[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

February 13, 2007

Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway
Fairfax, Virginia 22030

TABLE OF CONTENTS

P R O C E E D I N G S (9:10 a.m.)

Agenda Item: Call to Order, Welcome and Introductions

DR. COHN: I want to call this meeting to order.

This is the first day of two days of meetings of the National Committee on
Vital and Health Statistics.

The National Committee is the public advisory committee to the U.S.
Department of Health and Human Services on national health information policy.

I am Simon Cohn. I am the Associate executive Director of Kaiser Permanente
and chair of the committee.

I want to welcome committee members, HHS staff and others here in person.

I also want to welcome those listening in on the internet, and I want to
especially welcome our four new committee members whose terms began on December
1, 2006.

First is Garland Land, and, Garland, thank you for coming. This is your
second meeting. Garland is currently the Executive Director for the National
Association for Public Health Statistics and Information Systems, NAPHSIS, and
I think we introduced you a little bit last time, but we obviously just want to
recognize your previous background with public health and public health
informatics in Missouri. So thank you for joining us for a second meeting and
your first as actually a formal member.

Our next is Leslie Pickering Francis, and, Leslie, thank you for joining
us. I didn’t get a chance to say hello to you beforehand, but we are
pleased that you are here.

Leslie is the Chair and Professor of the Department of Philosophy, as well
— and we are going to have to talk about this offline — as well as Professor
of Law at the University of Utah, which I think is a very — it seems very
appropriate, I guess, but somehow surprising.

Obviously, we are very pleased to have you join us.

Leslie has testified before the Privacy and Confidentiality Subcommittee,
and she brings an expertise in ethics, public health, privacy and
confidentiality, consumer and patient issues to the committee. So we obviously
are very pleased that you could join us, at least over the phone at the Privacy
and Confidentiality Subcommittee meeting, and, obviously, we are very pleased
to have you here in person. So welcome.

Dr. Larry Green is a nationally-known researcher and a professor of family
practice at the University of Colorado, and, obviously, with the way the
weather is outside, I don’t think you feel like you’ve probably left
Denver at this point.

He is also a Senior Scholar in residence at the Robert Graham Center for
Studies in Family Medicine and Primary Care located here in Washington.

So, obviously, pleased to have you joining us.

Now, finally, we have Marc Overhage, who is an internationally-recognized
health informatics expert.

He is President and CEO of the Indiana Health Information Exchange, a
Professor of Medicine at Indiana University, and — head of the Regenstrief
Institute.

DR. OVERHAGE: Director.

DR. COHN: Director. Excuse me. Director of the Regenstrief Institute,
replacing Clem McDonald, who, as I think as you all may remember, was a former
member of the committee. So we are obviously —

PARTICIPANT: Who is here at HHS.

DR. COHN: Yes, who is now in HHS, exactly.

Marc also has testified frequently before the committee and especially
Standards and Security, and, obviously, we are very pleased to have you join us
and look forward to your active participation.

With that, let’s have introductions around the table and then around
the room.

For those on the national committee — and this includes also the new
members — I would ask if you have any conflicts of interest related to any of
the issues coming before us today, would you please so publicly state during
the introductions?

And I want to begin by observing that I have no conflicts of interest
today.

Marjorie.

MS. GREENBERG: I am Marjorie Greenberg from the National Center for Health
Statistics, CDC and Executive Secretary to the committee, and I think from
those introductions, it is obvious that it is a little dangerous to testify
before the committee. We may recruit you to be a member.

MR. ROTHSTEIN: Mark Rothstein, University of Louisville, School of
Medicine, member of the committee. No conflicts.

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the
committee. No conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina,
member of the committee. No conflicts.

DR. WARREN: Judy Warren, University of Kansas, School of Nursing, member of
the committee and no conflicts.

MR. LAND: Garland Land with NAPHSIS, member of the committee. No conflicts.

DR. VIGILANTE: Kevin Vigilante, Booz-Allen and Hamilton, member of the
committee. No conflicts.

MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member
of the committee. No conflicts.

DR. FRANCIS: Leslie Francis. University of Utah, College of Law and
Department of Philosophy, and I have no conflicts.

MS. TRUDEL: Karen Trudel, Centers for Medicare, Medicaid Services. Liaison
to the full committee. Staff to the Subcommittee on Standards and Security.

MS. MC ANDREW: Sue McAndrew, Office for Civil Rights. Privacy liaison to
the subcommittee.

DR. STEUERLE: I am Eugene Steuerle from the Urban Institute, member of the
committee. No conflicts.

DR. SCANLON: Bill Scanlon from Health Policy R&D. Member of the
committee. No conflicts.

DR. GREEN: Larry Green, University of Colorado. No conflicts.

DR. FITZMAURICE: Michael Fitzmaurice, liaison to the national committee,
and staff to the Subcommittee on Standards and Security.

DR. OVERHAGE: Marc Overhage, Indiana University and Indiana Health
Information Exchange. Member of the committee and no conflicts.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention,
liaison to the full committee.

MR. BLAIR: Jeff Blair, member of the committee. Lovelace Clinic Foundation.
No conflicts.

MR. SCANLON: Good morning. I am Jim Scanlon from the HHS Office of Planning
and Evaluation, and I am the Executive Staff Director for the full committee.

MS. SIDNEY: Cynthia Sidney, staff to the committee.

MS. JONES: Katherine Jones, CDC, NCHS. Staff to the executive committee.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC,
committee staff.

MS. HORLICK: Gail Horlick, CDC Atlanta. Staff to the Subcommittee on
Privacy and Confidentiality.

MS. BUENNING: Denise Buenning, CMS, Office of E-Health Standards and
Services, lead staff to the Subcommittee on Standards and Security.

MS. WILLIAMSON: Michelle Williamson, National Center for Health Statistics,
CDC.

MS. VIOLA: Allison Viola(?), American Health Information Management
Association.

DR. COHN: OK. Well, I want to welcome those in person.

Now, we want to sort of test out — We understand that there are,
hopefully, some other members who have been calling in.

Is Don Steinwachs or Paul Tang there?

DR. STEINWACHS: This is Don Steinwachs, Johns Hopkins University, member of
the committee. No conflicts.

MS. MC CALL: This is Carol McCall, member of the committee. No known
conflicts.

DR. COHN: Welcome.

DR. TANG: And Paul Tang, Palo Alto Medical Foundation, member of the
committee. No conflicts.

DR. COHN: OK. Well, I want to thank you for joining us on the phone.
Obviously want to especially welcome the intrepid souls who came all the way to
Washington for this sort of snowy, wintery mix, which we’ll reflect on a
little later.

But, obviously, we want to thank you for being on the phone, and we’ll
do our best to, as always, speak clearly and into the microphone, which we want
to remind everyone, both current members and new members, because these
microphones are a little tricky, and certainly pipe up on the phone if you
can’t hear us.

Now, before we move into the agenda review, I want to make a couple of
opening comments, and then we’ll move to the agenda review and then do the
department review.

Since our last meeting in November, our work continues at a speedy fast
pace. This reflects the increasing importance and the federal intention being
placed on health information technology and the role, of course, that it can
play to improve the quality and reduce the cost of health care, as well as,
hopefully, improve the health of all Americans.

Within HHS, Secretary Leavitt continues to consider promotion of
interoperable HIT one of his key priorities, and his leadership on this issue I
think we all recognize as being phenomenal.

And, of course, in all of this, the NCVHS continues to play an important
role directly advising the Secretary and the department, as well as providing
expertise and liaisons to other HHS initiatives, moving the vision of the NHII
forward, including, of course, the AHIC workgroups.

I want to thank those of you who are actually liaison members.

This, of course, is against the backdrop of significant congressional
activity this past year, and we should expect to see continued interest in the
current session.

As many of you remember, we testified before the House Ways and Means
Committee on HIPAA and health information technology last year.

Mark Rothstein, I think — since our last meeting — actually had the
opportunity to testify also on HIT issues, though as a private citizen, and we
should certainly be expecting continued interest in our work and thoughts as we
move into this year.

Now, the NCVHS activities since November have included an opportunity to
actually formally brief Secretary Leavitt and ONC on our work to define a
minimum, but inclusive, set of functional requirements for the initial
definition of a nationwide health-information network.

This work has been very well received both within HHS and by the industry,
and we anticipate additional opportunities for such ad hoc activities as this
year proceeds.

Privacy and confidentiality, as I commented, continues to move forward at
what I describe as an augmented pace.

They produced the excellent report in June on privacy and NHIN. I see this
document now being used in the wider health-care community as a primer, an
important resource document as groups begin to deal with the issues of privacy
as we move forward with extended use of RIOS(?) and the nationwide health
information network.

There have been two hearings by the Privacy Subcommittee, since our
November full-committee meeting, and I know Mark Rothstein will be briefing the
committee later on today on issues in preparation for a letter coming out in
June.

Populations had a hearing this past fall on data linkages, and assuming
weather permits, we’ll have a hearing tomorrow afternoon on surge
capacity, following a full committee meeting.

Quality Workgroup has been active and is forging a strong relationship with
AHRQ on a variety of performance measurement and longer-term issues.

The Subcommittee on Standards and Security has been very active this year,
and since our last meeting has held hearings on national provider identifier
implementation issues, as well as HIPAA next steps, and we’ll be bringing
a letter forward later on today on NPI implementation.

In a word — in a phrase, there is obviously a lot going on, and this will
obviously continue through the year.

Agenda Item: Review of Agenda

DR. COHN: Let’s now move into the agenda review.

This morning, we begin with a department update. Jim Scanlon, our Executive
Director, will lead off with the department perspective, followed by Karen
Trudel of CMS, and, then, Sue McAndrew or do I have that wrong? That’s OK.
Sue McAndrew of OCR.

Then we are pleased, I think weather permitting, to have John Loonsk — he
is the Director for the Office of the National Coordinator — to give us an
update on the work of ONC.

Following the morning break, we move in discussions of the letter on the
national provider identifier.

As you know, the NCVHS has statutory responsibility to advise HHS and CMS
on HIPAA implementation of which the NPI is an important piece.

After lunch, we will have discussions on privacy and confidentiality in
preparation for the letter, as I commented.

Then, I think we are going to be having an opportunity to discuss the HIPAA
annual report. Now, as I say that, I am looking at Jim Scanlon, hopefully, that
we will have something, but we will discuss that.

Now, finally, we are hoping to have an opportunity — I know Don is on the
phone — to discuss, I think, some issues coming out of the populations
subcommittee, again, an issues paper with the idea — and I think Bill Scanlon
will help lead this conversation since he’ll be here — in preparation,
hopefully, for a letter in June, but I think the committee — the subcommittee
wants to get the views of the full committee as they begin to develop
recommendations and a paper.

Now, at about 3:30 p.m., we will adjourn the full committee and break into
sessions for populations as well as standards and security.

At this point, I think we are also intending to have a 5:00 p.m. to 6:00
p.m. meeting of the workgroup on the national health information
infrastructure.

Dinner, I think, as we commented — in your information is at 7:00 p.m.

Now, let me make a couple of comments, given the weather conditions
outside, and I think most of you — and those of you on the phone just be aware
that we are dealing with what is described as a wintery mix of weather in
Washington, D.C., which is — best I can tell, means the likelihood of
hazardous weather conditions are likely on the rise as the day progresses.

I would certainly encourage the committee — knowing that tonight may be
icy, there may be road closures, we aren’t clear whether the government
will start up promptly tomorrow morning — that any action items we should pay
particular attention to trying to deal with today while we are here, while we
are all together, and I would just sort of emphasize that.

The other piece is is that we do have a committee dinner tonight. Marjorie
and I were talking, and, whereas, I think we want to invite members of the
committee, especially those from out of town, we are going to encourage staff
to make it home while you still can, and so I think there will likely be a —

DR. VIGILANTE: That is rather ominous, while you still can.

DR. COHN: Well, Kevin, you live here. I mean, maybe you would like to
comment about this in a different —

DR. VIGILANTE: No, no. I think we live in a world or weather wimps here.

DR. COHN: Yes, exactly. Well —

DR. VIGILANTE: We have an eighth-of-an-inch of snow.

MS. GREENBERG: I grew up in North Dakota. Snow does not bother me, but ice
does. Ice does —

DR. COHN: OK. Well, I think everyone is effectively agreeing with me in
their own words.

DR. VIGILANTE(?): I agree.

DR. COHN: OK. And, Marjorie, I guess I would ask how do you want to
ascertain the numbers for dinner?

MS. GREENBERG: I guess if we could just have a show of hands. I mean, for
those of you who don’t know the area, the restaurant is not that far from
here, and I don’t see any reason —

DR. COHN: Centrally located, yes.

MS. GREENBERG: — why people who are staying in the hotel downtown
can’t proceed with your plans, but I think it might be wiser for some of
the staff maybe to get home before it gets too late and too icy, or local
people.

But, anyway, so how many people would plan to be going to the dinner?

OK. Eleven, is that it? Twelve? Yes. OK. So I don’t know if we are
expecting Janine or somebody will call the — So 12, and I am sure — I would
think with the weather being as iffy as it is that they’ll understand if
there’s a little change, but we were supposed to give them a number by ten
o’clock.

And speaking of socials, there are pictures here from the barbeque in
September, if you haven’t seen them or if you weren’t there and want
to look at them. Yes, you want to feel like you were —

DR. COHN: Well, OK.

MS. GREENBERG: — encourage me to —

DR. COHN: Well, we’ll deal with that during breaks.

Agenda Item: Update from the Department

DR. COHN: With that, why don’t we move into the department review,
and, Jim, why don’t you — if you would please lead off.

MR. SCANLON: Thank you, Simon, and good morning, everyone.

I guess we last met in November. So this is our first full meeting of the
new year, and I thought what I would do is probably look ahead a little bit.

I am going to talk about the budget that the President sent up on February
5th and some of the health IT and data policy initiatives there, and
a sort of a look ahead on the legislative front as well, and then there’s
some specific projects that I wanted to update the committee on.

But, first of all, on the legislative front — and I preface this by saying
no one makes a living trying to forecast what Congress is going to do — but,
at any rate, there were a number of health IT bills introduced in the
109th Congress, the last Congress. Some of them involved this
committee.

There were some new tasks for this committee. There were some broader
health IT bills that would create grant programs and all sorts of things to
promote or accelerate interoperable health IT.

And, then, there were some other bills that were directed at pretty much
the federal health plans in the work forces, and they were, more or less,
trying to stimulate personal health records and so on for federal health plans
and so on.

And I don’t believe that there have been any bills introduced, so far,
in the 110th Congress, but I think everyone — the best intelligence
is that there will be continued interest, even renewed and expanded interests
in health IT in the coming year, and it will probably follow some of the bills
that were introduced last year and possibly some additional issues as well.

There’ll probably be a fair amount of interest in privacy as well.
Simon mentioned that Mark testified on his own behalf before a hearing in the
House that was following up — in the Senate, I’m sorry — that was
following up on a GAO report on how is the department and others — how are we
coordinating all of the privacy issues associated with the national health
information network.

So we don’t have any specifics. We’ll be monitoring the situation
closely, but I think we can probably look for great interest in the coming days
on the Hill on health IT legislation.

On the budget side, the President’s budget for fiscal year 2008 was
sent to Congress on February 5th, and it continues to support a
number of health IT investments that this committee was involved in and is very
supportive of, and let me update you on that.

In terms of the total budget — this is not health IT — the total budget
for HHS is almost $700 billion. Now, that includes — that would probably make
us larger than Fortune 1, than the largest Fortune company, I think, but, at
any rate, much of that is entitlements — Medicare, Medicaid, TANIF and so on.

The discretionary part of that budget is about $68 billion. That includes
funding for NIH and for CDC and FDA and so on — and AHRQ and so on.

On the health IT side, the funding is actually continuing at levels we have
seen in the past.

The budget for the office of the national coordinator — and John will
update you on this more when he gets here — is $118 million, which is actually
quite a bit more than their fiscal year ‘06 and ‘07 budget, and
I’ll tell you a little bit more about what is in there, but they are
continuing basically current efforts, and there would be an effort to transform
the AHIC apparatus into a public/private partnership. I forget what the name
being considered is. I think it is Health Care Improvement Partnership,
Partnership for Health and Health Care Improvement.

But, at any rate, the idea would be– As the Secretary has said a number of
times to the AHIC itself, the idea would be to begin to transform the AHIC,
which is now a federal advisory committee, to a public/private partnership,
where it would have — in essence, be able to carry out its work in that vein.

And, then, in the ONC budget, which John will tell you, there are a couple
of other initiatives.

One of the initiatives that I think we are very pleased with — and I know
the committee is as well — there will now be in the ONC budget — we kind of
placed it there — $5 million to establish a fund within HHS for health data
standards, development for mapping, for interagency standards development,
assessment and mapping work.

You’ll remember that previously, this fund — thanks to the good
graces of AHRQ — was placed in AHRQ for a three-year period, I think, Mike,
and then — but we agreed that we wouldn’t ask to absorb this any — I
mean, beyond ‘06.

So the department and OMB and everyone agree that this was a good
investment. So hopefully, now — That is $5 million. It is about the level we
had in ‘06, I think.

So this will support much of the — this supported the work on RX Norm, on
Daily Med, on the mapping of the various terminology sets to each other, and we
hope we’ll be able to move forward on that as well.

There was also a — I think I talked to the group previously about the
Secretary’s top 10 priorities, and I think we discussed those previously.

One of those is this concept of personalized health care, and the idea here
was to bring the fruits of research and technology in health care to — and
prevention — including pharmaco genomics and so on — to everyday health care
in the U.S., and the Secretary refers to this as personalized health care, and
a big part of this will involve genomics and so on. There is some work underway
here already. The AHIC has established a working group, but, for the budget,
there is a $15 million initiative in the AHRQ budget that will support efforts
along these lines, and a fair amount of that budget will be used for — if I
can describe — it would undertake pioneering work into utilization of health
IT for linking clinical care with research and available genomic data to
accelerate clinical breakthroughs and integrate them into the everyday health
care setting. So that should be an exciting and an interesting development as
well.

On the population health side and population health data, most of our major
HHS statistical systems and public health data systems are being funded pretty
much at the level — previous year’s level, though there is an increase in
the National Center for Health Statistics of about $900,000 for a new home and
hospice survey, which I think has been in the works for a while.

Otherwise, I think for most of our major surveys and data systems, I think
we are continuing them at current levels, which is actually quite an
accomplishment, given the pressure on domestic discretionary spending these
days.

Agenda Item: Data Council

MR. SCANLON: As I said, within HHS, our Data Council is looking at how our
data and statistical systems can support the Secretary’s top 10
priorities, which we discussed previously, and, in February — I think later
this week — the Data Council will be looking at how the department can improve
access and the utility of our data and statistical and analytical products,
especially for policy research and program utility, and, at the meeting in
February, we will be looking specifically at our various research data centers.

We have at least three research data centers in HHS, and we have other
agencies who have parts of research data centers. This is in addition to
public-use data files and reports and tables that the agencies produce.

The research data centers are designed to provide access to micro-level
data under very protected and selected circumstances. So you can protect
privacy and still allow researchers and public health workers and others to be
able to analyze the data. No one walks away with any identifiable data, but you
do walk away with your analysis. So you sort of achieve both purposes.

So we’ll be looking at that, and we may — depending on what the
populations subcommittee sort of sets forward in terms of recommendations and
our discussion at the Data Council on Wednesday, we may decide to take some
further work in that area.

That probably is the way, given the technology for — just as we move
forward on confidentiality in data, it seems that the technology moves ahead as
well on the side of threats to privacy and confidentiality as well.

So there have always been — there’s always been attention to this
issue in research and statistics, and, now, we are looking ahead to the form
that will take in the future.

One other thing, two other projects I think I have talked a little bit to
the committee about before. We have started a project with NCHS and other
statistical programs within HHS on the potential of using — this is, again,
future looking — electronic health record data and so on for a health survey
and statistical purposes.

And, again, we’ll — I think I briefed the committee as well on this.
We have started a study — we are well along now — looking at the quality, the
comparability and utility of the income data and asset data that is collected
in our major surveys. This is usually one of the major policy variables in our
surveys. Most federal programs and other policy research looks at that variable
as one of the dimensions, and we are well along and we are looking at about a
dozen of the major federal surveys and how they collect income data, how is it
comparable, what does it benchmark to and how good is it, and how could it be
made more useful.

MR. BLAIR: — income data. You are talking about the income of the patient
or consumer?

MR. SCANLON: The household, yes. The household. Yes, these are household
surveys, for the most part, yes.

And let me to stop there.

DR. COHN: Any questions for Jim? Mike.

DR. FITZMAURICE: Jim, do you want to mention where those three data centers
are located?

MR. SCANLON: Oh, sure, sure. Three data centers in HHS. Research data
centers. These are not the regular IT processing data centers.

One is at the Agency for Health Care Research and Quality, Mike’s
agency. Second one is at the Center for Medicare, Medicaid Services, and a
third is at the National Center for Health Statistics at CDC.

And we have a couple of other agencies that — they don’t have
full-blown research data centers, but they do have Web sites and other analytic
services on the Web, for example, where you can generate your own tables. So we
are going to talk about those as well, and we might be looking at how can we
sort of tie these all together in a way for the department.

I might say that it is not easy to use these data centers, necessarily.
Sometimes, you have to be there physically. Other times, it is a complicated
sort of situation. So —

Census Bureau has one as well.

MR. BLAIR: I am not sure if you could clarify things in more detail in this
area, but I think that you mentioned that for the National Library of Medicine
there was $5 million allocated, and you mentioned referencing covering
continuing work on RX Norm, and do you know, at this point, that — If there is
going to be continuing work on the mapping to UMLS(?) and continuing work with
SNO Med(?) in concept-oriented data, it might need more. Is there a different
pot of money for the mapping work or is that all within the $5 million?

MR. SCANLON: First of all, this is fiscal year ‘08. So this is more of
a request than an actuality, but the idea is to — and the $5 million would be
placed in ONC, but, presumably, when ‘08 rolls around, if we get this
funding, some of it would support — wherever we are with the mapping, Jeff, at
that point, and RX Norm and Daily Med.

MR. BLAIR: But all of those topics are considered to be within the $5
million.

MR. SCANLON: Well, we’ll see what the research plan would be, but,
yes, yes. There are supplementary funding — really what agencies can find on
their own — and NLM, certainly — I won’t speak for Betsy, but NLM
usually supports some of this funding anyway, even aside from this.

MS. GREENBERG: Jim, I might mention, particularly for the benefit of the
new members, that one of the letters that was sent to the Secretary from this
committee in November specifically encouraged that this type of funding be —
continue to be devoted to or dedicated to this type of standards work. So that
is very positive.

MR. SCANLON: It worked very well in previous years. Again, we had an AHRQ
ASPI fund, and even OMB liked it, and they always say no. So it must be doing
something right.

DR. SCANLON: This is both a comment and a question, and it is in the
context of the populations subcommittee thinking about the data needs for the
21st Century; and, Jim, I think you did a very nice job of
describing the glass as half full, saying the surveys are going to be continued
at current levels.

And I guess it is — I think it is important to bring up that these current
levels are not levels that we were used to, if I understand that right, that we
have actually had to make some sacrifices in terms of what we are collecting.

And, then, I think, in terms of the subcommittee’s work for the
future, that there is probably the reality that we really need to be collecting
a lot more information, that it is really, in some respects, an investment to
try and — If we want to sort of be able to, from a public policy perspective,
manage our health care system better, we need to know a lot more about how it
operates, and that the need for that kind of information is going to become
more and more important as we move forward.

But am I right that we are not necessarily at levels that we used to be in
terms of —

MR. SCANLON: Well, I think it is — I was talking about the ‘08
budget. We’ll be looking at — ‘07, I should mention, for the current
fiscal year, we are — and most federal agencies are on a — the continuing
resolution, which is — really, we are sort of straight lined at the levels of
last year or some other level, and the chances are we will have a resolution
like that for the rest of the year.

I think it is fair to say, though, that the needs for data are — always
exceed — the demand for data and the needs for data always exceed the
resources available and it is always a prioritization issue, and, yet, I think,
folks, when the President proposed this health access tax breaks and so on for
health insurance coverage, much of the analysis there was based on data from
HHS surveys, from the MEPS and from other surveys. So it takes a fairly big
investment to have that available, whether you use it or not, and that is kind
of — So, in a way, it is not visible ‘til you call on it, and if you
haven’t made the investment already, it is too late.

So I think we really do — To be honest, I do think we need to rethink some
of the surveys in terms of — I don’t think we are going to get a lot more
money. That is just not going to happen. So I think everyone has to become
prudent planners and analysts and get the best out of our surveys.

DR. STEUERLE: Just one comment and then a question.

The comment is I think when you say straight line, I think you are talking
about nominal dollars, right? So —

MR. SCANLON: Yes.

DR. STEUERLE: So in real dollars, it is going down with inflation, which
using three percent or four percent inflation every year that’s a real cut
of about three or four percent per year. Compounded, it really starts adding
up.

I hope, Jim — and I am sure you will — that you’ll help us think
out, in terms of when we do things like our workshop on data linkages, you
know, there were a number of suggestions that came through there. There is
always this question of how do we integrate it in in a broader budgetary
context. I certainly hope you’ll help us think about how we can be most
useful to that process.

My question is a little more specific on when you talk about continuing
existing surveys, there’s a number of surveys, for instance, where there
are a lot of improvements could be made if we could figure out ways to
integrate them with other data sets, which was part of our workshop, or where
we would like something more like a better time series data or we’d like
to link with wealth data.

HRS — Health and Retirement Survey is one of the few that really does a
good job, I think, on the income and wealth side, but then you only get a
certain subpopulation.

So when you say continue existing surveys, does that pretty much confine
them to their existing status, so Health and Retirement Survey only does 51- to
61-year-olds and you can’t link up additional years or is there
flexibility within these budgets —

MR. SCANLON: Well, yes, I think — All I was referring to was the dollar
level. We always have — and I think that is why I guess rethinking is probably
not the best.

Statistical agencies tend to be fairly conservative, for a good reason. You
are protecting time series, and I think we have to be a little more nimble and
sort of open up things analytically. I think that is sort of what you are
talking about, and even structurally for some of the surveys, and I think that
is — I don’t think the levels of funding will be much more than they are,
but — except NCHS will be getting funding for this Home and Hospice Survey,
which is actually a new — Well, I think it was done previously, but it will be
done again.

So I think it is — Certainly, Gene, I think making better use and analytic
use and even design of the surveys, I think that is always open.

DR. STEUERLE: Just a related question. The President recently proposed two
very major health initiatives, one of them on which I have worked, and I know
your office worked was this limitation on tax —

MR. SCANLON: On tax —

DR. STEUERLE: — exclusion.

MR. SCANLON: Yes.

DR. STEUERLE: And Treasury, as well as HHS, I am sure, worked long and hard
on trying to make estimates, and, as you know, based on very, very weak data in
terms of integration of what actually health insurance costs per employee
projected out to the future so on and so forth.

I mean, I wonder if there is also not a play here in terms of just pushing
a little bit for more research where we know there are policy initiatives or
there have been policy initiatives, where we can admit a little more readily
the weakness of what we had to rely on to make —

MR. SCANLON: Well, we always use secretarial and presidential initiatives
as a horse to ride for more funding.

DR. STEUERLE: We are making —

DR. COHN: OK. Garland, and then we’ll move on, hopefully, to the next
presentation.

MR. LAND: I know we are interested in the national surveys, but I want to
make sure that we —

DR. COHN: Garland, you need to get closer.

MR. LAND: I want to make sure that we understand what I think is a real
crisis coming up in terms of the vital statistics system.

With the level of funding for ‘07, and now the level funding for
‘08, the national center is faced with some very difficult decisions of
what to do, because there is not sufficient money to purchase 12 months of
data, and they are looking at some scenarios I don’t think anybody would
favor, possibly only having seven months — collecting seven months of data in
‘07 — that would be birth and death data — possibility in ‘08, if
they fund ‘07 calendar-year data with ‘08 monies, then they will not
be able to purchase 12 months or any data for ‘08 for mortality data, and
other scenarios are just as drastic.

So we really are facing a serious crisis for the — if we think that having
birth and death data for the nation is important, which I think most of us
would agree, that the money isn’t there right now, and they are really
struggling with what to do about that situation.

DR. COHN: I think Jim is nodding his head.

MR. SCANLON: Yes. Well, I think Ed — I think we have to have Ed come back
and report periodically.

I have to say we have not — The current year is ‘07, and I think we
— Since the funding available is not clear yet, though looks pretty clear, we
haven’t really looked at where would we be in ‘07, but I think you
are right. I think the vital-statistic system has always been — it is little
recognized for its importance. It is the foundation for all the other health
statistics and there is always difficulty in funding. In fact, we ended up
eliminating two components of it in the past. So —

DR. COHN: And given that we have had a couple of questions, now, as we move
on to Karen, I do want to just observe that, obviously, this is an area where
there have been a number of issues brought up by members of the populations
subcommittee.

This may actually be something that you may want to work into a letter,
hold hearings on or otherwise, if you feel that this is something that should
be — I mean, it is one thing to talk about it. It is another thing to send a
letter raising the issues.

OK. Listen, thank you, Jim.

Agenda Item: Health Insurance Portability and
Accountability Act of 1996

DR. COHN: And our next presenter is Karen Trudel, and, Karen, thank you.

And this time, obviously, we are having sort of a change of pace in terms
of the presentations, because, rather than just a general HIPAA update, we are
actually going to be looking more to a specific area that I think Karen wanted
to bring to our attention. So, Karen.

MS. TRUDEL: Right. Thank you.

I am going to concentrate on a guidance document that CMS published
recently that provides specific guidance for applying the HIPAA security rule
to situations of remote access and remote use of electronic protected health
information.

This is something of a landmark in that this is the first time since the
security rule was published that we have issued formal guidance on this
document.

Previously, we had provided — we have published educational materials.

This is the first official guidance document. It was released on December
28th of last year, and I would highlight the fact that it does not
change the security rule. It simply examines the backdrop of the security rule
and how it specifically applies in cases of use of data remotely and remote
access.

I probably didn’t need to provide this slide: Why a new guidance?
Obviously, there has been enormous change in the technology. Mobile devices,
BlackBerrys, the storage media have become smaller and smaller and more and
more portable; and, of course, I think everyone is aware of recent security
incidents having to do with either thefts of laptops with EPHI on them, thefts
of media containing EPHI that were taken off a campus, reports of access by
unauthorized users, problems with inappropriate destruction of EPHI that allows
it to be utilized, and the original security rule was intentionally broad. So
the need to bring some of these broad concepts home and distill them to a
remote access scenario was pretty considerable.

In terms of what has affected the list on this slide is just the tip of the
iceberg — laptops, home PCs, PDAs, PCs in libraries and hotels and other
public places, wireless access points, flash drives, smart cards. All of these
things are anticipated in this guidance.

One of the Guiding Principles that we wanted to bring to people’s
attention was that there is a real need to be deliberate about remote use of
electronic PHI. In other words, when EPHI leaves one’s premises, there
ought to be a good solid business reason for doing it, not simply because you
were taking a laptop off site and it happened to have a lot of data on it.

So that is one of the things that we are trying to stress here, and that
the release requires risk analysis, policy and procedures and risk mitigation
strategies, just as any other security procedure or process.

Here are some example business cases for remote use of EPHI: A home health
nurse updating electronic records during a patient visit; physicians reviewing
refill requests at home for e-prescribing; for continuity of operations, EPHI
being maintained in an off-site data center for disaster recovery.

All of these things are appropriate uses of EPHI remotely, and there are a
host of others that we haven’t specified here.

Again, this is the backdrop against which we are looking at these
remote-access factors, and that is risk analysis.

There is a requirement in the security rule to analyze risks and mitigation
factors, and, in general, to look at size, complexity and capabilities of the
entity, the technical infrastructure, the security measures and the probability
and criticality of potential risks.

In terms of policy development we are talking about the normal training,
compliance workforce awareness, and our guidance specifically talks about three
areas: Access, storage and transmission of EPHI.

Some examples of the data access strategy and the guidance document itself
presents these in matrix form, talk about things like lost passwords,
unattended workstations, failure to log off public machines. We have had an
incident recently with someone using a hotel computer and data being
inadvertently retained.

Some of the things that we need to address are stronger authentication,
clearance and training, but, specifically, again, limiting access to EPHI to
users with specific requirements and authorizations, session termination. These
things seem very simple and almost no brainers, but we did not get to this
level of detail in the security rule, and we felt that we needed to go to this
level to bring this awareness to covered entities and make sure that, as they
consider their risk analysis and their mitigation strategies ongoing that they
take some of these specific considerations into consideration.

Data storage strategies. Some of the risks are EPHI on lost or stolen
portable devices, unauthorized use of EPHI after faulty device disposal, loss
of data, viruses via portable storage.

And some of the mitigation strategies that could be useful would be
procedures to track devices in location; encryption of EPHI, so that even if
the file is lost it can’t be accessed; appropriate deletion and disposal
procedures for media; and appropriate security policies for PDAs, smart phones,
BlackBerrys, et cetera.

MR. BLAIR(?): Is this a presentation we’ll have a copy of?

MS. TRUDEL: Yes, you have. Yes.

In terms of data transmission strategies, clearly, the main risk is data
being intercepted or modified during transmission and we do make a stronger
point about encryption and use of open networks in this guidance than we did in
the original security rule. We do talk about where it is practical and
appropriate prohibiting transmission of EPHI via open networks, using secure
connections for email, mandatory encryption for Web systems, et cetera.

Our next steps will be to obtain additional industry input. In the guidance
device itself, we provided a feedback mechanism.

We intend to develop a proposed rule that will include at least the
information that is in the security guidance, and that is specifically for the
purpose of assuring that the guidance, once it is part of a rule, will take on
the same strength, in terms of enforcement action, as the existing security
rules themselves.

However, we are not limiting ourselves necessarily to simply codifying what
is in the guidance document, and we do want to use some opportunities over the
next four to six months to get some industry input. We have reached out to the
Workgroup for Electronic Data Interchange, and we have talked to the NCVHS
Committee on Standards and Security, and, in part of their May hearing, there
will be some discussions about security, and, hopefully, not just related to
this guidance document, but any other issues related to the HIPAA security rule
that are felt to require either additional clarification or new specificity.

That is my presentation, and I’d be glad to take any questions.

DR. COHN: OK. I just want to start out, Karen, by thanking you for
obviously bringing this up to everyone’s attention.

I know when I saw the guidance document — and I think most of the industry
considered these documents effectively being the same as a rule — but I think
it makes sense to, obviously, bring it forward in the way you have, and,
obviously, I am very pleased that Standards and Security will be reviewing
this.

I am also, obviously, expecting John Houston, hopefully, to join in those
hearings, since you are a security expert.

Now, with that, Harry, John Houston, and, then, Jeff, and, then, Mike.

MR. REYNOLDS: Yes, Karen, I would like to commend you for doing this, all
of you at CMS, because I think, as these regulations have come out, business
people trying to grasp — and there’s a difference between people that
really are down in the bowels of security or down in the bowels of
understanding these things may read the regulations and understand them.

But I like the terms that are used here, because it raises it more to where
pretty much any business person in a company — executive level down — should
be able to read this and get it, and I think that’s the one task that we
all have as we pass these new things is trying to help people understand how to
live by them in a context of their words, not a context of the words and
acronyms that we love to use as we are reviewing something.

So I think this goes a long way, and we look forward to spending more time
with you on it in the hearings.

But I think this really goes a long way to start having the dialogue at the
business level, rather than just at a detailed standard or a detailed acronym
and really puts people, you know, to some kind of sense that executives can
start making the right decisions to help their companies, rather than just
leave it to somebody else to try to understand what the heck is happening to
them.

So thank you for the —

MS. TRUDEL: Thanks. That was our intent.

MR. HOUSTON: I think overall this guidance is very valuable. The one thing,
though, after reading it, that I sort of —

DR. COHN: John, you get a little closer?

MR. HOUSTON: OK. I thought the document, overall, was really valuable. The
one thing, though, after I read it, I thought to myself, You know, a lot of
what is being described here is probably things that apply not just to remote
use of EPHI, but, frankly, is probably applicable within the four walls of a
hospital or any other covered entity, and some of them are not, but, in large
measure, they are, and I think there are some things that — some awareness
that needs to be raised within industry, and I’ll give you a good example
of that in one of the things that we are doing where I am at.

We are in the process of encrypting all devices on our network, because of
the fact that devices get stolen, they get taken out of use. Sometimes, they
are disposed of appropriately, but, sometimes, you’ve got to — you have
to use a lot of diligence to make sure that when something comes out of
production that somebody is actually going through and wiping the hard drive,
and I know that sounds obvious, but the practical reality is is in a lot of
cases, you hear stories of people not doing that.

So I guess my point in all of this is that it almost doesn’t go far
enough. I think there’s this heightened awareness to remote access, but it
is — I think a lot of the risks are — and a lot of the things that you are
describing here are things that really do have broad applicability, and I think
they are things that frankly need to get a little bit of play in the industry.

And, again, I use the idea of encrypting hard drives on desk-top devices as
an example. It doesn’t cost very much. It doesn’t affect performance
very much, but if that device is stolen or it is taken out of production and
then not disposed of appropriately, because the device isn’t encrypted,
the net effect is that data can be inappropriately accessed.

So I almost want to take this a little bit further and say there’s
other guidance I’d want to do that really is related and it doesn’t
take much effort, I think, to extend it to that, but I think it would be really
valuable in the industry.

MS. TRUDEL: Thanks.

MR. BLAIR: Karen, this is timely and appreciated, and I just wanted to — I
didn’t hear you, maybe it is on the paper. Are you receiving input from
the privacy and security specifically authentication authorization issues that
might be impediments to health information exchange from the prime contractor,
RTI, on the privacy and security project, otherwise called the HISPIC(?)
Project?

MS. TRUDEL: No, we have not had a dialogue with them at this point. I think
they definitely do need to be part of the dialogue when we begin to talk about
what would be in a subsequent regulation.

MR. BLAIR: OK. Because that project has already gone through stages of
identifying a lot of these issues, and this is the same issues, and then coming
up with solutions in January, and, now, we are coming up with implementation
plans, and they won’t be finalized like until late March or early April.

The information is already there on the issues and the suggested solutions,
and I think it would be unfortunate if you don’t get those until the
April-May time frame, because that information really is available now from
RTI, and it seems like it directly correlates to what you are doing, but I
don’t know if you look at health information exchange networks as a
different context. I look on it as an extension of at least what I was hearing
you saying, and I think it is really relevant, because they are impediments to
us moving forward with RIOS and the NHIN.

So, in short, I think that information you should be able to get from RTI.
I don’t know what we need to do to — I could encourage — They are going
to have a national meeting, actually, on March 4th and
5th here in Washington, where they are going to be reviewing a lot
of the findings, as we are getting close to finishing off, and I think, at that
point, a lot of that information ought to get communicated to your group.

MS. TRUDEL: We can touch base with the Office of the National Coordinator
on that.

Thank you.

DR. FITZMAURICE: I want to join in the accolades to you and to CMS also on
the guidance, Karen. While not having the force of regulation, it does show the
current thinking of CMS on these issues, and it is kind of a brush of good
win(?) to come out and tell everybody what CMS is thinking.

So I have a question. Will this guidance help the Medicare program speed up
the access by Medicare beneficiaries to information about their claims,
eligibility, deductible levels and year-to-date payments when accessed over the
Internet?

And, then, secondly, will it help Medicare programs speed up the electronic
submission of claims by providers via the Internet? Will this help form a basis
for that?

MS. TRUDEL: As far as the first issue is concerned, I think that we are
already well on our way with our beneficiary portal under MyMedicare.gov to
providing that kind of access already, and we are using standard security
procedures to accomplish that, and we are finding that it is being well
received by beneficiaries. They get not only information about eligibility,
they can look at claim status. They get information on immunizations or other
preventive procedures that are appropriate for them, and I think that program
has been well underway.

We are working on some fairly long-term PHR-type pilots that I don’t
think this implicates right now, but certainly will later.

In terms of the access to Internet claims, I think this policy will inform
how that occurs, but putting the infrastructure in place to do that, for us, is
a significant issue, and so I don’t think this will accelerate that
process at all.

DR. FITZMAURICE: Thank you, Karen.

DR. STEUERLE: I, too, am impressed by your taking charge and charging —
the law requiring it. I really like providing the guidance here and in other
areas.

I just have one comment, and I have made it before with respect to HIPAA in
general when we analyze risk, and that is that there are obviously two types of
risk. Statisticians often call them Type 1 and Type 2 risk.

The analogy here is there is the risk, of course, that we do something and
it violates somebody’s privacy, but the other risk is impose a regulation
or a standard or a guidance that actually increases the risk that something
useful in health care might not be done.

And I would just — This is just a suggestion. I would suggest that any
report, you always sort of list both types of risk and then basically say this
is, on balance, where you came out.

I mean, here, I see no objection to what you have done here, but I always
worry when we focus on the one type of risk, because I think it always leads
towards lack of concern, and although I don’t see it here, in other areas
where we have talked about HIPAA, I have seen where I sense that HIPAA has
prevented certain information from being passed on, and, therefore, has
introduced new risk to the population, and I just think it is always worth
listing them both in almost any HIPAA-related report.

MS. TRUDEL: I absolutely agree that while we have specified that here, our
take on security is also always trying to balance those two things, and part of
the reason that we have maintained flexibility in here and not required
everyone to do everything the same way is to maintain some of that flexibility,
so that the other risk that you were referencing doesn’t occur, but it is
probably better to be explicit about it, I agree.

DR. STEUERLE: But it also allows if somebody wants to comment back, they
feel that that is an appropriate area to give you comments back as well, not
that — they probably wouldn’t anyway.

MS. TRUDEL: Right.

DR. STEUERLE: But —

MS. TRUDEL: Thank you.

DR. COHN: Well, Karen, thank you very much, and, obviously, thank you for
raising it to everyone’s attention, and, obviously, we’ll be working
with you and CMS to, hopefully, help move forward revisions to the security
rule, and thank you.

Agenda Item: Privacy Rule Compliance Update

DR. COHN: Susan McAndrew, thank you for joining us.

MS. MC ANDREW: Thank you for having me.

I will try to keep my remarks short, and there was some strange press after
my last appearance here, where some of the information seemed to have been
translated in the press as being received with shock and awe, and I will try to
low-key that. I mean, there’s really not much shock and awe coming out of
here right now.

The complaint activity related to privacy continues apace. Through the end
of January, we have received just slightly over 25,000 complaints. A little
less than a quarter of those cases are still open.

We continue to develop more data related to the types of cases that we are
closing, and approximately a third of all closures are the result of
investigated cases. So that means about two-thirds of the cases that we receive
and close are done for reasons that the case is beyond our jurisdiction or
doesn’t really raise a facial(?) violation of the privacy rule.

Of the cases that we do investigate, we have taken and achieved corrective
action in two-thirds of those cases. So since the beginning of our compliance
program, we have actually achieved corrective action in over 4,000 cases, and
we got corrective action in 1,500 cases in last calendar year alone.

So I think both the volume of cases in which we are getting corrective
action continues to increase, and the percentage of those cases in which we are
achieving corrective action also is increasing.

MR. HOUSTON: Excuse me. Can I —

MS. MC ANDREW: Um-hum.

MR. HOUSTON: Corrective action as being equivalent to
voluntary compliance or — I mean, that seems to be a new term.

MS. MC ANDREW: Well, it is — we are closing the cases because we have
achieved informal resolution. The informal resolution is because the covered
entity has agreed voluntarily to come into compliance.

The way they achieve that is through providing us with some sort of
corrective action. Most of the time, it is a change to their policies and
procedures to make sure that whatever the incident was that it doesn’t
occur. Where there was an individual involved that, for instance, did not get
access, part of that corrective action is ensuring that that individual, as
well, is provided the access that is required under the rule, as well as making
sure that the procedures are in place, so that others dealing with that entity
will get access as required by the rule.

MR. HOUSTON: Thanks.

MS. MC ANDREW: We are continuing, as I mentioned before, to work on both —
to get out a clearer message and more useful information through our Web on the
enforcement actions that our office is engaged in.

We are developing a Web page that will be devoted to compliance activities.
It is still in the developmental stage, but we are hoping to populate that with
statistics as well as success stories and case examples of how corrective
action was achieved and what problems have been solved through this kind of
voluntary compliance by covered entities.

Eventually, it would also be where we would post any civil monetary
penalties or other monetary settlements that are achieved through our
compliance activities.

We are, as I say, still in the development stage. So ideas, suggestions are
always welcome. If you have any thoughts, just please let me know, and we will
see if we can work them into our plans going forward.

I would like to let you know, in addition — just to update you on some
other activities that my office is involved in on a regular basis — we clearly
are very actively involved with ONC and the AHIC on the health IT projects. We
participate in the consumer empowerment workgroup, and, recently, at the last
AHIC, there were recommendations for specific tasks that my office will be
working on with this workgroup, including some mapping of the privacy rule to
some scenarios with personal health records.

We also continue to work with the confidentiality, privacy and security
workgroup under AHIC, and I expect — certainly, following the congressional
testimony on the intersection of privacy processes and how the network is going
forward — that this workgroup is going to become extremely active.

They made their virgin report to the AHIC on security and identity proofing
for patients, and so, now, they have made their maiden voyage and they can —
got their feet wet, and, now, they can — I think they are prepared to tackle
more meatier issues as they go forward.

As I think I mentioned last time, we continue to work with the research
communities within the department to try to harmonize the rule structures from
HIPAA as well as under FDA and the common rule to make sure that all of those
rules are working together and facilitating the research endeavors that are
being undertaken.

Two additional areas that have gotten increasingly active, and I expect
will remain active the next year probably. The first, again, comes out of the
Secretary’s priority for personalized health care, and that is the
intersection of privacy and genetic information.

There have been several workgroups that have been formed within the
department to take a look at that as well as it is on the agenda of one of the
AHIC workgroups now, and we are watching the — there was a discrimination bill
that was, I think, passed the Senate — passed one of the Houses, I think —
which would prohibit discrimination based on genetic information in insurance
and in employment situations. So we are expecting that we will be spending a
lot of staff time working out what genetic information is and how to adequately
protect it.

The other area that continues to be hot, in terms of activity within the
department, and that is disaster and emergency preparedness activities.

So we are — my office is also helping to staff a number of groups that are
emerging within the department to make sure that emergency response is done in
a way that respects confidentiality of the information while still enabling
this information to be available to ensure treatment in these kinds of chaotic
and often disassociated settings.

So we have a lot on our plates, and, this year has been especially
challenging, given the continuing resolution and the uncertainty with future
funding, and just the increasing demands on resources is always a fun juggle.

But I think all of these initiatives are extremely interesting and
challenging, and we are really looking forward to keeping privacy and
confidentiality in the forefront of all of these discussions.

DR. COHN: Well, Susan, you are right. I don’t think we have any shock
and awe today.

Mark, John, Leslie, and, then, Jeff.

MR. ROTHSTEIN: Thank you.

I have a question and a comment.

The question has to do with the privacy rule/common rule harmonization,
which, as you know, is an area that we have been interested in over the years,
and we were — Speaking for myself, I was very pleased to hear at the last — I
guess in November, when you announced that this harmonization process was in
the works.

Can you give us any sense of how that is going or whether you are hitting
any sort of major snags along the way to do that or whether you are optimistic
that something will be done over the next six months or year or — Can you give
us more information?

MS. MC ANDREW: Other than to say that I know the group has been meeting
regularly — I think monthly is the schedule that they are on — there has not
been — I think there is still a little — struggling a little bit in terms of
setting their agenda. As far as I know, they have not come to us with any solid
proposals either for areas of guidance or —

MR. ROTHSTEIN: So when you say they, this is sort of an OHRP/OCR working
group, something like that?

MS. MC ANDREW: Yes. There is a committee that is formed and it includes
OHRP, FDA, NIH. I think ASPI has representatives on it as well as OCR. So it is
a broad — I am not even sure that there aren’t other research entities —
AHRQ is on it.

So it is really cross cutting. The interests are very disparate, and I know
that they are — I don’t have a precise update where you — but I can
certainly have that for the next meeting of the committee, if you would like
that.

MR. ROTHSTEIN: Well, I just — I am very anxious to see progress made, and
it is something that we have heard from in hearings from members of the
research community for years, and we have promised them, as a committee, that
we would recommend it to the department, and, now, the department has taken our
recommendation and/or from other sources is doing that, and I am anxious to
have the payoff, basically.

My comment deals with your remarks regarding protecting genetic
information, and, although I think that it is very important to do, just as a
comment, I would say that it needs to be done in the right way, and I think a
lot of what is being done, both in Congress and elsewhere, is maybe not the
best way to protect genetic information, and there are many people who feel
that by treating genetic information separately and regulating it separately,
you further stigmatize genetic information, and, in a sense, make the problem
worse, in some respects, and as anyone will quickly find when they are trying
to work with this, it is also impossible to define.

And so my comment/suggestion would be that OCR and the department, more
generally, not be committed to sort of this genetic exceptionalism model and be
flexible in trying to achieve the same goals, but through considering other
options besides another sort of separate layer of genetic-specific regulation.

MS. MC ANDREW: I just would want to clarify that, clearly, that is the
major area of discussion, and I did not mean to imply, in any of my remarks,
that the department has decided on or even supports genetic exceptionalism.
That is clearly one of the core issues that all of these debates and these
workgroups will be focused on.

MR. ROTHSTEIN: Good.

That concludes my question and comment, Simon. No additional shock and awe.

MR. HOUSTON: I was just about to comment about how I thought it was a
really great thing that people were actually thinking about looking at genetics
and privacy, and it actually came up in a conversation I had yesterday.

And I think that the time is ripe to understand the issue and to really be
proactive in trying to establish the appropriate framework for addressing
people’s reasonable concerns about genetic privacy.

I think that, in a few years — whether it be 10 or 15 years down the road
— I think genetics are going to be so powerful in testing, and the
implications, that I think if we don’t get them right now, if we
don’t understand fully, then I think we are going to develop systems and
things in a way that, if we had to go back and overlay a different level of
understanding of genetics, that we are going to be at a real — we are going to
be trying to do a patchwork that is not going to work.

So I applaud you for that, and I think that you can’t start soon
enough to work on that particular issue, and I am just glad you are.

DR. FRANCIS: I actually wanted to second Mark’s comment about a bit of
skepticism about genetic exceptionalism.

But the question I had was with respect to the complaints. Are you noticing
any discernible patterns that it might be useful for — that is, as types of
complaints, kinds of violations that it might be useful for this committee to
know about?

MS. MC ANDREW: Actually, there have been a number of discussions with the
committee about what trends can and can’t be discerned from the pattern of
complaints, and I do believe part of that was a conversation that might be
continued following either this meeting or tomorrow’s meeting — if there
is a tomorrow — but, right now, I would say that we haven’t noticed —
One of the things we have gotten from the compliant data are the most frequent
allegations as well as the types of entities against whom these complaints are
filed most often, and neither of those categories has changed significantly
over time.

So we are not really seeing — Other than the fact that complaints
concerning failure to get notice, your notice of privacy practices has tailed
off since the early days, which one would expect, but not really anything
unusual or startling has —

DR. COHN: OK. Thank you.

MS. MC ANDREW: You’re welcome.

MR. BLAIR: Susan, about a year ago, you introduced an individual to us — I
don’t remember his name — who is —

MS. MC ANDREW: That was a hell of an introduction, then —

MR. BLAIR: I apologize.

DR. COHN: I think it was maybe the director of the office of civil —

MS. MC ANDREWS: Oh, Mr. Wilkinson?

MR. BLAIR: The individual was going to have responsibility for directing a
program of public education for people — for consumers and patients — so that
they would have a better understanding of the rights that exist, now, to
protect — you know, for protected health information, and I hadn’t heard
anything since then about a public-education program or what has happened with
that.

And, now, you can tell me the name of the individual that I apologize that
I forget; but what has happened with that program for public education of the
privacy rights that do exist under HIPAA regs?

MS. MC ANDREWS: I believe you are probably referring to Patrick Hadley(?),
who we brought on about a year-and-a-half ago to be our outreach and public
education team lead senior advisor.

As it turns out, as luck would have it, Friday is Patrick’s last day.
He —

PARTICIPANT: — the job done?

PARTICIPANT: His work is done?

MS. MC ANDREW: He has decided to move to Atlanta, and so he is — He is
down there, actually, now, and he will be leaving us as of Friday.

The efforts that he was able to accomplish while he was here included a
number of consumer education activities and materials that have been posted on
the Web. There have been — We have a number of fact sheets, and he did help
coordinate with the other side of the office, the Office for Civil Rights, on a
fact sheet that combined the two sets of rights that the office enforces.

There is still, clearly, much more work to be done in that area, and it is,
again, always something that we struggle, in terms of being able to allocate
sufficient resources to, both in terms of being able to get out, as well as to
develop consumer-oriented materials for the Web site, but we continue to try to
move along as fast as we can in that area, but it is — I do consider it to be
a loss that Patrick has decided to put his talents to other uses, and we will
miss him.

In the interim, the responsibility for heading up our public education and
outreach efforts has been transferred to Linda Sanchez, who I believe some of
you may know from her past work. She has a long history with the privacy rule
and brings a lot of expertise to this effort. So she will be leading our public
education —

MR. BLAIR: She’ll be within the Office of Civil Rights.

MS. MC ANDREW: Yes.

MR. BLAIR: And is there any plans to provide public education beyond
posting the rights on a Web site?

MS. MC ANDREW: She and Patrick are tasked with coming up with a proactive
outreach plan for ‘07, and when that plan is vetted, we will share that
with you.

DR. COHN: Well, Susan, thank you very much.

MS. MC ANDREW: You’re welcome.

DR. COHN: Obviously, we appreciate this.

And we do believe there will be a tomorrow. The government will be open as
part of it. We will, obviously, wait an see, but thank you.

Agenda Item: Office of the National Coordinator
Update

DR. COHN: Our next presentation is from John Loonsk. John, thank you for
joining us.

John is a Director of the Office of the National Coordinator, and his
charge focuses on interoperability in standards, and it is a pleasure to see
you back again.

DR. LOONSK: Good morning. Thank you, Simon.

DR. COHN: Thank you for joining us.

DR. LOONSK: It is a pleasure to be here. Thank you for having me.

I am going to give an update on several items from the Office of the
National Coordinator. There is a lot going on, and I am, by no means, going to
talk about everything that is going on, but I will talk about three important
things.

One is the recent Secretarial actions regarding interoperability
specifications from the Health Information Technology Standards Panel.

Second is the next step use cases from the American Health Information
Community.

And, then, the third is an update on where we are with the Nationwide
Health Information Network, which I think was one of the principal reasons you
had me here today, and, then, hopefully, we can have time for questions.

Recently — actually, December 2006 — Secretary Leavitt accepted three
HITSP — Health Information Technology Standards Panel — interoperability
specifications. He accepted these, and, in his letter of acceptance, identified
the fact that he intends to recognize them formally in December of 2007. So
accepted in December of 2006 with the intent of recognizing them in December of
2007, assuming that there are only minor changes of a technical nature between
those two versions.

The intent here is to have a process that roughly parallels the activities
on the private sector regarding the certification commission for health
information technology and its progress in moving interoperability
specifications and standards into certification criteria for electronic health
records and, eventually, for networks.

So what we have here is an effort by the government on the federal side to
parallel basically a year’s worth of time between the availability of
implementation-level guidance and when there can be an expectation for
implementation of those guidance, in this case, relative to the Executive Order
federal systems and contracts.

So accepted these three interoperability specifications December 2006 with
the intent to recognize them in 2007.

At that point, once they are recognized, there are activities that are
induced by the Executive Order that suggest that, indeed, upgrades to federal
systems and new federal implementations of health information technology
systems will need to incorporate those standards into them.

And, as I indicated, this is grossly an attempt to also parallel the
process where a certification commission for health information technology has
identified as general guidance the desire to have a year’s availability of
implementation-level guidance before standards can be expected to show up in
certification criteria and then be tested accordingly.

That was an important step in moving forward with a broad health IT agenda
the first round of interoperability specifications from the health information
technology standards panel put on a course for their involvement in federal and
private systems.

Another significant action from the American health information community
has been the identification of the next step use cases to move forward into the
national agenda, and, if you’ll remember, the use cases are articulations
of priority areas that the AHIC has been discussing, priority areas and issues,
an effort to the use cases document what some of the needs are in regard to
those activities, so that they can then be fed in the broad apparatus of the
national agenda and the many different organizations and individuals that are
participating in that can work on them and have a shared point of focus for
their activities.

Last year, we had consumer empowerment, medication history and registration
data. We had EHR use cases around labs. We also had the biosurveillance use
case, which focused on the use of clinical-care data to support biosurveillance
purposes.

In mid cycle, the community EHR working group of the American health
information community identified the need for an emergency responder EHR use
case.

That was advanced. We had two rounds of public comment on that, and that
was actually publically posted in December of last year. That will form one of
the areas of focus for the next-step activities.

Important in this use case are the ability to exchange a summary patient
record in emergency situations, as well as issues around provider
authentication authorization and credentialing, which were apparent, for
example, post-Katrina, where access to patient information was — while there
were some electronic data available, accessing them in the context of emergency
care was a challenge.

There are other enabling technologies associated with that use case, but
that use case is publicly available, and, among other activities, the health
information technology standards panel will be working on this use case in its
next cycle.

Similarly, as I will talk about later, these use cases feed into efforts of
the nationwide health information network, as well as the certification
commission and other discussions as well.

The American health information community identified a new use case to be
worked in the area of medication management, and, in this case, the related
areas include things such as medication reconciliation, pharmacy and allergy
data, monitoring of medication, ordering transmission dispensing.

Essentially, one of the needs that had been advanced to the community, both
from the working groups, in terms of priority areas coming forward, and from
the certification commission on health information technology, was the fact
that, although e-prescribing has standards identified and has regulation
associated with it, there are ancillary areas in medication management that
also need to be attended to in this very important area for clinical care.

The prominence of medication use and issues in the context of clinical care
raised the attention of the community to this activity. The intent is not to
duplicate the work of e-prescribing and the regulations that exist in that
area, but to, indeed, compliment those activities with appropriate standards
and processes and issues discussion in associated areas around medication
management, and it is one that received a lot of support at the community level
in terms of those discussions.

There is an aspect to this as well around clinical-decision support, and I
hesitate to put that on the slide, because, for many, that is evocative of a
lot of different things.

I think, in this context, it is meant to suggest some really introductory
issues associated with providing information to providers, to clinicians in the
context of making medication decisions, and so we shouldn’t think of this
as the full-blown vision for clinical-decision support that many people have,
but maybe an incremental step forward in that direction.

Another area that the community approved in this next round was consumer
access to clinical information, and the community still clearly puts a high
premium on the role of the consumer in moving forward with the health
information technology infrastructure.

We have positioned this as an extension of the existing consumer
empowerment use case, and one of the things that we are attempting to do with
these next round of use cases is to try to make sure that they are coordinated
among the different working groups.

We have a multitude of different American health information community
working groups now. They are coming forward with priorities at a significant
clip. Over 120 different priorities and issues were raised in the course of
their work over the last few months.

We have attempted to embody as many of those priorities into these
different packages as we can in terms of advancing them, though we don’t
— and we readily admit that we can’t necessarily attend to all of them or
attend to all of them in complete detail, because there are so many.

Nevertheless, by building on the existing use cases and by trying to put
these in rational groupings, we think we can advance a good number of these
things in the next round.

The Secretary, during the AHIC meeting, when these decisions were made,
made a request that we begin to work up all of these use cases with the intent
of having them primed and ready for the next round of activity as soon as that
can be.

There are obviously some other activities that have working groups and have
general little areas of interest, including personalized health care, which
will probably also be on the agenda for next steps, but the Secretary has asked
that we work all these up, and as soon as we work up this first round, we will
turn around and start to work up the next round, so they are available as well.

This extension to the consumer empowerment use case references specifically
lab results, as needed by the patients, list of conditions and allergies,
health problems and diagnoses codes, and we have also identified a number of
enabling technologies associated with these that are important in two contexts.

One, they are important in the context of this specific area, the specific
use case, the specific breakthrough that is being advanced.

But, two, we have also reconciled those with the needs of the nationwide
health information network in terms of standards and architecture moving
forward.

And so there is a great synergy between some of the enabling technologies
here and the next steps of the NHIN, as I’ll mention in a couple of
minutes.

So some of the enabling technologies in this area include management of
links between consumers and providers, consumer access control and how
consumers can express their interests in access to their data, PHR portability
methods and access auditing.

The final use case for this coming round is identified as one around
quality, and we are terming this as an extension to the biosurveillance use
case, because, although this is in the general area of population, formally
known as secondary use, no one wants to be seen as secondary. So the general
area of population data access and use for population purposes is what is
referenced here.

The quality use case has a number of important associations.

One, there is the suggestion that it will need to involve a core set of
inpatient and a core set of ambulatory measures — focus on core set — that
will be advanced in this context.

Two, there is the fact that a prominent part of this is clinician access to
these information. So while, frequently, people think of quality reporting as
what this area is about, it came through loud and clear that clinician access
to data is a critical part of this moving forward, and that will play a
prominent role in the use case in the subsequent discussions.

And then there are a number of enabling technologies associated with that
use case as well.

So three new use cases. Two of them are extensions of existing ones, and,
then, the emergency responder EHR, which is already developed and advanced.

The third area I wanted to touch on was an update on the nationwide health
information network.

We had recently a third public forum for the nationwide health information
network. It was very well attended.

We also had a presentation at the last American health information
community meeting, and both these events focused on two things.

One, they focused on the business models for how these type of services
could become self sustaining, and the other area of attention was the software
prototypes.

Now, there is a great tendency in software development to — and in systems
architecture — to think that — you know, software is very evocative, and I
think that was both a plus and a minus of the activities that went on. So
people were able to envision, indeed, some things that had been talked about
very frequently in abstract ways.

But it is important to recognize as well that what had the four consortia
demonstrate were really applications that were connecting to architectures —
network architectures. They are not the network themselves.

And so at the same time that we had, I think, some very compelling
presentations of the work that was done, it was only a fraction of the work
that was accomplished over the last year.

When we initiated the nationwide health information contract, we roughly
asked that the consortia spend about 80 percent of their time on architecture
issues and about 20 percent of their time on the software prototypes that
validated that their architectures were viable, but, nevertheless, this was a
very — I think there was a lot of excitement at this forum. It was much more
tangible than many of the architecture activities that had been carried on
heretofore, and people could actually put a face, if you will, on what the
kinds of services and capabilities could be when we get to this vision of
having a nationwide health information network that can foster these types of
activities.

Important in that is that NHIN is part of a broader cycle, and we have
consistently described the fact that there are iterations to this cycle, that
we are going to get at this in an iterative fashion.

We have, in some ways, gotten through most of one cycle. I wouldn’t
say we’ve gotten through the complete cycle, but we have taken the first
round of use cases, the breakthroughs from the community, put them into use
cases, put them out to the NHIN for prototype architecture work, put them to
the HITSP for standards work. We have had focused discussions on policies and
regulation issues associated with those. We have talked about business
deployment and sustainability issues, and we have shown a path for how they can
— these can influence next steps from a certification perspective as well. It
is part of a broader process.

What we are advancing, in terms of the NHIN, is a network of networks to
connect providers and consumers and interconnect state, regional and
non-geographic health information exchanges.

Visually, we are focused on, to a significant degree, on the
interconnection between exchanges. So it is a network of networks, and the
needs for health information exchanges to be able to work with each other
across some very complicated issues.

We are also focused on the ways in which those health information
exchanges, to an extent, interact with provider organizations and other
networks and systems that they connect up, but I think that it is important to
differentiate some of these interfaces.

We think that there is an important role for the personal health record
connection in this regard, but not all of these three interfaces may be dealt
with completely in the same way. The needs for health exchange to health
exchange connections are going to be highly specific and highly standardized,
if that is going to work.

On the other hand, some of the needs, in terms of engaging provider
organizations, and, potentially, consumer organizations, systems and networks,
will have to have some flexibility to sustain this activity where the service
provider, the group, the health exchange that is doing that connection may,
indeed, lead to work to help get those groups up and running involved and
participating.

And so these are different kinds of interfaces, different kinds of
interconnections, and I think you’ll see, when we talk about the next
steps for the NHIN, that that will play an important role.

We have also been talking about the fact that there is a need to
potentially have service providers that can support health exchange, and this
gets into a complicated discussion of potential acronyms and other terms, but
to have successful health information exchange, a number of elements are
necessary. There are business needs. There are trust needs. There are
governance needs, and there are technical needs and simple service provision
capabilities, and not all organizations are going to fill each of those
functions.

So we are identifying, in the next steps of the NHIN, some important
constituent aspects, attributes that need to be participant, and some of it is
having the technical and service wherewithal to advance this activity, but,
clearly, a very important part is also having developed a trust at a regional,
state and potentially cross-regional level to be able to support health
information exchange and to have governance that can support that.

This is one of the products from this year’s work, which is a
depiction of some of the kinds of services that health information service
providers may be providing, and, clearly, as the discussions have gone on,
there has been a lot of good interchange between what services are viable to
support health information exchange, what ones may need to be there — such as
security and secure transport — which ones may be added value, additional
roles and participation that may be specific to a particular community or
specific to a particular region, and there needs to be a flexibility between
having some core capabilities that allow people to trust this kind of health
exchange and for the health exchanges to work together at the same time that
there may be — there are needs for flexibility in terms of the types of
services that may catch on, if you will, in different communities to move
forward.

So the third forum, as I mentioned before, focused on prototype
architecture presentations through these software manifestations. It did focus
on the three use cases from last time, and core network services.

So that was, I think, important to recognize that the work that was done
did have a particular emphasis in the consumer empowerment electronic health
record and biosurveillance realms as per those use cases.

It did put a face on these efforts that I think was compelling and
represents — and so some really important issues came forward in the course of
the discussion, and some potential approaches for how to advance this kind of
exchange came forward out of this prototype architecture work, including
different approaches or connection of both commercial and tethered personal
health records, opportunities and approaches for ways in which consumers can
manage PHR data, considerations for how consumers could express the way in
which their data could be managed, even beyond their PHR, potentially, in terms
of network exchange. In one model, coming forward with approaches to the
exchange of access management emanating from a PHR, but potentially applied to
network exchange as well.

Clearly, a need for tracking providers associated with patients, and, here,
you’ll see one of those synergies between the next use cases and some of
the NHIN needs as well. Routing of lab data.

There were presentations on both portal- and EHR-based retrieval of
historical results. There was not a one-size-fits-all for this, and they were
both important, in the end, in terms of the presentations.

Notification technologies for how new data are available, making people
aware of when new data are available. Some of the work of routing non-ordering
providers of care, data to non-ordering providers of care, and, then, a number
of issues about the importance of comparability across provider sites, data
comparability and the importance to other activities that that engendered.

We have said, steadfastly, that the approach of the NHIN is going to be
incremental, that we are going to take steps to this — this slide is from the
first forum — that we have been working on first prototype architectures and
producing a number of architectural products.

We are going to, then, take the next step, which is to trial
implementations, and I will talk a little bit about what that will look like in
a moment, but — and, then, move on in subsequent steps from there, each time
taking the products of the previous work and applying them to the next work.

So one of the things that we have identified, in terms of the next step of
trial implementations, is that we will be taking the work that has been
proceeding over the course of the last year and applying it in the context of
the next-step contract and the next-step procurement.

I think that this is not necessarily the complete — it is certainly not
the complete approach to addressing the incremental development of the NHIN,
but it is an important tool in trying to help advance some of these areas and
some of these activities that are going on now at state and regional level.

So the types of products that will become parts of the guidance for the
next step include the standards that have been — from HITSP, the security
model considerations, the work that the National Committee on Vital and Health
Statistics has done on recommendations in the context of privacy and
confidentiality for the NHIN, the work of the confidentiality, privacy and
security working group, the vast amount of public input we have received in the
context of the now three NHIN fora that have occurred.

The use cases that I have mentioned and talked about before will also
figure prominently into the next round of activities, the functional
requirements that NCVHS has worked on in the context of helping to define in
simple, declarative terms the kinds of activities that need to be carried out.

We will be coordinating with the certification criteria for ambulatory care
and inpatient, and particularly network certification criteria, as they become
available in the next round of the certification activity, the work on business
models, and, importantly, a report that we are going to have delivered from
Gartner(?) Consulting on the 2006 NHIN work. We expect it to become available
in the March 2007 time frame, and focus specifically on the interfaces.

We did a pretty deep dive into some of the technology in the last year, and
I think that was appropriate from a prototype architecture standpoint, but,
now, in the next steps, in trial implementations, we are going to step back a
little bit from that and talk particularly at the interfaces where there are
great needs for standardization and needs for systems and networks to work
together, and to bring, in the context of the next-step activities, some of
these attributes that are necessary for health information exchange.

Obviously, providers and systems need to be engaged. Health IT adoption is
a critical part of the business models that have been discussed in terms of
making this sustainable. Consumers need to be involved. Security has to be
provided. Governance has to be in place. Trust has to be enabled, and, then,
business services and technical capabilities have to be brought to the table as
well.

So the next round of the NHIN activity we have termed trial implementation.
So 2006 prototype architectures, 2007 trial implementations.

We are in the midst of initiating the procurement for this activity. So
there are some things that I can’t talk about in that regard, but the
important concepts I can allude to, which are, one, we are going to bring
together the products of the 2006 work, some of which NCVHS was critical in
helping to form.

We are going to try to bring together some of the technical accomplishments
of the prototype architectures. We think that those technical capabilities and
some of the other businesses that are out there working in this health
information exchange area need to be brought together with directly engaging
state and regional health exchange.

So an important difference here is that the next round of the NHIN
procurement will directly engage state and regional health information exchange
and focus on the interfaces by way of moving forward with next-step activities.

We anticipate that there’ll be a request for proposals in a
March-April time frame with awards made in June and July to represent the next
steps of the NHIN.

So, with that, I thank you for your attention this morning, and I’d be
pleased to try to answer any questions you may have.

DR. COHN: John, thank you. Quite an overview of a year’s worth of very
hard work.

I guess we will start Mark and then Justine, Harry, Kevin — actually, John
and then Leslie —

MR. ROTHSTEIN: Maybe you ought to take hands of all the people who
don’t want to — Well, I’ll be brief, then.

John, as you know, the GAO report was very critical about — 84(?), its
lack of efforts in the area of privacy in the NHIN, and I notice that your
presentation had a de minimis amount of privacy to report to us. Maybe you
wanted to keep it private.

What is ONC going to do in terms of ratcheting up its privacy efforts
before privacy falls hopelessly behind the technology developments?

DR. LOONSK: Thank you for your question, Mark, and I certainly recognize
your concerns in this area, and I, in fact, have read the GAO report, and I
find it to be a very — a reasoned detailing of a vast number of activities
that are going on right now in the area of privacy and security.

I think the headline certainly caught a lot of people’s attention,
but, in detailed reading of the report, there actually were — there was a
listing of a great number of activities that are going on.

We have tried to articulate the fact that this is going to be an
incremental and iterative activity, and I tried to point that out in the
context of my comments on the NHIN. We are not going to production systems as
the next round. We are going to trial implementations, partly because we still
feel we need to tease out more of the issues and work more of the privacy and
security and some of the other related issues as we move forward in that
regard.

So the plan is an iterative one. It is one that involves a vast number of
different people and organizations in bringing forward issues, some of which,
to be quite honest, are at the state and regional level that they need to be
addressed.

We are working to try to offer new technical approaches to how some of
those things can be advanced. I think some of the work in the NIHN prototype
architectures around the ways in which consumers can influence how data could
be managed are very promising in terms of what they potentially offer in terms
of moving things forward, but they still have to be potentially tried in trial
implementations to determine whether they are fully viable. So an incremental
approach, trying to bring forward the issues, trying to bring them forward.

I think what the GAO pointed out, and I think it was one of the issues that
we discussed with them in fair detail, was that when you have as many people
working on these varied activities as there are, that you can’t always
have distinct milestones and say this is when this issue will be addressed and
this is when that issue will be addressed because of the iterative nature of
this, and I think that that is an area where I think the Office of the National
Coordinator differed with the GAO, who really was focused on — in terms of the
message — having distinct milestones.

We certainly are as intent as we can be on having milestones identified
wherever they possibly can, but there is still an aspect of discovery that is
going on in the context of what the issues are at the state and local level
that need to be addressed. So it is certainly an area that is — our attentions
are heavily focused on, and there’s still a lot to do.

DR. CARR: Thanks for a great presentation.

I have a question about medication management. Medication reconciliation
is, as you know, one of the national patient safety goals for JAYCO(?). So my
question is is there a new work group that will be working on this and —

DR. LOONSK: No. So, essentially, I think we have seven working groups of
the American health information community, and what we were starting to see was
that there were common priorities coming out of different working groups and
potentially being addressed in different fashions.

So these use cases attempted to bridge some of that, and a lot of the
medication reconciliation issues come out of the EHR working group and needs
for — although they are frequently about presentation at a clinical care
setting and how medications can be reconciled at that time relative to
historical medications, what the patient is actually taking, any
over-the-counter medications, et cetera.

So the principal focus for that one, I think, would be the EHR working
group, but these use cases will not necessarily mean that there is one working
group that is working on those issues alone.

DR. CARR: Thank you.

MR. REYNOLDS: The question I have is on the patient identity
reconciliation, you mentioned it on your slide under Emergency Responders, and,
then, under Medication Management.

As you know, the committee has had some hearings on matching patients to
their records.

Do you see a drive towards one type of matching criteria, obviously without
the prominent use of Social Security number, without an individual identifier
and some of those other things, if everybody picks their own and — So where do
you see that heading? Because it is showing up consistently throughout your
presentations and a lot of other presentations that are going on about the
subject, but where do you see it going?

DR. LOONSK: So the focus of the prototype architecture activities and the
focus of the trial implementations will obviously be trying to make health
exchange work when there is no national patient identifier and Social Security
number is not used in the context of that identification.

So what that begs is the identification of demographic data that are
available in the context of doing that reconciliation.

We think that an important aspect of the next step work will be on the
ability for health information to health information reconciliation of patients
as information needs to be exchanged, and there is a goodly amount of work
going on in that area.

We think that is a critical component to getting to a network of networks,
so that when one health exchange is routing data through another health
exchange or vice versa, that there is a — that the shared patient attributes
necessary to do a reconciliation, but that is going to be a communication. It
is not a single transaction. It’s gotta be more than one transaction that
occurs, and that is part of what we anticipate will be a focus for the next
round of the trial implementation.

MR. REYNOLDS: Thanks.

MR. HOUSTON: Having attended the forum, I actually thought it was really
interesting, and there are two themes that you really didn’t talk too much
about. I saw in your notes somewhat, but I think it probably bears a little
discussion, and the things I know I at least had discussions about at the
forum, one was sustainability and the other one was secondary uses.

I thought there was — At least in the circle I was in, there was a lot of
discussion about both. I mean, I don’t — What I hate to open up is a sort
of a broad discussion point, but I didn’t really hear you talk about the,
but, yet, they seem to be topics of interest of a lot of people.

DR. LOONSK: And there was absolutely a lot of interest in — For the third
forum, the first day was on the prototype and demonstrations of the prototype
software. The second day was around sustainability of health information
exchange, and there was a very robust discussion that may not have been fully
captured in my slides.

Interestingly, a number of the models, indeed, pointed to a similar time
point of about eight years, seven, eight years out for achieving sustainability
for some of the exchange efforts, which I thought was encouraging just from the
standpoint of that there was some commonality of approach in that regard.

You are right that there were a number of issues about secondary use and
discussion of secondary use, and, in those business discussions, many people
point to secondary use as potentially something that plays an important role in
sustainability.

I think part of what needs to occur, though, is further investigation into
which of the different services are indeed viable and what added value service
providers can provide, how much doing data translation and mappings. Can that
be a service that they can potentially sell to some of the provider — engaged
provider organizations, for example, to bring people on board and get them
engaged.

And so I think there are still a number of other models, but you are right
that that was one of the things that was prominently presented.

DR. FRANCIS: Obviously, one of the privacy and confidentiality issues that
this does highlight is questions about data security, but I want to just
underline an entirely different range of questions.

Obviously, there are questions about control over information getting into
the network in the first place from a privacy and confidentiality point of
view, and, related to that, in the technical architecture design, the
possibility of secure envelopes within, and I would hope that there is
attention, as infrastructure is being looked at, in that set of questions as
well as the data security questions.

DR. LOONSK: Thank you.

I think there has been a good amount of discussion about security
approaches, auditing, encryption, where — issues around data persistence and
where that occurs. So there are a number of different discussions and products
in the work that has been done.

DR. COHN: OK. Now, we move to the other side of the room. Jeff and Marc. Do
you have a question also, Mike and Larry — OK.

And, then, hopefully, after that, we’ll be able to take a break. So
remember, your questions, you are standing between us and the break.

PARTICIPANT: We have better questions over here.

MR. BLAIR: John, first of all, I want to express my appreciation for the
fact that — you know, it has been obvious for some time that ONC has been
moving forward with a number of parallel initiatives, and what you outlined
today was that, for the first time, that I was able to see how these things
might converge and build on the results of each other and then go into further
iterations. I really appreciated seeing that.

It is obviously going to be difficult, and it may be difficult to keep them
on schedule, and it may not be as fast as we want in all areas, but the
convergence, the iterations kind of gave us, for the first time, a little bit
of a road map, and I really appreciated that.

One area that you mentioned that probably I had less concern about as a
techie type person, until my recent experience in New Mexico with our health
information exchange, is — and this gets to the area of convergence and how
this fits in, because, in some sense, while we move forward with a lot of
things that you discussed, the functional requirements for the network and all
of the pieces and how everything works together, we are finding that the
community is very interested in the health information exchange network for
different reasons than we expected, and we are finding ourselves, in order to
be responsive, redefining what we are doing every few months, and it is being
driven by business models.

You mentioned business models, and I would like to have a better
understanding, and maybe I’ll just give two quick examples of this,
because we are finding that the business case, in some cases where we thought
there was one, it was weak, and we are finding that there’s business cases
where we didn’t expect to find them as we try to be responsive to our
community.

One of these that is especially strong and was struggling, because not all
the pieces are there for us to put it together, is that as different health
care institutions begin to say yes, they are signing agreements to be able to
share data, they are realizing that folks outside of their health plan, health
facility will now begin to have access to their health care information, and it
isn’t just the technical authentication standards that are not there, it
is the policies, the practices, the authorization, the authentication, this
whole area, in terms of not just a covered entity, but a community-wide network
for coming together with agreements on all of these. That turns out to be a
major positive business-case driver for these entities.

And so that is just one example, but I am giving that example, because, I
am really, really interested in how you will be constructing the business-case
piece because I would think it would need to be responsive to the emerging
business cases in the various health information exchange networks across the
country.

So whatever you have done to begin to think out how we would do this, I
would really be interested in this, because this may be driving a lot of the
other pieces instead of vice versa.

DR. LOONSK: Thank you for your comments, Jeff.

I think you have pointed to a number of very challenging areas, and so one
— I think one conclusion from that, and one that we have held for some time,
is that we, the country, do not know all the activities or how they will look
on the Health Internet, and that, like the Internet, it is incumbent upon us to
not assume that we know what it will look like completely in a number of years,
and that has to flavor the way in which we pursue things, that we should not
stifle certain activities unduly lest we don’t understand what the
implications are relative to moving forward with that.

So the general model, I think, is to move forward iteratively, to try to be
specific where one needs to be specific, but also to allow for the development
to proceed, and that is a challenge.

I think there a few different aspects to the business activities. One is
that the AHIC basically is making an estimate as to what activities they think
have a business case when they identify a breakthrough, and they are doing it
really in anticipation of the rest of the activities and in anticipation of how
that plays out at times, based on the best information available, but certainly
without knowing conclusively how that will look at the end of what is a cycle
of activities and movement toward implementation.

But they are making an estimate. They are trying to identify breakthrough
areas where services can potentially be sustainable, where there are needs for
those services, even if there isn’t completely identified the relationship
between entities that would cause a self-sustaining service.

So moving forward with those areas, those breakthroughs through the use
cases, advancing them through the entire activity, they press on different
issues in different places along the way.

At certification time, for example, there is a heavy emphasis on why the
EHR vendor should implement those services. Is there a compelling case that
people will want to buy EHRs that implement those services.

At the architecture level, there is the issue of how do health exchanges be
able to be — how can they be self sustaining in terms of providing services,
et cetera, et cetera. So there are a number of different glimpses at that, a
number of different lenses that are put on that.

But I think the simple answer is that what we are trying to do is to
encourage the development as we proceed through this, recognizing that, indeed,
work flows are going to change, different services are going to change, what
the complete capabilities are of the Health Internet, if you will, are not
completely known, and that we have to be very strategic in terms of how to
foster the movement in this direction without impeding its progress.

MR. BLAIR: The philosophy that you have just expressed, I completely agree
with.

Now, the only piece that I would be concerned about is that if people
looked at what appeared to be positive business cases six months or nine months
ago, they are shifting, and they are shifting quickly as people understand the
strengths and limitations of these networks, and so if there is any way to
communicate that that AHIC group would need to have current information from a
diversity of health information exchange networks that are out there as we are
finding out that as people understand these networks better, the perception of
what the business case is is shifting significantly and quickly.

Is there some way for us to —

DR. LOONSK: We see that, too, and I think that what you’ll see in the
next round of the NHIN activities is some flexibility in terms of which of the
breakthroughs and which of these additional focus areas can be implemented as
they move forward with trial implementations, because not only are there
shifting priorities at times, but they vary, in terms of the particular region
and what will work there and what will work somewhere else.

So we need to maintain that flexibility for both those reasons, and we
agree with you that that is a critical aspect of moving forward.

DR. OVERHAGE: I can’t tell you how much fun it is to get to ask you
questions, instead of the other way around. Now about that other deliverable —

I had a number of questions, but I guess I might role them up into one
broad question, and you probably can’t answer this, but I’ll let you
take a stab at it anyway.

One of the concerns that I have is there are myriad forces spinning off
activities for ONC in this area, and it feels very fragmented and disconnected
to me, as I look at the overall picture, and, as Jeff said, I think there is an
architecture. There is a direction.

I am worried a little bit, though, that the pieces aren’t tied
together enough to make real progress.

So, for example, the HITSP recommendations that you talked about, when you
look at those — and, frankly, I haven’t read them all, and I do this for
a living, and I — I mean, there’s just too much, and part of that, I
think, is organization, presentation and focus that makes it harder to digest
and track, but part of it is this myriad of pieces that are out there moving.

C-CHET(?), as another example, we started out and focused on electronic
health record certification. We can’t quite get to interoperability yet.
We’ve got to go through this other process, all right and good, and, yet,
most of the data that we look at in the systems today are in laboratory systems
and pharmacy systems and radiology systems and things like that, and not NEHRs
or anything else that C-CHET has looked at yet.

So a very broad concern is too strong a word, I guess, but maybe the
question is is do you have thoughts about how we can help corral this a little
bit better, so we can actually make real progress?

I think there is broad progress being made, but I am a little worried that
it is broad progress at the 100,000-foot level, and that the 10,000-foot to the
ground level, there is so much diversity and so much fragmentation, I am
worried that we are not going to get done what we really want to get done,
although the trial implementations and things like that, I think, are a step in
that direction.

DR. LOONSK: Well, thank you for your comments.

A few responses, a few points. One is that this is complicated. This is not
a trivial thing, and just take the interoperability specifications, at the same
time that you and others may be overwhelmed by 800 pages worth of
implementation guidance, we clearly need that kind of specificity to get to a
level of interoperability which is really got to show value in terms of
connecting systems.

I mean, we know for some time that we have to talk about how standards are
implemented, not just what standards there are, and that basically compels that
level of specificity.

We also know that this health exchange is not going to be a simple thing
and that we need to advance it in a way that is coordinated. We know that it is
going forward at state and local levels. We know that if it goes forward
without coordination, we are going to not have the kinds of security
necessarily built in in every implementation that we would like. We are not
going to have them be interoperable with each other, because they are going to
go and do things in their own way at times to meet their own compelling needs,
and so I think this is a complicated activity.

We have a number of things going on. A number of them are about discovery,
and a number of them are trying to identify. If you think about the activity
with the state and local implementations of HIPAA and how we still have lessons
to learn from that.

We are still early in this process, and so it is a balancing of the fact
that we are — we have some time to go. We have to go through a number of
iterations. Some of these processes still have to produce products, so that
they can be fed into the next round, like the — limitations and how I describe
that here, and I think that things will look much more cohesive when we start
to get into that cycle and start to implement those things.

But, at the same time, we are also very — there are needs to move forward
and to move forward fast, because we know that there is a lot going on, and so
it is a balancing of those two things and the communication thereof.

So I think that, as things progress, you’ll start to see the way in
which they start to fit together, the way in which we can take the product from
one activity and feed it into the next step activity and that that is basically
what coordinating is about.

DR. FITZMAURICE: I gotta say, by the end of that answer, much as I’d
like to say, Gee, it is all fragment(?) and everything, it is complex and it is
hard to get your mind around, but I find that quite a few minds are getting
around it, and as I see us working ahead, I see us pulling in more and more
things to the overall picture, not just reaching out with more and more arms of
an octopus without a head. It does — it is better coordinated than say a year
ago, because we have learned more, and so I buy into your statement.

For interoperability in trial sites, it would be useful if we looked at how
the codes and terms that are exchanged are understandable, understandable to
clinicians at both ends of the transmission, and, indeed, we’d like their
computers to be able to accurately identify the concepts and use them for
information retrieval and decision support.

But sometimes we have difference in terminologies and codes, even across
the named or recognized standards. So it would be useful to have a look-up tool
to guide vendors and clinicians in achieving the interoperability of this
message content that is exchanged.

So I want to ask you have you given consideration about how to improve the
interoperability of the data elements and the name standards and the use-case
information exchanges?

For example, you might encourage electronic access to the name standards,
maybe for a price, make a deal with the SDOs and say, When you put them
electronically, we want the vendors, the people who are making the systems
work, be able to hone in on the particular standard that they need, and the
terminology. Maybe electronic access to terminology services to guide vendors
to the right terms and codes. There are some in DOD, NCI. National Library of
Medicine may have one, and, then, you might support an analysis of the
differences in terminology among the name standards with a goal of harmonizing
these differences.

As you move into the trial implementations, are these some of the
considerations that you are pondering or do you think that they are beyond the
scope of interest at this time and best left to the private sector to do?

DR. LOONSK: Well, I think you point to some very important issues, and I
would also like to reference some of the work that is going on at the National
Library of Medicine in regard to projects to relate terminologies and be
assistance in that regard.

We do see that there are a number of needs out there that will need to be
advanced. Clearly, as we get to more and more implementation of standards,
there will be demands on services for terminology mappings and terminology
accessibility.

It is one of the things that has been discussed around health information
service providers that might help support a health exchange and support the
NHIN is that that kind of technical capability may be a key service that they
could help provide, particularly if they are offering out data mappings and
message transformation to others in helping to bring them in.

We do have to be a little bit realistic, though, in terms of the amount
that can be bitten off in the next round of the NHIN, and we think that there
is an important area of focus for highly constraining, being very specific
about health exchange to health exchange translations.

Here, the standards really need to be as well implemented as possible. I
think that can offer lessons learned, so the kind of discussions you are
having, that the health information service providers may, indeed, in the
process of that, identify needs for terminology services that — as those that
you are alluding to, and that that could be a productive outcome, and then
allow some flexibility in terms of some of the other interfaces as we move to
the business model for supporting these services as well as adoption, because
we know that we can’t rip and replace all the health information
technology that is out there in the different participating organizations, and
there will be needs for some flexibility in terms of — for some time to come.

DR. FITZMAURICE: I guess what I am seeing is that at the AHIC and the NHIN
conference, when the business case was presented, I think 50 percent of the
revenue was projected to come from secondary uses of the data.

Not only do we want to have a good understanding of the information
exchanges, but as that data get stored in a repository, it is more valuable and
adds to the business case if it is more uniform.

DR. LOONSK: And I would note here that one of the areas that we look
forward to potentially working with NCVHS moving forward is in the area of
secondary uses of data, because we think this is a very important area where
the technical expertise of NCVHS could be helpful in some next steps as well.

DR. GREEN: I am Larry Green, John. I am one of the four new members. I feel
like I have been drinking from the fire hydrant since last December trying to
get — All of you, I presume, were once new members also.

Your presentation was enormously helpful to me. I want to thank you for it.

I would like to ask you to go back up to 30,000-, 40,000-foot level from
all these interesting details.

I have been looking and reading and trying to understand the logic model
here, and I would just like to hear it from you how you see the logic that
leads to the conclusion that we need a national health information network.

The H — I mean, I have been reading up and listening. I can understand why
we need a national information network, and I can understand why we would have
health applications in it, but as I listened to you talk about the network of
networks and this thing that we have the article T-H-E in front of — The
National Health Information Network, I am still struggling for the logic that
comes to the conclusion that we need The National Health Information Network
sort of as a discrete thing. Can you help me with that?

DR. LOONSK: Certainly.

I think one of the issues with terminology is that if you do use a capital
The or you use a term like network, that it necessarily becomes very concrete
for people and that they — on the one hand, it is something that they can
associate with, but they can say this is an organizing principle that we can
work around.

On the other hand, they very much see it as a physical entity which would
sit somewhere and look like something and be owned by someone.

And I think that it is the — sort of the challenge and the opportunity of
moving forward with a nationwide initiative is that you need to rally people
around some coordination.

It would be, I think, a tremendous loss if every region and state went
about developing health information exchange differently, they didn’t
learn from what others did, they weren’t interoperable, so that you could
have your information be portable if you moved from one jurisdiction to
another. The benefits of population data that come from multiple jurisdictions
that would be impacted by complete differences in that implementation, those
all would be, I think, great losses in terms of moving forward.

On the other hand, what we are trying to articulate is not a server that
sits somewhere, but when we say a network of networks, we mean a network of
networks. We mean by having the networks come together, use shared approaches,
use common technologies for interchange, that we can knit together something
that can meet security issues, meet concerns about how information can flow,
add value and allow for a great flourishing of secondary-use data opportunities
and other opportunities in terms of what a health information Internet could
be.

So it is a challenge with the language, but we are, in this nationwide
health information network, talking about an initiative, a nationwide health
information network initiative that has the intent of bringing together a
collaborative of networks and service providers who could work together to make
for this vision.

We are not talking about a common shared server or physical network that
would be run by the government or by any other single organization or entity.

And these are complicated issues and complicated challenges to articulate
and communicate, but that is the vision we have been trying to articulate
around the NHIN.

DR. COHN: John, thank you for those comments. I think that was a vision we
also tried to instill into the functional requirements document that we
produced — recently.

I want to thank you. I think it has been a very interesting conversation.

I think you’ll all be aware that we are running significantly behind,
but I thought it was an important conversation for us to all have, and I think
we are all sort of in agreement with that.

John, I want to thank you.

I actually want to thank the committee members, especially note that, with
this first session, we have actually engaged all of the new committee members
in the conversation. So we are always very pleased at that. We don’t have
shy new members. So that is great.

But, with that, let’s take about a 15 minute break.

We’ll come back at about 10 to 12 —

(Break).

Agenda Item: Subcommittee on Standards and Security
Letter

DR. COHN: Will everyone please be seated? We are going to get started.

I will turn this over to Harry Reynolds and Jeff Blair for review of a
letter on the National Provider Identifier —

MR. REYNOLDS: Jeff, you want to make a comment before we start or anything?

MR. BLAIR: No, not at this time. Harry, take it.

MR. REYNOLDS: All right. Since we’ve got some new members of the
committee and we are going to ask you to approve a letter, I want to give you a
little quick warmup, so that you are not completely — Yes, a little warmup
would be good here.

PARTICIPANT: Brace yourselves.

MR. REYNOLDS: So as a matter of fact, you can stand up and do jumping jacks
while I am talking, if you want.

The National Provider ID was established so that a single provider would
have a single number to be identified with in the country, and, then,
institutions could have multiples defining themselves. That is what was
originally set up, a two-year implementation period was put in place, and also
a single implementation date for everyone was established, so there was no
staging. So it was everybody running to a single goal line, and everybody had
to get there, not only themselves, but they had to get there with everybody
else that they work with.

So that is kind of the background of what this national provider ID is
about.

We heard testimony a couple of times, and you’ll hear in the letter
that we did.

On our most recent hearing, we had 16 different testifiers representing an
incredible cross section of the industry, just about everybody that is involved
in one way or the other.

What we clearly heard, again, is that the May 23rd deadline is
not really going to be doable for everybody together to get it done. So even if
a doctor got their NPI, whether or not all the payers or clearinghouses and
everyone that they worked with would be ready would be questioned. So
you’ll hear all this in the letter, though.

But we also felt that May 23rd should have some meaning as an
implementation date, because, as we kind of looked at our lessons learned back
from HIPAA and other things, if there is a due date and it is — even if it has
a transition period or anything aligned to it, if the due date doesn’t
mean something and doesn’t have some kind of significance, then, as we
continue to roll these out — which those of us who are on standards and
security know that we’ll be continuing to roll these out — that was a
concern to us also. So you’ll hear our statement as to what we feel about
that.

We do feel there needs to be some kind of a transition period to make sure
everybody works together after they do their initial things, and you’ll
hear that clearly.

And we also recommend in here that we will be holding other hearings to
monitor that and comment, not necessarily just monitor it, but in our hearings,
we will hear from the industry as to where it is going and then make further
recommendations or considerations to the Secretary, as necessary.

So that is kind of an overview to give you a sense of what we have been
through, what it is and what the situation is.

And if there aren’t any questions, Simon, I’ll go ahead and read
the letter you should have it in front of you.

Dear Secretary Leavitt, the National Committee on Vital and Health
Statistics is responsible for assisting and advising the Department of Health
and Human Services in adopting the administrative simplification provisions of
the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In that role, we have continued to monitor the health care industry’s
progress toward meeting the May 23, 2007, compliance date for implementation of
the national provider identifier NPI.

We last reported NPI status to you on November 29, 2006, and, at that time,
concluded there were several impediments to meeting the statutory deadline.

While we have observed some progress since November, we remain skeptical
that the industry will be able to meet the target date for NPI compliance.

On January 24, 2007, we again heard testimony from the health care industry
and the Centers for Medicare and Medicaid Services, CMS, regarding the
industry’s general readiness to implement NPI by the May 23rd
deadline.

There were participants from associations representing providers,
pharmacies, plans, health-care/ software vendors and third-party billing
companies. All expressed a great degree of concern and agreed that many in the
industry would not be able to meet the May 23, 2007, compliance date.

Two types of challenges were identified. The first is the challenge of
achieving full enumeration. The second is a challenge of data exchanging and
testing; 1.7 million NPIs have been enumerated, but many providers have still
not applied for a number. Reasons include procrastination and/or lack of
awareness of the need to obtain the number.

Despite significant outreach efforts on behalf of CMS in partnership with
industry groups, some providers remain unaware of the need to obtain an NPI and
the critical need to test the NPI with health plans.

Some providers believe themselves to be exempt, because they do not do
electronic billing or they do not participate in Medicare. Still others who
care for under-served populations may not bill for services.

Testifiers stressed that additional educational efforts in outreach are
required to assure providers are aware of what they need to do to be compliant.

Many industry representatives also conceded that significant progress could
still be made towards increasing the number of providers who obtain MPIs by May
23rd, but there was not unanimity, and no testifiers believe full
enumeration was possible by that date.

The second challenge is software testing, and I am going to substitute
information system testing in place of software has been in the recommendation.
So you’ll hear that in the next sentence also.

MR. HOUSTON: Harry, one of the things I did notice when I read through it
was that in your prior paragraph, you describe the second challenge of data
exchange and testing. So if you want to be consistent —

MR. REYNOLDS: OK. We will make sure we make that consistent.

A significant impediment to — whatever we change it to — testing — is
continued lack of access to data from the national plan/provider enumeration
system, NPPES.

Many plans need NPPES data to build crosswalks between legacy systems and
NPIs in their own systems to ensure validation of the NPIs given to them by
providers and to ensure timely processing of transactions.

In addition, providers also need to obtain the NPIs of other providers
because claims require the provision of both primary billing provider and the
ordering or referring provider.

For example, pharmacies need the NPI of the prescribing physician in order
to submit a valid claim.

Testifiers stressed that successful implementation depends heavily upon
access to NPPES data.

Testing among trading partners is critical to assuring that accurate
payments are made to the right providers.

This testing would include providers submitting transactions (for example,
claims) containing NPIs to plans and plans processing the transaction and
creating appropriate transactions (for example, remittance devices).

Very little testing has occurred to date, and testifiers indicated that all
industry segments require more time to complete testing and ensure a seamless
exchange of data between trading partners.

Without this testing, providers especially are concerned that payments for
their services will be substantially delayed. Delay in filling a patient’s
prescription is also a possibility.

As we stated in our last letter to you on this subject, NPPES data cannot
be released until HHS publishes a data-dissemination notice in the Federal
Register.

We continue to strongly encourage HHS to publish this notice as delays in
doing so will further impede progress toward industry compliance and improving
health care system efficiency.

Based on expert testimony at the subcommittee hearings and our own public
deliberations, we have the following observations and recommendations.

DR. COHN: Yes, Harry, do you want to hold up just a second to see if
anybody has any comments about any of the sort of the —

MR. BLAIR: Background.

DR. COHN: — the background information?

MR. HOUSTON: I read through it and had some little nits and things. Should
I just give them, rather than trying to describe them?

DR. COHN: Yes, if they are wordsmithing stuff, I think we can —

MR. HOUSTON: There are. So —

DR. COHN: Yes, I mean, is there anything substantive or just —

MR. HOUSTON: No, I think it is —

Let me just say one thing where we are starting now, though, I think there
is a little redundancy between what we are going to talk about now and what was
in the prior paragraphs, at least the first two observations and
recommendations. It seems like you really talked about them before. So —

MR. REYNOLDS: Yes, we agree with that —

MR. HOUSTON: But it seems like there’s a little bit of redundancy. I
am not sure whether it needs — whether that is good or bad.

MR. BLAIR: We have a breakout session this afternoon, and maybe those
wordsmithing things can be accommodated at that time.

DR. COHN: Yes, I think we can — I mean, if it is minor wordsmithing, we
can take it offline. If it is major issues with the construction of the letter,
we can deal with that, but I do want to, once again, remind everybody that
there may not be a meeting tomorrow.

MR. HOUSTON: Oh, really?

DR. COHN: Well, given the weather reports. So I think we just need to be
mindful of that as we deal with this particular issue.

DR. FITZMAURICE(?): Simon, I just want to make the point that sometimes the
redundancy is intentional. We want to restate something that leads into —
observation that leads into a recommendation. So it is — it is useful.

DR. COHN: Okay. We’ll take minor wordsmithing offline and deal with it
in the final production of the letter.

MR. REYNOLDS: What we could do, Simon, is I could look at those with John
at lunch, and if there is anything that is substantive, we can mention it right
after lunch to make sure we move forward.

Okay. Observation one. There is a clear need for more outreach to inform
providers, especially small-program and minority providers, of the need to
acquire NPIs.

Education is also needed for a wider range of providers and plans, so they
understand the need for sharing NPIs among their trading partners.

Recommendation one. NCVHS recommends that HHS/CMS take the lead in this
additional needed education, while also enlisting the participation of
organizations that represent the industry. Several of these organizations
expressed a willingness to provide assistance in the effort.

Observation two.

DR. COHN: Well, why don’t we stop after each recommendation and just
make sure that everybody is sort of aligned right.

Anything in relationship to that first observation recommendation?

MR. REYNOLDS: Okay. Observation Two. Industry must have access to the NPPES
data. This is critical to its ability to build crosswalks and reprogram its
systems to accommodate NPI-based transactions.

This is possible only if HHS publishes a data-dissemination notice
describing the data that will be made available and the mechanisms for
obtaining it.

Recommendation number two. NCVHS strongly recommends that HHS decides what
information will be made available to the industry, issue a data-dissemination
notice and make the data available at the earliest possible date. We believe
this essential to the success of the NPI implementation.

One thing I didn’t explain to the group, which I’ll do quickly,
is the whole thing about NPPES is that it is a national database that has the
NPIs that the providers have gone out and gotten, and so it is a single place
for people to go out and find out who has NPIs and what they are and so on. So
I think that is what this — and some people in the industry did build their
implementation around that being available, since there had been discussion —

Okay. Moving to Observation Three. All covered entities should be able to
accomplish the internal tasks needed to comply with the May 23, 2007, date;
that is, providers should be able to obtain their NPIs and plans and
clearinghouses should be able to complete their system changes needed to accept
NPIs on HIPAA transactions.

Recommendation Three, and I am going to read it differently than it is
currently formulated, so that — also, I’ll read it slower than I would
normally.

So, Recommendation Number Three. NCVHS recommends that providers obtain
their NPIs, health plans and clearinghouses complete the system changes needed
to accept NPIs on HIPAA transactions by the May 23, 2007, compliance date. That
is how we would say it.

So what we are basically doing here — and as I mentioned earlier, there
should be substantial progress made by May 23rd, and we recommend
that each individual entity should be able to do those things by May
23rd.

MR. HOUSTON: Don’t you want to state that in terms of — the
compliance deadline should be modified or some — it is not just our
recommendation, but we are recommending that the compliance deadline be sort of
bifurcated, such that there is an obligation for them to get their NPIs —

MR. REYNOLDS: What we feel is that we would want to leave that up to the
department —

MR. HOUSTON: How they are going to —

MR. REYNOLDS: — actually, as to how that would be addressed.

MR. BLAIR: If I might state, I think that this was deliberately not going
into those other — this sentence. The following sentences that Harry is about
to read will indicate other requirements for a later time on this
recommendation, but we wanted to make a very clear statement kind of restating
the compliance date of May 23, 2007. So that was the intent of this sentence.

And then the following sentences will indicate other requirements that will
have extended dates.

MR. REYNOLDS: OK. Yes, Bill.

DR. SCANLON: But in changing the language, haven’t you made a
recommendation, not to the Secretary, but to providers and to the
clearinghouses, and — I mean, the original sentence was to preserve the
deadline, which puts a burden on providers and clearinghouses, and it is the
Secretary’s prerogative to preserve the deadline —

MR. BLAIR: Maybe if we read the paragraph as a whole, the recommendation as
a whole, and then maybe you could still see whether you still feel the same way
that you just articulated.

MR. REYNOLDS: Bill, tell me your concern again, please.

DR. SCANLON: Well, the concern was that in changing the wording of the
recommendation. The recommendation was actually directed at providers. Forgot
the other part — and that we don’t write to providers. We write to the
Secretary. The Secretary creates the pressure for providers to comply by
preserving the May 23rd deadline, and that the original
recommendation did that. The original recommendation said to the Secretary,
Don’t change the deadline.

PARTICIPANT: That is a good point.

PARTICIPANT: Yes, I see what you are saying.

PARTICIPANT: Right. The recommendation has to be addressed to the
Secretary, not to the providers to comply —

PARTICIPANT: Yes.

PARTICIPANT: — basically what you are —

MR. BLAIR: Secretary retain that deadline for that piece of it, yes.

PARTICIPANT: Which would require, and then you can state the rest of the
recommendation.

MR. LAND: It seems to me that if it is going to be a recommendation to the
Secretary, and we are talking about a requirement, then, the issue is what is
the penalty if somebody doesn’t obtain their number by this date, and that
is what — I don’t know if that is in here or not or if that has been
discussed earlier, but that is really — the teeth behind this is what happens
if a provider doesn’t do it.

DR. FITZMAURICE: It is $100 per violation, per HIPAA.

MR. REYNOLDS: Well, again, what we were hoping for is, obviously, if it
stays there, whatever we decide that it is, at that point, somebody could
complain to CMS that, in fact, somebody else that they are working with did not
reach a certain point, and, at that point, it goes to whatever it goes through
in the normal process, which is no different than now.

In other words, if May 23rd was left in place, that is exactly
what would occur, and then there’d be a process and whatever that meant.

So we are trying not to be prescriptive as to what should happen, but, on
the other hand, we are going to talk about a transition, too. So we want it to
be — May 23rd to mean something, but it doesn’t mean the end,
and so that is what we are trying to formulate with this statement. So
it’s —

DR. WARREN: I think for the new members, another way to look at this is the
regulation already requires people to comply by May 23rd. So there
is nothing that this committee can do to change that regulation.

What we are doing is saying that when we heard testimony, there were some
things that we agreed could still be accomplished by May 23rd, and
that is what this recommendation is about.

There are some other things that we believe cannot be accomplished by May
23rd, and that is what Recommendation four is about.

So it is separating those two out to be very specific, and we dialogued
long and hard about how to do that.

So does that help, Bill, in understanding —

DR. SCANLON: Well, it does if it was only an observation, if we were
observing that we thought these things could be done by May 23rd.

It is the idea that when we make a recommendation in a letter to the
Secretary, we are telling the Secretary to do something, and so if we were to
eliminate the recommendation in this case and simply make the observation that
we think that providers and clearinghouses, et cetera, should do this, and can
do this, then, I would — I mean, I am just —

MR. REYNOLDS: But if we left it as a recommendation, how would you term it?

DR. SCANLON: Beg your pardon?

MR. REYNOLDS: If we left it as a recommendation —

DR. SCANLON: I would have left it the way there. It is basically telling
the Secretary, Don’t change the deadline.

MR. REYNOLDS: OK. Well, for those certain tasks.

DR. SCANLON: Right.

MR. REYNOLDS: Yes.

MS. TRUDEL: I don’t know whether this would make the situation a
little bit more understandable, but it might be possible to combine Observation
Three and Four and have them be Three and Three A, and simply have the
recommendation from Recommendation Four be the sole recommendation under those
two observations.

It may be premature for me to suggest that, because we haven’t read
the fourth one yet, but that is an option.

MR. REYNOLDS: Well, let’s read Observation Four and Recommendation
Four. Let’s go through that, and, then, let’s come back — You OK
with that?

DR. COHN: That’s a great —

MR. REYNOLDS: Let’s do that. Yes, let’s do that.

OK. So let’s move along. So Observation Four. Any covered entities
will likely not be able to complete the collaborative tasks needed to fully
test NPI usage.

MS. GREENBERG: Should probably say by —

MR. REYNOLDS: I know. Yes, I had that on the other copy. Yes, by May
23rd.

OK. That is, Provider software may not accommodate the NPI on HIPAA
transactions and plans and clearinghouses may not be able to complete crosswalk
construction.

After hearing testimony, we are convinced that requiring complete
compliance with the NPI standard on May 23, 2007, will be onerous and create
widespread billing and payment problems.

Recommendation Four. NCVHS recommends that HHS publish contingency guidance
similar to the one utilized for transaction and code sets and standards in
2003.

Such guidance would protect otherwise compliant covered entities from
enforcement action if they develop and implement contingency plans, such as
continuing to accept legacy identifiers to assure continuity of operations.

We suggest it would be prudent to institute a six-month contingency using
the following conditions:

If HHS issues a data dissemination notice and makes NPPES data available to
the industry prior to or on May 23, 2007, the contingency period would extend
six months after that date.

If HHS issues a dissemination notice and makes the NPPES data available
after May 23rd, the contingency period would start six months after
the date the data is available.

PARTICIPANT: Would end.

MR. REYNOLDS: Would end six months after the datas are available.

OK. So, Karen, so now that we have read that, tell me what you are
recommending again.

MS. TRUDEL: Combining Observation Three and Observation Four and have them
be A and B, under Observation Three, and then having the recommendation for
Observation Four be the sole recommendation under that observation.

DR. COHN: Well, Karen, just make sure I understand —

MR. REYNOLDS: I don’t get —

DR. COHN: — what you are doing is basically suggesting that we don’t
move forward with Recommendation Three and that we otherwise take the
Observation Three, combine it with Observation Four and —

MS. TRUDEL: Yes.

DR. COHN: — and just have the recommendations in Four be the pertinent
recommendations there.

MS. TRUDEL: Yes, in that that responds to Bill’s concern about what
are we recommending to the Secretary.

DR. SCANLON: And, in response, I mean, Recommendation Three is don’t
do anything. So when you leave it out, in some respects, that remains the
recommendation — OK? — telling the Secretary, Don’t change the date, and
in leaving it out, what you are doing is leave the date alone, but make — this
contingency for these other tasks.

You can go either way. I mean, you can either make it explicit all to the
date or you can leave it out and it is implicit —

MR. REYNOLDS: Marjorie, then Jeff.

MS. GREENBERG: Well, you could sort of compromise between those two, I
agree, but I think the idea of making this all one observation is a good one,
in that, otherwise, I think it is a little confusing the way it is, but you
could make this observation that is currently under Three, and, then, just, as
part of the observation, say, Therefore, we see no need to change the May
23rd compliance date for accomplishing these tasks.

PARTICIPANT: That is a recommendation.

PARTICIPANT: We can’t change the date.

DR. COHN: Yes, CMS doesn’t have the authority to change the
implementation date anyway.

MS. GREENBERG: OK. Well, but if — Let’s say you did need people —
Let’s say you had come to a different conclusion. There would be something
that could be done. You’d have to go to Congress, I guess? Or —

MR. REYNOLDS: Jeff, I see your hand. I’ll get to you.

MS. GREENBERG: I mean, is this not even an option at this point to change
that requirement? Is there no capacity to change the requirement that people
accomplish these tasks? I mean, it could be part of the contingency plan.

PARTICIPANT: It is a statute.

MS. GREENBERG: Right?

MR. REYNOLDS: It is a statute. So I don’t see how you change —

MS. GREENBERG: Hum?

PARTICIPANT: It is a statute.

PARTICIPANT: It is a statute.

MS. GREENBERG: It’s a statue — two years after the implementation,
but, then, I mean, how can you have a contingency plan at all if the statute is
controlling? That doesn’t exactly make — I am just saying if you
don’t think that it is — If you think this can be done by then, it could
be explicit that — about what you were trying to say without making it a
recommendation in Three, if it is nothing that anyone could address anyway,
then —

MR. REYNOLDS: Before I turn it over to Karen — Jeff, Karen is going to
make a comment on Marjorie’s statement, and then I’ll get to you.

We consider this a pivotal time as we look at standards, and that is one of
the reasons we tried to mess with this Observation Three is because, with
HIPAA, there is a long contingency period. With this, there is a period. We got
50/10(?) coming. We got ICD 10 coming. We got a whole lot of big change coming
on here. John mentioned things. Those standards are going to have to be
implemented and so on.

We were trying to discuss some kind of a — Anytime you do a project, you
need to have milestones, and, at some point, even if you don’t finish the
project, if you don’t have any milestones and you keep blowing right
through them, then you don’t have a plan, and so we are really, really
trying — and, again, this has been difficult to deal with because we know you
got a statute that we can’t change the date. Whether or not the Secretary
can change the date — We are playing off of the fact that there can be
guidance given on contingency plans and other things that we’re playing
off of HIPAA, that happened.

But we are trying to keep some kind of an oomph behind May 23rd,
because the next time the industry lines up again and then they line up again
and then they line up again — We heard testimony that people were just going
to start ignoring — that doesn’t matter anymore. I am going to wait —
You know, we heard people literally testify, I’ll wait ‘til the date,
and then I’ll figure out what I might do, because it is probably going to
take longer than that.

So I think that is the thing we are trying to deal with in this piece, and,
obviously, it’s got to be an artful dealing that we are messing with, and
we figured this is — I mean, this is kind of where it hits the road and how do
we do it in a reasonable way.

Jeff, you had a comment, and then Steve —

MR. BLAIR: Yes, and my comment —

MR. REYNOLDS: I’m sorry. Karen, you had a comment before that.

MS. TRUDEL: I just wanted to clarify the Secretary’s authority to
publish contingency guidance comes from a part of the statute that encourages
voluntary compliance and gives people who are not compliant the opportunity to
become compliant and cure periods and educational opportunities.

So that is where the contingency authority comes from, but it isn’t
across the board. It is not an authority to move a date. It is an authority to
look upon a complaint or an enforcement action with a different context.

Ms. GREENBERG: Thank you.

MR. REYNOLDS: And, again, I think supports our position on May
23rd, as having — still having some meaning.

Jeff, and, then, Steve.

MR. BLAIR: My comment is very much in support of what Harry just said, but
let me try to make it a little bit explicit, because I think it is essential in
this letter to have Recommendation Three and Recommendation Four separated and
for us to actually recommend that the Secretary retain the deadline for
specific functions. That is clear. That is unambiguous. OK?

And the reason is because Harry alluded to the fact of the broader context.
This letter and this situation for NPI adoption and compliance is not in
isolation. We have gone through the HIPAA transaction standards, which went
through significant delays. This is a — compared to other things that are
coming down the pike during this next year or two, this is relatively
straightforward. If this becomes the second time that the deadlines that have
been set forth gets ignored, there is a precedent that will become harder and
harder for us to overcome in the future.

Now, in this case, we heard from the industry, and we have tremendous
respect for the industry, and we listened very, very carefully to the pieces
where they could not comply, and we separated them out, and that is what Three
and Four does. It separates out clearly what they are capable of doing and what
they are not capable of doing by May 23rd, and, for that reason, I
think it is important that we keep each of these recommendations separate and
unambiguous.

DR. STEINDEL: I’d like to really just echo what Jeff just said.
Harry’s eloquence a few moments ago convinced me that we do need to keep
these two separate, and Bill’s comments on how we should word it convinced
me that we shouldn’t change the wording.

MR. REYNOLDS: Let me make one other — Bill.

DR. SCANLON: Could I amend my comment?

MR. REYNOLDS: Yes. Can you amend your good idea, yes.

DR. SCANLON: Right. Having heard that this is a statutory requirement, I
mean, you don’t recommend to the Secretary follow the statute.

I mean, what I think I hear you saying, in terms of trying to strike this
balance, is in Recommendation Three, that you want to maintain the May
23rd deadline for certain tasks and that you don’t want any
contingencies for those tasks.

And, then, in Recommendation Four, what you are saying, for other tasks,
that you would be willing to grant some contingencies, but for a limited time,
and that is where the subtlety and the balance comes in, that you distinguish
the tasks and you also put a time limit on how long you are going to be willing
to be tolerant about non-compliance.

And so I think that, potentially, in Recommendation Three, since we know
the Secretary doesn’t have the statutory authority to change that date,
that you talk about maintain this date and not provide for any contingencies,
and, then, in Recommendation Four, you talk about these other tasks, which you
think may not be done, and, for them, you provide contingencies over a limited
time period.

That makes sense to me.

MR. REYNOLDS: Mark, you had a question, I think, and then I’ve got
some other possible language —

MR. ROTHSTEIN: I just wanted to follow up on that and raise the question of
whether, in Recommendation Four, this language, Contingency Guidance, gives the
impression that HHS is more flexible than we want the agency to be or the
department to be, and would it be better if we said something like, instead of
publishing contingency guidance, publishing enforcement guidance, and saying
that, for a period of time for these external collaborative measures,
enforcement will take into account blah, blah, blah, but only for a limited
period of time.

By bringing in transaction code sets and making people think of the — sort
of the delays that were built in, that give the impression that I think
everyone wants to give in this letter.

MR. REYNOLDS: Karen, what is your feeling on that wording?

MS. TRUDEL: I think it was originally worded that way, because it was a
process that people were familiar with, and they kind of knew how it worked,
but it is six of one, half a dozen of the other, because, really, what we call
contingency guidance was enforcement flexibility.

MR. ROTHSTEIN: Right.

MR. REYNOLDS: Well, enforcement would probably send a more — I don’t
know. Interesting — Let me go back to Three, Mark, and then I want to come
back to Four. OK? Let me go back to Three.

What about the idea — Recommendation Three. NCVHS recommends that HHS
expect providers, plans and clearinghouses to accomplish these tasks by the May
23, 2007, compliance date. Then, it is directed —

MS. GREENBERG: Continue to expect?

MR. REYNOLDS: Just expect. Just expect.

MR. BLAIR: Well, could you say retain the current deadline? Because if you
say retain, what is the current HHS deadline —

MR. REYNOLDS: No, no, no. I didn’t say that, Jeff. I said NCVHS
recommends that HHS expect providers, plans and clearinghouses to accomplish
these tasks by the May 23, 2007, compliance date.

MR. BLAIR: I just felt like the word expect is kind of weak. So I was just
trying to get that a little stronger.

MR. REYNOLDS: What word? I didn’t understand. What word were you —
You’re saying require?

MR. BLAIR: I would feel better that — Yes.

MR. ROTHSTEIN: Could you say that we recommend that HHS enforce the May
23rd compliance date with respect to these issues?

DR. COHN: Let me just make a general comment, because I feel that we are I
think, at the end of the day, a statuary public advisory committee that, I
think, among other things, is trying to represent the public interest and
advise CMS the right path in terms of this implementation.

I’m getting here, in some of these conversations, that we are somehow
trying to become the enforcers ourselves, as opposed to advise on the
appropriate method of enforcement in all of this. So I just would have you all
— I mean, I think that we — once again, we are advising CMS. I think we
don’t serve ourselves or the country very well by trying to micro manage
at too great a level specificity. So I would just advise you on that. That is
just my personal feelings.

I thought Harry had some very good wording —

MR. REYNOLDS: Well, I think the word “expect” allows them to
decide what “expect” means.

MS. GREENBERG: That’s why I thought “continue to expect”,
because they expect it now. Right?

MR. REYNOLDS: But they expect the whole thing.

MS. GREENBERG: All right. So this is —

MR. REYNOLDS: We are modifying —

MS. GREENBERG: — continue to expect.

MR. REYNOLDS: All right. So let me read it again.

You want continue in there? Okay. Well, no. No, I am serious. I want to
know. I want to read it for approval.

MS. GREENBERG: Well, I recommended that, but this is for the members to
decide.

MR. REYNOLDS: Okay. Well, let me read it with “continue” in
there, and then people can — Okay. NCVHS recommends that HHS continue to
expect providers, plans and clearinghouses to accomplish these tasks by May 23,
2007’s compliance date.

DR. STEINDEL: I like the original wording.

MR. REYNOLDS: You mean “expect”?

DR. STEINDEL: No, as it is written in the document.

MS. GREENBERG: Required?

DR. STEINDEL: Yes. Yes. Recommends that covered entities be required to
accomplish these tasks by May 23, 2007, compliance date.

I think it is very simple, straightforward and specific, and if HHS decides
they don’t want to require it, they can introduce contingency plans.

I think we are saying very bluntly there we are going to stick to that
enforcement date, as NCVHS. That is our recommendation.

MR. REYNOLDS: That is a firm recommendation that that date means something.

DR. STEINDEL: Yes.

MR. REYNOLDS: OK. Anybody have a problem with going back to the original
wording?

Oay. Moving on. Observation Four. We read it. We have one recommendation —
Let me read Recommendation Four again with Mark’s change.

DR. COHN: Well, I thought we were going to discuss Mark’s change. I
mean, Mark is talking about changing this to enforcement —

MR. ROTHSTEIN: Flexibility —

MR. REYNOLDS: Just let me read the first sentence, so you see where it
fits, and then — So everybody —

NCVHS recommends that HHS publish enforcement guidance rather than
contingency guidance. That is what we are talking about.

Karen, I’d like a comment from you before — Steve.

DR. STEINDEL: I think we heard Karen earlier on that.

Contingency guidance in HIPAA is now a term of art, and, as Karen pointed
out, it really means the same thing as enforcement, because that is what they
are asking for contingency on, to allow them some guidance and leverage on
enforcing things, and I think enforcement is just not a term of art, if we
start using it here, it is going to be — introduce some difficulties.

MR. ROTHSTEIN: I have no problem with that.

MR. REYNOLDS: Yes, with Recommendation Three back as it was, I would have
no problem either leaving it as contingency.

So, Simon, that means that Observation Four, except for including by May
23rd at the end of the first sentence and Recommendation Four stand
as is.

And, then, our last statement is, We will continue to monitor the
implementation progress and report to you.

So we have a hearing in May, and we have another hearing in October. So if
it were to be the — six months. If the NPPES came out and the date started May
23rd, then six months from that is — well, what’s that? That
is — that’s 11. So we would have had two shots at it to make comments
between then and then with our two hearings that we have in place. So —

With that, Simon, except for John’s wordsmithing at lunch, which I can
take a look at, I would assume —

MR. HOUSTON: Well, I think things — my wordsmithing has gotten more minor,
based upon that last — the conversation about Observations Three and Four. So

MR. REYNOLDS: OK. All right.

MR. HOUSTON: They’re pretty minor.

MR. LAND: You could simplify, I think, the two statements there by just
saying that whenever —

MR. REYNOLDS: Get to the mike. Well, where are you? Make sure everybody
knows where you are.

MR. LAND: Where you have your two different options of when the contingency
period right to the start, I think you could just say whenever the NPS data is
available, then, it’ll be six months after that.

MR. REYNOLDS: Well, but we want to still keep intact May 23rd.
Okay. In other words —

MR. LAND: Well, but it if it before —

MR. REYNOLDS: If it is before, we have already said above, the people are
only going to get to a certain point by May 23rd. So we kind of
started that earlier than we said. So that is why we did it — We want them to
have ‘til May 23rd, because that is what the regulation says,
or later than that, if the dissemination —

MR. ROTHSTEIN: I have a question, Harry. I am not exactly sure how to read
this. The first one, suppose HHS issues the dissemination notice on April
1st

MR. REYNOLDS: Yes.

MR. ROTHSTEIN: Okay. Does the contingency period end October 1st
or November 23rd?

MR. REYNOLDS: November 23rd.

MS. GREENBERG: After what date? I read it the other way around.

MR. ROTHSTEIN: See, I am trying to figure out what that date means. So can
we — Maybe we should just put November 23rd.

MS. GREENBERG: Yes.

PARTICIPANT: Because they still may never have gotten disseminated —

MR. ROTHSTEIN: No, but in the first contingency — the first — If they
have done it by May 23rd.

MR. REYNOLDS: No, after — Okay. It would be —

MS. GREENBERG: You are not abbreviating the six months —

MR. REYNOLDS: No, no, gotcha. It is six months from May 23rd.
Yes. Good catch. Good catch. We’ll just put the date 11-23 —

MS. GREENBERG: Would end November — Okay —

MR. REYNOLDS: 11-23-07. Good catch. That is a good catch.

MR. BLAIR: Yes.

MR. REYNOLDS: And, then, the second one stands as is.

PARTICIPANT: Right.

MR. REYNOLDS: Simon, would you want to take a vote to approve the letter,
and, then, we’ll look at the changes and if any of them are substantive, I
promise we will bring it back right away.

DR. COHN: Yes, and I think we would obviously want — Any consideration of
this would need to, obviously, include the opportunity for minor wordsmithing

MR. REYNOLDS: Yes.

DR. COHN: — at the discretion of the Chair.

Is there a motion —

MR. HOUSTON: I’ll motion that the letter be approved with minor
wordsmithing permitted.

DR. COHN: OK. Second?

DR. WARREN: Second.

DR. COHN: Okay. Any further discussion on this letter?

MR. BLAIR: The only thing I have is that if, by chance — is there some way
for the committee to — How do I want to say this? I guess we are approving
this at this point, so that if we don’t meet tomorrow, the wordsmithing
then goes to what? The Executive Committee?

PARTICIPANT: No.

MR. BLAIR: Or it goes —

PARTICIPANT: It’s approved.

MR. BLAIR: It is approved, period. Okay.

DR. COHN: Yes. I think this was at the discretion of the Chair, in terms of
wordsmithing.

So other questions or discussions?

OK. Well, all in favor —

(A chorus of ayes).

DR. COHN: Opposed?

Anyone on the phone want to vote?

MS. MC CALL(?): Aye. In favor.

MR. BLAIR: You have to be louder.

DR. COHN: Anybody on the phone?

MS. MC CALL(?): Yes, can you hear me?

DR. COHN: Now, I can hear you. Are you voting affirmative?

MS. MC CALL(?): In favor.

MR. BLAIR: Don’t we have some other folks on the phone? Steinwachs?

DR. COHN: I guess not. Okay. Well, with that, the motion is passed, and
thank you.

MR. REYNOLDS: Thank you. Thank you, everyone.

DR. COHN: Yes.

Now, it is 12:40. Why don’t we take a break for lunch and we will
reconvene at 1:30?

(Luncheon recess was taken at 12:40 p.m.)

AFTERNOON SESSION (1:40 p.m.)

DR. COHN: It has come to our attention that apparently at two o’clock,
federal offices in the Washington, D.C. area are closing due to severe weather.

MS. GREENBERG: Predicted.

DR. COHN: Predicted.

MS. GREENBERG: Due to inclement weather, yes.

DR. COHN: Due to inclement weather.

So that may impact some of our planned subcommittee meetings and other
sessions this afternoon.

Now, but I would, first of all, say that I think we will intend, unless
there is a —

MS. GREENBERG: If the government reopens in the morning —

DR. COHN: Yes, what we will do is to reconvene tomorrow morning.

MS. GREENBERG: When they reopen.

DR. COHN: Yes. Well, if they open at 11 o’clock, we are probably not
going to reconvene for an hour. So, basically, if they open at regular time or
at 10:00 a.m., we will reconvene tomorrow morning. Anything later than that, we
will, obviously, just cancel the meetings tomorrow, at least for our full
committee, — Obviously, there’s hearings scheduled for tomorrow
afternoon, which all that is happening is that it is a late start to the
government day. Those will obviously continue.

Now, obviously, I am looking through to sort of see what other action items
we have, and the only other action item we have has to do with the HIPAA annual
report. Given that we don’t actually have that in our hands yet, there is
no action we can take. So, hopefully, if we can get back together tomorrow
morning — Now, hopefully, we get back together tomorrow morning, we’ll
have a chance to look at that and at least provisionally approve it to put it
over to the Executive Subcommittee for final revision.

PARTICIPANT: We are getting an Executive Summary

DR. COHN: I think we’ll need to review that.

Now, with that, I think what I am going to suggest is that we move forward
with the agenda as we have it and ask Mark to talk briefly about issues coming
up from the Subcommittee on Privacy and Confidentiality.

If, indeed, we do go on tomorrow morning, which, hopefully, we will, we
will rejigger the agenda a little bit, and, Marjorie, I hope you don’t
mind, but I think probably we’ll try to include some things on populations
and move the agenda around a little bit, but we’ll figure that one out.

MS. GREENBERG: Should I provide this hot-line number?

DR. COHN: Oh, please. I am sorry.

MS. GREENBERG: Yes. NCHS does have a hot-line number that employees can
call, but it tells what the status of government opening and closure is, et
cetera. So I will share it with you. I actually wanted to prior to today, but I
couldn’t figure out what it was. So I have it now. So it is
1-888-NCHS-TEL.

MR. BLAIR: Could you give us those in numbers, please?

MS. GREENBERG: 1-888- — I frankly don’t know — What are those
numbers? NCHS-TEL. Does someone know what — Does anyone have a phone?

(Several participants at once).

DR. COHN: Yes, and, actually, I’d like to comment, one of our new
members, Laurie Green, was asking if these are sort of how meetings are usually
run, and I would say that, yes, except for the emergency weather closure —

PARTICIPANT: Three seasons out of the year —

DR. COHN: Yes.

(Several participants at once).

MR. HOUSTON: Even though the particular website is not coming up right now,
there is an Office of Personnel — is it Office of Personnel Management?

PARTICIPANT: Yes.

MR. HOUSTON: Website where you can actually get the same notice off of it,
and if it comes up in the room, I can give you the ERL for it, but it seems
like it is either down or —

MS. GREENBERG: OPM.

MR. HOUSTON: Oh, wait. Here it goes. It is
http://www.opm.gov/topics.asp, and
when you come to that page, there is a selection for — under O — for
open/close status of federal government, D.C. area, and if you click on that,
it’ll actually tell you the current status of the government.

PARTICIPANT: That is a well-kept secret, isn’t it?

DR. COHN: Well, with that, now that we have talked about — OK. We are
going to transact business for the next 20 minutes, ‘til we adjourn. Mark.

Agenda Item: Subcommittee on Privacy and
Confidentiality

MR. ROTHSTEIN: Yes, thank you, Simon.

MR. HOUSTON: By the way, it says right now the current status of the
government is open, though.

I’ll check it at two o’clock.

MR. ROTHSTEIN: I want to bring you up to date on what the Subcommittee on
Privacy and Confidentiality is doing, and about two letters that we plan to
have to the full committee at our June meeting.

And for the new members, and to remind the old members as well, in our June
22nd letter to the Secretary on the NHIN, one of our recommendations
addressed the issue of whether health privacy regulations should be extended
beyond the three covered entities currently covered under HIPAA, and,
specifically, the recommendation, which is R-12, reads, HHS should work with
other federal agencies and the Congress to ensure the privacy and
confidentiality rules apply to all individuals and entities that create,
compile, store, transmit or use personal health information in any form and in
any setting, including employers, insurers, financial institutions, commercial
data providers, application service providers and schools.

We have held three subcommittee hearings on the coverage issue in
September, November and January. We wanted to explore the effect of a possible
expansion of coverage on employers, life insurers, banks, financial
institutions and other entities currently not covered by the HIPAA privacy
rule. How are they regulated? What problems might they encounter, et cetera.

We also wanted to hear from health-care providers who are currently not
covered entities under HIPAA, and there are quite a few, and I’ll talk
about that in just a minute.

To make a long story short, we considered a variety of options and issues,
and we have, thus far, decided on two areas in which we want to draft letters
and recommendations for the Secretary.

And the first one deals with the use of health information in schools and
the gaps and overlaps between HIPAA and FIRPA.

We heard testimony from experts at both K-12 level and also college health
personnel that health-care providers and public-health officials are having a
difficult time exchanging essential information about children, for example, in
schools. They can’t get access to immunization data. The schools that have
information can’t report it to public-health authorities, et cetera, and
we want to explore the issues of both, and this goes to a point that Gene made
this morning both protecting privacy and not making sure that the privacy rules
have the effect of stifling the interchange of essential information for health
and public-health purposes.

So, fortunately, Gail Horlick, who is an expert on national immunization
policy in schools, will be able to help us draft that letter.

OK. And happy to do so, I might add.

And the other letter is on the issue of expanding coverage, and, of course,
in our June letter, the purpose of that recommendation was to recognize that
the HIPAA Privacy Rule and the NHIN are intended to do totally different things
and we felt that if you are going to have a comprehensive system of electronic
health records that we need comprehensive health privacy protections, and that
is behind the reasoning in this recommendation in June.

We held hearings most recently last month and heard from a variety of
non-covered health-care providers and put together a list of who might be on
that group, and the number of non-covered health-care providers, frankly — I
don’t know about the other subcommittees — it just staggered me. I
didn’t realize there were so many health-care providers who are not
currently covered by the HIPAA Privacy Rule.

MR. BLAIR: — you are saying providers, it is — or enterprises?

MR. ROTHSTEIN: No, I am talking about different types of providers.
Enterprises as well, but providers.

Let me give you some examples. Employer health clinics. If you get sick on
the job, some large employers, you just go down there, they treat you. They
don’t charge you. They are not HIPAA-covered entities. Cosmetic medicine
providers, urgent-care facilities, certain kinds of concierge medical
practices, home testing laboratories, athletic trainers, massage therapists,
reproductive-health counselors. The list goes on and on and on.

And, basically, what we are going to be talking about is a recommendation
to the Secretary and the language that was approved in June to extend some
level of privacy and confidentiality for protection to these providers, not
necessarily HIPAA Privacy Rule, but some sort of coverage, and, of course, it
may well require legislation, in which case we would recommend to the Secretary
that the Secretary pursue such a thing with Congress.

We also may want to consider — and, here again, I am not speaking for the
subcommittee, because we haven’t really addressed this issue. We may also
recommend that the Secretary undertake a more comprehensive study to determine
the actual number of people that we are talking about.

We heard witnesses, but we just have sort of on-the-back-of-an-envelope
kind of guesses as to how many people we are talking about would be covered,
and it may be appropriate for the department to do — You know, they’ve
got a lot more resources and expertise than the subcommittee and can generate a
more accurate tally of the number of providers in the various categories, and
also possibly come up with the most efficient way to protect them.

There may be existing legislation, for example, that could be extended, not
HIPAA, but other laws that would apply.

So, for example, blood banks are not covered entities under HIPAA, by and
large. It may be that we want to regulate them through the laws that regulate
blood banks, in terms of privacy, or some of these other entities.

So that is what we are contemplating doing, and we’ve got some time.
The purpose of today’s briefing is just to alert you to what our current
priorities are, and we’ll be meeting, perhaps, tomorrow morning to discuss
these issues, as well as to plan some of our future hearings on other privacy
topics.

Anybody have any questions? Yes.

MR. LAND: You mentioned FIRPA and immunizations. I hope it is not
restricted to just immunizations.

One of the other big issues that public-health agencies are faced with
right now is new-born hearing programs. They have registries, but they cannot
get the information from the school districts when the child has been followed
up and has had an audiological exam, and that is really creating a major
problem for them in determining which children have been followed up and which
have not been followed up.

MR. ROTHSTEIN: Yes, I thank you for mentioning that. It is a very good
point. We did have a witness who spoke about that, about the inability to get
those kinds of audiology reports, and that will be included as well. I
mentioned immunization as just one of the other examples that we are —

But there really is a major gap between HIPAA and FIRPA, and, in some
settings, you’ve got situations where both rules apply or no rule applies,
and, for example, college health service — and we heard testimony about this
— if they take care of a student, then, FIRPA applies, but if it is a staff
member and they are going to bill somebody, then HIPAA applies, and if they are
not going to bill anybody, then — and it is a staff member, then nobody —
neither regulation applies. So that is what we are going to take a look at.

MR. HOUSTON: And just to make the point obvious is I think we heard as much
comment about the fact I think people would just like to know what they need to
comply with. They want to have clarity as to what applies, and so if it was one
rule that had more broad application, I think they would be happier than having
to figure out what do you do when and what applies and what doesn’t apply,
and I got that sense through the testimony, too, or at least afterwards.

MR. ROTHSTEIN: Yes, we had testimony at our last hearing from the Athletic
Trainers Association, and he had major problems in deciding which set of rules
his group had to comply with, and many of the other witnesses were just — They
didn’t even know that they weren’t even covered.

We heard from a witness at our last hearing who is the CEO of one of the —
I think the largest home test laboratory in the country. So if you want to
anonymously get tested for Hepatitis C or HIV and you buy a kit at the drug
store, you mail all this stuff in, his lab is the one that tests them, and he
was very proud of the fact that his lab was totally HIPAA compliant, and we
suggested to him that that was a good thing to be, but it wasn’t required.
and so — I mean, there is just a lot of confusion.

Thank you, Simon.

DR. FRANCIS: Just as a new member, I might say that the overwhelming
impression in some of these cases is risks to patient care of the gaps or
people thinking that they can’t share information when they could or lots
of confusion, and that underlies your point —

DR. GREEN: Mark, I’d like to ask a question about this committee. Does
this committee work with a model of how they think health care is being
delivered and is going to be delivered?

MR. ROTHSTEIN: Can you give me a little more detail on that question?

DR. GREEN: Yes, I’ll try. So let’s take the example that you used
at the child in school —

MR. ROTHSTEIN: Right.

DR. GREEN: And so let’s say the child has asthma, and there is
information that the school nurses have about the child and how the child is
doing with their asthma, and maybe the child also sees a pulmonologist and
maybe an allergist and maybe a pediatrician, and so they all have pieces of
this kid’s data.

The gist I took is that this committee is looking at the fact that we are
looking for a comprehensive solution that allows this kid — my representative
of the public’s interest — to be taken really — have great care and —
went very well without unnecessary impediments or barriers.

Has the committee or the subcommittee made explicit the model of the
health-care delivery process that we think we are planning for and we are
preparing for and that we are creating a national health information network
for, and, if so what is it? And, if not, how do we proceed without some
agreement about that?

MR. ROTHSTEIN: Simon, do you want to address that?

DR. COHN: Well, I think without — I mean, I would certainly not tell you
that I think the committee has come up with the vision of health care in the
future.

On the other hand, what we have done is we have visioned out — and there
is a document called the National Health Information Infrastructure document
that really — Information for Health, which I think I would suggest to you —

MR. LAND: I think I have seen that.

DR. COHN: Yes, does provide —

MR. LAND: Isn’t that on the Web site?

DR. COHN: Yes, it is on the Web site. It was done about 1991 or ‘02 —

PARTICIPANT: No, it was done —

DR. COHN: 2001. I’m sorry. 2001-2002. Post lunch. Definitely begins to
lay out a vision not of the actual mechanics of health care, but a vision where
information is available to support health care wherever it needs to occur, and
I would — I mean, Mark, I don’t know if you were going to go to that one
or not, but —

MR. ROTHSTEIN: Well, what I was going to say is our recommendations,
typically — and, in this context as well, usually don’t go into those
sorts of systemic assumptions about health-care delivery.

What we try to do is to come up with broad recommendations that we deem to
be appropriate under any system of health-care delivery.

I mean, you haven’t been around that long, but I am sure, over time,
you’ll realize that it is often a very difficult process getting any
recommendation dealing with privacy through the committee in a unanimous — If
we tagged onto that — Oh, and by the way, this is what we think the
health-care system should look like, too, then we might have one lead opinion
and 17 separate concurring opinions.

I mean, not to be flip about it. I mean, what we need to do, I think, is
try to reach agreement on sort of the broadest principles to recommend to the
Secretary, and there are other people in the department who are working on the
issues that you suggest.

MR. BLAIR: There is one other piece. Our scope is health information
policy, and that word, information, bounds us. So we are not going beyond
health information —

DR. GREEN: Just for the — for future discussions, it is not immediately
clear to me how the charge to look at information and information management
can actually proceed without us making assumptions about how the information
will be used, and the implications for that seem to me to be — whether they
are articulated or not — every one of us at the table is working with a set of
assumptions about how this information is going to be used, who is going to use
it, where they are going to use it, how they are going to be integrated.

I accept the point that this is complicated and not the charge of the
mission to prescribe the structure and the function of the health-care delivery
system, but I am not sure I am yet prepared to accept the notion that we are
not working without assumptions about the structure and function of the
health-care delivery system and what — As a newcomer, what I am a little
worried about is I am not real thrilled about planning for the past.

MR. ROTHSTEIN: I think that is a very fair and perceptive comment, and I
hope that you will hold our feet to the fire on that, and if some document
comes through — especially via the privacy and confidentiality subcommittee —
that seems to be overly sort of confined by a singular vision — stated or
unstated — that you’ll call us on that, because it is a good point.

MR. REYNOLDS: Larry, what were the last two words of your comments? You
said you couldn’t plan —

DR. GREEN: Well, I was just saying that — Well, I was implying that it is
quite a challenging proposition that we are undertaking to help plan for the
information needs of a delivery system that appears to be in transformative
change, and that it sounds to me as if the answer to my question is no, the
committee does not have an agreed model in mind. We each bring our own
individual ideas about the model to the table. We discuss things, and, somehow
or other, we iron this out.

DR. COHN: Well, Larry, I think maybe I would actually maybe even frame it a
little differently.

Number one is I would actually like you to look at the NHII document,
because I think you actually might find it to be very interesting.

The other piece is that you mentioned in your last couple of sentences
transformation of health care, and I think that the committee charge is
actually a little broader than just health care, and I would have you actually
think about this, as I think we are all recognizing that there is actually a
transformation of health, and I think that we tend to think of it, actually,
even though many of us have M.D.s after our names, you and myself included,
that we really need to be thinking from that broader context.

So we can talk about personal health records or the personal dimension of
the NHII, you are really thinking of something potentially a little broader,
but I think we do need to engage you in this conversation, and I think you are
right that — I think there are sort of unstated either assumptions or beliefs
we have about how all of this is playing out that do impact both where we
choose to put our energy as well as the nature of the conversation, but I think
we obviously — this is the beginning of that conversation, not the end of it.

MR. BLAIR: Simon, I’d like to add one other thought.

DR. COHN: Sure.

MR. BLAIR: Because one of the things that caused me to really think about
what you said was, you know, you would be frustrated if you felt like we were
dealing with things in the past, and I think many of us have — as we have
started to look into the opportunities to provide information-system solutions,
but more than information-system solutions, as Simon just mentioned, the
National Health Information Infrastructure, if we are able to move forward in
information infrastructure for health care, we do transform it, and we do begin
to address a lot of the dysfunctional areas of health care. So we do tend to
think that we are moving health care into the future, but our principal vehicle
to do so is with the information — creating a health-information
infrastructure for the nation. So I don’t know if that is helpful or not.

DR. COHN: Well, we will continue — I wanted to move onto another topic,
but, Marjorie, what was your —

MS. GREENBERG: Well, again — and I hate to end at this —

DR. COHN: Well, we are not.

MS. GREENBERG: It is such an interesting discussion — even though it is
two o’clock.

DR. COHN: Well, we are moving onto another conversation.

MS. GREENBERG: Okay. But I did want you to know what the actual OPM
announcement is, and that is that everybody but emergency employees are
supposed to depart at 2:00 p.m., and, as much as we feel important, I guess we
not emergency employees, but, also, due to pending inclement weather — and,
then, it says road conditions are expected to deteriorate later this afternoon.
It is essential to get federal workers home before dark, so transportation
authorities can treat the roads.

We will continue to monitor the weather conditions and announce the status
of government for tomorrow as soon as possible.

Agenda Item: HIPAA 8th Annual Report, Action
February 14

DR. COHN: Okay. Now, what I was going to ask for was, obviously, knowing
that we are already even a couple of minutes beyond the two o’clock time,
I did want to — assuming everyone is OK with it — ask Maya to at least
briefly discuss the document, which is the HIPAA report, and what I would
suggest is that, since we haven’t seen this before, I want her to briefly
reference it. You all have copies of it.

If we do meet tomorrow, it will be an action item that we’ll be
considering.

If not, what we will do is to schedule a conference call. Yes — to handle
the work that we didn’t get done at this meeting.

MS. BERNSTEIN: My sense is you will not want to be voting on it tomorrow in
the condition that it is in.

However, so I apologize for not having it to you earlier and for not having
done this — I dropped the ball, essentially, but I was focused on the comments
that I got from the privacy, confidentiality subcommittee, which are —
Basically, all of the comments that I got were from either members of that
subcommittee or staff associated with that subcommittee.

If I missed another committee member’s comments on the report, we
would still, actually, like to get them.

So you are on that committee, so —

MR. REYNOLDS: And I am also on Standards and Security.

MS. BERNSTEIN: But, I mean, I count you, because I know you from my
subcommittee. Yes, you have made other comments.

(Several participants at once).

MS. BERNSTEIN: If you have ever been to a Privacy and Confidentiality
meeting, I think I have your comment, but if you don’t normally attend
those meetings, I do not have your comments, and if you do have comments, would
love to have them.

I also recognize that we have some new members of the committee who might
not have had an opportunity at the November meeting to see this and are maybe
seeing this for the first time.

So the main part of the discussion at the November meeting was essentially
about the structure of the document, which was sort of half executive summary
and half text or substantive part, which is not normally the structure of a
report.

So the main part of what we have to do is to condense executive summary, so
that it really is an executive summary, and I tried to do that in two pages,
which you have.

There’s a couple of little notes in the margin, just for sort of dates
and things that I wanted to make sure of, but, basically, this summarizes those
items that are activities that happened during the reporting period for this
report, which is May 2005 to November 2006.

If it didn’t happen during that time period, I left it out, basically,
except for a small note at the end, which says we took a 10-year overview of
HIPAA and we summarized those observations in the text of the report.

Other than that, everything that is in summary is only that which happened
during that reporting period.

And then Simon made some changes to the text of the letter itself, which
you also have a copy of. It is another double-sided thing.

And I have just handed you what is the current draft of the substance of
the report, which needs some more work.

Essentially, I took the first real hard look at it last week, and, in
addition to the structural problems, what I see is that a lot of the text of
this report is borrowed language from previous reports or from other things
that we have issued.

And the other thing I have noticed is that it is almost entirely
procedural. It is as we issued a rule on such-and-such a date. There were so
many comments. Doesn’t say what the rule says, and I am guessing that is
not a real report. What a report is about is a small summary of what exactly
the enforcement rule is about, instead of just how it took us — what kind of
procedures we used to get to the final rule.

So that is what I am going to try to work on, but, basically, that is sort
of mostly — I wouldn’t call it wordsmithing, but not really changing the
content or the sort of topics that the report covers, but mostly organization
and trying to beef it up a little with more interesting factual data about what
we really did.

I also — you’ll notice — divided the executive summary and probably
will finish the report that way into department activities, which the committee
is reporting about, and the committee’s own activities, which during the
November meeting actually looked over — and thanks to Gail for her help —
looking over the transcript of that meeting to find out, well, what do we
really say about this report, and there was some discussion about how much you
wanted to just limit it to things that are directly related to HIPAA and how
much you wanted to take the opportunity to talk about other activities that
NCVHS does, such as the NHIN work and things that are not directly HIPAA
related.

And you decided that you would like to take that opportunity briefly, as
long as that didn’t become the center of the report. So that is still in
there.

I think the other thing is, though, that, previously, no one commented on
the points that I was making, in that it looks the same as previous reports.

I literally went to the 2007 report and there’s the same — So maybe
that is our — You know, my office’s issue in drafting, and part of it is
nobody commented on it, so we kind of didn’t notice before, but, now, I am
noticing.

And if you want that to change, I am happy to change it in the way that you
direct me.

So I will say that because the comments mostly came from the Privacy and
Confidentiality subcommittee. That is where the most substantive change was
made in the report, and, if you like, I can actually read out loud what the
sort of paragraph in the Executive Summary says and the two paragraphs in the
Substantive Report say about that.

So let me read from the Executive Summary the paragraph that now describes
the privacy work.

It says, As of October 31, 2006, more than three years after the compliance
date, the number of privacy complaints to the Office for Civil Rights totaled
23,268, and more than three-quarters have been closed.

About two-thirds of the closures are due to lack of jurisdiction,
deficiency in the complaint or because no violation is alleged by the facts of
the complaint.

Over 346 cases were referred to OCR by the Department of Justice for
criminal investigation based solely on facts alleged in those complaints with
no investigation by OCR.

To date, no prosecutions have arisen from these referrals. Neither has OCR
yet brought a civil enforcement action.

OCR attempts to resolve problems that lead to complaints directly with the
covered entities by providing technical assistance to facilitate compliance.

We applaud the focus on improving the protections at the covered-entity
level. Nonetheless, prospective general improvements by a covered entity often
do not satisfy the individual who makes the complaint, nor reassure the public
that the law is being enforced adequately.

Commitment to aggressive enforcement on the part of federal regulators is
necessary to ensure the adoption and success of the Secretary’s Nationwide
Health Information Network Initiative.

I will say that this language comes directly from the June 22nd
privacy letter. So the facts are the facts, and then the part that is more
opinion or recommendations comes directly from the language that this committee
has already —

Does anyone have any comments now on that paragraph?

OK. Let me — I did not mark what page it is on.

OK. And then there are — well, it is like a page. There’s three
paragraphs actually on page 9 and 10 of the draft of the full letter that you
have from that —

Shall I go ahead? Is that all right?

OK. So this is a section on protecting privacy and confidentiality in the
National Health Information Network.

The NCVHS Subcommittee on Privacy and Confidentiality held a number of
hearings in the past year focusing on privacy and confidentiality
considerations in the emerging National Health Information Network.

Based on those hearings, the NCVHS submitted findings and recommendations
to HHS in June 2006. The report, Privacy and Confidentiality in the Nationwide
Health Information Network, is the culmination of five hearings, three
in-person meetings and numerous conference calls between January 2005 and June
2006, an 18-month process of learning and deliberation.

The Subcommittee on Privacy and Confidentiality held three hearings in
Washington, D.C., one in Chicago and one in San Francisco.

At each hearing, witnesses representing different constituencies concerned
about the privacy and confidentiality of health information testified,
including hospitals, providers, payers, medical informatics experts, experts in
health law, ethicists, integrated health systems, regional health information
organizations and consumer and patient advocacy groups.

We also heard testimony from representatives of nationwide health networks
in Australia, Canada and Denmark.

The hearings were followed by a series of conference calls and public
meetings to discuss findings and prepare this report for the committee to
submit to HHS.

The report covers several topics central to the challenges for safeguarding
health privacy in the NHIN environment, the role of individuals in making
decisions about the use of their personal health information, policies for
controlling disclosures across the NHIN, regulatory issues, such as
jurisdiction and enforcement, use of information by non-health-care entities
and establishing and maintaining the public trust that is necessary to ensure
NHIN is a success.

In particular, the subcommittee came to the conclusion that the definition
of covered entity in the current HIPAA privacy rule is outdated, as it was
based on assumptions made in the 1990s that are no longer valid.

The move toward an NHIN stresses the original definitions, because new
business models and new entities not contemplated at the time of HIPAA are
arising, and the concept of a covered entity is inefficient and limiting.

Based on this work, the committee made the following recommendations with
respect to HIPAA.

And, there, I have listed four recommendations that specifically were from
that letter that specifically related to HIPAA. The other ones, I left out.

These are: HHS should work with other federal agencies and the Congress to
ensure that privacy and confidentiality rules apply to all individuals and
entities that create, compile, store, transmit or use personal health
information in any form and in any setting, including employers, insurers,
financial institutions, commercial data providers, application service
providers and schools.

The next one is HHS should explore ways to preserve some degree of state
variation in health privacy law without losing systemic interoperability and
essential protections for privacy and confidentiality.

HHS should harmonize the rules governing the NHIN with the HIPAA privacy
rule, as well as other relevant federal regulations, including those regulating
substance abuse treatment records.

And, then, the fourth is NCVHS endorses strong enforcement of the HIPAA
privacy rule with regard to business associates, and, if necessary, HHS should
amend the rule to increase the responsibility of covered entities to control
the privacy, confidentiality and security practices of business associates.

In presenting this report, the NCVHS acknowledged that the broad contour of
the NHIN is still being determined, and the NCVHS will continue to update and
refine these recommendations as the architecture and functional requirements of
the NHIN advance.

So that is one little section on privacy, and it is the one that is most
substantively changed. We added a bunch of information in there, some of which
is descriptive, and we added the recommendations and so forth.

The rest of the report really — there were some kind of wordsmithing
changes. We added some things for clarity, but, in substance, it is really
quite similar.

I know that there are people who want to get out of here, because of the
weather, but if you have comments now, I’ll be happy to take a note of
them. If you want to look at it overnight and give it to me tomorrow morning —
I don’t know what we are going to be doing tomorrow. So please let me know
how you want to handle this.

I have to say that I don’t think the report, in my view, is ready to
be voted on tomorrow —

DR. COHN: Yes. Well, let me tell you what my thoughts were. I’ll ask
the committee for their perspective on this one.

None of you have seen this before, and, Maya, I appreciate you reading the
pertinent sections, but I do think people need an opportunity at least to look
at it.

Now, if the committee actually — if the meeting occurs tomorrow, and
we’ll obviously have a meeting if government is open at its regular time,
but I think, given that we would have a 12 noon adjournment anyway, if we start
here about 11 o’clock, start to the government, or even a 10 o’clock
start, I’d say that, at that point, you probably ought to just — you know
— this would be the end of the meeting, and other activities can occur as they
might.

But if, indeed, the meeting occurs tomorrow, you can all read this tonight,
bring your thoughts in.

My own view is is that if this were to be passed, it would be passed in the
sense of being referred to the Executive Committee — the Executive
Subcommittee to further work it, refine the content and all that, but with no
new conclusions or additional content than what you are seeing, and so that
would be certainly one option, and so —

MS. BERNSTEIN: Can I just add one other thing, which I forgot to mention,
which is —

DR. COHN: Sure.

MS. BERNSTEIN: Since you are talking about the conclusions. The conclusion
paragraph is also exactly the same as last year.

DR. COHN: OK. But —

MS. BERNSTEIN: So if you, Simon, or the committee wants to actually make —
suggest some actual conclusions, that would be good.

DR. COHN: You know, I think we need to be careful — We had talked about
this at the last meeting about starting to go far beyond where any of our
testimony, letters or deliberations, which occurred last year. Because there
are some additional things I would like to put in here, but they are my good
ideas generally. And I would suggest if you have additions for the cover
letter, which is where we can go a little further, that is fine.

But, once again, I think what I am saying is we have an option tomorrow, if
we meet, to basically adopt this, refer it to the Executive — or not adopt
this, but basically refer it to the Executive Subcommittee to complete and get
out.

If we don’t have a meeting tomorrow, then I am going to suggest that
what we need to do is, within the next several weeks, is to put together a
conference call of the full committee to consider this as well as any other
items and get this dealt with at that point.

So I think those are sort of the two outcomes, unless others have other
ideas.

Marc.

DR. OVERHAGE: Being ignorant, I can ask these things.

DR. COHN: Please.

MS. GREENBERG: Talk into the microphone.

DR. OVERHAGE: Thank you.

DR. COHN: You can only ask things if you get to the microphone.

DR. OVERHAGE: I can do that.

You made the comment —

MS. BERNSTEIN: (Off mike). Stupidity.

DR. OVERHAGE: — feels very mechanistic —

MS. BERNSTEIN: Yes.

DR. OVERHAGE: — and it does, and, I mean, it seems to me, if I were a
member of Congress, the question that I’d want to know the answer to is
did we achieve any of the aims that we wrote this legislation to achieve, and
this framework doesn’t really lend itself to that.

And I heard your comment about we can’t go beyond what we heard, but,
on the other hand, it seems to me that there’s a level of synthesis of
what we have heard that might speak to that.

And being a newbee, I can ask stupid questions, and being old me, I still
ask stupid questions.

DR. COHN: No, no. Let me address it — you know, in the cover letter, I
made a couple of additions talking about moving from implementation to
optimization.

And, at least from my view, and based on some work I had to do last year
really trying to synthesize what has happened over the last couple of years, I
am actually personally becoming convinced that we are actually — that that
transition is beginning to take place — things like WEEDIE(?), CAQH, other
things really taking the basic substrate and turning them into business
opportunities, hoping to really improve administrative simplification.

Now, unfortunately, I don’t think we ever got to that level of putting
it together at the full committee level, and so that is why I put it in the
front cover letter, but didn’t try to stick it into the body of the text,
even though that would have been my preference, and probably would have
addressed your concerns a little more.

Now, Maya, you had a comment, and, Marjorie, you have a comment.

MS. BERNSTEIN: Yes. I should have mentioned, Simon did make a substantive
change sort of in the middle of the third paragraph of the cover letter, as he
said, talking about the move from implementation toward optimization of — That
is all I had to say.

Marjorie.

MS. GREENBERG: Obviously, I haven’t had a chance to read this yet, but
I think a rather significant part of the report does deal with the
lessons-learned section from the letter that was done by the committee. So, in
that sense, Marc, I think there is — there was an effort by the committee,
held hearings on return on investment and all of that, and did synthesize that
in this lessons-learned letter that has already been sent, but is included in
here.

I would say there is one really new thing about this report. This is the
seventh annual or something? For the very first time, the cover letter says,
Dear Madam Speaker.

MS. BERNSTEIN: The one that I got handed, actually, last week still had
Hastert’s name on it. I thought, Hum. That is not a good sign, because we
haven’t looked at it in a while. So —

MS. GREENBERG: I will say, too, that —

PARTICIPANT: — November.

MS. GREENBERG: — if we have a conference call —

MS. BERNSTEIN: — early November. It hadn’t happened yet.

MS. GREENBERG: If we end up voting on this in a conference call, it will be
an open conference call, open to the public.

DR. COHN: Sure.

DR. TANG: Can we send out a copy to the hinterland, please?

MS. BERNSTEIN: Absolutely. I will, this evening, electronically send it to
everyone.

Is that Paul?

PARTICIPANT: Yes.

DR. COHN: It is Paul.

DR. TANG: Correct.

MR. BLAIR: It is Paul in the hinterland.

MS. GREENBERG: And Carol and Don are not here —

MS. BERNSTEIN: I’ll just send it, or have your office, Marjorie, send
it to the full committee, so they have an electronic copy. That might be more
useful to them, because we don’t know what is going to happen tomorrow.

MS. GREENBERG: Okay.

MS. BERNSTEIN: So just everyone will have it.

DR. COHN: Yes, I actually just wanted to also further go back to
Marc’s comments, because I think he actually did a great job of, I think,
bringing up, I think, one of the essential issue that we were, I think, all
trying to get our arms around, which it would be nice, given that this is the
10th anniversary of HIPAA, to do something that was a little more
thoughtful, I think, as Marc, has described.

If we have some more time, we can certainly do that, because there may
actually be some external data that really does help us begin to put some of
the pieces together, some of which may not be from testimony.

But, once again, I mean, if we agree to the broad themes, and I think that
a reasonable question, I think, Marc is asking is, Geez, it his moving us
towards administrative simplification, and is that providing some value to the
industry, I think is what you are asking, right?

DR. OVERHAGE: Better said, yes.

DR. COHN: And if we all think that that is a reasonable piece, if there is
some data that we can put together, that would, I think, be a useful part of
this thing, but not to be done between today and tomorrow.

Yes.

MS. BERNSTEIN: Right, and, actually, let me ask the question: It occurs to
me that the requirement for this report is only to report on HIPAA, and we
could confine ourselves just to that for this report in order to get it out and
meet that requirement.

And I am not sure, but I don’t think there — you know, let me ask. Is
there any reason why the committee couldn’t separate the 10-year kind of
lessons learned or 10-year overview that you wanted or retrospective that you
want to do on HIPAA into some other document?

You can generate a document, I think, whenever you want to, if the
committee agrees, and you could have more time to develop something like that.

I mean, let me — is there any reason why we couldn’t do something
like that, if you really wanted to spend more time and make it say something
different?

What I am asking is do we have to use this report as the vehicle? Can we do
a separate document on that —

DR. TANG: I think we can actually accomplish what Marc is proposing in the
scope of this document.

For example, I do like what you wrote about privacy, because, in a sense, I
thought it was forward looking. It referred, in a backward way, to say, Well,
what were conditions back in 1996, this isn’t true in 2007, and here are
some four things you can act on going forward to protect Americans’ health
information going forward in the next 10 years.

And I think there are other similar comments in some of the other areas,
whether it is security, as we just heard earlier this morning, or the
streamlined way we had to deal with data standards.

So there’s a lot of ways that we can use this letter to talk about
some of what we did in the past 10 years, but also how the world has changed
and what needs to be done in the next five even.

So I think it is a great springboard, and Marc’s idea is a good — a
good perspective to take with this, and, as I say, as an example, I think we
did that with privacy.

DR. COHN: Yes.

John Paul.

MR. HOUSTON: In terms of protocol, this is our opportunity — I mean, in
the sense that there is an obligation for us to issue this report, really, and
it is issued directly to Congress — correct? — that this is really the one
time that we have sort of the statutory right and obligation to make this
report.

Otherwise, isn’t it really more protocol for any other types of
reports to go to the Secretary?

So this is the one time that we can decide what subjects are related to
HIPAA — one opportunity to put those into a document and have them go to
somebody other than the Secretary.

I think they need to be reasonably related to HIPAA. Then we can decide how
narrowly or broadly we want to add to the document, but I think, otherwise, I
think if we really wanted to do some other type of document, we need to send it
to the Secretary for first consideration.

MS. GREENBERG: Well, and we will be doing an biannual report, which we do
on the entire committee.

MS. BERNSTEIN: And to whom is that sent, that report? I am just —

MS. GREENBERG: That goes to the Secretary, though sometimes we send copies
around.

MS. BERNSTEIN: Does the charter — I am just asking, because I don’t
know — the charter of this group say that it advises only the Secretary or the
Secretary and the Congress?

MS. GREENBERG: No, not the Congress —

DR. COHN: Yes.

MR. SCANLON: But the statute —

MS. BERNSTEIN: The statue gives us —

MR. HOUSTON: But that is the opportunity for us to — so —

DR. COHN: Yes.

MS. BERNSTEIN: The obligation there is to report on HIPAA, not all the
other activities.

MR. HOUSTON: And I agree with it, but my point is is we — if we want to be
a little expansive in looking at HIPAA and issues with re HIPAA and
applicability and how it might be — need to be amended to address some of
these other current topics and issues and technologies and whatever else, and I
think that is reasonably within our right to add it to this report, but, again,
I think it is this report that is a vehicle —

MR. SCANLON: And some of it does. The 10-year look-back, I think, actually
identifies areas that need another look as well as privacy and —

But, presumably, all of the content here has already been sent to the
Secretary, for example.

MS. BERNSTEIN: Right. I mean, I appreciate that, Jim, because that is the
caution I would want to make is that the report traditionally has been a report
on activities that have already happened, and, to the extent that you want to
look forward, there is a risk that you would be getting into areas where the
committee has not acted and has not, as a committee, formed an opinion.

So that is just a little bit of a dangerous edge there.

DR. COHN: Yes.

Jeff, and then we need to wrap up.

MR. BLAIR: OK. I suspect that this would broaden the scope beyond what we
are capable of doing. So I’ll mention it just in case it is possible.

Obviously, we have to do this report in terms of HIPAA.

The scope of the NCVHS has expanded far beyond that, and a lot of the
things that we have done that I think that are most compelling and help the
nation the most have gone beyond that, including the recommendations for the
National Health Information Infrastructure, the follow-on work we have done
with the National Health Information Network, responding to Congress’
directive for e-prescribing, the work that we are about to go into, maybe, with
secondaries of data, for lack of a better phrase, the populations work, the
quality work, the privacy work.

So my question is is there any ability for us to say, OK. Congress has
asked us to produce this letter. However, essentially, the scope of NCVHS has
— we have built off of the platform that Congress has given us with HIPAA. We
have expanded the committee. We have gone ahead and done what HIPAA specified,
but we have begun to go far beyond that, and, somehow, this document would wind
up listing the greater role of NCVHS than for Congress to just perceive us as
the executor of HIPAA standards.

DR. STEINDEL: Jeff, I’d like to interject a comment. I think the
latest figure is what, Marjorie? Fifty-seven years old is what this committee
is?

MS. GREENBERG: 1949, going on 58.

DR. STEINDEL: Fifty-eight, and 10 of those years were HIPAA.

I think there’s a lot of history behind that and a lot of what we are
doing today actually relate back to some of those early charges as well.

MS. GREENBERG: Thank you. I didn’t even pay you to say that.

(Several participants at once).

MS. GREENBERG: But we do have to close.

MR. SCANLON: Yes, let’s close.

No, the other thing is we have been including other activities beyond
HIPAA, Jeff, actually for the past three or four reports, as long as it is
somehow related, in terms of NHII or e-prescribing standards and so on. So we
sort of took it where it was a natural path.

I don’t think we want this to be a report on committee activities —

DR. COHN: Yes, I think it is a delicate —

MS. BERNSTEIN: We could also just clearly label those.

DR. COHN: Yes, I think it is a delicate balance.

Now, Kevin has a question or a comment, and then I do need to wrap up,
because Marjorie tells me we do need to —

DR. VIGILANTE: Right. And this is just about — if there is a tomorrow.

So the Population Subcommittee has a scheduled hearing from 1:30 to 5:30
with a lot of external guests coming in to testify on the data needs for surge
capacity.

So if the — say we start late — assuming if the government is closed,
that is off. If we start late tomorrow, is the whole schedule going to be
pushed back, and, therefore, ending our committee meeting or could we still
hold that meeting?

DR. COHN: Let’s get this settled before we leave, but let’s
finish up this thing for just a minute here, which is, Maya, you’ve gotten
some input. We will obviously work with you on it. As I said, there are two
outcomes. Either tomorrow we talk about it again, and, hopefully, we’ll
get a chance to review it tonight, regardless, and provide input even if we
don’t see each other.

If we don’t meet tomorrow as a full committee, then what’ll
happen is that we’ll do a conference call, and, hopefully, look at a more
refined version that has all of this together.

So, Maya, is that helpful for you?

MS. BERNSTEIN: Yes. My only concern is that having just handed this out in
paper form today that may disadvantage some members of the committee who
won’t be able to review it tonight, have other obligations, or, for
whatever reason, can’t review tonight, and won’t be able to get back
to me by tomorrow.

I don’t want to push people into — you know —

— because of my failing —

DR. COHN: If we act on it tomorrow, it would be being referred to the
Executive Committee, okay?

MS. BERNSTEIN: I appreciate that.

DR. COHN: Now, Okay. So that is one outcome of this thing.

Now, Kevin is asking the larger question of what do we do tomorrow?

Now, first of all, if this building is open, if Washington is functioning,
which I think we have every reason to expect that by noon tomorrow, if we keep
our fingers crossed, that things will be functioning.

My understanding is is that the hearing will go on as planned. I mean, we
aren’t pushing back this meeting and then going to start at three
o’clock and go to seven or eight tomorrow night for that hearing. I mean,
we are very respectful of the fact that you have gone to a lot of effort to try
to schedule that.

So, as I said, the only reason that won’t happen is that there is such
a storm tonight that they actually close the offices all day tomorrow.

So let’s talk about tomorrow morning.

Now, we can handle tomorrow morning a couple of different ways, and I have
said a couple of different things just in the course of the last hour and a
half.

Now, obviously, if the buildings are open tomorrow morning, we just
continue on, and we start at eight o’clock in the morning with —

PARTICIPANT: Quality Workgroup and Privacy.

DR. COHN: With Privacy and Quality Workgroup, and then we go to a full
meeting at nine o’clock.

Now, it is very clear to me that if the buildings are closed to 11, that it
doesn’t make sense for us to convene and we ought to just cancel the
meetings.

Now, the only thing that I need some advice on is is that —

PARTICIPANT: Excuse me, Simon. Cancel everything?

DR. COHN: No, no. Just —

MS. BERNSTEIN(?): Just the morning meeting, full committee.

PARTICIPANT: The morning meeting.

DR. COHN: Yes. I mean, if the buildings are closed to 11, the full
committee is cancelled, right?

MS. BERNSTEIN: They will usually give us like a two-hour delay, but
whenever your work schedule is — right?

MR. SCANLON: It’ll be referred to, most likely, unless it is closed
completely as a late opening.

MS. BERNSTEIN: A late opening.

MR. SCANLON: Whether it is — for some folks, that’ll be nine. For
some folks, that’ll be 10.

MS. BERNSTEIN: If your usual work hours are seven to four, then your start
time is nine. They stagger the commute times, Simon, so that people aren’t
all commuting at the same —

MS. GREENBERG: Well, I think the question is since — I know I was talking
to Justine at lunch that the majority of her subcommittee members or workgroup
members were going to be on the phone, in any event.

DR. CARR: I have a new one.

MS. GREENBERG: So if we have a call-in number, can they have that call by
phone?

DR. CARR: Sure. We have a call-in number.

MS. GREENBERG: We have a call-in number, right?

DR. CARR: Yes.

MS. GREENBERG: It doesn’t require someone to — or maybe it does
require someone to initiate it, but you can give me the information or
something. You don’t have to make the call from this building, right? Just
a leader code. Yes.

So maybe, if you want to just say the quality group is going to meet at
eight o’clock by phone.

MS. MC CALL(?): Is there a dial-in number already for that? I didn’t
see it on the agenda. I may have missed it.

DR. CARR: There is a dial-in number, yes. We might want to repeat it.

MS. GREENBERG: Is there a dial-in number?

I mean, do you want to go ahead with that, as a call?

DR. CARR: Sure.

MS. GREENBERG: Since it was going to be a call anyway, probably, mostly.

DR. CARR: Yes, I would like to.

MS. GREENBERG: I’ll call in.

MR. BLAIR: That number is —

DR. CARR: All right.

PARTICIPANT: The number is —

MS. GREENBERG: OK. So here is the number for Populations and Quality —
well, populations will not be meeting this afternoon, but this is for tomorrow
morning, if the building is not open.

If we are opening at regular time, we’ll just come down here, but if
there is a delayed opening or the building is closed or the federal government
is closed, if you want to have the call, you can at 866-810-6849, and the
participant code — that is for everybody, right? — is 953-3543.

And then I’ll just have to get the leader code.

DR. COHN: And that is for the Quality Workgroup.

MS. GREENBERG: That is for the Quality Workgroup.

DR. COHN: Yes. Now, for the full committee, if everything opens up, we are
here, we start at nine o’clock, as previously specified.

If it is a delayed opening — and I have obviously been informed by Jim and
Marjorie about what delayed openings mean — I’d say we start at 10
o’clock, and we’ll go for two hours and then adjourn. OK?

But, obviously, if it is anything beyond that, then we are just cancelling
the meeting — cancelling the full committee meeting tomorrow. Okay?

Is everybody clear about that? Does everybody —

DR. STEUERLE: Could I suggest —

DR. COHN: Gene, please.

DR. STEUERLE: For the afternoon meeting, I think you’ve got an
additional problem — people who will be traveling in need to know — they
can’t be told —

DR. VIGILANTE: We don’t have too many of those. We only have two,
maybe three from CDC, but —

DR. STEUERLE: Can someone call them —

DR. VIGILANTE: We are going to have a contingency plan. We are going to
send an email tonight, keep everybody posted, and then follow up in the
morning.

Hopefully, they will begin their travels in the morning.

MS. BERNSTEIN: OPM will make that announcement quite early in the morning,
generally —

MS. MC CALL(?): Well, how will this entire group know what the status is?
What is the best way to find out?

MS. BERNSTEIN: OPM’s website? Radio?

MR. HOUSTON: There is a website you can go to, and the website is, again
OPM.gov —

PARTICIPANT: (Off mike).

DR. TANG: Actually, we couldn’t hear on the phone.

PARTICIPANT: If you just go to OPM.gov —

PARTICIPANT: OPM.gov.

MR. HOUSTON: www.OPM.gov

PARTICIPANT: That’s good enough. You can navigate —

MR. HOUSTON: Actually, if you go to status, it is even easier. So
OPM.gov/status, and, from there, you would select — there is something that
talks about whether the government is open. It is under O in the index.

DR. COHN: Yes. Or for those of you who maybe are — like to use the
telephone, you can actually call the NCHS number, which is 1-888-NCHS-TEL.

MS. GREENBERG: I may have given you the wrong participant number. Got two
different numbers here. I’m sorry. Did I give you the 160-5430 for
quality?

PARTICIPANT: No.

MS. GREENBERG: That’s what I was afraid of. That is — the quality is
the 866-809-2782. I think I gave you —

(Several participants at once).

MS. GREENBERG: All right. I gave you the NHII.

MR. BLAIR: Start at the beginning.

MS. GREENBERG: I am completely confused now. No, what I gave you is
correct.

PARTICIPANT: You — say it one more time, just —

MS. GREENBERG: Yes. Right. I gave you the right — It starts with 866 and
it is 953-3543. Yes, I gave you the right one.

DR. CARR(?): That is the participant code for the call-in number?

PARTICIPANT: Yes.

MS. GREENBERG: Everything I gave you was correct. There are two different
numbers here, and it is a little confusing, but that is correct for the
quality. I just need to get the leader code.

And I think we are just cancelling out on the restaurant.

DR. TANG: So, Simon, are you going to cover the other workgroups or are we
having similar calls or what is going on there?

DR. COHN: No, we are cancelling the other workgroups.

MS. GREENBERG: The only working session that will be held by phone, if not
held in person, is this quality one.

DR. COHN: Yes.

DR. TANG: OK.

DR. COHN: Yes. The other workgroups will handle various conference calls to
deal with the work that they would have done face to face.

OK. Well, with that, is everybody reasonably clear about what the plan is?

MS. GREENBERG: Dinner is cancelled.

DR. COHN: And those who deal with the cancelled dinner can talk among
themselves and see if they still want to go out for dinner later on.

Anyway, with that, our meeting is adjourned. Thank you very much.

(Whereupon, the meeting adjourned at 2:44 p.m.)