[This Transcript is Unedited]



August 23, 2007

Hubert H. Humphrey Building
200 Independence Avenue, S.W.,
Room 305A
Washington, D.C.

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030

Table of Contents

P R O C E E D I N G S [9:05 a.m.]

Agenda Item: Introductions and Overview

DR. COHN: Okay, good morning. I want to call this meeting to order. This is
a meeting of the Ad Hoc Workgroup on Secondary Uses of Health Information of
the National Committee on Vital and Health Statistics. The National Committee
is a statutory public advisory committee to the U.S. Department of Health and
Human Services on national information policy.

I am Simon Cohn. I’m Associate Executive Director for Kaiser Permanente and
Chair of the Committee and this Workgroup. I also want to welcome Committee
members, HHS staff and others here in person, and, of course, welcome those
listening in on the Internet and remind everyone as always speak clearly and
into the microphone, especially given the nature of the logistics of this room.
I think if we’re not careful, we’re not going to be able to hear each other
much less those on the Internet.

With that, let’s have introductions around the table and then around the
room. For those on the National Committee, I would ask if you have any
conflicts of interest related to any of the issues coming before us today,
would you so publicly indicate during your introduction.

I want to begin by observing that I have no conflicts of interest. Harry?

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina, a
member of the Committee and Subcommittee, no conflicts.

MR. ROTHSTEIN: Mark Rothstein, University of Louisville School of Medicine,
member of the Committee and the Working Group, no conflicts.

MS. JONES: Monica Jones. I’ve come over from the U.K. for this meeting
today. Thank you very much for the invitation, and I don’t think I’ve got any

DR. OVERHAGE: Marc Overhage, Regenstrief Institute, Indiana University
School of Medicine, a member of the Committee and the Workgroup, and no

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention,
staff to the Workgroup and Liaison to the full Committee.

DR. W. SCANLON: Bill Scanlon, Health Policy R&D, member of the Committee
and of the Workgroup, no conflicts.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Research and
Quality, Liaison to the full Committee, staff to the Workgroup.

DR. ANDERSON: Kristine Martin Anderson from Booz-Allen & Hamilton and
contract support for the Workgroup.

MS. GRANT: Erin Grant from Booz-Allen Hamilton, contract support for the

DR. VIGILANTE: Kevin Vigilante, Booz-Allen & Hamilton, member of the
Committee, no conflicts.

DR. DEERING: Mary Jo Deering, National Cancer Institute, staff to the
Committee and to the Workgroup.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics,
Committee. Staff.

MS. AMATAYAKUL: Margret Amatayakul, Contractor to the Workgroup.

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the
Committee and the Workgroup, and no conflicts.

MS. VIOLA: Allison Viola, American Health Information Management

MS. WOOSTER: Laura Wooster, Blue Cross Blue Shield Association.

MS. INGARGIOLA: Susan Ingargiola, Manatt Phelps & Phillips.

MS. COHN: I want to welcome everyone. As I said, this will be a close and
personal session today. I just make a comment about logistics. Obviously, this
room, I think, is set up for the moment well for taking testimony as we begin
to get into conversation later on this afternoon, we’re going to be moving
people more into a round circle situation moving people here. But certainly,
for the testimony, we’ll be obviously looking at it here just to be aware that
we will be moving things around as the day goes on.

Let me make a couple of opening comments. Obviously, today marks the
beginning of the third set of hearings on secondary uses of health information.
Just to remind you, specifically we’ve been asked by the U.S. Department of
Health and Human Services and the Office of the National Coordinator to develop
an overall conceptual and policy framework that addresses secondary uses of
health information including a taxonomy and definition of terms as well as
develop recommendations to HHS on needs for additional policy, guidance,
regulation and/or public education related to expanded uses of health data in
the context of the developing nationwide health information network with, as I
think we’ve discussed, an emphasis on the uses of the data for quality
improvement, quality measurement and reporting.

I want to thank Harry Reynolds and Justine Carr for being willing to be
co-vice chairs and will be turning the session over to Harry in just a minute
to sort of facilitate the day’s hearing.

I obviously want to thank the rest of you, some of you were not here, people
such as Paul Tang, but Bill Scanlon, Marc Overhage, Mark Rothstein, Kevin
Vigilante for being willing to serve on this Workgroup. We obviously also want
to thank all of our support including Erin Grant, Kristine Martin Anderson, of
course Margret A who has been my lead support for helping us move to this

Of course, also our liaisons, John Loonsk isn’t here today, but Steve
Steindel, Mary Jo Deering, and of course our Debbie Jackson who is not liaison
but is also a key support. And of course the other support from NCHS that has
really made this possible today.

As I have said previously, we’ve obviously spent a lot of the summer on this
project. I want to thank you for giving up your vacations, saying goodbye to
your family on such a frequent basis all summer.

Having said that, I was impressed recently as I thought about this on a
Sunday with Margret A about how much it’s going to take to get from where we
are today to recommendations in a draft form for discussion with the full
Committee in late September and from there to final recommendations in the
October timeframe.

So I think you’ve all been queried about possible dates for additional
conference calls. Obviously, we have a lot to do to get from where we are today
moving forward.

Now the agenda today, and I just want to remind everybody, we’re trying to
do sort of two things at once. We’re talking about a broad framework that
relates to secondary uses, but we’ve also been asked specifically to drill in
to the issues that relate to quality measurement, improvement and reporting.
And so we just need to be aware that the discussions are going to be basically
taking sort of, we’ll be talking broadly but then narrowly and then broadly
again, and everybody just needs to be able to tolerate that sort of moving up
and down the levels of specificity.

I know that many of you have been thinking about how we put all this
together. And having been in many other processes like this, I think it’s a
valiant effort. However, I do want to remind everyone that we’re not double
tilling yet, and I fully believe that we are going to be having very
interesting information coming from today and tomorrow that will help
illuminate our thinking in all of this. So I would just caution you to (a) keep
your mind open, be aware that we are probably going to be reconsidering between
now and the end of September five or ten times overall frameworks and
conceptualizations of how all of this comes together. And so I would just ask
everybody keep an open mind, listen, not come to judgments or opinions too
quickly in this whole area because I think there is much around here that is
nuanced and that we need to sort of tease out as we sort of move forward.

Now the agenda today is, I think, very interesting. I’m very pleased to have
Monica Jones start off with a perspective from the U.K. I think we heard from a
colleague of yours, for those of us who attended the American Medical
Informatics Association meeting in the, I guess it was late springtime, in
relationship to what was going on in the U.K., and I think it once again
provides, I think, a different perspective about how we deal with all of this
maybe not so much the subject matter, but how you deal with mitigating risk,
other approaches. And remember, part of our role here is also to look at tools,
techniques, approaches to help mitigate risk in all of these areas as we
identify that there are risks. So I think a different view from a different
country would be very helpful at this point.

Then we move into a discussion that I think begins to sort of push the
envelope a little bit because we’ve talked about the whole issue between
quality and research, commercialization, you know, and how even to talk about
those issues. And I think we’ll find in the second set of hearings that there
will be some discussion that begins to cause us maybe to look at this, maybe
rethink what quality, where the barriers are, or if there are any barriers if
all of this really begins to merge together. But I think it will hopefully be
sort of interesting set of discussions.

From there, we remove right before lunch to a discussion about
de-identification, and is in this world de-identification really possible,
which I think should also help inform our thinking.

This afternoon, we talked about additional technical solutions for various
issues that I think we going to need to be thinking about related to both
consent and other issues around mitigation risk.

And then the very important issue of communication. Now I would just remind
you that communication is a tool. It goes along with transparency. It goes with
trust, and I think we need to be a little more grounded in all of that.

Now at around four o’clock I serve a two follow item where we are going to
have an open microphone, and then we’re going to go to committee discussions
for the remaining time until about five thirty adjournment.

Just to remind you, we do start tomorrow morning bright and early at eight
thirty, but we’ll have everybody out by twelve thirty, and as I said, later
we’ll talk some about future meetings, hearings, sessions that we will be
holding as we move from these conversations into actual report generation.

Now with that, Harry, I will turn it over to you and ask if you have any
opening comments before we proceed.

MR. REYNOLDS: No, we’re right on time, so we’ll stay there. So Monica, we’re
really excited to have you here today. So if you would please begin and then
we’ll hold all questions until you’re finished, and then we’ll start from
there. Thank you. We’re also going to hold all questions.

Agenda Item: HIE Experiences

MS. JONES: Good morning. I’d just like to say thank you very much for
inviting me over to Washington. I’ve basically been asked to sort of give the
U.K. experience in terms of what we’ve actually managed to do with our
secondary uses service which is part of an overall major program of work within
the U.K. which is our national program for IT which is a ten-year program that
is essentially upgrading and putting a massive investment into the whole of the
NHS information infrastructure which is very exciting, but it’s also very
difficult. And what I’d like to try and give you today is a bit of the
perspective in terms of how, what we’ve sort of encountered and the type of
difficulties and picking up on the points that was said earlier in terms of the
tools and techniques for the sort of the risk mitigation.

I’m quite happy for people to either chip in or we can wait for question
until the end. But if I sort of come up with sort of U.K. type terms that
people aren’t sort of aware of, then please just let me know.

What I’d like to run through is essentially these six items. I probably need
to set the scene in terms of what my organization is which is the Information
Centre for Health and Social Care, and then really moving on to the purpose and
scope for secondary uses service, but also sort of exploring perhaps what we’ve
discovered there are also sort of primary uses for some of the secondary uses
data, and this has really sort of become apparent as we’ve actually gone
operational with our systems.

I’m going to give you sort of a very high level technical framework for the
secondary uses service, not getting bogged down in the IT, but really giving
you an idea of how the component parts fit together.

I’d then like to just touch on the regulatory, the legal and the ethical
policies that frameworks us, and how we’re sort of tackling those particular
ones. And as part of that, then I’ll touch a little on patient consent and then
really sort of wrapping up with the value to date, what our lessons learned and
what our future plans are.

So without further adieu, what I’d like to show you here is the information
for how social care is actually a special health authority. So we’re part of
the English NHS which there is a Scottish, a Welsh one and an Irish one within
the U.K., although there are huge amounts of a synergies within that and very
close cross border working. But I just want to sort of particularly make that

A special health authority is essentially an organization that is referred
to as an arms-length body to our Department of Health. It operates very closely
under the direction and policy of the Department of Health, but has its own
sort of governance and its own chief executive and staff within that
organization to make it accountable.

And we were set up in April 2005, and we took on some of the
responsibilities of some previous organizations. One was the NHS Information
Authority, and the other was the Department of Health Unit for Statistics. So
as you look down these services, these 12 services that I’ve tried to highlight
for you, then you’ll see that it is not only about the collection and the
collation of data, it’s about the definition, it’s about defining what the
standards are, and the interoperability, but it’s also about producing
statistical returns and publications of which we do hundreds within a year. So
it’s just sort of letting you have that such a balance.

And speaking to Mary Jo sort over the last sort of couple of weeks, she just
sort of said to make the comparison to the NCHS, and I just sort of had a look
at the website, and I think that we’re actually probably doing very similar
things within the Information Centre in terms of some of the elements that we
particularly cover.

We are interestingly enough the Information Centre for Health and Social
Care which is the first of its kind and certainly within the U.K. that we’re
realizing that we want to try and move a lot of our sort of health services
from being very sort of hospital based actually out into the community and,
wherever possible, we want to sort of expedite that through the use of data and
information. So therefore we’ve got to be able to cope with the boundaries of
patients moving across those areas. And certainly the government at the moment
is really concentrating very much on health and well being and, therefore, it’s
about the public health elements of that.

I probably don’t necessarily need to say much about each of those 12 except
that an actual data set service which is essentially a department I sort of
head up which defines the data items mapping to classifications which I hope
you’re all familiar with, an ICD-10 and OPCS-4, and I’m very much moving
towards using clinical terminology such as SNOMED-CT coding.

And also the one in the box really which is the secondary uses of NHS care
record data, and the data sets work as the input specification for those.

DR. DEERING: Monica, you have information governments as a separate
“service.” Could you just say a word about that.

MS. JONES: Absolutely. That is it’s predominantly a function for the
Information Centre. So it’s not really about providing the information
governance for the broader sort of NHS. It’s more about making sure that we’ve
got our house in order. But it’s really a systems come online and that we’re
starting to actually sort of tackle the whole patient confidentiality and
security to make sure that we’ve got the correct legal advice and that we’re
liaisoning with our already existing ethical committees such as there are,
which are at various sort of levels. We have a local ethical committee and then
a sort of a regional one, and then there’s actually a sort of a national one
that is called COREC. But we also have this concept that there is unappointed
person within each NHS trust who is the senior clinician who is responsible for
the legal and ethical use of data, and they’re referred to as a Caldecott
guardian, and they actually have the ultimate role of making sure that the
patient’s data is being treated in the correct way.

So we sort of lace with that, but this information governance sort of
section within the Information Centre is predominantly about making sure that
everything that we’re doing is within those legal and ethical boundaries.

DR. OVERHAGE: I’m sorry, I missed the word, Caldecott Guardian?

MS. JONES: Caldecott guardian, yes.

DR. OVERHAGE: Okay, I’ll have to have you write that down for me later.

MS. JONES: Okay. It’s named after someone called Caldecott. Okay, what I
wanted to touch on now is really from an input or output perspective. I think
it’s really important, and I hope you’ll agree that we do have the sort of
correct tools and techniques for making sure that we’re able to standardize but
also use data and make sure that things don’t sort of fall through the cracks.
So we have this sort of concept that there are five different sort of types of
standards flowing from the left to the right.

So there is an input standard which is very much about sort of looking at
the existing systems our local service providers within our national program
and actually capturing standards, making sure that they’re coded correctly.

Certainly, since the implementation of our systems in the U.K., the
importance of actually coding correctly has become much, much more high profile
than it was previously. The poor little coders used to be sat in the dungeons
of hospitals being sort of ignored by everybody, and suddenly it’s become very,
very important and they sort of march into the CEO’s office and such as that,
and people have become much more aware of these things.

And then it’s about making sure that the data can flow. We have moved to
transferring data via XML schema. Previously, they went to sort of flat files
into a central repository. But this is about the validation and the
verification of the data and making sure that we keep the responsibility for
the quality of the data as well very much sort of with the providers and
keeping that sort of local ownership, while obviously there is a responsibility
at the central side of things.

Then some data processing and communication, so there are standards and
rules associated with that. I apologize because there’s quite a lot of acronyms
on this slide, but PBR is a system reform within the U.K. which is payment by
results. So it’s very much about the remuneration of services appropriate to
the service that is actually being delivered, which is it’s quite a step change
within the U.K. particularly and in all public environment, and I’ll touch on
that later.

And then it’s about, so those rules associated with it, then the actual sort
of warehouses themselves that we’ve got housed centrally, the major one of
those is the secondary uses service. And so there are appropriate standards
associated with that.

And then there is the output, an extract data set. Quite often, we started
with the right hand in terms of defining what our real sort of business
requirements are. There’s been a program over the last sort of five years of
setting up national service frameworks within the U.K. really to look at the
provision of service in particular specialties. And there were ten of these set
up, national clinical directors appointed to those particular sort of
specialties and referred to as czars that were really to look at where there
was disparity of service and try and even that out across the whole of England.

So there’s one in particular for cancer, for diabetes, for renal, for
children and maternity services, for older people, for – I can’t remember
the rest of them, and really it’s about sort of focusing in on that from a
specialty perspective. And sometimes the requirement for an output data set
would come from that particular matter or clinical director. And so, therefore,
in terms of developing the standards and getting the data to flow through, then
the output specification would be done first and then we would tick the boxes
going through the five sort of stages to make sure that everybody knew because
there’s not one organization that does the end-to-end bit, unfortunately, and
it’s making sure that somebody takes overall responsibility even if they don’t
have a raw sort of ownership to make sure that things don’t fall over in
particular stages.

And that in terms of this particular sort of slide is about making sure that
not only are we defining the standards, but actually we’re in a position to
turn that data into inflation and that we’re therefore able to actually use
that in the provision of outcare both in a primary purpose but also getting the
benefits from a secondary purpose.

So moving on to the secondary uses service, it’s essentially a repository of
care data for the use in care planning, policy development, performance
management, clinical audit and medical research.

And those are elements of sort of coming on line bit by bit. So it’s not a
sort of a big bang, and then you’ve got absolutely everything because our
infrastructure just wasn’t there in order to support it. And in terms of risk
mitigation, then you wouldn’t really go with that kind of approach.

So we had parallel systems that we were running previously and some systems
that just didn’t exist. But we knew and started to develop the concepts of what
we were going to bring into this.

So the aim in secondary uses service and it will provide a consistent
environment for data management allowing better provision across the sector,
very much focused on the protection of confidentiality through rigorous access
control and removal of patient identifiers from data transferred to warehouse,
although there are associated issues with that, and we’re still not wholly at
the point where we’re pseudonymizing and anonymizing data yet. We’re still
running through some pilot studies, and we concentrate very much on the
existing laws and processes. There’s no point in reinventing the wheel and
putting some kind of infrastructure in or some kind of legal framework that is
already sort of covered by existing legislation.

And the concentration is very much around the NHS care records service. And
what we’ve started to do is as each system comes online, there is a duty of
responsibility for the doctor, for the general practitioner that the patient is
registered who is normally the first sort of point of contact, to make the
patients aware that data is actually being captured electronically, and that
potentially it’s going to be used for other things.

It concentrates very much on the existing Data Protection Act, human rights
legislation and Common Law, and this brings in the responsibility of the
Caldecott guardians, as I mentioned earlier, the existing ethics committees and
PIAG which is a national body which is patient by identifier advisory group. In
order to be able to hold your, to be able to use patient identifiable data, and
you have to have PIAG approval, and it’s a pretty rigorous procedure to have to
go through. For example, some organizations will have standing PIAG approval
such as, say, cancer registries or some particular sort of organizations that
actually do need to have the identified data. But they come up for renewal on
an annual basis actually, and then they have to go through a full sort of
rigorous review on a five-year sort of basis.

Now we’ve recently published a document called the NHS Care Record Guaranty,
and you can actually download a copy of that from
www.nshcarerecords.nsh.uk, and
there’s a patient version and a practitioner version within that. It was first
published in May 2005, and this is also reviewed annually. And it’s published
in nine different languages, and it’s got an audio version as well.

And we ultimately aim to give patients access to their summary health care
records as well so that they can actually sort of check the details that are
being held on them are actually correct, but we’re not there yet.

So this is very much the sort of the mechanism that we’re using within the
existing sort of laws and governance. But, you know, why publication, but also
there is a policy that is a an opt out rather than an opt in. So your data is
always being held really on your record in a paper format, and the sort of
informed consent type of process that goes through from the GP as each of these
systems come online, we’ve recently launched a picture archiving record system
essentially for digital x-rays. So as somebody is being sent for an x-ray or
getting that, then it’s explained to them that this is now being kept as a
digital record of an analog record and the benefits of using that and the fact
that potentially an anonymized version of that could be used for medical
research. And at that point, the patients are given the option to opt out, but
there is an assumption that they will, you know, that your data will be used
unless you actually opt out.

MR. ROTHSTEIN: Can you explain what they’re opting out of.

MS. JONES: They would opt out of having their data held electronically.

MR. ROTHSTEIN: All electronics?

MS. JONES: Well, no, the particular data sets and the secondary uses of it.

DR. VIGILANTE: If they’re asked at each opportunity, or – I’m sorry, if
the question’s actually posed at the time of use, in a sense it’s not a
complete opt out; there’s an opting –

MS. JONES: The absolute, yes.

DR. VIGILANTE: So as you’re using it, and then if they become aware of it,
then they have to do something. It’s sort of you’re presenting it to them and
giving them the chance to opt out which is sort of a de facto opting –
it’s not a classic opting, but there’s an opting – the exercise. Isn’t it
right, I mean –

MS. JONES: There is, but it’s happening as – it’s an informed opting


MS. JONES: The details, the absolute details are in this guarantee, and it’s
actually very sort of usable and meaningful. It’s quite useful if people want
to know more about that to get a copy.

DR. DEERING: Could you repeat that URL once more?

MS. JONES: Yes, it’s www.nhscarerecords.nsh.uk, and
it’s called the NHS Care Record Guaranty. It’s about a 12-page record, the
patient version. Okay, I thought I would actually sort of cover that within the
SUS rather than just taking it out of context. So the third bullet point we’ve
got there is access to timely data for analysis and reporting, and by
increasing the, using the technology to be able to get the data flowing on a
much more sort of timely way than obviously the effect is that you can do the
analysis and reporting in a more timely fashion.

And then finally, better data accuracy and a reduction in the burden for the
NHS. It’s a big thing within the NHS in England is this sort of concept of the
burden of data collection and information provision that we’ve made a point of
concentrating the action on actually providing care and not making the doctors
and nurses spend all their time collecting data. And certainly one of the key
aims for the Information Centre is actually to reduce the burden.

So where people want to do a new collection or a survey, then they have to
go through a pretty rigorous process which is called a Review of Central
Returns, ROCR, which is a committee that actually sits and assesses whether
this is a reasonable request that could potentially, or whether there is an
increase in burden associated with it and sort of survey, audit, collection,
and you have to have a – in order for a collection to become an NHS
standard, you have to have ROCR approval as well as our Information Standards
Board approval. And the aim of that is to reduce the burden with the ultimate
aim of moving things to taking them directly from the national care record. So
I do want some and share many, and that’s very much the principle behind that.

But there was a point in the late ‘90s where we were just sort of
getting terribly excited about collecting all of these things, and the burden
was just going up and up, and there was a backlash from the clinicians within
the NHS that we’re just not doing this, I’m not getting the chance to treat
patients and to put our record into this. So you guys go away and work out the
best way to do it and to use the technology, and then we’ll comply with it.

So it seems to be working very well. In the last year the ROCR committee
sits within the jurisdiction of the Information Centre, and we calculated we
reduced the burden by 11 percent last year, and it’s getting better all the

So I’ve touched on some of these, but it’s probably useful to just put it
into context. The secondary uses service is but a small part of the national
program for IT. This was set up in 2002. It’s a ten-year program, and the
national application service provider who are the prime contractor is British
Telecom, and the contract was awarded to them in December 2003. There are a
number of subcontractors. There are a number of local service providers for the
provision of the systems across England that are a collection of consortia with
such main players such as CSC, Fujitsu, BT as well. I’m not sure that IBM are,
and then until recently Accenture and all that.

The data are transmitted by the Spine which is a national grid
infrastructure. The first five years of the national program has been very much
the sort of unsexy stuff. It’s been putting the infrastructure in place. It’s
about increasing the number of PC terminals within hospitals to I think it’s
sort of up to 18,000 now, and getting a standardization of the services in our
patient administration services which was called Paths. It’s about putting in
broadband secure connections. It’s totally publicly funded across the whole of
England, getting connect codes between every single hospital and also between
every GP surgery and getting the data able to flow between those. So it’s the
nitty gritty sort of putting all of your, setting out your store before you can
then start to put the applications on top of it. And some of the suppliers, I
think, have been quite surprised as to how little profit there is in that, if
any. I don’t think BT has made any profit yet, but they’re expecting over the
next five years for it to go up, and I think that has had a knock on effect in
terms of some of the suppliers that are changing their allegiance.

The main warehouse for the secondary uses service is being delivered by BT
as part of the national program, and it’s managed by us. Well, our sister
organization, NHS Connected to Health. Now the split between the Information
Centre and NHS Connected to Health is that they tend to deal with the IT and
the infrastructure and the applications and the developmental software, and we
very much got the responsibility for the data and the information and the flows
and the standards and the legislation and the governance associated with that.

In terms of the secondary uses service, it is very much a partnership
between the two of us, and as it says there, we’re particularly responsible for
the data definition, the analysis and the reporting.

We have a lot of statisticians working within the Information Centre as well
as analysts and both business analysts, systems analysts and information
analysts. So it’s those kind of skills that are covered with the Information
Centre which is over 400 people strong and rising.

Such is the single NHS wide system for processing commissioning data sets.
Now Mary Jo’s allowed me to say what a commissioning data set is. It’s
commissioning in essentially the purchase of services. So we – when a
patient goes to the GP, then the money that is paid in order to be able to
provide that service comes from a primary care trust, and they are referred to
us, the commissioner. So they for their local area commission the services. So
they look at their public health, they look at their epidemiology, they look at
their populations and they essentially request money from the government in
order to be able to provide those services which is cascaded down through a
strategic health authority of which there are ten within England. So the role
of the commissioner is really to make sure that they’ll able to provide the
service, that they’re getting value for money, that they’re efficient, that
they’re effective.

But if you’re therefore referred from your GP to secondary care, say, from
primary care to secondary care, then the commissioning responsibility moves to
that secondary care organization. So it’s therefore the responsibility of the
acute trust or mental health trust or the ambulance trust that is providing
that secondary care.

And in order to do that, we have a set of data standards called
commissioning data sets, and they’ve always been very event driven. And they
were set up in the late ‘80s. They were referred to as kernel returns at
that particular point, and in 1995 they became mandatory so that everybody has
to return the commissioning data sets for every event for an inpatient
attendance, but an outpatient, for an AME incidence, for really the whole area
of the predominantly secondary care. The standards are not quite as well
defined as in primary care, and we’re starting to work on that.

And as I mentioned earlier, those commissioning data sets are essentially
the ones that are used to support our payment by results. And the secondary use
of service is also the basis of the hospital episode statistics. Not the
hospital episode statistics, referred to as HES, has been running for really
since 1995, so for 12 twelve years, and they have always been like sort of a
mini SUS really. So we’ve been able to take those hospital episodes. We’ve been
able to link the patient records, and we’ve been able to do analysis and
reporting and do a whole host of organization not the least parliamentary
questions which come up very, very, very regularly. So we’re sort of a primary
source of answering health parliamentary questions.

And we’re sort of building on that with the upgrading of the commissioning
data sets to have a far greater sort of coverage. And we also have a mental
health minimum data set which is those patients that are covered within the
mental health trusts and systems.

MR. REYNOLDS: Monica, as we look at the time, if you could try to get
through your slides in maybe the next ten minutes. You came so far and you’re
creating so many questions, we want to make sure we have time.

MS. JONES: Sorry.

MR. REYNOLDS: No, no, don’t apologize.

MS. JONES: I think I’ve probably come with quite a lot of things to say. So
what is SUS designed to do? I think I’ve covered most of these things. It’s
pseudonymize patient-based data. It has a range of software tools and
functionality to enable users to analyze, report and present these data. It
enables linkage of data across care settings. We’re in the fortunate position
that we do have an NHS number which is assigned to everyone which is
essentially the primary case. Obviously there will be instances where the data
doesn’t have to, the NHS number where it isn’t necessarily captured because
we’re not at the point where we’ve got a national care record yet. But that’s
due to be in place by April 2010.

And we’re actually going live with our Sonic Care Record this autumn which
is literally just the basic patient demographics which is being launched
through the Patient Demographics Service, and that data will flow up and down
the Spine and is accessible by anybody who has the authority to be able to
provide care for that particular patient. So that’s across primary and
secondary care.

Ultimately attached to that will be a much broader set of data that can then
be called upon, will flow down the Spine but will be obviously all of it is
encrypted, but it would have to go through a series of protocols associated
with that in order to get the data.

So it is to ensure the consistent derivation of data track and construction
of indicator for analysis and to improve the timeliness and data. I think I’ve
already covered the governance model, the access control is very important, the
use of pseudonyms to replace identifiers is something that we are starting to
be able to do. And as I mentioned before, we’ve carried out some recent pilots,
and there’s a report that is now in the public domain that was published on the
first in January, 2007, can be downloaded, Version 0.1. So the long term is for
access to authorized users to data from the NHS Care Record Service but the
short term they can generate this from existing trust space, commissioning date
sets that will still be in clear and are still in clear and with running these
series of pilots. So in terms of what is the down side of actually doing
pseudonymization and ultimately anonymization particularly in terms of the
effect on the business processes and within your local service provider. So the
purpose of this pilot was that do we get the same results with the
pseudonymized data, what is the impact of pseudonymized data on business
processes to explore the minimum data coding standards for the use of data,
particularly for commissioning in epidemiology, to identify where the use of
pseudonymization is not sufficient to actually support the existing business

And I can give you material to let you have as to where that report is that
should give you a good idea of what we’re doing in this area.

This is just the sort of the view of the, a schematic view of what SUS is
all about. Fortunately, you’ve got the existing data flows. This is the truth
as of the 23rd of August, 2007 is that actually the forms that we
have at the moment are commissioning data sets for inpatients, outpatients and
in waiting lists and NHMVS. As of October of this year, the Person Demographic
Service and the data from Choose and Book which is an application in terms of
increasing patient choice will be linked into these data that are coming in.
They get loaded because they don’t all come through at the same time. So they
needed to be sorted and put together. Then there’s some process and validation.
They get staged, and then they go into the data warehouse.

And then there are a series of views of that data warehouse that are, the
pseudonymization actually happens at this particular point so that the data
marks are not in clear. And there are a number that are supporting hospital
episode statistics and payment by results. And then the one at the top which is
a reform that is coming in at the moment which is about 18 week waits which is
due to be in place by December of next year.

Now we’re realizing everything can actually, all the marks can actually be
housed within the main warehouse, well, not within the main warehouse, but
within the sort of BT provided sort of core. So we are actually moving to a
much more federated approach. But the big gray box around the outside stresses
the point that the security and confidentiality is consistent through access,
control and design. And so we’re able to bring other third party suppliers in
to spread the load, spread the risk and to bring their sort of specialisms to
work with the public sector to provide other analyses and reporting, in
particular clinical audit, practice space commissioning, and there will be a
number more that will come online. And these are essentially the lessons
learned so far that we realize that people were sort of being told that
everything would be in the big core warehouse and the marks would be there. But
the volume of the data and just the amount of processing that we’ve already had
to do over the last six months, it’s standing at 14 terabytes, and that’s just
transactional data that is coming through here. So we’ve got to spread the load
and spread the risk.

So the current services, the first priority is the implementation of payment
by results. This is about providing a fair and consistent basis for hospital
funding, and it’s also a pretty good way of tidying up the data because if
you’re concentrating on the enumeration and the payment, then people tend to
sort of focus their minds from a provider perspective. And so we’re seeing a
lot of increase in the quality of the data which is excellent.

Another one is practice base comparison. There’s an application that was
launched in June of this year which is an NHS wide web based comparison which
is available on line for the provision of general practice comparators and
quality data, quality outcomes framework which is essentially the framework
that was put into the new GD’s contract in the U.K., and it allows those
practices to be able to look at where they sort of fit into relation to each
other, and this is just a screen shot that shows at the authority outpatient
attendances per 1000 population and where you fit in with everybody else, and
then there’s the opportunity to drill down to PCT to practice, obviously on a
role based access control action. But it’s giving people real time data. It’s
allowing them to actually get the feedback and to be able to go first to be
able to go through an interactive process of development.

So the key issue and it’s something that you read in a lot of your
documentation as being spoken by this morning is that it’s about the data
quality. You know, whether we like it or not, secondary use of service is
populated with NHS data, and the providing commission is held responsible to
make sure that all staff who are collecting it are fully aware that it must be
accurate, consistent done with purpose.

The data quality of NHS data has been poor, been terrible in some places.
But if we’re going to be able to use this genuinely, then we’ve got to start
tackling these things because there are those quality challenges that we can’t
link the data if we don’t improve the quality and leads to incorrect financial
payments and misleading comparatives and potentially unnecessary and
inappropriate use of identifiable data.

So it is getting all of our sort of once gain our sort of house in order to
be able to provide this sort of service. And this graph just shows you an
example of that where this is a summary by strategic health authority which
shows the percentage of missing primary diagnosis where it hasn’t been coded
and it hasn’t come through. Essentially, the tariff was calculated on the
primary diagnosis. So if you can’t do that, you don’t get your money. So this
is really sort of focusing the mind and these are the sort of things that we’re
concentrating on in terms of getting the data flowing, increasing quality and
moving that forward.

Key developments that are coming up which is the commissioning data sets
Version 6 which is about 18 weeks reporting. Now I said before that our
commissioning data sets were just event driven. They would just happen every
time something happened. We’ve now introduced the concept of patient pathway
identifiers as well as patient identifiers so that you can see that all of
these events against this particular patient are actually in the same pathway.
So we’re having a concept of a future care event so that the clock starts
ticking when you send a commissioning data set. They should be at this point in
the pathway of this particular date so that the trusts can then review those
and say, oh, we’re about to breach on all of these, and we can actually do some
follow up and be proactive in terms of actually contacting patients or
contacting other people and organizations within that particular pathway to
make it more effective and efficient. So it’s a really exciting development
that is happening at the moment.

That’s due to be implemented by the first of April of next year. It’s
optional from the end of this year, then we’ll have to see how it goes. But
it’s due target is due to be here by December of next year.

And I’ve already mentioned the payment by results. And so it’s about this
bringing the standards in together but also operationalizing them and making
sure that they are fit for purpose. And this is the sort of thing, just a
screen shot of it that will come with the 18 weeks application that is very,
very simplistic here. But there will be much more complex analyses and also the
raw data will be available and downloadable for those providers who are
entitled to it that you can see straight away what the average length of wait
is, what the total elective inpatients are and where the spread is of elective,
non-elective care.

So we welcome the 12-month cycle because we’re having to react and we’ve got
a ten-year plan. But we’re operational now. It’s happening. So we’ve got to be
able to react sort of quite quickly. So these are the sort of things that we’re
actually doing. We’ve literally got sort of upgrades and testing and new
functional releases almost every month within a 12-month cycle.

But we are able to react to things quite quickly now. We are able to put
things back through the system in a very rigorous change control and release
mechanism. There are certain annual uplifts that are associated with certain
data types and data sets. So we can plan the longer term ones, but we’re able
to be dynamic and reactive to others.

And then the future plans which are essentially the addition of the clinical
data and extracts covering priority areas such as cancer, diabetes, heart
disease and renal clinical audit. Those audits are coming online next year as
part of, you saw on the diagram on the federated approach, that’s a system that
is being procured from within the Information Centre but managed by us.

Data relating to patient prescriptions, we already have an electronic
patient prescription system, data related to primary social care of patients.
And then the potential uses of the database covering all areas of trust of
England are absolutely huge, and at some point it will expand beyond the NHS
commission care and include other patient specific data, finance, support, work
force, estates and National Audit Office information.

So we’re not quite there yet. And really by 2012, we really do expect to be
in certainly the first four, I’m not sure about the fifth one.

And that’s it. Thank you very much.

MR. REYNOLDS: And Monica, do I understand you’re going to be able to spend
some time with us today. Is that correct?

MS. JONES: Yes, I’m available all day today.

MR. REYNOLDS: Okay, so as we have these other discussions, we may be able to
play off of this. So what I would ask the Committee to do is one question each
because I’m sure there’s going to be a list, and rather then run-on questions,

SPEAKER: Why are you looking at me?

MR. REYNOLDS: I’m looking down the table. If you need to take it personally,
that will be fine also. All right, first I have Kevin, then I have Mark
Rothstein, then Simon.

DR. VIGILANTE: Actually, I haven’t chosen which one yet. So why doesn’t
somebody else go first.

MR. REYNOLDS: Mark Rothstein.

MR. ROTHSTEIN: I have chosen which one of them I want to ask. Thank you,
Monica. That was very interesting, and I know we all have lots of questions.

I’m wondering if you can help us with two things at the same time that we’re
working on. It’s my understanding that the NHS in England is developing or
working to develop technology that will allow patients to mask certain elements
in their health records, and maybe you can bring us up to date on where that

And then the tying together question is, assuming that’s brought online at
some point, how will that affect what you do in terms of the secondary uses of
the data when possibly some of the data’s not going to be there.

MS. JONES: Okay. This is essentially a prior envelope concept, and this is
all being taken forward through the test records service and board. There is
this idea that you can, it’s really a sort of opt out process that we were
discussing sort of earlier.

Now at the moment, we don’t have an electronic patient record. Let’s realize
that that’s the situation we’re in at the moment. There isn’t the option to
mask your summary data. So that’s it, that’s even if the patient went in the
trust, then that’s the case. But it’s through this sort of potential opt out
process that patients, it’s expected that patients will be able to say, well,
I’m happy for that data to be in the system, but I don’t want it to be
available and accessible.

I don’t know the absolute fine details of where we’re at with that
particular subject program, except for the fact that we are moving towards a
care records service, and we’re bringing that along.

MR. ROTHSTEIN: Are you saying that the opt out will go to whether the
patient wants his or her entire records available, or a subset, for example,
substance abuse, mental health, other sensitive information?

MS. JONES: Because we’re doing it on a piecemeal sort of basis, then the opt
out is against particular subsets.

MR. ROTHSTEIN: Okay, thank you.

MS. JONES: And that’s part of the reason for doing it in this way so that we
can actually target it.


DR. COHN: It sounds like Mark has a little letter on his mind. Maybe I have
a question maybe a little more central to what we’re talking about here.

I wonder if you’d talk a little bit more about pseudonymization, and it
sounds to me like you’re more contemplating it than doing it. We are sort of
aware in this Committee that everybody uses anonymization, pseudonymization,
whatever somewhat differently. And I guess I’m sensing that your
pseudonymization is basically just – actually I’m not sure what it is, so
I’ve asked. But where do you see its purpose and usefulness is in terms of the
overall construct of what you’re doing?

MS. JONES: Our view of pseudonymization is essentially taking out the
absolute patient identifiable item which is the NHS number and all the ability
to identify somebody through sort of what’s referred to as fuzzy logic which is
taking the gender, the post code and the derived age of an individual which is
the way that we identify people if we haven’t gotten an NHS number for them. So
there’s only really identical twins living at the same house who will get
through that fuzziness.

And it’s taking that out having, holding the keys in a separate data
repository and having a mapable key that is non-identifiable against the
record. So that’s our pseudonymization. Anonymization is basically just taking
out any of that, but can only really apply to aggregated data. So that’s, and
the process for doing this is, like I said earlier, we are still exploring it,
and these pilots that we’ve been running over the last six months to a year,
and we’ve got a third pilot to come along is saying because we have to be able
to provide the identifiable data back to the providers so that they can match
it to their local sort of systems. And those are some of the difficulties that
we’re trying to reconcile at the moment that if it’s coming in through two
different parts or it has to go back out by two different routes, how do we
link those back again?

And I think it’s safe to say that we’re having, you know, there are a lot
more implications that people haven’t necessarily sort of thought of when the
whole concept of pseudonymizing because a lot of patient identifiable reporting
and analysis is done at local secondary uses within sort of trusts and also
operationally being able to use this to manage services.

DR. COHN: I guess you have a report so we can look further at sort of what
is happening with this pilot. So I’m just trying to figure out what it is that
you’re thinking about using pseudo, now that I understand your pseudonymization
is sort of like what we talk about is pseudonymization, I just was just trying
to figure out whether you were, what purposes you were thinking of using that
data for. And it sounds like you’re trying to play around with operational
reports, and maybe not, that’s not so helpful, but maybe it has problems. All
these other reports of quality and research utilization, is that what you were
going to be using this pseudonymized data for?

MS. JONES: That’s definitely what it’s aimed to be used for because the
secondary uses service is very much about the output coming out here for the
end users, and it’s ultimately being able to do the sort of web based
applications for practices and PCTs and strategic health authorities. But it
also down here is extracts for non-NHS organizations.

There will be context there where anonymized data in its aggregated form is
just not granular enough for that kind of analysis to take place, and therefore
the ability to have a pseudonymized version to be able to push out
predominantly in research is something that we’re really trying to do.

MR. REYNOLDS: Is there some part of your document you could direct us to,
you just used two terms, local secondary uses and operations.

MS. JONES: There isn’t a sort of formal –

MR. REYNOLDS: Can you work one up before you leave?

MS. JONES: Yes, local secondary uses is not really a formal definition, but
it happens all the time. I have actually got another presentation that I’ve got
that sort of tackles some of those direct use, the local secondary uses and the
NHS wide secondary uses on a graph that I could put in this, but I just thought
it would bog down in it.

MR. REYNOLDS: No, that’s fine.

DR. VIGILANTE: I was just wondering in the same similar vein that Mark was
going down. So you give an example before, somebody comes in, gets an imaging
procedure and is going to be put in your PAT system, and at some point there’s
some interaction with the patient where somebody says to them, you know, this
could be anonymized or pseudonymized and used for other purposes, is that okay
with you. Is that, who does it? Is it explicit as to who ought to do that, the
doctor versus the technician versus somebody else? Is it done verbally, or is
there a piece of paper that you give somebody to read and say, you know, read
this, figure it out, sign it and then like we do with HIPAA. Nobody really
understands what we’re doing, but we feel good about it.

MS. JONES: No, it’s done verbally. It’s done verbally by the clinician at
the first point that this actually sort of happens.

DR. VIGILANTE: Right. Every time an image is taken or –

MS. JONES: No, just the first time.

DR. VIGILANTE: So if you’re okay the first time, you’re good for life?

MS. JONES: You’re good for life, but you’re given the details about the


MS. JONES: You’re given the patient leaflets, your appropriate language in
audio, and you’re told that at any stage you can come back and you can opt out
and there’s a way to address them.

DR. VIGILANTE: You sign something?

MS. JONES: It’s recorded on the record.

DR. VIGILANTE: In the doc reports.


DR. VIGILANTE: And how do clinicians feel about this? Do they get a lot of
push back on that? Is this like too much they’ve got to be asking people, or is
it not –

MS. JONES: No, I don’t think so because we’re doing it as each application
comes on line. So we’re not just going, and another thing, can we just go down
the list. So it’s very much in the context of what is happening.

DR. VIGILANTE: And is there standardized language that they sort of say you
must say something like this, or does everybody kind of wing it on their own?

MS. JONES: No, there’s a standardized, it’s almost a brief that is given to
them, and it’s based on the care record guarantee. So it’s very, very clear
direction, and it is absolutely standardized.

DR. VIGILANTE: Right. Okay.

MR. REYNOLDS: Marc Overhage.

DR. OVERHAGE: I guess I do have a lot of questions, and thank you very much.
I told you before the meeting I’ve had a chance to look at your website, but I
found the presentation very helpful in pulling in some of the details.

One of the things I’m still not quite clear on is the commissioning data
sets. If I understand those and I probably have it wrong, essentially these are
data sets that have been developed, selected, agreed to with some oversight by
this ROCR Committee and others perhaps that essentially you require be reported
from each of these different settings that help build the data sets to become
useful for the kinds of secondary uses that you have.

MS. JONES: Yes, absolutely. When the commissioning data sets of which there
are 19, there’s, I don’t know, about three or four in each sort of setting, and
there’s not very many data items within that, and each time quite a lot of
demographics information is collected. So at the moment they’re not as
efficient and effective as it could be.

But as we move to linking the records, and we won’t necessarily have to
transmit those as often, they’re approved through a very rigorous development
process and they only become an NHS standard once the information standards
board has actually approved them. But it’s sort of my department within the
Information Centre that develops those and maintains them and supports them.

And yes, it’s very much the sort of event that is happening to that
particular patient at that particular time. But because they’re monthly, they
only flow monthly at the moment. So there are essentially, there’s an aggregate
return for all of inpatient attendances for this particular hospital for this
particular month, and then they’re sent through.

It used to be entire nationwide clearing system which we switched off as of
the 31st of December last year, and it now goes into the secondary
uses service. But as you see on this particular sort of diagram here, this
ease, extracts and reports to all the PCTs, trust and NHAs, they can download
their view of the data at any time. So they’ve got online access to download
those as a commissioner.

But at the moment and particularly because we haven’t really gone to fully
pseudonymized or anonymized data, there’s very limited access, and it’s really
only the providers who are able to get the data out at the moment until we’re
absolutely certain that we’ve got it right on the pseudonymization.

MR. REYNOLDS: Bill Scanlon?

DR. W. SCANLON: In terms of the warehouse and you talked about sort of non
NHS users, have you identified a group or types of users that you wouldn’t
given data to because in our context we’ve at various times talked about
commercial uses without defining that and thinking that it’s different than
research, it’s different than public health.

MS. JONES: There are sort of three classifications of the sort of users.
There are those who are referred to as the NHS families, so it’s actually the
NHS, and the expectation is that they will have obviously all access, they will
have access to all of the data.

There is then a sort of next level that is sort of non-NHS, but public
sector. So it’s very much our public health observatories, our registries, the
broader public sector sort of support mechanism for the health and social care.

There is a slightly more rigorous approach for them to have to go through,
and you have to set yourself up, you have to become a registration authority.
You have to be able to access the system by our entering network. You have to
have your, be cleared for your check and pin card to be able to get these data,
and that process of becoming a registration authority is the mechanism for
doing that.

And then there is the rest. That does include commercial providers. There is
no restriction at the moment as to who will or who won’t be able to have access
to this. But it is at the moment is being considered on a case-by-case basis
for that third group in terms of who would have access, what their purpose is,
and the associated –

DR. W. SCANLON: Is there a history here yet of having turned down a number
of applications, or –

MS. JONES: I don’t know the exact detail. I think a lot of people are
probably asking. There’s probably a lot of people that have been told that
we’re not quite there yet even to be able to consider your application. But we,
you know, there are quite a few particularly public-private partnerships, and
we even have one within the Information Centre with a company called Doc Foster
Intelligence. They get regular extracts, and they provide a sort of certain
portal and UNHS choices website which has been launched in the last sort of few
months. Doc Foster Intelligence who are a private company, although their
associates with Imperial College London and ourselves at the Information Centre
are working very much within that sort of public-private partnership. But
they’ve got the expertise, and they can do the marketing, they can do all that
stuff. We’re not really very good at that. So we work very closely with the
private sector as well.


DR. FITZMAURICE: Thank you very much, Monica, for coming over here and
sharing your experiences. It’s good to have another country that has gone
through some of the same things that we’re going through.

I want to follow up on Bill’s question with a separate question of my own
and get more specific. If I were a pharmaceutical company wanting to use your
data to determine which practitioners are or are not using my drugs for their
patients, would that be an appropriate use of the secondary –-

[Teleconference automatic interruption.]

DR. FITZMAURICE: That is, do you share this data with pharmaceutical
companies today. They may ask for the number of prescriptions or a drug for
specific practitioners, or they might ask for the number of diabetes patients
by specific practitioners so they could follow up with a diabetes drug. Is that
an appropriate use of the secondary data?

MS. JONES: Yes, it is. And I mean, there is a precedent set through the GPRD
which is the General Practice Research Database which is been up and running
for about ten years or so, and that’s actually managed through an NHRA and also
the Medical Research Council.

That would only be in sort of a subset. Once again, a sort of a mini-SUS,
and some of the main users of GPRD has been pharmaceutical companies. So there
is an expectation that the secondary uses service will provide that service as
well, will provide the whole sort of coverage. I think GPRD has about a
coverage of between 5 to 10 percent obviously. So it would cover the lot.

MR. REYNOLDS: Okay, Justine, then Tom and then break.

DR. CARR: Monica, thank you so much. This is interesting. I have a question
about the office encounter, and I want to make sure I’m understanding

When a patient is seen by a provider, there are 19 data sets that might
apply within which they might ask questions and record the data. I guess what
I’m requesting is, you said we don’t have an electronic health record, and so
what we’re talking about these data elements are questions that are asked of
each patient who might have one of the target conditions.

MS. JONES: Well, the CDS are really not even necessarily true as sort of a
direct verbal contact with a patient. So it could actually, the elements within
that can be just the fact that you know that you’ve got this person sort of
blocked in, and they’re coming for an elective treatment, and that these are
essentially the things that sort of happen to them. So it’s not necessarily an
interaction with the patient.

DR. CARR: So maybe you, I guess I’m thinking about the fact that you reduced
the work of the physicians 11 percent in the first year.


DR. CARR: So what is it that they do, and how long does it take, and what
does an 11 percent mean?

MS. JONES: The 11 percent was really about reviewing the existing
collections, reports, surveys and audits and saying, right, where is the
duplications and having a view of the whole lot because prior to the
Information Centre being set up, nobody had actually done a sort of an
overarching sort of view in taking responsibility for all of these sort of
collections, and things had been springing up all over the place, and nobody
had been regulating them.

So the reduction in burden at the moment is about us saying do you know that
actually ten of your 11 data items are covered by this particular sort of
return, or this is actually captured by eight items that are really
commissioning data sets that flows and is mandatory flow that is captured with
a patient administration system. Do you really need those three additional data
items, what is the purpose of those, what are you going to use them for. And
they go, well, we definitely need those. Okay, well just capture the data. And
what is the best way of actually capturing data, or, no, we don’t really need
those. Okay, well, we’ll use that particular data set, and I actually just
switch the other ones off. And it’s about that rationalization of having the
overall picture, what is anything that is flowing through the systems, what are
people being asked to do and saying, right, okay, we have taken responsibility
to reduce that burden to stop this unnecessary sort of waste.

DR. CARR: Thank you.


DR. COHN: Monica, again thank you. One of the great privileges of the Chair
is you get to ask the last question before the break.

You had mentioned, and I’m just trying to sort of put the various pieces
together, so maybe you can clarify for this meeting. You had talked about three
uses or three groups in terms of uses of the data warehouse, and I presume
there’s a party that’s local probably as well as national in terms of how
people are handled.

And you talked about a case-by-case basis decision. And then earlier you had
also talked about Caldecott guardians, and I’m a little vague even about the
Caldecott guardians, but probably a national and local sort of model that sort
of has, there’s something in all of this stuff. Is the use of the Caldecott
guardians and all of this to help identify this case-by-case basis decision?

MS. JONES: Oh, absolutely. The case by case would have to have, if they want
to have patient identifiable approval, they would have to have Section 60
exempt from PIAG. They would have to have Caldecott guardian approval. It would
have to have Ethics Committee approval. It’s the same as what happens with
clinical trials. So it’s looking at that particular sort of context, and it
would have to have literally sign off by the Caldecott guardian for that
particular sort of data, or it would have to, if it was a national one, it
essentially has to have a group decision by the Caldecott guardians that this
is a suitable use of the data, and this is a trustworthy and reliable
organization that could use it.

So that’s, there is a very strict sort of given structure, but it is done on
a case by case sort of basis. And so, therefore, it can’t be just done in a
wholly objective sort of way. There’s got to be a certain amount of
rationalization, I think, associated with it because we haven’t done it enough
to know that we’ve absolutely got it right. I think that’s the, and
particularly with the sort of non-NHS users, we’re just preliminary, but we
don’t want to close any doors because the whole purpose of making it all better
to have a secondary uses service is that we’re going to really sort of make a
difference and give people access.

DR. COHN: All I’m presuming you are talking about, and let me see if I can
describe this one. Obviously, these people are probably not generally getting
access to straight personally identified health information. Sometimes they’re
getting, I mean, does this change in the world of pseudonymization or do you
think all of the same principles apply?

MS. JONES: I’m not entirely sure what –

DR. COHN: Well, I was just trying to think of the, I mean, on the one hand,
I can see very rigorous standards if you’re looking at personally identifiable


DR. COHN: But I’m actually wondering does this change at all in this world
that you’re contemplating either de-identification, pseudonymization, or is it
absolutely the same thing?

MS. JONES: It’s the same thing, but there are certain steps that won’t
necessarily have to be sort of met, but the checklist will include all the
same. It’s just that if you’re asking for anonymized data, you don’t need PIAG
approval. Then that’s a sort of cross or tick against the PIAG bit. But the
overall checklist under rigor is the same.

MR. REYNOLDS: Okay, excellent, thank you. We’re glad you’re going to be
sticking around. I’m sure you’ll have friends at every break and lunch. But
with that, we’re only going to take a ten-minute break since we’ve got a tight
schedule this morning. So back at 10:40 per the clock to the right. Thank you.


MR. REYNOLDS: If the presenters wouldn’t mind joining us on the other side
of the table here. Sean Flynn, Steve Labkoff, Micky Tripathi and who’s going to
be presenting from Manatt Phelps and Phillips?

MS. MURCHINSON: Julie Murchinson is on from Manatt.

MR. REYNOLDS: By phone, okay.

MS. MURCHINSON: Julie Murchinson is on from Manatt.

MR. REYNOLDS: Micky, are you on the phone?

MR. TRIPATHI: Yes, Hi, Micky Tripathi from Mass eHealth Collaborative.

MR. REYNOLDS: Why can’t we hear the phone better? Could you say something
again, please.

MR. TRIPATHI: Yes, Micky Tripathi.

MR. REYNOLDS: Yes, that’s great, yes, thank you.

MS. MURCHINSON: And this is Julie Murchinson from Manatt.

MR. REYNOLDS: Oh, okay, good. So we have a large panel. So if each of you
would keep your remarks crisp, that would be great so that we would have enough
time in the end to ask questions. So I’m going to, unless somebody tells me
different, I’m going to go right down the list in order. So with that, the
first presenter, and we need a microphone for him, please, and that would be
Sean Flynn from the Program on Information Justice and Intellectual Property
from American University. So, Sean?

Agenda Item: Health Data Protection Solutions Needed in

MR. FLYNN: Okay, thank you for having me here today. My name is Sean Flynn.
I’m a professor at American University, Washington College of Law, and I run a
program called the Program on Information Justice Intellectual Property, and I
also serve, and I guess my role today is I serve as counsel to a group of
public interest amici in a case involving a challenge to a recent law that was
passed in 2006, the New Hampshire Data Privacy Act, which limits the ability of
pharmacies and PBMs and other entities to transfer to pharmaceutical companies
and health information organizations patient and prescriber identified
prescription data for marketing purposes. The law, and we can get into this a
little more detail, allows the use and transfer of such information for
non-marketing purposes including educational purposes and to do studies,
research, et cetera, but it doesn’t permit that data to be used or transferred
for commercial marketing purposes, specifically pharmaceutical products.

The group that I represent includes the New Hampshire Medical Society, the
group of doctors that petitioned for this law to be passed, AARP and other
patient rights groups and collections of state legislators that are considering
similar legislation in other states.

So I think what I would like to do is describe briefly what some of the
concerns that prompted the legislation are. I’m not going to get in detail
about what the legal opinion is and what our arguments are in response, but I’m
happy to take questions on that if anybody feels like being a lawyer today, and
I know there’s one in the room with us.

And then briefly discuss, there’s been a couple different laws that have
been passed in other states, specifically Maine and Vermont that have similar
goals to the New Hampshire legislation but have taken different vehicles. So
I’ll briefly describe what those are and hopefully not take up too much time in
that endeavor.

So as I mentioned, New Hampshire is the first law in this country to attempt
in some means to regulate the prescriber identified portion of prescription
data train. Of course, HIPAA already regulates the patient aspect of that.

The New Hampshire law did add an additional state cause of action for the
trade of patient identified information as well out of the belief that HIPAA
doesn’t have sufficient remedies, and that adding state remedies to that
already federally prohibited activity would be helpful in the state.

A brief note on the history of this practice which you may know all about
given the topic of what you’ve been studying. But basically the practice that
we’re talking about today starts in 1994 basically. That’s the year that IMS
released its latest iteration of what started as a sales force tracking
mechanism. So pharmaceutical companies have been tracking their sales forces
and trying to measure what doctors are prescribing in various kind of
aggregated ways since really about the 1940s, 1950.

But that was done usually through surveys and samples that didn’t
individually track every prescriber and their individual prescribing habits and
attach doctors’ names to those prescribing habits.

The first we really have a full data set to do that was 1994, and between
1994 and today there have been a large number of other companies who have
entered this area. Some of them in subspecialties, some of them competing
directly in IMS in the kind of broad range of pharmaceutical prescribing

The reason for that, of course, is the digitization of prescriber records
pushed by the entry of pharmacy benefit managers into the chain of distribution
and compensation for drugs. Today, PBMs digitally manage about 95 percent of
all prescriptions, so roughly 95 percent of all prescriptions are transmitted
through some data set that can be easily sold and transferred to other parties.

Previous to that, of course, you know you had actually handwritten
prescriptions. It was very hard for pharmaceutical companies to track anything
like 95 percent of the prescriptions in the country. But that’s now possible.

So in 1994 and since, there’s basically been a relatively unregulated
exchange of information between pharmacies and other peoples within the
prescription chain and pharmaceutical companies through health information
organizations and as intermediaries.

So the state today is that pharmaceutical companies can receive from various
vendors detailed computer-generated statistics on pretty much every prescriber
in the country, exactly what they’re prescribing on a day-to-day basis. There’s
a quote in the record of the New Hampshire case that essentially says that a
detailer can walk into a doctor’s office at nine o’clock in the morning, and at
twelve o’clock in the afternoon in the same day figure out whether that doctor
prescribed the drugs that was being pushed by the detailer in that transaction.
That is, in itself, as you can imagine, presented a real problem of undue
influence from pharmaceutical marketers towards doctors.

A pharmaceutical marketer can walk into a doctor’s office and know exactly
what that doctor’s prescribing, if they’re prescribing for instance a generic
medicine for a specific ailment, and they want to push a newer branded product,
they know exactly what that doctor’s prescribing, how much to what patients.
They know what mix, they know what percentage is branded and non-branded. There
is information in the House Oversight Committee from the Merck investigation
that showed that they actually came up with detailed ratings of doctors from an
A+ to a D on how much Merck percentage of product in every single ailment that
Merck treats, what percentage Merck versus non-Merck products that doctor was

Now that allows pharmaceutical marketers to walk into that doctor’s office
and really tailor messages specifically towards what that doctor is prescribing
and specific critiques and presentations of whatever data is out there to
attack the generic medicines, for instance, or to attack whatever else they’re
using. And it’s an advantage that branded pharmaceutical companies have that
generics don’t because generic drugs don’t have the same financial incentives
to send individual detailers out to target individual prescribers in this way.
So it creates a certain undue influence within the marketing of prescription

Additionally, that information can be used to target gifts and compensation
and speaking engagement invitations, et cetera to those doctors that meet what
Merck called the A+ doctors. The more you prescribe, the better you reach out
and prescribe the specific pharmaceutical company’s targeted medicines, the
more compensation through gifts, meals, et cetera those pharmaceutical
companies can shower on doctors.

And we know from popular press that some doctors receive tens of thousands,
even hundreds of thousands of dollars a year. They’re the primary targets of
pharmaceutical marketers. Now those gifts, a lot of that gift giving happens,
of course, absent the data. But the data allows an extremely improper degree of
influence to be linked to those gifts because pharmaceutical companies can
specifically observe and reward prescribing behavior. In effect, you have
doctors that can be incorporated into the compensation chain of the
pharmaceutical marketing companies, and that is very troubling to many of the
doctors’ groups that I represent.

So let me just talk a little bit about the rise of the backlash. As I
mentioned, these data systems really came about in 1994. Between 1996 and 1998,
there was a huge backlash first in Canada, then in Europe. This practice has
been banned, the specific prescriber identified tracking of prescription
records have been banned in several Canadian provinces and in all of Europe. In
those countries, health information organizations can still measure and track
prescriptions, but not patient identified. They can track them regionally. They
can track them in blocks. They can track them in specialties. They can still
figure out how they’re doing vis a vis competitors, but they can’t track the
individual prescribing behaviors of individual physicians. That’s the new thing
that’s happened in the last decade or so, and it’s becoming a peculiarly
American phenomenon.

In the U.S., the story really broke with the front page story on the New
York Times
in 2000, and there’s been a series of large articles and
national papers describing various levels of physician outrage at this practice
since then. One of the reasons for physician outrage in addition to
occasionally being told by pharmaceutical marketers that they haven’t lived up
on their commitments to the marketers and being informed that their individual
prescribing behaviors have been tracked, an additional concern – well,
excuse me, let me fast forward from that a little bit.

So numerous physician groups around the country have acted to try to limit
this data. It’s happened in local medical association resolutions, and it’s
happened in AMA through several resolutions that have been attempted to pass.
The AMA, however, sells its physician data file to pharmaceutical companies for
a cost of about $40 million a year, and so it has not followed through on
various resolutions that have been pushed through the AMA to try to propose
federal legislation on this issue which is one of the main reasons we see the
main action going on in states.

So as I mentioned, New Hampshire was the first state to act, and there’s a
case going on right now. A district court has held that the New Hampshire Act
is unconstitutional on free speech grounds, and that case is currently going up
into the First Circuit.

And there is essentially five interests that the state is representing to
the First Circuit that lie behind this legislation. So the first, as I
mentioned, is to curve undue influence within pharmaceutical marketing, the
one-sided nature of marketing in this area because of the lack of incentives
for generics especially to have counter-marketing efforts and the extremely
high cost of states to mount their own counter information campaigns.

So you have a situation in which most doctors are getting for most drugs
heavy marketing on one particular drug but have no real counter messages unless
they reach out on their own to survey what the marketers are giving to them,
the information that that marketers are giving to them.

Second, of course, is just the cost and health impacts of this system, of
the undue influence within the system. So there’s been about a fivefold
increase in drug spending amounts over the last 12 years or so, and studies
have shown that about a third of that increase has been marketing induced
shifts of prescribing behavior from cheaper drugs to more expensive drugs.

Now we can’t know exactly how much of that one-third is inappropriate
shifting or appropriate shifting. But a sizeable amount of shifting has been
demonstrated in various studies from cheaper, often more effective generic
drugs out there to newer, more expensive, but often less effective treatments
for the sale ailment. So that’s the cost linked with the health impacts. The
shifting is going on shifting prescriptions towards medications that are often
worse for patients and also cost more, both of which imperil the health system.

Another issue of particular physician group issue is standards in the
medical profession. The ability to use data to incorporate doctors within the
compensation schemes of pharmaceutical companies, the ability to observe and
reward prescribing behavior threatens the ethics in the medical profession, and
the more it becomes public to patients, threatens that bond of trust between
patients and doctors, the trust that a doctor’s prescribing something for the
patient because it’s the best for the patient, not because they’re getting more
gifts and speaking engagements because of that practice.

Third is just the rise in vexatious sales practices that have coincided with
the ability of pharmaceutical companies to track individual prescribing
behavior. So over the same period of the last 12 years or so, the data mining
has become widely used to target prescription marketing efforts. The amount of
detailers in the country have doubled. We now have over 100,000 individual
detailers in the country.

The average primary care physician receives 28 visits from the detailer a
week. Now if you can imagine yourself in your consumer mode what kind of
lobbying you would be doing on the federal and state level if you received 28
marketing phone calls in your house a week, you’d try to ban the practice
that’s leading to it, right.

The pharmaceutical industry, as you know, spends about $27 billion a year
now on marketing. That number has gone up about two or three times in the last
several years, and 85 percent of that is targeted directly towards doctors.

And finally, I just want to hit on patient privacy. These physician records
are patient de-identified. However, that doesn’t mean that marketers don’t know
exactly what prescriptions a specific patient, not by name, but they actually
do often track specific patient records by number, and then they track the
prescriptions on that patient over time.

So they can see whether you, a specific patient walking into a doctor’s
office, they don’t know your name and address, but they have you identified,
and they know whether you’ve shifted your prescriptions, for instance, towards
a generic. And if they can see that information come into the doctor’s office
and target that doctor, switch back to the brand, your medical treatment is
being specifically targeted for marketing without your knowledge regardless of
whether your name is mentioned or not.

So there’s a patient privacy issue in these laws and in these issues, even
though the patient specific names are not identified in the practice.

As I mentioned, there’s a lawsuit going on. There’s an appeal. There are
several states that have acted since the District Court has handed down, and
I’ll just mention three things that are going on.

First, Vermont has adopted a law only allowing the prescriber identified
records to be traded if the doctor specifically opts in. So on their medical
licensing information, there’s a box and a doctor can choose to check that box
and allow their prescriber identified information to be traded.

Maine has adopted an opt out provision. Also on its licensing materials, it
permits a doctor to check a box and opt out of the trading of its information
to pharmaceutical companies.

Now there’s a problem with both of these laws which is that it doesn’t
actually directly address the state’s overriding concern in reducing the undue
influence of marketing and allows doctors to basically opt in to this kind of
compensation system that is a record that is influenced by the data.

And finally, a couple states are considering, none have passed, legislation
to regulate the detailers themselves, to regulate the messages that they can
bring, to regulate deceptive and misleading advertising and to require the
detailers to be licensed professionals instead of basically sales forces.

So those are the other options that are out there, and I’ll stop there and
allow the responses from my panel members and hopefully some time for some

MR. REYNOLDS: Sean, thank you, and it’s been requested that, Julie, you go
next since we’re talking pretty much about the same type of thing. So is that
okay with you, Julie?

MS. MURCHINSON: Sure, that’s fine.

MR. REYNOLDS: Okay, please continue.

MS. MURCHINSON: Okay, so I will try to stick to the presentation and the
slides that you all have in front of you as opposed to rebutting directly on
what Sean was saying. But I will acknowledge a few things that he did say along
the way.

Manatt Phelps & Phillips is a law and consulting firm that has been
working with and representing private sector companies and membership
associations in this debate and, I think, pretty much on the opposite side of
the testimony you just heard.

This has allows us to really do a lot of state surveys and activity on this
issue across the country to analyze specific state laws in many of the
contentious states, to evaluate the impact of these laws on health information
exchange efforts since we do a lot of work in that area as well. And given the
work we’ve been doing on some of the HITSP, the privacy and security work from
ONC, we’ve also had the opportunity to evaluate this law in the context of that
privacy and security effort to really understand what the potential impacts
could be.

So today I’ll talk about the motivation behind this state data restriction
movement. I’ll try not to duplicate what Sean just said. I’ll talk a little bit
about the goals for the New Hampshire law and what some of the unintended
consequences could be for not only New Hampshire citizens but also for others
across the country, and discuss a little bit about some of the efforts that we
see starting to address this situation, but clearly more is needed to really
address the issue.

So I’ll start with the slide titled what is behind the state activity, I
believe it’s slide three. And is someone turning slides there?


MS. MURCHINSON: Okay, great. So as Sean mentioned, this is clearly a
physician driven concern, really highlighting issues around the budget for
controlling drug costs. Clearly, public perception around pharma marketing
activities and really raising questions around the data privacy. There’s been a
significant lobbying movement behind this that has been fueling efforts across
the country and really addressing this issue in almost half the states in the

But for the most part, this is really a very kind of pharma movement that,
you know, we’ll highlight may or may not be acknowledging a lot of the other
unintended consequences of this action.

So, next slide, slide four. So as Sean mentioned, the purpose is to really
protect citizens, protect privacy as patients and physicians, which is
interesting, and to lower health care costs. And the proposed law really does
focus around this prescriber identifiable data. However, it is our opinion from
looking at the legal aspect of this that the law is written in a vague way to
really potentially impact more than just prescriber identifiable data, but also
the impact on prescriber identifiable data is not insignificant.

I will just stop here to mention I am not an attorney. I am a consultant who
works with a number of attorneys on this issue. So any questions that might get
into the law may not be my strong suit, but we’ll work through that.

So the next slide, on slide five, from our perspective, this is a game
changing issue for a number of reasons. Because of the significant effort
behind this at the state level and almost half of the states that have analyzed
this, there’s a potential to start to pass laws that impact privacy in a
significant way and would create a patchwork of privacy and data restrictions
across the country that would limit our ability to have interoperable privacy
policies and procedures.

On the patient privacy front, we really feel that the patient de-identified
data that’s being discussed here really poses no threat to patient privacy. So
this is not a patient privacy issue. However, since HIPAA doesn’t preempt state
law, that’s an issue. And HIPAA specifically exempted patient de-identifiable
data for a reason. So we don’t want to be advancing laws in specific states
that start to compromise that previous decision.

One of the major concerns here is that the New Hampshire law is starting to
really advocate for physician privacy and providing rights for physicians to
not have others seize the data for the jobs that they are doing and not have
them be evaluated for how they are doing in caring for patients. And this is
not necessarily just about whether or not pharmaceutical companies can see
their prescribing patterns and potentially employ tactics to address that. This
is about how the entire health care system and those people who are appropriate
to see physician behavior and physician prescribing patterns have the ability
to do that. So we believe that a law like this creates for really the first
time a physician privacy platform, and that’s definitely not necessarily a
productive thing for health information exchange.

And mostly because this is really about marketing concerns, you know, this
is game changing because it’s taking a very different attempt at marketing
concerns that frankly are starting to be addressed in many other ways. You
know, there are other states in the Union who have passed legislation requiring
manufacturers to report the amount of money they spend on marketing and to
register their sales reps with the state. There have also been laws passed to
ban manufacturers from providing physicians with gifts, and the pharma industry
has also started to basically self-impose or self-regulate their marketing
activities through a code of conduct.

So there are some efforts going on across the pharmaceutical industry and
certainly at the state level to try to curve some of these marketing concerns
that are really the core basis of this argument and not necessarily take the
kind of approach being taken in this law in New Hampshire to potentially create
problems with privacy law interoperability.

So slide six, Manatt works with a number of different plaintiffs including
IMS and Verispan to really pull together an amici brief made up of amici who
are representative of pretty highly notable organizations that are working to
improve health care through the use of health care information technology and
through quality improvement efforts with the goal of looking at value-based
improvements in the health care field.

So these groups include the eHealth Initiative, NAHIT, Surescripts,
Washington Legal Foundation, Wolters Kluwer, and the Coalition for Healthcare
Communication. There are others who have also even expressed interest in the
continuation of this amici work in the New Hampshire appeal. So this is really
starting to take on a very interesting collection of organizations that see the
danger being traded by this kind of law.

Next slide, please. The main amici concern is that the goal for the health
care field overall is to be able to monitor physician activity and to actually
be able to reward physician through performance mechanisms. So although Sean
highlighted the way in which the pharma – he perceives the pharma industry
looking at that type of monitoring and rewarding mechanism, that’s in fact the
very mechanism that the health care industry is looking to use not just at
physicians but how devices and technologies are performing on individual

So the amici are really looking at that as a goal in saying that this type
of law that restricts use of prescriber-level identifiable data really could
put at risk the quality monitoring activities, a lot of clinical research
activities, certainly our public health surveillance activities and post-market
drug surveillance if we don’t necessarily have the information at the
prescriber level. Slide eight, please.

So as Sean mentioned to a certain extent, the initial ruling was that the
judge said that the law really improperly restricts commercial speech, and
there are a number of things that I think are important to highlight about what
the judge said in the first round of this.

Essentially, basically there is no evidence of any kind of coercion or
intrusion of doctors. So the evidence that was brought there was not
significant. The state case did not show that the law was, failed to show that
the law would promote public health. So there was a very weak connection
between how this law would really help improve the health of New Hampshire

The law failed to show appropriate controlled health care costs through this
type of mechanism as well, and I think most importantly, the ability to control
health care costs without compromising patient care. So that case was not
strong enough.

Furthermore, and interestingly enough, the state’s experts acknowledged that
the pharmaceutical detailing practices actually can provide public health
benefits. So even though there might be a public perception that that’s not
necessarily appropriate, in many cases it does provide public health benefit,
and that’s something that we should all be striving for.

Lastly, the state noted that there really are alternatives to this kind of
law, and I think this is probably one of the more important points to take
action on, that there are alternatives out there, and some alternatives are
starting to be employed, and that this may not really be the best path to
accomplish the goals that are being brought by this law.

Okay, slide nine, please. Just to highlight a few comments I made earlier.
This has not been an insignificant effort at the state level to get several
states in the Union to propose similar legislation. Between 2001 and 2006, 17
states introduced bills to restrict physician prescribing data, and 2007 more
than 20 states considered the data restriction.

At this point, 19 states have restricted the legislation to date, and
Massachusetts is scheduled to consider legislation in September. As you also
heard, Vermont and Maine have been pretty active in this area. Maine passed a
law extending the current state prohibition of the sale of prescription drug
information in June of 2007, and, as mentioned, the law includes an opt out
provision for prescribers that can be designated when renewing their license.

And also in June, an active month on this topic, Vermont also created a new
prescriber data sharing program requiring a prescriber to opt in or get consent
for his or her identifying information to be used for the purposes other than
pharmacy reimbursement and some of the other regulatory purposes. So both of
these laws take effect January 1, 2008.

So in all, you know, three states have been very active in this. Over 20
states have considered this. The story is certainly not over. The story’s
definitely just beginning, and I think that all eyes are on New England,
frankly, to see the direction in which this law goes. Slide ten, please.

So I don’t have to educate you, but as many of you know, the efforts that
are going on to create not only technical interoperability between and among
health care stakeholders in our system are also striving to create some sort of
policy interoperability so that information can flow for the benefit of the
patient and be consumer centric. And although this is a very consumer centric
movement, the ability to actually take action and improve care for consumers in
America, this type of model was really predicated on understanding what’s
happening at the point of care, and this point of care activity not only just
includes prescribing behavior but frankly prescribing behavior is one of the
more important aspects of what’s happening at that point of care with a

So we really believe that this law puts at risk a lot of the good efforts
that are going on in this movement. Slide 11, please.

We tried to highlight on the slide kind of two points. On the left hand part
of the slide, patient de-identifiable data is being used today or could be used
in the future in very beneficial ways to really look at population health on
the whole and put into place some improvements or mechanisms that will help
move population health in a certain direction, looking at system efficiencies
and certainly looking more at institutional level performance.

However, the real goal of what the health care agenda is today is really
trying to get towards a more personalized health care environment. And that
relies on the use of this provider identified yet patient de-identified data to
really be able to address some of the healthcare safety and post-market
surveillance issues and to modify the way in which our reimbursement system is
working today and start to turn that into more of a performance based system.

So, again, it’s a lot of what we’re trying to achieve is predicate on
understanding how our clinicians are helping our consumers today and
prescribing behavior can’t necessarily be treated differently than any other
monitoring we might be doing at that point of care.

And lastly slide 12, from our perspective, there are a number of contracts,
efforts, movements, associations, industry engagements that is really helping
in this area. But it’s really just the tip of the iceberg. The HISPC efforts
are clearly focusing on what patient privacy should look like, does look like
and how to achieve more of that policy interoperability, and I think it’s
making good progress in doing so.

On the industry side, we are definitely seeing industry leadership in terms
of looking at more responsible data sharing activities, and there are a number
of different projects and programs out there that are really trying to make
this data, even prescriber level data, more identifiable to physicians
themselves as a way to really help them understand what they’re seeing and how
they could be thinking about what’s in the best interest of the patient in a
different way and in a more data driven way.

AMIA as an association is working very hard on the secondary uses issue
which I think you’ll be hearing some about, and they have put out some guidance
principles that we believe are principles that should be addressed in a more
serious way and really well understood by NOA, the national agenda, but also by
the many stakeholders who are aggregating, analyzing and applying data for the
improvement of the health care system.

And lastly, we really believe that the policy and legal framework around
patient and prescriber information really does need to be taken into
consideration and looked at in a more affirmative way. Some more is needed here
to really set the appropriate framework to make this information not only
useful but appropriately used for all of us as Americans.

And that’s all I have today.

MR. REYNOLDS: Julie, thank you very much. We’ll hold our questions until the
end. Next, Steve Labkoff.

MR. LABKOFF: Hi, good morning. My name is Steve Labkoff. I’m Director of
Healthcare Informatics at Pfizer Pharmaceuticals, and I appreciate the
invitation to come and provide additional testimony to this Committee after the
work we did with AMIA back in July. And I’ve been asked today to give a talk
about the initial request around health data protections needed for health
information exchange.

And I took a little bit of a different tact with the answering of this
request in that I think most people, when they saw a request like that, might
be looking around the issue of things like ciphering and encryption and how do
you keep things clear, safe over the wire.

I took a different tact with it and will talk about access to data and
protecting access to data in health information exchange. And this first slide
actually, I hope, will summarize most of this talk in fact. And from a
pharmaceutical research organization’s perspective, and I work in the Research
Division of Pfizer, by the way. I work in Pfizer Global Research and
Development in the Healthcare Informatics Group. When a drug is being created
or discovered and developed, there’s a tremendous effort to acquire as much
data about that drug as is possible through the use of clinical trials,
randomized controlled trials and so forth, and that’s represented in this
graphic by the blue curve and the integral on that curve.

And as you’ll notice, though, when the drug is launched, the slope of that
curve actually doesn’t vary a whole lot. And the orange curve that is above
that represents information that’s generated about that curve when the public
starts to consume that drug in terms of millions and millions of encounters
with the molecule as opposed to photo trials which are usually measured in

And the real issue here is that we perceive and believe there is a huge data
gap which we actually don’t have a lot of control over right now. While we try
very hard to understand what’s going on out there for safety, surveillance and
some other issues, that gap represents something that health information
exchange is actually able to help us bridge, and I’ll talk about the kinds of
activities that we can bridge through that in the upcoming slides.

We need to make sure that doctors, patients and regulators are well informed
about how they can – as well informed as they can be about the use of our
products. Pharma is expected now to find and meet unmet medical needs and to do
it faster, safer than we’ve ever done it before. That area under the orange
curve is represented by information that is locked in patient charts, mostly in
paper, something on the order of 80-85 percent of it is in paper these days in
laboratory results, insurance claims and electronic health records, in federal
government claims, databases and foreign governments, data sets, third party
aggregators. We believe that access to anonymized and aggregated health care
data will be critical in the role to achieve these expectations, especially in
domains of safety and surveillance and evaluation, the development of new
compounds, regulatory requirements, new drug indications, factors affecting
adherence and treatment guidelines, evidence-based medicine and clinical trials

We were asked explicitly to talk about some of the data sources that are in
use in the research arm of our business and have put together a small sample,
there are many other data sets that we procure, and what I’ve eliminated here
on the slide are the names of those data sets and the organizations that use
them and what they tend to use them for. I don’t have time in the course of the
ten minutes I’ve been allocated to go through this in much detail, but you have
this slide in your packets and can go through it, and I can answer questions
off line.

Just to highlight, I suppose, is that each of these data sets is
de-identified. It is generally speaking aggregated information, and it is used
for, as on the right hand side says, drug discovery research, outcomes
research, market analytics, drug development, clinical trials design and
clinical education manager which those are folks who go and do outcome studies
in the field with their clinician partners.

There have been a lot of efforts undergone in the past couple of years to
understand how these data can be used, especially data from health information
exchange which is probably the newest and probably the largest growing sector
for this type of data that’s out there. The first issue I’ll talk about and
first project we’ll talk about is one called the Slipstream Project. That was a
project undertaken by Pfizer, AstraZeneca, Wyeth and BMS along with Accenture
to examine use cases of how health information exchange information could be
leveraged in the R&D space.

And two major use cases were generated out of that and were presented at
NCVHS last July, and they were on pharmaco-vigilance and how to connect
patients to clinical trials. We also generated detail functional requirements
related to how to use this data for clinical research.

We also then late last year and early this year did a large scale project
within Pfizer, and it’s just been submitted to JAMIA for publication for as
late as yesterday, we submitted it to make sure it got in yesterday so I could
say it was submitted today, and the project was called Electronic Health
Records and Clinical Research. And we interviewed 35 senior leaders within the
R&D space at Pfizer and also in safety outcomes and clinical operations and
asked them, you know, if you had access to clinical patient data from health
information exchange, what could you use this for in your day-to-day
operations, and how could this be used in a way to speed up or make your
business processes faster, more effective, cheaper, whatever, and they
generated 14 use case categories and 42 specific use cases whereby these data,
if utilized, could enhance data speed through portions of their business
processes could take place. And they include and the major bullets here are
clinical trials outcomes research, the audit of medication, work flow, disease
modeling, safety, support of regulatory approval process and clinical
epidemiology. And that paper hopefully will be accepted for publication and
will be widely available within a short period of time.

Just as an ancillary piece of that project, we surveyed 15 of the 38 CCHIT
certified ambulatory care EHR programs that were on the market at the time of
the study which was December of 2006, and we asked them to look at the 14 use
case categories and to self-rate how they could answer or if they could
actively do the use cases or give data in those use cases. And as you’ll
notice, less than half of them were able to do most of these use cases, and in
many cases we believe they say they’re highly over ranked or over rated. For
example, there was a question about using supporting clinical regulatory
approval process, and five companies claimed that they could support that, but
no company that we’re aware of in our research actually supports 21 C.F.R. Part
11 for clinical audits necessary for regulatory submissions, and five companies
claimed that they could do that to that degree, although they weren’t

Summary of the findings here is that there seemed to be very significant
opportunities for EHR population health utilization in the research arm of
pharmaceuticals. Senior management sees the top use cases for clinical trial
improvement, drug safety and surveillance, retrospective analyses or
understanding disease mechanisms and observational studies in epidemiology,
outcomes research, Phase IV clinical trials.

And the senior management is also concerned about, you know, one of the
things they’re really concerned about is the data quality and its data
completeness. Spurious associations that can be made from these data, false
positives and adverse event detection and independent analysis that lacks
appropriate context. This has led to a project that some in this room are
actually very familiar with, a project that we’re doing to actually test this
data in one of those domains, and it’s a clinical safety domain, and it’s a
project that’s being spearheaded by the eHealth Initiative partnered with
Johnson & Johnson, Pfizer and Eli Lilly, the Indiana Health Data Exchange
and Partners Healthcare in Boston. We’ve generated three use cases to look at
how this data and health information exchange could be used to understand
clinical signals of known clinical events and see in a clinical health exchange
how that data can be interpreted to find these events and to better understand
how they would be identified in these health data sets.

One use case is the use of Statins in laboratory results or basically
aberrant liver function tests, Warfarin-related bleeding abnormalities,
documenting how designated medical events which are about 30 very serious
adverse events can be identified in clinical health data from electronic health

The basic reason to do this is to study value and utilization of the HR data
for signal detection. It’s something that people have been talking about for a
great deal of time but hasn’t really been qualified or quantified to a
significant extent. So we’re engaging on this particular study.

So the last question, you know, getting back to the initial ask of the
Committee which was look around for protections, I asked the question what
needs protecting. Well, we absolutely need to protect the community trust that
data won’t be mishandled. That’s for safety, for privacy, patient’s identity,
confidentiality and any specific identifying information.

We do also need to protect the ability to do business. Privacy is not
compromised in aggregated health data situations. There are commercial and
academic research processes that need to take place for the advancement of
medicine in our country and in the world, and there are regulatory demands that
need to be fulfilled for the business of getting these products to market.

Some suggested protections of promoting the testing of the intrinsic value
of this data. More projects similar to the EHR project I just presented would
be something that we would absolutely support. Putting into place an
organization to moderate data stewardship, the national health data stewardship
entity as proposed by AHRQ would be something that we would support.

Addressing privacy, confidentiality issues, various checks and balances
through that process. Protecting access to data, legislation that protects
access to anonymized health care data for research both commercial and
academic, and lastly endorsing the AMIA, the American Informatics Association’s
stewardship principles and data analytics principles would be something that we
would also support. And lastly, what we’re trying to get through here is to try
and bridge that gap, to try and understand what the data inside that orange
curve represents, how it could be used to generate new drugs and bring them to
market for patients in this country and the world.

And with that, I want to say thank you and mine the gap.

MR. REYNOLDS: Thank you very much. Micky, if you would go ahead and proceed.
Micky, are you still with us?

MR. TRIPATHI: Yes, I’m still here.

MR. REYNOLDS: Yes, we’re getting your slides up, and if you would just say
next slide when you want the next one, please.

MR. TRIPATHI: Okay, great. Well, thank you for the opportunity to talk about
the Massy Health Cooperative. I think my presentation’s going to be quite
different than the others on the panel, and then I’m going to really be
speaking about what is we’re doing and what infrastructure we put on the ground
and what privacy policies we’ve built in as a part of that health information
exchanges that we’re launching.

So you use the first slide, please, I’ll just give a couple slides as
background because I think it’s important to understand what it is we’re doing,
who we are and what we’re doing to understand all of the policies that we’ve
rolled out.

So first up, you should be on slide one that says MEHC Routes on the top.
The eHealth Cooperative was formed so this – you have this up on slides so
the automation is there. I just want to make sure I know which one –


MR. TRIPATHI: Hello, I just want to make sure that I’m seeing what you’re
seeing. Some of the slides have animation, so I’m not sure when I should say
next slide. You should be seeing a full slide there that says ACP and Blue
Cross on the left and MEHC on the right.


MR. TRIPATHI: The eHealth Cooperative was formed in September 2004. We were
launched with a $50 million financial commitment from Blue Cross Blue Shield of
Massachusetts, and really with a project plan in our intellectual routes in
some work by the Massachusetts Chapter of the American College of Physicians
who led at this time by Dr. Alan Goroll and Dr. David Bates from the Brigham.
We, as I said, we were formed in 2004. We are backed by 34 leading non-profit
healthcare organizations in Massachusetts. Next slide, please.

Slide two is the organizations representing the cooperative. I won’t spend
any time on this unless anyone has any questions after. Slide three, it should
pilot selections with a picture of the map of Massachusetts. The $50 million
project involved selecting three communities in the State of Massachusetts to
essentially be colloquially wired for health care, and so I’ll describe that
project in a minute. But we invited any community in Massachusetts to apply to
be one of these three pilot projects. The red dots on the map there depict 35
communities who responded to the application, and we chose three communities to
partake in these pilot projects, Brockton which is in the bottom right there,
the three yellow stores, Newburyport which is up on the top right and North
Adams which is way out on the left on the border of Vermont and New York. Next
slide, please.

There are four main pieces the pilot projects have. I’ll just quickly talk
about the bottom two because those really set up for what we’re going to talk
about here. The first thing in each of the three communities, just to give you
a sense of the scope of this, it’s roughly 450 physicians who are participating
in the project across all three communities, and they practice in 200 office
locations roughly. So add mid-level on top of those 450 physicians, and you get
550 clinicians roughly practicing in 200 office locations.

And what we’re doing in the pilot projects is first we’re paying for and
implementing our electronic medical records in each of those office locations.
So we’re providing the hardware, the software, the implementation services, the
post-implementation services, work flow design consultation, all of that to get
them up and running on electronic health record systems.

And then the second box there which says connectivity, we’re creating three
stand alone health information exchanges in each of those three communities for
the exchange of patient identified information in real time for treatment
purposes, accessible at the point of care.

This is slide five, I believe, it should say MBEHC on the top right.

MR. REYNOLDS: Yes, we are.

MR. TRIPATHI: The way we’ve constructed these health information exchanges,
and this is a graphic that was developed in the North Adams community, is to
have a subset of the information that is resident in each of the individual
EMRs, have a subset of that information extracted and then merged together into
what it says here, the Community eHealth Summary which is essentially a
repository of patient centered repository in each of these three communities.

So on the left panel, you see doctor’s office record, and those are
basically elements of the record of the EMR in each of those practices that
stays in the practice, stays at the practice level, will never be shared in
that Community eHealth Summary. On the bottom left, you see the eHealth
Summary. Those are the items in the EHR that are extracted from each of those
EHRs and then put forward into the Community eHealth Summary and then merged
for a patient centric view from all the source systems in the community. Next
slide, please.

So this slide should eHealth Collaborative Architecture and Data Flows.
There’s some animation, so if you could click it once, what I show on the slide
is the data flows of all of the data that’s flowing through the eHealth
Cooperative Project. So we have provider level electronic health records. We’re
deploying four. NextGen, All Scripts, GE and eClinical Works, and then we have
a couple of legacy EMRs that were there when we started. One practice is a
Physician Microsystems which is now McKesson, and the others have EMDs. If you
can click the slide again, please, it should say Community Level HIE. Those are
rolling up into three stand alone health information exchanges, as I said, one
in Brockton, one in Newburyport, one in North Adams. The eClinical Works is
running the one in North Adams and WellLogic which is another integration
vendor is putting those together in Brockton and Newburyport. Next slide,
please, or click again, please. It should say MAEHC level QDW. Those three
health information exchanges are feeding a quality data warehouse that eHealth
Cooperative is using if you could click it once more, please, we should be up
at the top where it says MAEHC Level Analysis. The eHealth Cooperative is
creating that quality data warehouse for two purposes, (1) for providing
benchmarking data along nationally recognized quality measures, basically the
AQA recommended starter set, providing that benchmarking data back to the
physicians participating in the projects so that they can see themselves
benchmarked along those quality measures. And then we’re doing a whole series
of outcome analyses on connection between quality and health IT as a part of
the research project that we have.

The quality data warehouse is fed, maybe I can describe this in the next
slide, I think, yes, if you could advance the slide, please. It should say
Quality Data Warehouse Privacy Approach, slide seven, and if you could click it

As I described, those health information exchanges are consent-based patient
identified data. So each of those is a repository. It is consent based, and
I’ll describe our consent policy in a couple slides here. But that is patient
identified data that, as I said, is live data being used or will be used for
treatment purposes. If you could click the slide again, please.

What we are doing is extracting out of those health information exchanges
limited data sets in HIPAA terms with no facial identifiers for the quality
data warehouse that we’re building. And then if you could click it one last
time, please, we are assigning random number identifiers that are unique to the
patient with the key held by each of the health information exchanges for
individual re-identification if necessary. And the reason we’re doing that is
because we’re providing this benchmarking data back to physicians and want to
be able to give the physicians feedback information so that they can use that
to improve quality of care.

The experience of a number of quality organizations is that unless you do
that, de-identification is very difficult for physicians to act on the quality
matrix that are fed back to them. We tried to sort of balance the need for and
the desire for having quality data and having this type of secondary use of
data. But without having multiple repositories of PHI’s floating all over the
place. So that’s, you know, this is the solution that we’ve come up with to try
to manage that.

MR. REYNOLDS: Micky, what’s supposed to be on the screen now. I’m not sure
we’re keeping up with all the lines.

MR. TRIPATHI: We should be on slide seven.


MR. TRIPATHI: And it should say “Quality Data Warehouse Privacy

DR. COHN: I guess we missed the arrows sort of going through. Can you go
back –

MR. TRIPATHI: Oh, sorry, I think if you click it, there’s some animation
that rolls up.

MR. REYNOLDS: So which one are you on right now? How many arrows do you see
on yours?

MR. TRIPATHI: I’ve actually already gone all the way through it, but there
should be one that says Consent Based Patient Identified Data.

MR. REYNOLDS: We’re good now. We’re good. We’re set, thank you.

MR. TRIPATHI: Okay, all right. So basically the point is, you have patient
identified data in the health information exchanges, those three cams there,
and then we extract from that patient identified information a limited data set
that populations the quality data warehouse, but that is able to re-identify.
We are able to re-identify as necessary back through the health information
exchanges to provide that information back to the physician. The quality data
warehouse – the manager of the quality data warehouse never have those patient
identifiers. So they and the researchers are not able to re-identify it. Only
back through the health information exchange and back to the physician office
where the re-identification happens.

Next slide, please. So as I said, these health information exchanges are
permission based, and the next couple of slides, I’ll just describe that and
then I’ll stop.

The eHealth Collaborative took our privacy approach is really based on sort
of a couple foundation principles here. First, we needed to decide what the
patient notification and consent was going to be. It’s certainly not required
for stand along electronic health records, but we were exchanging, we were
creating these health information exchanges that are exchanging data across
legal entities. So we needed to do something.

In Massachusetts, I should say that our legal counsel is McDermott Will
& Emery who provided very valuable guidance in this, and in Massachusetts
our consent requirement preempts HIPAA along certain dimensions, and the
general consent principle is based on case law, Alberts v. Divine which
found that in an affirmative consent is required before disclosure of
information to another legal entity, and a second affirmative consent is
required for disclosure of sensitive information.

And there’s also a specific statute that requires specific permission for
disclosure of results of certain genetic and HIV tests, and those tests are
specified in the statute.

And you know, importantly the HIPAA notice of privacy practices does not
count for the Massachusetts consent. So there is a separate consent that’s
required in Massachusetts today.

And certainly certain types of data exchange already happen today under
prevailing consent process. It happens by fax, phone, mail, email. We know it
happens all the time, and in the ambulatory setting these exchanges are almost
always point to point stemming from discreet episodes of care with physicians
directly involved, and the treatment for that episode is care.

And so, you know, as it happens today, consent is already being gotten for
those point to point exchanges. Next slide, please.

However, the health information exchange and particularly with a repository
is a new type of exchange, I would argue, and therefore we felt that we needed
a new consent for that, that we couldn’t essentially piggyback on the consents
that are already out there.

And then really in particular, the things that we thought were qualitatively
different were (1) about who can access this, that it is persistent data held
at the center, there’s no person in the loop, and it’s not related to a
specific episode of care. So any authorized users on the network, for example,
not just those directly involved in treatment in an episode of care will be
able to access this data.

It is any data from any of the authorized sources, I mean, from that list
that I described earlier. And then when is it available. It’s available any
time, not just during the time period of a specific episode of care. So for
those reasons, we felt that we needed to have a new consent process for this,
and the consent policy’s sort of the core features are that it’s an opt in
approach where a consent is gotten at the point of disclosure. So essentially
it’s at the legal entity where consent is required before the data is disclosed
through the network, and we have a slightly different model across the
communities. In Brockton and Newburyport, that consent is gotten entity by
entity which means, and those are legal entities. So that means that a patient
will be asked for permission to disclose their information held at a given
legal entity to the network at each of those entities, and that gives the
patient the opportunity to say yes to a primary care practice, for example, and
no to a psychiatric practice, for example. So it would allow a patient to have
that opportunity to say yes and no by entity.

In North Adams, there is a global consent that’s really a function of the
tightness of that community that essentially we were able on a consent form and
by the agreement of all of the providers in that community to have a single
consent that in effect deputizes every one of those practices, every one of
those legal entities to get consents on behalf of behalf of every other legal
entity in the community. And a patient, when presented with that consent, is
able to see on one form every single practice that is participating on that. So
they can either opt in or opt out based on their being able to see, you know,
every entity that would be contributing data and, on the other side, accessing
data in the repository.

The period of consent essentially covers all episodes of care until a change
in opt in status or the consent expires which will be in two years we would
reconsent. And what I mean by that is this is persistent data held at the
center. So we’re getting a one-time consent upfront that is an opt in, and from
that point forward all of the patient information will flow into the network in
this repository until a patient changes their status or the consent expires at
which case we will refresh the consent with the patient.

The next slide really is just a schematic depiction of that. I don’t know
that we need to know that or go through that in the interest of time. So I
would ask that we just skip to slide 11 which is a bar chart showing opt in
rate, and this will be my last slide.

Here, I’ve given the opt in rate for North Adams which is the first
community. Their health information exchange is up and running. It went live in
May, and as you can see depicted there, the opt in rate is 94 percent across
the community. Each of those bars represents the opt in rate for an individual
practice in the community, just to give you a sense of the variation there. And
some of the practices over in the right, what you see in that variation, that
practice that’s 50 percent there are only seven patients who were asked there.
So there’s a small sample issue there. But you tend to have more of the
specialists on the right and more of the primary care on the left. The
specialists in general seem to have a lower opt in rate because they are
specialists in essentially a rural community. So they’re seeing people from the
whole western part of the state some of whom really aren’t a part of the North
Adams community, and therefore they end up, they tend to opt out. That’s our
sense of who’s not opting in.

But let me stop here and look forward to discussion going forward.

MR. REYNOLDS: Okay, I’d really like to thank everybody, first, for your
crispness and second for the richness of your data. So with that, I’m going to
start first with Mark Rothstein and then see who else has questions.

MR. ROTHSTEIN: Thank you, Harry. I want to commend all four of our panel
members, and I’m sure the rest of the group has lots of questions. But I will
just limit mine to one, of course, and I want to talk about the New Hampshire
case or ask a question about it and try to relate that case to what it is that
this working group and this Committee is doing.

Whereas the New Hampshire case really pits the state and the docs against
the pharmaceutical industry and the information vendors, our cut is different.
We are trying to balance and accommodate the privacy and confidentiality
interests of patients with all the beneficial purposes of disclosure of
information in terms of quality improvement and the like. So it’s a somewhat
different cut. But with regard to the case itself, and I’ve tried to phrase my
question in the positive and the negative, and it won’t work in the positive,
so I’m just going to have to give it to you in the negative which won’t
surprise too many people.

Should patients have a right not to have their health information used for
marketing purposes without their knowledge or permission even when the
marketing is directed at a third party and even when their information is
disclosed in de-identified or anomymized or some not readily detectable form.
And that’s not an issue in the case, but it is an issue for us.

MR. FLYNN: This is Sean. I’m happy to respond to that, and I’m sure Julie
would like to respond in a different fashion. As I tried to incorporate into my
presentation, we believe there is a patient interest at issue here, and it will
be raised in this case.

Although HIPAA requires and pharmaceutical records, prescription records are
devoid of a name, they are not devoid of who is treating that person and
exactly what conditions and treatment that person is receiving. It’s not very
hard to go from I don’t know, there are allegations, but I don’t know if it’s
true or not whether companies are able to actually use that information to
identify people.

After HIPAA, there have been individuals who have received drug marketing to
their homes, and there has been a concern that was expressed in the legislative
record that HIPAA has not been adequate to actually keep patients from being

But even if they’re not identified, they are being targeted. You know, a
patient as an individual is being targeted for a change in their treatment. And
whether they’re listed by John Smith or number 2207, their treatment is being
affected by individualized marketing based on an observation of their treatment
by a for-profit entity that’s not necessarily interested in their best
treatment. They’re interested in what’s going to sell the most drugs.

So I think there is a huge patient interest, and that’s part of the argument
of why you can’t just take the patient name off, you have to take the
prescriber name off as well because it’s, when you have the prescriber
identified, now you can target an individual office.

MS. MURCHINSON: Sean, I assume you’re done.


MS. MURCHINSON: This is Julie. I would just say that if I understood the
question correctly, it was definitely a good convoluted question. I think
patients’ rights should be vested in their interest who has the best care, and
in order for us to have a consumer driven health care environment, consumers
need to have more legal rights to their information so that they can direct
their information to be stored where they’d like it to be stored, to be used
how it should be used.

So in that context, I believe consumers should be interested in this law not
preventing them from receiving the best care. So whether it’s post-market
surveillance activities or their doctor being informed of the best drug or
device that they could be utilizing for who they are as patients, you know, as
we develop more information about patients, perceivably that is a future

You know, even as was pointed out by the people from Pfizer, this
relationship between clinical research and patient information, I think
patients should have a right that helps them make sure that their care will be
the best. Does that address your question?

MR. ROTHSTEIN: No, but that will do just fine, thank you.


MR. REYNOLDS: Micky, I can’t see your hand if you wanted to make any comment
on any of this.

MR. TRIPATHI: No, I didn’t have any comment.

MR. REYNOLDS: Okay, good. Justine.

DR. CARR: Thank you. This is a question for Micky. You showed at the end the
opt in, the North Adams experience. Was it different in the other two
communities where they could differentially opt out?

MR. TRIPATHI: Yes, we haven’t started the consent process yet in the other
two communities. We’re going to start it in the fall in September.

DR. CARR: Okay, thank you.

MR. REYNOLDS: Okay, Simon.

DR. COHN: You know, I think that I first of all want to start out by making
a disclosure, too. Somehow when we get in these conversations, you don’t always
think about them when you begin the day. But I think as you all know, I work
for Kaiser Permanente, and I just want to comment that Kaiser Permanente as a
general rule the Permanente medical groups do not allow drug detailing. So just
put that on the table. Though certainly that does not in any way impact state
legislation or opinions on all of that.

Julie, I actually had a question sort of for you, and I just wanted to sort
of better understand where your, a couple of comments you made as well as
exactly the positions you represent. And I will apologize, I am not an
attorney, so I’m not quiet so nuanced as some of our others are in terms of
looking through the presentation.

And I really had two sort of separate questions. Now number is, is your
position, are you representing also the plaintiffs’ positions in all of this
work, or are you just representing amici briefs or whatever in the comments,
number one.

And number two is you made a comment that I just wanted to better understand
it. It seemed to indicate that you felt that limitation on secondary uses of
data such as was being proposed or discussed appear to have a chilling effect
on health information exchanges, and I just wanted to understand a little
better your views about the chilling effect on that. And if I’m overstating
your comments, please let me know.

MS. MURCHINSON: Sure. Let me say first we technically are representing the
amici and working on behalf of the plaintiff, just to clarify the relationship.
Does that address question number one?

DR. COHN: Yes, thank you. As I said, I just couldn’t tell at your overheads
exactly the relationship there. So thank you.

MS. MURCHINSON: And your number two question was about why we believe that
some of these secondary uses of data, if this law were in fact passed, it could
have a chilling effect on HIEs, is that what your question was.

DR. COHN: Yes.

MS. MURCHINSON: So sure, you know, from our perspective, it comes back to
the privacy and security at the core. If the law really enables physician
privacy of information and creates different access to information across
different state lines that the privacy and security policies, if you will, will
not be as interoperable as they could be to facilitate health information
exchange. I think that’s point number one.

Point number two is that there are a number of activities that we believe
can be had by using patient de-identified prescriber identifiable data that get
down to the level of physician or clinician behavior that allows for a pay for
performance and allows for specific actions or activities that can be
supportive of transparency of quality and cost related to what’s happening at
the point of care and not prescriber identifiable information is important to
be able to not only know and monitor that, but take action on that. Does that
answer your question?

DR. COHN: Sure, but I just want to comment also. Thank you. Please.

MR. FLYNN: Thank you. I just wanted to respond to a little of this. There is
actually a key position that Julie took that I actually agree with. There’s a
lot that Julie said that I agree with, and it’s always a concern to make sure
you’re addressing the unintended consequences of legislation.

But there’s one point that I don’t have her. On page five, she mentions, I
mean, a core part of the argument she was raising again is this idea that we,
speaking from her for a moment, we don’t want this idea of physician privacy to
become a barrier to quality control or monitoring cost effectiveness or
monitoring quality, make sure that doctors are using evidence-based prescribing
techniques, et cetera. And this is a perfect example coming from you. Kaiser
doesn’t allow pharmaceutical marketers to be a part of that process, but Kaiser
monitors its own physicians and their prescribing practices in making sure that
they’re using the best evidence-based practices, and we completely agree with

And we also, none of my clients want to erect a Chinese wall between doctors
and all the different authorities that may want to monitor their practices for
various health based evidence based prescribing purposes. The difference is we
don’t believe the pharmaceutical companies should be part of that chain not on
individual monitoring and individual prescriber basis. Their interests are not
perfectly aligned to promote evidence-based medicine in this aspect. And that’s
a decision that organizations like Kaiser has taken, but that it’s very
difficult to take for a large number of partners that are not part of a similar
organization. So –

MS. MURCHINSON: And I’ll just say one more thing on Sean’s comment. Thank
you, Sean, and I think that one of the issues is, you know, there are a number
of other solutions that has been considered or put in place to address some of
the concerns that come from aspects of detailing activities.

So I think part of the amici position is that this law is in fact not
necessarily the best way to address some of those concerns.

MR. REYNOLDS: Okay, Micky, I’m going to ask the last question of you, and
then we’ll move on to the next panel.

So 94 percent is pretty impressive as far as opting in. Who actually talks
to the patient, what kind of a document is involved, and is it really, are they
really – this is not a challenging question; this is a probing question.
Are they, do they really understand what they’re signing, or is it kind of an
easy thing to do. No, we all deal with the HIPAA privacy notice, and we all
sign it to get surgery. That doesn’t mean we understood it. You opt in, and so
it’s just a question.

MR. TRIPATHY: Yes, no, I think that’s an excellent question because we spent
a very long time working through how you make this an educated process that
isn’t going to meet the standards of informed consent as we know of that term
for clinical trials and things like that. I mean, it’s certainly not going to
meet that standard.

But we want it to be more educated than what we all typically do with the
HIPAA notification which is a sign and move on like you do with your mortgage
documents. So we created a set of educational materials that go along with
this. We’ve posted those on the website. We’ve had a series of community events
on the radio and other public type events, and the actual opt in process
happens at the registration desk of any of the practices where the brochures
are there and the actual consents are there, and we’ve had community training
sessions for all the front desk personnel for walking them through how the
consent process should work, what the background is on this, and giving them
FAQs and various other materials to help inform patients.

So the typical process is that a patient will walk in. They’ll be handed the
consent and the brochure, and some of them will have follow-up questions which
they can pursue with the front desk stop, or sometimes they’ll pursue it with
the doctor, and we’ve trained all the physicians as well and informed them that
we expect them to have the discussion with their patient if the patient wants
to carry it further beyond that. So we’ve had sort of multiple layers on that.
I mean, Brockton and Newburyport, we’ve actually hired a professional branding
firm to help us with materials. Those communities are a little bit bigger, so
to help with educational materials that we want to be sure will be read.

MR. REYNOLDS: Well, thank you very much. Mary Jo, did you have a question,
or did you have a comment?

DR. DEERING: A very quick request, actually. I’m Mary Jo Deering. We’re
actually having a panel this afternoon that gets at communication, and I’m
thinking it might be very interesting to see your materials. And I personally,
and I suspect the Workgroup, would really love to see a sample of your
educational materials and the consent form. I’m going to say the same to
Monica. You said that you have a pretty strict brief that people have to follow
when they’re communicating. So I think collecting examples of what have been
proven effective in terms of the opt in, opt out decision might be useful.

MS. JONES: I’ve downloaded a couple and brought it with me. So you can pick
it up.

MR. TRIPATHI: I couldn’t hear it that well, but what I heard was an interest
in seeing those materials. I’ve be happy to provide them.

MR. REYNOLDS: Yes, that would be great. Well, listen, again, thank you to
this – yes, Micky, we’ll have an email sent to you on what we’ve
requested, and that would be great. Or you’re saying you want to send it, okay,
good. I’d like to again thank this panel. I really appreciate it.

I’d like to move on next to LaTanya Sweeney from Carnegie Mellon University
on de-identification. Ready to go? Good, thank you.

Agenda Item: De-Identification

DR. SWEENEY: So my name is Latanya Sweeney. I want to thank you all for
allowing me this opportunity to speak with you. I know that you don’t have
printed copies of this. One of the reasons is you’ll see a lot of my slides are
graphic in nature, and rather than just fill in the gap with something, I think
it would be nicer if I printed the graphic. So I’ll put that on my website
which it will be at this address there, and you’ll be able to download those.
I’ll also make them available to whomever you tell me to distribute to.

So what I want to do, the bottom line of what I want to share with you today
is what privacy vulnerabilities do we know actually exist in secondary sharing
of personal health data? What kind of solutions do we know work, and what are
their limits, and consent is horrible in today’s setting.

First of all I want to thank you again for having me, and the over arching
question that sort of guides the work that we do is how can we share data with
guarantees of privacy protection while the data remains useful.

We’re not an advocacy group. I’m a computer scientist by training. I work in
the Computer Science School at Carnegie Mellon, and I run a lab where my job is
really one of data intelligence. That is, we’re really good at figuring out
what kinds of information can be strategically learned out of data, and we sort
of do that. We call it data detective work, and then if we’re really good about
learning sensitive information out of data, we can often advise how to build
technologies so that in fact we can control what can be learned, i.e., privacy.

We’ve had the wonderful opportunity to work in the real world environment
over all kinds of information, basically every major problem society has had
has somehow found its way to our door mainly because a lot of our work is
funded by people, by companies actually, not the government who actually have a
burning need, an immediate need to solve a privacy problem.

This is just some of the team members whose work I’ll talk about. So I
didn’t do it all myself.

One of the things that we found in a lot of our work is that a lot of times
in these kinds of conversations and discussions, there’s sort of the idea that
in order for me to have privacy, the data can’t be very useful, or for the data
to be useful, I have to give up a lot of privacy.

Now we’ve been able to show a lot of the environments you just —

MR. REYNOLDS: Excuse me, we’ve got people on the Internet and on the phone,
and the further you get away, the – you’re telling them good stuff,
they’re not hearing it right.

DR. SWEENEY: Wow, that’s cool. What we’ve been able to find is a real sweet
spot where we’ve been able to show how it is people can have both the privacy
and the data that they’re looking for. And so I’d like to give you a couple of
examples of those today.

The way I organized the rest of the talk is first I want to talk a little
bit about anonymity versus de-identification and then jump into the issue of
demographic re-identification, the issue of multi-stage linking and sort the
overall lessons learned from those experiences.

So what we mean by re-identification is very clear. We have a person, say
Ann, who goes to a hospital or a particular facility. Information about Ann,
known as Ann, gets stored by a data holder. That data holder decides to share
it subsequently, a very common thing nowadays is to remove explicit identifiers
shown in the diagram by just removing her name, but still other information
about her in this case, part of her birth information and her zip code and so
forth is shared.

And in prior work, we’ve been able to show how that can be re-identified
through external data sufficient to re-identify Ann that I could actually
contact her. So when I use the word re-identification, I mean that it’s gone
all the way to the point where I started with data that seemed innocent or
innocuous, and I was able to actually re-identify the person that was the
subject of the data.

The first example I want to give you is one that won’t be as charged as
health data because it’s not your area. If I was talking to Homeland Security,
it’s a different issue. But we can learn a lot by looking at this. This is a
question that has come up a lot that we’ve worked a lot on, not health data,
but all of the issues are exactly the same, and it has to do with video data,
that is, how can we share video data where I can kept as many facial details
about you in the video, but yet I can prove that no one could be re-identified.
Assume the face recognition software is just perfect, how can we do that. Those
things are for 42nd Street where we do surveillance.

One of the interesting things that we learned right away is we didn’t think
this was a particularly difficult problem. We said all you got to do is hide
part of the face. We could put bars over eyes or nose and so forth, and it
turned out that trying to do each of these things, these sort of ad hoc things
didn’t work. That is, the face recognition used in its optimal settings was
very robust and would find other features in the face to re-identify people.

So then we said, well, let’s try pixilation which you see on television
often. We even tried gray scaling. We even tried Mr. Potato Head, which is
basically pasting on other people’s eyes and nose and mouth. So shockingly,
none of these techniques worked either. And in fact, pixilation actually
improved face recognition software because it got little additive noise around
the eyes.

So left with that, we had to sort of invoke a new approach, and that was
sort of this idea of how it is in real time, we could actually peel the face.
My graphics isn’t working, but that’s okay. Often real time in the video and be
able to modify that face.

I see. Now that one works. That just shows you how fast the software can
work. So what we’ve done is basically develop this, and we’ll just click all
the way through, idea where we can take a face, extract the face image. We can
then tweak anything we want to about the face, and then we can re-render it or
morph it back into the video. And what we morph back onto the video in this
particular work is what we call K-anonymized data that is we took K similar
faces, and we averaged them together. So the faces that you see at the end
aren’t really anyone’s face, any one of these faces but somehow it’s the
average of all of them.

Also we noticed the larger that K gets, the more attractive the face gets,
which is kind of interesting. So in the use of – this actually ironically
never started in health data. The uses of this in health data, though, I think
you can see right away. They’ve come back to a lot of clinical trial
information. But also two tools that are meant to be used in the home that
require video surveillance for the aging and things like that where people who
are in the home don’t necessarily don’t want to be videoed.

And so here what we see is basically the face being peeled off of the
person, and then we can see without any other information about them their
appearance, their expressions and so forth. So in the case where it’s showing
up in nursing homes and places like that, this technology allows physicians and
psychologists to be able to understand how much interaction did the person
have, were they being yelled at, that kind of thing, what was the physical

Now I want to take this opportunity to talk a little bit about what was
learned about this, especially as it relates to the kinds of interest that we
have in medical data. One of the things is that we labeled this one
de-identified, but we might label it, we could say it’s anonymized if I could
prove you could never figure out who he is. If I stuck this face right where
the green mesh is which I can do pretty easily since I know where the green
mesh is and I know how to put that on, the problem is I’m still left with a lot
of other details that aren’t masked that I might still know him. So the
terminology we tend to use is the difference between de-identified and
anonymous data. Is anonymous clearly a higher standard, one that I could prove
can’t be re-identified. Well, de-identified data sort of has that ad hoc feel
to it that in fact it’s sufficient for our needs leaving you, of course, with
an effort argument.

So what I’d like to do is now take the lessons learned in sort of a safer
area, safer because it’s not our area of discussion, and then I’ll try to move
that into our area of discussion.

Many of you sort of may know of me from earlier work I did sort of pre-HIPAA
showing that medical data like the kind released at that time in hospital
discharge data which include diagnosis, procedures and also basic demographics,
could be linked to population registers, and this example of burger lists to
put back onto the de-identified data the name and address, and all that I
needed to do was use basic demographics to do this re-identification.

And what I was able to show that in fact in the United States if you take
date of birth, month, day and year of birth, gender and the five-digit zip
code, that uniquely identifies 87 percent of the population. What this graph
shows is the size of the number of people who live in the five-digit zip
population and the horizontal axis is the percentage of that population
uniquely identified. So as you would imagine, the smaller, the fewer the number
of people who live in this zip code in general, the more identifiable. We see
100 percent of the people being identified. And in general, the larger the
number of people in this zip code, the fewer the people.

But let me point out just a couple of interesting data points. And one is
zip code 6023 which is in Chicago, Illinois. It has over 100,000 people living
there. Now even if you aggregate HIPAA standards to the idea of only using the
two or three-digit zip code, many in the places in the U.S. still don’t give
you to 100,000 people.

Yet, there aren’t that many people over the age of 55 living there. So those
who do tend to stand out, and as a result they’re easily re-identified.

Another interesting data point is in Suny New York. There are only 5,000
people who live there. They all tend to be between the ages of 19 and 24. I can
tell you lots and lots and lots of things about them. We can’t figure who is
who, and that’s because these are all students at the University, and these are
dorms, and they’re so homogeneous a group that I can tell you lots about them,
but I just can’t figure out who I’m talking about, plus they’re very mobile.

So that example, that earlier work was really important because it showed
first of all the power that demographics can have in re-identification. And the
second thing that it showed also in that second part of the example is that if
I try to proscribe a remedy through policy, it’s probably not going to be
perfect because I don’t know whether you live in Suny, New York versus whether
you live in that zip code in Chicago. So I can’t get it quite right.

But I think there’s a general sense this is sort of demonstrated in this
chart. What you see here as I go up vertically, I’m aggregating geography. And
as I go horizontally, I’m aggregate age information. And so the 87 percent
begins to get smaller and smaller as we go up and outward.

And in fact, if you only know county, gender and year of birth in the United
States, there are still some people we can re-identify. Now they tend to Yogi
Bear and Yellowstone and people like that. But the point is there are still
some people.

We did a study to figure out where does the HIPAA safe harbor come in, and
the HIPAA safe harbor comes in right about 0.04 percent. So it’s the equivalent
of your birth town or the equivalent of county, month and year of birth as an

What that’s important to say is that we didn’t expect the HIPAA safe harbor
to be perfect because for the examples we saw earlier, perfection is not going
to be possible by prescription. And in order to get precise privacy and precise
utility, to do better than those, we’re going to find something better than
these crude statements in policy.

I’ll skip the HIPAA thing. I think you all know. Not only does it help
re-identify some people, but it’s also pretty useless. One technology that we
did transition out from the school university is a part called privisor, and
what it basically does is it says, okay, I’m going to figure out how many
people could be identified in your data. So you give me a data set, I’ll figure
out how many people can be re-identified.

And if that number is no more than 0.04 percent, we’ll certify it as HIPAA
compliant. And the reason their view of that is simply legally that the safe
harbor has a risk of 0.04 percent, then if you can change the fields around and
get some other set of data elements, or you can show that they don’t put the
public at any more risk than 0.04 percent, you’ve done no more harm than the
safe harbor would have done even though the data elements that you’re asking
for may be those even explicitly prohibited, and we see a view of that.

So that gives us a sense first from the face identification of anonymity
versus de-identification how basic demographics work which is the policy
solution there is sort of HIPAA. HIPAA sort of came in and said we’re going to
address explicit identification.

So the question is, is that good enough, and how does that carry on. I want
to introduce a notion of how we measure identifiability. So we have a
population who consists of these six guys. I don’t know if they’ll have a next
generation, and then we release some people out of the population shown by
these images.

One other person, even though you’re not able to see the colors, is an exact
match. He turns out to be both green with the same shape head, where this guy
would be ambiguous. Unfortunately, the colors didn’t come through. So you can’t

But the point that we’re trying to make is that by masking this guy and
having only to go by his profile and sort of the overall coloring, he would
only relate to one person, where this guy masked out going by his just shape
would relate to two people. So that just gives us the terminology we need.

This particular project was a bioterrorism surveillance project early on,
and this is essence to the resurveillance here in the DC area. And this was the
kind of field so it was being requested from emergency rooms and other places.
And you can see that is somewhat pretty identifying even though there’s no
explicit identifiers. We know it’s identifying because of the conversation we
just had about the zip code and date of birth and gender, three that we just
got through talking about are sitting right there. In the early times, the
unique patient identifier was the patient’s social security number. So that was
kind of another problem.

And the question was how could we actually allow the data to go to an
outside surveillance outside of the hospital setting and still be HIPAA
compliance because at that time there was no exemption for public health. And
so what we do is we see how identifiable is it that the data that they’re
actually asking for once we take out the social security number so it will be
obvious. And we found that 75 percent of the people coming through that data
set were uniquely identified. Ninety-four percent were either uniquely
identified or ambiguously identified with one other person. So a then size of
two means that here’s a record, and here are two people by name, Alice and
Joan, and that person, I can’t tell which one, it’s either Alice or Joan. Where
a uniquely identified then size of one means, ah, that record is definitely

So as you can see, this data would be considered by most people’s standards
highly identifiable or re-identifiable. And how is that possible. Well, it’s
the same as – the way that happens is the same old re-identification that
we had talked about before. So there’s really nothing new there.

The question, though, is how the heck do we go about fixing it because our
job isn’t just to point out problems, we need to actually fix it. So one of the
things we said we found out that they didn’t actually need the full date of
birth. They could actually aggregate it to month and year of birth without any
loss in the algorithms that we’re using to determine whether or not there was
some anomaly that day.

And when we did that, we saw that it dropped the identifiably which looks
pretty good. The pink thing you see down here is where the HIPAA safe harbor
would be if they had used HIPAA safe harbor. They can’t use it because it’s not
useful to the way their algorithm works. But you can see we’re making the
progress. The data’s still useful, not quite ready, not quite comparable to the
safe harbor.

So then we say, well, could we generalize date of birth some more. And then
it didn’t matter seemingly how much more we could generalize in date of birth.
Just even five-year ranges, ten-year age ranges, we could not get the line to
go lower. And so when we looked at exactly what the problem was, it turned out
that the strategy was the following. That the bioterrorism surveillance data we
saw before was linked out to here. But what we’re seeing now is that it was
using hospital discharge data and was linking on diagnosis, gender, visit dates
and zip and which is really kind of a shocker because these are the things that
we don’t normally think about as being sensitive. But in combination, they
turned out to be quite identifying.

The other thing that this shows is it doesn’t matter how much I aggregate
age in the biosurveillance data. It’s not going to have any impact on the
actual field so it’s the subject of the linking. And because the hospital
discharge data we were looking at had month and year of birth of patient, this
gave me automatically back the month and year of the patient irregardless of
what I did in my own data set.

And so, therefore, so the identifying data we were really seeing was this
being linked to our other list. So the way we solve the problem, though, is we
then had to break or aggregate at the field level one of the fields that are
actually causing the linkage. And it turned out that, thanks to some great help
from the Omni and other people at CDC, we were able to group these diagnosis
codes into syndrome classes, which is currently what’s used. And syndrome
classes collapse the diagnosis code, and then when you try to link it, it
doesn’t link very well. So we were able to squish that line all the way down to
a link that was very comparable to the HIPAA safe harbor. It’s not at zero, but
it’s very comparable in terms of its identifiably.

So, and that’s sort of what their data set looks like now and that’s from
New York. Now why is this useful. Because what legally what that allowed them
to do, I mean, now of course they have exemptions. But in the days before they
had exemption, what it allowed them to do was to do what was termed selective
revelation. That is, we were able to take their algorithms of how they detect
an anomaly was happening and render them sufficiently anonymous. That is, I
could prove to you that no more people are put at risk for re-identification
than were in the HIPAA safe harbor, and they were able to use that from normal

Then when something would happen, a trigger would happen, it would lower the
identifiably of the data so that they could get more detail on those cases that
were seemingly to be a problem. And if there’s still that more evidence, they
would use a more refined algorithm. But by this point, public health law took
over because once public health law knew that it was something explicit, they
could demand the explicit identified data.

So this idea of selective revelation is a very powerful one. It fits very
nicely into our notion, our legal structure already because it sort of is like
search warrant protection, this sort of the idea of a reasonable cause
predicate being satisfied through the technology. And so it allows us not to
have to change the laws, but to be able to use existing firm works.

Okay, now I know, let’s pull that closer to the kind of data that we’re
talking about. We’ve been able to do the same kind of two-stage link attacks on
pharmacy claims data and on clinical trials data. So this is an example of
pharmacy claims re-identification. Now I didn’t put up what the fields were,
but let me tell you they don’t include the explicit identification of the
patient. We didn’t use the fact that the doctor’s identification was provided.
Instead, we used again those same ideas of using the relationship between the
diagnoses, and for gender we used an algorithm that helped compute based on the
hospital’s reported statistics of where people come from when they come to
their hospital.

This doesn’t work across all medications. But for medications of interest to
certain pharmaceutical companies, we were able to produce the results that we
showed you. This was actually work funded by pharmaceutical companies.

So you can see this doesn’t work at all like the HIPAA safe harbor even
though the pharmacy claims data is neither explicitly identified and is also
not covered under HIPAA.

We’ve also been able to show similar using a different technique – we’ve
been able to re-identify DNA databases.

DR. COHN: I’m sorry, using, say again, the pharmacy claims data is not
covered under HIPAA. Could you clarify that?

DR. SWEENEY: Sure. Under the – so if you ask a particular
pharmaceutical company how it is they got pharmacy claims data, it’s not
because it was part of the – it may not have been necessarily through
insurance claims is the point that I’m making because it could have been data
provided through the pharmacy network themselves. It could have been data
provided through other organizations that do claims clearinghouse and so forth.
So that’s –

DR. COHN: It sounds like it’s covered by HIPAA. So I’m just –

DR. SWEENEY: I don’t have the slide. But I’m glad you brought that up. We’ll
put them all together. The other culprit of this problem is hospital discharge
data which is also not covered under HIPAA, right. So I live in the State of
Pennsylvania. A copy of every time, if I go to the hospital, a copy of that
information is forwarded to the State. This all happened as part of the earlier
1990s. People didn’t understand why health care was so expensive. One of the
things that did happen was an explosion in the collection of hospital discharge
data. So a copy of that claims information goes to the state, and then the
state provides publicly and somewhat publicly available versions of that data.
And the AHRQ used to, when they were called AHRQ, used to provide versions of
that data as well. So collectively, I’m turning that hospital discharge data.

When HIPAA came along, that’s not data that’s covered by HIPAA because
they’re not a part of the insurance structure that HIPAA originally began to
cover. That is, they’re not a part of the medical claims processing. So that
data, and they’re not obligated to oblige to the HIPAA safe harbor provisions
and so forth, and many of the data that we were getting was not adhering to it
at all, not voluntarily. So that’s the example that you see here.

MR. ROTHSTEIN: Once it reaches the state, it’s not covered by HIPAA. But
when it’s disclosed by the hospital, the hospital is a HIPAA-covered entity.

DR. SWEENEY: Yes, they’re a HIPAA covered entity. But HIPAA can’t stop the
state law that requires the data to go to the collection agency, the hospital
discharge data. And so that’s why we say it’s not covered under HIPAA because,
to the extent that the – the question for us and the work I do is where is
the data covered, not if the person, yes, the hospital is covered, but
essentially they’re not totally covered because they have this other place
they’re obliged to provide the data to.

MR. LABKOFF: Can I ask a question. Hi, one question, please. You keep
mentioning this issue about data being re-identified. Can you just clarify
please, you know, the NSA can re-identify things, too, but it takes massive
computer power and a lot of effort. Are you describing things that are easy to
do, likely to do, or really hard to do?

DR. SWEENEY: This is pretty easy to do. Well, someone’s talked about what’s
the level of effort required. To do the linking from 1997 was talked about
before, that kind of linking. I basically take this data set, and I link it on
this data set, and any access database, any kind of regular database, that’s a
simple match question. Give me all the records where the zip code, date of
birth, gender or version of this date of birth matches in both data sets. So
there really that’s a one line statement in a database. Now suppose I don’t
have a database, suppose I don’t even know anything about databases. But you
know what? I’ve got a little time. How could I do it.

Well, I load this data set into Excel, and I load this data set into Excel,
and I sort it first by probably date of birth, and I pull out the ones that
have the matching dates of birth, and I just keep working, and then I resort
those by zip code or do a three-way sort if I wanted to. And I can then figure
out which ones match. So it’s a little more laborious, but certainly I can
effectively get the same result. Yes?

MS. SOLOVEICHIK: I’m Rachel Soloveichik from the Bureau of Economic
Analysis, and it seems like this is data that’s pretty public knowledge because
I know when my friends go to the emergency room or something.

DR. SWEENEY: Right. So what we do is we – this sort of gets back to the
question I was just asked a moment ago because he had two parts of his
question. One was the complexity of what’s involved in doing re-identification.
The other part of his question, though it was sort of glossed over, was how
accessible is this data.

I don’t have it on this slide, but I have a slide that has a continuum. At
one end of the continuum is privately held data. At the other end of the
continuum is publicly held data. By publicly held data, we mean that pretty
anyone can give you. You may have to sign a form. You have to pay a nominal
fee. But pretty much anyone who asks for it can get it.

Semi-public data is data that the fee might be substantial, or you have to
be one of a group of people. Like, for example, a pharmacy might sell its data
to a pharmaceutical company. It may not sell its data to some other party who
might choose to make these kinds of divisions. Or some data just simply is
expensive. We call that semi-public data.

Semi-private data and private data are data that we don’t talk about. All of
the examples that we use are almost all publicly available data and, in some
cases, semi-public.

Okay, so we’ve done this with DNA, and we’ve also done this with, to the
extent that I can polarize health information about you by knowing what
websites you visit. So we have done some work that was published in JAMIA about
disease predicting and disease following behaviors. But that’s kind of outside
the scope of here, but I just want to give you a sense of kind of the things
that we’ve done.

So I sort of tipped the iceberg a little bit about the kinds of problems
that we found. We’ve looked at all kinds of data. There is another great
problem, too, in clinical information that has to do with the clinical notes,
and that is if the notes are de-identified to the letter of the safe harbor,
they still leave lots of information on the table about who you are. So, for
example, the kind of information we see in clinical notes at the age of two,
she was sexually molested. At the age of three, she set fire to her home. At
the age of four, she stabbed her sister with scissors. Now nothing in that had
any explicit identifiers that would require anonymity for the safe harbor. But
yet, that gives you a sense of how many of those little details about your life
tend to show up in clinical notes and can be re-identified.

Okay, let me summarize so I can be quiet and take questions about what are
some of the lessons learned.

The first lesson I want to point out to you is that ad hoc techniques don’t
work. That what we’ve found, just like in the face example I started with, the
idea of putting bars over people’s eyes and so forth didn’t work. You have to
be able to prove that your privacy protection is sufficient.

Where do I see that happening a lot in the health data that we’re talking
about is the improper use of encryption as a protection mechanism. What we see
a lot is people will say I’m going to use a really strong hash functional or
strong encryption function, and therefore I know the entity is protected unless
you, if it’s encryption, unless you have the key. If it’s hashing, there is no

And so the way we break these systems is quite easy. I simply will take the
hash function, I’ll try every possible social security number and run it
through here, and I’ll get an index. It gives me the unique identifier that
you’re using and matching it to the social security number, and I’ll try it for
all of them.

So one of the things, but how long will it take. I mean, social security
numbers are nine digits. How long does that take, say, on this Dell laptop, oh,
yes, this Dell latitude that’s sitting right here. Well, almost that exact
machine took me four seconds. So it gives you a sense that this idea of this
dictionary attack problem on encryption is a good technology used in a bad way.
So we’ve got to do better on that regard about ad hoc techniques.

The second lesson is one of the things that Privacert was very effective at
doing in the biosurveillance base was whatever knowledge it had, it had a more
global knowledge than the person who’s sitting here with only their data source
or only their kind of data. So even if you had all of the hospital discharge
data in the country, you still are only talking about your data, and really
these re-identifications are happening because of data not under your control,
data that other people hold who how it affects with your data.

And so that’s a serious problem that almost begs us to think in terms of a
more comprehensive approach.

Another problem is that it renders consent and fair information practices
pretty useless. One of the reasons that that happens is we can spend a lot of
time with consent and so forth – I’ll come back to the fair information
process in a second. We’ve spent a lot of time focusing on the person who
originally collected the data. Did I trust them? Did I therefore give my
consent? Oh, no matter how much factual information you say about all the other
places it might go, the truth is there’s a trust issue about the first person
who I’m giving the data to. The problem with that is we then scrutinize the
next level of data they give it to. So if this is the physician who I
scrutinized these type of networks and other people who are getting the data.

But once it gets to them, there’s no limit on that because there’s no
scrutiny beyond that, and that creates yet another problem that we’ve been

Another problem with consent is that a lot of work that’s come out of the
economic community with respect to can people actually make rational decisions
on data with respect to consent. So there are tons of them where people have
gone to a corner and I’ll give you a dollar for your social security number, or
I’ll buy you a hamburger if you tell me all your medical data, things like
that, and people will overwhelmingly say yes. Most likely, many of us in this
room have participated in something similar by using your loyalty card at the
supermarket. Yes, I’ll take the discounted rate, and I don’t care if you track
my groceries. I don’t care. It doesn’t matter to me because in some sense we
can’t phantom what could happen to us down the road. That is, in some ways if I
now tell you some of the uses that people have tried to put grocery purchases
to, you would almost scratch your head and say, oh, my God, I would have never
have thought of that, that someone would try to correlate absenteeism at work
with junk food purchases or diseases with junk food and diet and things like
that that are purchased there. And, of course, the more famous ones have been
the ones of purchasing condoms and things like that when a person’s Catholic.

So the problem with consent is you’re asking an individual who is so
ill-equipped to know the long term ramifications of the decision that you’re
actually asking him to make. And then even if you write it out and even if you
sit down and you guide them, it’s not even clear that many of the organizations
that are receiving the data can understand the long term ramifications of the
very policies that they’re advocating for.

This begs for policy, and that’s the role of health policy is when the
individual can’t make that choice, when the organization under their best
attempts can’t really make that choice, we have to come up with coherent
policy. I’m not saying what that policy is, I’m just saying – I’m just
dumping it on your door.

Also, there was not much talk from what I heard about fair information
practices. But I think that probably because what I heard in the early
conversation, people recognized they’re just not going to be useful.

But it did beg out the question I heard in the earlier presentations, the
panel right before me, is, okay, fair information practices are totally going
to help me here. But what actually might be alternatives. Is there a notion
that after I opted in, I could then opt out and you’ll remove all my data. Can
you tell me all the places that my data went so that if I later did have harm,
I could actually have a trail of loss which I don’t have right now.

So let me give you an example. There was – it’s been a debated issue.
It appeared in the Journal of JAMA, the Journal of the American Medical
Association issue about a Maryland banker who took a list of people who had
mortgages at his bank and crossed it with information he found on a publicly
available cancer registry, and then if he got matches, he began discrediting
their credit basically calling in their loan, calling in their mortgage. So if
you are one of these people who had cancer, all of a sudden you don’t know why
it is that the bank is getting all testy with you and trying to un-do your

The problem – I don’t know, it’s been contested whether that was true
or not true and so forth. I can’t speak to that specific example. I can
absolutely tell you it certainly is easy to do. I can tell you that I’ve had a
lot of anecdotal conversation with people who seemed that they may be doing
things like that.

But that doesn’t help us here in this conversation. But what does help us is
to be able to say, you know, if we don’t allow an audit trail back for patients
to say where the data went, then in fact that person has no course of action
because there’s absolutely no doubt there are fantastic benefits from sharing
health data. I mean, I think that the panel before me just the eureka in terms
of, gee, look at all the things we could do. Look at these great things that
could benefit society. But in the United States, people make hiring, firing and
promotional decision. When those surveyed, the top Fortune 500 companies and
something more than 30 percent said that they do use health information to make
hiring and firing and promotion decisions.

So the problem is that the down side risk like the Maryland banker example,
like the Linnow study is borne by the individual. And it’s great that society
can reap the benefits of my medical information. But at the end of the day, I
still want a job. I still want to be able to live in my house and so forth. So
we have to kind of balance this out.

So the last lesson that I want to point out is that one of the things I
don’t like about my talks is a lot of people focus on the re-identification
problems and not the thing that I think is the most important, and that’s the
balancing that the technology often does. It’s really, with the kind of
technology and solutions that we’ve been able to deal with and develop are
solutions that can nuance the utility and privacy at the individual level,
something that policy in general can’t do really well just having a blanket

We do have a grant from the National Library of Medicine to do more work in
this area on the kind of data that you’re talking about for these technologies.
But obviously, that’s not on the table right now.

So let me end with that, and say thank you. This is my email address if you
have any problems finding the slides and the subject on my website.

MR. REYNOLDS: Wow would be my first comment, and then I’ll open it for
questions from the Committee.

DR. VIGILANTE: Just a very simple minded question here. So am I hearing you
say that basically nothing in our current standard is actually not
re-identifiable? When we say re-identified, it’s really, well, I guess I’ve
lost my sense of, you know, the question of risk here in my, my internal risk
calculus, I’m a little bit askew, and I’m having a hard time reorienting. So
when you say the HIPAA safe harbor, are we talking about those 18 fields that
everything gets, now remind me, in those fields, are we obliterating those
fields, or are we providing vague aggregated versions of those. Because in
other words, are we obliterating date of birth or are we providing an
aggregated version of that.

DR. SWEENEY: In the case of date of birth, we’re providing age.

DR. VIGILANTE: Right, providing, okay.

DR. SWEENEY: It’s kind of pretty much the nightmare for anyone who wants to
use the data because it’s pretty much get rid of everything that seems useful.



DR. VIGILANTE: What are we doing for zip? Are we doing –

DR. SWEENEY: Zip three and zip two in really small communities.

DR. VIGILANTE: Zip two, okay.

DR. SWEENEY: Well, primarily zip three for most of the U.S.

DR. VIGILANTE: All right.

DR. SWEENEY: I found glossed into that slide.

DR. VIGILANTE: So you go to year or age, zip two or three and gender, you
get a 0.04 identifiable?

DR. SWEENEY: That’s right.

DR. VIGILANTE: Point 04 –

DR. SWEENEY? Point 04 percent of the U.S. population.


DR. SWEENEY: It’s not given that there are 20 million different people.
That’s not that kind of number. But I think what you’re getting to and I hear
the push back is that it’s not really no longer a black and white issue, which
it never really was. It’s really about drawing a line somewhere, right, and
HIPAA not knowingly just following a policy prescription, ended up drawing a
line right across the 0.04. But in fact, you know, we could do better in other

DR. VIGILANTE: So actually that doesn’t feel that bad.

DR. SWEENEY: 0.04? Unless you’re one of those people.

DR. VIGILANTE: Right, but it just – it’s probably a risk I’d be willing
to take. I mean, I’m just speaking out loud. I mean, —

DR. SWEENEY: No, this is good, this is good. So you wanted to take –

MR. REYNOLDS: Are you having your own chat there?

DR. VIGILANTE: But actually what does this mean to me? How does that feel?

DR. SWEENEY: No, I think that’s cool. So then what happens, though, is I use
the other part of the fields that are still left in tact, and I then come up
with these numbers.

DR. VIGILANTE: Like diagnosis.

DR. SWEENEY: Yes. And certainly what I want to say you can’t include
diagnosis. So it just begs that that kind of prescription policy is not really
the right thing.


DR. SWEENEY: I think that’s the thing because you might be okay with, you
know. 0.05 percent of something, but you know, it’s a 10 percent for a bin size
three. So for marketing purposes, that’s a no-brainer. Marketing will take
three. In other words, after you’ve mailed three times as many pamphlets
because two of them are going to the wrong person, and you want it to go to the
right person.

So let’s try to work on that compass a little more. One thing that’s really
alarming is when I go to the EU, in Canada the privacy commissioners in Canada
commission various people across Canada to try to repeat a lot of these studies
in Canada, and the numbers look pretty like 0000s, and you say, well, why, how
come. And it’s because they have a comprehensive perspective. Because they
have, they have this idea this is what personal and health related information
is. If you have it, you’re subject to this rule, and this is the rule. And as a
result, it sort of gives it global coverage because these problems are
happening because this is in the hospital discharge data, or they’re happening
because of the existence of a pharmacy claims data, things that are sort of
leaking out in other ways.

And so in Canada, they don’t get to leak out. They’re all covered by the
same group, and then it becomes easier to make useful data more readily

MR. REYNOLDS: So to use that here like our privacy letter was that
everybody’s a covered entity in that case, maybe –

DR. SWEENEY: That’s right. That’s exactly right.

MR. REYNOLDS: Simon, you had a question.

DR. COHN: Yes, and actually thank you very much. It’s been very useful sort
of a reminder of the environment that we have, and I think, like Kevin, I’m a
little shocked because you think about it and you realize all these things.
Your government obviously can get data, and these are all obviously all
preclusions we don’t think about it a lot.

Now you assured in our earlier conversations when we were talking about the
whole issue of pharmacy data, and I noticed you began to show some data on all
of that, and maybe I’m asking a very simple minded question. But obviously
there’s a whole intent very appropriately beginning to do a lot of evaluation
with the provider as the unit. And I would just sort of listening to you and
listening to that. I was obviously trying to think in my own mind if there are
particular privacy concerns because we’re basically dealing with relatively
small sample sizes, especially when you start getting certain things happening.

Now, of course, you obviously are also throwing in all of these other things
that we can link. But even without that, I mean, are there from your
perspective, are there sample size issues and cell issues that are just sort of
obvious and no-brainers in all of this?

DR. SWEENEY: Well, I mean, the data and the web logs data used very
different kinds of attack strategies, different kinds of algorithms. The
algorithms that I think were kind of really on the table are these linkage ones
because they’re just sort of easy to do, and they’re just sort of sitting out

The problem with the provider data is that the question is where the
provider ID then becomes the key. The key to how many things? And so if I can
get the provider’s ID number and a list of licensed physicians with the
provider’s name, then that tells me I think I can get the provider’s name.

If the provider ID shows up in hospital discharge data, then I can use the
provider ID as a way to link to the general practice on location. So in some
sense, and I don’t want to speak out of school because I don’t know the answer
to those questions. But if you were to ask me, gee, what do you think the
vulnerability is using provider ID as the main key, right away I can say, gee,
I’ve seen that in pharmacy claims. I’ve seen that in hospital discharge data,
some of it, not all of it. I’ve seen it in quite a few places. Gee, what did it
actually buy me. Isn’t it at the end of the day going to look like some two
stage or three stage link.

I don’t know the answer. But I would sorry. Anything that has that kind of
key or cross data sets can be a problem. The kind of thing that we’re doing
with the NIH grant is we’re actually thinking, we’ve already come up with some
ways, but we have to test them out and we have a couple of test beds in the
country, of leaving the data where the data sits, and we’re able to answer any
query off of the data and make sure that the result you get doesn’t create a
privacy problem. So that is one. All of the research that was talked about
before that absolutely happened. But we want to do it where you don’t have to
have a copy of the data on your machine to do it. The original data still stays
at the data source, but we provide you with a mechanism to answer queries from

Better than the kind of thing you get now where we can only pull down
certain numbers. There are some of these kinds of things already existing out
there that you can only answer how many people with disease X. We need
something richer than that, something as rich as the kind of things that get
published, could researchers use data, get data that way. Again, that’s
speaking out of school. We don’t have those rules.

DR. COHN: I have just a follow up, and again maybe I’ll look to all my
colleagues in the U.K. only because, I mean, thank you for introducing this
concept because I think part of our mandate or request is to sort of try to
identify approaches to mitigate risks, and obviously this is the type of tool.

I guess I’m looking at the U.K., the last time we heard a representative
from the U.K. talking, they were actually talking about that sort of an
approach. And I’m just not sure that I didn’t actually, maybe that’s implicit
in what you were describing where requests are sent to a specific spot with the
answers coming back which I think you’re commenting on.

MS. JONES: Yes, that’s the expectation certainly with the secondary uses
service if you’ve got this roll base access. You’re actually only getting
access to the sort of the mark which is essentially is a query engine anyway.
So you’re not actually, you’re not pulling the data, although there are
opportunities to have a sort of an extract. But that’s a very sort of clearly
defined process in order to go through to say this is the data that you’ve
actually requested. This is what you’re using it for, and this is essentially
what you’re getting, and there’s a sort of almost a sort of a contract, really.
But in terms of actually the access, then it’s very much that kind of model.

DR. SWEENEY: One of our challenges is a little different than the U.K.
because you at least have a centralized data source from which query can start.
We assume that there is no such centralized data, that in fact the data over
which we want to query is maybe across the country, maybe across the region,
and I need the same query to link on this same patient, give me the accurate
information I want across different data collections.

And what we like about that system is the fact that I can use explicit
identifiers of the patient because after all I’m not going to give you their
social security number, but I could use it because I could use it in a very
accurate way. And in some sense I think we’re going to be able to show the data
results we’ll get are better than data where privacy try to prescribe and then
you do the research off of that.

MS. JONES: Can I just ask one sort of question. It’s really just –

MR. REYNOLDS: Yes, this will be our last one, and then we’ll break for

MS. JONES: It’s about the identifiable bit, the sort of zip code, year and
gender there because we consider in the U.K. that to be an identifier rather
than a sort of de-identifier. And so, well, we haven’t actually gotten an NHS
number, then we actually use those three items. But that is considered to be
identifiable data. We use it to identify. So it would never be put in the
context of non-identifiable.

DR. SWEENEY: Yes. Well, we’re different.

MS. JONES: Okay.

DR. SWEENEY: We’re kind of like the wild, wild west when it comes to data.

MS. JONES: I think the thing that’s really been in my mind is the threat,
the identification of the threat which I find absolutely fascinating in these
sort of down the line sort of uses of it, and that it’s really saying, well, at
what point do you say I have to take that risk and what don’t you do. And I
think with a national health service, we’re a like position that there’s not as
much of a threat in the whole thing.

MR. REYNOLDS: Thank you very much for a really compelling discussion, and
thanks everyone. We will be back at 1:45 per that clock.

[The meeting has adjourned for lunch.]


MR. REYNOLDS: Okay, I hope you’ve digested your lunch and what went on this
morning. Okay, Justine’s willing to commit to half of it.

All right, our next group is going to be discussing the technical solutions
for consent and other HIE issues, and we’re going to have Jonathan White go
first since he has other pressing matters that he will go with. And so with
that, Jonathan, why don’t you go ahead and get started.

Agenda Item: Technical Solutions for Consent and Other

DR. WHITE: Hi, I’m Jon White. I work at the Agency for Healthcare Research
and Quality, and today on Oprah, Stewardship Entities and the People Who Love

I have had the pleasure of coming to you before to talk to you about the
concept of health data stewardship and, in particular, an RFI that the Agency
released back in June on the concept of a national health data stewardship
entity, and I’m going to give you a brief update on that and where we are.

MR. REYNOLDS: Can we move your microphone over a little bit closer so that
when you turn, if you’re going to be looking at your screen, we’ll make sure we
hear you. Let’s do that. We’ll put one on both sides of you.

DR. WHITE: So I’ll make you laugh. For my fellow IT folks, in medical
school, you know literally from the first day I was the guy that when the slide
projector broke, everybody turned and looked at me said, Jon, go fix the slide
projector which is how I ended up where I am today.

I start with a quote from one of the masters of literature, Mark Twain,
“Persons attempting to find a motive in this narrative will be prosecuted.
Persons attempting to find a moral in it will be banished. Persons attempting
to find a plot in it will be shot.” These are the opening words of
Huckleberry Finn, and from even before the release of the RFI, accusations were
hurled of our contending to establish a national health data stewardship entity
throughout the world. And I have tried to make it as clear as I can from the
beginning that we have been involved in conversations that discuss the concept
of folks who aggregate date and how you should be treating that data which is
the concept of health data stewardship. But I have no plans to do anything
further with this data other than to summarize it and make it publicly
available to richly inform the discussion about this because this is a very
rich discussion for topic with very strong considerations on both sides, as you
all have been hearing over the past several months, and therefore I have no
ulterior motive other than to hopefully, you know, contribute a richer
understanding of the concept of data stewardship and, you know, certainly not a
comprehensive understanding of what opinion is on the subject and knowledge is
on the subject, but at least a more comprehensive understanding of what’s out
there, what people’s opinions are which is the reason for doing a request for
information publicly.

So the question that NCVHS had posed today was to ask what lessons and
experience, what experiences can we provide relative to oversight or data
stewardship. There’s a list of these, but this is the one that appeared most
relevant to what we were talking about. So I’m going to talk about the RFI. I
will preface this by telling you that the summarization process is not yet
complete. We received all the responses by July 27th. So it’s been
about a month. We have received over 100 responses which I’ll get to in a
second, and several of those were very lengthy and some written by some people
in the room, and they spent a lot of time doing that, and do justice we’re
taking a while to be able to try to summarize them.

So in particular for the RFI, the concept of health stewardship data entity,
at least for me, really first of cropped up in the context of the AQA. Now I’ve
talked to you all about the AQA, so I’m only going to briefly recap.

The AQA has three work groups. I was part of the data sharing aggregation
workgroup which talked about bringing together all pair data for the purpose of
performance measurement for individual physicians, originally ambulatory and
then expanded to all types of physicians.

In addition, there were two threads that fallen through the work of that
work group. The first is how do we aggregate data for that purposes, and the
second is shouldn’t we be kind of careful about that, and what are the issues
surrounding that. And we first talked about the issue of data ownership which
in a digital day and age becomes challenging as that data becomes instantly and
on a vast scale replicable and therefore the concept of which I’ve also talked
to you all about before about the concept of stewardship of data. And
stewardship for me means taking care of something you don’t own. So that’s a
succinct way to say it.

There was about two years’ worth of discussion on the concept of data
stewardship at the AQA. Some documents were arrived at that were fairly well
thought through, and then the group felt that it was time to ask for broader
comment on the concepts that were contained in those documents.

And ultimately the group arrived at the conclusion that the best way to do
that would be to issue a request for information released publicly in the most
public way an the most public way that the group could think of was through the
Federal Register.

So seeing as federal agencies are the ones who publish in the Federal
Register, AHRQ was nominated to publish this. The group reviewed several drafts
of the request for information that was released out in early June, and two
months were given up for a response. And on July 27th, it closed.

The topic was health data stewardship, and in particular, crystallized
around this concept that was advanced in the context of the AQA of an entity
that performed the functions of health data stewardship or advanced the
principles of health data stewardship, and, therefore, that was the example
that was given in the RFI and much of the supplementary information related to
AQA documents that laid that out.

So the primary purpose was to gather information to foster broad stakeholder
discussion which is a function that AHRQ fulfills evidence generating agency
and the convening agency. Supplementary information is from the AQA. There were
25 topics for discussion. I’m not going to go in depth into them. I know you
all have seen the RFI before. I do want to point out potential respondents, and
we really tried to call from across the spectrum of stakeholders from health
care. We were hoping that we would get respondents from providers to peers to
government agencies to creditors to you name it. So we were hoping to get a
wide variety of responses.

So the responses that we got, we got over 100 responses to the RFI. Several
of them, the majority of them came from private citizens, and the majority of
those were form letters that were sent in. There is a group that saw the RFI,
generated a response to it, and for their members generated a form letter to be
pasted to represent their point of view.

So I would say that the majority of the responses fell under that category,
okay. Now that said, there were a number, probably in the range of dozens, of
in-depth, detailed responses ranging from ten pages to up to the 50-page limit.
So there were a number of fairly hefty responses to this RFI.

I’ve provided a list of the types of respondents up here. They include
providers, peers, patients and their advocates, creditors, industry, state
government, what I euphemistically call the quality enterprise and I’ll
characterize each of these in a second, and health care organizations. Examples
of providers and provider organizations that responded would be the AAFP, the
American Medical Association, the American College of Physicians, the American
Academy of Pediatricians, American Osteopathic Association, the only hospital
association, although not the AHA or the FHA, FAH, Federation of American
Hospitals or American Hospital Association.

Peers included Blue Cross and Blue Shield of America, patients and their
advocate, in addition to the individuals that responded. These would be folks
along the lines of the World Privacy Forum, the Org Chart Frontier Foundation,
the Institute for Health Freedom as well as a number of consumer labor groups
include SEIU, the AFL-CIO, organizations like this.

Creditors, JACO submitted a joint response with NCQA and NQF. The first two
primarily, but to an extent, the Joint Commission are folks that I characterize
as the quality enterprise, you known, when we try to, Carolyn and Clancy and I
when we talk about this a lot, we try to figure out who’s when we talk about
quality and healthcare, you know, we talk about this loosely organized quality
enterprise. And these include folks like AHQA, NATO, National Association of

SPEAKER: [Inaudible]

DR. WHITE: Thank you. The Leap Frog Group responded, Academy Health
responded, West Virginia Medical Institute. So a number of folks from quality
enterprise. State government was California. There were two folks from two
entities from California that responded. The California Health and Human
Services Agency Office of HIPAA Implementation as well as the California
Insurance Commissioner. I thought that was interesting. And then finally health
care information organizations which include Connecting for Health offered a
very substantive response. AHMA offered a very substantive response, and so
that was outstanding.

I briefly, you know, I’ve talked about the type of respondents. I briefly
want to talk about the non-respondents and I was hoping at this point that some
of my federal friends didn’t respond. I can probably understand why they
didn’t, but I was hoping that we would get some other federal agencies without
naming names to respond, but they didn’t, and that’s fine. You know, again the
purpose of this was not to be completely comprehensive, but it was to try to
get a more comprehensive picture of what’s out there.

I said that the responses are not yet finished. Let me tell you what the
next steps are, and then I’ll give you, I’ll try to give you a general sense
for what I’m hearing and as I read through these because I’m through them all
yet. I do have a day job still, although maybe not long after this is done.

So eventually by October, the responses will each be individually posted on
I think the AHRQ website. Unless I have a better solution, we’re going to post
them on the AHRQ website which is a federal site. We’ll remove identifying
information like emails and stuff like that, but we’ll keep people’s names, and
I want them to know that their response was heard.

And also we’re going to put together what I’m calling a qualitative summary,
okay. We’re doing this through our national resource center. And when I say
qualitative summary, this is what I mean. I don’t want the agency to interpret
the responses, okay. I don’t want to say, well, based on this we think that
one, two, three, four should happen, okay. Again, the purpose is not for us to
draw conclusions and act on them, but to more richly inform the discussion.
That’s the point of this, and we’re serving as a science partner sort of to our
colleagues by doing this.

When I say a qualitative summary, I mean that this is not a democracy. This
is not each one response counts for one vote. You know, one response might
cover organizations that represent several thousand people. How do you know how
to weigh what against what. So instead, what we’re going to try to do is we’re
going to try to represent the range of responses, okay, to given topics for
discussion in a summary way, but nonetheless represent them so that all of the
ideas that are contained therein are well represented. And you can go to one
place. You don’t have to read through each one of these documents to be able to
get to it.

It’s quite an effort. It’s challenging to be fair, balanced, inclusive
without being exhaustive. But that’s kind of what’s laid before us. So that’s

We are planning on having these done and posted by October of 2007, so about
two months hence, and we’re going to formally present them to the AQA because
that was, again, the kind of the nitus(?) for all this and then wherever else
is necessary.

So that’s the formal part of the presentation. Let me jump and try to offer
you some general thoughts that I’ve been hearing back from the RFI, and then
hopefully we can have a good rich discussion about this.

I would say that fairly universally, nobody wants one big database in the
sky, okay. Many of the folks who read the RFI responded to it in such a way
that they had read these materials to indicate that AHRQ was thinking about
establishing a database of all health data, and you know, although that wasn’t
necessarily the intent, it is valuable to understand that there is a very
visceral and strong reaction that that should not be the case from a number of
different folks and for a number of different reasons. But I think that was
pretty clear.

There was a strong indication of the value of many of the secondary uses of
health data that you all heard about, okay. I mean, I don’t have to tell you.
You’ve been here, and you’ve been listening to it in a very comprehensive way.

So there were many respondents who saw great value and represented different
ways that, you know, data that’s generated for one purpose could be used for
secondary purposes that have benefit to society or individuals within society.
So that was clearly called out. Also clearly called out were the various ways
in which abuse could take place of that type of data, and, again, these are
things that you all have heard about. I’m not going to belabor the point.

What was interestingly clear to me is that there is a clear thought from the
folks who didn’t just say no, there was the clear thought that if you’re going
to go about this process, you must be extraordinarily careful, you must be
extraordinarily thoughtful in how such a venture would be undertaken, and you
must be impeccably transparent in the processes how decisions get made, why
they get made, by whom they are made, and for whom they are made, okay.

And I think it would be my personal observation to you that if anybody
broached the subject of health data stewardship in a national way and that it
was agreed upon that there was value in doing that, that such a group, entity
whatever would have to have what I call executive sponsorship which really
means support from kind of the gamut of health care stakeholders in this
country, okay, and that they would need a degree of insulation.

Folks who grapple with these subjects are grappling with extraordinarily
powerful, financial, moral, scientific concepts and issues, and political
issues, too. And really, without a degree of insulation for those folks, they
would be torn apart by the gravitational forces, okay. They just would be. You
know, it’s one of those things where you can absolutely see nothing happening
because of the weightiness on all sides of the issues.

When I say insulation from some of those forces, I don’t mean being
non-responsive to those forces. Those forces represent different points of view
which are very legitimate, okay, on both sides, all sides really. I keep saying
one side versus the other; this isn’t really one side versus the other. But
there are really legitimate issues that get brought up by people on all sides
that should be addressed and should be addressed thoughtfully. So that is a
really brief and concise summary. I would offer the final thought that I’m
really grateful to all the folks that have taken what is clearly a tremendous
amount of time and thought and effort and put their hearts into some of these
responses. I’m really impressed, and I’m very grateful to be working on it. So
with that, I would love to talk with you about it.

MR. REYNOLDS: We’re going to go ahead and ask some questions of Jon since he
needs to go. So Simon, I want to ask a clarifying question, and then I’ll take
other ones.

DR. COHN: Well, Jon, thank you very much, and it was good seeing you here.
It certainly sounds like an interesting set of pieces which I’m sure will be
de-identified by the time we see them on the web. I know that was sort of my

But now you know, as I thought about it and once again I’m remembering back
to the RFI, and I remember there being a goodly number of very significant
principles that you were asking for input on. And then I guess there was the
question of, well, what does this thing look like. And, of course, I would
observe that it’s one thing to espouse or somehow have an expectation that
organizations will adopt principles which is one form of data stewardship. It’s
a whole another thing to create another entity that somehow even without a
single database would be adjudicating something or other, and I’m not sure what
that would be adjudicating.

But you really actually didn’t comment a whole lot about the principles and
whether there was widespread support or at least the principles that you were
espousing, or were they just so obvious and so nice that it really was not

DR. WHITE: Great point. So if you look at the supplementary information in
the RFI, there’s a proposed mission, proposed precepts, a proposed scope of
work, and then proposed characteristics of the hypothetical stewardship entity.
And it kind of reads like the scout law, trustworthy, faithful, you know,
things like objective, independent, knowledgeable, responsive. Most folks
didn’t respond to that. I mean, you know, to the extent that they did, they
said yeah, I’m mean all those make sense. All those are desirable

Most of them got straight to the issue of whether or not we should even be
talking about stewardship, and whether or not we should even be grappling with
that issue. You know, some folks said yes, we should absolutely be going there,
and other folks said no, we shouldn’t be going there. And both of them would
here’s why, and some folks said be really careful if you’re going there.

But as far as the principles, the proposed characteristics and some of the,
I would say that folks largely did not argue with those. As far as, and the
precepts would be fairly much the same to be objective, to weigh carefully to
bring about new changes. The scope of work was robustly discussed, you know. I
would say that there is, again, a variety of opinion on that. But should these
folks be involved in aggregation, should they not be involved in aggregation.
There’s some discussion of what methodologies should be used, but not terribly
extensive. Uses of data was widely discussed. But yeah, I would say that the
principles were not questioned largely.

MR. REYNOLDS: That was my question, too.

DR. WHITE: It’s hard to argue with the principles as they’re laid out there.
You know, who doesn’t want some more – yeah, it was more the issue of
should we even be going this, should we even be going there. And, again, to
just very broad brush, yes, no, be really careful was the responses.

MR. REYNOLDS: And again to ask it differently, then, going to centralized
databases or going to data stewardship?

DR. WHITE: If one is to go to any sort of database, whether centralized or
regionalized or localized, then issues of stewardship should absolutely be

MR. REYNOLDS: Thank you.

DR. WHITE: So there are principles of stewardship that should absolutely be

MR. REYNOLDS: Well, Jon, I thank you. We appreciate it. If you could speed
your date up, that would be great. If you’d go ahead and write it up for us
tomorrow, we’d appreciate it. Okay, with that, our next speaker is Assaf Halevy
from dbMotion. And, Jon, thanks.

MR. HALEVY: Thank you. So as I said, was relocated to the U.S. two years ago
and actually three weeks ago, moved from Atlanta to Pittsburgh following the
business of dbMotion. DbMotion is doing virtual patient records with the pure
focus on interoperability and shared medical data across either harmonized,
unified single enterprise such as UPMC in the example of Pittsburgh, or that we
are implementing right now, or in a very distributed, independent environment
such as the Bronx RHIO which is using dbMotion in order to implement Bronx RHIO
challenges around interoperability as well.

Feel free to interrupt and stop me with questions any time if you prefer
rather than at the end.

MR. REYNOLDS: I’d rather wait til the end, if we could.

MR. HALEVY: I’ll start with the first slide which is very simple, as you can
see. It’s just three colors, right. It’s purple, green and red, that’s it. So
in the next three hours, we’ll go over it. And actually, this is only the
context for what I would like to share with you. I think it’s important just in
a few words to understand what is it that we’re doing in order to create and
enable interoperability in a secure way, and that will allow me to use this
context while I move forward and share with you what I think I can.

Just two more words before doing so. What I think I bring to the table that
may be useful for the Committee is mainly three things. Personally, I’m a
computer science educated, and I spent the last ten years purely in shared
medical data in a very practical, incomplete world. We are running in
production in Clalit Services in Israel, which is a very large organization. I
want to say altogether we have the experience of about 70 percent state level
medical record sharing.

So what I bring to the table is maybe the practicality of really doing it
along with the scar tissues of it. Conceptually, gray area over here is
operational environment of the hospital, a group of hospitals, any combination
of inpatient, outpatient, ambulatory environment. What we do is we collect
information from different sources across different standards and so on into a
clinical data repository which is separated from the operational environment
yet is staying within the operational environment, the ownership, the control
of the existing organization. And we have those layers over here, which create
some intelligence around the ability to query records across those different
standards, different systems and so on.

So if you will, EpiCare, Sierener(?), Meditech, MISIS, Quest, all those guys
over here with their own world and right here is where we start to create some
common language. And right here is where we add some intelligence. Not only we
collect allergies from three systems, but we do it in a semantic way. We do it
in a way that at the end of the day the clinician can really look at a single
standard way rather than so here it is in a portal merging records on the fly.

Last thing about this slide is conceptually we create a virtual patient
record, which is actually assembled on the fly from those dbMotion notes or
sites in which we’re doing the colors and layers and stuff.

So just keep that in mind. The virtual patient record is what we eventually
deliver back to the consumer, and the consumer can be a web viewer, it can be,
of course, the clinician at the point of care with the focus of the point of
care, and, as you can see, it can be also research or DSS and so on.

In this conversation or presentation, I’ll focus on this blue box over here
which actually it’s an implementation and a design of a security framework that
I want to say already addressed quite a lot of the challenges around patient
safety, privacy, confidentiality, rules, profiles, permissions, authorization,
authentication in a central or in a distributed environmental interoperability.

I wanted to share with you just anecdotal few points that I just came across
when I kind of communicated over the years with organizations. Real stuff
happened for real. Authorized physician is looking at a VIP in this case
medical record simply because it’s interesting, of course. I don’t want to say
a quarterback or anything like that of any football company, football team, but
was fired because there was no justification for looking at this medical file
record aside of curiosity and the chance that, you know, this person was
authorized in terms of using name, password and so on. So it’s not in effect
breaching any authentication process or so, but just abusing it not for the
good reasons or right reasons.

Printed medical notes were found in a garbage can, again, lawsuit was filed,
of course, and consequences are over the years developing back and forth of who
is to blame and whose responsibilities and who is the owner. Medical errors. I
see personally that medical errors are sometimes related to access and
ownership and control of medical data in the eyes of the patient. At the end of
the day, my potassium is not 4.1, it’s 1.4. And if somebody messed with my
record, or if I changed it, or if somebody sent it to a central database, and
somewhere in some system tweaked and changed them, whatever, then somebody
needs to be responsible for those medical errors that derive from that, not to
mention the life-threatening situations sometimes, and potassium is a, I think,
a great example for that.

Advanced directives. What if I’m in ED and I’m unconscious, what can I do,
what I allow you to do, what I don’t allow you to do, whether the assistance
today and the solutions today and the approach and policy of the organizations
of the providers allow even the ability to enforce those kinds of things which
we all know that we need to at the end of the day.

OBGYN, very sad story that I came across. There was an abortion of a
teenager who had it, of course, confidentially, and against all odds eventually
the family practitioner shared it with a relative. And within this society, for
whatever reason, she lost her life because the family decided to take the law
to themselves and decided it was a shame to the family, and there you see maybe
the extreme, the top extreme result of confidentiality translated into really
sad consequences.

So what are the basic safeguards, and actually maybe the red parts are not
actually basic, but I want to say more advanced safeguards that we want to have
and we already have. Aside authentication and authorization which are given
people and colleagues that talked before me here talked already about roles and
profiles and so on. But I want to share with you on a different level maybe
about the same challenge because at the end of the day reality is with the
devil in the details.

So it’s not about roles that we want to prevent or allow or manage. It’s not
only about send your doctor, can do such and such, and if you’re treating a
patient, you can or cannot look at their psychiatric information and so on.
What about content? What is the definition for I as a patient do not let you or
allow you or permit you to look at my psychiatric information. Is it the fact
that I’m admitted at a hospital which is psychiatric institution, or is it the
fact that I have some diagnosis in my file somewhere that related or hinted
that I am. Or is a drug that somebody prescribed to me or dispensed somewhere
that, again, if you see this drug by itself, you can already tell that I have
some psychiatric background. And the same for HIV and others.

So my point is, it’s not always about let’s define the policies and the
permissions of users and patients, so to speak, and we’re good to go. I think
the challenge is more than that if we want to be really, I want to say, close
and cover all bases and make it happen the way that we really feel that we are
providing the right level of security and privacy.

And, of course, the opt in option, again, from my perspective and opting was
discussed previously in the morning session, for me opt in is something that
eventually needs to be translated to different levels within my clinical
domains so I will be able to or should be able to allow or prevent different
parts of my medical record maybe to a granular level of a lab result or a
granular level of a med that I’m on or not, to a granular level of my specific
physician or my currently treating care provider or in emergency situations
there is maybe a different set of permissions there I would like to enforce,
and so on.

So it’s not only about the way we manage the population, but more about
consequences, the context, the content and the semantic behavior of where data
is going and why. I’ll say a few more words about it later on.

The rest is pretty much obvious. I’ll skip those, maybe just the last one
which is distributed policies management which is a challenge by itself. What
do you do if you have a central database and maybe it’s a central policy
management. But when we look at the, for example, the HHS initiative now with
original initiatives and local initiatives, then sometimes the management or
the central management is at some point it’s no longer practical to do so. For
example, even at UPMC right now where I am responsible for the overall
operations, 19 hospitals, 40,000 employees. Who is going to manage this nurse
which is moving now from internal Department A to Department B within the same
hospital, or a physician that is working at Montefiore and then working at
Presby two days later. Who is going to manage this policy. Is it a central
thing, holistically managed by the enterprise altogether for those thousands of
people? Is it realistic and practical to follow all the changes and so on, or
maybe do we want to have some central capability and keep some distributed
local management to some super users that will help us to enforce everything
altogether and somehow not become too clumsy and blocked to eventually, as
again as was discussed in the morning, that the quality at the end of the day
will not be good enough to still use the data. On the other, that the
management and reality will not kind of prevent us from doing the things the
way we want and need to do.

One more thing I want to share with you as one of the ideas to address some
of it is the user, principal object. In our world, in our model, our
architecture, we have and we do create a user principal object for each and
every provider that is right now consuming data off a patient. This user
principal object has a lifetime and eventually it loads and manages all
permissions, authorities, and so on off this current patient provider session.

Whenever this UPO is terminated, destroyed, not valid and so on, the whole
access is prevented or denied, and everything is directed, audited and so on.
This is another mechanism. If you will, this is like a digital token that is
virtually following the data of the patient to the next interaction of whoever
consumes it, and it’s almost like a passport control. Whenever there’s an entry
point to the next consumer, there’s a passport control station validating the
UPO did match and in sync with the current permissions, authorizations,
policies, rules and roles of the current consumer.

So what is role-based access control, and you can see here some examples. I
want to say those are pretty trivial. I mean, the regular typical different
levels of roles of different providers and organizations and to eventually
practically have a system that lets you manage those levels of rules or roles
you would like to have.

Maybe more interesting is rule-based access control, and I kind of alluded
to that earlier with the content and semantic perspective. What about –
physician is not allowed to see patient that is not currently admitted at this
specific unit. What about nurses are not allowed to query the network or share
medical data, whatever you want to call it, after working hours. And the same
nurse, I have the same role, it’s the same policy, it just happens to be 5:30pm
and for some reason the organization will enforce different policies on
different hours on different users.

So, again, this is where the management comes into place. From now on, there
are no more bullets or no more text. So that’s it. Again, I’m very practical in
my approach and exactly the same time I’m saying it’s probably not complete and
we’re covering everything. But I think it’s very mature. You can see here I
kind a print screen of roles and rules management, and you see here, for
example, that we can really get down to for each role we can define different
levels of granularity of observations and encounters and so on, and be able to
tweak and change the level of definition based on that as a policy of the

Later on, we can add to that. In this example, a patient’s insurance card,
health insurance card is being used also as consent card, and that is a smart
card which is swiped, and if the patient is not swiping it or giving it to the
provider to swipe, then you don’t have access to my file.

However, maybe before I’ll speak about that, however, in emergency
situations, I do let you some default level of access to my record so in the
event I am unconscious or whatever, you get to see my allergies from everywhere
and still have some useful decisions you can make.

What you see here is actually that the system tracks and logs all activities
within the system, not only about the users or the patients, but also about the
way information is consumed. So in each and every time, we can tell, as you can
see here, browsing a web application that is consuming data, we can have them
log activities off lab results were viewed, which system called, what was
available, what was delivered back and so on. And exactly at the same time, we
can do the same for users and have the ability to monitor the activity of users
consuming data even to the level of did they print something, or did they look
at the screen and for how long. Did they log in, did they log out, did they
leave it unattended and didn’t log out and so on.

Conceptually, we can generate reports out of it, and you can see a lot of
tracking and auditing activity of who is looking at my record as a patient, or
who is looking at my patient’s record as a physician, and this is just an
example. So you can see in slides and search and filter it in those different
levels that you can see here. In production, our customers are learning a lot
and actually eventually using that also for quality management not only for
security management.

For example, they can learn how much time physicians are spending on looking
at medical records rather than or instead of treating the patient themselves,
and is it good or bad or less or too much or so on. Are they looking at meds
more than they’re looking at labs and so on. So we can learn about the trends
in work flow of the physician in practice rather than the way that EMRs are
dictating it, if you will.

When you combine everything I’ve said so far, I think the way to go is to
have the ability to generate retroactively the picture at point in time that
you want to go back in order to really enforce and make sure that you really
monitor everything together.

So we have this virtual patient object that we generated for a consumer, on
one hand, so we can go back to the log and see that. But that’s not good enough
because eventually what was presented on screen is what the eyes of the
physician and the decisions were based on at the end of the day.

But still that’s not good enough because what was the policy at the same
time. He was a doctor at the same time, but half a year later he was senior
doctor. And if we’re looking at malpractice events, half a year ago, we really
need to be able to combine all three things and be able to generate exactly the
snapshot of data and screen at that point in time. That will allow us to say
half a year ago that patient was such and such. Your set of permissions and
authorization were such and such. You looked at A, B and C, and those were the
actions, and the whole picture together will enable us to regenerate the data
exactly as it was at that point in time, although three days later maybe
somebody changed the lab results from 4.1 to 1.4 because it was a mistake. So
this is another flavor of using it actually in this case for malpractice and
legal reasons rather than patient privacy per se.

And, of course, the ability to do a lot of research and analysis reports on
the data that we collect and track and audit and, of course, learn from that
and get trends from that and so on.

If I focus more on the eyes of the patient, as you can see, then the patient
is very concerned who is looking at my data. And, again, reality is that my
data is not in a single lab. It’s in a lot of different affiliated and
non-affiliated physicians. It’s different EMRs, it’s physician offices, it’s
all over.

So who is looking at my data, and the approach is to create a PLV, a patient
log view and actually slice or carve out some parts of what I showed you
earlier and create a different flavor of that, that speaks to the patient

Conceptually, the patient will be able to look at track log view and, for
example, have an indication that those are the things that were viewed by Dr.
van den Reigen(?) in this example. So I can tell that Dr. van den Reigen(?)
looked at my virtual patient objects, and those are the parts of the virtual
patient record that he looked at. And I can, of course, drill down to that and
see more of it.

So security rules that we would like to apply from the patient perspective,
and you can see some example of that, are patient/physician relationship, are
you treating me, is there a good reason for you to look at my data right now or
next year or whatever in the future based on some events. Am I currently
admitted, and if yes, I want to do something. I want to define breaking the
glass kind of emergency access definition in case I’m an ED and so on. You can
see my data only if you belong to institution such and such and different
levels of rules that we would like to let the opt in action eventually to get
to this level and allow those kind of definitions to be enforced.

Treatment relations as an example can also be analyzed in different levels
as well if we really want to be practical. I’m currently taking care of the
patient is something that you can define and eventually monitor as an event
whether it’s happened or not, and you can see one more example is you can see
here. Only my physician can see my data, and the definition of my physician, of
course, can be something that I will pick out of a list or group of physicians
and so on.

The translation of those rules into practically doing it then, as you can
see here, we can define an opt in mode or opt out mode, and we can let the
patient say I agree that my personal health information will be shared in this
organization/organizations according to such and such, and that will be almost
kind of all or nothing definition.

But as I said, we can support the ability to start having some different
flavors and different levels of permissions into that and be very practical
about it.

At the end of the day, then the result of this whole mechanism should be to
look at the policies from the organization’s side and the administrative for
who is doing what and what policies are enforced from the
organization/organizations and look at the roles and profiles and activities
within the organization.

On the other, to look at the patient access service, we call it, which
actually creates patient access records and look at that and say what is the
patient saying about what can be and cannot be shared. And the group of rules
from both sides eventually need to be merged and compiled into a unified set of
permissions. And if you have the right framework in place, then you can
generate those and enforce them almost in real time on whatever is happening
right now.

So this is what I wanted to share with you was pretty short, and I’ll be
happy to answer any questions. The last thing I want to say is what I’ve shared
is actually, as I said, is based on a lot of discussions and events over the
years with our customers. One of the things that they had, and I shared it with
Margaret over lunch, is a committee that – I want to say, of course, not
in the same order of primitude in terms of the goals, but it was their
responsibility to be able to come back and define what is it that we’re going
to do with patient confidentiality and privacy and so on. And there were a lot
of different opinions in the committee way after we go live with an

And I think that this is a very important point because the solution for the
field that I think we need to recommend must be flexible enough, we must
enforce the field to be flexible enough to support different levels of
adopting, so to speak, of those capabilities or concepts. Otherwise, we’ll
never be able to cover all different opinions, and we’ll never be able to have
a single opinion that everybody will agree because it’s different challenges,
and probably that’s the way it’s going to be.

MR. REYNOLDS: Okay, thank you. We’ll hold our comments til after Richard
Dick speaks, please. He’s from You Take Control.

DR. DICK: Thanks again. I appreciate the opportunity to be here. I
appreciate the invitation. You Take Control is something that I’ve been working
on for several years actually now. The concept is a very simple one but we
believe a very powerful one, and that is aimed at empowering the individual to
literally control who has access to their data, how it may be used, when it may
be used and so forth as an, what we call, an independent consent management

I trust that you’ve gotten some of the slides that we sent. I’ll very
quickly go through those, and then I want to give some pragmatic examples of
how it can actually be utilized and empower the individual in some significant

So the idea basically then is that certainly this statement from Forrester,
we believe, is coming true more so every single day, that fueling political
battles and putting once routine business practices under the microscope is
certainly happening.

Just a few key assumptions. The individual is the rightful owner of the
data. The enterprise that may be holding the data has a stewardship for it and
so forth. I’ll not go into each of those, but I do want to highlight this one,
and I’m sorry it’s cutting off a little bit on the left side there.

Covered entities and state and even local regs come into play. I can just
tell you that when HIPAA hit, and in fact there’s some very interesting studies
that have been published in the last couple years, in fact about two years ago
in the annuals basically pointing out how HIPAA’s shut down a lot of studies
and research. And in fact, because of some of those issues, of course, the IOM
has focused on some of those issues and have asked me to come and testify in
October about some of those issues as well.

But there are literally thousands of these unique consent forms spread
across many thousands of enterprises, and that has proven to be and will, we
believe, prove to be a major brick wall for a lot of enterprises as we engage
in all of this fluidity, if you will, of health information being able to flow
between institutions.

And I think it would maybe surprise some of the people even here on the
panel how many requests there are from external sources from all kinds of
bizarre places like the U.S. Department of Transportation and other places that
are obscure places that ask for health records. Let me give just one case in
point in my work with Brigham Women’s Hospital the HIM Department.

They have on average about 4,000 requests per month coming in from the
outside world – not doctor to doctor, not hospital to hospital, but other
external organizations asking for release of information, PHI, and those have
to be handled and addressed. So the numbers of those are not inconsequential.

Some key underpinning elements of independent consent management are that
the solution must never be perceived as the fox in charge of the hen house.
That is why it must be independent, and I’ll get to that in more detail here.

We really can deal in a case-by-case basis customized releases of data down
to the data element level here in number two and number three really. Consent
forms must be consistently maintained and updated as this is a very dynamic
world. State statutes and so forth come into play, and some of those, as you
well know, are far more stringent than the federal statute of HIPAA.

As you go to the U.K. and other parts of Europe and other parts of the
world, some of their regulations are far more stringent than anything we have
here in the U.S. The ability of the consent management platform to help
populate PHRs is one that I’ll be showing you as well.

Therefore, independent consent management makes the old paradigm of opt in
and opt out, we believe, really completely irrelevant and unnecessary because
we can get down to the individual data elements and complete audit trail
provided for all transactions.

It’s important that the data be used only as the individual directs, and the
independent consent management platform should be able to roll back, and this
is primarily for Marc’s comments and his great work on this area of coerced
consents. We believe that TPO unfortunately has been abused mightily, and that
it is so broad today that probably you can drive ten Mack trucks side by side
through it in most institutions, and they do routinely. And that through an
independent consent management mechanism, the individual should be able to help
roll some of that back to more reasonable levels.

This is a graphic illustrating basically how You Take Control works. There
are a bunch of folks on the left who want access to your data, and those are
myriad in number and applications. There are a bunch of folks on the right that
we call source data providers, those who hold your data.

“You Take Control” sits in the middle and holds none of your data,
I repeat, none of your data. But we do have the very important and critical
element that is your authorizations and consent to be able to release the data.
We also can provide the technology and do provide the technology to intercept
the incoming request protecting the source data provider, grab a standing or an
existing authorization. We have three different kinds of authorizations at
YTC’s broad categories, provide those and the request to the source data
provider, and they can then release that data with authorization, recapture
however the complete audit trail and make that available to the individual and
to the enterprise that released the information and so forth.

So that covers the basic attributes of You Take Control’s being the
independent consent management platform. And let me give a realistic example of
that. There are, as you are cognizant, many employer-oriented sponsored
programs to try to facilitate the aggregation of PHRs and other health
information. And, of course, when some of those have been announced, the
challenge has been presented. So what is there to say that you XYZ employer or
ABC employer won’t just look into that repository since you’re facilitating it
and will fire anybody you want at will because of what you find.

And there have to date not been very satisfactory answers to that, but enter
You Take Control as the independent consent management platform, and the
problem is solved because they can say with a straight face neither we, ABC
employer, or XYZ employer will get access to that sensitive information without
first checking with You Take Control where you can control what we do with your
data. And that through You Take Control and through your authorizations, you
will then be able to control who has access to that data and hence never
perceived as the fox in charge of the hen house as the employer might be
perceived of as those who hold the data might be perceived of.

I’d like to now show a couple of other examples of how it might be used.

And this is a very pragmatic example with one of our partners that we’re
working with right now, and I will generally refrain from sharing any details
about our partners right now. But that’s the graphic that I was just showing
you and why we’re independent and sit in the middle.

This is an example of an actual standing authorization that can be signed
and placed in your account as an individual at You Take Control. It is pointing
out that whether I’m conscious or not for the purposes of medical evaluation,
treatment, et cetera, you have access to just my pharmaceutical data, as an
example, for a period of a year from the date of my signature.

We support what we call five levels of paranoia in electronic signing, and
that is you can sign it with merely a click through multiple biometrics if you
are that paranoid about it. How serious are you and how concerned are you about
this document I’m signing, it’s up to you. But by signing such a document, we
can access and do have access and currently have a hit rate that I’ll show you
that’s pretty staggering, but here is the concept.

Having signed that authorization that You Take Control will permit not any
breaking of the glass, none of that is necessary, but rather an advanced
directive, if you will, it’s that sort of a thing that can sit there in my
account and be used to literally save my life potentially in an emergency
situation or even for any treatments where I may show up.

So in this hypothetical example, with our partner MedicAlert, the ED
Department at Florida Hospital is one that we’re using as an example, can use
the call center at MedicAlert or use their USB-based token that they also
provide. Either one will work fine, and we can work with all PHR vendors in
this same regard.

But we have access to and have under contract the most complete source of RX
data anywhere today. Here’s the scenario. So a patient, Lucy Williams, shows up
in a comatose state at Florida Hospital. They locate the patient’s MedicAlert
ID, their bracelet and use the call center for the USB device. They can insert
that into any computer in the emergency room and answer two questions: is that
really Lucy Williams lying on the gurney over there, did I get the right record
looking at her driver’s license or any other ID material coming off of the PHR
or coming off their other ID that they may be carrying on them. We can now look
forward to have the wrong data or the wrong patient, the right data for the
wrong patient.

And then verifying themselves and this is another very significant piece of
the puzzle, being able to authenticate themselves as a provider, and in less
than a minute, we can provide this kind of screen through MedicAlert of
allergies. Where does that come from? It comes from the personal health record
or from somebody like a MedicAlert. This area comes off of those. This area
comes off of the PHR.

But the most challenging aspect of PHRs is, other than, and I’m going to be
a little cynical here, forewarn you, other than the fact that they’re not a
legal record, other than the fact that they shouldn’t be trusted as being
current, accurate or complete by any provider, they’re just fine. So given
that, one of the real challenges is what am I pulling off of this PHR. How
valid, how much can I trust it. Quite frankly, the allergies are probably the
most trusted piece. Where do you get that? You get it from the patient anyway

Some 50 some odd tests can be performed, and how many patients have that in
their record, probably not too many, but some. But quite frankly, the allergies
are a piece that ought to be trusted or could potentially be trusted. This is a
piece of data that’s very hard to get. And if I were a surgeon, that data
element right there is going to tell me I’m going to have some real problems
because it’s such a high dose, and as a surgeon I can anticipate some real

The centerpiece here is what You Take Control can facilitate by using that
standing authorization going out and hitting that source of data, RX data, and
pulling up then the most current list of data. And in fact, it is so current
that it is every 24 hours it is updated by all 51,000 pharmacies getting an
over 80 percent hit rate and will soon be well into the 90 percent hit rate. It
is a secret database that hardly anybody knows about. Here is the audit trail,
and I’ll get into that database in a moment.

If Lucy Williams recovers from her trip to the ED and three hours later is
in recovery and gets access to the website or to her records at YTC, she will
have this complete audit trail as does the holder of the data including what
data was released, how it was released, and if she clicks on that, she gets the
actual authorization that enabled the transaction in the first place. So this
is a very pragmatic example that we are pursuing currently with multiple PHR

Where does the vendor come from? This is where the data comes from. It is
totaling more than 12 terabytes, over 230 million Americans’ data, updated
every night by all 51,000 pharmacies who update these records. It has been used
for underwriting purposes in life, long term care insurance and health
insurance. It is, as I say, over this length it is updating all Americans’
data, and in this AMIS system alone, there are more than 100 million people,
and it is individual data that’s being used quite frankly in the underwriting
world right now and is changing the underwriting world.

So I wanted to have you understand what that scenario is. So basically
MedicAlert can through their call center place the request. We can intercept
that request, grab the authorization, bring it back here, hit the data source,
hand that data back to MedicAlert and the whole audit trail including the
envelope information that I just showed you and the audit trail is there,
potentially saving people’s lives.

Dr. Golodner earlier this year talked about these nine domains of privacy
and security. We address all nine of them in very powerful ways. So I wanted to
show that to you and basically describe a pragmatic example of how it might be
utilized, and we can work with ultimately we plan to work with anybody who’s
holding data including payers, providers and so forth.

We do believe that there’s a huge opportunity to roll back, though, this
coerced consent that the payers and others insist on and that there is a
mechanism like we can provide that’s a very practical way of, some very
practical ways of doing that.

Why don’t I open it up to –

MR. REYNOLDS: Yes, I’ve got one other thing to cover first, and then we’ll
open it up to everyone.

DR. DICK: Sure.

MR. REYNOLDS: Mary Jo, you were going to mention that we’ve got some other
written testimony that came in on this subject. If you would touch base on
that, and then I’ll open it for questions for all of our speakers.

DR. DEERING: Earlier on, the Workgroup said that it would be interested in
understanding about consent tracking technology that’s used within the cancer
biomedical grid. This is not – what you have is two items. You have some
slides that look like that that you actually don’t need to focus on.

The more important one is something that says CA tissue because it’s bio
specimens. CA tissue systems requirement. I’m going to take a very little time
to just give you a high little overview about what this technology does.

Right now, it is in place in 13, it’s 11 or 13 cancer research organizations
that ban together to do prostate research, and it will be offered to all NCI
designated cancer centers in the firs quarter of 2008. I’m just going to call
your attention to a few things. What is interesting here is that this applies
both to the secondary use of the initially connected specimen sort of like the
secondary use of data. But specimens are capable of giving derived specimens.
So you have secondary specimen. You have secondary use of secondary specimens
in a sense, and it’s not as complicated as it sounds. But I just found that
sort of interesting.

On the bottom of page two, and I regret that they’re not numbered, but Item
B shows you, for example, that there are a variety of different consents from
you can only use this for this purpose all the way down to you can use this for
any purpose in the future to please contact me for future research that you’d
like to do. You can even use it for genetic studies, et cetera.

So there are those different levels, and those are just examples of
consents. On page four, skipping a couple of pages, a couple things to draw
your attention to is, again, under item number nine, it does indicate that the
tumor tissue biopsy could derive RNA DNA or tissue microwave specimens, and,
again, you could track that. And then the very last line on that page does say
that while physically and technically in principle the actual physical
collection of the tissue and the consent may happen asynchronistically because
you go one place to get your tissue and to another place for your consent. It
does say the specimen may not be distributed until the consent status is
verified. So that’s another requirement.

Skipping just to the next page, under E, it notes that if you think of all
the consent tiers and the different uses that you could get multiple consent
tiers, and the data entry burden can get very difficult. However, there is
technology that enables you to cluster your data elements so that you can input
all of these multiple consent components at the same time.

Item F says that it’s absolutely essential that you be able to track consent
withdrawals which are considered to be permitted. On page seven, Item G, it
says that any kind of a specimen is being viewed, and the results of specimens
are displayed visually like a computer. The consent status must be displayed

And then lastly, Item H at the bottom of that page, because you have enabled
these different layers of consent, you can then do future research based on the
consents available. So you could say let me, buy me a specimen that is a DNA
specimen where I can use it for this. Or you could say let me find one where
someone has consented to be contacted for the future. So, again, that can
facilitate your access for secondary use purposes afterward. Please don’t ask
me any technical questions.

MR. REYNOLDS: Thank you. We appreciate your input. Questions by the
Committee for either Assaf or Richard.

DR. CARR: I have a question for Assaf. Well, thank you to all the speakers.
This was most interesting. A question for Assaf is, is dbMotion in place, where
is it in place, and how long has it been in place?

MR. HALEVY: U.S. headquarters are in Pittsburgh. We’re in the U.S. in the
past four years, and we have our R&D Center in Israel. We have an
implementation at Pittsburgh UPMC, the Bronx. We have a project going on in
Belgium, in the Netherlands and in France.

DR. CARR: My question is, are you tracking, are you aware of unanticipated
consequences. For example, going back to the nurse who can’t access data at
night if she takes a night shift, I mean, it seems like there is a lot of
specificity in detail. But that introduces complexity in the sort of unexpected
changes in roles or need for access.

MR. HALEVY: Actually, it’s the opposite because the complexity is there in
the field. I mean, I think the complexity is exactly in the way providers are
practicing medicine. Providers are working in different units and different
organizations. They move and change roles and responsibilities. They treat
different patients. Patients are moving from one department to another, being
discharged to rehabilitation or to home. And then after one week, they’re back
at ED. Is that already a kind of, should be in the responsibility of the
previous encounter or not, and so on. I think actually the approach that I
shared is handling this complexity by the fact that you are capable of tracking
those changes and monitoring them in a way that you can always in a flexible
way be able to slice or take a time stamp and have a picture of exactly what
happened and who is doing what.

DR. CARR: But I mean is it interfaced with the nurse’s on call schedule or
something like that? How do you, what if a nurse is working the night shift,
but she’s not allowed to look at data in the night?

MR. HALEVY: Well, that means that when she logs in at the night shift to the
network, okay, and this UPO, Universal User Principle Object is being generated
for her for that specific session or treatment or data consuming that she’s
doing, right there the rule is enforced because then –

DR. CARR: So she doesn’t have access, or it makes an audit –

MR. HALEVY: It’s up the policy of the organization. It can do either or
both. It can prevent the access. It can just log the access. It can explain to
the user what’s going on.

DR. CARR: I guess that’s my question, though. How do you, given all of that
variability, how do you ensure that her need for immediate access to care for a
particular patient is not interrupted by any question answering on the

MR. HALEVY: Okay, well, in most cases, there is no question and answering.
It’s either the organization decide what prevents or allows access, and we
track it. And in all cases there is a kind of a breaking the glass capability
for all users. So if the nurse think at that point in time that she need to
have access, it’s quite and regardless of all rules or whatever because, for
example, it’s a life threatening situation or whatever, she can always just
check, break the glass check box and log in, and she will have access no matter
what. The system will then log and track that, and she will be asked to say why
are you breaking the glass. So it’s really from our perspective, we provide a
flexibility to the organization to be able to configure out the different
levels how annoying you want that process to be for the user from zero to 100.
It can be transparent to the user. For example, in Clalit Services, at some
point in time, the committee said we would like to notify the user that access
is prevented due to such and such, for example, that it’s the night shift and
you’re not allowed. The field then generated a lot of complaints like why am I
allowed and you are not in different levels of data that are exposed to
different users. Then the committee changed the approach and said we will give
always a notification that you don’t see a full data set. So we’ll tell you
what you don’t get. You’re not, we’re showing you lab results. Those are the
sources, and those are the sources that you’re not looking at right now. So you
know what is available and not, but you don’t know the reason, whether it’s
security or anything else.

Again, it’s a question of policy, the way they enforce it. From our model,
it has no influence on the way we can implement. We can support both.

DR. CARR: Thank you.


MR. ROTHSTEIN: Yes, I have a question for each of you. But I know your
slides are not available. But slide number 15 was the most interesting one, and
you sort of blew right through that. So I can tell you what’s on it. I can’t
read that. It’s so small. It’s the slide in which – well, I can tell you
what it is, and maybe you can describe it. It’s the slide that has the check
boxes for the consent.


MR. ROTHSTEIN: And there’s a whole list that I didn’t get to see all the
elements that they got to consent to. And the question that I had was, have you
implemented that part of your system yet, and how has that gone and so on.

MR. HALEVY: Well, first of all, the list that was described here is just a
sample meaning you can in your organization, you can decide to have different
set of rules that you would like to enforce. You will have the platform to
create them, and those will be the rules that will participate.

As I said, since we live in a world of central solution for UPMC as an
example and distributed solution by the way in our case for the Bronx RHIO in
which we have CDR in each hospital separately because it’s totally independent
organizations. We provide, we can have, for example, you will be able to say
those four rules or five rules, the state or the region or whatever is forcing
on everybody, those are read-only rules for all institutions. You cannot change
them. You must comply with them. Then you can add more that again the policy
allows you to have the control and ownership independently and create your own
rules if you choose and want.

MR. ROTHSTEIN: But I have a sort of practical question, and that is how do
you identify those data elements in free text, in so there’s several states,
for example, that have special rules with regard to genetic information. Well,
how do you define that? How do you identify it? How do you retrieve it or not
retrieve it? I mean, so there are lots of these kinds of issues.

MR. HALEVY: Yes, absolutely, and the answer is in the simple slide, the
first one, which I can again, it’s too many details for ten minutes, 15 minutes
presentation. But somewhere in the purple layers which are the data layers the
way we consume data from the operational environments, there is an UMS, Unified
Medical Schema, in which we create clinical domains mainly derived from the HL7
Version 3 ring in terms of the data model.

But I want to say it’s maybe taking it to a little bit more practical level
from the data schema perspective. At the end of the day, you map your private
world to the unified medical schema and the ring, and security and rules are
enforced on those elements. We’re not looking into the database. We’re looking
at our logical data model, which is linked and mapped to whatever you’re
consuming for real.

So to your question, you will look at the lab domain in which you’ll pick
biochemistry, and you’ll decide some level of policy based on population of
patients as an example. Cancer patients, whenever there are such and such, I
want to allow whatever. You enforce that on the business object and the data
object that reflect those. You don’t care at that point in time that
biochemistry eventually will come from Cres or will come from Misys or will
come from somewhere else or whether it will be reported as HL7 messages or will
use LOINC standard or will it be free text. You are absolutely correct that if
it is free text as an example, then the level of flexibility is limited, and
you know, we will not be able, at least not today, will not be able to parse
everything free text and understand the logic and compute in what you wrote.

But still we’ll be able to treat this free text element by itself as an
entity that we’ll be able to enforce the logic that you define and associate
with it.

MR. REYNOLDS: You said you have another question?

MR. ROTHSTEIN: Yes, if that’s okay. I have a question for Richard. You had a
very provocative statement that I wrote down, and I’m sure you intended it to
be provocative. And you said that opt in and opt out are now irrelevant because
you can get down to the individual data elements. And so I need to pursue that
for a second.

DR. DICK: I’m sure you do.

MR. ROTHSTEIN: Wouldn’t that only apply if you knew what you were looking
for. So here’s my example, okay. I applied for a job with a telephone company,
and my job’s going to be driving trucks and climbing telephone poles. And they
as a condition of the job, they make me sign – they requested I sign an
authorization –

DR. DICK: If you want the job.

MR. ROTHSTEIN: If I want the job, and it’s to disclose all of my medical
records. And so you’re going to – everything goes, right?

DR. DICK: Well, what I would argue in that case is, you know, as HIPAA says,
there’s each covered entity must have in place a minimal release policy. And so
is it really required that they have the entirety of your medical record, or is
it important that they have certain subsets of it that are germane to the tasks
at hand.


DR. DICK: That’s the real issue. And what I’m saying is that with the
technology that we can provide, you can get down to splitting hairs and carve
only those subsets of the record that may be directly germane to the kinds of
information that this organization that is placing the request, the reason for
that request, and therefore I’m just saying that we’re providing a very
advanced mechanism that would enable that to happen. Whether or not the
individual would be able to insist that that happen is an entirely different

That’s why I also was saying being able to roll back what is covered under
TPO instead of it being so broad that the individual could conceivably get to
the point where they could control, yes, as a payer may need these kinds of
information, and I’ll sign up for this minimal set. But I’m not going to just
carte blanche give you access to everything the way you routinely do today.
There’s at least a mechanism in place that we’re providing that could begin to
roll that back especially if the public demanded it.

MR. ROTHSTEIN: Okay, so it seems that there are two elements that are still
missing. One is some legal restrictions on the employers from requesting
everything which they now can do in 48 states.

DR. DICK: Right.

MR. ROTHSTEIN: And the second is what we’ve called for, and that is the use
of contextual access criteria and research on that because the missing step is
suppose there was an authorization that said send everything that’s related to
my ability to climb telephone poles and do that sort of work. Well, then you’ve
got to translate that into some sort of algorithm that is going to be
searchable against the medical record, and that takes for 10,000 job
descriptions a lot of work.

And so you’re going to have to figure, okay, well there’s this orthopedic
stuff we need to send. There’s this stuff, maybe not this stuff, and that is
– we’re, I think, a long way from having that part of the solution
available, even if your technology will be able to sort of search and parse.

DR. DICK: Now one of the things that we provide is a very potent set of
metadata around the authorization itself. That’s something of real significant
interest to HITSP and others, and that is in a very pragmatic world you have to
be able to utilize the authorization to map to, for example, the various kinds
of data that may be stored within the enterprise that’s holding that data under
consideration for release.

And so it’s vital that that set of metadata be able to address those kinds
of issues. And I’d be glad to go into the technical details of all of that
outside of this meeting. But there are some very significant issues associated
with that, and we believe that there’s some interesting and innovative
mechanisms for addressing that in a more, I’ll call it, comprehensive way than
most have been able to deal with today.

MR. REYNOLDS: Thank you. Mary Jo?

DR. DEERING: I have one question for Richard which is in a way is also
perhaps for the Workgroup, and then one question for the Workgroup. Richard,
you made another provocative statement, I thought, that Mike was going to pick
up on when you said the AMIS database is a secret, well, first you called it a
secret database that nobody knows about, and then you told us what it was. And
you said that it has my personally identifiable information about every
prescription I’ve ever had. I want to know how did my personal health
information get into there? Where were the consents that allowed it to get
there? And where were the business agreements whereby you got it? And that’s
only half of the question.

The question for the Workgroup is, is this a gap in public policy.

DR. DICK: I will tell you that I was directly involved and designed and
built these AMIS systems, okay. I did not set out to build the ultimate Big
Brother, but that’s what happened, okay.

If I can take just a minute and explain this because it’s very –

MR. REYNOLDS: Don’t go too far.

DR. DICK: Basically, these AMIS systems are owned and operated by Engenics.
That’s the company we sold it to. As I say, it’s getting those kinds of hit
rates, and it’s used for underwriting purposes. It takes underwriting from 90
days to ten minutes. How did the underwriters get it?

When you apply for life insurance, long term care insurance, you always sign
that. You sign an authorization that says I will permit access to all of my
driver’s license information, my health information, my medical records, you
name it. Pretty interesting authorization, and it is used routinely to get at
medical records including all of this very sensitive pharma data.

It’s the drug, the dose, the strength, the number of days supplied, the
pharmacy that filled it, the physician who prescribed it, and their specialty.
And it is updated every night at two thirty in the morning over this link from
the production systems of virtually of the PBMs. It has all the mail order. It
goes back 60 months at least five years, and it is a pretty potent database. It
dwarfs our XHUB and anything else that’s out there today.

It is real. It’s operational, has been operational for about four years. It
takes underwriting from 90 days to ten minutes. That’s what it was designed
for. I said, I was in the –

SPEAKER: Insurance underwriting?

DR. DICK: Pardon?

SPEAKER: Insurance underwriting?

DR. DICK: Insurance underwriting like long term care insurance, health
insurance, and claims on property and casualty side, okay. And so with the
authorization, they have access to it, and they will only hit it when they have
the authorization. But it is sitting there in the PBMs. What is it to have data
in ten systems and what if they have it in 11 systems sitting on their

It’s just like that. They always have that authorization in place to hit
these databases. YTC has this data now under contract for other purposes, and
the use of it, what it could do in saving lives in emergency rooms is primarily
why I wanted to build this system, and then the PBMs quite frankly got scared
and said we’re going to keep this super, super secret and we’ll just use it for
underwriting, and I hit the wall, hit the ceiling and said, yes, it’s legal,
its HIPAA compliant, but it’s not right. I said what would be right you the
individual should be in control of who has access to this data and all your
data for that matter, and it got me on the course of how would you go about
doing that, and You Take Control is the result of that.

MR. REYNOLDS: Okay, Mary Jo, I’d like you to hold your question for the
Committee until discussion, okay. Justine, and then we’ll break.

DR. CARR: Thank you. Just a question about You Take Control. I’m not clear
about who all is using it today. It sounds like insurance companies. What about
emergency rooms?

DR. DICK: As I pointed out, we are working with several PHR vendors now and
MedicAlert is now going into a pilot and then production with their call center
and so forth for using You Take Control and introducing all their members to be
simultaneously members with You Take Control, about four million people that
they have.

We’re working with some other employer groups. So we’re just this fall
rolling this out in real time, okay. And we have several partners that are in
the wings that I’m not prepared to yet announce, but some very large
enterprises. Okay.

MR. REYNOLDS: Okay, with that, thank you again to this panel. We’ll take a
break until 3:45 and be back then.


MR. REYNOLDS: It’s getting late. We don’t even know what seats we’re in.
We’ve been here way too long. All right, with that, our next testifier is Cindy
Brach from AHRQ. So Cindy, we really appreciate you being patient, and this is
kind of our last set of hearings on testimony. So we don’t want to cut anything
overly short, or we’d be writing it without knowing anything. So thank you very
much, and we appreciate your comments?

Agenda Item: Risk Communication Strategies

MS. BRACH: This is actually my first hearing that I’ve been at where they
played Vivaldi during the break. So it’s been very pleasant.

Mary Jo asked me to come and talk to you a little bit about what we’re doing
at AHRQ in the area of informed consent and authorization with a lens of health
literacy, and one of the many hats that I wear at AHRQ where I’ve been for over
a decade is sort of the lead for health literacy at the agency.

And for those of you not familiar with health literacy, this is the
definition that comes from Healthy People 2010, increasing Americans’ health
literacy is party of the health communication goals for Healthy People 2010,
and you’ll see that it actually doesn’t say anything about reading or literacy
or writing in there, that the concept of health literacy’s much broader than
that, where it is about being able to obtain and process and understand and use
effectively health information.

And the Institute of Medicine when it issued its landmark report on health
literacy in 2004 recognized that that also takes place in the context of
culture and language. So there’s some overlapping some of the issues around
limited English proficiency and cultural competence when we address health

This is a graphic from an article by Dave Baker on the meaning of health
literacy that was published in JAMA in 2006, and it’s the best picture that
I’ve seen to date that really displays the interactive nature of health

On the left hand side, you have what we typically think about the
individual’s capabilities, what they bring to the interaction. It has to do
with their reading abilities, their innumeracy, it has to do with their prior
knowledge. But equally important is what we have at the top and the bottom and
the middle in yellow which is the complexity or the difficulty of the health
messages, both print and verbal that patients are presented with. And it’s
really the interplay of those two things that produces health literacy, and you
can think of health literacy in the print area, you can think of it in the oral
health literacy area.

Having now told you that health literacy is a fairly broad and complex
construct, unfortunately all of our efforts to date to measure it have really
relied on the print literacy based concept. And in 2003, there was a national
adult assessment of literacy that was done, and for the first time as a
component of that, we had a measurement of health literacy and the aspect of
health literacy being the ability to read a document, chart, prose and be able
to answer some comprehensive questions about it.

As you can see on that far left hand bar that says total, only 12 percent of
U.S. adults are considered proficient in health literacy. So the sound bite
that HHS has taking away from that is almost one in ten of U.S. American adults
may face some challenges in obtaining, processing, using health information.

You can also see from this graphic health literacy has a great deal of
ethnic and racial disparities. So if you sort of follow those blue bars or
periwinkle bars at the bottom, you can see 24 percent of African Americans, 41
percent of Hispanic Americans, we have 25 percent of the American Indian and
Alaskan Native population who are at the below basic level. That’s the lowest
level that can even take the test.

And we have 66 percent of Hispanics who are at the basic or below basic
level. So when you think about health literacy, while the majority of people in
the lowest, below basic health literacy category are in fact white Americans,
that we see that it is disproportionately hurting minority populations.

Back in that Institute of Medicine report, they recognized informed consent
is one of the issues that present challenges when you’re dealing with a
population with low health literacy, and basically identifying that there’s a
fundamental mismatch between the complexity of those documents and reading
capabilities of the average American.

Now when we talk about the average American, let us remember that that means
that 50 percent read at a lower level than that. So we observe this problem.
There are a number of studies where research participants have been surveyed
after giving informed consent indicating that they really did not understand
what they were consenting to. And in addition to the fact, and this is also
true that there’s a mismatch of the reading capabilities not only on the
informed consent but on the privacy notice documents. And there was a study
done in 2005, Michael Pasheur(?) found that the average reading level of
privacy notice was above the 12th grade level, and that that did not
vary based on the local literacy level or the percentage of limited English
proficiency patients that the institution was serving.

So basically these documents are out there. They’re clearly not at an
appropriate level. And what’s more is the process, we know that informed
consent and authorization is more than just a form. It is a discussion, and
that discussion is not standardized, and that there’s no standard process for
verifying that the prospective subject really understands what they’re agreeing

So the way I got into this issue was one of AHRQ’s staff members who works
on the privacy rule was discussing in an HHS committee about what concerns that
the privacy rule was having a chilling effect on health services research, and
that researchers were very concerned about this, and they commissioned a study
to sort of take a look at that potential problem and found indeed that health
service researchers were quite concerned. And one of the issues that they
identified is there were now these processes. They already had an informed
consent process. They had complied within a set of regulations and IRBs and
kind of knew that, and that was familiar. And then layered on top of that was
now this new HIPAA authorization process, and there was some overlapping
elements that they were different, and they were different forms, and it was
confusing for the research participants, not to mention the researchers. And
they said it would be really helpful if you could produce some templates that
integrated those two that when we need to obtain both authorization and
informed consent that we wouldn’t have to go through two separate things. And
not only would we like a combined form template, but we’d like it developed for
low literate audience because we, you know, want to be able to use people of
varying literacy’s in part of our subject population, and we want it throughout
the health services research we do because a lot of the attention that’s paid
in this field is related to clinical trials that has a whole layer of
complexity that health services researchers don’t have to grapple with.

So sort of grasping that low hanging fruit, we have proceeded to actually
develop a tool kit to help health services researchers in this arena. We
started with the contractor who did the study kind of took a first stab. It
came to me as the health literacy expert for the agency. I said not good

We rewrote them, and we said it’s got to be more than forms and examples,
built a toolkit that dealt with the process around it. We involved the Office
of Human Research Protection in it, got their comments. We sent it out to a lot
of informed consent and health literacy experts, got comments with that.

And then just last month, we let a contract to test this revised toolkit,
and I’ll tell you a little bit about that in a moment. But our sort of end game
in this is to do what I say practice what we preach which is to ask our
researchers just like we ask clinicians to take into account the health
literacy of their subject population, to make sure that their documents are
going to be understandable, and to give them this toolkit as a way of helping
them comply with that expectation.

Just to note that while there are sort of standard ways in which we try and
produce simplified materials, I don’t want to imply that it is an easy job. I
found it personally a very humbling experience. And so I want to acknowledge
that this is something that requires a fair deal of expertise and effort.

But just to give you an example of what difference it might make. On the
left hand column which is marked before, this is an actual clause that an IOB
has on their website as part of their template, and I can see a few of you have
read through it because you’re laughing already.

And then on the right hand side, you see an alternative which basically gets
to the essential elements. This is voluntary, and it’s not going to change
anything if you say no.

So it can be done, but we’re not used to doing it, and our lawyers are not
used to doing it, et cetera. So I mentioned before that the toolkit included a
whole process. And so part of that process is thinking about the environment in
which the informed consent and authorization discussion takes place, if there
are language barriers, taking the time to actually read the form out loud, to
review it, and then using a health literacy technique called teach back which
is a way of ascertaining whether or not people understand without stigmatizing
somebody to make them feel like you’re testing them or you think they’re too
stupid to get this.

So there’s certain ways in which we suggest in the toolkit which are
standard health literacy methods of getting people to sort of validate.

There are other things included in the toolkit that serve that purpose as
well. One is that we developed a certification form which is for the person
conducting the informed consent and/or authorization interview to actually
certify, and it sort of serves as a checklist that they followed the process,
that they did these things, that they discussed all the elements of the
informed consent, that they did the teach back to verify understanding. It’s
not to say somebody couldn’t check it off and sign it anyway, but it’s one step
to kind of say, okay, did you really go through this.

And the other is to use the informed consent form itself as a check on
whether the process has been followed where the person who’s giving informed
consent says yes, I understand these elements. Yes, they checked with me that I
understand it. And in fact, I’ve got to tell you that the idea for this came
from one of my former colleagues at the National Quality Forum brought in for a
presentation on the informed consent toolkit that they developed for providers
in doing a clinical consent. A Kinko’s Fed Ex sheet that she had gotten when
she sent her overheads, and on the sheet it says the person who has ordered the
copying says I am confident that the Kinko’s staff understands my order, that
they repeated back to me correctly what I wanted done, and they sign that. And
she said, you know, if Kinko’s can do it, we can do it in health care. So that
can be part of it as well.

We recognize that just creating a valid toolkit is one step, and that we
really need to be involved in getting this toolkit adopted and reaching out to
the wide variety of stakeholders at IRBs and research and in fact in our
process of testing the toolkit has been inculcating some opinion leaders and
getting people behind this, and Mary Jo’s going to speak a little bit about how
Dick Water(?) at the AMC that is leading an effort similarly to simplify
informed consent.

And we still anticipate that there are going to be resistance and in fact
have included something like in this informed consent toolkit recognizing that
people who want to adopt it are going to have to deal with their IRBs or their
lawyers, et cetera and have prepared them for meeting those objections.

So as I said, we are testing the toolkit, and not only are we doing
cognitive testing with a very diverse population prospective research
participants, but we are testing it with Health Services researchers and with
IRB officials. We want to make sure that this is considered feasible, that this
is considered useful, that we really can get some traction in picking this up,
and that part of that testing contract is to actually promote the toolkit so
that we can get that into action.

So in sum, I think that there are a few take away points for the Committee.
The first is, I think, self-evident and something that you probably talked a
lot about which is we are not accomplishing the goal for the privacy rule when
we hand a patient a totally incomprehensible piece of paper and say sign this,
you’re protecting your privacy.

And researchers feel totally locked in to this. As far as they’re concerned,
they’ve been told this totally obscure language can’t be changed a word and is
what they must do, and that we in the federal government need to provide some
guidance to help privacy lawyers realize that there are ways to be compliant
and yet be clear, and that we at HHS have a role to help provide those
templates and move that process along.

MR. REYNOLDS: Very good. Thank you, well done. Mary Jo, were you going to
cover similar stuff on the same topic, and then we can ask both of you, or do
you want to go ahead and –

DR. DEERING: I think it will all fit together. But I think all the questions
will probably go to her.


DR. DEERING: Yes, actually, I’m going to be schizophrenic now because I’m
three people at once to help sort of round out this –

MR. REYNOLDS: Will all of you hurry?

DR. DEERING: Yes, and in fact I’m probably better than having the real
people because I’m basically just an informed pre-reader of their material. So
I don’t know enough to amplify it beyond the time available.

And so in the order in which I’m going to proceed, first of all you have
something that looks sort of like this. It’s heavy text. It’s from Peter
Sandman who is really the father of risk communication. You have a set of
slides that look like this. So that should be the number two in your
collection, perhaps, because this is the order I’m going to take them.

And number three, you have a document that looks like this, and it’s
partnered with the blue and black document. The second one was from Howard
Dickler who made a presentation to another Secretarial advisory committee just
a short while ago, as a matter of fact, about the same topic that Cynthia was
just covering.

And the last one is from Susan Kleinman who leads a communication group that
was contracted in the financial sector to do exactly this kind of work. So I’m
going to start with Peter Sandman. And by the way, the field of risk
communication started way back three or more decades ago, and it came out of
the environmental health field, and it was specifically around the community
right to know and how to communicate risks to health. And it has been taken to
the health field, and it is usually about risks to health, not other
generalized risks.

However, what is so important about Sandman is that it was way back in the
1980s that he coined the formula that risk equals hazard plus outrage. And by
the way, it’s Kevin who encouraged us to have something from Peter.

But the point of that is that what he discovered is that people assess risks
according to matrix other than their technical or health seriousness, and that
these include trust, control, voluntariness, dread and familiarity. And that is
what the outrage, and those taken together are the outrage factors. And those
are as important to individuals as actual mortality or morbidity in determining

I’m going to very quickly go through his first six points which deal mostly
with the release or withholding of information by health care organizations. So
these are a little tangential to our work, but there’s a couple of points that
may be pertinent.

It seems to me if I had to summarize this whole first point is that when in
doubt, HHS should be biased in favor of transparency or release of information
over confidentiality in its dealings with organizations. And so they should
actually require information possessors to have a good reason to be withheld
and the default should be release.

Second, if it is being withheld, it’s very important to say why. The cost in
lost credibility, he says, and lost trust is much higher when withholding of
information seems mysterious or arbitrary. The third key point, I think, is
that whenever information release is not explicitly forbidden, it should be
required that it be released.

His next point, number four, I believe the message there is that information
should not be withheld simply because one thinks it may be misleading or
misunderstood. So this portrays a contempt that may in fact be much more
damaging than any misunderstanding.

I think the key point in number five is that uncertainty or the belief that
the information itself is uncertain is not black and white is not a reason to
withhold it, and he has some URLs where you can go to, to learn more about the
issue of the uncertainty of the information.

His sixth key point, I believe, is that when you have information that may
be presumed to be either misleading or misunderstood or uncertain, it is best
in all of those circumstances to go ahead and release the information and
discuss the possibilities upfront. He does then have three points where he
discusses informed consent specifically, but he notes that he is not actually
an expert in this literature.

But I think that they get at some of the points that Cynthia just raised.
First of all, he said that it’s important to be clear on what the goal is of
the informed consent procedures. He hypothesizes that you can have three goals.
You just want to do the minimum of meeting the legal obligation without
creating any hassles at all, and you don’t want the patient to think much about
the decision.

Secondly, you can have informed consent about informed consent which is, you
know, going to great discussions about the informed consent process without
caring how it comes out. And then the third could be to encourage or require
active consideration of the material itself. And whatever the goal is, and
there could be others, as he says, that informed consent protocols can be
developed based on established risk communication principles.

Next point eight, I believe, is that informed consent about releasing data
could also have different goals. It could urge the patient to let the default
be the decision whether it’s opt in, opt out, you don’t have any choice anyway,
whatever the default is. Your whole approach could be to try and just encourage
the default. It could be to urge the patient to either leave the default or
look closely at the choice, or to urge or require careful consideration, give
no advice on which to choose, or urge require careful consideration and give
advice about what to choose because you really do have a bias. But, again,
effective informed consent can be developed for any of those goals, and he does
believe that the goal should be to help patients make their own judgments about
trade offs, and he does have some suggested approaches.

And so there’s ample – he has a website. If you just go to Peter
Sandman on Google, you will find his website, and you will find a great deal of
information is publicly available from him.

Next to your slides from Dr. Howard Dickler, again this was on creating
informed consent documents that are approachable, readable and brief. Now his
first two slides, it seems to me, just talk about that many informed consent
forms don’t actually meet all of the requirements of the CFR in any case. Some
of them have missing elements, et cetera.

But going on to the next three slides they show that these forms are at way
too high a reading level. They’re usually at fifth to, they’re supposed to be a
fifth to the tenth grade level at most, as you’ll see in the one that talks
about the 2003 medical school websites. Their average readability, those are
the standards that were proposed by the medical school website group. But you
can see that the average score of most sample IRB text was in over the tenth
grade level.

And then the next slide also shows that by increasing the length of these
forms that they’re very intimating, they’re getting longer, by the way, and
that it raises a credibility issue, and people begin to think that, gee, is
there something hiding there.

The next slide says the results of shortening the consent forms, and he
shows that in fact the comprehension was inversely related to the length, and
that they tested and found 67 percent comprehension on the short form and only
35 percent comprehension on a long form. And the point of that last bullet is
that there were actually errors that occurred, errors in consent anyway, on the
long form because this was a test, remember, that two out of 22 volunteer
despite a contra indication that clearly if they had understood what they were
reading, they wouldn’t have consented. And five of the 22 missed fatal
reactions that might have occurred, and, again, this was a test sample just to
show what length and complexity can do. And then he goes to show some of the
good results from shortening these forms and lowering the reading level to a
little over the eighth grade level. And you can see that the comprehension
improved over 85 percent scored correctly when they were questioned afterward
about what was in it. So there were those benefits.

Then his next few slides talk about the AAMC deciding to take a serious look
at this and holding a meeting which was the beginning of a process that they
intend to complete to really promote the use of more effective documents. And
you see who the participants were there.

And then they go through some of the examples of some efforts the Children’s
Oncology Group and what they learned, and you can see the positive results
there. They mention the AHRQ informed consent toolkit as one possible example.

The next one shows a commercial IRB where they got it down to a simple
one-page consent for simple procedures research and the impacts there. They
talk about some of the obstacles that they encountered, and I’m sure it’s not
surprising that simply inertia is a big obstacle. Well, we’ve always done it
this way; it’s easiest to use the form that we’ve already had.

Also, as you’ve said, writing simply, clearly and concisely is hard. It’s
not easy, and it takes a lot of thought, and no one does it well unless they’re
an expert, and even then they don’t do it well unless you test it and test it
and test it.

So again, they’re coming up with an approach that would try to have a
three-tiered approach, three-part approach to have the first part would be very
simple, very succinct. The second part would be all of the supplemental
information, and then Part C touches on something that you mentioned which is
sort like the teach back approach to make sure that it has worked.

They have some next steps so that they’re actually beginning to develop
this, these materials, these toolkits establish a repository, begin to
implement them, work with NIH and the industry. And I’m sure that the last page
where it talks about how that advisory committee could help support change. The
same would probably hold true for this workgroup in that it can at least
support positive proactive action by OHRP, FDA, NIH, et cetera and promote best

The last one, I’m actually not going to necessarily summarize her testimony
because this is more how you should do good effective communication. But it’s
important for the Workgroup to know because you’ve already heard that there’s
good research about how to communicate effectively. This is a nice succinct
document that I think the Department could benefit from. What I wanted to touch
on just very briefly as a model, this document is the executive summary from a
report which was commissioned by six high level federal agencies in the
financial sector, the Federal Reserve System, the FDIC, the Federal Trade
Commission, the National Credit Union Administration, the Office of the
Comptroller of the Currency, the SEC. If those six can get together and say we
believe we have a problem about the readability of our financial notices and we
want to do something about it, I think that makes a very significant statement.

The way I heard it said through my contacts at the FTC when I first started
looking at this years ago was they believe that the complexity of the documents
in effect negated the principle and policy of the financial notice, that they
had just absolutely were not meeting the requirement. And so they indicated
that the preliminary report did indicate that it is possible for financial
privacy notices to include all of the information required by law in a short
document that consumers can read. It can be done.

And what they intend to do is they’re pursuing this project, and they do in
fact intend to explore a full range of options for improving financial privacy
notices in light of all their consumer research. So, again, the take home
message there is that you have to do the consumer research, and you don’t just
hire policy analysts to do the research; you hire people to do the consumer
research to understand what the problems are and what the solutions are. Thank

MR. REYNOLDS: Mary Jo, thank you. I’m going to ask a clarifying question of
Cindy, and then I’ll open it, and I know Mark has a question and we’ll see who

Cindy, we’re dealing with treatment, payment, health care operations, HIEs,
NHIN, research, marketing, commercial use. So few things. Do your comments play
across all those categories, or do you think that it ought to be in any
particular areas.

MS. BRACH: What we focused on was research and largely AHRQ is an agency
that funds and conducts research. And so that was what I was attempting to do
was making sure that we ourselves were walking the walk in terms of making sure
that we are being responsive to the populations we’re serving.

The next place that I would like to take this work in AHRQ is to bring it
more toward the clinical informed consent curve for clinical procedures and
sort of spread that similarly.

MR. REYNOLDS: Procedures or trials?

MS. BRACH: Procedures. In terms of trials, NCI had a number of years ago did
a very nice job putting together templates and materials for clinical
researchers to use. As far as I can tell, though, they haven’t implemented it
in a meaningful way, that there are still huge cancer trials that don’t follow
those principles, that they haven’t enforced on a large education effort to get
those researchers on board and the intramural efforts to simplify are way, way
behind what NCI already did. So there’s a lot of work to do in the clinical
trial side.

I think the principles that I’ve been working on operate as much for HIE as
it does for Health Services research. But I also want to acknowledge the
limitations of my expertise in that I haven’t tried to apply it specifically to
each of those designated areas that you just mentioned.


MR. ROTHSTEIN: Thank you, Harry. I have a comment and a question, and I’m
glad Harry raised that point because both my comment and my question apply to
informed consent in both clinical as well as the research setting.

And the comment is that I think increasingly in medical schools in teaching
medical ethics the topic that we’re addressing is not referred to as informed
or just informed consent. It’s informed consent and refusal to get across the
idea to medical students that it’s acceptable to present the options and your
recommendation to your patients and for them to decline for personal,
religious, cultural, all sorts of reasons. It’s okay for them not to go along
with your recommendation even though you think it’s a mistake medically for
them to do that. So I think that’s an important concept.

The question that I have refers to how you train the issue, I mean, it’s not
just informed consent, it’s knowing voluntary informed consent. And for many
people who have the health literacy and who are otherwise cognitively able to
understand what they’re being asked either orally or in writing, that’s not the
problem. The problem is somebody in a white coat who stands between them and
really bad health is requesting that they do something or recommending that
they do something, and for many patients they’re not going to say no.

And so my question is have you factored into your educational program some
focus on the nature of the timing when the informed consent is being sought,
and who’s doing it, and the sort of the feeling of powerlessness that many
patients and potential research subjects have.

MS. BRACH: Thank you for both the comment and the question. I do want to
actually respond to the comment as well, and that you’re raising the issue of
refusal which I think is terrific and one of the things that we have talked
about, and I can’t remember whether it was at Howard Dickler’s AAMC meeting or
another forum where we talked about, you know, what kind of matrix can you use
to figure out if this process is successful.

And one of the things that we said is if you have a 100 percent sign up
rate, then that actually should be a red flag that something’s not quite right.
So I think you’re quite correct to underscore that the refusal is a very
important thing. And in fact, if I had to choose one of the eight elements that
OHRP would say are all equally essential or whatever, the voluntary nature is
the most critical.

Earlier when I said we at AHRQ were able to grab the low hanging fruit, we
primarily fund Health Services research. So often and what this toolkit is
primarily targeting is people who are promulgating surveys, fielding surveys
and using medical records for Health Services research.

So it is a very different situation then. I heard a witness testify at the
SACHRP meeting which is the Secretary’s advisory committee on human rights
protection who is currently a member of the UCLA IRB but who 12 years ago was
the mother of a child with a brain tumor and who was approached to participate
in a clinical trial and spoke very eloquently about that process. You know, she
was a high school teacher, but her health literacy plummets, her son has just
been diagnosed, and here this person in the white coat who she’s hoping will
save her child’s life is asking her to participate in a trial.

And I think one of the important factors that we talk about is no time
limits in obtaining consent that that kind of research you need to let them go
home, talk with other people. You can’t be closing the deal here, you know,
okay, read it, ask me any questions you want, we’ll talk about it, and then
you’ll sign. And so one of the things that she was strongly advocating also was
to have a kind of peer mentor that they have a system of volunteers of people
who have been through this process. In her case, it was parents of children who
had been enrolled in clinical trials to help guide and serve as an advocate for
that person who’s in a very vulnerable position.

Can we totally remove the power relationship that’s there? No, because in
fact she was faced with a situation which is if I don’t do something, my kid is
going to die of this disease. And so the question was how she was going to
proceed. There were some options. But basically she was probably going to do
the clinical trial because that was the kid’s best hope.

Now she would have wished that she had been better informed about some of
the – you know when they said there may be an IQ drop, she didn’t really
understand they were talking to 70 IQ level, you know, that kind of thing. So I
think that there are some protections that you can build in, but that you’re
not going to erase the power imbalance entirely.

MR. REYNOLDS: Okay, I didn’t see other hands. Oh, good. Yes ma’am, if you’ll
introduce, please.

MS. SOLOVEICHIK. I’m Rachel Soloveichik from the Bureau of Economic
Analysis. One thing I’m concerned about with these consent forms is sometimes
when you tell people like they’ll get a headache that the suggestion gives them
a headache. Maybe a rational person would not read too closely because –

MS. BRACH: Well, let me speak to that in a couple of ways. One is that in
fact I think you’re all probably familiar that people who get placebos often
develop some of the side effects that they are told that they might get, and so
there is the placebo effect of side effects.

But more to the point in this conversation, you know, particularly Bernie
Schwetz who’s about to retire director, I’m sorry to say at the Office of Human
Rights Protection, talks about having a laundry list of side effects to the
extent that it makes it meaningless, that you know, if you list everything
under the sun that could potentially theoretically happen, you’ve effectively
negated getting useful information that’s going to help you make the decision.

And so it is going to be very tough for the lawyers and the advocates and
the IRBs, et cetera to hammer out what is a reasonable list of side effects to
include, you know, balancing the probability that’s going to happen versus the
severity of what it is that happens.

And if it wasn’t so late, I’d tell you a funny story about a true and funny
story about a release that included the possible side effect of spontaneous

MR. REYNOLDS: Michael?

DR. FITZMAURICE: I think that was funny even without the long story. Henry
Youngman tells about a doctor who says to a patient, here take this placebo and
if it doesn’t work, come back and I’ll give you one twice as strong.

AHRQ has a long history during the short life of the privacy rule including
proposing the limited data sets with agreements and working with states and the
American Hospital Association to bring it about. So we’re very cautious about
the conditions under which people get data, particularly for research.

Now I’m wondering, Cindy, many times our language that we use comes from
regulations. So we appear stilted, it’s because we’re trying to copy out that
language. Would you support having OHRP review informed consent language and
maybe trying to come up with a model based on as simple a language as they can
as a guide for researchers around the country.

MS. BRACH: Well, this is what I’ve been able to negotiate with OHRP, which
is they will not put their imprimature and say we bless this because it’s a
template, and whenever you take a template, you’re going to have to adapt it.
And what they’re concerned about is then an institution will use that as a
shield, and if there’s a compliance issue, they say, but we used your template
that you said was good, and so now you can’t come after us.

What they are willing to do is work with us and essentially say we have
reviewed this; we don’t find any problems with it; and in fact, we are
depending on that involvement from OHRP to at least get in the gates with IRBs
that our premise in engaging them early and often is that it’s a nonstarter
with IRBs if they feel that they’re going to get hammered by OHRP.

DR. FITZMAURICE: Let me pose it in a different way, then. Would it be
helpful if another agency prepared a simplistic informed consent and then
passed it by OHRP to say would this suffice, and if OHRP says yes, then it can
be put out, but not as something that you can hold up in a lawsuit, although if
it’s good, it ought to hold up in a lawsuit.

MS. BRACH: Well, and as I say, you know, just anything has to be tailored,
and the devil’s always in the details. So that when you add in the specifics,
you know, it should be fine, but there could be something that changes it that
makes it different.

I think that that would, there is no reason not to be doing that. OHRP, at
least under its current leadership, has been very supportive of this idea. And
in fact, we’ve formed a little HHS OHRP informed consent dialogue in the
department to kind of talk about these issues, share information across the
Department about what different approaches we’re taking. So that’s certainly
what I’m doing with the AHRQ template, and there’s no reason why the Department
couldn’t follow suit.

MR. REYNOLDS: And for the first time today, Steve Steindel.

DR. STEINDEL: No, I didn’t have a question, Harry.

MR. REYNOLDS: You had your hands up.

DR. STEINDEL: No, I didn’t. I was pointing to –

MR. REYNOLDS: Oh, okay. Let it be known that Steve was just pointing. He has
no question.

DR. STEINDEL: I have no question.

MR. REYNOLDS: Cindy, thank you.

MS. BRACH: You’re very welcome.

MR. REYNOLDS: And Mary Jo, a great job. Absolutely great job in summarizing.

DR. DEERING: It’s easy to be other people, you know. It’s harder to be

MR. REYNOLDS: And all of you were fast.

DR. DEERING: Well, I just wanted to make some sort of observations here. I’m
so pleased that the Workgroup wanted to have this panel. I think it’s a tribute
to everybody that they recognized that this is genuinely a problem.

And to the extent that the Workgroup and ONC believe that the success of the
NHIN depends on the trust factor and to the extent that they believe that the
consumers and patients must feel confident about the use of their information,
then I think what this panel, even though it’s virtual participants have said
that then the Department would therefore feel an obligation to ensure that any
consent processes, and you notice processes that help build that trust not only
“exist,” but that they have taken the extra step to make sure that
they are effective and contribute to knowledgeable, voluntary informed consent.
And I think that the material presented here also makes it clear that we’re not
talking about just public education, and I do hope that as the Workgroup moves
forward, it will change the whole section that it talks about this under beyond
just public education to information education support, and we can come up with
a wordsmith later. But we’re not talking here just about public education or a
campaign to help people understand what’s going to happen, and so I think
that’s been very effective.

Agenda Item: Work Group Discussion

MR. REYNOLDS: Okay. Right now, we’re going to open the microphone since we
had that on our agenda. If anybody wanted to come up and make any comments.
Okay, seeing nobody moving, what we’re now going to do and I’ll turn it over to
Simon to lead the discussion is basically go around the table and kind of get
the Committee’s feelings on what we heard today, what it meant, whether it
added or detracted from where we thought we might end up, and with that, Simon,
which way you want to start.

DR. COHN: Maybe I just need to make a couple comments before we sort of jump
into this, and obviously I have my list, but I think everybody else does also.
But I do want to just note a couple things.

Number one is that tomorrow morning we are going to get into the, and I
think we have a new version sort of a second draft of what will probably be the
15th draft by the time we get done with our report, but sort of the
next draft of the sort of framework, report, beginning to put some
recommendations in. So we’ll sort of start that right at 8:30 tomorrow morning.
So we won’t start jumping into that this afternoon. I think most of us have had
enough testimony that it probably makes sense not to do that.

Now another piece, and this is just sort of once again to alert you, I think
as you all know, you received a list of possible meeting and conference calls
for between now effectively and the beginning of November. I notice that some
people have responded; some people have lines crossed out; some people didn’t
even respond; and I’ve actually asked you all to sort of take a second look at
this, and of course Mark Overhage isn’t here right now since he’s one of those
that didn’t appear to even respond. I don’t see Mary Jo Deering on this one; I
don’t see Mike. I didn’t see Mike Fitzmaurice’s input. I think that there’s
something where if slight time changes would accommodate people better, I think
we need to – I mean, the recognition here is that if we have this meeting
today and tomorrow, if we have a conference call later in September which is
already scheduled, we have a full meeting of everyone in late September, and
then a day or a day and a half or whatever we’re doing in October, I don’t
really judge that that’s going to be enough getting from where we are now to
sort of final recommendations.

And so this is an opportunity hopefully for us to have some time to talk and
sort of move through various periods. Steve?

DR. VIGILANTE: We have a full meeting in late September?

DR. COHN: We have a full NCVHS meeting, not a full meeting of this group
separate. So I’m just sort of saying is I want everybody to sort of look
through these things. If there are things on these days that are not listed at
these times but are better suggestions, I think we’re happy to take them under
consideration. So I just want to alert you to that. I do notice that for
whatever reason there’s sort of lines out on a number of Kevin Vigilante’s
times, so he should relook at them. Paul Tang, we will have to communicate with
by email. But as I said, what we’d like to do is get maximum participation if
possible. So I just wanted to alert you to this one because obviously the
sooner we get this in place, and obviously I’d like to be able to announce
these by the end of tomorrow, the happier I think we will all be.

DR. W. SCANLON: There was one message with three dates on it, right?

DR. COHN: I think there was one message with four. Three dates of which one
dates had two different times on it. Yes. So anyway, I just wanted to alert you
to that.

Now what I do want to do, as I said, is to really give just people
opportunity, and I said I’ll make my comments I think after others maybe have
jumped in. But I think what we want to do is to try to capture while it’s still
fresh in your minds about any of your learnings, any comments that you think
fall into things that maybe help with our framing or maybe help with our
observations or recommendations at this point or any, and if anything rose to
the level of an epiphany, we’d also be happy to take those under consideration
knowing that we’re taking notes as we go.

And Kevin, since you look in a thoughtful mood, do you have some comments to

DR. VIGILANTE: You know, I’ve got to say that I don’t know that my thinking
has changed very much. Maybe that’s why I think that what I heard today, just
looking back over the speakers, although I was struck how Monica Jones made it
seem so much easier in the U.K. I was struck by that.

And I was also struck by the way they’re sort of very comfortable with the
use of the word secondary without any apologies for it, and even so I thought
that that was interesting.

DR. DEERING: If Monica were here, she actually would have corrected herself.
I raised that with her, and she said specifically that it’s in their title, but
they are not comfortable with it to the best of my knowledge. But, again, she
can speak for herself maybe at dinner or later.

DR. VIGILANTE: You know, it did make me think, though, because she did
allude to that. She said, well, it’s secondary. She did say that, you know,
it’s almost more important sometimes, and it made me think that really it’s by
using and I don’t want to get into a semantic debate, but by using the word
secondary, the point is not to describe its importance. It’s to describe it
relative to the primary intent of the original donor of the information. That
when the information was, when the possessor releases or relinquishes it or
donates it to the recipient, the primary intent of the original donor, the
patient, was for use and care, and that other uses are secondary to that
intent, they may be as important or more important than the primary purpose.
It’s not a comment on importance, but on intentionality.

I enjoyed the conflict with Sean and his opponent from the pharmaceutical
industry. That was interesting. And I thought that the testimony about the
presence of these database, the AMIS databases that of the PBMs was rather
chilling, and I think that together with the testimony about re-identification
really showed frankly the ease with which we can be identified and this data
can be used in ways that it was originally not intended.

So that brings me back to our original observations that transparency at the
point of collection where the donor is clear about how this data may ultimately
be used becomes all the more important. And certainly the way that’s
communicated in a transparent as we’ve heard towards the end of the day is all

So it’s been sort of a scatter shot of impressions, but I think it was more
confirmatory rather than new epiphanies about where we’re going.

DR. COHN: Michael?

DR. FITZMAURICE: I guess a couple. You mentioned the conflict with Sean
Flynn. I couldn’t help but think is he representing physicians who are willing
to give up the paid lunches, speaking engagements and trips. If so, just say no
is probably a good start as opposed to advocating that the states regulate data

Data mining isn’t the enemy, but I guess what you do with it could be the
enemy. And so it comes to another point, and that is it’s hard to read the
minds of the public. Now when it’s hard to read the minds of the public, the
answer is give them a choice, opt in, opt out. But this can harm public health,
it can harm research. So you anonymize, and pseudonomyze, and try to prevent as
much harm as possible.

But I don’t think I know yet where the line is between what the public would
be willing to support and what the public wouldn’t be willing to support. And
in the United States, we tend let’s go until somebody screams. And I don’t
know, I’m not advocating that as such. But I want a greater wing of benefits in
the public sector so they can see what the advantage of this data mining and
the data uniformity is separate from the NHIN.

And in my mind, finally, my mind gets back to what does ONC think that it
needs some kind of judgment about is it okay to use health data for other
purposes for which it was originally collected, maybe quality measures,
although some is collected directly for quality measures, paying for
performance. And also what is an appropriate sale of data to pass the REOs. I
have a problem with that. I would want to get more specific about what are
appropriate revenue producing activities with data that would be acceptable to
the public and under what conditions.

So I agree with Simon that it’s not quite, we’re not quite there yet, and
we’ll need more time to lull this over.

DR. COHN: Mike, thank you for your participation. Welcome back.

DR. FITZMAURICE: Well, thank you. It was good to be away, and I was on
conference calls to my cell phone and rang out in the car. I just love this

DR. R. SCANLON: I think the day was both reinforcing of kind of I think from
my mind the dimensions of what we’re dealing with, but also it was helpful in
terms of maybe sort of new practical information that we can keep in mind sort
of as we’re trying to deal with the bigger principles.

The discussion of New Hampshire brought for me sort of the issue of it’s not
just the use of the data, it’s who the user is because the user potentially can
have secondary, in a different sense, secondary uses that we may have problems
with, and that that creates a different situation.

Just as we go around the room at the beginning of a meeting talking about
conflicts of interest, there’s potential conflicts of interest. While someone
may be using something in a post-marketing surveillance sense to detect safety
problems, they can also be using it in a marketing sense which is a very
different sort of context. And I think that’s something that we need to keep in

The issue and I think a lot of our focus has been on this issue of
permission. You know, what’s the role of the patient saying my data should be
used or can be used for sort of the following purposes. I’d like to sort also
put on the table the issue of compulsion, and it may be, to take a phrase that
we heard today, it’s to break the glass from the social perspective. It’s to
say it’s important enough that we want your data.

And you know, we talked about it in the public health sense. I guess there’s
a question of sort of from a research perspective, from other perspectives, are
there any things that rise to sort of that level where we say you really need
to participate from a social perspective.

The other thing, Mark, you said earlier that we try to balance the privacy
of patients. I’d also like to put on the table balancing sort of issues of the
protections, not necessarily privacy, but protection of providers because just
we talked about an individual could be harmed because their information was
released and maybe used appropriately or maybe misused, but their employment
was affected, their life was affected, the same can happen for providers. I
mean, we’ve got an issue now that’s in this quality measurement, and we can
talk about it tomorrow, in our draft there’s an issue of what’s being done in
terms of quality measurement. What if the quality measurement is bad? Okay, I
mean, flawed measures, perfectly valid data but flawed measures. What are the
consequences there? Do we have to be thinking about it from the perspective of
protecting sort of providers legitimately as well.

And I think I have a long enough history of being hard on providers in other
context, but I can defend them sort of in this one, and that it’s not I’m soft
on them over here. They’re representative. But it’s just this idea that these
data are going to be powerful tools, sort of once we start to get them flowing
and we start to use them. And so the question is we’ve got to be very careful
about how we sort of allow that power to be used.

The U.K. discussion, I thought, was interesting. I think one from the
perspective of how easier some things seemed, and it’s kind of monopolies
sometimes have easier times, okay, even though they’re not quite a total
monopoly, but they’re pretty far along the way.

But a lot of it related, I think, to the user in many of their context which
was they’re users themselves, different branches of themselves, and that I
think affects things.

But then I also thought in response about sharing data with the drug
companies, there’s just a whole different sort of perspective there that we
wouldn’t share, and probably we wouldn’t share it because our situation is
different. I mean, they may be kind to the drug companies in sharing data, but
they’re incredibly tough in terms of prices and formularies. So it’s kind of
like what does it matter sort of after you’ve done this other if you’ve
exercised this kind of control.

So I think it was an interesting thing. But the question is how much can we
sort of apply in terms of our experience.

DR. COHN: We’ll remember this being the day that you actually protected the
provider, so thank you. Steve?

DR. STEINDEL: I didn’t ask any questions, and I essentially Kevin and Bill
said what I was going to say. Do I have to say anything? No, but I think that
pretty much sums what I heard today. I heard a tremendous amount of very good
detail that augments what we heard and in some cases supports what we’re
thinking from the past sessions, and I thought there was a lot of learning, a
lot of education as was pointed out by Kevin and Bill that I think is going to
prove some very, provide some very interesting reinforcement in our discussions
and in the document itself.

The big thing that I came away with was Latanya Sweeney who I’ve heard give
her talk before, so I was very familiar with what she was going to say, I
thought really drove home the concept of risk benefit when we talk about this
whole situation of secondary use of data. That you know, the basic I think take
home message from her talk and from Richard Dick’s talk and from some of the
other things that were said was most of that information is about you some
place, somehow and they can tie it to you no matter what you do about it.

And if going into it with that principle, then we’d have to start talking
about the risk benefit. If we’re moving this data into secondary purposes, what
is the risk benefit for doing it. And what reasonable level can we put on the
data so that the world won’t know who you are when they look at these
anonymized data sets or something like that. That was something I thought about
when we first started this panel and I think was driven home a lot during
today’s session.

DR. COHN: Steve, for having nothing to say, you actually had a fair amount
to say. So thank you. Mark Overhage. Marc, first of all, we would like to know
your availability for meetings in September and October. So that’s number one.
Number two is what we’re asking people is for any epiphanies, thoughts,

DR. OVERHAGE: Befuddlement.

DR. COHN: Befuddlement, okay.

DR. OVERHAGE: I guess I continue to struggle with finding clarity, and I
mean I haven’t heard much new. But I haven’t seen a shining path either emerge
out of it. And so I’m looking to all of the bright minds around the table for

DR. COHN: Mark Rothstein.

MR. ROTHSTEIN: Well, I thought today was extremely interesting and very
informative, high quality presentations. I want to thank Margaret and the
others who arranged it. You guys did a great job.

I’m not sure I have any new insights that are going to be directly
translated into new approaches to dealing with the issue, although I’m not sure
I agree with the view that we’re terribly far away at one level, and that is at
the sort of the broadest conceptual level. I mean, we’ve got a lot of work to
do in terms of the details. But we’ve heard very powerful testimony, not just
today, but at the two prior hearings. And I think in a general sense, just from
informal conversations as well as questions that we’re all in sort of the same
wavelength now. But how that translates into recommendations remains to be

But I’m optimistic that it’s not going to be hours and hours of sort of
hashing it out. Why? Because I’m comparing this to the privacy and
confidentiality, and everything looks brighter than that. And just on Bill’s
point about protecting providers, I mean, I agree with you that that’s
something that needs to be considered. But I’m not sure that I agree that the
way to protect providers is by limiting the disclosure of health information
about patients.

I mean, patients have an intrinsic and a consequential interest in the
information. They’re concerned about what happens as a result of the
disclosure. They might lose their jobs or insurance and so forth. But they’re
also subject to some level of personal embarrassment, stigma and so forth if
information is disclosed. Physicians only have the former, that is, sort of the
tangible harm that could happen to their practice and so forth, and I’m not
sure that we can’t protect that by other means. In other words, limiting what
these other bodies can do with the information that would harm physicians, in
other words, be dropped from a panel, suffer some loss of privileges or
whatever as a result of that.

But relatively speaking, I agree with your point.

DR. W. SCANLON: I actually think other means might be the appropriate way,
and the issue is, though, we should not be silent, that as we move forward
because if we really do move forward in terms of making this happen, it seems
to me there’s a lot more power out there in data, and that we need to make sure
that there is appropriate protections for all the parties involved.

MR. REYNOLDS: Gee, I guess a couple things. I think first we probably almost
have two messages, one that we base on today’s framework, and then we heard a
lot of stuff about where the future could be on some of these tools and some of
these consents.

And if you took dbMotion, for example, and being an implementer, if you took
dbMotion and an incredibly rich system on an incredible amount of business
decisions and other things would have to be made to ever get there. So I
commend people that are there, but that’s a big deal to get through some of
that that’s going on. So I think we have to make sure we kind of paint a
journey because this is more of a journey, not a solution, I mean what we’re
doing here.

So I think as we keep that in mind and build off of what we have. Obviously,
it was interesting to hear the central model from the U.K. because that’s kind
of where we were talking about a trust agent, whether people actually trust it
or not, but at least it’s a single point that it can be have governance around
it, and you can talk about that governance. And if you know that governance,
you could be maybe a little more cavalier like some of the other comments were
made as to what you can and can’t do, and what you’re doing don’t rule, and
we’re much more of a – she used a wild west. We’re much more of an
individualistic, especially as we talk about longitudinal records for somebody
because they’re seeing multiple doctors that have multiple disparate thoughts
and multiple consents and multiple other things going on at the same time
there’s a whole other ecosystem feeding off of that for information and so on.

So I think that’s something we have to absolutely, I like the idea of the
risk benefit. I think that was a good comment that was made. I think as we go
through the deliberations, the idea of win/lose will quickly derail maybe a
framework. So as we’re thinking about a framework, I think maybe we need to put
win/lose against it as a filter. Well, I mean, we always hear the doctor loses,
or the patient wins, or this person or that person or research or something
else. I think we need to talk about what we want to make sure as we’re doing
it, we probably have the courage to talk about a framework and then the resolve
to go through and put filters against it to make that what we would be talking
and doing would actually make sure that nobody was inadvertently put in a
situation that we wouldn’t them put in as we do it.

So I think that’s, because if this was easy, we wouldn’t have had to do it
and a lot of this. And I think the whole common good continues to be a key
thought. And then I loved the comments on simplified language because that’s
pretty sobering, the list of – sobering, well, I borrowed it from you. I
borrowed it from you, but I knew if I said it, you wouldn’t understand it. So
we’ll go from there.

But I think the thing about that is that we really have to realize that the
people that we’re really trying to get consent from are on that chart, not the
testifiers, not us sitting around the table. It’s really that chart, and we’ve
got to really keep that in mind. So thank you.

DR. COHN: I was going to go for a minute and then let Justine, if that’s
okay. Are you okay on that?

DR. CARR: I actually get the final word?


MR. REYNOLDS: Mary Jo gets the final word. You and the three people you

DR. COHN: First of all, I really want to thank Harry for running the
meeting. It’s actually fun to be a participant and scribble notes furiously.
Though being the physician that I am, of course trying to read them afterwards
is always an interesting experience.

You know, there were just a couple of observations and things, and some of
them maybe are new, some of them are probably just things that I’ve been
thinking about for the last while. The first piece I want to talk about is data
stewardship which I was in some ways hoping that we would have more
illumination of thought based on the work going on, and I’m sort of left to
feel that we’re going to have to sort to put this together ourselves, at least
for this report.

You know, from my view and I’m sort of thinking about data stewardship,
first of all I would say that data stewardship and fair information practices
seem to be sort of kins or cousins anyway. I mean, especially if you’re talking
about principles of data stewardship. Principles of data stewardship and fair
information practices are all sort of the same thing.

And certainly the piece that I was sort of, you know, as I thought about it,
I think that there’s actually data stewardship in many ways sort of permeates
the health care system. What I think we’re noticing is that there are certain
places where we feel that there’s less data stewardship or uncertain data
stewardship or uncertain rules around data stewardship, and this gets to be
that intentionality and going out into the third ring issue.

Now and at least that’s what I think. Because I mean, HIPAA in many ways is
a text around data stewardship if you think about it. Now in all of this, and I
know this is beginning to be in our draft that we’ll look at tomorrow. But I’m
maybe sort of wondering, you know, knowing that the end answer of course is
getting better privacy protections, Secretary supports that cover all entities,
making us look a little more like a comprehensive approach. But I am wondering
and I just sort of put it on the table that there may be some things that
business associate agreements, especially of strength and better monitored and
all this stuff about whether or not that can begin to close a lot of the gaps
that we’re talking about and then indeed in an environment where people can’t
quite figure out what they really want to do around data stewardships, business
associate agreements properly done, properly monitored, and I don’t have the
answer. I just ask the question knowing that I’m not a lawyer. But how far that
can really get us in terms of tightening things up in a world in which we exist
now. So I just want to put that on the table which I’m sure we’ll talk about

Now in terms of transparency, obviously we heard a lot about education. We
heard about understandable forms which of course would be, you know, we have
not done very well either for financial or for healthcare recently. But I
actually am wondering also just to put on the table the role of audit trails,
and I think we heard that from Richard. We heard that from others, from
dbMotion that there may be some role in there to help once again provide
increased trust for people. Now I also was keeping my eye open for things
having to do with minimizing risk, and I guess I’m wondering about tools,
approaches, other things like that to help decrease these issues. And I guess
I’m wondering about certification of de-identification, knowing that that may
still be sort of, I mean, given all the capabilities to link everything
together and even that may not be sufficient. But that might actually be, there
may be something around that that might help us or make us at least feel a
little more comfortable in terms of all of this.

I’m also wondering whether, I think we heard examples of places that
actually hold data as opposed to places that give. I mean, you could whatever
it is, I mean, it’s that issue if you’re controlling the data and what you’re
doing is getting queries and then giving responses, it obviously is a model
where there’s much less risk involved around the data. And I’m just wondering
if there’s something there that might – okay, well, right, and I guess
what I’m saying is that when you think about it, the models and once again I’m
thinking about what Latanya was sort of saying in all of this. She was talking
about, well, gee, you start de-identifying, you make things available, and
suddenly I’m linking things 12 different ways. And, of course, one of the
solutions to that is, well, you send me your query, I’ll run the query and I
will give you the result. But I’m not actually releasing the data out to
anyone, and therefore I can’t, nobody can link it. And so it decreases the
risk, and we saw that in Blue Cross when they were talking about things. I
mean, you’re right. I’m only suggesting that this may be a tool of some sort or
another, and you’re right, I mean, it is an interesting – well, that’s
right. I guess we’d have to retract our letter from before.

I just sort of bring it up as one tool in minimized risk. Now it’s probably
not the only solution, but it’s just one piece.

Now I still don’t know what to say about consent and the rule of consent
except that I think we will probably have some mold here as we go further. And
I think that that – oh, I actually thought that the Massachusetts
discussion was actually very interesting just because the rationale that they
provided around the issue of intentionality about how things were different,
and I know sometimes we struggle with where dividing lines are. I noticed
sometimes when Mark Rothstein talks about NHIN, I don’t know exactly where the
NHIN starts or ends. But I sure don’t know where the cleavage is between, I
mean, is a REO part of an NHIN or an HIE part of an NHIN or exactly where their
cleavage is, and I thought they provide some helpful concepts around all of
that. So anyway, those were my notes, and obviously some of them elicited some
questions as well as consternations. But that’s why you bring them up so you
can sort of throw them out and see what’s happening. Justine?

DR. CARR: Thank you, Simon. I also want to thank Harry and Simon for being
good teachers of how you co-chair and chair, and also for running the meeting.

And also I want to echo what everybody else said about the work that
Margaret and Erin and Mary Jo and Debbie have done in getting these expert
testimony, and I don’t want to forget Cynthia and Jeannine for all their good

What struck me is that our initial meeting and maybe our second set of
meetings, we had so much testimony on benefit, and today was all about risk, it
seems. So it really kind of changed things a bit.

One thing that impressed me was the risk of re-identification with or
without HIPAA limits. I think we’ve had this sense of security around HIPAA,
and we were pretty clearly shown today that it’s not going to begin and end
with those HIPAA limits.

A second is this, what impressed about Latanya is that it was an actual
quantification of risk. It appeals to the scientist in me, that is, something
we can really measure against.

Another risk that struck me is the risk of state legislative initiatives
that may not have had benefit of all the testimony that we’ve heard. I mean,
we’ve heard substantial testimony and are struggling with it. And yet, there’s
a lot of legislation that’s being proposed. And I worry about the asynchrony of
that and also about the balance of that with what’s out there.

Another topic that struck me was the privacy, sort of the juxtaposition of
protection. Stewardship on the one hand which is a concept that we can all
agree with, and then the privacy protection solutions we’ve heard today were so
technical. And yet, we ended up hearing that 36 percent of the population
doesn’t even have basic health literacy.

And so how you sign the thing, can you give it to CVS, can you give it to
Engenics, MedicAlert but not, I mean, that is a bit of a cognitive dissonance
for me of how we’re going to take that same population and help them make an
informed decision about that.

I continue to be concerned about unintended consequences of these solutions
on the practice of the doctor/patient encounter. It just is hard for me to
imagine because I’m probably going to be in that group of people that are old
fashioned doctors, old school, you know, and I’m sure all these computer geek
kids will come along as doctors, and they won’t understand how medicine used to
be practiced. But it’s hard for me to visualize that all of this technology
happens in the background, and things are masked and hidden and appear and
reappear in a just in time fashion and that relationship endures and is timely
and properly informed.

And then the final question is very concrete is a centralized database a
good thing or a bad thing, and is it even feasible. You know, we really heard
absolute statements it’s the best thing, and it’s the worse thing. And I guess
I don’t know the answer to that. So those are my thoughts.

DR. COHN: Margaret?

MS. AMATAYAKUL: I guess a few things that struck me probably very apparent,
nothing is easy. We’re not alone, but we are different. And I think that
comments, the quote that Richard Dick had from the Forrester Group, it’s only
going to worse. It’s something we really have to take seriously. The situation
of privacy issues is going to get worse.

The other thing that Latanya Sweeney commented on, she had two things in
addition to what you all have said. When she commented that something was not
covered by HIPAA, we all sort of went gasp and thought that was completely
wrong. It occurred to me that I think what she was doing was following the data
rather than following the entities. And I think we’ve put a lot of emphasis on
the entities. But very early in the first testimony, we heard, I think, ONC in
particular talk about follow the data. And that’s hard because it’s sort of not
what we’re used to doing. So I think we probably should keep that in mind.

The other thing that struck me was we’re all convinced that the HIPAA
de-identification process removes 18 data elements, and it really doesn’t. It
removes 17 data elements plus any other data elements that might cause you to
be able to identify the person, and that last element would enable us to
probably fill that 0.04 gap if we really paid attention to it, but nobody does.
Everybody just takes off the data elements and goes from there.

So something to think about, I thought, and Steve says no. But I mean,
that’s really anonymization.

DR. STEINDEL: No, we’re not saying no to what you said. We’re saying no to,
we don’t necessarily want to fill that gap, you know, because we can produce
the best set of de-identified HIPAA data and just send a totally random data
element number that doesn’t relate to anything, that removes all data elements
that could possibly identify anything concerning the record but is totally
useless. But it meets the requirement of 18.

MS. AMATAYAKUL: Right. So that’s the risk equation. The other thing, two
other things. I thought Sandman’s comments were very counter intuitive to what
we typically think of, and I think we need to really read those comments and
think about them. And actually two other things. Jonathan White had a little
side bar conversation, and he mentioned during the formal testimony, but if
we’re looking to have this national data stewardship entity which doesn’t exist
and was not the intent, and he mentioned this. It was not the intent of the RFI
to create that, but to judge get information. It sounded like, once again, we
have lots of people for and against, but whatever, it’s going to have to be a
pristine group of people, and that could be really tough to find that.

And then the last one was Cindy Brach, I think, made the comment that no
matter how literate we may be, and we may be at the top of the literate heap,
so to speak, when we’re faced with pain or a child’s illness or whatever,
literacy plummets. And I think we have to remember that, that it’s not just for
half the population or 75 percent of the population. It’s for all of us.


DR. OVERHAGE: I want to add one thing. I’m still befuddled. But there was
one thing that some of these comments triggered that I don’t think at the
beginning of this journey I have in my mind, but I think increasingly it’s true
or increasingly thinks so. And that is that I’m increasingly thinking that
trying to drive to individual patient awareness and consent and control is
insane, that we will lose. And the comments made just along the last few really
reinforce that.

There’s a very complicated risk benefit trade off with a lot of potential
benefits, a lot of potential risks. State legislators who don’t have the
benefit of this kind of depth and time and energy making silly decisions, it’s
a really – and patients’ literacy, the inability to understand, interpret
and put into context these decisions at a moment. And as you said, obviously
it’s a dynamic thing for patients. I mean, your utilities change when you’re
sitting having coffee at Starbucks versus when you’re in an emergency room not
able to breathe. You know, they’re all different.

I’m beginning to feel like the only pathway out of this morass is going to
be a societal decision about the levels and appropriateness of use, that trade
off, and there are going to be some people who think it’s really crazy and
they’re going to go live in a compound in Utah, testifiers, no. But they’re
going to go, and they’re going to make the choice that way.

But as a society, I think this is the kind of thing that we – and it’s
not being paternalistic and trying to protect people so much as saying, you
know, this is a really tough, difficult, complicated thing that if we let
everybody make their individual decision, they’re going to make them in
inconsistent ways and so on. And I know it’s a tough place to go, but –

DR. COHN: Marc, you’ve woken everybody up, and we have the other Mark, and
Harry will have comments, and then we’ll go back into order.

MR. ROTHSTEIN: I just want to comment briefly on what Marc O just said, and
even assuming that you’re right, I don’t think it necessarily follows that what
we should produce is something that is really prescriptive in terms of in this
situation this goes, and in that situation that goes because what we’re doing
is creating a political document basically, and I think politically it may well
be a non-starter to come up with a document that is seemingly paternalistic and
removes the choice from individuals, even assuming all of what you said is
right, which we might question.

So I just wanted to raise that point.

MR. REYNOLDS: One thing I had forgotten to say earlier was I really think
more and more after listening to Latanya and others today us really drilling
down on some clean definitions because the rhetoric where people start using
scrub, de-identified and some of this other stuff just absolutely blows the
whole discussion clear out of the water every time. So I think we need to
really narrow that down.

I think second in comment to one of Margaret’s statements, I think the
reason a lot of us are still using entity as kind of one of the prime drivers
is following the data, being an IT person, following the data is a long and
arduous journey that even when you find it all and you make the whole journey,
you still have to go back and figure out how to get somebody to protect it or
deal with it.

So I agree, and that’s why I was using that term filter earlier. I think
that once we would come up with whatever we would come up with, making sure
whether it’s the flow of the data, whether it’s the types of uses, whether it’s
this or that is put over that to make sure we haven’t missed something would be
probably an approach. So that’s a different sense of that one.

DR. COHN: Before I give it to Debbie, I would just sort of follow on to sort
of comment that if you just think about it, one of the HIPAA pieces obviously
is that there’s exceptions for state reporting. And I think that’s what she was
talking about. So once again, it’s covered by HIPAA, but that’s how it’s
covered. And I think we just as we fill in all these circles, we need to
remember that there’s all of this stuff even without extensive arduously
following the data.


DR. COHN: Debbie.

MS. JACKSON: Just the important role of communication, this panel today
really put a context for me from the U.K. to almost the sociological standpoint
from where Latanya was coming from. It really helped me get my head out of my
usual box and realize that the health data and the de-identification has some
relevance in comparison to what’s going on in the de-identifying in a mob. I
mean, the things that she really put in the description helped just put things
into perspective.

And this panel, as someone mentioned, risk versus more benefit, it just
helped make a whole comprehensive set for me.

DR. COHN: Mary Jo.

DR. DEERING: I’ll start with one very minor, just sort of – it was that
question to the Workgroup that I was going to ask. But it’s very small, and we
don’t need to dwell on it.

In the CA tissue functional requirements that I shared with you, they treat
the consent as PHI. And so I just thought that raises an interesting concept
because it’s written, it’s got the name and the signature on it and the date
and what they’re consenting to. And so I just waned to –

DR. COHN: Say that again.

DR. DEERING: The consent itself becomes PHI.

MR. REYNOLDS: What does that mean?

DR. DEERING: I don’t know what it means.

MR. REYNOLDS: Okay, so that makes two of us now, so help me.

DR. DEERING: Okay, I can set that aside. I can set that aside. One of the
things that I think Monica Jones didn’t go into as much detail in as I expected
her to because it’s come out in a couple of conversations that we had and I
hope I’m going to represent it carefully. First she starts with this idea of
data quality. But she in some conversations built on that, and I think it came
through in some of her comments where it seemed that she was talking almost
about streamlining the actual fields that are collected. So that she’s moving
away from the sense that it’s your whole health record that we’re interested in
as opposed to – I didn’t realize that there were so many commissioning
data sets and that you can nominate a new one and with enough justification,
you get a new data set.

So, again, from the point of view of what the data it is, what is the it
that you’re talking about when you’re talking about data, it sounds like they
are in fact taking a much more organized approach. And it might be interesting
to probe that. In other words, do they think they need just a dump, and in fact
is that what they’re aiming for. So I’ll just leave that open.

Another thing that I was interested in, and it gets to a little bit of this
issue of primary versus secondary. And we’ve heard that consent at a given
period of time like at the outset for multiple uses is possible. So if you talk
about primary and secondary about the intentionality of the person who’s giving
information, if at the time they say yes, they’re consenting to multiple uses,
then what’s secondary.

So I’m just saying that it – just as you thought it was safe to go back
in the water of primary versus secondary, it seems that – well, in which
case, all those uses are primary. But anyway, it is possible to consent in
advance. It’s technically possible, and I think we’ve heard that from a
communications point of view, it is possible. So I think that that’s

I wanted to pick up on – I was, as you could tell, very concerned about
this AMIS database and the fact that it’s got everything, and that in fact it
is already being used for exactly probably one of the greatest fears, one of
the two greatest fears of people, you know, my employer’s going to have it, my
insurer’s going to have it.

Yes, your insurer has everything about you already. So we don’t –
either we solve that question, or we’re not in the loop to solve that question,
and it shouldn’t be a burden on the NHIN to solve it.

DR. DICK: It’s with explicit permission. Yes, that’s with explicit patient

DR. DEERING: Right, but it’s coerced permission, right. Compelled, and my
question is they have a business, so they have it under coerced permission.
They clearly have a business deal to sell PHI, don’t they? Okay, they have the
data with permission or not. They have a business arrangement to give it to
you. Are they free to enter into business arrangements to give that personally
identifiable information to anybody else.

DR. COHN: Mary Jo, I’m sorry. You’re making these as statements. It sounds
to me like what you’re saying is just to calm things down a little bit, it
sounds to me like what you’re saying is that we ought to investigate what the
legal relationships are, what this is all about. I think that’s what you’re
saying. Am I right?

DR. DEERING: Well, I think it is because if indeed such a database is being
used for other purposes, and, again, I’m not saying that they may not be good

DR. DICK: Those AMIS systems, that’s an acronym for Archived Medications
Information System, okay. There are actually two sources of that data today.
One is from Milliman, and the other is from Engenics, okay. Both companies
compete in that space. Just to give you a parameter, kind of a data point,
probably most of you do not know how much a medical record is worth in the
underwriting process. A typical underwriter at New York Life or any of them you
want to name will pay $55 to $75 per copy of your medical record to get it to
do the underwriting. It has huge value and with all the risks that are out
there, they go after medical records, 1.2 per applicant, and they are many,
many millions of them, okay.

I can just tell you one company has dedicated to them a 727 every night of
the world loaded to the gills with copies of medical records arrived in Dallas,
Fort Worth, Texas, okay. Those records are going to various underwriters for
the purpose of underwriting, and 1.2 records on average are retrieved per
applicant per insurance. That’s life insurance.

Long term care insurance, they’ll go after every record. It’s something I
learned a lot more about than I ever wanted to learn. But the value
proposition, this AMIS system presents and in fact I shared with Kevin, I
believe, that Milliman did a study with the data, and they showed the
underwriter that 32 percent of the time this pharma data told the underwriter
about physicians you have been seeing that were not divulged in the application
for insurance. It has some pretty interesting implications in terms of value
proposition to them.

As I said, I was in the highway construction business building the highway
to the med studies, but building it on the backs of the life insurance
companies. Now these AMIS systems are sitting in the PBMs and, as I said I
think off line, what is it if your data is in ten systems in that PBM’s data
center, what is it if it’s in 11, it still enjoys the same electronic and other
privacy capabilities that that PBM has in their data center. That data will not
be accessed and cannot be accessed without actual presentation of a signed
consent, okay, or in the case of the insurance companies, quite frankly they’re
doing it on a case-by-case demand. They hold the authorization will produce it
whenever they need to because they all have them whenever you apply for

So I’m just saying the data is sitting there. It is only accessed with
consent and what You Take Control is trying to do is open up that with consent
to save lives and use it for what I would call more appropriate purposes than
just the underwriting.

I said it was tantamount to literally building the interstate highway system
and then saying only taxicabs could ride on it. How stupid is that? And so the
idea is that the data is sitting there. It is being used for purposes other
than what I certainly intended. But it is legitimate in that, yes, it’s in a
system that’s owned by Engenics in this case, and it is producing substantial
revenues to both the PBMs and to Engenics. These underwriters are paying very
handsomely for access to that data, and we simply believe that it’s got to be
used for a whole lot more than that. So I hope that helps, okay.

MR. REYNOLDS: I think one of the things that we’re making a lot of what I
call class action comments. We’re saying all insurers, all providers, all this,
all that, and I think there are many levels within there. So, you know, some
people are covered entities. Things are allowed to happen. Others aren’t. So I
think a lot of our rhetoric just, we like a word.

And so I think as we’re trying to get to where we’re going, I think it’s
going to be important to make sure that we keep that in mind because otherwise
then it will just ratchet it up the rhetoric because class action comments are
hard to debate. They’re hard to defend, and they’re hard to do anything with.
So I think maybe a little more preciseness in what we’re talking about would be
key as we drive to the end of this.

DR. DEERING: I have two more small comments that aren’t inflammatory. The
first was just picking up on Justine’s comments about is a centralized data
bank good or bad. With all due respect, I might say that’s the wrong question.
I’d say the question is, is it needed. And I think too often we’re not thinking
of what do we need the data for and working backward from that.

We’re saying we’re going to collect all the data, and then we’ll try and
devise the systems. So I think that from a policy point of view, we should
write policies to serve the purposes and to think what is the need that we have
as opposed to good and bad in the abstract, and can you get the data elsewhere.
I mean, as in the British system, okay, we don’t need to get it from you there
because we’re going to get it from other places. So I think that might simplify
some things.

And then just the final point, and I really appreciated Harry’s point where
you were talking about people who really mattered. I do sometimes still hear
almost an assumption that the consumer patient is them, and a presumption that
they’re adversaries, that they’re always going to say no, they want to hold on
to every piece of data, and we’re never going to be able to reach them, and
their starting point is that they refuse to share.

I believe that those are flawed assumptions. I believe they’re not tested.
Moreover, I think Peter Sandman who has worked in high stakes industries about
this communication would say that you lose more by trying to impose controls or
withhold information and choice because it probably won’t work. It will
unravel. And the loss of trust, the backlash, the anger, the outrage factor, I
mean, he advises his high stakes client don’t’ go that route unless you
absolutely have to. I mean, at least examine your assumptions and how you want
to get there.

So I only would like to say that I think we’ve heard ample through this is
that you can communicate simply. It really isn’t rocket science. There’s a lot
of basics. You don’t have to give them all that detail. You have to give them
the essentials. They can understand. And usually they’ll say yes. They’re happy
to. They really want to share. They can see the value.

So let’s not start with the assumption that they’re bad, they’re greedy and

DR. DICK: Could I ask could we get copies of all the presentations, and will
those be made available?

MS. JACKSON: Yes, all the slides and material go up on our website on our
home page within about three weeks.

DR. DICK: Thank you.

DR. COHN: Well, Mary Jo, thank you very much. I think this has been very
useful. May I just add to this other thing through my own notes. I also, just
to throw one final piece in which is sort of reminding ourselves once again
about another tool which is pseudonymization. And I have no idea what use it
has beyond public health, but it might. And so we should throw that into our
tool box just to see if there’s ways that it might help.

Now I think the debriefing has been really interesting, and I think will
bode us well as we begin to move into looking at the documents tomorrow
morning. Obviously, much of tomorrow is really talking through sort of where we
are, our conceptualizations, moving from themes into observations and
recommendations, sort of seeing where we are. We do have, I think, two
testifiers tomorrow and that, at least unless we come up with some other
testifiers really sort of closes the testimony for this topic. And from there,
we move into, as I said, sessions where we’re trying to put this together. I’m
glad that many of you feel that you’ve heard enough. And certainly for a number
of you sort of saying, well, these are reconfirming my findings, Mark, I do
share your comment about befuddlement which I think is sort of all this will
begin to come to earth as we begin to get a little more concrete hopefully
about what we’re thinking about, and we need to filter it through our own

MR. ROTHSTEIN: Simon, there’s a difference between feeling that you’ve heard
enough and feeling that you can’t take any more.

DR. COHN: Well, with that and after eight and a half hours of meetings
today, what we will do is to adjourn until 8:30 tomorrow morning.

[Whereupon, at 5:37 p.m., the subcommittee meeting was concluded.]