[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

Subcommittee on Privacy, Confidentiality and Security

December 2, 2014

U.S. Department of Health and Human Services
HHH Building, Room 705-A
200 Independence Avenue, NW
Washington, D.C.

P R O C E E D I N G S (4:00 p.m.)

MS. KLOSS: The meeting of the Privacy and Confidentiality and Security Subcommittee will consist of discussing 2015 draft plans and I would say this is again up for discussion. Our subcommittee had a call and we patted ourselves on the back for having gotten approval of the toolkit.

Moving on, we felt that 2015 could be a time to turn our attention to some new areas and it’s in that spirit that we outline four objectives that we proposed to the full committee for 2015.

First, to address the topic I touched on this morning, the 1179 exception in HIPAA for financial institutions, as I think you know, will change some with HITECH. This topic was suggested to the Subcommittee by Joy Pritts at the last June meeting. It has been underscored by the office of Civil Rights as being an area that recommendations from the committee would be helpful.

There is a broad range in the way that that exception is being interpreted with some financial institutions being considered business associates and operating under the provisions of the business associate agreement, and other operating perhaps in a role such as a clearinghouse but not under business associate agreements. Broad range of interpretations and a need for some clarifications as the relationship of financial institutions to how they handle protected health information is evolving.

We think that this definitely converges with the work of the Standards Subcommittee so we would look to strong participation by Standards in this because HIPAA standard and how it is being executed and how it aligns with administrator simplification functions does suggest convergent function.

We are envisioning it, while we don’t think it is a simple issue, we think it is relatively limited. Narrower than a breadbox if you will, who knows what happens once we dig into it. We thought it was in the Committee’s bandwidth and it does what we stated we wanted to do last year, that once we wrapped up the toolkit we wanted to get to a topic that was an emerging topic back in the HIPAA space.

If we proceed with this, we would see this as starting the year with a hearing. We talked about February or perhaps March, but not necessarily tied to one of our committee meetings. We’ll see how that scheduling goes. Our goal as we thought about it would be to move from a hearing to a draft letter for approval in May.

First half to the year activity on a topic that we know has some compelling need and we think could be framed and somewhat limited. Let me stop there and see if there are any questions or discussions.

Maya, you have joined us. We’re happy to have you and Maya has been advising the subcommittee with respect to this issue and had the initial conversation with Joy. If there is any elaboration you have on the importance of this topic, we would appreciate that. Rachel is here too, just so we all kind of understand this.

MS. SEEGER: In the ten years plus since HIPAA has been around, the landscape has really changed, as Linda had mentioned, especially with respect to financial institutions, many are doing multiple jobs on behalf of covered entities, and this has become an area of confusion.

HHS has also heard that many businesses associates and or financial institutions have concern about overlapping regulations in different spaces with respect to privacy and security. I think a hearing is an outstanding idea.

MS. BERNSTEIN: When I sat down to talk with Joy about this, I actually was not aware of this issue and she talked to me about it, and I guess with the expansion of banking and other institutions into different kinds of businesses, as far as I know, OCR has done some looking at it but not very much, and they have many other things their plate and I think it would be — Joy said it would be useful for us to get out there and find out what people are doing, how they are looking ahead. I didn’t know anything about it. I thought it would be an interesting thing where the committees particular expertise would be useful and we would get back to, as you were saying, the kind of work we were more traditionally doing.

There was some movement to try to do that in the committee so I was looking for particular topics. This is one of them, there are several others, but I thought it was particularly interesting and I thought the committee could really help us in this area by using (microphone problems).

MS. KLOSS: So we wouldn’t see this as the last word but rather the first word and educate ourselves and then understand where to go from there.

DR. FRANCIS: I might just add in that we did have a subcommittee conference call in which we worked out these objectives.

DR. SUAREZ: Just to maybe ask for clarification of the scope. There seems to be two areas here about the applicability of HIPAA to financial institution, one is the standards side and one is the privacy and security side.

We know in the standards side they are certainly engaged with respect to the use of standards for payment, particularly electronic fund transfer transactions. So the question I would have is, are we targeting both topics or are we targeting primarily the privacy and security component?

The second question I would have is really about the outcome, the output. We always do letters that highlight observations and findings and possible recommendations. This will be recommendations, not to begin to already frame them or anything, but these will be recommendations that would go to OCR and ONC, back to HHS of course, but that can be operationalized by OCR.

For example, I’m just trying to get a handle of what things would be helpful, because this is a statutory exception so would really have to change the law, but it could be guidance since there is confusion and there is need for clarity that could be recommendations about developing guidance and talking about the content of the guidance. Is that kind of one of the possible outcomes?

MS. KLOSS: It could, I guess in my simplistic way of viewing this, it seems to me the essential question is, under what circumstances does the exception apply? And when does the nature of the financial transaction or business go beyond what the intent of that exception was?

And just to learn through a hearing what the range of interpretations are, and bring those to light and depending on how much we learn, determine whether we can, at this first step, frame recommendations or whether as you say, the recommendations are more in the form of needing additional guidance.

MS. BERNSTEIN: Jim can correct me, but the committee is not that limited in the kinds of recommendations it can make. We recommended we put out a report, we put out a report or guidance, but if the committee sees a need for legislation that there is something in the law the committee can recommend, that the Secretary seek legislation. There is a wide range of stuff you can tell the Department to do, depending on what the findings are.

It’s not so limited. I just encourage you to think expansively about the types recommendations you might make.

MS. KLOSS: Good point. Any other comments? That is our objective, number one, this would be a new topic, at least as we are considering it now, we would see it as first half of the year activity. If you are all right, we will go to the next objective. Thank you so much, Rachel. Advance the slide, please.

This one is a big one, not that the first one wasn’t, but we are putting forth here a possible work area to step back, as we said, we are how many years into implementation of HIPAA now, 13 years, 14 years, really a long time. As it relates to privacy and security to do a state of play of HIPAA, how are we doing as a nation?

We are taking a page out of the Standards Subcommittee with the annual state of the standards kind of hearing where we really are stepping back, surveying the understanding implementation level among small providers, other covered entities, perhaps not scoping this for large health care systems or even pairs, but in the areas that we know are still struggling or are not up to snuff based on OCR audit information in other areas.

Again, we have not scoped this, but we think it would be helpful to our National Committee to know what additional HIPAA responsibilities would be useful. We thought about it in terms of tying the state of play to what we know about how technologies, tools, circumstances are evolving.

We have talked from time to time about where does HIPAA go, how is it relating to community use and all of the new uses of data. We know that ONC is through the privacy and security work group, looking at big data and privacy, how does this converge?

Again this is a big picture, stepping back, and I don’t know if this is something the National Committee has done in the past anywhere along the course of the HIPAA privacy and security implementation or if this would be a first endeavor.

In which case, we saw a planning effort just to plan what the hearing would be and take our February meeting and begin to do that, but look to spring or even fall for an actual hearing on the state of play. We sort of saw this as after we largely complete the work on 1179.

MS. BERNSTEIN: I was not available during the time of the conference call and so I did not hear the whole discussion and I just looking at the timing of planning this in February when we’re also having a hearing on the other thing, looks like a lot of overlap. I’m guessing it is not very realistic.

MS. KLOSS: We may be envisioning this as the second half of the year effort and the other as the first half, more realistically.

DR. SUAREZ: Maya, the overlap that you see, there is no hearing in February. The 1179 is a hearing in February and that is it. This one is planning between now and May, and then it will be a May or June hearing.

MS. BERNSTEIN: What do you mean that’s it? We plan a hearing, usually something comes out of that.

DR. SUAREZ: Sure, we are not overlapping hearings is what I am trying to say.

MS. BERNSTEIN: I understand that, but you’re going to have discussion about your recommendations. There will be a letter being put together.

DR. SUAREZ: There will be. I am not arguing anything. I just wanted to clarify because I thought you had said that this is overlapping hearings. There is no overlapping hearing.

DR. FRANCIS: I might just add in, some of the timing occurred before we knew that Larry and I were not going to be permitted to stay on the Committee, even for this meeting.

MS. KLOSS: So timing aside, I guess it would be really helpful to have the Committee’s feedback on the value of this kind of effort.

MR. SCANLON: The idea is to, I am trying to think of how you get this information, because it is basically non-compliance and then (off microphone). Somebody said they don’t know, but it is kind of non-compliance. How would you measure? Who would know?

DR. FRANCIS: Jim, you are asking the question, how do we know about non-compliance?

MR. SCANLON: Yes, this would be looking at the state of play, which presumably among those who seem to not know about it. So number one, how would you get such information? You’re not going to do a survey. Why would anybody say, I’m not complying?

Who would know? It sounds like you have one party talking about another party. How would you actually measure the knowledge about HIPAA in small entities, knowledge about the privacy and the security and compliance? You could look at data that OCR has. Those small entities turn up more.

DR. FRANCIS: The suggestion actually came from Rachel and she said that the levels of understanding and non-compliance with audits turn out to be, that’s where the trouble is. When I heard her, what I envisioned was not talking to somebody who is a non-compliant person, having them, quote, admit their guilt, or something like that.

What I assumed would be the case is that there are organizations that would have high levels of membership by small office practice, physicians, for example. Let’s just try this out.

I don’t know whether this would be true, but say the American Academy of Family Physicians, getting somebody from that organization to speak to the challenges faced by both their educational efforts with small office providers and small office providers in HIPAA compliance.

Her suggestion was very much the smaller practice folks. It seemed to me that the way to go would be people who could speak for them on an organizational basis.

MS. KLOSS: And if we have the planning for this done long enough in advance, there could be some data collected by those organizations. We have a member of the public

MR. RODE: Dan Rode, I am a private consultant and educator working with a project called Share to Care and Cure. This may not fit with your hearing scope, but one of the areas I think needs to be addressed, it certainly came up during the AMI meetings a couple weeks ago, is the whole issues of what blockage, if you will, HIPAA privacy and security may have with information now that we are 10 years into the regulation.

Specifically an area we’re working in with the 21st Century Taskforce in the House of Energy and Commerce Committee, is a question of whether, for instance, HIPAA should be modified to allow for data research. Can we take the operations portion of HIPAA to the point where more than one facility can share data and use that data to improve quality or do other kinds of work.

Right now the interpretation is that only within a health system can information be exchange. Can that be larger? We have got all this data now with the electronic health records. Can we expand it?

The other issue that kind of comes with that, and I don’t personally want to attach it but I will tell you it’s there, that is the whole issue of still how does research occur under HIPAA and what are some of the roadblocks that are still being experienced in that particular area?

I would recommend the former of can we look at some of the blockages that may still be there with HIPAA? We haven’t looked at that in this committee to my knowledge, for several years now.

DR. SUAREZ: I guess as the person who actually brought it up during the call and suggested, the thought that I had originally was we have a chance to really look back and, this is like the 10 year anniversary almost because it really almost like 10 years since the actual implementation started – 2003 to 2013 – so about 11 years.

I think the goal was really not so much look at how many faults or how many problems, because you’re right, we’re not going to have testifiers, but I think the most important part is really what have been the most challenging things and what are the thing you would change that need to be adjusted.

Because as Dan mentioned, it has been 10 years and a lot of technology has changed in the last 10 years and a lot of things have evolved, including mobile health and virtual care and telehealth, and a lot of other things, and data analytics and genomics, what would be things you would see needing to be adjusted? With the intent to really make recommendations for changes potentially to the original statute all the way to sound regulations?

I don’t think it was the intent to really be non-compliant, but more inviting testifiers from the health care industry. Providers, researchers, health plans, clearinghouses, vendors, others, to really talk about what are some of the things they have seen work and things they believe would be important to consider adjusting because of the evolving nature of the health care industry.

MR. SCANLON: Challenges and accomplishments.

MS. GOSS: It sounds to me that this becomes a component of a larger roadmap discussion. It is easier if we’re identifying barriers and aspects that are preventing us from achieving, as I like to refer to it, as the Triple Aim. It sort of all feeds back into our earlier conversation.

MS. KLOSS: Rachel, any comments?

MS. SEEGER: I think that would be very helpful. See how far we have come and where we need to be. The concern I would have in the form of a hearing is that the scope of the feedback is going to be so wide. We hear from many different sectors of industry about how HIPAA needs to be changed.

The app developers, medical device community, we are working very closely right now with FDA in a way we haven’t previously, in trying to have discussion around privacy and security related to emerging devices that are coming up the pipeline. Telehealth is something we hear about constantly, wearables, PHRs, the technology is emerging so quickly.

The laws been around, as many of you know, for a long time now, and many are questioning whether or not it is elastic enough. My concern with a hearing would be that unless it is tailored, what you are going to get in terms of feedback is just overwhelming.

MS. KLOSS: It may be that this is one of those initiatives that is worthy and the subcommittee needs to do another round of discussion on how to get our arms around it and be more explicit on goals and even look at it, time frame, there is nothing magic about a calendar year. I think our goal here is to get a sense of the group, is this a worthy undertaking and should we be spending time on it?

DR. MAYS: Let me just comment, I have had my card up for a while. I just want to talk about this and then the next piece that you have, which is the data stewardship. I want to try and flip them a little bit. The data stewardship, it almost feels like it is going to go away or you feel finished with it.

I had a sense that there was still a lot, especially with what just happened in terms of the populations community issues. It’s almost like, I would say there is some HIPAA concerns that are out there that the community doesn’t understand and it’s almost like in data stewardship. It’s almost like if we did it backwards, you would actually get at some different levels.

Rachel started talking about the very ones that people are starting to ask a lot about, is in terms of the apps and the way the apps are intervening in terms of in the health care setting and with their physicians and who owns what and what the rules are.

As one who just works in the development side as a researcher, there is a lot of things that are still some gray areas about momentary assessments and how it’s covered and where it’s covered and whether it is a piece of research or whether it’s in the health care. Because you then go and do something like you walk around with a monitor and you bring the information back for someone to look at but you may have done the monitor yourself and then you bring the information in and ask them to look.

There is all this stuff going on, but at the same time, if we are going to do some things at the level of the consumers, I am going to get back to this Meaningful Use at the consumer level, I would say that getting at that as well as getting at health care, we did really health in the data stewardship before, and in here is a comment about health care, and I think that is a different domain.

I would almost want to make sure that before we undertake this, that we finish some different things in the data stewardship.

DR. FRANCIS: This is in my role as a public consultant, there are a variety of directions to go here. One of them is to simply look at classic HIPAA and where are the strains. That way of looking at it, I think according to Rachel, was the biggest issues they are seeing concerns not the large health care systems, but HIPAA outside of the large health care systems. That is very much within the HIPAA space.

Another direction to go is modifying HIPAA with respect to some of the important HIPAA distinctions. For example, how HIPAA treats public health and research. One of the reasons in recent times we have steered clear of the question of data that our HIPAA covered and research, is the whole beyond the HIPAA privacy rule question.

The document that was published a couple of years ago, looking at research and HIPAA, and then the ANPRM that came out about the common rule and whether there is, what the role is there, I do not have a clue about because I don’t know what’s going on with respect to any kinds of proposals within HHS about revising the common rule, but there was the ANPRM. That is a second direction.

A third direction to go in is the whole question of what’s a covered entity, and the whole covered entity non-covered entity. For apps and personal health records that are via business associate agreements with covered entities, the HITECH Act pulls them in through the business associate agreement deal. So if a diabetes treatment center offers a PHR to its patients or has a PHR portal, that is a tethered, and we did a letter bunch of a years ago making the distinction between tethered and non-tethered PHRs.

I am reminded of an amazing book my children had which is a Sesame Street book. It was the Everything in the Whole Wide World Museum and at the end of it you opened the door and you tour the museum and there is a room of this kind of thing and a room of this kind of thing. At the end, the rest of the museum is the whole wide world. Well, we’ve got the whole wide world out there, which could be anything from the carrot that’s just closing, to Map My Run, to FitBit, to whatever the latest diet app, wearable, you name it, and that is a whole change in the whole understanding of what a HIPAA covered entity is.

If people are trying to limit, one way to try to limit is be within the traditional HIPAA space and look at where there are tensions.

Another is to think about some changes in the HIPAA rules like the intersection with research and public health, and a third is HIPAA scope and the great wide world of apps.

MR. SCANLON: May I comment? The common rule is being revised. A proposal is being worked on and it’s hard to say when, but possibly in the spring it will be available for public comment. It would be contained interactions between HIPAA privacy and IRB. So certainly the subcommittee might want to look at that in dealing with that issue. Is it better, is it worse?

The whole idea of the revision of the common rule in many cases was to where the risk is that all of the requirements and the burden and the procedures should be proportioned to the risk of the individual. If there is minimal or no risk, don’t regulate for the sake of regulation.

Where there is risk and there are some new areas, then that is where you should be focusing, so in terms of interaction with research, I think that may be the best avenue to pursue.

MS. BERNSTEIN: Jim, could I say something about the timing of that, and we don’t know when it is going to come out, but it seems to me that it would not be timely for the committee to do work before that NPRM came out.

MR. SCANLON: I would wait and offer this perspective on the NCVHS in terms of commenting on that. It will be spring or later, so that I would not think you would want to do now.

This is just another risk assessment. As the coach of Ohio State used to say, Woody Hayes, five things can happen when you throw a forward pass, five things can happen when you say you want to change HIPAA or ACA or something else, and four of them are bad. Again, it’s a risk assessment. Do you want to risk the accomplishments you have in HIPAA now because you don’t know what will happen if you open it up.

Same thing with ACA and other things, or is the climate such that you think you could actually get some positive movement. I think you have to be the judge of that. I think it would make sense to focus on a more modest approach rather than let us change HIPAA law. It is extremely unlikely that it will be done, and if it is done it won’t be in the direction you’re asking. It just doesn’t happen that way, we’re not in that kind of a situation anymore. Again, this is just perspective for the committee.

If there is a focus on where are we having trouble getting the basic HIPAA protection across, and we think it is small providers, under five or whatever, it would be a legitimate place to do it in a positive way, not a compliance way.

I should say that there are a lot of folks looking at, in terms of interoperability and other things, what needs to change with HIPAA. You heard Lucia this morning. You might want to see where that takes us before we get out front, because these same questions are coming up in a lot of other settings.

MS. KLOSS: Bill, did you have your tent card up?

DR. STEAD: My itch has been well scratched.

MS. KLOSS: Walter.

DR. SUAREZ: There is always that risk. It doesn’t necessarily mean we would suggest to recommend changes to the laws itself, maybe there are other ways too. There is also, I totally agree there is the opportunity to focus on the priority concerns, and small providers seems to be one place. I can assure you some large systems also have concerns and problems and issues.

If you bring in the research community, did you have – then it is an even bigger series of concerns. It is interesting for 20 years now with HIPAA, we have been talking about something called the covered entity. And for privacy purposes, when the data, the same identifiable health information of me is in the hands of someone, is actually protected by HIPAA, but if that same data moves out and is put some place else, it’s not protected.

I think it is an interesting opportunity to consider talking about covered data rather than covered entities, because if we protect the data regardless of where it is, I think it is a much more potentially appropriate place.

This is just my personal opinion and has nothing to do with anybody else, but I think it is an interesting point. I think we have been talking about covered entities and there has always been who is a covered entity and if I don’t do transaction electronically then I am not subject to HIPAA privacy because I am not a covered entity and for a provider to be a covered entity you have to conduct transactions electronically. And to be covered under HIPAA privacy you have to conduct transactions electronically.

There are ways of going around and around, and it was an interesting approach 20 years ago to use the covered entity concept, and not tie it to the data itself, regardless of where the data resides.

MR. SCANLON: If you remember, some of us will remember that this committee, it’s not the approach this committee recommended to HHS and it’s not the approach HHS recommended to Congress. It was the model that Europe uses, where if you have the information, you’re covered. The protections apply to you, but there were a lot of billable hours from our lawyers to carve out, remember Congress did not give us substantive privacy provisions.

So we had to work out the authority to use what we had to make something sensible about of it. You’re right, nowadays it probably doesn’t work as well, but again, I don’t know where we go from there in the sense of what is likely to change.

Those are statutory changes that would be required. But at any rate.

MR. SCANLON: I think others will be looking at this. I think ONC will be looking at it, in terms of interoperability. You can’t have it both ways. You can have a balanced approach. I think Lucia is looking at – tell me what you want to do and we will see how it can be done. She’s not looking at – no you can’t do it.

I think this will come up in the interoperability roadmap about where are the obstacles to sharing this information that can’t be overcome through partnerships or things like that.

MS. KLOSS: The charge is in our wheel house.

MS. BERNSTEIN: Just quickly, most privacy laws are structured the way that Walter is describing. That is, the Privacy Act, which is having its 40th anniversary this year, is structured that way, depending on who is the custodian of the data, they have certain responsibilities. And in fact, this committee after the time Jim is talking about, is certainly correct that the time in 1996, when we were developing the original rules, this is what we came to.

Since then, in 2006, this committee actually made recommendations of the sort that Walter is talking about. They said that medical data, wherever it resides, should be protected. That is in fact a standing recommendation of this committee, which for better or worse, is not likely to be acted on in the way you’re talking about, given the current industry climate or political climate or whatever you want to say. But it is on the record of this committee that this scope should be expanded.

It may not be necessary to say it again, but to go in a more I think, more narrow or more realistic direction.

MR. SCANLON: If there were some statutory modifications that we have the authority to make, that would at least be a place to start.

MS. KLOSS: I think based on this discussion that this is a ripe topic for dialogue. I think what the subcommittee might do is scope it and tee up another discussion at the Full Committee before we decide what course should be taken.

MS. BERNSTEIN: In the meantime be working on the other project.

MS. KLOSS: Exactly, we would in the meantime be working on the 1179.

Our third area, getting to Vickie’s point, was not to lose sight, continue to work with Populations, Data Use Subcommittee, on privacy, confidentially and security aspects of that work. So we weren’t moving away from that.

We didn’t carve out a specific new initiative there but continued to collaborate because privacy dimensions come up in every single discussion in the population health space.

Our fourth area, which has been rolled into here, is to deliberately go forward and work on dissemination of the toolkit because it hasn’t even been released yet, to get it to final polished format.

Vickie had some great discussions on suggestions in our recent subcommittee call, that we think about this as an official launch, but we might put it on the website and do a soft launch, that we do a press release, that we do a tweet-athon or whatever, all these things she laid out for us to do. In the interest of the communication of the committee, we are going to do this launch thing and figure out how to make some noise around our toolkit. Our goal is to put together a communication plan over the next few months.

DR. SUAREZ: This will be quarter one or quarter two?

MS. KLOSS: Quarter one. Any other new things we should do?

DR. MAYS: The work group is actually going to help them so the language they used doesn’t matter. Tomorrow that’s on the agenda for the launch. I still want to go back, and I may be stepping in the Populations side a bit more, and that is I just thought the data stewardship was really important. I am not ready to just say, we have a report and we put it out.

The stewardship issue came up a lot of ways. Is there training you want to follow this up with? IS there going to be an evaluation? I guess I’m just asking and I would have to let POP say what it wants, but it seems to go well with them that the space you have for it just seemed like, we’ll wait and hear. But I thought there was actually very active things to do to keep the community part going.

MS. KLOSS: We did talk about the ideal would be two-way communication where we got feedback from communities on what was helpful or not helpful or what additional questions the toolkit or framework raises because that is a piece of work that could also be updated.

But we’re not sure we have the infrastructure to do that as a committee, to do community building or chats or other things to really have effective two-way communication. So I think as a subcommittee we decided what we needed to do was launch this and encourage groups because it is in the public domain, use it adapt it, then periodically revisit how it is being used.

I think we were gung ho and the pulled back because we realized we didn’t have the infrastructure to do some of the multimedia ways.

DR. MAYS: Some of them, I think depends upon and I don’t know what the rules are about using federal websites, but there are things as simple as every time someone downloads it they give you information, they agree to do things like evaluate it for you, whether or not you want people talking about it and leaving even a comment, one after the other. I used it for this.

We often ask people, what did you use this for? And then you will see in the comment section, they do it and it’s just there. It’s very passive. This may be if you want to have the discussion with the Work Group, they can give you ideas which will range from way up here to just very –

MS. KLOSS: I know they will have a full range, but do we have the infrastructure to manage something like that?

DR. MAYS: We have a new web site and we launch a lot of these things just using our website.

DR. STEAD: I have a couple of thoughts that tie into our plan. First, one of the things we’re going to talk about in the morning is how we can stand up a community of practice around the data engagement roundtable and whether we can use the platform that the community commons has to do that. Because if we can figure that out, it would be equally applicable here and we might end up with a way that we could do a set of things at the National Committee was part of facilitating, we need to think through what we can and cannot do. That would be one way.

The other thought, as we think through how to take the next steps with the framework, one of the things we’re thinking about is topical webinars. We need to sit down an systematically say, which parts of the stewardship toolkit should be represented as in the taxonomy as things that can become metadata links. Which parts are resources that should be linked to the taxonomy as a resource that you would get if you got that link?

That could be a useful, targeted, where maybe I or somebody else from framework, did something directly with the full Privacy Subcommittee, and not just the Framework Work Group.

MS. KLOSS: I think that makes sense because the toolkit becomes useful when it’s part of a targeted use case, not just in the abstract, do you like it?

DR. FRANCIS: I just wanted to say I thought the way we were thinking about this is not that we’re stepping away from it but that we don’t currently envision a new project. What we envision is pushing this one. To the extent that it does turn up to be important in the linkages with you folks and other things that the committee is doing, to expand it or push it, but we weren’t going to launch a whole new toolkit project.

DR. COHEN: I totally agree with you, Leslie. I think we have to talk the talk and walk the walk. If we are recommending to communities and hearing from them it’s actionable data they need and not more data, we don’t need more reports, we need to model disseminating what we do more effectively through a variety of mechanisms.

I think as we look forward as one of the themes in our work plan for this coming year, it should be – Linda you have opened my eyes to this on several occasions – we need to focus on our strategies for dissemination to the communities that we effect. I hope that is an underlying theme that repeats itself throughout our 2015 work plan.

MS. KLOSS: Is there anything else for the Privacy Confidentiality and Security Subcommittee?

MS. BERNSTEIN: If you want to have a hearing in February, I need to get on it, so I need to know what sort of people you want to come talk to you.

Can we think about that for a little bit, because it’s going to be December and it’s good to invite the kind of people we want to invite as soon as we can to nail down the dates and to figure out what sort folks you want to talk to. If we can get a sense of that, it would be helpful.

MS. KLOSS: I’m not sure we can do that in the next three minutes.

DR. SUAREZ: One suggestion, the Standards Subcommittee we have been talking about doing a hearing in February, so first we need to figure out the actual date. Then the development of the content for the hearing we were probably going to do it in discussions offline as well, but I think we can, and tomorrow –

MS. BERNSTEIN: It is December, I’m just worried about people going on vacation. We have you all here, I want to use your brainpower for the next ten minutes.

MS. KLOSS: We are returning now, we flip back to 1179. That hearing, that topic.

MS. BERNSTEIN: The usual format for a hearing, as opposed to the ones we did most recently, which were much more complex, I imagine you’re looking at more traditional hearings. We usually have three people on a panel three panels or four panels a day during a day-long hearing or if you have a day and a half.

The next Full Committee meeting is on a Tuesday and Wednesday, and there’s some reason why, relevant to your scheduling anymore, about who can be here on which day and which days Leslie is teaching, I think we were looking at. I think we were looking at Thursday so you didn’t have to miss your Monday and Wednesday class.

DR. SUAREZ: The Standards Subcommittee was looking at Thursday as well.

MS. BERNSTEIN: Of course, it’s the more attractive day.

MS. GOSS: (Off mic comment)

MS. BRNSTEIN: Right, it’s the more attractive day as opposed to Monday, when people have to travel on Sunday.

DR. SUAREZ: Another consideration is whether this will be a full day hearing. If it’s one topic, it could be half a day with two panels, two hours, three panels, whatever.

MS. BERNSTEIN: We can arrange the schedule for committee meeting differently. We have the Data Work Group, for some reason, every time for the half day after. We could have it the morning before. There are lots of different ways we could arrange the schedule so it would make sense for whoever is going to be there and whoever we want to participate. We might want to look at that as well.

Sometimes we have an afternoon and a morning, for example, it wasn’t clear to me. Maybe I am talking heresy, but it’s not clear to me that the Data Work Group has to meet every time we meet. We get an hour and they get a half a day. There is other time in there we may be able to work with that is adjustable, right?

MS. JACKSON: I don’t know. As you’re looking at the roles of the various components of the Committee, you might want to be real clear about the significance of this group that is a tie in with all the subcommittees.

MS. BERNSTEIN: We might want to overlap with them, we might want some of those people to be able to be available. That means maybe we could use some of their time, maybe we don’t. Just being open-minded about the schedule.

MS. KLOSS: I know the schedule is really important but I would like to scope the hearing first and see what topics are essential to explore, and then we would know if it’s two panels or four panels and then we can go look at whether it’s part of February.

MS. BERNSTEIN: Or a separate standalone hearing in March.

MS. KLOSS: I think the complexity of this is that we are going to be talking with some groups that we haven’t heard as much from and that we probably don’t know as much about. There is a medical banking association, there is the clearinghouse group, financial institutions themselves.

DR. SUAREZ: There are two separate topics that we can talk about. One is the standards and the other is privacy and security. In both of them, as I see it, the financial institution themselves, there are consumer groups that are where potentially some concerns come from with respect to the exception, that is part of what we want to hear, not just what the perspective of the accepted institutions are, but more importantly what is the perspective of consumers, for example.

Then there is the other, which is the covered entities, including the entities that use the financial institutions to do either payments or receive payments. Those are three at least. Again, this is financial institutions, consumers and covered entities.

DR. FRANCIS: Just on the consumer side, if I could add in there the primary worry is that medical information would bleed into financial information, particularly credit and mortgage kinds of questions. I know that before she went to ONC, Joy Pritts did a report on consumer views in this area.

This was one of the number one privacy worries that people had, that if their medical information was known by their bank, they wouldn’t be able to get a mortgage or a line of credit. Somebody in the consumer mortgage space, there is a standard privacy advocate that’s the sort of personal information kind of stuff, I don’t think that’s what we want. I think we want the consumer credit end of things.

PARTICIPANT: Along those lines, you might want to think a little non-traditionally, like the Consumer Finance Protection Bureau is doing some very interesting work in that, the entity, that Senator Warrens set up.

MS. BERNSTEIN: That is the regulators. The banking regulator committee, they are definitely a regulator, and they were made up of the consumer protection pieces of the banking regulating committee, we can certainly get someone from CFPB?

PARTICIPANT: There’s some other entities that have been looking at it. California’s attorney general has done some interesting work in all of this and there is a white paper, I’m pleased to share this with you. It’s about 18 months old or so, at this point. There is some other interesting things going around about e-patients, electronic empowered patients, some of them have a lot of overlap with PCORI. Some of them have some overlap with Stanford’s MX initiative.

DR. STEAD: As I listen to this I wonder if this needs to be a two-stage process. Do we need a fact finding first, that tells us what is the state of affairs now? To what degree is this a problem and where is it a problem?

If we had our hands around that, we could then design a hearing to know how to respond to the problem or what people’s views were on different ways you could respond to it or how big it was.

It seems to me, first we’ve got to get a clear definition of scope of the problem.

MS. BERNSTEIN: You are talking about two hearings.

DR. STEAD: I’m talking about a fact finding process, I don’t know if it has to be a hearing.

MS. BERNSTEIN: That’s a hearing.

MS. GOSS: I am hearing you say it differently. I’m hearing instead of a fact finding, I apologize if I’m stepping in inappropriately, I hear you want us to scope this out further, do some internal work, get our arms around it, maybe come back some further conversation, and it leverages the discussion we had earlier about overlapping the committees work for prioritization? Did I hear you right?

DR. STEAD: Yes, ma’am.

MR. SCANLON: If Joy was working on this then she would be willing to — I think Bill is right, you need to start with a diagnosis before you can figure out the cure. Just finding out what the lay of the land is and what people think.

MS. KLOSS: I think we’re on the same page. Maya’s point is that we use the hearing as fact finding, but before we can even figure out what the panels are and what the right set of questions are, we need to know more about the landscape. We need a landscape step.

DR. FRANCIS: There are some pieces of the landscape that we’re quite familiar with. One piece is that among financial institutions, there is some level of concern about when are they clearinghouses and when are they 1179 exempt. Just knowing where they are feeling uncertainty, but that requires a hearing because we have to get them here to tell us that.

DR. STEAD: That would be a very targeted question.

DR. SUAREZ: Among a number of other questions as well.

DR. FRANCIS: That’s one of the things I was seeing as a panel.

DR. SUAREZ: I would agree that we may not be here in this moment at 5:20 articulating necessarily the actual frame of the hearing. I think we understand and can scope out with facts that we have already found an some we might find also, the content, but it doesn’t mean that we cannot do it between now and the end of December in time to prepare for the hearing itself in February.

That is my sense. I think we have enough time to scope out this and then identify the right questions and the right people to address those questions.

MS. BERNSTEIN: Part of the process of starting with the parts we know very well, is to talk to those people on the phone when I invite them, and say who else should I get and what do you think the questions are and they will tell us. It helps us to scope out who else we get for the other panels where we are less familiar.

I can do some of that but we don’t have a lot of staff to do another kind of fact finding other than producing a hearing. The question is about inviting the right people to the hearing. As Leslie said, some of them we know, we can put together a hearing there.

I think these are, the entities you have mentioned, or the kinds of groups that you have mentioned, financial institutions, regulatory entities, consumer groups, covered entities, maybe the California AG or other states that are already working this area, patients, we can make a whole day hearing out of that group of people and find different representatives from those kinds of things.

If it takes more than one hearing, we surface more questions, we can certainly have another follow up hearing in which it looks sort of like what Bill is suggesting, which is the first one is fact finding and the second is more targeted.

DR. MAYS: I think I am hearing the difference is the fact finding is for the questions and not the people, necessarily. So it is really going into the hearing with a very clear set of questions and then getting the people, as opposed to the people and then another layer from the people finding out, oh there is another set of questions.

I am always amazed by how much work Standard is able to get done, and I think some of it is very clear idea of the questions. Unless I am not hearing it right, it was to spend some time to get the question clearer.

DR. FRANCIS: Can I give you ac couple of questions?

MR. LAZARUS: I was part of a task group that WEDI conducted four or five years ago, that looked at some aspects of these issues. The group was chaired by Lee Barrett, a report was put out and the word banking and financial institution representatives as well as health care representatives, took part in a six to nine month effort.

It will not provide you all of the information but it will provide some of the issues. What the interpretation was and why. As I recall, we should also as background information, look at the legislative intent from the discussion at the time of the legislation, which reveals a lot about what the intention of what this exemption was.

DR. FRANCIS: I was going to give you just a couple of questions. One is, what are the understandings of 1179 and where are there confusions on the part of the financial industry? That’s a pretty focused question we could get an answer to. Another set of questions is, what are the articulated consumer concerns?

A third set of questions is, and this is probably much more from the regulators, to what extent is there data that supports these concerns, that is, is there evidence that as banks function in one way or another with respect to health transactions, are there any examples where the information has bled that may be regarded as problematic?

Those are some questions that we need a hearing to get answers to. There are others that are gently in that space but those are at least three.

DR. SUAREZ: Just to share some perspectives from the Standards Subcommittee, being in standards we have a template for preparing for a hearing. The template includes various elements, including the background of the issues or the issue that will be addressed by the hearing, the specific question that will be asked to different stakeholders.

All of that is created based on the discussion of the National Committee by working with staff and subcommittee members, in defining and drafting the actual two page document that then gets used to communicate with potential testifiers.

All of that is prepared in the background, if you will, as part of the development of the plans for the hearing and then the process of identifying and inviting people to the hearing and confirming them, then announcing the hearing and getting others to submit written comments.

MS. KLOSS: Our subcommittee has held hearings. Maya does knows what it takes.

DR. SUAREZ: I am not doubting at all. I am just suggesting that we are within the timeframe that usually we at the Standards Subcommittee use to create a hearing between now and February. This is a topic that is somewhat of a priority.

MS. KLOSS: I think there is one difference and that is we know less about this topic probably than what Standards knows about its territory. This 15 minutes has been very helpful. Thank you for not letting me adjourn at 5:00, which is when I thought we were adjourning. We got a lot of good ideas and good places to start.

I think what we will do is schedule a subcommittee call before Christmas. Is that a plan? Anything else for the good of the cause?

MS. JACKSON: I will follow up in looking at some of the logistics. As Maya said, December winds up being an unusual month. Productivity in the first two weeks and then people disappear until the beginning of the year. So if you’re trying to get some work done, this is the time to do it.

This is crunch time, because you will be looking in the next three to four weeks, pulling together text for Federal Register Notice, and that kind of thing. Even before then, sometimes in the next week or so, we will take a look at a doodle poll to see who is available to get a critical mass from both of these groups to start looking at your time period.

If you are identifying that day, you don’t want just set a day and go forth until you find out how many people in your subcommittee are going to be available on that day. We will work out the logistics like that.

MS. KLOSS: Very good. I think we are adjourned.

MR. SCANLON: I think we have come to the part of the meeting where we see if there is any public comment either one the phone or the audience.

(No response)

None here in the room. Any public comment? Do I hear a motion to adjourn?

(Whereupon, the Subcommittee adjourned.)