[This Transcript is Unedited]

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

AD HOC WORK GROUP FOR SECONDARY USES OF HEALTH DATA

August 24, 2007

Hubert H. Humphrey Building
200 Independence Avenue, S.W.,
Room 305A
Washington, D.C.

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703)352-0091

TABLE OF CONTENTS

  • Work Group Discussion
  • Health Data Protection Solutions needed in HIE
    • Emily Welabob
    • Elisabeth Belmont
  • Work Group Discussion

P R O C E E D I N G S (8:30 A.M.)

Agenda Item: Work Group Discussion

DR. COHN: Okay this is a meeting of the Ad Hoc Workgroup on Secondary Uses of Health Information of the National Committee on Vital and Health Statistics. The national committee is a statutory public advisory committee to the US Department of Health and Human Services on National Health Information Policy. I am Simon Cohn. I am the Associate Executive Director for Kaiser Permanente and Chair of the committee and this workgroup. I want to welcome committee members, HHS Staff, and others here in person as well as those listening on the Internet. I guess I should just check. We are on the Internet? Yes, okay. So, welcome.

Obviously, I want everyone to speak clearly and into the microphone. With that, let us have introductions around table and then around the room. For those on the National Committee, I would ask if there are any conflicts of interest related to any issues coming before us today, would you so publicly indicate during your introduction? I want to begin by observing that I have no conflict of interest.

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the committee, and co-chair of the workgroup. No conflicts.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics, committee staff.

DR. DEERING: Mary Jo Deering, National Cancer Institute, staff to the workgroup.

MS. AMATAYAKUL: Margaret Amatayakul, contractor to the workgroup.

MS. GRANT: Erin Grant, Booz Allen Hamilton, contractor to the workgroup.

MS. ANDERSON: Kristine Martin Anderson, Booz Allen Hamilton, contractor to the workgroup.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Research and Quality, liaison to the full committee, staff to the workgroup.

DR. W. SCANLON: William Scanlon, Health Policy R&D, member of the committee and member of the workgroup. No conflicts.

DR. STEINDEL: Steve Steindel, Center for Disease Control and Prevention, staff to the workgroup, and liaison to the full committee.

DR. OVERHAGE: Mark Overhage, Regenstrief Institute in the Indiana University School of Medicine. While I have no conflicts, I do want to disclose that Emily Welabob will be testifying later as an employee of Health Information Exchange, which I was CEO of.

MR. ROTHSTEIN: Mark Rothstein, University of Louisville School of Medicine, member of the committee and the workgroup. No conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina, member of the committee and member of the subgroup. No conflicts.

[Introductions around the room.]

DR. COHN: Well, good morning everyone in California. I want to welcome everybody to a very early morning. I want to thank everyone for their participation and involvement. Certainly the co-chairs have been a value including getting up early this morning to help us sort of work through and prepare this morning’s discussions. Obviously, our liaisons, we would not be making progress without them. Of course, all of our staff. Debbie Jackson, Jeannine, Cynthia, thank you for your ongoing help and support in all of this.

I think that the good news is that today is the final combination hearing on this topic that we will have. Obviously, if new issues come up, we will provide time into conference calls or subsequently in other face to face venues to hear additional issues or otherwise. Certainly at this point, this is really our final hearing. From here we will be arranging a variety of conference calls, which we will be scheduling. I think the intent of these will need to be open calls since we will be talking about substance and recommendations and all of that. So, be publicly noting those. Those will be published on the website as otherwise NCH does for us.

I think the intent will be for us to bring forward a draft, a set of letter, and a set of recommendations report for the full committee meeting late in November. At that point, it is a week or a week and half after the workgroup will plan on meeting to sort of finalize recommendations and the report. So, hopefully by early to mid October, hopefully we will have things substantially done. Obviously as I have said, I thought it is easier to talk about this one. Of course, we have not begun to move seriously into the recommendations yet. We have just begun to do that.

Now, most of today and most of this morning is really devoted to discussion. What we will be doing is beginning to go through some sort of very draft observations and recommendations. I think we have all been drawing pictures, none of which anybody has liked. We have all been reminded of some things. The reason I asked Margaret to do is to put down the substance and the implicit things that we have been talking about in terms of the sort of – the recommendations are really implicit and some of the drawings to help us sort of go through these things recognizing that we can come to agreements on sort of the thoughts and the pieces, it may help us get back to drawings that we may like, or we can decide that we do not need the drawings after all. Certainly, in our experience with NHIN requirements, we made lots of drawings and at the end used very, very few if any at all as I remember.

So, between now and about 10:00 we are going to be having conversation around some of these draft recommendations. At 9:45 we will have a break, and then we will have our last two testifiers from 10:00 to about 11:00 and then we will continue on with the observations. If we have time, go back into the actual substance of what we had written previously. This is obviously draft, pre-decisional, no one should take anything that is written here as anything other than sort of draft and hopefully will be generated in the right direction. These things will be considerably refined through conference calls and just sort of group input to a point we hope have all consensus on this. Adjournment is 12:30. We will do a time checks as one of our members is going to be leaving a bit before that will be checking with others.

Now, with that, and assuming everybody is okay with it, I was going to ask Margaret to sort of begin to walk us through some of the very drafty observations and recommendations assuming that everyone is comfortable with that. Okay, Margaret?

MS. AMATAYAKUL: So, what I did was try to identify observations and recommendations associated with each observation in sort of top down broad perspective to more narrow perspective. The first one you see here is improving data stewardship. However, we have been talking a lot about the need for promoting privacy legislation, full inclusive privacy legislation. I did not include that in here. That probably should be number one. I hate to start off by saying, let us add something before we even start looking at reading something. That does seem to make more sense to put before anything else. So, rather than try to frame words, I am wondering if just adding, promote inclusive privacy legislation, and in the absence of that address some of these other issues and potentially changes and regulations.

DR. OVERHAGE: I guess the question I raise is for saying promoting inclusive privacy legislation looks like and that the word principles you are trying to get out there – I assume it is to plug the leaks, if you will. Have we convinced ourselves that there are leaks in legislation or that there are leaks in the process? There are clearly leaks, but are they in the legislation or in the implementation and process?

DR. COHN: I think we have a new question. I guess I defer to the other Mark next to you to maybe talk a little more about it. We actually have a letter that we actually approved in June in the year before that talked about the fact that there were places where personal health data really was not covered by entities. We felt that there needed to be uniform protection. My view is, it really isn’t promoting inclusive privacy legislation. It is actually asking secretary to advocate for more inclusive privacy legislations. So, it is an absolute fact, but it sort of like that is one piece and there are all these other things that need to happen. That would be how I would be framing this. Mark, you probably have additional comments on this.

MR. ROTHSTEIN: Right, in our June 2006 letter on Privacy and Confidentiality in the NHIN, we recommended that there be comprehensive federal health information privacy laws so that all individuals and entities that use and disclose and so forth – we didn’t use protected health information, but personally identifiable health information would be covered. So, that would include a whole range of individuals and entities that are not covered, which wouldn’t be employers, life insurers, long-term disability insurers and so forth. We wanted to bring those in. That was sort of the general recommendation.

This June, we followed that up with a second letter in which we fleshed out the rationale and the specifics of covering currently uncovered healthcare entities, which would include all of those entities that pay cash for treatment and so forth as well as the entities that are primarily not healthcare entities that get information. Keep in mind that our intent was not to focus on the rogues and the scallywags. These are entities that have a lawful and legitimate reason for accessing information.

DR. COHN: Thank you. Mark, I would say on this one that we need to nuance this one appropriately so that it does not – because if you are not doing that, you aren’t doing anything else either. I think we also need to see my records and incorporate thoughts from that previous letter. Bill Scanlon, do you have a comment?

DR. W. SCANLON: Yes, Mark’s comments actually helped in terms of clarifying. When we started off, it was just inclusive. That was worrisome in the sense of how broad are we going? It is still very inclusive. I am concerned that we are not helping sort of the people reading this in terms of being clear enough about what we are talking about. The early part of the report gives the impression that quality is everything, and that everything can be construed in some way as to being related to quality. Okay? If that is what we are about, that is a much bigger set of issues. Then, when we get into later recommendations, we start to make a distinction between quality and research. The question is why isn’t research part of quality? Okay? So, there is this issue we started off with secondary uses of which there is a whole set, quality measurement being one of them. I think quality measurement is actually a more specific term than quality. The issue is that if we deal with a full set of secondary uses, that I think is potentially a better framework for recommendations because that starts to introduce, okay, wait a minute. This use involves these benefits and these risks. Here is the set of guidelines that should apply to that versus trying to be sort of too broad in terms of nonspecific sort of recommendations.

We are punting in a lot of our recommendations. This is the one we are starting with now. What would this more inclusive federal privacy regulate legislation sort of entail with respect to sort of different entities, different uses, et cetera. That is the kind of thing. We obviously cannot finish this all by mid-September, but it is anticipating sort of how there needs to be distinctions. I think it is important for us to be able to address that and warn people about the need to make these distinctions in what we are talking about.

DR. DEERING: I was wondering, since I am not intimately familiar with both of the privacy letters, whether does this workgroup believe that the recommendations in those letters in and of themselves are fully sufficient to cover anything we would want to do in this workgroup? If so, do we just say that bluntly and refer people to them? To the extent that they might not be, because we have uncovered new areas, new issues, and new concerns, then can we establish to what extent those are the baselines? We have already set them. We have already agreed on the language, and we know what that language is. Then, focus on whatever is supplemental over and above the recommendations that we have already articulated?

MR. ROTHSTEIN: The answer to that is, no. To repeat the question to what the no answer is to, the privacy letters are not sufficient to deal with the issues that this workgroup is considering. Let me explain why. Basically, our view was that protections need to follow the data wherever it might reside. So, we would say, for example, an employer is currently what we would call a covered entity. If they were a covered entity, then they could not sell the information and use it beyond the purposes for which it was collected and so forth. Some healthcare providers are now covered entities, yet because of the TPO provision there is a lot of stuff in healthcare operations that allows greater latitude than we may decide is appropriate. So, just because they are covered does not mean that everything is hunky-dory. We are, I think, in this group drilling down to what other permissible uses of that information by covered entities. I think you can look at the earlier privacy letters as being sort of more general in terms of what should the scope of privacy protection be, and the letter we are working on now – what does that mean in terms of quality measurement and all the uses that we are talking about.

DR. DEERING: I think that is a very good preface to a statement to include that language somewhere. The letters of XYZ set the broad context within which we want to look at this. This particular recommendation will focus on dealing down et cetera, et cetera. Just as an introductory clause to set people up and to refer them back as they should to what we have already written.

DR. FITZMAURICE: I want to bring us back to what Bill said because this whole report could be another privacy report, which would be good in and of itself, but I think it may not be the charge. After I get done reading the report in October, I will want to know, are uses of healthcare data for quality measurement appropriate? Secondly, I will want to know what uses are appropriate for generating revenue for RIO’s and under what conditions? Those are the concrete questions. Now, we are putting out a framework, and maybe we cannot answer those questions completely, but we can put out a framework by which you would approach the answers to those questions. It is getting into what specific uses are egregious, what specific uses are so beneficial that almost nobody would question the uses of live data for that good, and then how do we decide what is in between?

MR. ROTHSTEIN: May I answer that? I think what we are doing at this point is setting the boundaries on each side of the debate. In other words, what uses are sort of beyond the pale, and what uses are expected and currently are covered by the newer privacy practices which merely disclosing what you are doing with them is okay. I think what you are concerned about is really the essence of what we are going to be getting to. I view what we are talking about now is just framing the issue, and not replacing the concerns that you are raising.

DR. FITZMAURICE: I guess I see the issue not framed in terms of what is a privacy law allow us to do, but what is beneficial and what is not beneficial for the man in the street? How is somebody who wants to do something with the data, how are they to approach this? Yes, they have to take into account the privacy rule and a bunch of other laws and regulations, but when it gets down to it, they do not want to wind up on the front page of the paper. How do we provide a framework for them to say, yes, the benefits are these, and yes, there are some of these costs, but we deem the benefits to be greater than the cost. Do we recommend that a body, like an IRB judge these things? I do not want to put a lot over hit into this. Given the principles, given the framework, and some of the examples I think would be really beneficial.

DR. COHN: I will let Justine comment also, but Michael I know you have brought this up a number of times. I would say that I think Margaret has received it previously, but do me a favor and resend because you have some very specific questions. At the end of the day, I think we need to hold up whatever we are doing to make sure that we are addressing the level of detail that you are describing. However, I do not think that is the first question that we need to answer today. I think you would agree with that one. We just need to make sure that we are covering things such as you are suggesting. Does that make sense?

DR. FITZMAURICE: Agreed. It makes a lot of sense.

DR. COHN: Justine?

DR. CARR: Yes, because I am a person who likes pictures, I want to just think about this a little bit differently and getting a little bit closer to what Michael is saying. As we reflect upon what we have heard in the last three hearings, we think about the compartments. There is the patient, there is the covered entity, there are the business associates, and there are others that fall outside of those. The levers that we have heard about are: consent is one, expanding the definition of covered entities and/or business associates, enhancing and getting more detailed in the oversight and accountability of covered entities and business associates, and then finally having greater clarity about what is de-identified data. So, as I think about this continuum, I think about – let me just say, transparency is also a part of this for the patient. So, how do we make this come out right? First of all, where are we getting is the trouble. I think Michael said exactly the areas that are in these in between phases. If we thought about what interventions we were going to use, then how would it help address these gray zones that seem to be so troublesome? I feel if we start spending a whole lot of time on privacy – I mean, I would rather say, here is our menu of levers, and here are the places where they can be used, and let us walk through from a more practical standpoint. We have heard the various testimony – now who fits where and what were those troublesome areas that we didn’t understand where they fit? What levers would we pull to make sure that there is greater clarity?

DR. COHN: Okay, Margaret, I think we will turn it back over to you again.

MS. AMATAYAKUL: Okay. So, obviously we have got some food for thought here, and we can go back and draft an initial recommendation here. Can we go on or do you want to–

DR. COHN: We can go on. I think these are high level initial comments, and I do not know if we do great benefit by wordsmithing them right now.

MS. AMATAYAKUL: Right, okay. So, the second one is improving data stewardship, and you can see there that the observation addresses some of the things that we heard about AHRQ and the information about the potential data stewardship entity and AQA’s recommendations and so forth. So, the recommendations that I have listed here include, HHS should broaden the scope of the proposed national health data stewardship entity to serve as an entity that would provide the framework that would supply guidance for all uses of health data including those for all forms of quality measurement reporting and improvement and be for all other uses of health data acceptance described under HIPAA treatment and payment and when required by law or otherwise regulated.

I think that first the statement – I think the first two probably would fall under what John yesterday talked about. I am concerned that the third one, the caution that he described in this group being sent high above everybody else may make the third one difficult to achieve or recommend. So, the second one is that the stewardship entity should be informed by the framework outlined in this report for further guidance. Then, the national stewardship entity should be poised to serve as a certification body to certify entities as data stewards. This is somewhat consistent with their first recommended functional requirement of the NHIN, which was certification.

DR. CARR: So, just again making this concrete. When we say entity, we are talking about covered entity? What is an entity?

MS. AMATAYAKUL: The national data stewardship entity?

DR. CARR: To serve as an entity. HHS should broaden the scope of health data stewardship entity to serve as an entity that would provide the framework and supply guidance for all uses of health data including quality measurement. So, are you saying that they provide oversight like the Caldecott Guardians or that they get prescriptive in terms of valid data aggregation? What exactly is this sort of —

MS. AMATAYAKUL: I tried to go from a more general because we really do not have all the data from that report. The entity is not a covered entity or a business associate or anything like that because they do not have protected health information.

DR. CARR: So it is a certifying body that certifies entities? What entities does it certify?

MS. AMATAYAKUL: It could be, but initially the recommendation is just to provide guidance.

DR. CARR: I guess it goes from macro to micro. It is going to certify – certification body for entities that are not covered by HIPAA? I am just trying to think. We are on a continuum, so stewardship is going to refer to entities not covered by HIPAA? Or it is going to certify entities not covered by HIPAA? What is it going to do for entities covered by HIPAA?

MS. AMATAYAKUL: If you are not covered by HIPAA and you receive individually identifiable data, and you are then a data steward. You have stewardship responsibilities and some organizations may not fully know what that means. The data stewardship entity would provide that guidance. I think that was what the essence was. Do we need something like that?

DR. CARR: It covers non-HIPAA entities? It does not have anything to do with HIPAA entities?

MS. AMATAYAKUL: That is the way that I have written that, but that does not mean that we could not have guidance in number one to all entities. Covered entities are data stewards also, right?

DR. COHN: I am looking at this – Sleeping overnight and looking at things with a fresh eye. We all have to be aware that this is – I mean, try to sort of figure out what things make sense. Is this a lever as Justine described that we are looking to help influence non-covered entities? Is that what you are describing this as? For example, PHR’s that are not sponsored by covered entities and things like this. I do not know if that is what AHRQ was thinking.

MS. AMATAYAKUL: Yes that is what I said. I think that – because I wrote this before yesterday with the information we have from the RFI. I think some of this needs to be reframed, but I think the RFI was only to seek information. It was not even to create the entities they proposed. I was hoping to say, go ahead and create that entity.

DR. STEINDEL: That is what I was going to comment on is I do not believe that there is consensus that there is going to be a national health data steward entity. So, I think this is – the whole premise of this concept either we want to make a statement that there should be one, and I do not know if we could get consensus around this room that there should be. I am happy with the third rephrased not in terms of a national data stewardship entity, but rephrased in terms of certification for those types of bodies. As pointing out that there is a body, I am not happy about that.

DR. CARR: Again, I would ask the question, is it stewardship about how the data is used in terms of statistical uses, identification uses, or sharing? What aspect of the data? I am a non-covered entity. I have data. What will the stewardship – what will it tell me?

DR. SCANLON: It was similar to Steve’s. I guess after yesterday I was thinking that there is no guarantee there is going to be an entity. The question would be here, did we have a vision of what we thought the stewardship organization should be, and would that be the recommendation? The second thing related to that would be, exactly what kinds of powers would you want this sort of organization to have? Does that imply that there needs to be some statutory basis for it? Would we have a recommendation with respect to that as well? Steve may be right in terms of maybe we could not get consensus around the table as to what the vision is. It seems like we cannot start with the assumption that we are going to have one. The question is, where are we going to go from there?

DR. DEERING: What I am hearing is that there is some support for the concept of setting principles and guidelines. I am not worried about organizations yet, but I am talking about the what, that there needs to be perhaps some way of developing through some reputable process a set of guidelines, a framework, and standards for data stewardship. What I am wondering is, is there in fact support for a statement like that, but leaving the process by which it is accomplished open? For example, in the absence of an organization, you can convene IOM or some other body and say, we want to create a very robust process by which there will emerge a compendium of guidelines and principles and standards for data stewardship. You do not have to have an organization at all, and the IOM takes its million dollars and goes away. We could make that kind of a statement that it is a statement of principle. This needs to be accomplished. There are multiple paths by which it can be accomplished. In the absence of an organization, it could be accomplished through other channels.

Then you get into these much more operational details and that could be treated as a separate question for the workgroup. To what extent do we believe that we need some operating organization to do some stuff? What is that stuff? In other words, you do not have to throw out the baby with the bathwater if you indeed believe that the framework for principles is important and you are not sure of your organization, then do not tie it exclusively to the organization.

DR. COHN: Justine?

DR. CARR: Just two things. IOM actually already had a meeting, and they recommended a data stewardship entity. I am just reading from the Federal Register. The proposed scope of work is very much about data aggregation, validation, data collection, and all of that. Also, data sharing and reporting, so it is both. It is really the logistics of how you use the data. That is why I would question, why would we only use it with non-covered entities? I think we have seen and heard that many of the organizations want everyone to have rules of the road about how you use data. The part that might apply to the non-covered entity is data sharing and reporting. Even that goes with it. I guess I am responding to the fact that this is a concept that is out there. It has been out there for a couple of years, and where it is going to fit is still a matter of discussion. I am not sure that we want to talk about an entity as much as a concept. I think also, I want to be clear about – is this a guardian of privacy, or is this a data integrity function because I have heard both?

MR. ROTHSTEIN: Thank you, Justine. That helps. I think the problem here is that we are conflating three separate things. The concept of data stewardship in the abstract independent data stewardship organizations, and a national data stewardship organization. There are three separate things. I think we ought to comment on the pros and cons of various approaches even if we do not come up with a specific recommendation that there ought to be an X or a Y or a Z. I agree with Steve. I do not think we are going to get that agreement, but we did hear from yesterday about a single national data stewards model, and then there are obviously, you can imagine, multiple data stewards that are somehow certified or have common principles. If we set those out, I think we will be advancing the discussion.

DR. COHN: Steve and then Marc?

MR. ROTHSTEIN: Just a specific response, and that is that we heard about one data steward entity from the UK. There are more. In other words, you have to be careful. We only heard about the one that sounds all coherent and nice. There are other pathways that people are getting and using data in the UK besides through US. So, it looks nice and pretty. We heard about one of many.

MS. AMATAYAKUL: Mark, you suggested there were three approaches, an independent data steward organization, a national organization.

MR. ROTHSTEIN: The other was not approach. It was just talking about the concept of data stewardship that we can have without such an organization. In other words, anyone who owns records is a steward and owes certain responsibilities.

MR. VIGILANTE: Well I think it comes back to a definitional issue. I think stewardship is just this concept of caring or holding something that is not your own. We should point out that when we talk about stewardship, there are principles of stewardship in this case that we think correlate to good stewardship. Then, when we talk about stewards that can be a variety of both. You could be talking about a central entity that is an organization that either has oversight or control at a national level, or you could have almost anybody being a steward who is holding this information. So, there is this concept of stewardship. Then, various entities with the apt to adhere to certain principles of stewardship and I think once we clarify those terms, then we can use them intelligently.

DR. COHN: Well said. Steve and then we can begin to do something with this?

DR. STEINDEL: Yes, I do not know how much I have to add to what the Marks and Kevin have just said. The thing that I want to point out is one of the purposes I understand to be AHRQ RFI is to establish a lot of these things that we are asking. There is going to be a kind of simultaneous release of the RFI and this letter. How far do we want to go down areas that we think are going to be covered?

DR. COHN: Well, I think if we know enough to be able to support things that we think are good, that would obviously be a good thing. Of course, at this point we do not.

DR. STEINDEL: I think I am asking more on the basis of hearing our comments from my distinguished colleague on AHRQ on how far we want to go. I personally feel that since the document is not out there, we should stake our positions.

DR. COHN: Okay. I guess we were looking at this one this morning. I am hearing from everybody as well as wondering myself is it is the issue of what problem are we trying to solve here? I think we are all a little vague. We talked yesterday, and I think we are all very supportive of the concept, and we want people to be good data stewards. The question is, are there areas where we think that there is either ambiguity or uncertainty and what do we need to do about that to help everyone be good data stewards? That is really what we are trying to do. I think we just need to think about it in that context. It may be that we are gluing down too quickly with the answer as opposed to clear delineation of the problem here.

As I said, when I looked at this initially, I said, that looks pretty good. You know, at least for discussion here, and I think everybody is having the same sort of reflection of all of this. We may come back and discover that there are unique places where this could be very valuable and help, especially in the areas where there are non-covered entities. If you think about it, HIPAA privacy is a document about data stewardship. Think of it that way. That is really what it is. So, I think this was at least an attempt to say, well, there has got to be one some way – one level we have is to potentially leverage something like this to deal with areas which is outside. The question is whether that becomes a reasonable framing of something and may not be a national steward. All of those things are to be determined. You all have to think about whether or not this section might be one of the tools or levers that might be helpful to that.

Now, I want to give it to Harry to help frame things a little bit, because I know he has been writing like mad here.

MR. REYNOLDS: No, I would say amen to framing and to this being a tool. As I have tried to look at this, if we start out framing this – we do have a privacy statement that we make. That is just a fact. We have set it in letters that we have concern – but concurrently, because we know that we have heard a lot about tools and governments and technologies that are going to take a long time to end up in the mainstream. So, we heard all of this stuff yesterday and a lot of it is going to take a whole long time. We cannot get MPI employees and some of these other things. It will be a long time before we fix that.

Currently, we came up – we talked about things and have discussed things to build on current HIPAA. There are issues between covered entities and business associates. We have kicked around things like attestations and we have kicked around things like, remember the payers and providers do have a relationship with the individual by contract and by selection. They need to have much better transparency at a readable level. We heard a lot of other things like that. We also have heard clearly that definitions are misunderstood. So, right now, the rhetoric is such that everyone is making their own definition, and a lot of the reason is to expand operations and satisfy business purposes, which then makes it feel like the Wild West and data stewardship starts jumping up as a tool all over the place. Just start making a big difference about that because devoid of clarity, you want to put something in place that says, help me clear that out.

Concurrently with all of that as we are trying to build on what we would say could improve what is going on right now, we have talked about research. We have talked about selling the data. We talked about marketing. We talked about secret databases. We talked about all kinds of stuff yesterday. We talked about informed consent, possible harms, concurrent oversights of the above of which, using Simon’s word tool, data stewardship is a great tool for starting to monitor those things if you put those things in some kind of a category together. Again, the impreciseness of that list, do not go with right now. I am just saying, you look at data stewardship. You look at required consent. You look at rules of engagement to sell and market and then the whole readable understandable actionable consent. So, if you step back, and we are going to have to paint a picture and make recommendations within that picture. I mean paint it with words. I am not talking about painting pictures. But if we started to add tools we start talking about tools – if our recommendations are tools, then I do not see how we all agree that we have all the right pieces.

I think we are going to weave through the weeds and we have not decided where – I still have not heard the committee whether we think building on current HIPAA is good or bad. If it isn’t, then we really have to go after this because you are coming up on a whole new premise. That is, I guess, where I am going. So, if we do not build on something that we have as a base structure, I do not know how we would go.

DR. COHN: Let us see what Mark has to say.

MR. ROTHSTEIN: I think ultimately we are going to have to decide what order we want to put the recommendations in. I cannot imagine a situation where I want this to be first. That almost does not really matter now because once we get the pieces we can move them around. I think what we might be looking for would be some general statement of where we are having gone through this exercise for these several months. What are our general observations? Do we think that there is a problem? What are the sort of approaches that we think that we ought to take to resolve that? After we have the sort of general observations, then go to more specific observations and recommendations for each. So, we will kind of lay the groundwork for each of these. I think starting with this may be kind of getting our focus a little off track.

DR. COHN: Let me see if we can move back up a step here and see if we can do something that is going to work. I am in agreement. I am not sure we want to beat this one up anymore. Now, we have about fifteen minutes before we take a break, and then we have our first presenters. Maybe what we should do, and I am just suggesting to see if everybody is going to nod is I am maybe ask Margaret to run through at a high level the other pieces that we have here. Not so much dwelling on all of the recommendations, but on all the other pieces with the question being for everybody to think about is, are these reasonable pieces and what else needs to be here? Mark, I think begins to address your issue. As we begin to do that, then we may time to go back and look at the substance of all of this. Margaret, can you help us with that?

MS. AMATAYAKUL: So, the next one was strengthening the use of HIPAA business associate contracts, and we have got some observations there. The recommendations would be —

DR. COHN: Let us have the rationale before we get to the recommendations.

MS. AMATAYAKUL: Okay, so strengthening the business associate contracts, it was observed for one thing that the term that is frequently used is in agreement which may not be as strong as the term Harry has been using, contract, which I think he has repeated over and over again as an important point. The findings reported to confusion over HIPAA in several areas. There is other anecdotal evidence that specificity isn’t very great in permitted uses. HIPAA requirements surrounding business associate contracts requires a business associate to ensure any agents including subcontractors agree to that information, but there is no requirement for a specific contract. The business associate contract stopped making a provision for a renewal or review of the contract, only termination. It was also observed that provisions for accountability by the officers of the public company has worked well, and they serve as a model for healthcare.

So, the recommendations are that HHS should provide guidance on how covered entities should specify permitted uses in the business associate contracts. It might be in the form of a model checklist or additional wording and may lead to increased transparency.

Second one should provide guidance on how covered entities should require in their permitted uses specific information about when and how de-identified health data will be used, and that the business associate is required to obtain certification on the de-identification process. Just throwing out there to see your reaction, HHS should promote use of a business associate contract between business associates and their agents as a means to establish a chain of trust, and HHS should promote use of an attestation process whereby the covered entity annually conducts a review of its business associate contracts in which the BA provides an annual attestation to the covered entity that its actions remain consistent with the permitted uses. Its agents have not changed or new agents have been properly engaged by contract that the business associate and its clients are in compliance with all other applicable provisions of the BA contract.

Improving transparency, we heard from, for example, the Federal Trade Commission. We could even add the research group identified need for improvement in its definitions, and there is obviously a mandate for transparency. In the NHIN recommendations, there were a number of areas where increased transparency was identified. So, here the recommendations are suggested as something like, HHS should provide guidance on enhancing the HIPAA notice of privacy practices to clarify uses of how to make the acknowledgement of receiving more meaningful process. As an initial step, writing model notices and plain language and offering other tools to enhance understanding that contribute to consistency across healthcare entities. I think maybe we heard yesterday that perhaps adding the opportunity for a request for additional information that might be a list of the business associates that you attest to on an annual basis as opposed to just a model language. It seemed like model language was about something HHS might be comfortable with. HHS should fund an experienced contractor to develop a national campaign that would enhance transparency regarding uses of health data.

Clarifying uses of health data for quality and comparison to research. We heard a lot about that many times you start out with quality activity then it flows into a project that looks like and may actually be researched. The recommendations are that HHS should widely disseminate the clarifying work of the Office for Human Research Protections. Limiting such dissemination only to the research community can limit its usefulness for providers and others who may not consider themselves researchers, but who may become engaged in quality work that ultimately is within the scope of research on human subjects.

This last one, I think we heard again that may be difficult, but HHS should consider enhancing guidance to IRBs to improve consistency and application of common rule. This may be through standard checklists of what tool to help make a decision regarding whether a use of health data is research or use cases. This one may be through a web-based tool to help make a decision. We heard about the office willing to review IRB guidance as opposed to a model form. Then I had identified specific types of permissions for types of uses, heightened enforcement, and model data restrictions on protecting personal health records when offered outside of a covered entity.

MR. REYNOLDS: I do not see any recommendation on definition.

MS. AMATAYAKUL: Yes, we didn’t have enough information for me to build that. Let me add that.

DR. COHN: I think sort of building on Harry’s earlier framing, obviously a lot of this is with the assumption that HIPAA is not a bad framework to start with, but there are certain levers as Justine has described where things need to be strengthened. There are areas where – the only real questions I keep asking are – not being a lawyer – and maybe on a more strategic sense is this issue of how far we can extend and strengthen business associate agreements to deal with what I describe as either holes or issues that people may be concerned about. Certainly, we are hearing at least from some entities that they have been able – a rigorously enforced business associate agreement while not perfect may get you a long way there. Certainly the government as it deals with areas that it has not contemplated is regularly using business associate agreements to sort of extend protections. We see that with BQIs and other things like this. So, the question is, is that in the absence of sort of this vision of comprehensive federal privacy legislation that covers data as it travels through the system, does this extend the chain of trust? What do we need to do about it? I guess I would sort of try to frame some of these things from more of a strategic issue that I think is sort of the intent of the business associate piece of all of this. Obviously transparency which does sort of get into that issue of – maybe also the question about whether or not there is the need at certain places to consent on things?

MR. VIGILANTE: How do you – I do not know what model this is relevant to, but when you give informed consent to a patient and you say, I am going to do this lumbar puncture on you. You may have a headache. It may last for a couple of days, but nothing serious is likely to happen and headache is likely to get better. Or there is a procedure. Note whether a coronary aortic bypass is an elective procedure. We can tell you if there is a risk of negative outcomes in X percent of cases. Or chemotherapy, with/without here is your five-year survival. You can give people a sense of risk that has some quantitative attachment to it if it is serious risk. With this kind of risk, you know, privacy risk where you may be re-identified and things may – how do you structure that in a consent form that gives a person an adequate sense of the kind of choice they are making without creating excessive alarm so that even if the risk is small sort of giving a very heightened response, or – what strikes me here is that this is an area in which even knowing how to create transparence is a little squishy and problematic. To what extent is that part of our charge here or part of what we need to address here?

MR. ROTHSTEIN: I think it is important to focus on the risk and how we are going to explain it and how we are going to try to minimize it wherever possible. Just to answer your specific questions in terms of informed consent for treatment, it is not necessary that clinicians have divulged every possible risk, only the risks that are deemed to be reasonably foreseeable because many drugs that are commonly used will have 40, 50, or 60 contrary indications in PDR. After you get through number three, the patient says, enough. I do not understand it anymore. I am on overload. Just tell me. The question of how do you explain the risks of information when you are not sure what they might be is something that has been dealt with in a couple of settings already. One is in genetic counseling where people undergo genetic testing, their counselors want to make sure that they understand the potential test taker understands how it might affect them psychologically, in their interpersonal reactions with their family members, how the information might get out and be used to their detriment and commercial transactions. That same approach in little different context is also used in forms of research where the researcher will say, we will make every attempt to make your information confidential, but we cannot guarantee it. Then you have to think about the possible consequences if the information did get out. So, we are not entering into totally uncharted waters here. I do not think that we should be dissuaded from dealing with the issue of risk because we cannot quantify it.

MR. VIGILANTE: Quite the opposite, I was putting on the table – not that we should not address it, but in fact it is something that we should address because if we are talking about risk benefit ratios, we are making judgments about risks and benefits. I guess I am making the point is that it is harder to get your arms around both the risks and the benefits at both the social level and the individual level here. How that translates into – how you structure the interaction where transparency is created. You know, the information that you are giving to somebody is a choice. I think it presents some unique challenges that may be even different than in genetic counseling and elsewhere. It just strikes me as a challenging and difficult area.

MR. ROTHSTEIN: But you have touched on a point that we should probably mention somewhere in the report and that is, we should not think of individuals with information in monolithic terms. They differ very widely in their risk tolerance. There may be all sorts of crystal reasons why they are concerned about one thing being disclosed and that suggests the certain responses that we should consider. I think it is important to mention that people differ widely on their perceptions of the risks and benefits of the information disclosure.

DR. CARR: I think following up on what Harry said too. If we are thinking about patient consent, informed consent and opting out, are we talking about it within TPO or outside TPO?

MR. VIGILANTE: Well, I think what we have learned is that if you are just talking about it within TPO, you are not adequately covering the broader range —

DR. CARR: No, right now we do not require informed consent for uses of data within TPO and HIPAA. I am asking the question to Harry’s point. Are we revisiting that, or are we talking about consent for uses of data outside of HIPAA and TPO?

MR. VIGILANTE: I do not know if I understand the question correctly, but I think this creates a different – I think the fact that even though you do not ask for consent within the TPO, the fact that that data required within TPO may be used for other purposes creates an issue of transparency that needs to be addressed in some way.

DR. CARR: So, that is why I am saying we have levers. If we say we are accepting HIPAA and we are saying within that that we agree that patients need some transparency and reassurance, maybe they have the option of opting out for data that goes outside of TPO. Or we think about business associates and covered entities, and do we have the proper contracts, agreements, accountability, oversight, or whatever? I think it is a fundamental thing that we have to address whether or not when we think about introducing opt out consent whether we are opting out only when it goes outside of covered entities and business associates.

DR. W. SCANLON: I think the issue of operations is an important one. To me, it was illustrated in the mail presentation, which is that what I would regard as the same use changed when someone wanted to publish it. That does not make any sense. The risks to the individual may not change because they want to publish it. The benefits are potentially sort of very different. If a mail or a Kaiser through their internal operations discover something important, the idea that we have this very big barrier to sharing that. Particularly if the populations they are looking at is large enough that there is no risk in disclosure. How can we say that whole set of different rules apply to get this valuable information out? I think this operations issue is important from that perspective. Then there is the negative side of it, which is what happens when operations go amuck and there are things that are done under the guise of operations that are not appropriate?

DR. CARR: I think we just have to decide. Can we solve Bill’s issue on the consent side, or do we solve it by guidance or direction on other areas?

MR. VIGILANTE: They are really both very important. I think we should capture these two specific questions because these are not going to be easy things to sort out.

DR. COHN: I guess to frame this maybe a little bit differently, I mean, obviously this is why – I think we all saw this issue. There are two issues we are describing. One is almost described as the higher level of operations. I think we have described that there is a lot of operations that is not an issue as it begins to move up and beyond. That is the question, Kevin that you were beginning to ask. Obviously, Bill is beginning to address this issue, which I think we are trying to hit head on, which is this disconnect seemingly around the quality research paradigm and that – it seems to be – Bill, you commented on it that people should have a clear idea and do the right thing and all of that. I do not consider that running amuck, but I do think that people should not under a quality paradigm be able to effectively do research. I do not think that is really the intent here. So is there anything to clarify that?

Now, Harry you were going to add some things? Then I think we do need to give everybody a break for a couple of minutes.

MR. REYNOLDS: Margaret I want number ten to be definitions and not just the identification. We have other definitions, I think, in our initiative.

MS. AMATAYAKUL: We do have a whole appendix on the taxonomies. Do you want —

MR. REYNOLDS: No that is fine. I just wanted to make sure that I had that on the table. The second is, I agree with Bill’s comment earlier that this is not – everything should not lead to quality, but I think we need to be purposeful, especially as we talk about operations or this most recent discussion, what is allowable as quality because it is part of our assignment? I think we need to be purposeful in how we address it, not just give way to everything. Not to say that everything is quality.

DR. COHN: In my experience, maybe everything is quality, but not everything is quality improvement, measurement, and recorded.

MR. ROTHSTEIN: I just want to add very quickly on to what Harry said. I think if we think that there are some areas in healthcare operations where it goes beyond the scope of what we think that people would consider healthcare operations, I think it would be very valuable to give examples. Where we say the HIPAA privacy rule under healthcare operations allows covered entities through X, Y, and Z. But it also, and perhaps was not contemplated, does not prohibit A, B, C, D, and E from taking place, and that is where there is a problem. Privacy rule also allows you to do this, but allows you to do this extension of that. That is the area where we have concerns.

MR. REYNOLDS: When I mentioned definitions, healthcare operations may be one of those definitions that we want to talk about.

DR. COHN: I think we agree on Harry’s definition of healthcare operations. That is one of the easier —

DR. OVERHAGE: The one thing that I have looked over all of these, these are all very much on the protection negative side, if you will. I fear maybe it just comes out in the rationale and the balancing of some of these things, but there is a positive side to data stewardship that I think is really important to emphasize in this in the sense that somebody who is a holder of a patient’s data has an obligation to do quality improvement, for example. They have an obligation to contribute to the knowledge base of society. I think we need not to lose that. It is easy to get caught up in the, how are we going to protect the patient, and that is the right thing to do. There is a balance, and we need to have both sides represented somewhere. That might just be in rationale.

DR. COHN: I am trying to give everybody a break before our last testifiers. I think it makes sense to stop at this point. Let us take fifteen minutes. We will come back about five after ten with our last testimony and then get back into conversation.

[Break.]

MR. REYNOLDS: Okay, let us go ahead and get started if we could, please. Let’s go. Our next testimony is having to do with health data protection solutions needed in HIE. It is a continuation of some of the things we heard yesterday. We will go in order. First, instead of Tom Penno who was on your agenda, we are going to hear from Emily Welabob, and then we are going to hear from Elisabeth Belmont from MaineHealth. So, Emily, welcome. If you will proceed please?

Agenda Item: Health Data Protection Solutions Needed in HIE.

MS. WELABOB: Good morning. Tom is not here, so on behalf of Tom and Indiana Health Information exchange, I am here today. Good morning, I am Emily Welabob. I am Vice President for strategic development at the Indiana Health Information Exchange. For the next fifteen-twenty minutes, I will refer to that as IHIE, which you may be familiar with. We are in Indianapolis, Indiana. Today, we would really like to discuss with the workgroup in efforts to understand issues related to using health information for improving health and healthcare. During my presentation, I will share with you experiences relative to the use of laws and regulations through health information exchange on access controls that we use oversight, accountability, transparency and individual empowerment over health information uses that I was fortunate enough to hear you touch upon this morning.

MR. REYNOLDS: Emily, could you get a little closer to that microphone? Thank you.

MS. WELABOB: We are founded as a nonprofit 5013C incorporated company in February, 2004. So, just a little background first about IHIE. By a collaboration of institutions representing a multi-stakeholder group being hospitals, healthcare providers, researchers, public health organizations, and economic development groups within the Indiana area. As you may know, IHIE has demonstrated success and sustainability in establishing and operating a real world clinical health information exchange with technologies and processes and a purchase created by the institute over the last three decades.

There are various sources of functions that are available, but the main services are as follows. I will just give you a little bit of information about the services because I will refer to those as examples for the rest of the testimony. First and foremost, I am going to mention the Indiana Network for Patient Care or INPC as I will refer to it. INPC is a working local health information exchange that includes information from five Indiana major health systems with just over one billion entries.

Second, IHIE has incorporated another application called Docs for Docs, which is a community-wide clinical messaging service, which has been operational for about thirty years. If you are familiar with it, it will electronically deliver test results and other clinical information securely and efficiently to physicians and their office practices. Currently through Docs for Docs we deliver over one million clinical messages per month to over 5,000 providers within the Indiana healthcare market.

Another program to mention, in 2007 we launched the Quality Health First Program, which is a clinical quality improvement program for health in chronic disease management. This community service provides standardized quality measures used by physicians and health insurance insurers together. Quality Health First is directly associated with quality measurement reporting and improvement. Currently within our first implementation is focused on primary care providers from a quality metric perspective.

The workgroup offered us several questions, which there are about six that I am going to address. You can see on the hardcopy you can see the bold text are the questions, and I will give answers to those questions for you. The first question, are there legal and/or operational constraints on the use of health data for quality measurement reporting and improvement? Currently, privacy and security laws are in place and there are several initiatives and progress to discuss for a code of conduct for the secondary use or use of healthcare data from a health information exchange. Where there may be a gap however is in laws explicitly governing electronic health information. There are already several statutory or regulatory protections in place such as HIPAA that can be used as a reference for instituting their code of conduct for the use of healthcare information.

As an example, the code could cover the following four points. I will go over those now. The first one, notice of information use. The patient should be told about healthcare – how their health information will be used. Second, review capability. Patients should be able to find out how their information has been used. Third, data security standards. There would have to be certain minimum requisites within respect to data security and integrity that would protect against illegal alterations, destruction, and access of data. Lastly, accountability standards and/or data stewardship. The code could enumerate stringent standards for accountability and enforcement in issues that you discussed today this morning around data stewardship or the policies that would govern the data steward.

Our national efforts to utilize health information to improve our nation’s health and healthcare delivery systems should be accomplished in a secure and confidential manner. To ensure that our personal health information is used appropriately to protect privacy and to create a climate of public trust, the custodians of our health data should adhere to a code of conduct and should comply with the federal and state laws.

In creating quality health – the QHS program, IHIE has created an approach within existing law and regulations to utilize health data for quality measurement, reporting, and improvement. The primary vehicle under which we have addressed this usage is through the HIPAA healthcare operations provision. All participants in the Quality Health First Program are collectively using the data for quality improvement. Payers contract with IHIE including a business associate agreement that controls the data use. Claims data for Medicare are currently incorporated through the BQI or Better Quality Information initiative program and a data use agreement that controls data use. Other data can be drawn from the INPC with approval to use the data for this purpose by the INPC Management Committee. So, there is a committee in place for review. Data for quality improvement are securely delivered to providers for their patients and to the payers for the beneficiaries to be used for quality improvement.

The second question, do you think the individuals whose data was being used or the providers who created the data know about this use? We viewed an organization’s control over the data at three levels. I will explain those three levels. The first one being agreement, the second policy, and the third access controls. The first for agreements, each participating organization should enter into an agreement with the health information exchange governing body that defines and limits the use of their data. No use or viewing of the data outside what is defined in that agreement as permitted. Secondly the policy, the policies for the use of the system and access to the data within it should be determined by such governing body in which each organization contributing data is represented in that body. Thirdly access control, the access controls within the system itself limit access to what has been defined in the agreement and determined by the governing body and such policies.

To give you an example that we used in Indiana, in the emergency department scenario, someone is using the Indiana Network for patient care. Data for a given patient is only viewable to clinicians under certain conditions. Those conditions are as follows: one, the patient has been registered in that emergency department. Two, the clinician is credentialed at that organization. Three, the viewing of the data is within 23 hours of the patient being registered to such ED. Lastly, the IP number of the device attempting to access the data from that emergency department is on records as being located at the hospital making the inquiry. The rules for access differ by each clinical scenario and should be determined by that governing body.

The organizations including providers, data sources, and payers who are custodians of the data being used for Quality Health First are clearly and inexplicitly aware of this usage either through the INPC management committee, processes, or through explicit contracts they signed to participate in Quality Health First.

So, now looking at another example in Quality Health First. Patients as individuals are notified through privacy policy statements that data will be used for healthcare operations such as those in Quality Health First. Of course you may question how will patients understand these types of uses. We do believe that by having consistent statements and privacy policies across almost all providers that the chance that patients will understand what is being done with the data does improve or can improve. In addition, Indiana Health Information Exchange continues to describe and distribute the Quality Health First program to the public through a variety of means of outreach including press releases and through distribution of information and values of the program through payers. Also, our board of directors has recently tasked us to create a consumer advisory board. This advisory board will not focus exclusively on the service of Quality Health First, but will also incorporate all of the services that Indiana Health Information Exchange distributes.

Number three, do you think these persons or entities should know more about this use? What are the logistics for achieving this transparency? Based on our experience in Indiana, openness and transparency are crucial. Trust does require transparency. You may have seen in another research study by E-Health Initiative around consumer research work where they found this is also important when defining health information exchange to focus on the following: security, how does it work, patient permission, who has access, and benefits of the exchange to the patient and the physician. Again, enhancing trust with that relationship. Today at Indiana we have no functionality in the system however for individual patients to control access to their data. The system does support an opt out by patients. We adopted this approach to address the challenges that partial data can create. In other words, if a patient is allowed to opt out selectively, a clinician may have a difficult time knowing how to utilize that incomplete data. In Indianapolis, the process the community has adopted is not to allow patients to opt out, but to notify patients through the privacy policy notification and rely on a broad based management committee to make decisions for the community about the appropriate uses within the policies established by the privacy policy and legislations such as HIPAA and state laws. We believe that patients expect that their providers and in some cases their payers will also use their data that they hold for the patient’s benefit to include improving the quality of the care that they receive. IHIE supports the Quality Health First program under a business associate agreement, data use agreements, or other explicit agreements within the providers and payer. Any subcontractor that we might utilize, such as our partner Regenstrief Institute, are bound by specific data use agreements so that we can ensure that the patient’s data is always protected.

Fourth question, do you anticipate any harm that might arise if you do or do not attempt to achieve this level of transparency? This question, as you can guess, without doubt is unanimously yes. Specifically working with AMIA at a secondary data conference defined transparency as: the extent to which the practice is governing the use of patients’ health data are known and understood by those who disclose or use data and to the patients whose data are subject to use. Based upon this definition we should or we could conduct a simulation exercise for data use transparency. Such as today where pilots use simulation for landing a plane or hospitals simulate disasters on a regular basis for experience. Health information exchange organizations should conduct simulations of when harm could occur. However, harm can be defined in two ways. One could be either harm to patient or harm to the organization if transparency is compromised at any point. Today, we have checks and balances in place that assist in maintaining a high level of transparency and hopefully trust with our patients and data sources. The IRB application of rules and a set of criteria for use of data for non-clinical purposes, and we have several committees, security planning, and management committees who focus on transparency, security, and the use of data.

Question number five, do you supply any data you collect from providers to others? Do you know if they supply the data yet still to others? As mentioned earlier, we have access controls and business rules which dictate who gets what data and when. I will further discuss this question by referring to the IMPC as an example. A repository service, which as you know is the IMPC, operates under a mutual contract that adheres to all HIPAA requirements and allows the use of the repository data for prescribed treatment, public health, research, and healthcare operations. This agreement established the IMPC Management Committee to make the decisions. Such a committee is the oversight body and consists of representatives of all of our data participants. All proposals and actions regarding IMPC are reviewed by legal counsel and are fully disclosed and discussed in the IMPC management committee in their meetings.

We do supply aggregate or De-Identified data as in the Quality Health First program to provide quality reporting to physicians and health plans on the patients and members using a standardized common set of quality metrics. The Quality Health First reports are populated with data from participating payers claims and enrollment data along with clinical data that is in existence to the IMPC are repository. Our system is designed to generate monthly reports to physicians along with alerts in clinical decisions support of patients who have missed opportunities for testing or screening and reminders of patients who are due for procedures or screening based on our standard quality metrics. However, we also provide identified patients specific data to provide our end payers for their individual patients or beneficiaries. So, we do provide specifically defined data collected from providers to payers. For example, the Hemoglobin captured from an outpatient laboratory would be delivered to a payer since one of the quality measures that we're addressing in Quality Health First is the level of diabetes control. The payer would not however have access to the patient’s other clinical data such as a syphilis serology result for example, but only those, again, that are specific to the Quality Health First program. The example I just gave you to the diabetic patient. As I have described previously, any subcontractor that we work with that participates under strict agreements that restrain the use of data. We do have audit rights and have audited our subcontractors’ compliance with the data in the past.

The last question number six, how do you establish trust through this chain from individuals and providers to you and on to others? We consider information security to be as our highest priority. We ensure that the system meets all of the latest security measures and have periodic testing done to ensure that the system meets all encryption and authentication specifications as well as periodic intrusion testing to be sure that we do not have any holes open. This information has been reported back to our various committees such as the security committee to be sure that the service providers know that we consider this a top priority. In general, we should consider the following to gain trust. First, involvement of consumer groups in the development of strategies for the specific healthcare information or the secondary use of health data. Even consumers will increase the consumer’s knowledge about the misuse of health data and ensure public support and also act as education for them.

Secondly, more education and dissemination of lessons learned. We can create an inventory of projects from various organizations and stakeholders that are doing this today on using health information for various purposes and possibly collect agreements. For example, we can interview large research organizations or health information exchanges who are conducting projects with secondary uses of health data, and again, possibly help establish some of the principles and best practices out there.

Thirdly, create a very basic guide of definitions. Every day various terms are used, even in the room this morning, from data stewardship to secondary use to personal health information, public health information, and population based health information. Are all these the same, or are they different? Is de-identified or anonymized information the same? Looking in our community and building upon work for developing taxonomy of the nine clinical uses of personal health information may be a good springboard, but we certainly do need to be all working from the same book about agreed upon definitions.

Lastly, the issue of compliance with state laws will be more complicated because of the variations amongst the states concerning statutes and regulations governing the use and disclosure of health information. As you know, health information exchange and those across states, so we need to maintain a compendium of state laws that impact health information exchange as we all, probably even in this room, cross state lines for healthcare in our everyday world.

In conclusion, NCVHS can leverage work in the field that is being done today around secondary use frameworks such as AMIA as I mentioned and its recommendations for moving toward a national framework. A QA data sharing and aggregation workgroup on national health data stewardship and work also being done by connecting for health and other various health information exchanges across our nation. We must balance the need to keep individual health information confidential with other public health, social, safety, and research benefits. There are already several groups as I mentioned focusing on the barriers to using health information for secondary purposes. Instead, it is critical to provide real insight about how to implement this so we can maximize benefits yet avoid negative impacts or harm to our individuals or to our own organizations. I thank you this morning for the invitation to speak and letting me switch with Tom this morning and look forward to continuing this dialogue with you and sharing our experience.

MR. REYNOLDS: Emily, thank you. We will hold questions until – Elisabeth are you ready?

MS. BELMONT: Yes, thank you.

MR. REYNOLDS: Are you just going to read your testimony? You do not have slides do you?

MS. BELMONT: No, unfortunately I do not have slides.

MR. REYNOLDS: No that is fine. I just wanted to make sure we were prepared. Thank you.

MS. BELMONT: What I thought I would do in the interest of time is the following. When Erin Grant contacted me and we discussed the scope of my testimony, Erin thought you may have an interest in hearing about some secondary data uses that perhaps have not been addressed by others. For purposes of my testimony this morning, I thought I would focus on the emerging issue of the use of metadata. For the purposes of our discussion this morning, the term metadata is defined as data about data, or data that describes the structure in working with an organization’s use of information in which describes the systems it uses to manage that information. Metadata which is generated by electronic health record systems may lead to increased opportunities for inadvertent misuse or disclosure of protected health information, which is why I thought it was important to discuss this morning.

In way of background, I serve as in-house counsel for MaineHealth, which is the largest healthcare system north of Boston, but also currently serving as president of the American Health Lawyers Association. My testimony this morning is in conjunction with Marylyn Lemar, who is also a former chair of AHLA’s Health Information and Technology Practice Group. The three areas that I thought I would focus on this morning are metadata and data steward on legacy systems, discovery issues, and the increasing concern of medical identity theft.

First issue I would like to address is standards such as for metadata and data steward on legacy systems. With the increased use of electronic health record drug interaction alerts, clinical protocols, automated anesthesia record keeping systems, and other health information technology, there is an unprecedented amount of data that is being generated on a daily basis. This explosion of data includes metadata. For example, the system that sends drug interaction alerts is likely to record whether or not the prescription was subsequently changed in accordance with the alert. From electronic health record in a prescribing system requires a physician to enter a reason for disregarding an alert or protocol. Clinicians, however, may be unaware that a record of disregarded alerts or protocols has been created and such information may be used for purposes of credentialing in quality assurance or as evidence of malpractice in a subsequent lawsuit. Gaps in data created by an automated anesthesia record keeping system also have had a significant factor in settling an anesthesia malpractice case for a significant sum even though the anesthesiologist didn’t realize at the time that the system had failed to record important information.

Secondary uses of data created by electronic health record systems including metadata are likely to include malpractice litigation as the assistance for more widely used by providers and understood by lawyers for both plaintiff and defendant. Ironically, this expectation has made some physicians reluctant to adopt additional health information technology systems due to a fear of increased malpractice litigation even though many experts believe that use of electronic health record systems will reduce errors.

While secondary uses of health data and malpractice litigation is inevitable and may be beneficial, we suspect that significant resources will be extended in discovering electronic evidence and in attempting to draw negative instances regarding how much electronic information has been maintained and for how long. Providers may respond defensively with a keep everything approach that is unlikely to be an effective use of limited healthcare dollars. The committee may wish to consider encouraging professional organizations to establish nonbinding standards or best practices for the retention and deletion of data from health information technology systems and time periods for retention and disposal. In our view, patient care should be the primary focus so these standards should be based upon generally accepted clinical protocols and major quality indicators that are generally recognized at the time and updated periodically.

The second issue I would like to address are some discovery issues that we are now seeing. Healthcare organizations need an integrated and collaborative approach to develop new discovery policies and procedures in advance. Recent amendment to the federal rules of federal procedure regarding electronic discovery clarify that all relevant electronically stored information is discoverable. Many states are expected to adopt similar amendments. It is important to determine what metadata will be preserved and in what form so the process is manageable and information is available to defend against claims. Electronic health records, computerized physician order entry systems, and other health information systems generate enormous amounts of metadata often with the doubt that exceeds metadata generated by other systems. For example, with the word processing program, they typically record only the person who last accessed the document and when. This is due in part to the audit trails required by the HIPAA security rule.

In addition, some of the metadata may be relevant to the decisions made in the course of patient care. For example, when a drug interaction alerts were overridden. For example, electronic health records generally include the same information found in a paper chart as well as metadata identifying who made or edited each entry, who merely accessed the record, and when any such activity occurred. Additionally, health care electronically stored information can reside in numerous locations, many of which are controlled by physicians, labs, and others who are not employees of the litigants. Responses to discovery laws also need to be carefully controlled so that databases of privileged peer review and quality assurance data are not inadvertently disclosed. Metadata can show, for example, exactly who has access to the databases and a plaintiff counsel can use this information in order to argue that the requirements the privilege were not satisfied. For these reasons, the committee may wish to consider encouraging professional organizations to establish standards or best practices or electronic document retention that addresses these issues, which are unique to healthcare providers.

The last issue that I would like to address is the issue of medical identity theft. If you look at the current cases of medical identity theft, you are seeing that they often arise as the result of the inadvertent misuse or disclosure of secondary health data that is not fully identified. Medical identity theft occurs when someone uses an individual’s name and sometimes other parts of their identity such as insurance information without the individual’s knowledge or consent to obtain medical services or goods, or uses that person’s identity to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being placed into existing medical records and can involve the creation of fictitious medical records in the victim’s name.

The National Health Information Network may make individuals more vulnerable to medical identity theft by making PHI more acceptable to criminals since digitized information is much more portable and lends itself to rapid transmission. Secondly, the National Health Information Network has currently conceived and they perpetuate and transmit medical errors and the information recorded in electronic health records that have potentially negative consequences.

Errors in medical charts arising from medical identity theft could, if left uncorrected as they often are, progress through a nationwide system with a result that patients who have incorrect medical information will find the same erroneous information is available to all providers and insurers who use that network. Additionally, these errors can affect the actual accuracy and quality of medical research and public health interventions based upon that data. Victims of medical identity theft may receive the incorrect medical treatment, find that their health insurance benefits have been depleted, become uninsurable for both life and health insurance coverage, and fail physical exams for employment due to the presence of diseases in their health record that do not belong to them. The crime also entails financial losses to healthcare providers and insurers.

Importantly, victims of medical identity theft do not have clear pathways for recourse and recovery. The Fair Credit Reporting Act allows for greater resource victims of identity theft and the HIPAA Privacy Rules provide for victims of medical identity theft. For example, victims of medical identity theft do not have the legal right to demand correction of their medical information that was not created by the provider or insurer currently maintaining or using the information. It therefore may be difficult or impossible for a medical identity theft victim to erase false entries from a medical or insurance record. This is true even when false entries were placed in the record during the commission of a crime such as healthcare fraud. The Federal Trade Commission, which has studied financial identity theft, is not responsible for addressing medical issues. These fall within the province of the Department of Health and Human Services, which has not published focused studies or guidance relating to medical identity theft to date. The Health and Human Services office of the Inspector General investigates cases of generalized health care fraud and abuse, which may only touch the issue conjunctionally -– regarding medical identity theft address the importance of not using more information than is necessary. For example, such as avoiding the use of social security numbers as patient identifiers.

Care also must be taken with respect to the storage of patient information on portable devices such as laptops, PDAs, and USB drives that may be easily lost or stolen. For example, in May of 2006, the Veterans Affairs Department revealed that personal identifying data including names, social security numbers, dates of birth, and disability and numerical rankings for as many as 26 million American veterans was stolen from an employee’s home. The employee had taken files home as part of department work on a data collation project to simplify some VA processes. Subsequently, someone broke into the employee’s home and stole his laptop computer on which the data was stored. The committee may wish to consider the expansion of individual rights to correct errors in their medical records to allow them to remove false information, to obtain an expanded accounting of disclosures of protected health information, and to receive notification of health data breaches including secondary uses where the patient data was not fully identified.

At this point, why do not I stop there and be guided by what else you would like to hear.

MR. REYNOLDS: Thank you very much. I appreciate the testimony of both of you. I think it fits nicely into our earlier deliberations as we try to formulate what we ought to go forward with. So, with that, I will open up to questions from the committee. Bill?

DR. W. SCANLON: Thank you. I think both of you really helped a lot. I have a question for Emily. It’s two parts. In terms of someone wanting to use your data, you have got these relationships, which mostly seem to fall into the area of TPO. I am wondering about someone from outside of that realm. If I am a researcher and I come to you and say, wow this is an incredible database. What is going to be the terms under which I might or might not have access? I guess related to that, it goes to the question that Michael raised earlier which is – you may be in a different position, but it is the issue of a health information exchange and the potential revenue from being able to share data. When I say you may be in a different position is that as the number of health information exchanges proliferate, they may not have all the revenue sources that you have had being a pioneer. Maybe your situation will change too after you are less of a pioneer. But there is this issue that Michael raised earlier about revenue potential. Thanks.

MS. WELABOB: Let me answer your first question, and then I am going to defer it to Marc a little bit just to give you probably more detail than I can give you around that. I think your question though is in a sense for researchers outside of our current members and how do they get access to IMPC in order to do research. Your second question being about with new health information exchanges cropping up, can they use this as potential revenue for their sustainability model in a sense of selling data for a lack of any better term. I think the first question – as I talked about, we have the IMPC Management Committee. There is a lot of formal processes in place that folks do go through. Marc, if you want to expand a little more about that?

DR. OVERHAGE: Certainly, thank you Emily. Just to be specific, if somebody would like to use data for a research purpose, research is specifically addressed in the participation agreements that include a BAA. In other words, a laboratory, physician practice, or a hospital who participate with the IMPC and has signed a contract saying, we understand that research is a potential use. These are now the organizations, not the patients. If somebody would like to use the data, they number one have to approach an IRB and achieve either an IRB approval or be declared by the IRB, not by themselves as being exempt. So, we want the IRB to tell us that, not the investigator.

Once it has done that, they then bring in the safeguard statement, the same sort of information that they bring to the IRB to the IMPC Management Committee, which is made up of representatives of the various participants who then review it. They have a couple of options. One thing that commonly happens is they have a bunch of questions, and they actually improve the study a lot, which is a lot of fun because they are actually looking at the science as much as they are at the human protection. Second, they have the opportunity to take that study to their individual IRB’s if they want to. They are not required to do that, but they may. Well, we did that very early on. It was a painful process for these IRB’s, which were used to improving a simple drug protocol and so on. So, by having a master IRB that is used to dealing with these issues and concepts to understand them as working through that always have the option if they chose of taking it to their institutional IRB if they have any question or discomfort about the level of patient protection. Then, once they achieve approval by the IMPC Management Committee –

So, IRB first, IMPC Management Committee second, and they may have to go back to the IRB for a revised based on that. Then, they can request data, which is done through a data center, through a group of data managers who actually retrieve the data and De-Identify it. They would do typically merging with other datasets and then hand them back a De-Identified dataset. There is also a completely anonymous query tool that is used for IRB approved research where approved researchers who have gone through the training course and are specifically authorized can use the tool. This was developed as part of the NCI’s spin or share pathology information network, retrieve a code of order of patients, review their data in a completely De-Identified fashion so that even the text reports are scrubbed of identifiers and dates and things of that nature that can review a lot of detail. Again, carry that forward into statistical analysis including genomic analyses and things like that. Obviously, once you start getting portion of the interesting challenges in the genomic analyses and how you make sure those are completely De-Identified. Although, if you are focusing on certain genes and so on, it becomes much more feasible.

MS. WELABOB: Your second question around health information exchange and sustainability. First and foremost, I do not think from a health information exchange perspective we know enough yet to really say, this is a good revenue model for you in a sense it is going to keep you sustainable. I do not think anyone can say that today nor do I think that if that is your sustainability model, you may not be around for long in a sense of, what benefits are the participant in that IHIE do I receive? I think if health information exchange organizations today go down that avenue as a potential revenue for the sheer fact of, hey, we have this commodity and we are going to sell it. It is the wrong thing to do as opposed to, we are doing it in order to improve our patients and our healthcare delivery.

MR. REYNOLDS: Justine?

DR. CARR: Thanks for two excellent presentations.

I wanted to follow up with Emily more on the issue that we have been grappling with of what is De-Identified and who is a business associate. So, under question five that you responded to, do you supply any data you collect from providers to others? Then, second paragraph where we do supply aggregate De-Identified data is in the Quality Health First Program to provide quality reporting to physicians and health plans populated with data from payers claims. So, we were hearing about – I guess I am wondering, what is your definition of De-Identified, because obviously if we know the physician and enough information to feedback on the patient. What is the definition of De-Identified? Also, is this a business associate agreement or the data as you report back?

DR. OVERHAGE: The aggregated data that goes back to payers and physicians is not identifiable by physician to the physician. So in other words, the physician sees who they are, but do not see who all the others are even though they see information about their aggregated scores. I will show you an example of that in a minute perhaps.

MR. REYNOLDS: Marc, is the patient De-Identified?

DR. OVERHAGE: There are a couple of parts here.

So, there is a report that goes to physicians, which is De-Identified as far as patients completely and De-Identified as far as their peers completely. What I mean by that, is–

MR. REYNOLDS: HIPAA completely or Indiana completely?

DR. OVERHAGE: It does not matter. There is no identifying information about patients or the other providers other than their performance scores in those summary reports that go to physicians. So they can see where they are relative to the market, but they cannot see necessarily who the other people are. Hopefully we will get there in a second. The payers, the information is identified by a physician. They can identify the physician, but the physicians have signed a participation agreement that allows that. So, they have specifically been provided permission to do that. I thought I had the slide up. It was being slow. The other patient identifiable part though is physicians and payers do get individually patient identifiable information specific to those quality improvement measures. So, for example, one of those measures is level of hemoglobin control, so the physician will receive feedback that says Sally Jones hemoglobin was 9.8 on this date and got her testing done at Lab Core or whatever. Likewise, the payers will receive that similar level of data for their beneficiaries who they have permission to receive that data for.

So a physician is obviously just a slide version to talk from – so the physician might receive something like this that says, this is where you were relative to the market a quarter ago and where you are today. Then, they can roll out into the details of those measurements at an overall practice and drill down to the individual patient level. I apologize for the silly printing thing. But also then get specific reminders about the patient and the information that is specific to that patient that they might need for clinical decision making. This is the chronic disease management sorts of functions. The important thing though is the patients have authorized their payers to receive this information. The physicians have authorized the payers to receive their identifiable information through a contract. The data that is displayed is only the data relevant to the specific quality improvement measures, and only the payer or physician who have an accountability for the patient receive that patient’s individual data.

DR. CARR: You were saying, there is an opt out opportunity? Is it possible that you can sign an agreement but say, I do not want my data aggregated in this —

DR. OVERHAGE: The physician or the patient?

DR. CARR: Either.

DR. OVERHAGE: The physicians can choose not to participate. The implication of that is that – well, they can choose not to participate. The patients really do not have a choice because they have signed up with that health plan which this is part of their quality improvement effort and the physician that they are receiving care from is signed up for it as part of their quality improvement effort.

DR. CARR: Thanks.

MR. REYNOLDS: Okay, I have a question and then Mary Jo. Elisabeth, are you still with us?

MS. BELMONT: Yes.

MR. REYNOLDS: In reading your testimony, I know you didn’t do it in exact order, but go to page three and the first and second bullet under number two. We have talked about transparency to patients and individuals. You seem to be touching here, especially when you are talking about the E-prescribing and some of the others, you are touching transparency to the physicians. But different than the patient, it seems to me that in any cases like this the physician has signed up or their institution has signed up in one way or another to be a part of the E-prescribing or the EHR or the other things. That physician would, in my opinion, have been involved in that. So, can you help me understand your second bullet a little more as to what kind of transparency you think is missing?

MS. BELMONT: Yes, and I want to make sure because the pagination may be a little bit different. I apologize that I am doing this long distance. Is it the bullet that starts, clinicians may be unaware?

MR. REYNOLDS: Yes.

MS. BELMONT: Okay, the concern I have here is many physicians who do not have the IS background do not even think about this in the course of the day. They have a number of other pressures, and as they practice medicine, many physicians do not realize they are leaving a data trail that may say something about the way in which they practice medicine. I run into this on a regular basis with malpractice litigation here for MaineHealth. We have had the ability for some time to go back and see if someone in fact changed an entry in the medical record or did someone add some information or basically how they turned off alerts and disregarded those alerts. I guess my concern is here, I think physicians need to be aware there is different types of metadata being captured about the way they are practicing medicine. Does that answer your question?

MR. REYNOLDS: No that is great. So you are differentiating between turning off alerts versus not changing the drug based on an alert?

MS. BELMONT: Yes.

MR. REYNOLDS: Okay, thank you. That is what I needed to understand. Mary Jo?

DR. DEERING: Yes, thank you very much. These were very interesting. Maybe I will start with Elisabeth. I know you very thoughtfully did not read everything in your text, and while I was – I do not believe at the top of our page five, there are a couple of bullets, and I do not believe you read those. I just wanted to be sure I understood what you were saying there. Just for your information, we did hear earlier from vendors who are in fact doing what you suggest here that are in fact obtaining or buying the data from the systems that they have sold to their providers, and in some instances it sounds like it goes with the purchase although we didn’t get into that. So, yes indeed, the vendors are collecting this, and they are reselling it in some instances.

Now, if I understand what is the first bullet on the top of the page, you are suggesting that that in fact poses some risks to the providers that they may not know about.

MS. BELMONT: Yes, I deal with a large number of bias agreements for my system. This language is varied in the boilerplate. I think first of all, it may not be readily apparent. Secondly, the vendors, as you know, in the course of servicing the system have access to everything that is in there. I typically include special confidentiality provisions because I do not want vendors browsing through our data even under the guise of providing support.

DR. DEERING: I do not know what the implications are for this workgroup, it just to me was an interesting adjunct since we had heard about that malpractice so widely. Then a follow up question for Emily, and actually it may go to Marc since I know Emily you have only been there a little while.

DR. OVERHAGE: She can only claim to be the newest employee for another week or two though.

MS. BELMONT: If I may just quickly talk about what the implications would be for the workgroup?

DR. DEERING: Oh, yes, please.

MS. BELMONT: I think that you are looking at ways to appropriately control secondary uses of data. I think making providers aware that this exists and that if they are going to engage in this practice making certain that what they are selling is not patient identifiable information unless they have appropriate patient authorization. Thank you.

DR. DEERING: Thank you. We learned yesterday that there is almost no way to make unidentifiable. So, for Emily or for Marc, if I understand from your answers on page two and three, you achieve transparency through the privacy notice. That is the patient’s – that is the sole mechanism by which patients are informed of the use of their data. That is a correct statement? There is no other activities that is the privacy notice?

DR. OVERHAGE: But there are ongoing efforts and press releases about Quality Health First programs describing things, various public forums where that is discussed and presented, not at an individual level but at a community level there is additional outreach.

DR. DEERING: Just around the quality improvement activities, right? You mentioned that you have consistent statements and privacy policies across almost all providers. I could not tell that that meant that you do have them, and you feel that therefore accomplishes something?

DR. OVERHAGE: All participants in the IMPC, part of the contractual obligations that they have is, before they can become a member they have to include a core set of language in their privacy statement. They can tweak it, but the legal review has to agree it is substantially the same as the core language that everybody uses. In fact, we strongly encourage – and I think there is one example where they tweaked it. So, all IMPC participants have that same language in their privacy statement.

DR. DEERING: How long are your statements?

DR. OVERHAGE: A page and a half.

MS. WELABOB: A lot of the HIE’s in the nation are asking for one across all of their entities.

DR. DEERING: So achieving one that communicates clearly what the issues are could go far in facilitating consistent understanding.

MS. WELABOB: It would save some time.

MR. REYNOLDS: Okay, I didn’t see any other hands.

Again, thanks to both of you. You have helped us solidify our thinking further. We really appreciate you taking your time. Elisabeth, thank you for joining us on the phone.

MS. BELMONT: Thank you very much.

MR. REYNOLDS: Okay, thanks. All right, Simon?

Agenda Item: Work Group Discussion

DR. COHN: Thank you. I think that concludes our testimony for these hearings. Obviously, absent – actually, we will talk a little bit about next steps. Obviously, that concludes the formal testimonies in relationship to secondary uses. We will be moving to reports and recommendations and discussion.

Now, let me just talk a little bit about next steps just generally, and we will do a little time check for people just to sort of realistically understand how long this conversation will go. I know, first of all, Marc Overhage will need to be leaving in about half an hour. I will ask Mark R. if he is —

MR. ROTHSTEIN: I am here until the bitter end.

DR. OVERHAGE: I just need to be gone for twenty minutes or so.

DR. COHN: Okay, if we continue the conversation, then we can do that. I do want to just spend a minute and just review a little bit of timeframe just to make sure everybody is on the same page of all of this. Obviously, we leave today still talking about draft. What is going to happen is that we do have a few conference calls scheduled for September 6th from two to five Eastern Time. As I commented, we will be talking about recommendations. This will be an open call. The public is invited. I wanted to communicate with you to make sure we have enough lines and all of that available. Certainly, this is not something we are all voting on letters as the months go on to September and beyond. So, the next call that I am announcing is September 14th from 11:00 am to 1:00 pm. Not everyone can be there, but most of the committee can be there. Obviously, we will be taking input from others offline. From there, we will have time during the full committee to discuss the issues. We have a meeting in Washington currently scheduled for October 4th and 5th to take the input from the Full Committee and hopefully come to sort of final resolution on all of this. Now, we can all talk about it. I think our current thought is that knowing that we need some time for drafting also that it may very well be the morning of the 4th and the morning of the 5th with the afternoon of the 4th being devoted to privacy subcommittee activities. In other words, tie in for both days.

Now, finally, we are going to be looking for a date on the 17th or 19th as a whole date for final call. I sort of think waiting for Mike Fitzmaurice to give us his input, but I will tell you that it is looking like October 17th, 2:00 to 4:00 Eastern Time. I guess I would say, Mike I hope you are available for that.

DR. FITZMAURICE: On October 17th? Whoops, I put it in September.

DR. COHN: There is a face to face meeting on the 4th and 5th of October in Washington. We have Full Committee meetings on the 25th and 26th. Then, what we are doing is having a conference call on September 14th.

MR. VIGILANTE: What time is that one?

DR. COHN: That one is 11:00 to 1:00. October 17th is 2:00 to 4:00 Eastern Time. I think our intent, assuming we can do all of it, we have to have conversations on privacy and a couple of other things to put on the plate, but the idea is that we will have meetings on the 4th. We would let our lead consultant go off and make revisions to documents that afternoon, and then come back the morning of the 5th with the afternoon of the 4th being privacy subcommittee business. That last piece Marc and I still need to work out and make sure everybody is place. I am just saying that because you are all around here. Hopefully, this means that we can all make it work.

Now, what I think may make most sense for the remainder of this session is rather than going back into our recommendations again, I am going to suggest that we go back sort of into the actual document itself. I think the view — and I was sort of struck by some of Justine’s comments. We all know it is very hard to start at the end and sort of know that you know all of the stuff from earlier on. I think that she was more concerned about some of the framing elements of were they really there or not? I also know that Bill Scanlon, I believe you are not going to be on the calls in September, and have actually looked at the documents. So, these may provide also an opportunity for you to express some of your views on the earlier parts of the document. So, is everybody game with that sort of an idea of looking through – once again, this is not meant to be the ultimate wordsmith. It is way too early for that, but we are trying to unearth conceptual issues, things that we are missing, themes especially that seem to be lacking, especially now as we look at this additional information that we see from hearings today and initial conversation. Margaret, are you game on this one?

MS. AMATAYAKUL: Yes.

DR. COHN: Once again, just recognize that you are not going to be around in September, and you had told me that you had actually done your reading.

DR. W. SCANLON: In fact I expressed the one thought I had in my readings, not that it was that productive. It was this issue of sort of what is our focus? It is fine to say quality is our focus as long as we recognize that there is a world beyond quality, but we are concentrating on quality because that was the principal charge that we had. In doing it, we keep in mind that the other uses were not doing any harm to them. That, I guess, is part of it. It is fine to be focused as long as you do not ignore the externalities that your actions create. So, if there is something where we think there is harm being caused, then we need to be observant of that and potentially comment on that. We wouldn’t do anything with respect trying to promote views of data for quality that would be harmful to something else. That was really the principal thing. It is kind of a setup. It is kind of the issue in terms of what people are going to expect when they read the report. I thought we were giving quality too broad of a context.

Actually, today, we talked about quality measurement, which narrows this tremendously. In our questions to the witnesses, we have asked how can the data be used to improve health and healthcare? That goes beyond sort of the quality issue. So there is a question of where we want to be in this report. That was my one takeaway from my reading.

MS. AMATAYAKUL: As I was listening to the comments, several times I think Harry has kind of gone through an exercise where we have got covered entities. We have TPO. We have what is included in covered entities. We have business associates. We have definitions. We have identifiable terms, De-Identified, et cetera. I think what he was really trying to do at the break is really still to bring a framework together. I put a placeholder in here to talk about a framework maybe saying we could have a tool or a picture or whatever. I also think that in listening to Harry and thinking about that framework, that really is what is in Appendix C, which we have labeled taxonomy glossary of terms. Terms used to describe information — first and foremost, terms used to describe oversight, the covered entity, business associate, et cetera. Terms used to describe identification status and others that build off of the AMIA framework that maybe this really should not be an Appendix, but maybe ought to be brought in as this framework that Harry keeps kind of mentioning.

MR. REYNOLDS: You were talking about a framework, but not necessarily that one.

MS. AMATAYAKUL: A framework that we could obviously agree on. That is consistent with what you have been saying, with the AMIA that we have been using to build upon and pull those together.

DR. STEINDEL: I have always used Appendix C as just what it is, a taxonomy and a glossary of terms. I do not view it as a framework or as a basis for a framework. I think it is very specific for organizing concepts that people are using in this area. I think we are talking, not at the concept level, we are talking about statements concerning policy. This does not organize or describe policy statements.

MR. VIGILANTE: Margaret, are you suggesting not the terms, but what the terms describe such as permission to access or use or disclose or do you have transparency or description of – would it be the topics themselves are the subject of the framework?

MS. AMATAYAKUL: Harry has said many times in the course of the discussion that we need to start with covered entities to understand TPO, who is in a covered entity, what their relationship is to the individual, who is a business associate, definitions are misunderstood and need to be defined, and identifiable De-Identified ranges between operations et cetera. He has put together essentially is what we have in Appendix C with maybe some variations. I hear this from him frequently enough that I am concerned that either the recommendations need to be structured in that manner or that a framework needs to be in the middle between the general content and the recommendations or something. It felt to me like something was missing. He has proposed this structure and sort of framework, and I am asking, is that something you want to incorporate directly in here or whatever?

MR. REYNOLDS: Let me say it differently. What is going to be the flow? I do not care if this mine is right or wrong. What is flow of what we are supposed to say? Steven mentioned policy statements. That talks about frameworks. What is it going to be?

DR. W. SCANLON: For me, I was looking for a different flow. Maybe it is consistent with Justine liking pictures. I wanted the flow of the information, and in some respects the things that are in this appendix right now would be hung off sort of various points in that flow. I give my information to my provider. My provider turns around and gives it to my payer. The question is, what else is happening in terms of these flows? Dealing with some of Harry’s terms, if I am a covered entity, well these rules apply. Okay? This is what I may be doing. Okay? If I am not a covered entity, then this is what is going to apply. For people coming to this code, that kind of a diagram with the specificity of all the things that are here would be very meaningful. Right now, somebody is going to go through this appendix and they are not going to put it all together. They might be able to put it together if they understand sort of in a very practical sense, okay, here is how data are flowing. Here is the data being used. Here is what is governing those different areas. We are going to comment on what might be added in terms of, look, there is a hole here that is of a concern, and it should be filled.

DR. CARR: Thank you. As I read the introduction of this, I am not sure that we want to put all of this stuff about quality in. As we think about what we are trying to do, we want to uphold good and prevent harm. We have a structure in place that predated the NHIN as it is evolving. So, perhaps we want to say, this is what we have so far. Here are the new issues that are introduced by NHIN. Also, what we have so far may not have been so great anyway, so now we are going to forward and quality is a piece of how we are going to think about that. I agree with Harry and Bill that we want to have the flow. What are the tools available to the patient about the covered entity? How do they protect it? Is it enough? Also, getting definitions around De-Identification.

My other question with this description of quality is – who would be the audience? I know we have heard many things beginning with John to say we need education and so on. This feels a little bit about informing the larger community why quality is good. It seems like it is not quite aligned with who the broader audience of this document is going to be. I would, for now, suggest taking it out and when we put something in changing it a little bit. I am looking at purpose and scope, initial consideration, and then there is line 63 through 76 give a lot of information about what quality measurement reporting is, examples, and it is – I am not sure it begins in our first three paragraphs.

DR. COHN: You want them somewhere, but not quite there.

DR. CARR: Right, and if we say something about quality, this wouldn’t be what I would say about it in this detail.

MR. REYNOLDS: I am playing off of something Marc Overhage said earlier and what Justine just said. Obviously, the early themes about we are trying to prevent harm, but there is also common good. I think that is what Marc Overhage was saying that we balance the discussion. We do want to protect people, but we also want common good and that is where quality and some of the other things fall in. That up front too as part of the vision of really what we have that we are going to, not that we are fighting against or saying cannot happen or that we are using that as kind of a goal. What do we use that is current? What do we use that we want to add? What would be the future? That is why I mentioned some of these other things, because some of the things we saw yesterday five to ten years from now how we get consents and how we do things and how we act is going to be a big different in some ways. Some of that technology is going to take a long time to put in place, but once it is in place it goes at a whole different degree. You are going to have to also bring the whole level of the general public up to use it and think about it. So, just a thought.

MR. ROTHSTEIN: I am going to follow up on something that Harry said that I think is very important and also suggest a possible order of the report. I think initially here is a lot of introductory stuff that we have to have in there, but a part of that has to be what the report isn’t. In other words, it is not talking specifically about public health. It is not specifically talking about clinical research and all these other uses because we were asked to take a look primarily at the issue of quality measurement. I think the starting point has to be to give a framework under the current HIPAA regime. How does HIPAA currently deal with the issue of quality measurement, and that requires us to go into the TPO and what is that all about. Then, I think we ought to talk on how quality measurement is currently done within the HIPAA regime. What are the current benefits of quality measurement? What are the current risks to privacy and elsewhere from the current? Then, I think it is very important for us, and this ties in with what Harry just said. The report needs to be forward thinking. It is not to assess where we are today, but it is to assess the potential benefits of health information exchange for quality measurement as well as the potential risks.

I mean, you can imagine what all the time you can do in terms of putting stuff together when she has got 100 more very refined databases. From there, based on that, then we need to put forth what our overall approach is supposed to be. From that, work to the specific recommendations. How are we going to implement this framework that we are setting out? I think in general terms, that is where we need to go, but I would definitely start with a description where quality measurement currently is, and what are the problems specifically with examples of the current regime.

MS. AMATAYAKUL: So first of all, you said what a report is not, that this is not about research, public health, et cetera. Yet, we heard a lot of issues concerning secondary uses, quality research, and we heard testimony from all of them. I am all confused as to whether that is something we say this report is not about that, but then we do address it?

MR. ROTHSTEIN: Well, we can say something to the effect that although we touch on issues related to public health and research, it is not specifically to address those issues because in terms of the HIPAA framework, they are in totally different boxes. Okay? Research is pursuant to an authorization and a special provision. Public health disclosures, there is a special provision and it can be disclosed for public health purposes without any consent of the individual. It is for that reason that I want to mention that because when we go through the TPO framework, the TPO framework does not cover those specific other uses.

DR. W. SCANLON: When you are talking quality measurement, you are talking about where we are in terms of this is a concept that we might use not that we have succeeded yet because I think that would become very controversial.

MR. ROTHSTEIN: Correct. I am talking about what is currently going on under the rubric of quality however defined, and where do we see the field going, and where would we like it to go in terms of how are we going to maximize the utilization of data, and at the same time, recognize the risked individuals of the data.

DR. COHN: Kevin?

MR. VIGILANTE: So, as we think about structure report, we go back to our last call where we talk about going from the particular to the general to the particular. Starting out with the drivers of this report that the quality, the mission that was given to us under the rubric of quality. Then talking about as you say, the role of HIPAA on the current environment. I think that inevitably brings you though to the leakage that occurs that leaks out into uses that could be for other quality intent. That brings you to the general, and so the principles that start to create in terms of transparency. Then come back to the quality case to serve the use case objectives that we discussed, and that is our closer point.

MR. ROTHSTEIN: I agree.

MR. REYNOLDS: I am in a same point. We are at the Ad Hoc Committee on secondary uses whether we like the term or not. I want to make sure that we give quality the focus, but I think if we leave these things in next summer will be the Ad Hoc Committee on secondary uses other than quality. I think one of our goals was to look at the whole subject. I think what Kevin just said, you may not go as deep as you do in some of the quality discussions, but I think if we leave all this other stuff we have heard, and all this other stuff we have covered off the table, I think we would be going in a direction within —

MR. ROTHSTEIN: To clarify, maybe I misspoke somewhat. I want to in the beginning mention that quality is our task and we are going to emphasize that, but it is related to all these others.

DR. COHN: I think that is consistent with the way I introduce a lot of our meetings talking about the broader framework, but also the initial consideration or in depth review of the quality area. Mike?

DR. FITZMAURICE: As I think about the report structure, if I read the report what I want to see is secondary uses of health data. What is it? Then I want to see, give me some examples. What are the categories of use? This is where taxonomy would fit in including quality as use and including categories of commercial uses. Then I would like to see, well what are the risks associated with these uses? What are the benefits associated with these uses? Then another section on, what are the constraints on use? Then we get into HIPAA, state laws, public opinion, lack of transparency, and maybe toward the end a – how do you decide on what is a permissible or acceptable use? What are the avenues of the responses? Do you start with IRB’s? Do you start with a local group of people to decipher the locality? Do you have a national data steward make decisions or decide the principles? So, the recommendations that come from a report are addressing these things at different levels or not as the committee feels.

DR. COHN: Mark is going to have a wide latitude on how he structures – Mary Jo?

DR. DEERING: I am just wondering whether we have moved away from something that Jim originally said that everybody nodded their head to also which was about telling the story of following the data. I wanted to see whether it was possible to weave it into how the workgroup has more recently been nodding its head around some of these structures at least to my understanding didn’t necessarily pick up on that theme. I wondered whether — as I mentioned, I call this a framework – again, this notion of the affirmation of secondary uses as well as the protective side and whether you could use these threads, because quality is the first among many of the affirmative positive uses of data. You follow that data and what happens to it from quality reporting point of view, and then you can see what is either needed to strengthen it formatively. In other words, what does not work now to help strengthen our quality reporting? Where do we need to improve anything in the regulatory or policy framework? Do the same, and I think I am challenging Paul Tang who keeps saying, there are only two things that people think are really, really bad and that is selling my data, and I have already forgotten what the other one is. Selling it twice. I am trying to enable us to keep the storyline of following the data and blending it with the sense that there are affirmative uses as well as protective actions and bad uses. I think that would resonate with a lot of audiences who would be reading this report. If we just go directly to quality that sounds policy wonkish from the beginning. Granted, our audience and our customers are policy wonks who need to write policy. But I think we have said all along that we want this report to be understandable to a wider audience. So, I am just trying to give it a theme.

DR. SCANLON: This is maybe related, and it is actually a second takeaway from my reading, which is on page seven. The second bullet under B is about potential for group based harm arising when aggregated data are inappropriately reported. I was not sure what – maybe there are examples that would allay my concerns, but the concern I had was that we are now suddenly talking about, how do we prevent bad findings from getting out there? It is aggregated data, and it is a group that is being hurt. So, presumably, it is not a privacy issue. I do think that group based harm occurs when bad research is put out there or bad information is put out there, but there is a question of whether it is in the scope of the kinds of things that we are thinking about because it seems to open up a different set of remedies than we have been talking about. Maybe there are some examples that we can put in there that would be group-based harm that would sort of clarify this and make it within our scope.

DR. COHN: I was actually going to ask Kristen Anderson, if you are willing to speak publicly a little bit just in terms of some of the issues and concerns reflecting coming out of the AHIC workgroup. I could not think of a better time than that for those sorts of comments.

MS. ANDERSON: The AHIC Quality Workgroup had come up with a vision for quality measurement and improvement in the long term. It was published, and it is very much about patient centered longitudinal view of quality with much more rapid feedback to clinicians that are stronger ties to national priorities. After that exercise, we were talking about what set of recommendations we would then make to the secretary from the quality workgroup. We decided to frame it around an analysis that we are doing, which will go public on Monday. It will be posted, which looks at how does health IT have to evolve to support this end state future vision? We are immediately into many of the issues that are in front of this committee. In fact, we are struggling with the timeline, of course. We want to see what comes out of here rather than grappling with them again. But around the fact that in our fractured healthcare system, even if data comes out De-Identified in the HIPAA manner, and then you want to merge it with data from other entities on patient centered level, there are some issues around De-Identification occurs.

There are issues around whoever has identified data needs to make this rapid feedback loop work. Issues around when you build longitudinal data and even if it is De-Identified for each individual encounter, when it is aggregated it is really re-identified effectively based on what we heard yesterday. These issues are germane to whether or not the vision for quality can move forward. If it can, what is the technical environment it should be in? What types of entities could manage this data? Where does it get identified and De-Identified? It is just so entangled in this topic, which is why the quality workgroup in particular is really looking forward to the output of the committee. We have other issues that are also tangled, but they are not in front of this committee.

DR. W. SCANLON: I would bring the issue of re-identification into the context of individual harm. It is the group-based harm that I am hung up on in terms of knowing what that means. Maybe Mark can help me.

MR. ROTHSTEIN: There are lots of ways in which individuals can be identified as members of a group in which they are stigmatized in which all members of the group are stigmatized. The most common example is genetic information. You do not need individual identifiers, but you do an assessment of what are the characteristics of patients who are not improving in certain kind of therapy. It may reflect some genetic information, a type which we are unaware. It may reflect social information of which we are not aware. When someone publishes data that says XYZ, National Origin Group for example based on our studies is not successfully treated for alcoholism for the following reasons. Or a rift is posited between a certain physical condition and a mental condition, or when data is posted about environmental or occupational exposures and all sorts of outcomes. You do not have to be personally identified to suffer harms from this information even though the information may be accurate. The question is, I am not suggesting that the benefits of the research may not outweigh the potential harms to the individual. What I am suggesting is that if individuals do not have any notice and are not informed in advance of these prior uses and then read in the newspaper about a study that was published based on their health data, and there are at least adverse psychological possibly social and possibly economic effects to them. Then I think there is a legitimate concern among those individuals.

DR. CARR: The longitudinal data is part of how we — will be episodes of care, so we can understand across all over time and across multiple interventions. It would seem to me that that falls under TPO. I guess the question would be, who is the covered entity? Is that the issue? If this data is coming from covered entity, and is part of the quality enterprise care, group good, and individual good, why is it a challenge?

MR. ROTHSTEIN: I would say that this kind of quality research is at the moment permissible under TPO as stemming from quality and healthcare under the broad healthcare organization. I think it helps to make the case that healthcare organizations is now too broad in terms of the category of uses and disclosures for which only notice to individuals in the NPP is adequate. I would say that this brushes up against the area where we would say, here is Mary Jo/Paul’s view that you should not sell it perhaps without some sort of permission. I would say that there is some kind of – As soon as you publish it – So, here is where I would use this as an example of maybe we need to revisit the broad exemption from further permission under healthcare operations.

DR. CARR: I disagree. I think that if you want to know how a person’s heart failure is, you need to know how did they do in their clinical visit? How did they do at home? That is the quality of care. If you want to publish it, you go with the rules of publishing. That is one of the things on the table, but the act – Indiana has data from inpatient and outpatient care. They can aggregate that until longitudinal data of how the patient is doing over time with a particular condition. I think that is just the same as quality. If you want to publish it, if you want to sell it, if you want to send it somewhere else that all things we have been saying all along apply, but I do not see that it is different from what we currently have in TPO.

MR. REYNOLDS: This is actually a good conversation. I know Steve wants to go up next, though I am looking at Justine a little funnily just because I have heard testimony yesterday from Massachusetts, a state that Justine lives in, where they are talking about their E-Health work where they came up with some reasonable argument about why putting things all together such as we are describing in a NHIN environment maybe as a little different. They are proactively asking for opt in a consensual basis, which is not exactly cornered by TPO. So, not saying there is a right answer or wrong answer, but to sort of put it up for thought.

DR. CARR: Are you saying there is a conflict of interest?

MR. REYNOLDS: No—

DR. CARR: The levers we have to push are structured around covered entities, business associates. We also have clearly defined that informing patients, transparency, and then where we give them the opt in/out. Just because they do it from Massachusetts and just because I am from Massachusetts, the home of the Red Sox and the Patriots, does not mean that I cannot push the envelope here.

MR. ROTHSTEIN: I want to just add that even though Justine and I are at the moment in disagreement, I think this is the issue that needs to be resolved. I think the other stuff is important, but when you come down to it, the question is, are there any things that are okay today that maybe we think should not be okay in the future in terms of this healthcare operations exemption. This is the kind of discussion that we need to have sort of substantively not structurally to try to work this out.

DR. COHN: Steve?

DR. STEINDEL: Actually, Justine’s discussion made me somewhat convinced of the closeness of what Justine and Mark were saying, not the differences. The big problem I have had with this statement is potential for group-based harm arising from aggregate data period. I think we are well aware of that. This part that I had problems with was are inappropriately reported. Justine just really clarified instances when it is appropriately used and when it is inappropriately used, even in Massachusetts, which I would like to point out that Harry traded for England. I think there really was a good clarification in that discussion about what really as Mark pointed out is very much the sticky part of what we are going towards is, when is the use of this data inappropriate?

MS. AMATAYAKUL: So, could we come up with one example of when it is okay and one example of what we think is not okay because I think that will really help us get to a higher level that we can extrapolate from.

DR. SCANLON: Are you defining okay as not causing harm, or are you talking about situations where it is okay when it causes harm? I guess what I am having trouble with since we are talking about this more is what are the remedies here? The remedies here are very different than the remedies we have been talking about with respect to individuals. I can opt out. We are giving the opportunity to opt out and say, you are not going to use my data, so therefore I am not going to be identified. Therefore, I am not going to be at risk. Now, I cannot opt out of a group. If we ask for permission for some research and everybody that is a member of the group that we ask says yes and we do the research and then we report it, even though I was not part of that research group, I am affected. So, it creates a different situation in terms of remedy. Is that going to be the remedy? That is where I am.

DR. COHN: I am actually stepping back where Margaret was, which was coming up with examples that despite what Bill said are probably on the – you can also say, yes, those are reasonable things. I guess I am more wondering almost than anything, because I am listening to Mark with his example here, and maybe we need to get a list of examples of that from Mark. This is an area – Margaret is right. We did not get into the genomic secondary uses of data. I would absolutely agree that that is a secondary use that until we started to bring up I always presumed there was another subcommittee that Mark is on that deals with these issues. It is a secondary – Potentially, these things are secondary uses or could become secondary uses. I think if the framework is including that, we obviously need to single that out. Beyond that, I am having a little trouble figuring out the actual substantive examples of what we are —

MR. ROTHSTEIN: I can work on that, but this is not the keystone to my argument. If this falls, I am still in the ballgame I think. In answer to what Margaret raised about what is okay and what is not okay, I think how I would translate that is under current rules. So, there are lots of uses for quality that are permissible today and that without any further permission, just the notice, and that is probably the way it ought to be. We can find lots of examples of that, and maybe on the other extreme, you have sale of health information. It is as you get closer to the middle where you say, well, I do not know.

MR. REYNOLDS: Interesting example, if you just take what was discussed by Mark and Justine and Bill and others, if you remember the slide that was put up by Carol Brach yesterday, the one on literacy and how we need to do transparency. If I listen to both of this, I could actually put that chart on both sides of the ledger. I could take that exact chart, and I could put it on both sides because read by some people, it could create harm for certain subsets of that chart guaranteed. It is a statement. The one on transparency. Who can understand what? I am saying I could take exactly the same data on this chart that she had, and I could put you on both sides of that street immediately.

MR. VIGILANTE: I see, that is an example.

MR. REYNOLDS: This is a perfect example right here. It is fact based on this study, but if I step back from it, I can go Mark and I can go Bill. I can go with anybody who wants to go with it because it is something that creates issues. It does not mean they’re good or bad or different. So, all of this stuff is going to do it. Let me go to my other point. I just wanted to use – if you look at that chart, you can take everything they have been saying, and boy you could walk on both sides of that street real quick and actually debate both sides of that street with the same piece of data.

My earlier comment, and I know yesterday I made a comment when Margaret talked about following the data. I think it is great for discussion, but I think if you look at everything – the jurisdiction of everything, the data is going to be all over the place. We heard that yesterday from everybody. It is all over the place. Only the entities are protecting it because people have it whether I own this database or somebody has that database or somebody does this business or somebody is in HIE or somebody is on the NHIN or something else. So, the problem that we have is, everything that we have so far dealt with the current entities to current flows to current uses. What we are really trying to figure out, what of those can we build on and what has to be different because the data – the data is already out there in a lot of places. So, who the entities are and what governances over them, and then which ones are outside of them is really – So, following the data, I could sit here for the next three days and chase you with a piece of data. I would still be saying the same thing. Who has it? What is the governance of them? What are the laws? What are the regulations? What are the controls with HIPAA being one and state law being another and so on? I think it is great because it shows people how their data can flow around. It is good as a discussion point. It is not good as coming up with the answer. That is where I am going.

DR. SCANLON: I was just going to say, Harry, in following the data, all of the points that we are going to be stopping to look at are going to involve entities. We have to know sort of how do these people get these data? I think this framework is going to be okay because it will involve both.

DR. DEERING: What I was thinking was, Harry you are quite right in concept and in reality the data could go a billion places. From the time my blood pressure is taken here, it could end up who knows where. I think we might consider the concept of use of cases or scenarios and just pick some core scenarios or use cases. The first one begins in the physician’s office. Blood pressure or something is taken or whatever it is and then key use cases that illustrate both the good, the affirmative use, where it is at, who has got it, what are the policies governing those entities that either help protect it or may inadvertently keep it from being used as best it could be like in this future scenario like the AHIC workgroup came out with. They realized that current policy does not enable some of the types of sharing and exchanges because it is not in place yet for some of these consents or getting it here or there. So, there are some things that just because of the way that HIPAA was designed to regulate paper flows, it may in fact not pose an inadvertent barrier as we have heard to appropriate uses.

DR. COHN: Maybe just to clarify that, I guess I am reminded that actually AHIC spent a considerable amount of money and time in consultant resources developing process laws. So, we probably ought to at least review them. I know Margaret has reviewed them a number of times, but I think that is sort of what we are talking about so we should not reinvent that. I am not sure where they actually get us, but I think it is something to review, and maybe we review and put circles around things or something like that. Justine?

DR. CARR: I agree. I think that the diagram from the quality workgroup use case is very helpful to just go to each point and say, where would they form? To Margaret’s question of what is appropriate and inappropriate use, I think in many ways, it at least maps to who is the entity. So, serial medication over time being looked at for quality is an important thing. Is an ACE inhibitor for heart failure used over time at discharge and home and so on. ACE inhibitor over time using by a pharmaceutical company to change provider-prescribing practices to increase the use of a new state of the art thing is a separate indication. Hopefully, it will get to by what means do they get access to that data.

MS. AMATAYAKUL: My question was not related to the individual. I think the individual harm are fairly well understood and we can provide a lot of examples. I think the concern was with this group-based harm.

DR. CARR: This is where I think stewardship comes in too. Now you say, you are the entity. You are a covered entity. You are a business associate, and by the way here is stewardship principles of how you use data, how you take it. I think the Indiana model is a very good one because they have created kinds of checks and balances in terms of who is getting the data and how sophisticated is the use of the data to accurately answer the question being asked.

MS. AMATAYAKUL: I guess I am still trying to grapple between you and Mark I guess because Mark is saying that today with the notice of privacy practices, there are some quality uses that are just fine that we do not need to mess with. Then there are other uses that we know are probably very clear like selling data is not something we are comfortable with should be addressed. It happens today. It should be addressed today. But tomorrow, we have other uses that we want to anticipate. Some of the uses we have today that are okay strictly under the letter of the law may not be okay in the future. That is what I am trying to tease out is, what do we think is okay today, but in the future it may not be okay? Can we identify some of those?

MR. VIGILANTE: So, today you can collect data under the rubric of TPO. Once you have that data, it is not clear if there is any restrictions on what you can then do with that data under HIPAA. You can then go on and use that for – you could sell it if you wanted. That is under their current regulatory environment. That is okay. I guess what you are saying is, in the future, do you want that to still be okay or not? That is the heart of some of —

DR. COHN: Actually, you bring up a good issue because that is a very concrete issue that you talk about De-Identified data now and then we talk about linked De-Identified data of the future. Maybe there is a different – That is one where maybe we are so bent on thinking that we do not even realize it, but that is one where we are so advanced on thinking we do not even realize it. Could we all go – a different standard and review of De-Identification because even though it may be, by definition, De-Identified prove that time you put together 30 encounters, a long history of somebody to be identified at that point. So we may need to go through something subsequent. Good, thank you. Marc?

DR. OVERHAGE: Just to follow up on your comment. I think of the example where you are thinking of these terminologies of De-Identified synonymized and have all of these challenges, and if you go back to kind of the framework notion of effort to re-identify might help. At the end of the day, you are sort of really thinking the future as we can aggregate more data, the work to re-identify may get lower because we have more stuff. At the end of the day, that is sort of the tradeoff that I think we are making as the privacy versus benefit tradeoff for the effort to re-identify and sort of the effort to re-identify on some scale might be the thing we want to talk about as opposed to De-Identified.

DR. DEERING: I just want to maybe clarify Margaret’s question because when you say there are things that are okay now that may not be okay in the future, one of the things I heard Mark say that would change the way you would pose that somewhat is that my understanding is, when we say okay, it is not that we approve of them necessarily, it is that they are permissible.

DR. COHN: I guess – Margaret?

MS. AMATAYAKUL: I think the example of selling data is something we all understand. We have talked a lot about that there is that today and tomorrow. I get the sense that there are other things besides blatant selling that are of concern that we have not teased out. There is a continuum. There is this middle area. We are all okay with it. It is okay, but we are not all okay with it. We know we are not, but what is in the middle. That is what I am trying to understand. What is in the middle?

MR. ROTHSTEIN: I think one example would be – my middle is going to be different from other people’s middle. Where your data are linked with other data systems throughout the country and sent all over without any notice and without any choice on your part.

DR. SCANLON: I think it is not a clear selling alone because the issue is when is it not selling, but actually the receipt of essential revenue in order to maintain an HIE that is providing benefit to a community. It is the issue of, what are you receiving the money for, and how is the recipient of the data going to use it? It goes back to what is an acceptable use and what is not? That is always going to be on the table.

MS. ANDERSON: I just had a comment related to the allowable and permissible. I think if you take the spirit of HIPAA, which was pointed out as the .04 percent chance, et cetera that even if you were to sell data that was aggregated from multiple entities, if it went through a process that got it to that same risk level, which can be done. Many have to ask, is it useful at that risk level? But for a lot of issues for research and others, it still would be even if it is remove anything – for instance, if you do not know any location anywhere in the country, but you know somebody has five services in a row, but you do not know if it happened in the North East or in Southern California. You probably have a much more difficult time identifying that person. So, I think it is about the process of making that data safe to raise that cost of re-identification through some process rather than getting too hung up in what someone uses it for if it is truly safe.

DR. COHN: I think you are referencing tools, which I think is a very good point.

DR. OVERHAGE: Selling data that raises a set of questions. Those sort of questions, I think, revolve around the benefit that occurs. In some ways, how does a patient feel at the hospital? So, their data makes 100 million dollars. That is one question. The other question is, what use is going to be made of the data? Selling data to a pharmaceutical allows them to identify adverse drug events, and it is not used in any kind of a patient identifiable way. I do not know if people would object to that use of their data. They might be really mad if their data was used for marketing and so on. It is not so much the selling although there is a separate dimension there as the use.

MR. ROTHSTEIN: I do not think that the only harm to individuals flows from whether their data can be re-identified. I think one of the harms that we want to try to avoid is the breach of trust that would occur. If I found out that my doc, without my knowledge or consent or permission or anything else was using patient derived data, including mine, and for uses that I did not approve of. It could be commercial uses, marketing, or whatever. I would be very unhappy and would find another doctor. That has nothing to do with whether I could be identified individually because I trust my doctor not to do that.

DR. OVERHAGE: Say the uses again.

MR. ROTHSTEIN: Commercial uses for marketing. I do not care whether I am identified as such. My doc has breached my trust by doing that. I do not think they ought to be able to do that whether it is identifiable or not.

DR. OVERHAGE: I agree completely.

DR. DEERING: My clarifying question is, that is permissible today, correct?

MR. ROTHSTEIN: No. So that is why I said the issue is not whether it is .04 or .05. It could be .0000 and I still would be unhappy.

DR. COHN: Mark, so just following along your logic, and I think this is a lot more complicated than we are sort of making it out here. So, you change your position, now what happens if you De-Identified pharmacy data as being sold? Do you change pharmacies? Do you change insurance companies? Do you change PBM’s? What are you doing? Or is that not a subject?

MR. ROTHSTEIN: No, because I have no trust in my pharmacy. I know and expect that they do that. I do have trust in my physician.

MR. VIGILANTE: One of the most highly trusted actors in the entire healthcare scheme are pharmacists, even above physicians. It is interesting. We are on to them.

MR. REYNOLDS: I would like to comment. Mark, let me ask you a question. So, you say you trust your physician, but the minute your physician captures your data, it goes to an entity. At that point – take the physician in a large university. It is going to that university system. So, yes, when you are going to that practice it is still going outside of there. It very quickly moves from a person.

MR. VIGILANTE: If I knew – I go to the doc and give him the information, which I think is mostly so he can take care of me or she can take care of me. Then okay, there is this HIPAA thing where you need to measure your quality performance and operations. I sign this paper I do not understand, but I signed it. If you explain it to me after the fact, I would be fine with it. If I knew you were running a little business on the side that funded your Lexus, where you are selling all our data for all sorts of things that people are going to be sending me junk mail about. That would kind of irritate me. If you told me about it, I might feel better about it, but I might have to think about whether I want to do it. It depends on what you are going to use it for. If you told me you were going to use it for research, I would probably say okay. If you told me you were going to use it to fund the uninsured patients in this practice that you take care of, I would say okay. For the Lexus, I would probably, no. I do think this is where you come back to transparency. There is a loophole today. The semi-permeable membrane that enables you to do whatever you want with it in a nontransparent way.

DR. COHN: Harry did not feel that he had his time? I want to sort of bring things together so that we can finish.

MR. REYNOLDS: This is almost four-dimensional. Who has my data? What data do they have? What is their intent to use it? What process is playing off what Kristine said, what process have they used to deal with it whether that is steward, whether that is identified, whether that is some of the other things. That is why it is so complicated. Kevin just made it perfect. Kevin just went through this four for himself and said, now I am in, or no, I am out. That is the hardest thing is because there are so many entities. There is much intent. There is so much data, and there are so many processes that when you really look at it, every time you say one thing, everybody spins it four ways. Just a thought.

DR. COHN: Hence no pictures today since it is hard to draw four-dimensional pictures.

DR. DEERING: The fifth dimension is what policy surround it. I just wanted to repeat something I mentioned yesterday about what Peter gave to us. I read something that I had noted that was not in your written testimony, but it is very pertinent to this conversation. Again, it gets at what is the definition of this equation where risk equals hazard plus outrage. To note that what constitutes, what contributes to outrage is trust, control, voluntariness, dread, and familiarity. So, to the extent that that can have tangible results, like Mark said, and you draw from your provider relationship or otherwise. Those are very live factors to be considered in any policy recommendations.

DR. COHN: It is about fifteen minutes after twelve. I do think we need to begin to wrap up. From my own perspective, obviously we will next be talking in early September from 2:00 to 5:00 Eastern Time. Obviously, at that point we will have our next version. Hopefully we will be e-mailing some of you to get some of your additional thoughts. The chairs and co-chairs will be working with Margaret on the key staff to try to move us to the next version so that people have things to react to. Obviously, we have got probably ten versions left to get it sort of right on all of this, but I think we need to begin to sort of find a structure. We need to look and remind ourselves since we did this at the very beginning looking at the quality use case and the players there. I said yesterday that we needed some ways that suspend belief and listen to the testimony. I continue to believe that things are a little complicated. While I agree with semi-permeable membranes may be so permeable that you cannot tell what is on one side or another. The question gets to be, I think we have to reflect back that there is a reason why HIPAA was so hard to write in the first place. It is a political environment. Obviously, a lot of tradeoffs were made. The question is fine-tuning. The question is unintended uses. The question is structures that really strengthen the structure and give it greater integrity as well as transparency in the process here and really move things forward. Certainly, I am confident that perfection sometimes gets in the way of good. We do have to realize that we do live in a political environment. This is likely not to be the perfect document. Will either of us win every single argument that we bring forward to this including our thoughts? So, we just need to continue talking and continue working to sort of learn better how to do this.

One thing I would ask everyone – I think is a really good time to review notes, to review previous testimonies, to look back at the AHIC use cases. There has been a lot of things we have heard in the last three months. I know I am going to devote some time next week to sort of try to look through things and remind myself not just what happened today and yesterday, but with the various pieces. As you identify pieces that you think are important that are not in the current draft – I mean, Margaret does not need a ten-page version, but short points. Things that aren’t there that should be, key points, conceptualizations that you have that help move the thinking forward I think are all really welcome in this. These include things. These include areas for recommendations that we have not even thought about. All of that kind of weaves it together so we can really begin to see more of the whole context of all of this. By the time you begin to see it, an appropriate build-up of the issues framed right, the themes that hopefully should lead into the observations and recommendations. Obviously, we need to get all of that together the way we feel is complete. I think Kristen Martin Anderson raised some very interesting questions about reminding us that it isn’t just today. This issue of lots more intended uses in the future, and of course there is this issue of people who have this data that are going to be doing these sorts of new uses. Well, what rights do they have to use the data? This may be a place – Once again, I have high hopes that strong business associate contracts may help us with some of that as a tool. You all may have other ideas, and they may even be better levers that hadn’t occurred to me. It is a time for thought, and it is a time for review of information.

Does anyone have a final comment? Final thoughts? Hopefully nothing terribly controversial? Justine?

DR. CARR: I just wanted to say it is an honor to be a part of this group. The great insights and thoughts and analyses are just really rich, and I have a lot of confidence in the process.

DR. COHN: Justine, thank you. It is a pleasure to work with everyone. It is an honor. The meeting is adjourned.

[Whereupon, at 12:30 p.m., the meeting was adjourned.]