say that we shouldn’t
sort of take a look at care delivery. We should take a look at quality,
research, public health because there probably are issues in both the current
environment and where we would like to see them go that bear comment,
consideration and discussion knowing that of course we will I think emphasize
at the end the quality domain because we were really asked to take a hard look
at that area and I think I would actually turn to Margaret at this point
because what she is trying to do and I think as her pages, was it 3 to 7 is you
know some of you and I think Marc Rothstein was somewhat eloquent on this one
saying, “Gee, we should be aware of where we are on the current
environment.” I think we have heard enough to get to know about the areas
that we are sort of uncomfortable about that aren’t just limited to quality but
there are pieces in a number of these things and even for care delivery I think
we probably all agree if we are happy with the way it is right now that
education is probably an area we would want to emphasize anyway.

So, I think it merits to sort of look at the various dimensions and what we
have thought about recognizing that it allows us at least to begin to think
about what recommendations should look like and I think, Paul, that is where
you were beginning to go in terms of how we frame solutions to the problem, I
think. Maybe I am wrong.

DR. TANG: In terms of what to concentrate on the vast majority of secondary
uses that people, the consumers and patients are comfortable with and the
methods of guarding, protecting their confidentiality seems robust and rather
than characterizing all of that it seems like we really need to figure out what
is on the right side and that is fundamental. So, there is a dichotomy of
approaches there and how do we spend our time and who do we hear from in order
to characterize the three bubbles that characterize the right side. That is my
main contribution.

DR. COHN: Margaret, do these help us with the conversation?

MS. AMATAYAKUL: Yes, this has been very helpful altogether.


DR. COHN: Mark, did you have a comment?

MR. ROTHSTEIN: I just want to slightly take issue with something you said,
Simon and that is that we are concerned here with all of the secondary uses and
of course we don’t know how to define that yet but if you think about the
privacy rule and all the ways in which health information is disclosed,
personal health information is disclosed without authorization which includes
for law enforcement purposes, for drug and device adverse event reporting for
judicial processes, I mean the list is quite extensive and we didn’t have any
testimony. I don’t think we are really going to consider that. So, I think that
we are dealing with a subset of however defined secondary information is and
mostly but perhaps not exclusively in the sort of the operations quality.

DR. COHN: Thank you, a very good point.

So, Margaret I guess do you want to talk about these pieces here that we
had thought to sort of at least begin to discuss with everyone and be able to
get input?

MS. AMATAYAKUL: So, what I have done here is taken those five domains, care
delivery, quality management, public health, research and other uses and if you
don’t like those domains we can take those off. I think what we are trying to
do here for the most part is try to separate it out so we can take little
pieces and look at it and try to focus on some sort of model of trust if you
will and there aren’t a lot of trust models out there that are good examples.

I have got a couple at the back of this big packet that we circulated.
Kevin sent me another one but what I tried to do here was say, “Okay, in
whatever domain it is that we are talking about, whatever domain we may end up
talking about what are the trends in trust and risks in uses of
information?” and I think that could be done in a variety of ways but I
particularly like the Belmont report and the ethical thing that we saw as long
as we don’t use the big words, malfeasance and things that are difficult to
pronounce. We can come up with easier terms but if we could kind of describe
that so that would be described on the left there and this is really just a
framework to get us started to think about it. It may serve as an appendix as
sort of a chart for people to refer back to or else just not at all a picture
but ultimately bubble up to the language of the report.

Then taking the AHIMA, FIER(?) Demarkel(?) privacy principles, the CaBIG
tool and some of the others what are the dimensions of things that we have to
consider? What are the laws and regulations, the standards, accountability,
enforcement, oversight, data storage, etc., and I played around with these a
lot and certainly they are open to whatever. If you like the notion of
dimensions of consideration we can play more with those and then say what is
the current environment and then what possible interventions for improvement
might there be in that domain for that thing.

So, for example, in care delivery we have TPO which may include quality but
we are also going to take quality out just for the purpose of the focus of the
report. Today we have information practices, HIPAA and state consent laws and
we are not talking about IRB here because research is a separate domain. That
is just by virtue of the format.

The standards we have we have in addition to the laws and regulations of
HIPAA. We have got some new CMS security guidance that came out in December. We
have VA guidelines and I am sure there are other things that we could identify.

Today we have sanctions that have been identified in HIPAA that are
sanctions that you can apply within your covered entities as part of both the
privacy and security rule and then we have HIPAA civil and criminal penalties.
Oversight data stewardship we have provided a purpose collection and use
limitation which I really like from the Markell privacy principles and we saw
frequently minimum necessary but never really brought out a lot and, Paul you
asked a question today about this and we see it a little bit but we don’t see
it a lot. Even though everybody assumes they know what it means, I am not sure
they really do always know what it means and so we could go down.

Some possible interventions and I have tried to come up with and have more
on a handwritten list from today. So, for standards maybe we need a standard
authorization and these are all things I heard. I just put down what I heard. I
didn’t filter like this is something I thought was a bad idea or a good idea. I
just put down what I heard. Self-policing, there was an article in the paper a
week or so ago about ALINA(?) having over the last 2 years hundreds of privacy
violations and since January of this year they have instituted a zero tolerance
policy and their number of internal HIPAA violations has significantly

We heard OCR and CMS enforcement might be something that needs to be
stepped up. HIPAA minimum necessary might require OCR guidance. Transparency,
we have the notice of privacy practices. Maybe we need some plain language
notice or maybe we need something else in terms of education.

HIPAA individual empowerment permission, again just for the care delivery
piece today we have rights access. We have right to request restrictions. We
have authorization for release of information in certain areas.

Certain state laws also have their own consent. Some things we heard might
be personal health records, health record banking and state law harmonization.

So, I mean we could pick on any one of these items. Here I guess what would
be helpful for me is if this structure makes sense and then we can fill in the

DR. STEINDEL: My first comment is I don’t see this as trends in trust and
risk. I don’t see where this touches on building trust or anything like this.
As a matter of fact I can see most of this as probably impeding the building of
trust because we are just saying, “Let us perpetuate some of the HIPAA
processes in these cases.” We know that people don’t trust that.

So, I would like to find another title for the first column but then let us
get to the actual dimensions, current environment, possible interventions and
which I think is the main purpose of this not necessarily the word smithing on
the column and you know it was pointed out by Les Lenert in his talk on public
health we don’t have simple things to put in these boxes. It depends on what
you are talking about. Actually patient are is one of the easiest things to
fill in these boxes but once we step out of patient care and go into quality,
go into research, go into public health it really depends on what aspect of
quality you are talking about, what aspect of public health and then even in a
broad aspect of public health what specific process are you talking about, and
so I don’t see simple ways of categorizing in these boxes.

MS. AMATAYAKUL: Let me just comment on the first piece. When we started
looking at trends in trust we were trying to find some way to describe do we
get the sense that there is a lot of trust in this area, not so much trust? Do
we feel like the trust is degrading, will degrade more rapidly over time, those
kinds of things? That is kind of where that came from.

I don’t know whether that is important to try to articulate or not but we
heard a lot about trust and so I was trying to get across as you were
suggesting there is a lot under each of these and there are different levels of
trust in each of those areas.

DR. STEINDEL: And I think a chart like that would be useful but I don’t
know if it is really the way this chart is laid out.

MS. AMATAYAKUL: I think it would be useful but I am not sure we could ever
get agreement or that we would get a sense of being accurate about it.

DR. STEINDEL: I also agree with that statement.

DR. COHN: Mark?

DR. OVERHAGE: I guess I am not sure what we are trying to do with this
chart if this is to identify where our questions are. I guess I am still
struggling and I actually like the leakage model the best from all the things
we have talked about so far just because I am still not 100 percent clear on
the through all our testimony, discussion and reading and all the smart people
in the room, I don’t know what we think the problem is. I don’t think we have a
crystal clear statement of what the problem is. What do we think the problem?
Can somebody say in a few sentences what –

DR. TANG: Yes, I think that that leakage of the semi-permeable membrane is
the problem. Okay, that is the problem. We will ignore the parts that are not
the problem which is my issue and go after that membrane and figure out how to
create the rules that control the case of the membrane, make it accessible to
consumers at the time they want to sign up for this, that or the other and then
record everybody who goes through the door passing the criteria and we will
adjust the criteria but —

DR. OVERHAGE: That helps me because I am not sure what we do with this in
the context of that and I like that approach.

DR. COHN: Harry?

MR. REYNOLDS: I am probably not one of the smarter ones in the room but I
am pretty good at process. Steve just did exactly why we have worked hard on
this chart because if you can’t fill anything in on public health then what do
you say? What do we say, just, “Have a nice day”? Remember we are
talking about trust and we are talking about the other stuff. So, have a nice
day because people in this room may really understand it but we are writing a
letter to the Secretary about what is going to happen. I would say right now
and we have spent a whole lot of time on this is we are probably going to end
up, Paul right where you want to be, exactly where you want to be which is what
is outside of there but as we go through these and say, “Covered, covered,
fine,” it also shows a due diligence. If you are producing a document, if
you are producing a report it shows due diligence that we know they are okay
and that there are already things out there that make them okay. It doesn’t
matter whether you fill in every box. It doesn’t matter whether every one of
them has got the right answer. If we just take the one says public health and
say, “Public health, have a nice day,” but the point is at least if
we don’t have a chart up here that decides what we think about it then when
this goes to everybody it is going to go out to I think Paul that we are going
to be at the point where you are. I mean there is no question. What is outside
of this, but until we give somebody the journey as to why operation is just
fine; why is public health fine and it could be one sentence, it could be 20
sentences but if we don’t show the journey and we don’t show that we thought
about it then we just dove over here and we said, “Trust us. Trust
everybody on these other things,” and that is all I am saying because
right now nobody really gets HIPAA and some of these other things nearly as
completely as they need to.

So, our knowledge in this room is robust on the subject. The knowledge of
most people that will read and deal with these subjects may not be quite as

So, it is not to belabor, it is not to drag you through something you
already know but it is to think about a process. So, I am not going to defend
it anymore. I am saying why we put it up there to help the discussion.

DR. COHN: I think I had Deborah next and then Steve.

Come up to a microphone and introduce yourself, please?

MS. PEEL: Thank you, Deborah Peel. Thank you for letting me make a public
comment. Since you are thinking about the future I just want to share with you
I think we can expect the public to get more and more aware of where the
information goes and more and more sophisticated about it and you know,
frankly, the Markell principles don’t even include the right to health privacy.
That is why I put our coalition’s principles in here for you to think about.

If we are thinking about privacy certainly one of the most important
principles is the right to control access to your information. That is pretty
important and the other comment I would like to make is minimum necessary is
talked about a lot here in terms of giving protections. I have talked to lots
of lawyers about it but on the ground you have got to understand how minimum
necessary works.

The insurance company who is going to pay the doctor for the visit says,
“I want this information,” and so you have the 800-pound gorilla
asking for the information and if the doctors push back too much they either
don’t get paid; they get dropped from the plan or they can have their payments
received retroactively denied.

So, minimum necessary is not workable on the grounds even if a doctor was
going to take every request for information, look through the chart, figure out
what is the minimum necessary to answer the question, and that would require
hiring more staff and physicians’ offices aren’t going to do this.

So, I just want to point out that minimum necessary sounds great legally.
How workable it is in an actual physician’s office, forget it. I mean we used
to have actually since I am so old at practicing when we had indemnity
insurance we actually did give out a minimum set of criteria for claims and I
can still state them. You probably can too, Simon, date of service, place of
service, type of service, cost and diagnosis. There was a minimum data set that
used to be all that was required but now when insurers ask for more information
most physicians and most patients are over a barrel. So, that is not helpful. I
just wanted to point that out, but our impression is consumers are going to get
more and more sophisticated about this and that is why we added to our
principles between last year and this year.

There was so much information about data abuse, secondary uses of data. We
are probably starting this year in connection with other consumer organizations
a campaign for prescription privacy because we think every American is going to
get that. They go to a drugstore at least once a year and they are appalled
when they find out that that information was data mined and sold without their
knowledge and consent and that will be an intro we think to help the public
begin to get educated about the gazillions of secret databases there are.

So, I just want to say I think that rather than thinking that privacy can
be worked out without going back really to the foundation of ethics which is
the Hippocratic oath and consent we have just got to, you know, I think you are
going to hear from and want more and more from consumers and they are going to
want more and more control, but the good news is if they are going to give you
the access you would make a good case. That is what we believe.

Thank you.

DR. COHN: Steve?

DR. STEINDEL: Harry, I don’t think we can provide any information beyond
the first page because we don’t have any definition for what quality is, what
public health is and what research is and we have heard that through this
testimony. We haven’t heard a clear statement on what quality is.

We have heard a lot of very loose statements that cover a vast range of
items. Research, we have heard the very vague definition given in the laws but
operationalize that and it is going to be very difficult because it covers a
wealth of different projects. We stated public health covers a wealth of
different projects and how it fits into this depends on the project.

So, my feeling is if you were looking at this t say, “Did we do our
due diligence or not?” I think we heard a lot about the difficulty in
filling in these specific boxes outside of care delivery.

MR. REYNOLDS: But the other thing that we have also considered is don’t
take the chart literally. If quality needs to be broken into four pieces,
better categories or whatever we decide we think we have heard, if research is
two different kinds, if this and that, again, it is, so you are right. I am not
saying we fill them in but it was a structure to think about. It is not right
or wrong. It is a structure to think about and pieces can be broken so we go to
research. Some research if it thoroughly funded, you may take research and you
may fairly fund it and then you may have something else. I don’t know but it is
a way to talk it through. If it goes away that is fine, but it is a way to
think about it.

DR. COHN: Justine, Mark and then Mary Jo.

DR. CARR: Just too follow up on what has been said I think that what we
have learned is that we don’t have uniform definitions. It seems that every
single presenter has come with a different definition and II think that is why
we can’t fill this in because it is not clear. So, I think that is a finding
and that is a need because it is very hard to implement a process when you
don’t even know what you are talking about.

DR. COHN: That may be a little overstating it.

DR. CARR: I am sorry, but —

DR, VIGILANTE: I think most of us have a pretty good idea of what we mean
by quality in research and public health.

DR. CARR: I withdraw that statement.

DR. DEERING: I actually was going to say that my understanding was that we
understood our charge to include the issue of definitions. We hadn’t yet
decided how we were going to execute that charge but we recognized it as a

So, I guess one of the things I am thinking from a process point of view is
whether a document that began and I know you have our taxonomy there but rather
than just a taxonomy some attempts at capturing and maybe you do have them
there, the various definitions whether as a tool to moving us forward, not
perhaps to solve our overall assignment but whether it is just one part of
moving us forward that would be useful and I would also point out that if you
recall when you open a dictionary to a word there is not one definition. There
are multiple definitions with their provenances that are given right there and
that might be a perfectly useful model for us but I just wanted to keep the
definition alive around the table.

DR. CARR: Just to respond to that, I agree. We thought this was going to be
about defining identified and de-identified and I think what we found is that
there is blurring of margins of when quality becomes research or which rules
apply to which groups.

DR. DEERING: Just to jump in I mean for example even in the area of selling
data words matter because we do all acknowledge that data analysis, data
interpretation costs money so that there may even be a blurring if we use the
words “selling data” as opposed to a business case for it. So, again,
I think words do matter.

DR. COHN: Without necessarily defining the corpus I think that we really
saw that one of our jobs is to try to reduce the blurring between quality and
research and so without having to define each we can sort of identify in that
border area not that we will ever get rid of things completely but if we can
make sort of much smaller space that will have been probably a good thing and I
would suggest that probably is one of the pieces of work that we have. So, I
just would sort of put that on the table.

Now, Mark is next. I saw Paul’s hand up and then Steve.

DR. OVERHAGE: First I think Harry’s argument for going through a systematic
approach is a compelling one. That brings us back to the circle and the diagram
because if we are going to use it in that kind of framework then I think it
becomes critical to lay out what are the buckets that we are going to do that
in and then this discussion about definitions made me even more strongly think
that for example when you say, you know, definitions of quality and research or
quality and operations, I think we may be asking the wrong question because you
can do quality in any of those domains and so it gets back that I think we are
trying to convolute things and if we sort of said, “Okay, we will look at
quality, safety and access and things,” those don’t overlap or if we are
going to look at research and operations and I don’t know commercial uses, I
don’t know, you know, those don’t overlap. So, I think in Harry’s mode one of
the things we need to do is be able to answer have we covered the ground. I
think we have to have either a linear one this way or this way or whatever but
I don’t know what the right one is but we need to have a puzzle or a set of
pieces that when you put them together it is the whole thing and not subsets of
it. Otherwise it is going to be hard to tell the story.

DR. COHN: We can show that first slide again if you like.

Margaret, did you have a question?

MS. AMATAYAKUL: Marc, could you just kind of talk a little bit more about
that because I think that is what we are trying to do is to get the pieces and
you know it seems like we always start off with pictures and we never end up
using them. So, that is not a problem, but if we could hear you a little bit
more about what do you mean by buckets and is it only two buckets; is it five
buckets; is it 10 buckets or hundreds of buckets.

DR. OVERHAGE: First of all I don’t think it is two, and I don’t think it is
100 buckets because just to tell the story you want five, seven, eight buckets
or whatever.

Now, the question is along what dimension of the problem, do we want to
create those buckets. So, my instinct although clearly there were a lot of
people around the room who didn’t share this instinct would be to say,
“Take the activities that people understand and know about and try to then
make sure we have covered it,” and what I mean by that is for example
okay, let us talk about research. Let us talk about treatment. Let us talk
about health care operations just because those are, while I agree those aren’t
crisply defined, let us define them however we want but make sure we get a list
of those that cover the ground. I don’t think quality is one of those. I think
quality is a topic or we could choose to do it in a different dimension. We
could have buckets that are quality and efficient access and safety or

DR, VIGILANTE: Topic as opposed to what? They are all topic in a sense. In
what sense are they different?

DR. OVERHAGE: I am sorry, thank you. I am just saying that if we are going
to look, if we are going to try to cover the world and make sure that we have
thought about all the aspects of it we need some categories to present our
analysis and I am just suggesting that there is more than one of those, more
than one collection of buckets or categories that could work and I am not sure
why but I don’t have a strong feeling about what the right one is, but I think
they have got to be parallel in their structure and either they are about uses
of data and I think that is a reasonable way to bucket them, right, like
research or quality or you know I mean —

DR, VIGILANTE: I see quality, but with quality I think about when quality
measures are being used for physician reimbursement and hospital reimbursement
to me that is a very specific use of secondary data that is different than the
usual sort of research.

There is services research which is quality research but this whole
emerging domain of both improving your own hospital operations but then
reporting on that publicly is I think a category worth —

DR. OVERHAGE: I am fine with that. That may be a good bucket or category.
So, maybe and let me just play it out a little bit more. So, there is research.
There is the internal operations. There is whatever and I don’t know what you
would call that bucket but it is data sharing public accountability or
something like that. I mean I don’t know what the name for that bucket is but
you could make a bucket and that is a good point. It is an example that is a
little bit different than I think people contemplated with operations and we
did hear in the testimony about another one of the areas and maybe this falls
into that, sort of the interorganizational data which gets into a lot of
stickiness and maybe that is another bucket for uses.

DR. COHN: Marc, help me with this one because I think we are actually
getting, it is a very interesting conceptualization. We have obviously talked
about innies and outies. We have talked about and typically I don’t talk about
quality only because the term drives me nuts generally but I usually talk
about, well, no, because I don’t know what it means which is I think your issue
but I talk about quality measurement, quality reporting, quality improvement,
but I think you are making the distinction of well, geez, are we talking about
somehow a piece of that for the outies as Paul might comment; is that sort of
what you are, the two of you are beginning to come to?

DR. OVERHAGE: I am not sure I understood your —

DR. COHN: I think there is internal quality measurement, quality

DR. OVERHAGE: Oh, I see what you are saying.

DR. COHN: Whatever, and that sort of has fallen in typically within what we
have contemplated as TPO historically.

DR. OVERHAGE: Let us forget TPO.

DR. COHN: But that is the operations quality.

DR. OVERHAGE: If you are saying that yes, I think we were talking a little
bit about it. I mean there is operations inside your doors and there is, I
don’t know what the right word is, operations outside your doors.

DR. CARR: Quality going out your doors, also, actually part of payment if
you think about it for pay for performance.

DR. COHN: So that is sort of what we are, however we describe it that is
sort of the area we want to focus on.

Paul, did you want to comment on this one? I know Steve had a comment, but,
Paul go ahead.

I am assuming you want to talk about this one.

DR. STEINDEL: No, my comment should dovetail to what Paul is going to say
because it is going to be very, very short because as I have been listening
more and more I think Paul’s basic comment about thinking about this as innies
and outies is the way we need to think about it and I think it was phrased very
nicely in the discussion you and Marc just had about internal operations versus
when you start looking at things that are going external to your internal
operations and we look at things differently and that is basically the way I
interpret your innie-outie type comment.

DR. TANG: I can’t resist an opportunity to weigh in on Harry’s


DR. TANG: But I will second the vote that he is on to something. So, there
is no way that I don’t think any of us are objecting to the systematic build up
of the report and I think one of the things we have sort of what I have been
saying is we have heard a lot of good evidence that says that for research and
public health they do it really well and it is well defined and the methods are
even there and it is testable and so really it is this semi-permeable membrane
and when I run into a word that just hangs us up which I think quality has and
I actually think well, I think it has hung us up because TPO, everybody
understands treatment and everybody understands payment. So, you have got to go
after the “O,” and if it was TPF you know treatment payment and
friendship we would be after the “F,” and the reason is because if we
call it that word, “quality,” it is a free ticket. If you cal it
friendship, it is a free ticket, and so we have to find some other way and that
is where we got the innie/outie is to make it clear and you can’t escape it
because they couldn’t come in and say, “Well, what I wanted to settle for
was treatment,” because it doesn’t work. So, you come in for any blurry
word you can get as long as it sounds nice and that is sort of I think how we
got hung up because I think we almost have to ditch the vernacular which I
think we just got hung up in this discussion.

I guess I am supporting your idea of being systematic and building up the
case, but I also am sort of, we have still got to go where it is fuzzy and go
pin it down and relabel it if we have to and particularly if that relabel is
very descriptive and well understood that we will make a step forward.

DR. COHN: We are getting closer.


DR. STEINDEL: Speaking as a chemist now, I will put on my chemist
background and the semi-permeable membrane of before, the innie/outie works
very well in that purpose because if you have the certain characteristics of
the chemicals or the right osmotic pressure everything stays inside and if its
characteristics are such that it can leak through the membrane then we have
other types of things that we need to consider about it.

So, I think it is a very good conceptualization and ties in well with
Kevin’s idea about the semi-permeable membranes.

DR. COHN: So, let me go back and I am not sure if we want to go back to the
original graphic or whether we want to go back to your areas but what I am
hearing is that maybe the lumps, let us just talk about the lumps that we
somehow want to deal with this one, it appears to be a lump that is called
treatment, payment, and basically what we described as sort of internal
operations that relate to quality and all those other things that we can’t
define very well.

There is a piece called the sort of external quality and performance
reporting measurement and I don’t know whether improvement falls in, I mean
there are some pieces of improvement that seem to be out there but maybe not
but they are sort of uncontemplated. What?

PARTICIPANT: There is the feedback.

DR. COHN: Yes, exactly and maybe it does wind up but maybe it really is
that I don’t know I guess that external uses of data. Now, we obviously have
research but I think I would also suggest that we have this somehow need as we
talk about research that, and I am just reflecting the areas that I found that
made me concerned as we listened, and one is non-federally-funded research
which may be an area that is permeable and I don’t know whether it is or not
but it feels sort of permeable to me, and there is also this issue of trying to
figure out what is quality and what is research because there seems to be some
permeability around that.

DR. STEINDEL: We need to talk about.

DR. COHN: We need to talk about it, okay. Then somehow we need to at least
for issues of completeness we obviously need to —

DR. STEINDEL: We need to talk about public health, too.

DR. COHN: Okay.

DR. STEINDEL: And the innie/outie model is out there and what we may say
about it is that we heard at this point in time the way pubic health is
handling the data that there is a good trust model but as Les pointed out in
his talk we are thinking about doing two things and going at some of these new
sources of data which may change the trust model and I have no objection to
saying that.

MS. GREENBERG: Whoever is speaking I can’t hear you.

DR. STEINDEL: I am sorry, Marjorie. I didn’t have the phone on. What I was
saying was Simon was making the comment about public health and I was saying,
“Yes, public health is out there. It is already an outie. We have to talk
about it,” and what I am envisioning what we would say is you know that we
have a good trust model with public health as we handle it today but as Les
pointed out in his talk we are very seriously considering new models of working
within the new data environment and we may want to issue some statements about
that and how it looks on the other side of the membrane because now it is
getting very close to some of the other ways we are collecting data.

DR. COHN: Mary Jo and then Bill.

DR. DEERING: A lot of this discussion is sounding like we are going to be
focusing largely on the protective aspect and given the fact that certainly
within quality the goal is also to enable, facilitate, promote I would like to
make sure that whatever we do in our analysis we remember that there may be
some things that are AOK because they have got a good trust model but if in
fact the existing regulations are barriers or are not optimal then I think we
would be remiss in not calling those out as well.

DR. COHN: Very good point.


DR. W. SCANLON: I was just going to comment on the trust model for public
health. I mean I think that the trust in some respects is the public support of
the fact that public health reporting has value to society. It is not
necessarily the trust on the part of the person being reported upon that
appreciates this and that is an issue for us which is that getting data into
the system to be used is a consideration because we don’t want the sample to be
skewed in unacceptable ways so there is a question of sort of where are the
limits of trust and where some form of coercion is important because there are
both social benefits and even benefits to the individual that they maybe sort
of myopically decide that this is not sort of in my interest but it may be and
we have to think about that in our considerations.

DR. STEINDEL: Simon, I think that is a very good point to make because we
did hear that from several people. There are very good societal statements
about the benefits of public health and it is embodied in many laws both
federal and at the local level and that is a different type of trust. That is a
societal trust and a lot of what we are talking about in other areas is
individual trust and we have to make a distinction between those two.

I think research is an interesting area and the comment was made one reason
things like the common rule came about was because people started to stop
trusting research.

DR. COHN: This has been a very useful conversation. I guess the question
is, I mean do people have more about this? I am actually wondering whether we
should go back and look at some of the things. Margaret, I am going to scare
you, going back and looking at some of the dimensions of consideration maybe
trying on the right size buckets that we have just been talking about and
obviously one of them is I mean we talked about, I mean the first one we have
just been talking about wherever that is is basically the sort of treatment,
payment, internal operations which in include internal quality work and then
recognizing the public and after that is the sort of external quality reporting

MS. AMATAYAKUL: I am lost.

DR. COHN: Okay, I thought we were talking about what sort of buckets we
wanted to go through with this sort of a model.

MS. AMATAYAKUL: On the far left or the dimensions of consideration?

DR. COHN: No, the far left.

MS. AMATAYAKUL: Okay, got you.

DR. COHN: I was not talking about the dimensions of consideration.

Mary Jo?

DR. DEERING: Getting back to the point I just made that you said was a good
one, I am wondering if the label on the left, is this only to look at the trust
issue; is this particular appendix only to look at the trust issue or even in
this document should we get at that also affirmative enabling aspect as well or
is it hard to do it or are they two different purposes?

DR. COHN: No, let me tell you what I think the purpose of this document is
even though Margaret may be a little less certain than I am.

I think that this becomes the framing for recommendations and so to my view
recommendations fed into whatever recommendations we reel are necessary in
relationship to this area is that the intent here, and I sort of at least
personally saw this as a vehicle to help us figure out as Marc sort of
commented, well, I don’t which of these tools I want to use in this area but at
least this becomes a vehicle to have the conversation whether it is just notice
for information practices, consent, I mean exactly what it is that needs to be
around all of these things or exactly how we want to slice them. So,

DR. DEERING: It just would imply something like a phrase and barriers to
optimum use or something like that which gets a little awkward thee and I am
not sure how to do it but if indeed this is to be the framework then somehow
that left hand column has to be beyond just the trust mode/

DR. COHN: So, basic trends and trust and risk and use of information and
barriers to optimum, sure.


DR. STEINDEL: I made the comment earlier. I don’t like the word
“trust” in that column. I mean we heard a lot about trust but I think
we are talking about you know, trends in risk, uses, barriers, etc. I don’t
know if we are necessarily talking about trust.

DR. CARR: I was going to make the same comment. I think we have some
objective data about areas of overlap and confusion. I think trust is more of a
qualitative response to those overlaps in different settings. So, I would first
focus on where are the overlap and areas of concern and then come back with
trust at another point. It is a separate issue.

DR. COHN: Can you help us given the conversation?

MS. AMATAYAKUL: It sounds to me like what you are trying to come up is
first what are the big bucket domains, the activities that we are going to
focus on and then within that we want to try to characterize the level of trust
and we want to describe the barriers to optimum use.

DR. COHN: As well as possible interventions.


DR, VIGILANTE: I agree with what Justine said. I mean I think we all know
that the trust issue here is very important but the trust is very hard to
quantify without an actual trust scale and it is really the consequence of
having specific things in place that create a relationship which over time you
will trust.

So, we can go into what those things are. There are various models but I
don’t think we are in a position to measure trust. I think we are more in a
position to talk about risks and benefits and the degree to which those risks
may b mitigated by existing policies, procedures and so forth and so on and
then identify the white space for risk, you know, then identify the risks for
which there are no or inadequate policies and procedures or regulations.

DR. CARR: May I follow up on that? I think what we want to start with is in
these areas that are on the outside what are the challenges and why are they
the challenges. So, maybe they are a challenge because there are overlapping
regulations or maybe because there are confusing definitions but what causes
the challenge on these outside uses? So, if we were to say, let us take
quality, we have heard 15 definitions of deidentification, masking, scrambling,
purifying, you know, everything like that. That is a problem because we are
talking about data going outside and we still can’t figure out what is attached
to it and what is permissible and what is not permissible, what rules apply.
So, that would be a way I would identify the challenge of trying to figure out
quality information going outside, one example.

DR, VIGILANTE: In terms of the recommendation I need to understand our
charge. I mean is our charge to make recommendations that will help guide the
use of, secondary user of data in a way that maximizes benefit and reduces risk
and/or the perception of risk to consumers, patients, individuals, however, you
want to characterize it?

DR. CARR: I think step 1 is define the problem. Step 2 is identify —

DR, VIGILANTE: Is it assumed to be a problem?

DR. CARR: Identify the challenge. I am not going to call it a problem but
why is this outside a different set of issues? It is outside and it is being
sold. Why is that an issue? It is outside and we don’t’ know how to de-identify
it. Why is that an issue? It is outside and there are three different
regulatory bodies overseeing it and on any given day any given testifier is
following somebody else’s rules when we might think that they would all be
following the same rules.

So, I am just saying that as sort of an intermediate step to say what is it
that we are trying to address. First we are going to say that here is the issue
and then we can come up with here are some things that we heard that would
mitigate or address what —

DR, VIGILANTE: So, we have the introduction where we set this all up and we
talk about the — I guess I am jumping to kind of the bottom line here to the
recommendations, you know, putting that first because I know we can write all
the other stuff and at the end of the day I am trying to think you know, okay,
what genus and species of recommendations are we proposing to be making here
and is it around mitigating, and my hypothesis and it could be wrong is about
mitigating risk and whether there is perceived to be risk because there is
inadequate guidance, policies, procedures in the current environment to address
that risk. Is that right or wrong?

DR. COHN: I agree with you and that is I think the endpoint of what we are
trying to get to and how quickly we get to it is I think the conversation we
are sort of having.

Now, Harry, you had wanted to comment and Marc and then we will figure out
how we actually move forward.

MR. REYNOLDS: I am trying to listen, but listening to what Marc had to said
earlier it appears to me thinking of that we have heard care, which is one
bucket. We have heard operations which is a second bucket and we have heard
research which is a third, okay, three buckets?

What I just showed Marc was under care you have quality, efficiency,
safety, public health. Under operations you have the same things. That is where
he was trying to say these things may fit in each one. So, let us take an
example of care and quality which he just made a quick comment that maybe it
didn’t belong there. Having been heavily involved in e-prescribing when you are
doing care you are getting quality data about what are the drugs the person is
or isn’t on and it has given you warnings and other things. So, that is adding
to the quality of what is going on right there.

If you go to operations and you talk about quality, back to our earlier
point, Paul’s innie and outie you have got is it internal ID’d, internal
de-ID’d? Is it external ID’d and then the same thing with research because when
you get to research we have talked about if it is totally deidentified, back to
the risk, back to the trust, back to the other things. Maybe that is not as
high, and I showed it to Marc. So, making some of these other things that we
have heard a subset of each of these not at length just whether you mention
them or not is different than maybe what we had done because we had quality as
its own thing and maybe it is permeated in each of these as a subset with other
things. Just a thought.

DR, VIGILANTE: Going back to my sort of paleolithic conception of things I
see care and the activity of care and the intention to seek care as the way
primary health care information is generated and the patient, most patients
don’t expect it is going to be used in any other way. They get the notice of
privacy but they probably don’t read it and even though they are being told it
can be used for operations. So, that is primary, and everything is secondary to
that and I think that quality, the Venn diagram of quality there is a large
overlap with the operations bucket because a lot of the quality work that is
done is done in the name of operations quite legitimately and then there is the
public reporting and I think that you made this point in your presentation to
distinguish between internal operations and external reporting of quality
measures and so I do think that can stand on its own as a separate bucket and I
think that is not without guidance, at least part of it certainly from the
HIPAA perspective there is some regulatory coverage there. Research I think is
a separate area and certainly from the common rule there is a large segment of
regulatory coverage there although there may be some areas that are not quite
adequately covered because they are outside the common rule for some reason.

I think what is least well covered is what leaks out of operations or other
appropriately covered secondary data sources into tertiary, quaternary,
particularly those that are paid for.

So, I don’t have a problem with care but that is primary. Quality is often
secondary and research is also secondary.

MR. REYNOLDS: If you listened the one presentation today when it talks
about, and I will just use e-prescribing because I will tell you right now
e-prescribing is secondary use of data.


MR. REYNOLDS: If I have three drugs for the care and now I haven’t gone
back for a month and I come back in again and using technology you go out and
get if you are going to use that data that you did for my care the first time
and you the secondary use of it is e-prescribing for my care again, okay, it is
not data that was so — and it is in the database, and it is in all these
things where we talk about you call operations or I don’t know what you
operations but all I am saying is as we look 5 to 10 years from now —

DR, VIGILANTE: What about data that you use to pick up your prescription?

MR. REYNOLDS: That might be one. There might be that I did pick it up.
There might be that warning that comes back —

DR, VIGILANTE: Let me try to understand the example. I may not be
understanding. So, let us make it extremely concrete. I come see you. You
prescribe digoxin, lasix and cataxin(?) for me and then I leave and I come back
a month later and you are saying what?

MR. REYNOLDS: When you prescribe a drug for me I go out —

DR. VIGILANTE: You are prescribing for me.

MR. REYNOLDS: Good. Okay, when I do that and I put it through e-prescribing
it is going out to a database that exists that has your drugs on it and comes
back and says that there is a warning. Is that a primary use or is that a
secondary use?

DR, VIGILANTE: That is neither. That to me is something that you know that
is decision support that is a functionality that theoretically you could have
figured out with your own brain.

DR. STEINDEL: I look at that as primary use. I think most of us would look
at that as primary.

DR. CARR: If we are going with the belly button model of innies and outies
I would just put care on the inside and the areas that we are focusing on I
don’t think care is there. I think it is quality reporting, public health,
research and other and then trying to, I go back to what I was saying before
about trying to define the challenges. So, quality reporting is understanding
more about de-identification and sale of data.

Research is how do you get from quality data to published data. Are you
crossing the line, and then what is the oversight body if you are federally
funded or not? I mean these are the kinds of issues but I would leave care on
the inside and not needing to be addressed.

DR. COHN: I think we are sort of agreeing that care is probably on the
inside on this one.

Mark is next.

MR. ROTHSTEIN: I want to comment about the growing acceptance of the
interior/exterior dichotomy which I don’t think on reflection is nearly as
clean as it might seem and I think these are factors to consider but I don’t
think they are necessarily determinative and let me give you an illustration of
the kind of problems that I am thinking about.

Now, when Kaiser, its multi-locations shares data on outcomes at its
different sites with central Kaiser research somewhere okay is that internal or
is that external? I would argue just for the sake of argument that it is
internal, okay? So, if say that it is internal now, what is BHI which collects
data from affiliated but not identical or self-contained one self-contained
organization; is that internal or external and how are you going to make the
argument that let us say Kaiser’s use of the data is internal and BHI’s use of
the exact same data is external? I think whether it is acceptable or a registry
for that matter if you want to get a third model, I think whether it is
acceptable without any sort of patient permission depends on what the use is of
the data not just whether it is deemed to be quote, internal or external.

So, I can envision all three of those sample entities doing things that I
would consider quite acceptable and whatever the loosened rule that we are just
sort of generally applying internal ought to apply but I could also envision
all three of those doing other things that I might not want them to do without
some level of patient permission.

So, all that I am saying is that I think it may be more complicated than
simply if it is internal, however defined it is okay and if it is external,
however defined, it is not okay.

DR. COHN: Marc, thank you.

Justine and then Steve?

DR. CARR: You raised a very good point, I think but I think if we were to
begin to parse that data and we say, “Internal to where the data was
generated,” that takes care of Kaiser, whether you are part of a hospital
or a system or so on.

MR. ROTHSTEIN: But you mean it has to stay within the four walls?

DR. CARR: I mean if it was generated by a Kaiser affiliate and it is being
used by Kaiser that could be considered internal and off the table but your
point about, so BHI thinks of it as internal because it was submitted to them
but it wasn’t generated by them. So, that represents another category and how
we deal with that then, we think about that but was generated in your facility.

DR. COHN: Maybe I will jump in before Steve goes on. Obviously without
going through models or whatever but obviously there have been associate
agreements. I am not sure that I would for example consider what I mean of
course I can talk about my colleague here dealing with the Blues but given that
they are talking about business associate agreements that actually sounds sort
of what I would typically describe in the vernacular as internal. It is sort of
when it gets beyond business associate agreements. As I say that I thought part
of the conversation was do we need to strengthen or clarify business associate
agreements. So, I don’t know that we, you see, I mean I think that there was
some value for us to look systematically through the pieces because some of the
issues you know we may want to recommend some strengthening of things.

MR. ROTHSTIEN: I wasn’t suggesting any sort of model or where to put each
of those organization. All I am saying is I think it might be more complicated
than simply saying internal/external.

DR. STEINDEL: Actually you didn’t convince me that it is more complicated
than saying internal/external but I think we are saying the same thing an this
gets to what we said earlier. Just because something is external that first of
all doesn’t make it bad and second of all doesn’t mean that we are going to
ignore it. We are going to look at it. That is all it means is we are going to
say that we want to spend a little time discussing it. I think your registry
case is interesting because the way I would look at it at an internal cancer
registry that is doing the cancer registry work within the facility of the
hospital I would look at that as operational quality control and it is internal
but once they send that data to a state cancer registry then it becomes
external and we need to ask the question okay, is there anything we need to say
about the data once it leaked outside and in this particular case I would say,
“No,” because we have good state laws of covering it and it has been
considered to be a societal good, but we did stop and say, “Look at it.’

In the case if BHI and Kaiser I think those are two very good examples but
I think in one case Kaiser actually used data that was to draw their Vioxx
example. They used data that was collected for clinical care and derived their
inferences from that whereas BHI may derive the same inference but it is using
data submitted outside for payment and that is why I said that it leaked
through the membrane.

MR. ROTHSTEIN: But, Steve, even treatment information that is used
internally within the same four walls of let us say a single entity hospital,
right, there is just one hospital that doesn’t mean that we shouldn’t take a
look at what is being used and maybe even though it is primary use we say that
there should be role-based access, right? So, it is disclosed to the billing
clerk. It is disclosed to the dietary department but they don’t get the same
thing that the treating docs get.

DR. STEINDEL: I will accept your clarification because we were just making
the presumption in our discussion that okay we are talking about this data that
is being used for operations and quality internal within the hospital and we
have to really realize that that is a big domain and we do have to talk about
data restrictions in that domain, and we need to reference that material.

DR. CARR: Is that secondary? I mean is that within our purview? I agree
that role-based access is important but if we are talking about secondary use
and I am in the cafeteria waiting for the order for your lunch and you are a
patient that is primary as far as our routine or you are coming to the OR and
asked to look up what floor you are on and that is operational.

DR. COHN: I would worry if we spend all of our time in the next 4 weeks
talking about what is internal versus external or what is primary versus
secondary. I think we need to see as we look to areas, see where the
recommendations lead us and what we think are the risks which is one of the
reasons why we have put a page up there that talked about care delivery,
whatever only because yes we can spend all of our time trying to dissect out or
we can talk about it and see if there is a valuable recommendation there/

Kevin and then Margaret?

DR. VIGILANTE: The choices people make are based on the calculus of
benefits versus risk and I think it is pretty clear that the benefits of
secondary data can be extraordinary and I think we will point that out.

So, I think our role is to identify those areas of risk and I think from
what I have the biggest risk comes from data leaking out of the operations
bucket into other uses than people would have expected in particularly the same
of that data.

So, I think that is a big area of risk in this whole calculus that we need
to focus on. Now, the, oh, I jut lost my point. Why doesn’t’ somebody else
talk. I am sorry, I forgot what I was going to say.

DR. CARR: Outside should be risk versus no risk. Risk is already covered
whereas outside there are outside uses that I know we are not doing
inside/outside but if we were —

DR, VIGILANTE: Go on, and I was going somewhere and I forgot where I was

MS. AMATAYAKUL: I think that it is really important to go through an
exercise and try to come up with internal/external, is it care delivery, is it
research quality, those kinds of things because there certainly are differences
but I am also sort of mindful that I sat down an made a lit of recommendations
totally outside of any attempt to bucket them and I am wondering if for
tomorrow with all of this good information and we shouldn’t throw it away but
maybe we just take a look now at some of the recommendations and then say is
that really a global recommendation? It doesn’t matter what use or that is
really for this specific use.

DR, VIGILANTE: I would like to do that. I remember what I was going to say.

So, if one particular area of concern is about the unforeseen sale or the
undisclosed sale of data then I think the buckets that we talk about whether
they are quality research, public health, is there another bucket called
commercial or is it sustainable model or does each one of them have a
corresponding quality model or commercial component of each of those rather
than commercial being on the side, but we need to address in some way I think
as a bucket the quality of the commercial component of each of those rather
than commercial being on the side, but we need to address it in some way I
think as a bucket.

DR. COHN: I think that issues are defined by the purpose and the executor
or the user.

DR. VIGILANTE: Put that on the “to do” list. I think we need to
come up with something there.

DR. COHN: We need to think about how we are going to frame that. I mean it
is a general concern of exactly how you bucket it.

Now, Harry has been absolutely patient and you can see how brilliant he is.
We all ought to listen very carefully.

MR. REYNOLDS: The other thing I would like us to use as a filter is I
thought we heard an excellent presentation from Joel Goldwein about what they
are doing with the oncology situation because if you look at what he had to say
they are going all the way from to all the way to selling it.

So, that is the one example that we have had so far that kind of took it
because it was owned by people that cared for them and then it was sold.

So, I think it was an excellent testimony as we heard as we talked about
what type of data it was and what happened to it and I think that is a good one
to use as a filter also because we are starting to focus on just particular
players and I would say to you that this both now and in the future, the
players will blur as to who is who and what is what and what is our capability.

So, I think it is very important that we add some other testimony. You know
some of today’s is fresh but I thought his was probably the most complete we
have got all the way from end to end and so I think that is also another good
filter whatever we decide is to overlay that one on top of there.

DR. COHN: Now, we are going to change topics just slightly but I want to
give you a chance if you have anything more to say on this.

DR. STEINDEL: Where would you put Northern New England? I mean except in
the early days he did sell his data but today he is not.

MR. REYNOLDS: I am saying that we have had a number of excellent examples
that we can, yes, that is what I mean that we can put in there.

DR. COHN: I want to give everybody a deep breath here because I think we
have talked, I mean I think we are trying on models and we are trying to figure
out how to put this together.

I mean there are issues that I think we have identified and this
innie/outie, the research quality sort of conundrum or area that has some
permeability but also sort of process and everything else.

Probably there is an issue around and I don’t know if we want to get into
it or not but this issue about non-federally-funded research and we obviously
have had testimony on that but I think it continues as sort of an issue knowing
that at least as far I think most of us are concerned federally-funded research
has exceptional protections.

In fact, people get confused because there are so many protections there.
So, maybe it is the opposite problem and then public health which I think we
have heard pretty adequately about.

Now, I now that between now and 11 o’clock tomorrow morning we have a
couple of things that we want to talk about. One is that we do want to I think
hopefully based on this conversation go through and begin to look at some of
the recommendations that seem to be sort of seeping up at least you know maybe
holding our word smithing about is this exactly the right bucket but just to
give a flavor of the types of things that I think we are all thinking or at
least the questions we have and I think if we can sort of give our input to
Margaret it will be immensely helpful in terms of sort of moving us forward
because I know Margaret wants to spend some time beginning to try to put things
together and as you remember we do have a conference call scheduled on the
fourteenth of August from 12 to 3 eastern time where hopefully if we can
provide appropriate input we can begin to sort of see how things may begin to
come together.

Now, another piece is that we have a hearing scheduled, hearing and meeting
scheduled for the twenty-third and twenty-fourth and of course it is already
beginning to get filled up with various presenters and I think maybe we can
just take a minute and sort of wander through that but the other piece that we
need to reflect on today and tomorrow is really and I think Margaret is
obviously, I think we are all sort of concerned about what have we missed that
we need to hear about and I will tell you that obviously my desire would be for
us to finish off at twelve noon on the twenty-fourth but given that we may not
have additional hearing dates or sorry, there are no more planned which of
course we can talk about tomorrow as well as on the twenty-third and
twenty-fourth of August. We want to make sure that we are not missing something
that we need too hear about.

Now, Steve, you had a comment. You have a very worried look on your face.

DR. STEINDEL: Yes, I would like to touch a little bit on the question of
non-federally-sponsored research and what we need to hear about it or from what
because obviously we are thinking about future things and this was one of the
things that you mentioned.

As I understand it, well, first of all the federally-funded research coming
from I think most arms of the Federal Government even though I think NIH is
probably the only on that is really required to do the IRBs but CDC does and
AHRQ does, you know, require this high level of approval and from what I also
understand and Marc is probably the one I am going to rely on the most on this
even if it is non-federally-funded research if it is done in an institution
that gets federal funds it still needs to go through IRB approval and then in
the non-federally-funded area, so we are talking about a sub-segment of
research, you know that is done out of institutions or places that receive
federal funds and correct me if I am wrong because I am talking about my
understanding and then when we have non-federal dollars going into it we have
people like RWJ and the Gates Foundation and you know people that we generally
think about as good and then we have people like the pharmaceutical companies
whom we may or may not think about as good but I think they have very high
standards in the way they do research in a lot of areas as well and so there is
really just I think and people can correct me a very small sub-segment of
non-federally-funded research that would fall into the area that we would want
to question and quite frankly I don’t know if we can identify those people or
if we would get them here, and please correct me if I am wrong.

MR. ROTHSTEIN: I am not sure we need a witness on this. What I think we can
do is we have had Julie Conasharo testify previously. I am sure we can ask her
to describe the kinds of entities that would qualify as non-federally covered
and it is very small because as Steve suggested the federal regulations not
only apply to recipients of federal funding but institutions that receive
federal funding execute what are called multiple program assurances with the
Federal Government which says that any project that is worked on by that
institutions regardless of the funding source or it could be not funded at all
will adhere to federal research guidelines and in addition then you have got
the pharmaceutical research which is the human subjects part is done in
contemplation of an FDA drug submission and they are covered by the research
rules of the FDA.

So, there are some theoretical and some practical researchers that escape
through the net but it is very small and I don’t think it is really worth
wasting a lot of time on.

DR. COHN: That may save us then and so, I think your idea of just asking
the question to her might be very appropriate.

Justine, do you have something on this point?

DR. CARR: No, it was a suggestion for testimony.

DR. COHN: Oh, okay, I was going to go through what we have so far, but do
you want to —

DR. CARR: I am just looking over the notes from John Loonsk yesterday. He
talked about the commercialism better definitions of commercialism.

DR. COHN: Loonsk?

DR. CARR: Loonsk and then last hearing we talked about technology that can
help address privacy and we heard about that again today, too. So, I just
wanted to put those two out.

DR. COHN: Where you need to reflect on the question is and I agree with
you, I think that this is, we need to make sure that we are hearing about or
hearing further about these sort of mitigating approaches which include tools,
technology as well approaches to reduce risk.

The question of course is whether or not we have them in here already or
not and I don’t have the answer to that one but I thought we could at least
take a look through, and give you a chance to sleep on them tonight to see if
there is anything that we are missing.

Harry, did you have a comment?

MR. REYNOLDS: Yes, I had asked Dr. Peel if she would give us a list of what
she mentioned in her testimony today. I wanted to make sure that that was —

DR. COHN: Yes, but I certainly agree with you that we do not want to leave
stones unturned on that one.

So I think everybody has a copy of at least the proposed agenda for the
August meeting and I think part of this is people who aren’t able to
participate previously and some of it is also this issue of moving into the
litigation issues.

The first hearing I think we were talking about of our HIE experiences
which include a good sound health alliance, hopefully Santa Barbara and some
experiences from the UK.

Do you want to go through this Margaret?

Okay, Margaret, why don’t you go through what we really have?

MS. AMATAYAKUL: I am going to, yes, I will go through it and Aaron and Mary
Jo have been e-mailing all day long today as well. So, they will have some
updated information.

Rachel Quinn from Puget Sound, that is the value exchange and we are
uncertain whether she or somebody else or anybody can come or be by phone. We
have to find out about that.

Robert Reed from Cottage Hospital I think if we can’t get him and there was
some possibility we could for later we have a fair amount of information from
the conference that was held yesterday where David Braylor presented about the
issues there and Monica Jones from the UK, Mary Jo?

DR. GRANT: She basically confirmed. I don’t know the date and time.

MS. AMATAYAKUL: And the purpose of this would be to focus a little bit more
on health information exchange, get an international perspective, get a
perspective of the lessons learned and to look a little bit more at this value
exchange concept.

The second panel on health data protection solutions needed in health
information exchange we are still trying to get John Santa or maybe somebody
else from the Prescription Project and then we are trying to get somebody
either from Kaiser or PBM to talk about secondary uses of pharmaceutical data
and then David Hopkins from Pacific Business Group.

For consent we are still looking at trying to find an HIE vendor who can
give us some technical perspectives. John White has told us that he will not
have the data storage of RSI completely finished but —

DR. GRANT: They are currently looking through their responses they
received. I think they received about 75 responses but they won’t be completely
summarized by the end of August. So he can provide us with some information but
it won’t be a complete report. So, when I spoke to him he just wanted to make
sure that the group was comfortable with sort of limited information.

MS. AMATAYAKUL: Dan Macies and his entire crew is going to be in Australia
and for automated consent management we have three companies, one of which is
in New Zealand. So, I strongly recommend we just go down there.

There is one company that we may be able to get and then Rick Peters was
also suggested as somebody who might be knowledgeable in that area if we are
going to the other companies first. I don’t know.

DR. STEINDEL: I believe the security and privacy work group of HITSP is
undergoing public comment on their security constructs which contain a lot of
these elements. We might be interested in hearing them. I think they should be
pretty far along by then.

DR. DEERING: There is a tool for the managing of tissue specimens that we
have and that tracks consent for use of specimens across use and we could
identify someone to speak about that if that were considered an interesting

DR. COHN: I would that agree would be, is everybody in agreement that that
makes, you know, okay.

DR. STEINDEL: We actually have the same sort of projects going on at CDC
where we track consent for use of specimens and I think it is a very focused

DR. COHN: I don’t care if it is a focused area. Is it a generalizable

DR. STEINDEL: I think what I am saying is I am not, based on what I know
about the CDC tool I am not certain it is a generalizable approach.

DR. GRANT: Steve, your point about HITSBE just saw the most recent schedule
yesterday and they are doing public comments through August 17, and then they
will be doing comment resolution and panel approval August 20 through October

So, to the extent that they will have summarized what they receive through
public comments by the time we have our panel I am just not, I can check on

DR. STEINDEL: But I think they probably could talk at least about what they
sent out for public comment.


DR. DEERING: Actually, Steve, it did occur to me that maybe the use case
isn’t necessarily generalizable but the technology is. I mean the underlying
technology of how you capture and manage and track this is open source
technology and it is certainly to the extent that I think the Committee wanted
to hear you know is it doable, is it technologically doable not necessarily a
specific use case, I think it would be generalizable but again I am not going
to push it.

DR. STEINDEL: No, you just said an essential difference between what you
are doing and what CDC is doing and the key word is open source. So, it might
be worthwhile.

DR. COHN: Good thank you.

MS. AMATAYAKUL: The next panel on potential trust communication solutions
our main focus here is plain language health literacy and Mary Jo has got some
contacts there. We also thought it might still be worthwhile to look at some of
these Health Grade, Choice Point, physician certifying boards. We do have an
invitation out to one of the certifying boards but we still haven’t heard back
from them.

Health Grades declined. Choice Point is another option for us but I think
we are going to focus on plain language health literacy over the other two and
then finally Tom Penno from Indian Health Information Exchange and Elizabeth
Belmont from Maine Medical Center in the American Health Lawyers Association
are only available on the twenty-fourth. We don’t have either one totally
confirmed but we are close I think.

DR. GRANT: Yes, I will hear back from Elizabeth next seek whether or not
she is available but what she did say was she and a colleague can pull together
written testimony. It is just whether or not she would be here to walk us
through it.

DR. COHN: So, I would have you all think about this.

Yes, Margaret?

MS. AMATAYAKUL: So, two open questions are do we want to have somebody like
Litanya Sweeney or somebody talk about the de-identification process and I
heard Justine say definitions of commercialism.

DR. COHN: I was looking at the notes from John Loonsk’s presentation or
discussion yesterday. He said, “What needs to be defined going forward,
better definition of commercialism, commercial ventures, doing public
good,” and then also —

DR. COHN: It may be a discussion topic. I don’t about testimony other than
I think we are very well aware for the record that there are a significant
number of commercial entities that are trying to do public good and we support
them all.

DR. CARR: As you had said, are there any gaps that we haven’t heard you
know thinking about that as the last thing? Are we ready? Will we be ready at
the end of that to make recommendations? I mean I think we have got a lot of
background and a lot of information about where the challenges are but in terms
of recommendations have we heard enough?

DR, VIGILANTE: I think one of the things I guess is when we go back to
increasing transparency at the point at which permission is given to use data
if it is going to be used in unexpected ways is really understanding what
mechanisms we would use to resolve that issue and talking to communications
experts about that might be a useful thing and this guy that I mentioned
earlier, Peter Salmon from Princeton you know he probably knows nothing about
what we are talking about at all in terms of the specific application, but I
just wonder if he would be like just an expert in risk communication would be
somebody who could help us think about that if you want to ultimately do things
that will decrease the outrage factor.

DR. COHN: I would use a different term. I think I would talk about
mitigating risk. It is probably a nicer way and I think communication, I mean I
think we all recognize it is a key part of it. So, yes, I think your idea is a
good one.

DR. DEERING: When you talked about do we or do we not need any more
testimony about commercialization, etc., before we seemed to have been sort of
saying, “Well, no, it is a point,” and we moved on but I would like
to sort of at least keep it on the table to make sure that we have considered
this aspect. You will recall that when all four of the NIM(?) prototype
contractors stood up and said, “What is your business case going
forward,” it was data mining an so I am sure that that is partly not just
for quality but I think that concern is that is this assumed by many of the
RIOs(?) to be the only bona fide business model going forward.

I am going to ask a question. Is there something about that assumption an
that issue and that challenge that we should be looking at from the point of
view of a prototypical RIO because it would serve ONC and it is secondary use
but is there something about that particular use case that is special that just
to be due diligent to our clients we should be looking at?

DR, VIGILANTE: I think the corollary to that is what does this market look
like? How big is this market from an economics perspective? How big might it be
and what damage may be done or how important is that market to sustaining the
collection of secondary data, you know, a revenue source to actually do the
work that needs to be done in the future to actually make your quality
measurement a feasible financial enterprise and the public reporting of it? Is
it all going to be publicly funded? Can docs and providers bear the burden on
their own financially or do info-mediaries have to be, does there have to be a
thriving market of info-mediaries to provide this information in order for this
business model to continue and thrive?

Now, there is probably nobody who can give us those answers but it would be
a useful thing to think about in this context.

DR. COHN: I agree. Do you have thoughts about who could help us think
through this one?

DR, VIGILANTE: I don’t know who has studied it.

DR. COHN: I think it is a very good question though.


DR. ROTHSTEIN: I think that might be taking us a little far afield. I think
we all understand that the current funding mechanism and the business plan for
the NHIN components is sort of up in the air but even if that were resolved
there still would be commercial entities unconnected with the NHIN that would
be interested in doing data mining.

So, I think it is fair to say that it is a significant problem and it is
unlikely to go away and therefore we are recommending the following steps to
deal with it without being, I mean this is so difficult and we are so far from
resolution that I am afraid to get us going into a different direction.

DR, VIGILANTE: You are probably right. I guess what I am trying to think
of, I guess what I am trying to get at is you know in the future it may be
important to have a thriving sustainable marketplace that can actually support
the aggregation of data in order just for the general good and that caution has
to be, at the same time that you need transparency there also needs to be
caution in the exercise of regulatory power so as not to undermine the possible
development of such an industry and I think that we have to consider that.

DR. COHN: Marc O, did you have a comment?


DR. COHN: Okay, Harry? Okay. Anyone? Okay, I know we have sort had a long
day. It was intended to be. I think we have actually had a very good
conversation and I don’t know that we have necessarily moved the ball but we
have exhausted couple of things.

I think this is obviously, you know, we have gone through this process a
number of times now and the purpose of models which is what I said at the
beginning is not to fall in love with them but more a question of, and I am
reminded yesterday that one of our presenters, I think it was Wendy who sort of
was like so what. I mean the purpose of these things is to help us tell a
story, to help clarify the issues for us, to help us develop recommendations.
There is no intent at this moment that we have the final model and there may
not be one, but on the other hand if the conceptualizations help us move
forward I think that is really the intent here and so we will just take it as
such, recognize that they are all draft and we are sort of bandying around and
batting them around but I do agree with Margaret that tomorrow morning we would
be very well served if we suspend belief a little bit and start looking at
actually what recommendations seem to come to us that make sense and that
hopefully will be what we use most of the morning for.

Now, tomorrow morning does start at eight-thirty. This is one of those
mornings where to get you out at around eleven I would hope everybody will be
prompt and let us do some work.

With that the meeting is adjourned and we will see you all in the morning.

(Thereupon, at 5:30 p.m., a recess was taken until 8:30 a.m., the following
day, Friday, August 3, 2007.)