[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

Subcommittee on Privacy, Confidentiality, and Security

February 20, 2014

Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20024

Proceedings by:
CASET Associates, Ltd.
caset@caset.net

P R O C E E D I N G S

DR. FRANCIS: Hi, everybody on behalf of Linda Kloss and myself, this is Leslie Francis, and we’re going to get the Privacy, Confidentiality, and Security subcommittee meeting going. Our agenda starts with 20 minutes of discussion of our section of the HIPAA report. We’re actually going to truncate that, and Maya is going to give us just– since we had some discussion earlier of what goes into the HIPAA report more generally, Maya is just going to tell you, give you a brief overview of what’s in the draft, and then we’ll make sure that it’s up on the SharePoint for anybody who wants to make any substantive, “what did we leave out on the privacy front” kinds of comments. The real meat of this discussion is going to be what we are learning about stewardship. We only have I believe an hour for all of that. Let’s get going very quickly on the HIPAA report.

MS. BERNSTEIN: Thanks everyone. I’m just going to give you an overview of the sections of the report. The sense of the committee was to talk about the major accomplishments that have happened in the reporting period for the report, which is calendar year 2012 and 2013. Of course the major accomplishment for OCR is the omnibus privacy rule. We’ve talked about that before, that there are– it basically comprises four rules, modifying the privacy, security, enforcement, and breach notification rules under the HITECH Act and then implementing the privacy rule– changes to the privacy rule arising from GINA, the Genetic Information Nondiscrimination Act. In the report we described those changes.

Then we talk about the upcoming rules that have not yet been acted on. That includes in particular the accounting for disclosures rule making and the recommendations of the tiger team on which a couple of you guys sit, which is part of Paul’s committee, for lack of a– and describe what happened, what their recommendations were, and so forth. Then I’ll just make mention that there are two other changes from the HITECH Act to limited data sets, and the sharing of civil monetary penalties, which OCR has not acted on yet.

Then we talk a lot about the similar things that Rachel talked to you about this morning, all the outreach that has happened to regulated communities and consumers, the nice things that have been happening– talking from the committee’s point of view– the nice things that have been happening on the website, the example notices, and the YouTube videos. Maybe Rachel saw me have a little laugh with Susan earlier today when she said– she picked out her favorite one, and I went to Susan to say, “Really, her favorite one? It wasn’t all my children, all my favorites?” Anyway, the nice work that they’ve been doing on outreach, and I described each of the topics that OCR has been working on there.

Then there are a few instances of other guidance of various kinds that I think Rachel mentioned this morning as well on their education initiative and so forth. There’s then the section on enforcement. I think Rachel mentioned that there are two reports that they’re coming out, and I expect that there will be more detailed information about the numbers, how many cases and that kind of thing on enforcement, how many resolved, how many not resolved, and which resulted in corrective action and so forth, which we will plug into this report when they’re ready, because it looks like the timing will be that those reports– they’re in clearance so who knows? It appears that those reports will come out before the committee’s report.

Then there is a discussion of the major cases, a description of the major cases and what the actions were. These things were mostly public on the website. We are not reporting on anything that’s a secret. Let’s see if that’s it. I think the other thing to say is that in accordance with the committee’s wishes, the tone of this section is very encouraging, hopeful, and optimistic about the work that OCR has been doing, the improvements that it has made to enforcement, the outreach and so forth, that that’s a good thing. It is a very positive section of the report. That meets with what I understand as the committee’s intention and direction for this section.

DR. FRANCIS: So if there is anything you think that we need to pay attention to when it goes up on the committee SharePoint that isn’t in there, I would just add to what Maya said that this is aimed to be dropped in, and that section six that we were talking about earlier during the standards discussion will be the final section. The goal of this section is to be informational about the encouraging developments.

MS. BERNSTEIN: Does anyone have questions, comments, or concerns?

DR. FRANCIS: So our next agenda item here is a status report on what’s been going on so far and what the subcommittee might be planning to do with respect to following up on community health data stewardship questions. I want to start by taking this opportunity to introduce a new name to folks around the table. On the phone we have Maureen Henry, who Debbie very helpfully worked out a contract for us with Maureen. Maureen got a JD from Boalt, the University of California at Berkeley law school. She’s been the executive director of Utah’s commission on aging, and last year she was a health and aging policy fellow working in the office of Senator John Warner in Virginia– right Maureen? She’s now back in Utah, actually finishing her doctoral dissertation in nursing as well as doing various kinds of consulting things.

We’re extremely fortunate to have had Maureen helping us with the environmental scan and preliminary analysis that’s on these slides. Maureen– well, we could never have gotten as far as we are now in terms of progress report– Maureen has spent a lot of time on this. Although it is long distance, perhaps the most efficient thing might be instead of me talking Maureen to have you talk us through some of these slides if that would work for you? Or is that going to be a mess long distance?

MS. BERNSTEIN: Maureen, I am sitting in front of the slides, and I can turn them as you tell me. I’m sitting at the slide that says Number 2: Stewardship Progress Report Environmental Scan.

DR. FRANCIS: Are you there? Maybe, I will start going through them and Maureen, if I get anything wrong, please chime in, okay? So what we asked Maureen to do was to identify– something must have gone wrong with her phone. We asked Maureen to do an environmental scan with respect to the kinds of issues that needed to be addressed, what sorts of protections communities had in place, and what is going on with respect to what we’ve done already.

Maureen has worked to– she began by revisiting the next steps that our prior stewardship work had discussed. The next slide is just a reminder of the bullet points in the letter of last December, and what we were intending to do, which was begin to work on developing dynamic guidance resources that compiled best practices for experts, communities, and other data users to learn more about stewardship.

Those were to include, and this is again a summary from our earlier letter, how-to examples and case studies; discussion of the risks of disclosure in data reporting, for example aggregation, small groups; to look at data use agreements and how they might be used and their enforcement; to look at what some of the transparency and openness methods are out there, and to look at what’s been being done with respect to community engagement; and closing the loop with communities. Maureen, are you on the line there?

MS. HENRY: Yes I am. I’m sorry the hang up button was right next to the mute.

DR. FRANCIS: So I had suggested that if it would work reasonably for you to take us through the next set of slides with respect to what you did and what you found out. Would that work?

MS. HENRY: I’m happy to if you can hear okay.

MS. BERNSTEIN: We can hear you. Maureen, this is Maya. I’m now looking at the slide that says environmental scan de-identification.

DR. HORLICK: This is Gail Horlick. I just wanted to tell you I’m on the line.

DR. FRANCIS: Linda Kloss is on the line as well. So Maureen, would you like to get started on what we’ve done and how you summarized it here?

MS. HENRY: That sounds great. I was asked to do an environmental scan to follow up on some of the people who testified at several different hearings and whose experiences with using health data at the community level and the notion of stewardship in that context to see whether there had been any changes in the concept of privacy as they were addressing it. One of the things that I saw in both the environmental scan that Susan Kanaan had done as well as some of the hearings was that not all of the folks who testified at those hearings– not that they weren’t paying attention to privacy, but that it wasn’t a major focus necessarily.

What I found in reconnecting with many of those individuals was that de-identification continues to be a major approach to privacy in this context, that the safe harbor for identification under HIPAA provides protection as well as some of the state public health laws, that it is, along with aggregation, seems to be the primary means of privacy protection when communities use health data. Some examples of that I found were in the context of community commons as well as the Chicago health outlets.

Some of the risks of de-identification that remain is that it may never protect privacy. Again, this was mentioned at past hearings, that it isn’t a fail-safe, and especially increasingly with the rise of big data and the combination of privacy issues arising where de-identified individual data is being linked to publicly available data. At the community level I did not find many examples where de-identified data is being backed up by data use agreements that would prohibit re-identification attempts, although I know that this has presented a lot of state level public health agencies, and one of the other things, like Paula said, the provider’s privacy, especially things like quality reporting, sometimes are more prevalent in data use agreements where they exist than individual privacy concerns.

Some of the risks, there have been a couple of recent examples that have been pretty public. One of those is the AOL CEO’s disclosure of the two babies that were born that caused substantial impact on the cost of healthcare for the company. There has been some discussion around the privacy issue as raised by his public disclosure as well as the sale of state hospital data by Washington State that a researcher then connected back to the individual whose de-identified data was pulled and by looking at publicly available sources she was able to re-identify a number of people. That was published in Bloomberg News.

Going back to the outline of what a committee recommended in past letters to the secretary, there was a question about how-to examples and case studies about de-identified data. The recommendations between that and what I learned in the environmental scan was to provide some plain language information to community-level users of data, for example, a plain language description of what HIPAA de-identification is, some of the CDC requirements, the HCUP data set is one that several of the people I talked to referred me to, also what state health department laws and regulations said about de-identification and how they’re approaching de-identification, some of which are present in a recent report that was published.

DR. FRANCIS: I am going to just break in here to say there was discussion this morning about some work that’s going to be done at HHS involving some of the risks with respect to de-identification. We might add to that list some plain language thinking about how to talk– how to alert communities to what some of those risks are.

I think maybe an underlying theme of what you found out here is that communities need a lot more plain language explanations across the board on all of these. Maybe we should stop here for a minute and ask where we think committee, subcommittee next steps should be on the de-identification front. Should it be working with what HHS is doing and in particular emphasizing the importance of plain language explanations on all of these fronts, subcommittee folks?

MS. MILAM: I think the idea of plain language should be helpful to communities and to the state and public health organizations, but I think we have to figure it out first. I know we’re still challenged with, and I’m talking in the non-HIPAA environment, what disclosure limitation techniques to use and how to determine if they’re efficient. Do you need to look at other publicly available data sets? Do you need to look at your own features, your own geographies, what’s going on with your demography? How do you do that with the level of staff that you typically find in government organizations below the federal level and in communities? I think we need some easy to follow– we need to figure it out for those people and then put it in plain language.

MR. WALKER: What do we mean by “plain language”? Do we have a definition?

MS. MILAM: Maureen, did you pick up anything from the people you talked with? I know you talked to a lot of people.

MS. HENRY: What I heard was that what people see about things like HIPAA is very complex. I think by plain language I’m using it in not in any technical sense but in a practical sense of something that a community group could take and understand and apply at some level, not legal language but somewhat– relatively easy to understand concepts.

MR. WALKER: I would propose that as a contribution to the nation’s understanding of information and communication that we define it and something along the lines of language that’s understandable by 85 percent of the target population, and understanding that we’re not always going to have the money to measure that, at least it ought to have some kind of notional targets so that we at least we know what we’re talking about if someone did give us money to test it.

MS. BERNSTEIN: So I think there is actually a standard, at least that the department uses. My understanding, and I could be wrong about this, but the videos and other materials that Rachel subscribed to are shooting at an eighth grade reading level.

MR. WALKER: The specific reason I suggested what I suggested was that we have different target audiences. Surely, if it’s a lay audience, a population of patients for healthcare consumers or citizens, something like sixth or eighth grade, but it might be for these other groups that would make– if you’re trying to communicate anything at a professional level that becomes untenable, and besides, it would be irrelevant. What I’m saying is if 85 percent of the target population understands it and it is 13th grade reading level, hallelujah.

MS. BERNSTEIN: So there are also plain language, and I don’t know if they use the same standards, but the federal government also has plain language rules and– the president years ago had an executive order on regulatory language. We’re a regulated audience. We’re a professional audience, there are models we could look at is all I’m saying. It’s a great idea.

DR. COHEN: Maureen, I was very interested in getting more feedback in your conversations with community groups. I think one of the huge benefits we could make is increasing awareness of the importance of explicit stewardship practices with regard to data that communities hold, or as communities get into collecting data more this needs to be part of the culture of what they’re doing. Any thoughts or comments?

MS. HENRY: That was very much part of the discussion. It was part of what we set out to look at in that providing the framework– the frameworks that are out there cover some of the ground but maybe not all of the ground. A combination of a framework with specific elements but then backed up by a little bit of education, for example, about how you communicate a use agreement to back up de-identification that those are some of the– that it was both an explicit stewardship framework, but it was also education behind the stewardship framework, that it seems to be a desire. Some of that was expressed as what’s needed at the community level for communities using other data sources as well as collecting their own, but it was also expressed by public health officials at the county and state levels as well, that this could be very helpful not only to community groups but also to public health officials.

DR. STEAD: I think the reality is that with many of the things we’re talking about doing, as you point back to the conversation we had with the Data Work Group, this problem is getting exponentially harder. I think we need to be thinking more what are recipes that can be applied in this situation that work. I think if we don’t– it doesn’t necessarily get to be something we can automate, but if we don’t at least get it to a recipe, I think we have very little hope of effective uptake.

DR. TANG: It’s very much like Bill’s comment. I don’t know that turning a complex subject that’s even hard for very sophisticated users– I’m not sure it’s possible to turn it to plain language. I don’t even think that’s necessarily the goal. Raising the awareness is a goal, and that can be accomplished through common language, but I don’t think explaining this problem in common language — whatever the term you used.

I would go with Bill in the sense that I would almost go back to the checklist. We talked about consumer checklists so we can help educate consumers on what questions he would be concerned about or check your own concern level, and then what to ask.

The same thing here, it’s almost like a toolkit, as they were talking about at CMS, for how do I even know whether I have a problem. Well, you almost plug in the numbers. What’s your population, what population do you think this covers, you get the 4,000 point, and then it gives you an answer of here are the things that you should be concerned about.

Here are some ways you can mitigate that to some extent, but this is the only level that you’re going to be able to mitigate that, and here are the expert resources that you can– it really walked you through– and then get you right to the resource.

Sometimes it can be calculated to give you an answer and say, we can’t do this on 100 people. There’s no way you can de-identify that. Let’s not even take that project on. Or here are the resources, here’s a phone number, et cetera. I think that’s the value not turning something that’s impossibly complex into quote, plain language.

DR. FRANCIS: The three other areas that Maureen picked up on primarily were when she talked to people, were data aggregation, the data use agreements, and community engagement as aspects of stewardship that this committee could be very helpful in developing. We were just talking about de-identified. So, I’m a little worried about time. I was trying–

MS. HENRY: I would suggest we read the rest of the report, and then we would really benefit about everyone’s thought about what to do next because you’ll recall we did the joint hearing and came away from that with the recommendation that case studies would be useful. So environmental scanners are showing us that they’re in short supply. This discussion about framework, recipes is very helpful. That’s exactly what we’re trying to get to. Perhaps if we hear the other three areas, and then circle back to this, that would be great.

DR. TANG: A lot of this stuff we’ve covered, even in this discussion before, so do we need to hear that again, the environmental scan and the understanding of the problem, or should we get general principles like we’re talking about? Where’s the direction of recommendations?

DR. FRANCIS: I think it might be helpful– data aggregation we had some discussion of this morning. It might be helpful because I think it’s quite new to look at the data use agreement and community engagement sections. Could we pick up there?

MS. HENRY: Sure. So I am going back to slide 17– I’m sorry that’s not an aggregation. Slide 19 is data use agreements. Again, in talking to various people both at community and health department levels, there was discussion of data use agreements.

I found very few examples of data use agreements being used at the local level, whether by– I think virtually none within community level users that I talked to. With shared data sets, the sensitivity seems to be much more to the provider side and the providers not wanting information about their practices going out publicly. It was interesting that’s the area that’s been the focus, not on personal privacy.

I think there is wide agreement that data use agreements could be an effective back stop to the challenges of re-identification, in particular, and that one of the benefits of data use agreements that you can get to a level of granularity that you may lose when you start to de-identify or aggregate data if you have some kind of an enforceable mechanism.

The downside is that enforcement can be difficult and costly and that the theme I got from my scan was very similar to the recent hearings, which is that there is very little monitoring or follow up after data is shared and that there is not standardized language that’s used across data use agreements. That was one of the concerns.

I have been collecting examples, and one of the recommendations that we’ll put on the table is that we pull out of those examples some of the elements that if a community is looking at using data use agreements, that they make sure that they cover these specific elements.

But I think the larger message from the data use agreements is that they’re just not even on the radar of most of the community level users that I talked to and that the benefit here may be, as someone mentioned a toolkit, that would explain to community organizations why you would want to use data use agreements and how they can help to add an additional level of protection beyond aggregation in re-identification.

The last piece is the community engagement. This is really an interesting one in that it seems like it’s engaging communities in advance of the collection or repurposing, it’s not quite a panacea, but almost. It seems to avoid downstream problems like the ones that I know have been talked about in hearings before, the Havasupai settlement as well as the destruction of blood spots in Texas.

It seems like it can also improve the quality of data collected when you have communities participating in identifying what the objective is then you can more effectively collect the data that answers the questions, and sometimes those questions are different from the community’s perspective versus the public health or research perspective.

A community engagement can help improve access to study participants. The PatientsLikeMe database is an example, and can improve design of data sets as well. One of the things that I heard several times in a lot of different settings is that there really isn’t the same concern about privacy in some of these community level data collection efforts that they say well, yeah, we know that it can be an issue, but people aren’t concerned.

Some examples that I heard about there, and I’m skipping down a couple of slides, that small ethnic communities find it more important to understand the true needs and to be asked about the issues than to not be asked at all. That’s the engagement upfront.

Another was privacy hasn’t been an immense issue. We try to keep data anonymous and confidential, but individuals are willing to forego privacy when they feel like it has the effect of educating others and promoting awareness. That was an interesting theme that came out, that was community engagement really does seem to change the way people view the privacy concerns. The recommendation here was to find and describe some of the effective models of community engagement and potentially use that. Again put that into something like a toolkit, although anyone who’s worked at the local level knows how difficult it can be to get community engagement. It can be very expensive to get community engagement. Would you like me to stop there, Leslie?

DR. FRANCIS: What I would like to do is to flip on now to what– we have some slides called “proposals for next steps”. That will of course start with synthesizing the findings and recommendations from past letters. Identifying communities, we have a much bigger list than the original list, and on aggregation and de-identification I think what we would be doing is separating out the technical stuff that HHS is going to be working on and then as that gets developed, trying to help figure out what would be toolkits, checklists, what to look for, and things of that sort for communities.

I’m summarizing the slide that was just up. What I was just going to say, I think I was just summarizing slide number 36.

MS. MILAM: My question is we’ve identified in these slides anonymization as a separate category, when it is really one of a variety of techniques used by folks in de-identification. You also have suppression. You have perturbation of the data. I’m wondering why are we calling out one technique, or are we really talking about the bigger question of de-identification?

DR. FRANCIS: It’s a placeholder for the bigger set of questions.

MS. BERNSTEIN: You are right. That’s not a precise use of language there.

DR. FRANCIS: Paul?

DR. TANG: I guess I’m having a little déjà vu. I thought we had this same set of issues, same set of findings, from our hearings with the communities, and we came up with same issues. I wonder if like the Data Use Workgroup, shouldn’t we move to something we can do tomorrow? That’s where I think the recipe and the toolkit may be more useful.

The de-identification problem doesn’t go away. It actually gets harder as we get to the community level. I think for the reasons that if HIPAA and BAAs worked perfectly we wouldn’t even have this discussion. They wouldn’t get out of the sources without the accompanying restrictions, et cetera. I’m not sure that we can place much hope on the data use agreements.

MS. BERNSTEIN: In general we’re talking about data that’s not covered by HIPAA.

DR. TANG: My point is if everybody knew, understood, and could perfectly execute HIPAA, then there are a lot of problems that would go away. The problem is the complexity and then the whole once it gets out of your hands, what happens to it. I think the same issues happen with data use agreements. It might actually be effectively applied with the very first transfer. I would actually have some skepticism about that just because of the complexity – you are nodding your head.

MS. BERNSTEIN: I think we are not talking about data that’s originally covered by HIPAA either. We’re not necessarily talking about HIPAA covered data. We’re talking about data that may be collected from the community, but it’s not necessarily medical record data or insurance data. Those are the things that are covered by HIPAA.

We’re talking about other things that need some kind of– as I understand the intention of the committee, other things that may be including HIPAA originally covered things, but things that the community might use, other data sources the community might use that have — they’re not–

DR. TANG: Let me step back and–

MS. BERNSTEIN: — treatment payment or a non-covered entity–

DR. TANG: –can we solve this risk with policy – policy and signed agreements. I’m not sure we can.

DR. FRANCIS: What I think the suggestion was here on the– I’ll go back to the de-identification and aggregation one first. Our next steps as a subcommittee, are going to be to work with HHS as it develops what it’s doing on the technical side and for us to get examples of how communities have been doing a variety of things in this space that could then be a toolkit for communities who want to use anonymization techniques as a helpful measure.

What should they be looking for? What should they be aware of as possible risks? What are some of the methodologies that they can use? We’re thinking informationally. As I understand it from Jim’s discussion earlier, we don’t even know what all those risks are. That’s part of what’s HHS is going to be working on with the pilots and other things.

DR. GREEN: I want to build on something Bill said a few minutes ago and then keep going from what Paul triggered off in me. There may be an analogous situation here to the discussion this morning about the workgroup letter. The positioning of this I think is– I would suggest it needs better positioning so that the end user in mind– can we introduce wanting to use data but understand what was being talked about here? There’s something akin to a taxonomy, but it’s not exactly a taxonomy of the issues that we’re presuming people know what a disease– a data use agreement is.

MS. BERNSTEIN: Sometimes it feels like a disease.

DR. GREEN: Paul alluded to– Maya’s response to one of Paula’s things, well, we’re not talking about HIPAA covered data. That is a big damn deal, right there. I spotted that in real time, in this room, this afternoon. Most community users don’t even know what that meant and why it was so important. Maya knows why it’s important, but they don’t. Upstream from the details that you’re working on there needs to be a funnel of some sort that says in the new data world proper use of data– who’s said it’s getting worse? Bill said this– it’s getting harder, not worse I’m sorry.

If it could be set up that way then these recommendations, which are needed– you don’t hear me arguing against that, but then if it’s thinking about the user in mind, they say, oh well, that’s why I need to pay attention to this. I don’t think that’s there yet. That’s part of Jim’s plain language stuff. It’s not the lip reading level, but it’s putting it into a position so that normal people can say this is why I need to pay attention to this. One more thing and I’ll hush is that we’ve also had prior discussions about use cases. You can see them coming up there–

DR. FRANCIS: Oh yeah, there are examples of them in here.

DR. GREEN: One thing might be to restrict the work in the latter to a limited number of use cases. You would use a limited number to call out high probability situations that communities all across America are going to face. When you work through that use case, you basically say we can do that. That’s like our problem. This is what we’re supposed to do–

DR. FRANCIS: This is sounding like almost what we want to be doing is producing something of an electronic report that says here are the major things communities need to be aware of out here, and then some hot buttons. Here’s your little HIPAA primer. Here’s your primer about what a data use agreement is, what their usefulness might be, what are some of the common elements you might want to have in a– maybe you use sample language even. This is not recommendation.

This is toolkit type stuff for a community that wants to do it, the same thing about engagement, the same thing about the use of various statistical techniques to mask or whatever– that’s kind of what it’s– and the letter would be to say secretary, keep supporting us as we produce this. This will need to be an ongoing set of educational materials in a way.

MS. BERNSTEIN: I had the idea as we were going to, or the subcommittee was proposing to make some kind of resource guide essentially, and if it’s electronic a pointer system to other re– to play out, as Leslie said, certain of the basic questions you could be asking, a la Bill’s suggestion, and then pointers to other resources where we have the information, simple discussion with– you could find more information here and here, a useful guide of some kind in whatever form that might take.

DR. FRANCIS: A community’s guide to data stewardship.

MR. TAGALICOD: I actually like where the conversation is going because I think it is as people mentioned risk. People have mentioned what is doable meaning a toolkit that’s available to communities. I think the context we have to understand, and I think this committee has even tackled it in its data stewardship papers as well as other places where it is all about risk management, because the data will be compromised and to assume that it will not be compromised is quite frankly unrealistic.

The question on the front end is this is what you do to minimize or mitigate the risk. Once it happens, inevitably it would happen, and it may be smaller, what do you do in order to address once there’s a violation or there is a breach? I think as part of the toolkit, although I think it should start off with discrete little pieces, what do we need to do, but I think it needs to be understood from a risks perspective. Yes, all those are techniques in order to– so, anonymization, pseudo-anonymization, et cetera, are some of the things that might be available to large and small communities.

DR. COHEN: I, too, think the flow of this conversation is spot on. It gets back to where we started with conversation many long hours ago around usability, utility, and usefulness to communities. What is useful for communities, what would maximally be useful is something that they could get so they can understand the issues, whether it’s written or a video or a combination, get what the issues are, what the problem is, and have options for solutions.

I think this really carries on– when we talk about communities as learning systems, this is a perfect example of where we can meet them where they are and really provide values. I really appreciate this discussion. I think it’s perfect.

MS. GOSS: Building on Bruce’s comment, it’s about the convergence of the HIPAA and HITECH worlds. There’s a sweet spot already happening with the National Privacy and Security Framework and the decomposition work that’s happened over the last decade at the state level that needs to inform this discussion to connect the world to HIPAA or not to HIPAA but to do the right thing.

MS. MILAM: I would like us to, after this meeting probably, really focus on honing down these use cases so that we really understand what the communities’ needs are. When we had our workshops, I didn’t hear that communities were collecting or creating a lot of their own individually identifiable data. In fact, they weren’t even using a whole lot of that from others.

I’d like us to test the proposition as to whether they’re really going to be in the position of disclosing personally-identifiable data or whether they’re more often to be in the position of receiving a data use agreement to sign it to get data and really not know what it means that they’re signing or not know how to implement the controls that are in it. I think a little bit more work on that end would be useful because I don’t know that there will be that many communities that will actually need to have their own DUAs, at least based on what we heard in the last couple of roundtables.

MS. KLOSS: I think Maureen would confirm that based on the conversations we’ve had and our reason for doing an environmental scan to see if the tools can exist.

DR. FRANCIS: I think Maureen maybe you can comment on this, but what you found was that there was a lot of silence on that.

MS. HENRY: There was some silence on that. I think that where it’s going to be potentially increasing is with the emphasis on community-based participatory research and some of the outreach that’s happening, for example, through PCORI where you’ve got academic and to some degree even healthcare organizations reaching into the community to learn more about what’s happening at the community level from members of the community where there may in fact be the data collection process.

That’s one piece, and then the other piece is coming in the other direction that Sallie is talking about where they’re also going to be on the receiving end of it. I think I’ve heard a little bit of both, but there’s definitely an emerging trend toward collecting community-level data through CBPR as well as patient-centered within a community framework.

DR. HORLICK: This is Gail. I just wanted to make two comments. One is that I know the focus of this is on communities, but as you were talking about developing that resource with the primer on HIPAA and what these terms mean, I kept thinking that would be so valuable for us in public health. I talk about HIPAA all day long. CDC is not a covered entity. We get our data from covered entities, but I’ve been doing this for ten years. I’m getting that today, what does that mean.

I think just– we get things all the time about this is de-identified. Well yes, but if you put those facts in it’s identifiable. People that are not immersed in this that want to do the right thing are not aware of what is going on. That’s my daily experience, and I wanted to second the comments that were made about engaging the communities. That is being done in public health at the state and local levels, for example, where there’s mandatory reporting of CD4 and viral load counts. Previously that was never used to contact individuals. We had to maintain trust and strict confidentiality.

Now by engaging the community, they’re using the data differently with the community support because they know that it’s not necessarily the death sentence that it was, and there have been advances and changes in values. I know what the focus is, but as you were talking I thought we could really use this. I just wanted to share that.

DR. FRANCIS: So producing this seems to be our subcommittee work plan. If you go back to the agenda, this was– the status report of the next bullet was subcommittee work plan for the balance of 2014. Am I hearing something that sounds quite like a subcommittee work plan, continuing to develop where we’ve been going along these lines informed by obviously the rich discussion we’ve been having?

DR. MAYS: I want to pick up on what Sallie was saying. I think this is a really critical issue. Particularly if in the scan you’re doing and going back to the same people, I want to broaden what it is that we’re going to build on and what it is we’re thinking about. First, I think in terms of what we heard much earlier in terms of the hearings, it’s a little different than what we’re talking about.

The issue of whether what we’re doing fits what is a real HHS need or if what we’re doing fits a community need I think is very different. Communities actually need much more around trust building in terms of the process. It’s not like they’re going to really deal with HIPAA. They really want to deal with what happens with data. They’re interested in very specific data. It’s usually not data they collect.

It’s data that HHS collects or it’s data– usually it’s the state and department of public health. They’re more worried about STD data and when I tell my doctor x and y– they have mixed so many different sources of data up when you go and work with the community that we really have to have a lot of clarity because what happens in a survey is going to be so different in terms of what happens in terms of the data they give when they go into see a provider.

One, we have to be really clear what arena we’re playing. If it’s for HHS it may be around either clinical data or survey data. The second thing is that I think there’s a lot done that we probably need to go to. For example, the group called Campus Community Partnerships, they have research ethics. They have sample MOUs, NUAs to say when somebody wants to get data from you, use these things. They have things about research ethics and what have you. It’s usually the assumption not that the community is collecting the data but that other people are collecting the data, and you’re a subject or participant.

There’s also, and Larry can talk about this probably, is the CTSIs now have developed material. PCORI has developed material. There’s a lot of stuff, but what our job may be is to really figure out what kind of data, for whom, and what is it that HHS needs to really be the leader about. I don’t think they can be the leader in all data, but I think there’s certain data that their leadership is very much needed.

DR. FRANCIS: Perhaps as a suggestion, Maureen has prepared a whole set of appendix slides, back up slides. We should have these slides and the backup slides posted on NCVHS’ SharePoint, and people can suggest additional– Maureen has a whole list of everybody she’s talked to and all that sort of thing. Many of the– there’s an additional whole set that we have as backup. Obviously we only have 45 minutes for this discussion, so it’s been pretty truncated. What might also be helpful would be to have Maureen talk to members of the committee who have additional information that they might be willing to share about things like that. Does that make sense Maureen?

MS. HENRY: Absolutely, that sounds great.

DR. TANG: This morning I think we had a breakthrough in terms of– we had this abridged discussion about the data use, and then we had this narrow scope, and it made everything fall into place. I think maybe we need to make sure we understand– when you said we’re going to the next steps that we all have the same understanding of what’s the– I think a new way of framing it was the way I heard it described to me. So we might have originally wanted to go out seeking solutions that we could give people just disseminate– it’s a dissemination problem. Based on our hearings three years ago and reconfirmed by this environmental scan is there probably aren’t any of the kind that we originally envisioned. Maybe our goal is really to create informed communities that are getting value out of data both understanding the benefits and the risks. That’s a different goal, and it may have a different product from us. That’s what I took away from the discussion. I don’t know whether I’m on the right page or the same page with you, and it’d be useful to make sure we’re–

DR. FRANCIS: My understanding has been, and maybe we’re just using different terms, but that all along our aim has been to produce a resource guide.

DR. TANG: I don’t know if that is enough. I think that wasn’t Bill called a recipe or what I’d call a toolkit.

DR. FRANCIS: That’s just different words–

DR. TANG: There are plenty of resource guides that sit on the shelf, and we create some of those ourselves. Our new– I think we’re creating new products. We are creating new products. There was no amount of resources, no amount of libraries that were going to help the small providers do the security risk assessment. That was their conclusion. What they did was created a toolkit so anybody could walk up and be led through what it– I think we have the same problem. It’s not plain language we’re trying to create. It’s the toolkit of how anyone, any community could walk through– not just with links.

MR. WALKER: I don’t think it’s a toolkit either. I think that is pre-judging the answer. If I were responsible for building tools like this, which I am, the ideal would be to start with a cognitive work analysis and say what are people doing and assume from the outset, although it may not be true, that there be some things they’re doing that we can support with something we can build in some affordable way, and there would be other things we can’t support.

That’s part of the issue to say what can we support, what can’t we, what’s important enough to need support, prevalent enough in the– happens often enough, has a big enough impact on public health, pick your criteria, and then understand– and I think we have some of that, and I’m guessing Vickie and others have it in their heads. It’s just that I don’t. What actually is the process that’s going on, and is the issue that there are community organizers out there and the thing is to get them knowledgeable, get them tools and access to a phone number? What exactly is the insertion point into the process where we can make a difference?

Then, what is the thing that we would insert– I guess I’m trying to say– what I think Paul was trying to say is it isn’t clear to me what the question is that we’re trying to answer. I don’t think it’s crisp and specific. I think if we could say we think we can help people that have this kind of skill set and are trying to do these kinds of things with these kinds of information resources and what they would need is this kind of thing, and it’s an MOOC or whatever the heck it is. I think we could just be a lot crisper about that framing and not end up with another tool set that nobody can use. One of my– what people don’t want is a toolkit. They want a solution.

DR. COHEN: This reminds me a lot of the community readiness discussions because everybody is in a different place and there’s an enormous diversity of needs. Some communities exclusively use state data. Some communities actually are collecting their own data. What we’re discussing is more a management of the flow of the work that you guys are going to need to do in terms of clearly identifying your audience and your target for what I would say would be a series of primers, toolkits.

I think probably you two might end up being the best way to communicate the information with– whatever dissemination strategies, and this is something that we need to do collectively, is to focus on being more thoughtful to disseminate what we do in a way that is useful to the targets that we are trying to disseminate information to. I think what’s laid out here is not a one-year work plan but a several year work plan to provide utility to a whole diverse set of potential users, whether they’re from CDC or whether they’re from West Baltimore. Good luck.

DR. FRANCIS: Lynn has a card up and then I want to turn it to Linda to at least talk through briefly whether we need any more guidance about where to go next.

DR. BLEWETT: I find it helpful to think about– if I was at the community level, what kind of data are you collecting or what do you need to be concerned and aware about? So just to think about what data you’re collecting and what kind of risk and things do you need to be worried about? If you’re collecting information about people’s health behaviors and health status, you go down this road. If you’re collecting aggregate data from the health department, you go down this road.

It’s what I know as a university professor. If I do anything I have to go through IRB, and they tell me if you’re doing this, this, or this, there are different ways to go. I think maybe that might help frame– and some of it’s going to be HIPAA. Some of it will be data use. Some things will be public data that you can use freely and put in with a bunch of other stuff and do your community assessment and it is fine. That’s just my two cents.

DR. FRANCIS: Thank you. Linda, do you want to chime in?

MS. KLOSS: One of the advantages of being remote and on the phone is that I have a chance to quietly listen and capture notes. As we heard earlier in the day, I think the overall consensus is that we narrow, we clarify our intended audience. It may be more narrow than we’d like to begin with, but to make sure we’re very clear on that. I think this last discussion was very instructive that one of the ways to do it, maybe rather than the audience, was to begin with the type of data. I think we can think that through. Originally our game plan for the next several months, and we’re happy to have had a chance to get reactions to our environmental scan, I think we had hoped we would find some great example, and we could– as you’ll see now I’m going back to the slide deck, if you’ll help me with that, Maya– I want to go to slide 39, our work plan.

What we’re working on is this plan 1A and 1B, starting with the environmental scan research with Q1. We had made an assumption that we would convene perhaps another workshop or another hearing out of this, but I think that maybe needs to regroup on whether that’s the right next step or whether the next step is to do the definitional work and just begin outlining and compiling what might be in the recipe book or whatever we call it. If not a toolkit, then I’ve thought about it being a checklist to condense what we’ve learned about over the last day. We’ll update that next step and move on from there thinking about that. It may not be that a Q2 or Q3 workshop, or in fact, it may be, but the test may be more of a design task, which was one of the ideas that we had as well.

We’re committed and determined to get a real product out of this exploration. What we heard today was environmental scans leading to a decision about what product– we did not see this as a– some of this is caught(?) by any means, and continuing to work in collaboration with public health standards and population and contribute in that regard. This has been helpful, and we’ve captured it all, and we’ll regroup as a subcommittee and figure out what next steps are and plan of attack.

The next step on our work plan if there aren’t any comments is to finalize the HIPAA report to Congress. The third work plan that we presented last fall calls for us to speak up this year. One additional privacy issue that may be something outstanding, maybe from HIPAA that needs attention. We certainly heard the discussion today about David’s presentation. Perhaps this fits into this emerging issue area as a live area for further work by the subcommittee. We’ll appreciate your thoughts on that also.

Our plan was really to decide on what that additional issue that represented our most pressing priorities, and to see that in June so that in the fall we could do the groundwork and have some kind of letter on this emerging issue ready for committee next February 15. I think we’re making progress on our game plan. I really thank Maureen for her great work and for partnering with us. We’ll move on from here. Back to you, Leslie. I think for the fourth item on our agenda, we have a few minutes left to close the loop on accounting for disclosures which was our final agenda item.

DR. FRANCIS: Our final agenda is we’ve participated with the tiger team in a hearing– a virtual hearing on accounting for disclosures. The recommendations which went to the policy committee of ONC and which I guess were accepted and passed on to the secretary at HHS is– basically the recommendations were a step-wise set of accounts– start with accounting of disclosures outside the entity and for internal uses relied primarily on the patient’s right to request an investigation of inappropriate disclosure. I don’t know that there’s anything more that we have to do on this immediately other than to just say that’s the current status of things. Linda thanks for being remote, and Maureen thanks again for all the amazing help, and now it’s Larry’s turn.

DR. GREEN: I wanted to go back– Jim is passionately saying something that I want to know what he was saying.

MR. WALKER: Just an example question, whenever we decide who the target audience is, what are their preferred learning moments? Do we know that? If we did, then we could say is it a video? Is it just a well-written word document? Is it a checklist? Even just starting to answer that, even asking the questions would–

DR. GREEN: Leslie, I want to add a tangential comment. I want to ask you guys to add to your context for this three part– it’s three parts work now, because we think part four there’s nothing further to do right now. Communities are using data that are far outside of HHS’s jurisdiction. We need to not resist that but embrace that and begin to wrestle with the implications of that.

Going back to a comment I made this morning about the health affairs issue, the data have to be secured at their origin. When they’re developed, they have to be secure in transmission. They have to be secure in arrival. When data sets are mashed up from the Federal Communications Commission with the Department of Commerce, we have a new set of problems that are going on in a town in South Carolina. I really like what someone said about this is not a 2014 work plan. It covers 2014, but this really is a vector pointing at a continuing piece of work. At this point, and I just want to urge consideration of it’s not just whether it’s HIPAA or not, it’s a lot more.

DR. FRANCIS: I think the whole way we’ve been thinking is that HHS is a leader in helping people about things that might not necessarily be the data they themselves collect.

DR. SUAREZ: Since Linda may be still on, I wanted to mention with respect to the data segmentation, I talked to a few people about the possibility of perhaps having a joint session with the standards, privacy, and security working group. I think there would– and even perhaps the tiger team because I think it would be valuable to have the three groups’ perspectives, listening to the technology developments and standard developments around data segmentation.

DR. FRANCIS: That would be great. Thank you. I think we’ve probably used up our time. Thank you all.

MS. JACKSON: In terms of next steps and communication it sounds like you can look forward to more conference calls and then I appreciated the work plan that Linda made sure we took a look at, because the infrastructure to get anything done still requires step by step. I’ll follow up with the subcommittee and with Maureen and pull together the direction you’re trying to get to.

DR. GREEN: I think we should have, by unanimous consent, that if Bruce wants to give a report about the data council, he can in this session. Otherwise we will get to it tomorrow.

DR. COHEN: Are we rolling into our next block? We’re in the 4:15 block. Do folks want one minute to break to stand up and stretch, do your Zumba routines?

(The subcommittee adjourned at 4:14 p.m.)