[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

Subcommittee on Privacy and Confidentiality

February 24, 2005

Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 160
Fairfax, Virginia 22030
(703) 352-0091

TABLE OF CONTENTS

P R O C E E D I N G S [9:09 a.m.]

Agenda Item: Introductions and Opening Remarks – Mark Rothstein, Chair

MR. ROTHSTEIN: Good morning. I want to welcome you all to the
second day of our first round of hearings on the National Health Information
Network. I especially appreciate your coming on a day of inclement weather here
in Washington.

My name is Mark Rothstein. I’m the Director of the Institute
for Bioethics Health Policy and Law at the University of Louisville School of
Medicine and Chair of the Subcommittee on Privacy and Confidentiality of the
National Committee on Vital and Health Statistics. The NCVHS is a Federal
advisory committee consisting of private citizens that makes recommendations to
the Secretary of HHS on health information policy.

We are being broadcast live over the Internet and I want to
also welcome our Internet listeners.

We will have some schedule changes that I’ll tell you all about
as they become clearer.

We’ll begin with introductions of the members of the
Subcommittee, staff, witnesses and guests. I would invite Subcommittee members
at this time to disclose any conflicts of interest they may have. I’ll begin by
noting that I have no conflicts of interest on this particular topic.

[Introductions; no conflicts of interest stated.]

MR. ROTHSTEIN: Welcome to all of you.

Witnesses have been asked to limit their initial remarks to 20
minutes. After all the witnesses on a panel have testified, we will have open
questions and discussion. Witnesses may submit additional written testimony to
Marietta Squire within two weeks of the hearing if they so desire.

I would request that witnesses and guests turn off their cell
phones if they have them with them. Also, during the hearing, we all need to
speak clearly into the microphones so that those listening on the Internet can
hear what we have to say.

Before proceeding to the first panel of the day, I just want
to take a few minutes to discuss some testimony that was not presented
yesterday orally. We had asked, as part of our Panel No. 2 yesterday on Privacy
in Health Care in Society – we wanted to get testimony on the implications
of electronic health records and health care records in general on minority
populations and we were not able to get anyone because of scheduling problems
to actually appear.

I do have written testimony from Michelle Bratcher Goodwin and
her testimony, which was submitted to us in writing, will be entered into the
Record. But for the benefit of those who are listening on the Internet as well
as those who are here, I would just like to take a few minutes and summarize
some of the remarks that she made so that those are recorded in the Official
Transcript of the hearings. So this will take maybe five minutes or so.

Summary of Written Testimony by MICHELE BRATCHER
GOODWIN

“I’m Michele Bratcher Goodwin, a Professor of Law at
DePaul University College of Law. I’m the Director of the Health Law Institute
and the Center for the Study of Race and Bioethics. I teach courses on health
care regulations, health care policy, legal ethics, and tort law.

“Today, I would like to draw your attention to issues you
are familiar with but which deserve serious consideration as you forth with
your deliberations on privacy and data collection. These issues include
informed consent, patient/physician trust and treatment of vulnerable subjects.

“These issues stand alone, but also intersect, not only
for vulnerable populations such as the low-income and of color but for all
Americans. For the poor in the United States who lack economic power, social
influence and political might, these issues are critically important. I thank
you for giving me an opportunity to discuss some of these issues with you.

“Currently, there is no Federal statute or regulation
that affords privacy protection to race data or race information. Collecting or
disseminating data about race or ethnicity is not considered discriminatory per
se. In fact, the dissemination of some race data can serve a positive social
purpose. Collecting and disseminating data as a monitoring and tracking service
for public health purposes to determine whether we have achieved social goals
to eradicate racism and unequal treatment in health care in the United States
are a positive governmental effort.

“However, using unfavorable medical data for
discriminatory purposes is clearly a violation of trust and should be treated
as a form of discrimination, which is punishable by law. Discrimination based
on race is illegal in most U.S. settings such as housing, employment and
education, and to engage in such conduct in public spheres brings penalties,
and remedies are afforded to the victims.

“However, technology generally outpaces law, and to the
extent that racially discriminatory practices occur in the realm of
biotechnology, the law has been historically slow to answer.

“According to Peter Solovitz, about one-fifth of all
Americans believe personal health information is used improperly. Privacy
proponents are concerned about the disclosure, acquisition, use and
dissemination of data that individually identifies health information. In other
words, data that are traceable to an individual is of great concern to many
Americans and particularly persons of color who have experienced health care
discrimination both in the way of services offered and received and as
uninformed research participants.

“The data sets of concern include demographic information
collected from an individual by a health care provider, health plan, employer,
or health clearinghouse that relates to past, present or future mental or
physical condition. Personal health information includes race, gender, and
Social Security number.

“It is important to determine the independent value of
collecting portable data. What do we plan on such data resolving? Which classes
of Americans are best served by the collection of such data? Who is disserved?

“The value of collecting the data must be weighed against
the possibilities for abuse. In recent times, we have borne witness to the
abuse of medical data and the awkward and untenable position in which
physicians have found themselves in an effort to comply with local regulation.

“As biotechnology outpaces the law, it is important to
harness the products derived from that technology and chart safe passageways.
Absolute proscriptions on the dissemination of race-related medical data could
have a detrimental effect, and this concerns me. However, I am mindful, and the
case law provides evidence of abuse in the collection and dissemination of
medical data based on race, as well as the difficulty with insuring consent for
data release is truly informed and patients are aware of the full scope of
exposure release of data could mean.

“I suggest that the Committee proceed cautiously, paying
attention to a legacy of discrimination and violation of certain populations in
the United States. Protection of the vulnerable should be at the heart of your
deliberations. Indeed, those most vulnerable, particularly those who rely upon
the state for medical services, are the canaries in the coal mine, the first to
experience the harms that we would all wish to avoid.

“Thank you for the opportunity to share my concerns on
culture and privacy.”

MR. ROTHSTEIN: So with that, the full statement will be entered
into the Record, but I wanted this to be on the Transcript as well.

So without further ado or delay, let me introduce the members
of the first panel this morning and without objection from the panel members,
we will proceed in the order in which your names appear on the Agenda, and that
would mean that our first witness this morning is Dr. Lichtenfeld.

Agenda item: Presentation – Dr. Len
Lichtenfeld

DR. LICHTENFELD: Thank you, Mr. Chairman, members of the
Subcommittee, and guests. Good morning.

My name is Len Lichtenfeld, and I’m Deputy Chief Medical
Officer for the American Cancer Society. Today it’s my privilege to appear
before you on behalf of the Society to discuss the Internet, its impact on our
organization, our collaborators and those we serve.

My discussion will address several areas. First, I will review
our Internet-based information strategy and some of our specific programs. And
then I will discuss the National Cancer Database which is operated by the
American College of Surgeons and supported by the American Cancer Society. And
finally, I will present additional comments regarding electronic health records
and related technologies. My goal is to share with you how privacy issues
impact our activities, how we address privacy concerns, and some observations
as to how privacy is viewed by those we serve.

Beginning in 1966, the American Cancer Society made a decision
to reach out to its constituents nationwide –

TELEPHONE OPERATOR: Excuse me. Simon Cohn is joining.

DR. LICHTENFELD: May I continue?

MR. ROTHSTEIN: Good morning, Simon.

DR. COHN (on phone): Good morning, Mark. Sorry for running
late.

MR. ROTHSTEIN: Okay, thank you.

DR. COHN: Early here.

MR. ROTHSTEIN: Dr. Lichtenfeld has just begun his testimony.

DR. LICHTENFELD: Thank you.

MR. ROTHSTEIN: Sorry for the interruption.

DR. COHN: My apologies.

DR. LICHTENFELD: Beginning in 1996, the American Cancer Society
made a decision to reach out to its constituents nationwide with a broad-based
information strategy. In 1977, we established a call center which is available
any time to anyone who has any question about any aspect of cancer. In
mid-1997, we initiated our efforts to strengthen Cancer.org, our Internet-based
information service, where many of the same questions can be addressed.

We have been fortunate to experience incredible growth and
acceptance of both of these services. I’m pleased to share with you that we now
have approximately 1.5 million visitors to our website every month and almost
100,000 callers to our call center during the same time.

We take pride in this accomplishment and devote considerable
organizational resources to these efforts. We have made a commitment that the
information we provide is accurate and evidence-based as possible.

From the beginning, when it came to privacy, we realized that
it was not sufficient to meet the letter of the law and the expectations of
those who turn to us for help and information. We needed to exceed those
expectations. I would point out to you that although this is a very wordy
slide, you do have hand-outs in your material that have the same information.

The Society realized we had obligations that extended beyond
HIPAA and we had to make our own commitment to protect the medical privacy of
our constituents. To that end, we developed Health Information Confidentiality
Principles which were finalized in September, 2000, and guide our privacy
activities to this day.

In those principles, the American Cancer Society established
strict guidelines for its staff and reassurance to the community that we took
privacy concerns very seriously and had every intent of incorporating those
principles into our operational objectives.

It is one thing to say what you’re going to do, and another to
actually do it. I would now like to take you on a brief tour of some of the
products we offer through Cancer.org and share with you some observations
regarding the information people will actually provide on line which may be a
surprise to some of us in this room and on the Internet today.

Cancer.org is our flagship website and that provides
considerable resources on various topics relevant to cancer. As I mentioned
previously, we host over 1.5 million visitors to Cancer.org every month and the
numbers continue to grow. We do have a privacy statement on the site, but the
practical privacy policy is very simple: We collect no information and require
no information about or from visitors to Cancer.org. Beyond using cookies to
help direct people to areas of individual interest on the site, visitors enjoy
free access.

Unless someone wishes to make a donation to the Society, there
is no data request, no data accumulation, no demographic analysis, no entry
into our customer relation management system.

As you might expect, we don’t receive much feedback, or any
feedback, for that matter, positive or negative, regarding privacy issues on
Cancer.org. We do get some feedback from others within our organization who
would like to have the information about visitors to our site, but the decision
has been made to keep the site free of any obligations for those visitors.

Within Cancer.org, we do provide other services to our
constituents that may require more information sharing, but only if they seek
those services.

We have a calendar and reminder service. That has had limited
usage. In comparison, we have had considerable success with our interactive
Cancer Survivors Network. This online community, which requires 2-1/2 FTEs to
maintain and operate, has developed into a very effective support mechanism for
its members. Since its launch in July of 2000, CSN has had over 1.4 million
visitors and has registered 54,000 active members of the community. New member
registrations range from 1,200 to 4,500 monthly.

I wish that time permitted me to go into detail about this
wonderful network and its accomplishments. Cancer Survivors Network offers
support to its members in a variety of ways, including message boards, private
and secure internal CSN email, and personal web pages to use in whatever way
the members see fit. There are few rules and regulations, and we don’t permit
members to provide medical advice, but it’s okay to say in your words what you
are experiencing and feeling either during treatment or as a survivor, care
giver, or both.

This network is built on trust and respect, and although
monitored by the Society for violations of site terms and conditions, it is in
its own way self-policing. If someone wants to see what the network has to
offer, they are able to view unrestricted areas of the site through Cancer.org
without a specific registration.

But if someone wants to be an active participant and view
restricted areas of the site where the chat rooms, email and web pages are
located, then they must register. Once again, registration information is
limited to a screen name, a password, a valid email address, and a zip code.
They could also provide personal profile information about themselves such as
their disease and its status. This information actually lets patients find
others similar to themselves by whatever criteria they choose for the sole
purpose of sharing experiences.

It’s important to note that the Society does not use
identifiable information gathered on this site or Cancer.org for its internal
activities. We do gather aggregate information for the purposes of tracking and
trending. In the opinion of staff, it is this absolute commitment to protect
the community participants that has led to the success of this venture.

What is interesting to those who work regularly with the
network is the degree to which people make their information available through
the network. CSN members can remain completely anonymous. However, we have
found that names, addresses, personal interests are regularly provided openly
by members of the network to other members of the community. Movement in the
Information Age requires caution on everyone’s part, especially since posting
information on unrestricted areas is searchable, but anecdotally, at least,
there have not been serious breaches as a result of this information freedom.

Our observation about the exchange of information on this
network, as stated by one of our staff, is that “By and large” –
in the quote – “people determine they are all in the same boat and
they share a lot, a little, or as much as they want to say. It’s like being in
a relationship.”

Two other programs on Cancer.org have significant requirements
for disease specific information. One is our treatment profiler, in cooperation
with NexCura, the other our clinical trials matching service in cooperating
with EmergingMed. Both of these programs require specific data entry. The
treatment profiler uses an opt-out strategy for further products or responses
based on data entry. The matching services uses an opt-in approach.

The matching service privacy policy has been created in close
collaboration between EmergingMed and the American Cancer Society while the
treatment profiler privacy policy has been created by a company in cooperation
with other well-recognized, not-for-profit voluntary health organizations.

As simple as opt-out versus opt-in may seem, there are
significant differences in their implications, and what can be done with the
information as a result of the approach utilized. Whether consumers truly
appreciate the differences is uncertain, but we suspect they do not.

With the opt-out strategy, consumers give the organization
– in this case, not the American Cancer Society – the opportunity to
maintain a database and use that information to advise patients of various
opportunities regarding medications, treatments or clinical trials. These
messages are not infrequently commercially supported and go beyond the initial
intent of entering data into the system, which is to determine the best
treatment options for a specific type of cancer in a particular stage or
circumstance.

Although one might suspect that such sharing of information
with commercial entities resulting in emails or potentially other forms of
contact would be a concern to patients with cancer, there is nothing in the
Society’s experience which would suggest that to be the case. In fact, if
anything is the impression of our staff, the patients and families actually
look to the information as a welcome, useful addition to their knowledge.

In comparison, the clinical trials matching service is an
opt-in service where the data remains completely under the control of the
patient or family member who provides it. This service has been designed from
its inception to be certain that patients have control of their data, that it
is used for no purpose other than linking them to clinical trials through
matching algorithms.

In this program, the need to proactively protect privacy is
paramount. Privacy was a crucial element of the negotiations between
EmergingMed and the Society when the program was designed.

What we have discovered about providing personal health-related
information on the Internet is once again surprising. Almost all patients who
pursue information regarding clinical trials on our website are willing to
provide detailed information about themselves and their disease.

We have also learned that there must be telephone backup to
complete the process. As noted by an executive from EmergingMed, most people
who seek us on the Web are email literate but not Internet literate. It’s one
thing to email a grandchild, another to order from Amazon.com.

Since cancer is primarily a disease of older persons with a
median age of diagnosis of 67, this is a distinction worth noting. It also
means that we must provide choices to meet the needs of our constituents
effectively.

Another area of interest – the American Cancer Society
works closely with the American College of Surgeons and their Commission on
Cancer, or CoC, which operates the National Cancer Database, or NCDB. The
experience of this database highlights an entirely different issue, which is,
namely, the ability to effectively gather and utilize data to improve the
quality of care for patients with cancer.

For many years, the CoC has accredited cancer programs in
hospitals throughout the United States. Presently, there are 1,425 accredited
cancer programs, all of whom submit data to the NCDB on a regular basis. Here
we have an outstanding opportunity to obtain information about patients with
cancer diagnosed nationwide, their treatment, the effectiveness of those
treatments, and the survivals of those patients entered into this data system.

Although data is submitted to NCDB electronically, it is
gathered pretty much the old-fashioned way, by having registrars going through
charts, relaying on sources outside the hospital to provide periodic follow-up
information.

From a research and reporting perspective, the delay in
obtaining that information limits the usefulness of the data. With the clear
trend to more diagnoses being made and treatments being offered outside of the
traditional hospital setting, there are additional limits to the quality and
value of the information obtained.

The Commission on Cancer and the American Cancer Society are
well aware of these limitations and established goals to improve the ease,
completeness and timeliness of data collection reporting and analysis. All data
collected by the NCDB has been de-identified and is reported in aggregate and
will always remain so.

But we need to have a better way to find that data wherever it
may reside, whether in the hospital, independent laboratory, the doctor’s
office, or elsewhere. Working with Intel, a three-phase initiative has been
proposed and funding is being sought to implement the plan to improve those
data processes.

Will we ever be able to be as efficient as we need to be to
accurately collect, collate and report the data? Will we ever be able to
provide valuable feedback to hospitals and practitioners in something close to
real time? As we speak, NCDB is engaged in a project to obtain real time
information in cooperation with a national hospital system to impact the
quality of care by providing rapid feedback to physicians.

We know we can develop the technology, but with new technology
comes new challenges, and the NCDB experience serves as a reminder of those
challenges. The NCDB systems are already HIPAA compliant. The creation of a
health information network with the data element standards in place would be
big step forward. Currently, to function properly, NCDB has negotiated separate
privacy agreements with each of their cancer programs. They had to take into
account the varying rules regarding privacy protection in all 50 states.

They are working to establish a link to the National Death
Index to get information on whether a patient has died and determine the
official causes of death. To date, this remains a work in progress. When
Federal and state laws conflict on privacy protection, the state law is more
strict and state law prevails.

As this discussion demonstrates, we may be able to develop the
systems, but we also need to develop a nationwide commitment to make them
operational and effective. We need to strike a balance between the various
institutional, legislative, regulatory and legal frameworks that exist on a
local, state and national basis to protect patient privacy and our need to have
access to information necessary to improve the quality of care we provide our
patients.

All of us will have to work together to address these broad
legislative, regulatory, legal and ethical issues in order to achieve the
important goals envisioned by many of us here today. We look forward to a
system that can transmit information, accelerates our ability to understand
what’s happening to our patients, provides adequate protection for individual
privacy.

We must constantly be mindful of addressing concerns about who
will have access to an individual’s medical information and must always act to
avoid compromising an individual’s privacy or allowing the information to be
used for discriminatory purposes.

We need to advance clinical and laboratory science-based
programs that improve our health while not compromising respect for the
individual. We need clearly understood rules to avoid institutional paranoia
that could inhibit valid research and quality improvement undertakings. We need
guidance that permits us to share information across state borders.

Imagine what we could accomplish if we were successful. With
access to better data, we would be able to remind people that they need to be
screened for cancer at appropriate intervals. We could develop quality
algorithms to monitor the diagnosis and treatment of cancer and access and
assess patients’ quality of life after they receive their treatment. We could
learn to analyze medical records and inform patients if they are eligible for
clinical trials. We could find a way to quickly determine which new cancer
treatments work and which do not.

The American Cancer Society hopes that as we enter this new
Information Age, policies will be developed that support our mission to educate
the public, to collect data to improve the quality of cancer care, and allow
the conduct of research using the Internet.

However, the Society does not believe we have to start at
Square One to convince cancer patients, their families and their care givers of
the importance of obtaining and using this information.

As one senior researcher said to me in preparing for this
presentation today, and I quote, “Cancer patients are different. They
really are willing to cooperate with people they trust. They view their
participation as an opportunity for themselves and those who are helping them.
They don’t want to be protected to death.”

Our experience at the American Cancer Society supports that
viewpoint. We enjoy enormous trust around the nation and throughout the world.
Our attention to privacy must mirror that trust, and it does.

In exploring the development of the National Health Information
Network, we believe that patients, families and care givers of cancer patients
are well aware of the value equations.

Perhaps cancer patients are different, and perhaps they do
“get it” better than most. After all, they are dealing, in many
cases, with a potentially life-threatening disease. To them, information is
crucial, time is of the essence, and accuracy is critical.

They trust us to do the right thing, and we respect that trust.
We are optimistic that through public and private partnerships creating
effective information systems and data-gathering opportunities that we will be
able to provide them with what they expect from us.

In closing, I would like to acknowledge the many people who
assisted very willingly and extensively in the preparation of this testimony
today.

Thank you again for this opportunity, and I look forward to
answering your questions.

MR. ROTHSTEIN: Thank you very much, Dr. Lichtenfeld. We, I’m
sure, will have questions for you at the end of the panel presentations.

And now I’d like to invite Dr. Levine to testify.

Agenda Item: Presentation – Dr Robert
Levine

DR. LEVINE: Thank you. Mr. Chairman, thank you, Committee
members, guests, listeners. Good morning. I am Dr. Robert Levine. I appreciate
the opportunity to present comments to this important process as a long-time
volunteer leader and a former international board member of the Juvenile
Diabetes Research Foundation.

For those of you who aren’t familiar with the JDRF, it was
founded in 1970 by the parents of children with Type 1 diabetes who each made a
promise to their loved one that they would do all they could to find a cure.

As a direct result of the passion and drive of its volunteer
leaders and the skills of its professional staff, JDRF has grown to become the
world’s largest non-profit, non-governmental contributor to diabetes research,
providing over $800 million since its founding and projecting to fund over a
hundred million dollars this year alone.

I should note at the outset that I was asked by JDRF to offer
testimony today because of my known special interest in the National Health
Information Infrastructure and as an active member of the community of people
personally affected by diabetes. My wife has had Type 1 for nearly 40 years.

As such, my testimony is my own and does not represent policy
of the JDRF; rather hopefully, it fairly represents concerns of JDRF’s key
constituents.

Also relevant to my participation in these proceedings are my
service as the Chairman of the Health Priorities Project for the Progressive
Policy Institute, a policy think tank of the Center’s DLC, my past board
membership of the Foundation for Accountability, and my history of leadership
involvement in a number of ad hoc stakeholder collaboratives whose purpose was
to envision an Information Age health care system focused on helping every
American achieve optimal health-related quality of life and function.

I want to start my remarks with the same sort of warning that
Dr. Lawrence Summers gave for the Harvard faculty recently, but hopefully

MR. ROTHSTEIN: Hopefully, you will get a better reception!

[Laughter.]

DR. LEVINE: Yes, I would say exactly my point. Hopefully, I’ll
fare better than when looking back on them.

That is, some of what I will say is meant to be provocative,
but certainly never to be disrespectful, and to me it’s not worth spending your
valuable time to simply present conventional thinking or repeat what you’ve
heard from others, and I hope most of you will judge my comments constructive.
And I think I’m going to be considerably higher altitude than my fellows on
this panel today.

This Subcommittee’s charge is to address issues of privacy,
confidentiality and the protection of patient information relating to the
establishment and use of a national health information infrastructure. In
confronting this challenge, I have no doubt that you’re making substantial
efforts to detail all the relevant risks, uncover leading edge methods of
mitigation, and that many of your panels have already done a good job raising
necessary questions and offering ideas for solutions.

But I have to ask in doing so: Are we collectively missing the
forest for the trees? I say this because I believe strongly that
notwithstanding all the legitimate concerns about privacy made more intense
daily by the too frequent and frightening stories about accidental release and
deliberate theft of sensitive information, it seems to me the greatest threat
and the biggest risk to people with diabetes or heart disease or cancer or
HIV/AIDS or any number of other chronic diseases or disabilities seems not to
be from unauthorized sharing or use of their personal health information;
rather, it’s from the failure to share, or the inadequate use of that
information, and sometimes even valuing protecting privacy over protecting an
individual’s life, their health, and the health of their families, friends and
neighbors.

To make my point, please allow me to read, with some editorial
license, directly from the abstract of a paper presented by the University
Health System Consortium Diabetes Benchmarking Project team which was published
in February, 2005 in Diabetes Care, and I must say, reading the details
of this study, it’s even more alarming. The title of the paper is “Quality
of Diabetes Care in U.S. Academic Medical Centers: Low Rates of Medical Regimen
Change.” It’s from the Grant-Buse group at General Med division at MGH in
Harvard.

Their objective, they state, was to assess both the standard
and novel diabetes quality measures in a national sample of U.S. academic
medical centers. Their design was a retrospective cohortstudy
conducted from January, 2000, to January, 2002, and involved 30 top U.S.
academic medical centers which contributed data from 44 clinics – 27
primary care, 17 endocrinology diabetes specialty clinics – with 1,765
eligible adult patients with both Type 1 or Type 2 diabetes with at least two
clinic visits in the 24 months before January, 2002, including one visit in the
six months before January, 2002.

The study group assessed measurement and control of hemoglobin
A1C, blood pressure, and cholesterol and corresponding medical regimen changes
at the most clinic visit.

The results. In this ethnically and economically diverse
cohort,annual testing rates were very high — 97.4 percent for
A1Cs, 96.6 percentfor blood pressures, 87.6 percent for total
cholesterol. The abstract is very safe. They say fewerpatients were
at hemoglobin A1c goal; that is to say, only 34 percent of the patients were at
goal, of less than seven. Or blood pressuregoal, only 33 percent
were at blood pressure of less than 130 over 80. Or at lipid goal, 65 percent
were at a total cholesterol of less than 200, but if you look at LDL, only 46
percent had LDL of less than 100.

Only10.0% of the cohort met the recommended goals
for all three riskfactors. Now, that is a problem to start. But the
worst problem, for me, is that at the most recent clinic visit as they state in
their abstract and is further detailed in the study, only 40 percent of the
patientswith hemoglobin A1c concentrations above goal underwent
adjustment oftheir corresponding regimens. Among untreated patients
with high blood pressure, only 10 percent were initiated on therapy.

Of previously untreated patients with elevated LDL
cholesterols, only 5.6 percent had therapy initiated at the time of their last
visit.

As I said, the details of the study present a more profound
commentary on the lack of use of critical information that demonstrated the
lack of achievement of clinical goals. Patients with Type 2diabetes
were no less likely to be intensified than patientswith Type 1.

So their conclusion was that high rates of risk factor testing
do notnecessarily translate to effective metabolic control. Low
ratesof medication adjustment among patients with levels above
goalsuggest a specific and novel target for quality
improvementmeasurement.

I would put it another way, because I’ve been looking at these
issues for more than just a few years.

At some point, it is going to become impossible for us to
continue to explain away this poor performance with comments like
“everyone is working hard against odds and difficult circumstances and
doing the best they can.” And we’re going to start to walk right up to the
threshold of what some people will, you know, reasonably construe, constitutes
mass negligence.

These are the most prestigious academic medical centers in the
country. They are collecting critical data at 90-plus percent rate efficiency.
And yet, their interventions on a timely basis as the result of having that
information available, they can’t even get to 40 percent in some of the
critical areas.

To add a further exclamation point, there’s the following from
Rich Lowry of the National Review, writing recently on dramatic
reductions in incidence of HIV/AIDS in newborns in New York state in an article
he titled “Civil Libertarians versus Public Health: A Dangerous
Impulse.”

I should note that I have edited some of Mr. Lowry’s partisan
invective but I believe I’ve remained true to his principal points. He says,
and I quote, “Do we as a society prefer sick or healthy babies? Do we want
babies to be infected with a potentially deadly virus or not? The answers seem
obvious.

“But in a decade-long debate, a host of groups, in effect,
came down on the wrong side.

“Fortunately in New York City, once the epicenter of the
epidemic of babies born with HIV, these privacy concerns, the privacy
obsessions, were rejected, and now the scourge of newborns infected with HIV
has been all but eliminated.”

Now, I must say, aside, I was the house staff officer at Mount
Sinai Hospital at the time that grid was first identified. I know what the
devastation was, not only professionally but personally. Many of my friends in
the entertainment community lost their lives; my wife’s agent died as a result
of HIV/AIDS.

So I’m not discounting or ignoring the impact or concerns of
that community in quoting Lowry on these issues. I just mean to make a point,
when protecting privacy sometimes has the unintended consequence of doing harm.

Lowry continues:

“According to The New York Times in 1990, there
were 321 newborns infected with HIV in New York City. In 2003, there were five.

“A decade ago, many pregnant mothers didn’t know they were
HIV positive.” Again, this is Lowry, from Lowry’s piece. “They
weren’t urged to get tested, and so they couldn’t take drugs that would make it
less likely their babies would be infected.

“Newborns were tested, but in blind tests, meaning the
mothers wouldn’t be informed of the results. The mother wouldn’t know their
treatment of her child or herself.” He further states:

“According to NJM, a study in the ‘90s, two-thirds of
children with pneumocystis carinii pneumonia weren’t getting treatment because
no one knew they had HIV.

“New York Assemblywoman Nettie Mayerson was appalled. When
she learned of the situation, she resolved to pass a law mandating that all
newborns be tested and their mothers informed. For this, Mayerson, a Democrat,
liberal, seemingly bought the enmity of many of her past supporters.
“Numerous activist groups as well as the ACLU,” quoting from Lowry,
“opposed her on privacy grounds and supposedly proposing to violate the
reproductive rights of women. Her District office was picketed. Opponents
argued that pregnant mothers just couldn’t handle testing.”

“Finally, just the opposite is happening,” Lowry
quotes Mayerson as saying. “After a three-year fight, her bill was passed
in 1996. It revolutionized public health in New York, according to
Assemblywoman Mayerson,” he says.

“The way they used to do counseling, they told women if
you get tested and test positive, you will lose your home and lose your job.
After the law passed, they told women, ‘Your baby is going to get tested
away, so if you get tested now, you can do something to keep your baby from
being born HIV positive.'”

I’ve chosen to lead my comments with these references as a way
to affirm what I believe I think we all agree needs to be the first order
purpose of a national health information infrastructure – that is, to
dynamically support the achievement of optimal health-related quality of life
and function for all — I know you’ve heard that from others – and to
eliminate the atrogenic or even unintended policy-related harm.

It is in the context of this first order purpose and related
purpose-driven design activities that privacy and confidentiality issues are
best addressed, and I know I’m telling you something that you all think about
all the time.

I want to acknowledge here the important and substantive work
of the (?) Child Initiative, its collaborative participants and in particular
my colleague and friend David Lansky.

But in reading through the collaborative response to the ONCHIT
RFI, I was struck by a note which red-flagged for me, at least, what I believe
is another first order principle for the NHII, one I don’t believe has been
widely addressed and does have implications for overall design and
functionality as well as privacy protection policy and technical specs.

Reading from Line 429 on page 10 of the collaborative response
having to do with the detailed design principles of the proposed health
information environment, Item 8: “Designed to respect” – that is
to say the health information environment is designed to respect “and
serve patients in addition to the health system and the public.”

They say the health information environment is “premised
on a model of patient authorization and control. Patients must be able to
choose whether or not to participate in sharing personally identifiable
information, exercise their rights under HIPAA, control who has access to their
records, whether in whole or in part, see who has access to their information,
review, contribute and amend their records without unreasonable fees. Receive
paper or electronic copies of their information and reliably and securely share
all or portions of their records among institutions. One patient consent has
been granted.

Once a patient consent has been granted for a certain type of
information access, however, information should be able to be accessed freely
in a trusted environment.”

Well, as agreeable and thoughtful a consensus statement as this is, it suffers
what seems to be, at least to me, flaws relevant to what I believe are
fundamental principles of NHII design and privacy policy. For me, these flaws
are exposed by the note that patients should be able to “review,
contribute and amend their records without unreasonable fees.”

It may not be obvious at all, but on reading and re-reading
this Item 8, it occurred to me that nowhere in the collaborative response had
there been a reference to the issue of ownership of health information and the
quote “without unreasonable fees” forced me to conclude that the
group was missing in action on the assertion of what I believe is a fundamental
principle. That is, whereas third parties might be individual health record
keepers and therefore have some proprietary rights in those records, the
information resident in all such records is owned by the individual.

This principle is, I believe, critically important because with
the rightful assignment ownership of personal health information to the
individual, we tacitly acknowledge that the information has tangible value,
which it most certainly does, and further, that users of that information,
whether it’s identified or de-identified, are doing so for the most part in the
context of a voluntary exchange of value or definable direct benefit to the
individual.

Put simply, every individual is owner of what is a form of
digital representation of self, should be in essence – and I put this in
quotes because the definition of paid is one of social benefit, personal
benefit and also possibly financial benefit – they should be paid,
individuals should be essentially paid for each use unless otherwise agreed,
and the expectation is that that payment or direct benefit should be as
immediate to the value exchanged.

I think in the questioning we can deal with the horror of this
in terms of the technical issues associated with the concept of ownership. I’m
talking about the high concept issue of who owns the information, how that
drives our decision-making and design.

This principle is important in the context of developing
privacy protections because it frames the relevant issues not from the
perspective of fear of inappropriate use but from the perspective of assessable
risk and definable, palpable and often immediate benefit to the individual. It
is, in fact, a more real reflection of the calculus individuals use. And this
was already said when, for instance, deciding to tell the airport bartender or
the spring break fling the most extraordinary personal details about
themselves, details that even the people closest to them do not know. That is,
what is the risk this guy or gal knows anybody that I know, and what do I
expect to gain by laying myself bare?

It also challenges us to find the means to close the loop on
information sharing as it is related to the exchange of value. That is to say,
the cheat from the diabetes care and academics center’s revelation. If the
hospital record shows sub-optimal achievement of therapeutal goals, who is the
right and recipient of that information?

If we start with the assumption that the hospital owns the
record, then we most certainly will face years and years of the same dismal
outcomes result, doubtless continuing to show that even when the information is
acquired and available to the provider, it is not reliably and proactively used
to inform specific individual actions to improve outcomes, broadly written.

If alternatively we start from the assumption that the
individual both owns personal health information no matter where it resides and
has a right therefore to benefit from it as a part of the agreed exchange of
value when he’s subjected himself to the blood draw, paid for its analysis, and
allowed the hospital to hold the information in its records for its purposes,
including gaining further reimbursement or completing performance report cards
required for their certification or doing research, then this information
should be immediately transmitted to the patient, its owner, along with a
statement of the benchmark goals for people like him and suggestions for
therapeutic enhancement, self-care and follow-up.

To take this further, let’s carry this concept of personal
ownership of health information and the concept of value exchange or fair
compensation for its use to the realm of outcomes of health delivery for
epidemiologic research or whatever in which de-identified data is utilized.
Without the framework established by this principle, most would allow that once
permission is granted to use a de-identified data for research, there is no
further obligation on the part of the researcher or intermediary.

But is this right? The individual is contributing value by
giving access to his or her unique health information and there is no question
in my mind, regardless of the consents involved or otherwise, and this I
believe is true for clinical trials as well, disclaimers notwithstanding,
especially regarding parents giving permission for participation by their minor
children.

As the motivator behind such a contribution, particularly for
people with chronic illness in their families, is the expectation or hope for
direct personal benefit. In thinking then about privacy protection, the methods
of de-identification and related system design, if we adopt this concept of
individual ownership, we would need to be equally concerned with designing in
methods of automatic – even if arm’s length – (?) identification and
timely patient notification, so if the research result and findings that could
benefit the individual contributors of information, they would not have to wait
the five or 10 or 15 years for that new evidence to unreliably and
non-specifically make its way through the maze of publication, guideline
development, clinical adoption, and optimal utilization.

Rather, the information owner as a contributor of value to
these results would be notified immediately of the relevant findings and
informed who they might call for further information and counsel and action.
That is, the owner is provided their expected benefit from their contribution.
And I should say as a sideline, we’ve put ourselves in this position because we
have not been good stewards of the health information we have as professionals,
because our patients are not getting the best care in a reliable fashion across
the spectrum of people who can benefit.

You know, if we were better stewards and more capable of more
consistently doing the best we could in terms of making the benchmark outcomes
achievable for everyone – and I wouldn’t be as animated about this as I
am, but clearly we’re not great stewards of the information so at least we
should acknowledge that people own their own health information and should be
able to have some awareness of it if not the animated and activated use of it
for their benefit.

This concept of individual ownership can also inform our
approach to pursued protection and punishment of violators. As I’ve suggested,
an individual’s health information constitutes a form of digital representation
of self. And not only is it property; it is self.

I make this stretch, and I acknowledge it’s a stretch, to
emphasize the importance of crafting our judicial response to violations in a
way that reflects what should be societal revulsion on an order of magnitude
near our response to kidnapping.

Why? Because to fully benefit from an NHII, there really needs
to be public confidence and a fairly extensive and open exchange of sensitive
digital self information between trusted parties. Just like to fully benefit
from a free society, people need to feel fairly secure that if they venture
from their homes unprotected, they won’t be snatched off the streets.

Well, I’m going to go over the top again with this analogy as a
device to emphasize the sort of energy I think we must place behind our
pursuit, prosecution and punishment of violators, using a quote from former New
York Mayor Rudy Giuliani, and this is, again, this is high altitude, and he is
in the context of discussion of the difference between the United States’
success in limiting kidnapping and Mexico as the example of not. So the quote
from Mr. Giuliani:

“Kidnapping should be a much bigger problem in the United
States than it is in Mexico. We’re richer. There are more people to kidnap from
which you can get huge ransoms. Why is kidnapping a systemic problem in Mexico
City and Mexico but not a systemic problem in the United States? Because the
United States,” Mr. Giuliani suggests, “dealt with kidnapping very
early on.”

He said, “The United States decided with the horrible
Lindbergh kidnapping in 1932 that got so much attention that we would not
negotiate with kidnappers, we would not pay ransom, and we would make it a
horrible, horrific crime.”

And when a kidnapping takes place since then in the United
States, it’s a major national event. The police all join together, the FBI
joins with them, every resource is used to try and catch the kidnapper and to
end the kidnapping in as successful a way as possible. And then when the people
were caught, the people were punished in ways that horrified so the people
won’t do it in the future. So kidnapping has become in the United States a
very, very high risk crime even though there’d be a high reward.

Again, I’m using these analogies to emphasize, you know, the
point of the need if we’re going to create a regime that is focused on helping
people, we need this marketplace of information exchange. It needs to be
relatively free. There can’t be barriers at every door. But in order to feel
secure in that, the way in which we deal with violators has to be obvious to
the public and severe, at least in my view.

As I noted, I know this analogy may be over the top –

MR. ROTHSTEIN: Could you wrap this up, please, so we’re running
a little late?

DR. LEVINE: Yes, I will. I will.

MR. ROTHSTEIN: Thank you.

DR. LEVINE: And thank you. I’m sorry, Mr. Chairman. Let me just
finish with a little analogy because I appreciate your patience.

Let me, to further benefit this argument, take the risk and
share with you a personal health anecdote to explain my willingness to be so
assertive.

Last year I underwent what was to be routine elective walk-in
surgery at a famous New York City hospital. As is usually the case, my
pre-admission screening was set for the week before this, and I arrived at the
appointed time for administrative sign-in, labs and EKG. I was met by a lovely
admissions clerk clearly doing her very best to get me through the process
expeditiously.

And this was essentially the problem. She was gracious and
thoughtful, but she had her checklist to get through, and that was her focus.
And here’s what the checklist included:

She handed me the HIPAA book and had me confirm by my signature
that I’d received it and understood my HIPAA right – no discussion
offered. It was clear at least to me that her training had focused on getting
the necessary things done. She certainly didn’t know a lot about HIPAA.

She had me sign a profoundly general consent for whatever was
deemed necessary by unnamed providers and a waiver not for the surgery but
simply in advance of getting my blood drawn and an EKG done.

I protested, suggesting it was so absurd as a proposed informed
consent that it couldn’t possibly stand up to real ethical legal scrutiny. She
smiled and nodded and indicated she was just getting done what she had to get
done. And I could certainly cross things out or write things up in the margins
if I wanted.

She asked me to fill up the required New York State Advanced
Directive detailing who my medical power was and what I wanted to do in case of
this, that or whatever. You all know what these things say. They’re not the
sort of things that an otherwise healthy a person going in for elective surgery
would expect to be confronted by, especially in the context of not having an
opportunity to talk to a health professional about it, or their family.

She asked me to sign a general permission then for the hospital
and all their minions and relationships to use whatever information gathered
about me for whatever purpose they needed to use it for – to prepare for
insurance reimbursement, whatever. Again, since I objected, I was allowed to
write whatever I wanted on the paper before signing.

As I said, it’s all done in an amiable fashion, thoughtful
clerk, knew little if anything about health law, medical procedure, what HIPAA
rights were, and certainly was in no position to gain informed consent for
anything, or even to get a real acknowledgment of patient’s awareness of their
rights. You know, what she did was to complete a pre-admission checklist.

So I know this makes a point, but let me give you a capper.
Unfortunately, my immediate surgical recovery was complicated by the need for
emergency re-op due to uncontrolled and significant bleeding.

On the first day post-op, I got a call from my mother – I
live in Manhattan; she works on Long Island, she’s a mental health
professional. She told me that she had an interesting call from a colleague of
hers who was inquiring as to how I was doing. Well, my mom didn’t tell anyone
that I was in the hospital, so she asked her colleague, why was she asking?

Well, it seems that the daughter of a patient of one of this
colleague of my mother had been scheduled for surgery in the same hospital on
the same day as me, but she had to be bumped from the schedule because Dr.
Robert Levine, Mary Tyler Moore’s husband, had had a problem requiring
emergency re-operation. So much – you know what I – I could stop
there. The summation is just that, you know, I believe that our interests are
best served by the value of personal health information and the value is best
cured by a system that’s designed and executed based on the acceptance of an
agreed upon overarching first order purpose for the system that is to
dynamically support the achievement of optimal health-related quality of life
and function for all and to eliminate harm.

The acknowledgment that individuals are the owners of their
health information and the reasonableness of the expectation that the
individual should be, to the fullest and most immediate extent possible, the
direct beneficiaries, of its collection and every use and recognition that in
order to create a safe and trusted space in which all health stakeholders can
confidently share sensitive information. Abusers of trust must be actively
pursued and harshly – and further, the technical means to assist in
evidence-gathering and prosecution must be designed into this.

Thank you.

MR. ROTHSTEIN: Thank you very much for that, as you said,
animated testimony, and I’m sure we will have perhaps not as animated questions
for you, but questions nonetheless.

Agenda Item: Presentation – Linda
Rosenberg

And our third witness on this panel is Linda Rosenberg.

MS. ROSENBERG: Hi. Good morning. I’m very pleased to be here.
I represent a segment of health care that is often under-involved in dialogues
such as this one, and so it really is a great privilege to be here and to
listen to such animated discussion.

In fact, Dr. Levine very eloquently pointed out something that
is truly at the heart of the privacy issue in mental health, which is, you
know, the discrimination against people with mental illness that continues to
this day versus the importance of really an automated system in which we can
raise the clinical floor, and we have a great, great divide in mental health
between what we know is effective and what people get every day.

I really represent a trade association. The National Council
for Community Behavioral Health is probably the nation’s oldest trade
association representing community-based providers of mental health and
substance abuse services, many of whom also work with people with a
developmental disability.

Our members include community mental health centers, hospitals,
state associations of providers and local behavioral health authorities. Each
year, our members serve – I forgot to use my slides; that’s not good
– each year, our members serve more than four and a half million people
and employ more than a quarter of a million staff. And they serve people in a
range of settings – schools, jails, clinics; our members are in every
state across this country – rural areas, urban areas, and suburban areas.
They provide clinical treatment and rehabilitation and housing services.

In 2003, the President had something called the New Freedom
Commission and its report was issued in 2004, and it was really an examination
of the mental health system in this country. And there were six goals that came
out of that report, and the sixth goal really was around really the use of
technology to access mental health care and information.

And there were two recommendations included in that goal –
use of health care technology and tele-health to improve access and
coordination of mental health care, especially for Americans in remote areas or
in underserved populations, and the second recommendation was develop and
implement integrated health record and personal information systems. And I’d
like to take a few minutes today to address the importance and challenges of a
national health information system for the field of mental health.

Specifically, I want to cover three topics – why an
electronic health record is important for the field, the obstacles we have been
facing, and what assistance is needed to leverage a national health information
system to first and foremost improve the quality of mental health care and
protect patients’ safety, privacy and confidentiality.

The Federal Center for Mental Health Services estimates that in
any given year, 21.4 percent of adults experience a mental health disorder and
five to seven percent of the population suffers from a serious mental illness.
Twenty percent of young people in a given year experience a diagnosable
disorder, with five to nine percent of children and adolescents having a
serious emotional disorder.

A substantial portion of individuals with serious mental
illness or serious emotional disturbance who seek treatment are served by the
public mental health system. They’re served in the public mental health system
either because they’re uninsured, they have Medicaid or Medicare, or their
private insurance has a limited health benefit. I don’t have to tell all of you
that till today, we still don’t have parity between the treatment of mental
health issues and physical health. And so in many ways, the public dollar, and
often the Medicaid dollar, is underwriting really the work of private health
insurers.

The care of these individuals generally follows two basic
patterns that impact electronic health records.

Individuals with a low to moderate mental health complexity
often require one or more brief episodes of care during the course of their
illness, generally provided by a single provider in a clinic.

Individuals with chronic and persistent disorders often require
long-term care that includes multiple levels of care, the involvement of teams
of clinicians, and may include one or more episodes of a psychiatric crisis
with the involvement of police, emergency rooms and/or psychiatric crisis
workers.

In mental health, the basic clinical experience for both groups
often includes an initial screening by phone or in person, followed up by a
face-to-face assessment resulting in a written care plan that guides which
services are provided by whom in what setting.

In the majority of mental health provider organizations, those
clinical activities are supported by paper and pencil. This results in several
problems that have a substantial, cumulative, economic impact.

One of our National Council consultants completed a study at a
community mental health center in California, and I want to share with you some
of the results of that study. He did it to really determine the cost savings
and additional revenue that could be generated by the implementation of an
electronic health record to support the basic mental health clinical flow.

And what the study found – and you can see on this chart
– is that 3,000 to 10,000 hours of care were going undocumented, with an
annual value of between $360,000 and $1 million to that agency. Twenty-five
thousand to 42,000 of clinician time were lost due to inefficiencies in the
manual paperwork completion process with an annual value of between $2.2 and
$3.7 million.

Thirteen thousand to 20,000 hours of support staff time was
spent on unnecessary medical records work, with an annual value of between
$500,000 and $700,000.

With an annual budget of $26 million, the identified
inefficiencies are between $3 million and $5.5 million represent 12 to 21
percent of that organization’s resources.

The public mental health system, the community-based system, is
an under-funded system, by all accounts. Losses such as this really mean that
there are people who go unserved.

Communities with well-organized mental health crisis systems
have many front doors. In fact, it’s been the gold standard of a community that
no door is the wrong door. And persons who experience a mental health crisis
include, and often come to the attention of our crisis call center, mobile
crisis teams, urgent walk-in clinics, and staff stationed in hospital emergency
rooms.

In most cases when a crisis worker has a contact with a person
experiencing a mental health crisis, even clients that have been in service for
many years, little or no clinical information is available. And if the crisis
worker doesn’t have a personal history with the client, the worker flies blind.
Far too often, the result is costly and unnecessary hospital admission, less
than ideal handling of the crisis, and lost ground in the recovery of the
individual.

In a small number of communities, this is starting to change.
Providers in these communities are implementing electronic health records with
crisis management components. And some of the emerging best practices include
the development of online crisis plans with at risk clients before a crisis
occurs, computerization of key portions of the clinical record including
medication histories, information of prior episodes, information about
allergies, client releases of information, because just as Dr. Levine very
eloquently pointed out, very often the price becomes a barrier to effective
treatment and involvement with family, and with someone with a serious
psychiatric disorder, their family is their support network.

And all too often, families have come to me in the position I’m
in now, in the position I held prior to this, to complain that they had no
information about their loved one when truly they were the only resource that
loved one had.

Electronic crisis episode tracking systems are being put in
place and laptop computers for crisis workers with encrypted cellular modem
cards that allow secure access to the relevant clinical records, crisis plans
and crisis management software are occurring in some communities.

The difference in outcomes for individuals in crisis who live
in communities with these technologies have not yet been studied, but the
organizations using these systems are experiencing dramatic changes in their
ability to know substantially more about a person’s clinical history, the
medications they’re taking and whether the person is currently in care.

The President’s New Freedom Commission noted in a transformed
mental health system, consistent use of evidence-based, state-of-the-art
medications, and psychotherapies will be standard practice throughout the
mental health system.

One of the things we are learning as we try to narrow that gap
between what is known through research, multiple research trials, and what is
practice, is that there is not only that gap, but there is literally a lack of
information and skill in the workforce. We really have a de-skilled workforce
with psychiatric technicians, social workers right out of social work school
providing care to the most ill, the most seriously psychiatrically ill adults
and children.

In the process, one of the things we found in states as diverse
as New York, South Carolina and Oregon is that the presence of an electronic
health record positively impacts the ability to provide evidence-based care.
There are three major reasons for this.

A number of electronic health record products allow for the
entry of online assessment instruments that can take advantage of branching
logic as the clinician and the client proceed through the assessment. If
configured properly, this increases the likelihood that a proper diagnosis will
be made and functional impairment identified, the first step in matching
treatment to the needs of the client.

I cannot tell you how many times I have sat in treatment
planning meetings where the same treatment has been applied year after year to
someone when the original clinical formulation was wrong. It is the hope and
really the prayer that the automated medical health information record will
help correct some of these ongoing problems.

Many of the software packages also have the ability to add
treatment plan libraries right into the software. A clinician can immediately
connect to the treatment that has evidence for the diagnosis.

Also, it is very difficult to practice evidence-based care with
paper and pencil because in effect you’re a data-free environment. You have
absolutely no tracking of outcomes either on the individual’s level, an
individual recipient’s levels, on a program level or on a population level.

And all too often, mental health services really are anecdotal
and data-free, and that has very little likelihood of changing until we have an
automated system with built-in scales where we can really get that information.
Hunches are sometimes right, but they’re sometimes wrong.

Another obstacle to implementing the electronic record is
really vendor mismatch. In 2003, 27 California counties developed a coalition
to complete a search for software vendors to provide software. Over 140 vendors
were contacted.

When it came time for requests for information to go out, they
got 45 responses, a 33 percent response rate. Only 15 of those 45 submitted a
proposal, and that was about 10 percent of those who had been contacted. Of the
15, only three were on the health care informatics list of the top 100 health
care information technology companies and 10 were very small companies with
less than 100 employees. And all but two were niche behavioral health software
vendors.

These statistics, and the lack of interest in the software
community, really hinder our ability to use and to benefit from technology.

In the early 1980s, the community-based mental health system
was devolved from Federal oversight to state oversight, differently than
community health centers. As a result of that, we have 50 state and 50 sets of
rules. We had hoped that HIPAA really would help the standardization, but 16
months later, that is not the case. There are still states demanding very
unique codes for treatment, diagnosis, assessment.

Mental health vendors who are contracted by mental health
provider agencies have enormous difficulties around this variation. One example
of this is in Oregon where a vendor started out in Oregon and is now in eight
states and has over 7,000 data elements in their database.

So it’s not an accident that major information technology
vendors have shied away from working in mental health.

Throughout the history, there is dramatic difference between
the availability of in-house information technology resources in hospitals and
general medical clinics versus mental health centers. And there was a study in
2001 which really compared the banking and financial industries and what they
spent versus what health care spent and at that time, banking and financial
industries spent an average of 6.9 percent of revenues on IT in 2000, 6.5 in
2001, compared to 4.8 percent in 2000 and 4.2 percent in 2001 for health care.

As an under-funded subset of that, the statistics for mental
health care are really very, very dramatic, as you can well imagine.

The other issue for us is the difficult transition in going
from a pencil and paper system to an electronic system. Because of the
complexity of the mental health environment and the volume of forms, a
phased-in approach is an absolute must, and this means by definition two
systems, and this significantly increased the cost and complexity of
implementation and support.

Let me get to privacy concerns.

One of the things President Bush said was that Americans must
understand and send this message: Mental disability is not a scandal; it is an
illness. And like physical illness, it is treatable, especially when the
treatment comes early.

Unfortunately, this is not yet the case. There is still
enormous discrimination against people who have psychiatric disorders, both
adults and children.

And so as we proceed, it becomes an even more complex issue in
terms of safeguarding people’s privacy. But for those of you – and I’m
sure many of you know this, just as I do who have worked in hospital and clinic
settings – paper medical records are everywhere.

There is no guarantee of privacy right now in a paper medical
record. In fact, there is probably more built-in safeguards in an electronic
health record than in a paper health record.

And so, again, you know, as Dr. Levine very eloquently pointed
out, there is this balance, but we mustn’t go too far in the balance and not
get the benefits of what I think, and we all believe, electronic health records
will bring us.

What assistance to we need as a special, really, and often
under-attended to community?

First of all, the work begins at home, and I have to say that
our own organization has been quite negligent. And we need to step up to the
plate. So we need to work with our thousands of providers across the country to
insure that we are at the table, just as we are today, and also that we stay on
the radar screen of the major players in the health care information technology
industry.

And if we don’t step up our involvement, the specific needs of
the mental health system will be missed.

Number two, we also need to work closely with our member
organizations to develop an electronic health record strategic plan. And we
have just started, really, to talk about that – bringing people together
to say, this is what we’re going to own and we’re going to do.

Fourth, we ask that specific Federal funding and technical
assistance be earmarked to support the efforts in mental health. A portion of
the funding already in the pipeline for demonstration projects and loans should
be made readily available to the behavioral health care system so we don’t fall
further behind.

And last, states as major mental health purchases, must place
an increased value on information, electronic information, and reflect this
commitment in their financing mechanisms and technical assistance structures.

California last November passed what may be the most sweeping
mental health financing reform in the nation, Proposition 63. One percent of
the income of everyone earning over $1 million. It will be dedicated to mental
health services for adults and children.

And what they said in that Proposition, very smartly, is that
they earmarked a portion of it for infrastructure development, including
technology.

The efforts must be coordinated and organized so they are in
sync with all of your efforts right here in this building because we very much
want to help President Bush in his New Freedom Commission really make a reality
of transforming the mental health care in America.

And I thank you very much for this opportunity.

Questions, Answers and Comments

MR. ROTHSTEIN: Thank you very much. And we now have an
opportunity to engage our three panel members with questions. I’ll recognize my
colleagues in turn. Okay. Steve?

MR. STEINDEL: Oh, I get to go first. Well, thank you.

MR. ROTHSTEIN: That’s because I’ve got three dozen questions of
my own and if you don’t get it in now – [laughs].

MR. STEINDEL: That’s what I was wondering, Mark. You usually
lead off and I was going to sit back and wait. Thank you.

This is somewhat in the area of comments and questions for all
three panelists, and it revolves somewhat around the same thoughts. Dr.
Lichtenfeld, in your talk, you gave a very good example of what we’ve observed
many times in this Committee, and I’m going to put this in terms of CDC’s
interest, which is where we get to diabetes in another area.

Dr. Gerberding is reorganizing CDC to be much more effective in
the area of prevention, and we find that we’re going to have to start doing
more and more in the area of prevention. Prevention is before the fact. Cancer
is after the fact. And we have found that people are very willing to share
information after the fact.

And what we have found is they’re not very willing to share
information before the fact, and this also has influence on diabetes and
evidence-based care, et cetera, because we get all this information, we’re
doing all this evidence-based care on diabetes, we know what tests we should
do, what to advise the patients, et cetera.

But in the area of diabetes, in the area of prevention of
cancer before the fact, and as we’ve pointed out, sometimes in the area of
mental health, the environment can offer many stimulants in that area.

How do we influence life style behavior in the area of –
where we’re dealing with, as Mark was talking about earlier, from groups that
really want to protect the privacy of their life styles’ behavior? We heard Dr.
Levine talk very eloquently about what happened in New York City to prevent HIV
transmission, which is a life style behavior.

Do you have any advice from the three panelists on how we can
effect that change? That’s the major change that we have to effect.

DR. LICHTENFELD: Every time I thought I knew what the question
was that you were going to ask, you asked a different question, so –

[Laughter.]

DR. LICHTENFELD: — that’s why I’m a little hesitant here. And
they’re all obviously part and parcel of the same issue.

I would just like to add, for the benefit of the Committee, I
also serve as the manager, the director, whatever, of our cancer control
science department which sets our guidelines which many of you are familiar
with in a variety of areas.

And also I’d like to emphasize that we have now formed a
partnership with the American Diabetes Association and the American Heart
Association coming together and the major message and the major mission is
exactly that prevention and trying to get that message.

Not only that, and alluding to the comments from my colleague
to my left, trying to figure out what exactly the elements of prevention are
that we need to be emphasizing, which we really don’t know.

So that’s really complex, and if you’d like to come back
another day, we can have a discussion. From our point of view, we do a lousy
job of prevention in this country, we really do, you know, the life style
change issues and then actually implementing them, but we do a lousy job on
many, many levels.

We do a lousy job on the public health level by sending out the
message and we do a lousy job on what I call – I shouldn’t say
“lousy” so much, but it’s true – on the transactional level,
that is, when a health care professional actually has somebody sitting in front
of them and you’re saying A, B, C, D, E, this is what you should be doing.

We also know by the same token that if a physician or another
health care professional who’s in primary care did everything they were
supposed to do every day, it would take them literally – the study was
about 7.4 hours a day out of their day and their professional practice to
counsel their patients about prevention.

So we have got to find different systems. And that probably
goes far beyond the concern of this Committee, but very briefly, we need
systems that send the message. We need that consistent message at a very public
level. The Legacy Foundation ads were very effective as long as the money was
there – that’s the smoking cessation ads – but the money’s
disappeared. Actually, there was an article in The Wall Street Journal
just the other day to that point. We were hearing that a year and a half ago.
They really had an impact and don’t work.

And we need systems. We recognize that we need systems in
practitioners’ and providers’ offices that remind them of what has to be done,
and we need to make information available to patients.

Now, you know, sitting here in this room talking about health
infrastructures networks and privacy and information, how do we get our
colorectal cancer screening rate from 40 percent up to the 80 percent where it
should be? How do we make sure that women who need mammography get it every
year on schedule, which is a critically important part?

Other countries — and we had this conversation before we
started today – other countries have solved that problem. We do believe
it’s part and parcel of the electronic health record and probably at some level
part of a national health infrastructure process as well.

So it’s not just a “this is the answer or that’s the
answer or do this or do that.” It’s a combination. It’s a combination at
the public level, it’s a combination at the personal level, a combination at
the practitioner level to make that happen.

And we need to have systems in the broadest sense of the word
at all levels that are going to make it work.

Now, the privacy thing – I mean, you know, we think that
people do want to know about prevention, that when people are asked what makes
them get, in this situation, colorectal cancer screening, the answer invariably
is “my doctor told me to do it.” That was the answer.

But, you know, if the doctor doesn’t remember, or the health
care professional or somebody in that office – it doesn’t have to be a
doctor, for gosh sakes – doesn’t remember to do it, it doesn’t get done.

Now, I looked at that and said, well, that’s the record of the
doctor’s office. How far do we expand that beyond? It’s something that, you
know, we’re going to have to figure out.

But we have to start someplace. We’re not doing the job we
should be doing.

I don’t know if that’s responsive to your question but –

MR. STEINDEL: Right. Thank you. Really, as you pointed out,
there’s not a good response to that question and —

DR. LICHTENFELD: Hope it’s not my fault.

MR. STEINDEL: No.

[Laughter.]

MR. STEINDEL: And, you know, I wanted to raise the issue
because it does have privacy implications about the type of information we
collect. We can just look in the newspapers today about just gathering
information on obesity in school children and the opposition to that.

MS. ROSENBERG: We have right now a raging debate in the public
policy sector of mental health around early screening of children. One of the
recommendations is screening the school-age children for emotional disorders
and there is literally a campaign against that happening, strangely enough with
Scientology often at the heart of it, very powerful, very well financed.

And so these are not simple issues because they’re also
politicized issues. It’s very difficult.

MR. ROTHSTEIN: Okay. Mr. Reynolds?

MR. REYNOLDS: Yes. Thanks to all of you for your testimony.

DR. LEVINE: That’s all right – I can answer it but it’s

MR. REYNOLDS: Oh, I’m sorry.

DR. LEVINE: No, no –

MR. ROTHSTEIN: You can work in your answer to the next
question.

DR. LEVINE: Yes.

[Laughter.]

MR. REYNOLDS: Dr. Lichtenfeld, when you were talking about your
website, you mentioned there were no serious breaches.

DR. LICHTENFELD: Yes, that’s right.

MR. REYNOLDS: That would –

DR. LICHTENFELD: Well, interesting phrase there.

[Laughter.]

DR. LICHTENFELD: We’re in Washington, so –

MR. REYNOLDS: People pick their words carefully!

DR. LICHTENFELD: I mean, the answer to that is people –
that’s why I referred to about information freedom has its consequences. People
will put their name or their telephone number or something in a chat room or a
question and the QA stuff is publicly visible. And there have been some people
who have been called. Or they may say, within a protected environment of the
community, behind the password protection, there are people who have been,
shall we say, bothered by others who they didn’t want to be bothered by, having
exchanged some more personal information.

The key point is within that community, the password protected,
people give out a tremendous amount of personal information willingly. For the
information they give out, the number of problems that arise are limited, and
matter of fact, what we have seen is the development of true community –
that is, I mean, security issues, policing issues, whatever, and the community
comes to respond.

The number of people who call and say, you know, so-and-so
called me and said, you know, I didn’t want them to bother me, and we had to
take an action are really very few, as I said, on a practical basis.

MR. REYNOLDS: A question for all three of you. We’ve heard
significant testimony yesterday about the trust and about the HIPAA privacy
rule as it stands now, and each of you somewhat mentioned people cooperate with
who they trust and Dr. Levine, you mentioned misuse of PHI should be considered
a type of a more serious –

DR. LEVINE: Hangable.

[Laughter.]

MR. REYNOLDS: Yes, that’s right; I didn’t write down exactly
what you called it.

[Laughter.]

MR. REYNOLDS: But your point was that it should be ratcheted up
as a CH consideration. So we’ve heard discussion about the privacy rule as it’s
out there now, we’ve heard discussion about covered entities and other things.
I’d love to hear just a brief comment from each of you on just how you would
see this focus on privacy, some attempt to try to do that in a reasonable way.

DR. LEVINE: It’s very difficult because my sense is that the
more we take kind of a regulatory approach, a prescriptive approach, as opposed
to a professional approach, the worse things get because the only response can
be this sort of bureaucratization of the compliance checklist so that you get
to a point, which is what I experienced not just in my own admission but also
every time I’ve interacted now with family members with hospitals or with
doctors or otherwise, it’s always the same routine.

Here’s the book, you understand your rights, sign here, we need
to use the information; otherwise you’re not getting the care that you need.
There’s little understanding at that moment on either the asker’s side or the
signer’s side what really they’re doing or what they’re signing or why.

And yet, from the regulatory side, if someone, you know, JCAHO
comes in or whoever comes in and sees all the checklists done and all the
signatures on, then there’s been compliance.

It perverts everything. My – you know, bless her, my
wife’s aunt, who was her second mother, just died yesterday. When she was ill
in the hospital, her doctor would not talk to me. This lady, now passed, was my
wife’s only living close relative, was her durable power of medical attorney,
and the clinician taking care of her wouldn’t talk to me. And Mary wanted me to
talk because I’m a clinician, I would understand what was going on with this
lady who was having multiple strokes.

So right now, I don’t think people understand HIPAA, and I
don’t think they know how to comply. So I think they’re kind of like that old
Skinner experiment of random reinforcement of the chicken with his arm
underneath his wing and there’s one leg up.

And we have to get back to the ethos, the culture of trust,
between providers and patients and build a system that supports that trust
rather than creates an adversarial relationship between providers and
everybody.

DR. LICHTENFELD: Once again, a difficult question. I have
colleagues primarily on the research end that wanted my entire talk to say
“take away the regulations, make the data open, and let us have access to
it. Yes, we recognize e-privacy but we want that information.” So I’ve
delivered the message and done my job and I can go home with a clear
conscience. They felt very, very strongly about that, in all sincerity. We’re
sort of kidding around here a little bit, but that’s what they felt.

Having talked to everybody that I’ve talked to to try to
prepare for this, I tried to emphasize in the talk when we get here, we have a
monumental task that you don’t hear a lot of people addressing. You alluded to
it very nicely. That is, we have many, many different layers of requirements to
cross before we even get to the question of what data we’re going to collect.
We have inside – I mentioned institutional, and I mean institutional,
institutions that change from day to day because perhaps they’ve
over-interpreted a rule that it was well-intentioned. We have obviously state,
we have some perhaps local, we have Federal requirements.

The plea would be to make it – and this is the
impossibility and I know, and I’m here in Washington and I know some of the
people in this room – make it clear, make it uniform, make it
understandable, and let us be able to open up this information to access with
the appropriate protections.

But I think it’s that clarity. If we don’t get past the
state-by-state issue, and – I don’t know; I don’t want to get in the
political mix here and I’m speaking individually – if we don’t figure out
a way so that we can make this work across the board, and I would include
Federal health care institutions, they’ve not been mentioned here.

I will tell you that one of my collaborators in this talk
pointed out that the toughest place for them to work with to get information
were in the Federal organizations that provide health care, those when they had
to get into, and I don’t want to mention – I’ll tell you afterwards –
when they had to get in there to get the information for their various
databases, that’s been the toughest negotiation they had. We need it uniform,
simple, clear, understandable, and we need to know something that people can
apply reasonably and be able to talk to Dr. Levine.

You know, it’s like that situation where the man – you
know, we all read it, I guess – the man jumped out of the window because
nobody was allowed to say by HIPAA that he was a seriously ill gentleman. You
know, that’s the kind of thing that just common sense suggests that we need to
deal with, we figure how to deal with it. How we structure that, I leave that
to others. It’s beyond me. I mean, that’s going to be a tough proposition.

DR. LEVINE: I would only add – I’m sorry – the health
professionals, any professionals, react to the circumstances they’re confronted
with.

So in the case of my personal information being revealed, it
was a clerk in the recovery room where the anesthesia was where they schedule a
nurse, you know, who had a mother who was concerned about her daughter running
after her saying, why have you cancelled my surgery? At that instant, that
individual decided that her day would be made easier. The threat of $250,000
fines, five to 10 years in prison, whatever, was not real. What was real was
that mother yelling at her. So she said, I have a piece of information that’s
going to get me out of this because I’m going to use a celebrity name and I’m
going to tell her why – it’s not my fault. It’s his fault that your
daughter was bumped.

So, I mean, that is what happens, that is what’s always going
to happen because of this –

MR. ROTHSTEIN: Let me make an observation and then proceed to a
few of the questions I had intended to ask.

It’s interesting that this part of our two-day hearing was
earmarked to hear from disease and health advocacy groups on the issue of
privacy. We’re going to be hearing later on today from consumer advocacy groups
and so forth.

I think in the public view and in many places the misconception
is that sort of the big picture of privacy pits the patients against the
providers and the researchers and the public health people and so forth where
the patients are digging their heels in and don’t want to share any information
with these other groups. And so it’s the public interest against the private
interest of the individuals.

When taken as a whole, your testimony reinforces the notion
that the patients have a very strong interest in research and a very strong
interest in public health, and to say that patients are on one side of the
equation would be, I think, misleading.

And so it’s not that we don’t have to balance the interest of
the patient, of privacy, of patient information against research and clinical
care and so forth. It’s just that patients are on both sides of this balance.

I want to ask Ms. Rosenberg a question and it’s something that
you didn’t address specifically but it was raised sort of implicitly by your
call for more e-health use in the mental health setting. And that is whether
you’re concerned that individuals will refuse care if their records are not
confidential. That is, mental health care.

One of the other task forces that I serve on is to deal with
the largely under appreciated – I don’t want to say epidemic, but
substantial rate of physician suicide in the United States because they are
afraid that if they seek professional care, their license will be pulled and so
on and so forth. We see this with medical students, we see this with law
students who don’t get care because they think that they won’t be able to get
licensed. And that is in a largely paper-based system where it’s reported to
the licensing board and not as easily retrievable. So, what are your thoughts
on that issue?

MS. ROSENBERG: As you said, I think it is really unconnected to
the electronic issue. I think it is the issue of discrimination against people
with mental illness.

And I think you’re absolutely right. I know people who have
literally paid out of pocket rather than had bills go to their insurance
company which required a psychiatric diagnosis, people who were able to do that
financially.

You know, I think we’ve come a long way. I think it is far more
acceptable to talk today about depression, taking, you know, medication for
depression, even electro-shock for people, you know, in middle age, my age, who
were depressed.

But we have a very long way to go, and it is of course a great
tragedy and you are right. The dangers, I think, appear more inherent because
of electronic retrievability and it never goes away even when you want it to go
away, but I think the overriding anxiety about having a mental illness –
and I think part of it, too, is our limited technology in effective treatment
that also adds to people’s fear about being stigmatized. You almost don’t want
to deal with it yourself, much less have other people know about it.

I think that is the primary issue, and I don’t know that people
are really focused on it’s going to be worse now that, you know, we’re going to
have an electronic health record. I’ve never heard that expressed.

MR. ROTHSTEIN: See, I think in the long run – I don’t know
what the long run is – we won’t treat mental illness differently from
physical illness –

MS. ROSENBERG: That’s right.

MR. ROTHSTEIN: — and we won’t have this irrational
discrimination –

MS. ROSENBERG: Right.

MR. ROTHSTEIN: — and so forth, but I’m concerned that in the
short run, if we’re not somehow vigilant about some other things I’m going to
raise later, things might get worse in terms of people foregoing treatment when
it would be beneficial, and I think that’s something that maybe the Committee
needs to deal with.

I have a question for Dr. Levine. Your suggestion about patient
ownership of the health record is very intriguing. I want to sort of flesh this
out a little bit.

I think there’s another way that we can get to where you want
to go without using the ownership route. Calling it “ownership
interest” I think is problematic. For example, Oregon in 1999 enacted a
law that said that individuals had an ownership interest in their DNA and it
basically caused the biotech industry and the pharmaceutical research industry
in Oregon to grind to a

halt because they couldn’t re-contact all the people who had
submitted samples because some of them were dead and some were anonymous and
they couldn’t use it and they had to repeal the law.

So here’s what I’m thinking, and this is a long question. What
you’re suggesting is very interesting. It seems to me to be a clinical
application of a rule that we already have in research where IRBs don’t approve
research unless the issue of re-contact is considered, and if there’s research
where there would be clinical utility to re-contact the subjects, the subjects
have to be given an option as to whether they want to be re-contacted and so
forth.

But now, it seems to me that in the clinical setting, the duty
to re-contact is not because something was done on the basis of their record
but it’s that we actually can do something that we’ve learned and using some
sort of information technology, we recognize that you will benefit from this
that exists. So it’s not my record that you’re borrowing my property; it’s the
fact that we’re in a professional relationship. Now you know something that
will help me that should be the sort of the ethical imperative to do that.

DR. LEVINE: Yes, I mean, I think that’s basically the point I
was making, although I will clarify for you.

I said the patient owns the information no matter in what
record it exists and it is the keeper of those records that owns the record
itself. And I expressed it that way for exactly the purposes that you’ve now
outlined.

It’s a design construct that suggests treat the information as
if it were owned by the individual and then design the system in such a fashion
as you would design that would respect that ownership interest which provides
for what I’m loosely calling a right to be informed about that information no
matter who was holding it and its relevance to promoting that individual’s
health on a timely basis, which does extend the IRB notion to the clinical
circumstance.

And actually it suggests that where there are evidence-based
standards of practice that are not being adhered to, there’s some kind of a
fail-safe that at least notices the primary physician and the patient in much
the same way as the (?) program that FACCT developed does. It says, listen, you
know, you should know that. Here’s what the benchmark is for people like you,
here’s what’s happening, here’s what your results are that we’re aware of. You
know, you can choose to do something about it or not, but at least people are
aware.

MR. ROTHSTEIN: And the electronic health record could be much
more efficient in –

DR. LEVINE: Right.

MR. ROTHSTEIN: — those prompts. Dr. Lichtenfeld, you wanted to
comment?

DR. LICHTENFELD: Yes, thank you, Mr. Chairman. I just have to
enter into here with a comment that I suddenly became aware of during my
research. And when you were giving your testimony, I heard what you said and it
immediately sent bells off, and I’m not going to say pro or con, but I’d like
to put the concept out there of what we’re talking about here.

What we’re saying is, in the discussion with the national
cancer database, we are really trying to figure out a way – many of us
are, not only with NCDB but elsewhere throughout our process and systems –
how to improve quality of care.

At a very elemental level, NCDB wants to be able to collect the
information about what happens to a patient in a particular circumstance at a
particular time and be able to feed it back. Right now, they’re delayed by
years; I mean, it doesn’t happen.

Taking Dr. Levine’s concept, they would collect the data,
benchmark the data by hospital, benchmark the data by individual, and then
theoretically – again, I’m just putting it on the table – then they
would have to go back and tell that individual, you know, you’re in this
hospital and you didn’t get this treatment.

Now, I asked the NCDB folks who are in the process of doing
that in colorectal cancer trying to benchmark the institution at a macro level.
I said, I personally find it very hard to believe without the protection of
various laws, you know, in terms of doing quality improvement work within the
states – we have no Federal statute – but doing quality improvement,
I find it very hard to see that the institution would want to see that they’re
doing lousy, because that becomes discoverable.

And the response was – and this is the surprising thing;
it didn’t get into the testimony, and I think it needs to be made – the
surprising response to me was that every institution participating in this
program, that’s all of them, all 1,425, those that they have talked to, and
there are many they’d talked to, are thrilled and can’t wait to get the
information.

Now, either, with no protection, no protection whatsoever, take
it to the individual level, and again, I just want to put it on the table, take
it to the individual, I would raise the question: What would happen to true
quality improvement and benchmarking data if there was a requirement that
someone who’s entering the data would have to then have the responsibility to
notify an individual they didn’t comply?

The good news is we can do it. Some people might have a very
serious question. You know, I’m not the lawyer. That raises a very, very
interesting question, and I don’t think we have an answer, but I don’t want it
to go unnoticed.

MR. ROTHSTEIN: Thank you, Dr. Lichtenfeld. We’ll ask the
questions.

[Laughter.]

MR. ROTHSTEIN: Bob?

MR. HUNGATE: The subject is complex. I have been on the
purchaser side of this game for a long time and have believed in quality
improvement.

There’s a recent article in The New Yorker by Dr.
Gawande, the bell-shaped curve, which exposes some of the same content that
we’ve articulated so that it reinforces the growing discomfort on the part of
patients as to whether they are well served by the system.

The kind of evidence of variation in diabetes management I’ve
heard for years – you know, it’s not new news in an intellectual sense.
But the disappointing thing is there is no apparent response.

Now, I’m trying to get at what’s the cause for no response, and
I think it’s another piece of the privacy

issue which is the provider side of it which is tied to the
malpractice threat. At least that’s a conclusion that I’m kind of putting out
there and wondering if it isn’t a piece of this, and whether we don’t have to
deal with the issues of patient safety and medical error in some professional
protective way in order to get a better measure of result.

Now, I give an example. I’m head of the quality work group.
We’re trying to improve the measurement system. The purchasers have pushed hard
for lab values in order to get hemoglobin A1c measurement to be an accountable
measurement. Tremendous push-back from the provider community.

The basis of the push-back, as I understand it, is that we
cannot dictate patient behavior, that there are two people in this game.
There’s the one who says, here’s what we need to do, and then there’s the
patient who decides what they’re going to do, and I retain the right to do
that.

But someplace in here there’s the valid information that makes
me behave better, and I think you were getting at that, Dr. Levine. But I don’t
know what are the stumbling blocks in this structure that we have that stop us
from making the next step. I have the feeling it’s the threat of suit, and I
wonder what your reaction is.

MS. ROSENBERG: I just wanted to quickly say because there are
people far more knowledgeable than I am, in mental health it truly is not the
threat of suit. Suit is very rare in mental health, and I have sometimes myself
thought that some lawsuits might do some good, actually; they very often have
been very helpful in moving an entire state’s mental health system. The right
to treatment, you know, lawsuits have kept the system in Alabama, a decent
mental health system, for 30 years.

So, you know, I don’t think in mental health it is the fear of
suit. And I think there is a lot of effort in trying to narrow that gap. At
every level in the system, it is not necessarily from lack of trying. There is
always the initial, “well, we do do evidence-based practice.” Well,
of course, when you begin to ask, that is not what the case is. But once you
get over that, once you get over people arguing that the data was wrong — you
put it together wrong; that’s why I look bad – once you get beyond that,
people are struggling with this.

I think we have a complex health system in this country. We
cannot do what they did in Great Britain around mental health about four or
five years ago. They actually did a major reform with clear standards around
evidence-based practices in the treatment of psychiatric illness. But they have
a single payer system. They were able to drive that route in a very clear and
specific way.

We can drive nothing in a clear and specific way here. We have
very little line responsibility. We have lots of different layers, different
payers, different purchasers, and I think that does add – I’m sure it is
not the whole story – but I think it does add to the complexity of
improving our system.

DR. LEVINE: And I would just say it’s about episodes of care
versus continuity of care, and, you know, view of a very elemental level of
health care is really about action taken at the intersection of two information
flows. You have the expert and you have the personal.

So decisions about what actions to take are in the context of a
relationship, right, and that relationship is informed by an ever-growing
knowledge base that is contributed to by that particular interaction but also
on a growing knowledge base.

So outcomes depend on access to and immersion in those changing
information flows and the frequency of sampling and the quality of
interpretation and the quality of communication of dependent relationships.

So, you can get better outcomes with patients with diabetes,
certainly patients with Type 1 diabetes, based on kind of an immersive
relationship with the patient and their family and continuous observation
because health

decision making generally in chronic illness is not definitive,
it’s iterative. Well, iteration doesn’t work if it’s Q-six months or Q-year
with a family practitioner who’s a non-expert in a particular complex problem.
It just doesn’t work.

MR. ROTHSTEIN: Dr. Harding?

DR. HARDING: Just quickly – I was thinking about the same
thing Dr. Levine was talking about, that the failure to use data equaled –
maybe my word – negligence.

DR. LEVINE: Could be construed as equaling negligence.

DR. HARDING: Okay. And since it is a two-way street, that was
kind of where I was coming from and had some problems, and I don’t know if
there’s more to talk about on that.

DR. LICHTENFELD: I can make a brief comment. I have colleagues
of mine, many of whom are non-physician colleagues, who have said, well, the
way to solve the screening problem in this country is to go ahead and start
suing doctors who don’t do it. And that’s not the way it’s going to get solved.
It’s exactly the wrong thing. And we do have to develop an environment.

So I don’t think the threat of litigation should be the means
of improving the public health. I think we have to find better partnerships to
make that happen.

DR. LEVINE: Well, in fact, it’s part of the problem. I mean, I
grew up – maybe I’m old now; I graduated medical school in ’79 – when
doctors thought of themselves as collaborators, partners, you know, with the
patient, and the patients thought of their doctors as trusted agents of their
well-being. And that partnership, that collaboration was paramount, and the
system revolved around it.

And I’m not suggesting we go back to Marcus Welby. All I’m
suggesting is that we should look, from the standpoint of system planning, at
how do we bring doctors and patients closer together so they could reestablish
ties and make those collaborative decisions that are necessary and productive,
as opposed to finding ways to separate them by the right of suit or otherwise?
That doesn’t make any sense at all.

MR. ROTHSTEIN: Richard?

DR. HARDING: Ms. Rosenberg, a couple things that you said that
I had thoughts about. One was that you mentioned the decrease in the skill of
the workforce. I agree with you. I worry, though; were you implying that an
EMR, an electronic medical record, would replace some of that skill?

MS. ROSENBERG: I don’t think it would replace some of that
skill, but I think it would make apparent the

lack of skill, for starters, which now I think is quite hidden.
It is not a transparent system at all. It takes place behind closed doors.

I think there are even problems in terms of engagement of
people and keeping people in treatment because of the lack of engagement
skills. So that is a major issue.

But I do think for someone who is basically skilled, you know,
the electronic health record with built-in decision prompts and help is a
terrific boon.

DR. HARDING: The other issue that was raised yesterday, it was
the issue of in effect entering information into the electronic medical record.

I have a colleague at a VA – you didn’t want to mention
any Federal things, but he spends three and a half hours a day in front of his
computer and interviews patients like this, inputting. That’s the only way he
can do it. He’d be there till 10 o’clock every night putting data in.

Now that, in psychiatry, that’s a problem because you’re
sitting there looking at the computer while you’re asking somebody about
sensitive issues. I don’t know what to do with that, so to speak. The VA
electronic medical record is a wonderful thing as far as treatment in the long
term, but those kinds of issues are going to be very hard to resolve.

DR. LEVINE: I think Don Berwick’s group, the Institute for
Health Care Improvement, has looked at this issue and has talked a lot about
using abbreviated versions, kind of the 80 percent rule – you know, if you
get these six variables into these circumstances, you’re covering 60 or 70
percent of the landscape, and that’s huge. Don’t try to push to the nth degree,
you know, and there are fields to fill.

DR. HARDING: Yes, I know those, and there are fields, yes.

[Laughter.]

DR. LICHTENFELD: I just wanted to say a concept I’ve written
down here; you just touched right on it. Electronic health records are
enterprise efficient, not physician efficient, and maybe we have to figure out
a different way of doing it, but until we get there, we won’t get there. You
talk to docs who use the VA record, my colleagues, they love the VA record,
they love the fact – but they say, I can’t get to the core of what’s going
on with the patient, so we have to work on the physician piece in order to make
this work. That’s what we’re really looking for.

MR. ROTHSTEIN: Okay. Last question? Dr. Fitzmaurice.

DR. FITZMAURICE: Yes. Yesterday, we heard from Tom McLellan,
the Executive Director of the Treatment Research Institute, and his spot on the
line was that mental health and substance abuse data should be integrated into
the electronic health record. Why? Well, for patient safety reasons, for
patient care reasons, and for knowledge development, or for research.

Steve asked a prevention question – sure, he comes from
CDC –

[Laughter.]

DR. FITZMAURICE: I’ll ask a research question, and I come from
the Agency for Healthcare Research and Quality.

As I hear you talk, I think all of you want protected health
information to be well-protected, may be used only for the patient’s benefit.
But the blinders are open; someone say, can it be used when the benefits to
society exceed the cost to society, including the patient’s benefits? But the
patient is probably more paramount in that calculation because it’s the patient
who would suffer the embarrassment, the job discrimination, the insurance
discrimination.

So I think I heard certainly Linda Rosenberg and perhaps all of
you say there’s got to be greater use for the electronic health records for
behavioral health.

Does this translate – and I didn’t hear you say it –
to greater use of electronic health data for research to get more unbiased and
more scientific research about what work and what doesn’t seem to work in this
area?

I didn’t hear you say we should have uniform patient
identifiers probably because that there’s this great personal harm. But do you
believe that there should be greater use of electronic health record data for
research and do you think that current research protections of the privacy rule
are sufficient for research? Do they go too far, too little? I’ll leave it at
that.

I’m not looking for a long answer, just a sensitive – what
we should be concerned with.

DR. LEVINE: Yes, the short answer is I’ve written often about
the systematic assessment of everyday practices is a major contributor to the
development of what I call real time best practice. And that infers that every
interaction, every clinical interaction, should be part of a big clinical trial
in a sense, idealized sense, because what emerges from that is you aggregate
enough patient exposure and enough patients with various attributes and complex
chronic illnesses, you’ll start to have emerge from that compilation, as you
know, new hints as to how to identify problems earlier, how to detect trends
earlier and so forth. And in drug screening and drug post-marketing assessment
and so forth, the same thing goes.

But you need to have that big iron kind of an approach of
capture every bit of data you possibly can with the circumstances of clinical
engagement and try and, you know, have the basis of the kind of little
interrogating elements that can go in there and drag things out.

Yes, I support that, and are the protections adequate? I use
the value proposition, value exchange, notion because I think it’s, like
anything else, it’s a balance, and that’s why we all have said that patients
with chronic illness want to talk about their problem. They want to learn from
peers, they want to learn from their doctors, they want to learn from research,
because they see a real exchange of value there for them that’s immediate.

So I think the protections are as adequate as the value that
you’re putting back.

DR. LICHTENFELD: I think that unless we get to some sort of a
potable, standardized set of datasets, data formatting, that we’ll never get
the answers to the questions that we have to have, and that is, are our
treatments working? Are treatments working, and if they’re working, what are
the problems people are seeing five, 10, 15, 20 years out, because we don’t
know the answer to those questions.

Interestingly, NCDB has done a survey on the impact of HIPAA on
clinical research, and I’ve got to tell you that I have sat in rooms perhaps
with some of you here in this room, I have sat in conferences where physicians
have gone ballistic, researchers have gone ballistic about the impact of HIPAA.

And I’m afraid to say this publicly, but this is what the data
shows: Out of the several hundred institutions queried by NCDB that responded,
a decided minority felt that HIPAA had adversely impacted their ability to do
research. And yet the perception is that it has.

So we cannot undervalue the sentinel effect of HIPAA on the
research equation and it’s a very real thing. So, have there been violations?
You know, I don’t know. But it’s viewed as being onerous and that’s why it has
to be made reasonable and consistent and understandable. But we have to get
there if we’re going to have some really decent answers to some very important
questions.

MR. ROTHSTEIN: Thank you all for your testimony and your
thoughtful answers to our questions. I allowed this to run over because of the
importance of the issue and also because our Subcommittee discussion period
from 11 to 11:45, we’re not going to need all that time for our discussions.
But we will now take a 10-minute break and reconvene with the Subcommittee
discussion before lunch.

[Break from 11:12 A.M. to 11:29 A.M.]

Agenda Item: Subcommittee Discussion

MR. ROTHSTEIN: Are we all ready? We are back with our hearing
of the Subcommittee on Privacy and Confidentiality of the National Committee on
Vital and Health Statistics.

This period on Subcommittee discussion I would like to focus
on discussing hearing number three in our series, so after today, our next
hearing is scheduled March 30 and 31st in Chicago, and at that time
we’ll be hearing from provider individuals and groups, so that was the purpose
of going to Chicago, of course, so we can hear from the AMA, the AHA, the ANA
and so forth. And we’re going to be talking to them about their interests and
issues and concerns in the new national health information network.

And the third hearing, as I’ve envisioned it, we would be
moving to a more concrete level of discussion and hearing from plans that have
already adopted electronic health records, what their privacy concerns and
practices are, hearing from designers of electronic health records, getting a
sense of what’s realistic, what’s possible, in terms of how we might protect
privacy in future systems.

So the timing is that we’ve got our March 30th and
31st hearing, and now the question is when do you think it would be
appropriate to schedule the next round of hearings?

Let me just go over a couple of dates for you. Of course, next
week, March 3rd and 4th, we will be having the full
Committee meeting, and the next meeting of the NCVHS, the full Committee
meeting in June, is scheduled for the 29th and 30th. So
I’d like to have it sometime, our third hearing, probably in Washington, unless
someone can make a compelling case that we ought to go elsewhere, and before
the June meeting of the full Committee.

That doesn’t mean that we’re going to have a report for the
full Committee in June. It’s much more likely that it would be in the September
meeting of the Committee when we’ll have something to share. So does anyone
have any suggestions? We could do it, you know, sort of any time before, I
think probably would be better, but maybe not, before the last week in June.
Kathleen?

MS. FYFFE: Clarification question. This third round of
hearings, could you say again what we would like to focus on?

MR. ROTHSTEIN: Sure, and this is just a suggestion, and the
Subcommittee members may want to amend this. We will have had, by the end of
the second round of hearings, input from experts on privacy and bioethics,
which we heard yesterday; we will have heard from disease advocacy groups,
consumer advocacy groups. We will have heard in our second round of hearings
from providers and provider groups about their concerns.

And as I envisioned it, the third round of hearings would be
going from a more general level to a more specific level, so we would be
hearing from perhaps someone from the VA system, perhaps some people who were
familiar with the electronic health records systems in the U.K. or Sweden or
Iceland or some other country that has a lot of experience. We would hear from
experts in electronic health records system design who could answer questions
that we might have concerning the retrieval restrictions or exclusion criteria
or some of the other concepts that we talked about.

So that was the thinking on the third hearing, although I’m
certainly willing to entertain suggestions for a different kind of third
hearing or whether we’ve omitted something and maybe we need a fourth hearing
or a fifth hearing or any other suggestions. Bob?

MR. HUNGATE: I don’t know whether it’s a suggestion or a
question. The developers of electronic health records are hard at work as we
speak, you know, trying to tap a market that they see coming in front of them.

I’m wondering whether we can pose a set of questions for those
people that are drawn from the testimony we’ve got so far. You know, people
have made

suggestions about what ought to be in the content relating to
privacy. Call it a straw man, call it what you will. Is there a way to
composite those inputs into a “what if” statement of what the
structure of privacy might need to be to meet what has been asked?

MR. ROTHSTEIN: I think that’s a terrific suggestion, but maybe
what I would like to suggest is that we do that after the next round of
hearings once we hear the concerns of the providers and then perhaps at our
Subcommittee discussion time in Chicago begin the process of formulating those
questions and then if necessary circulate drafts of emails or even have a
conference call and then supply not necessarily things that every witness would
have to address but the kinds of things that are on our mind and maybe they
could sort of tailor their testimony to that.

MR. HUNGATE: The premise that I’m kind of working from is that
we’re going to be dealing with a chaotic situation and that the simpler
questions that we can get posed that would work at a patient level are what has
to then drive the information structure downstream. So, trying to respond to
our first speakers’ yesterday admonition to make it a simple set.

MR. ROTHSTEIN: Right.

MR. HUNGATE: I’m trying to think about could we come up with
that simple set at that time as a test?

MR. ROTHSTEIN: Yes. I think that needs discussion –

MR. HUNGATE: I’m sure it does.

MR. ROTHSTEIN: — whether we would want to go in that
direction, whether we think that that’s in fact our responsibility. We may
recommend that a simple set be developed with an admonition that we want to
have a simple set but it may be much more complicated and require much more
input and we may recommend something that Alan Westin suggested yesterday, that
there be some other body that is given the responsibility of coming up with
those sets, or something.

So I’m not sure we need to do that now, although I do like
your idea a great deal about trying to give as much guidance to the third round
of testifiers as possible so that we can really have them address things that
are on our mind.

The first two rounds, we want to hear what’s on their mind.
But maybe in the third round, we want the experts to help guide us and deal
with some of the things that we’ve distilled from the first two rounds. Harry?

MR. REYNOLDS: Yes. To play off Bob’s comment, even if we went
as basic as to say I think we’ve heard really that some of the testimony has
recommended that the medical record be segmented and that it’d be owned by the
patient in some way and some kind of consent go on, which I think – I
mean, I’ve been a developer; if you’re putting something together, those basic
premise, not actually how it would happen or what we would want it to look
like, but the basic premise, because having reviewed a number of medical
records recently, I believe most of them are designed to be owned by the
provider.

And they are systems that are delivered to the provider, not
necessarily where if a patient said I don’t want this to happen that they could
easily parse that out and do things.

And so I think – you know, we’re hearing some basic
premise from the first couple hearings – ownership by the patient, some
kind of control over where it goes, and so on. And so consequently, just
exactly what that would be would be what we may want to even just paint that
basic picture.

MR. ROTHSTEIN: And I don’t even know what assumptions the
developers are using now. I mean, they obviously recognize that privacy is
something that they’re going to have to deal with, and what are those
assumptions?

And of course we’ve got the statements of Dr. Brailer and
others who, you know, indicate that privacy is important and some level of
patient control is important.

And, well, what are they doing on the basis of those sort of
broad admonitions and how does that square with what we heard?

So those are the kinds of things that I’m very anxious to hear
from this third group of hearings. Mary Jo?

DR. DEERING: I just wanted to make a refinement of what I
think I heard from both of you, which is that – and frame it in a way that
could be posed to the developers. You say, what are they doing now? And my
understanding of what they’re doing now is they are working at the level of the
entire record.

And what we have heard over the last two days is that it is
more useful to perhaps set aside the record as the unit at which policy is
directed and instead direct policy and practice toward the content and to
deconstruct the record, in which case the question both to providers on the
30th and to vendors and those practitioners of EHRs who are building
them in June, is that concept more palatable, less palatable, does it make
privacy easier from a practice point of view, from the requirements of your
institutions? Is that something that would simplify things, complicate things,
for you from a design point of view? Is that easy or hard to do?

Because I think that that is the direction that a lot of the
thinking is trying to move.

MR. ROTHSTEIN: Right, exactly. And I think the March hearings
in Chicago are going to be very interesting because I think the providers, not
to speak for such a diverse group, are going to have some issues –
[laughs] – with the concept of them not having access to everything even
for treatment purposes. In other words, I think providers have some qualms
about patients filtering what they get.

And so we’re going to have to discuss the parameters of that
and what the implications are and all the different contexts. But that’s
certainly a theme that emerged from yesterday’s discussions and even
discussions before that. Richard, and then Bob?

DR. HARDING: It is – I mean, Harry is right. It’s going to
be very complicated because I think medical records are being developed for
doctors, for insurance companies, that meet the needs of those individuals as
opposed to patients. And as Dr. Lichtenfeld mentioned, that until it’s easy,
the input, and it saves time and it’s efficient and it makes better outcomes,
you know, providers are going to be really reluctant to get into it.

But in doing that, I think it’s going to decrease patient
control. And so it seemed like there’s some kind of a thing going on here that
somebody’s going to have to come up with a real Gordian knot cutting to get
through that in some way, just trying to think of how to go from here.

MR. ROTHSTEIN: Well, everything that I hear suggests to me that
there are going to be incredible transition problems. I hear things – you
know, short-term, long-term, we’re not going to be able to afford to take, you
know, every extant paper record and immediately translate them. I don’t think
anybody’s contemplating this, into electronic.

So we’re talking about a prospective system and, you know, a
legacy system at the same time, and then, as was indicated from Ms. Rosenberg
or in our colloquy, we may have, I think, some problems in the short run in
terms of people being deterred from obtaining treatment unless we figure out
some ways of working that out.

So, I mean, any way you want to slice it, on a timeline, by
disease state, by individual, by you name it, there are issues. It’s sort of
seven-dimensional, and we’re just going to have to try to figure out what it is
that we can recommend that’s feasible, that’s palatable, that achieves the
goals that I think we all share.

So in terms of the timing, having not heard any sort of major
objections to that timetable, what I’m going to ask Marietta to do is to
circulate to all the

Subcommittee members a calendar running from, say, April, May
and June, and then we’ll try to identify the time for a two-day hearing at some
juncture between April and the end of June when we can have our next round, our
third round, of hearings, and then after that we’ll decide whether we need more
hearings or whether we want to invite people to submit testimony or ask
questions of various people.

Are there other questions related to the hearing sequence that
we need to discuss now?

Are there questions related to the witnesses that we’ve got
identified? Kathleen, I think, how would you describe – or Mary Jo –
the state of our witness list for the Chicago hearing?

MS. DEERING: As you know, the NHII workgroup staff, Michelle
Williamson and I are working with Kathleen and your staff, and we have
approximately, I would say, six. I think Michelle is working on AHIP, Tom
Wilder. We’re trying to identify – you’re working on AMA and AHA.

MS. FYFFE: Are the nurses – what about the nurses?

MS. WILLIAMSON: We didn’t discuss nurses for the privacy, but
I’d be happy to do that if you’d like for us to include them.

MR. ROTHSTEIN: I think for sure we ought to hear from nurses
and the American Nursing Association?

MS. DEERING: How about AHIMA? Has anyone – you wanted
health care provider organizations –

MR. ROTHSTEIN: Right.

MS. DEERING: — so we were not looking at –

MR. ROTHSTEIN: Yes. I would think that if we wanted to hear
from AHIMA, they would be on the third group.

MS. DEERING: I was just thinking they’re based in Chicago.

MS. FYFFE: There are two other testifiers. One is Jim Pyles,
who represents – is it the American Psychoanalytical Association? And also
I made the suggestion to Mark earlier that we also invite the Health Care
Leadership Council because they have a confidentiality coalition that is very
broad-based and they might be able to provide helpful information to the
Subcommittee.

MS. DEERING: We’re also looking at three of the professional
colleges. I know we have the AFP. We’re looking at the College of Emergency
Physicians. And the third one I keep blanking out. I think it’s the American
College of Physicians, but there was a third of those organizations that we
have also identified. And I have actually a proposed name for all of those.

MR. ROTHSTEIN: Okay. And we discussed this morning – I
can’t remember who I was talking with – I think

ACOG would be a good group to talk with because they deal with
sensitive information. The American Academy of Pediatrics might be a good group
to deal with. I guess it was Beverly I mentioned this to. And possibly the
infectious disease docs who also deal with sensitive information.

MS. DOZIER-PEEPLES: And you also mentioned reproductive health?

MR. ROTHSTEIN: Well, we’re going to have ACOG.

MS. DOZIER-PEEPLES: Okay.

MR. ROTHSTEIN: We could hear from the Society for Reproductive
Medicine, but I think ACOG would probably have a broader range of things and
their witness probably would be competent to answer questions like, you know,
assisted reproduction and things like that.

So if you have any additional suggestions on speakers for the
second round of hearings, the Chicago hearings, please let us know and as well
the third round when we settle on a time.

MS. FYFFE: I had to step out of the room; I’m sorry. Have we
talked about the timing of the draft recommendation letter to the full
Committee and whether it’s going to be coming after each of these hearings or
we’re going to wait till after the third hearing, et cetera?

MR. ROTHSTEIN: Well, my tentative plan is to have something for
the September NCVHS meeting and not do anything, not have any recommendation
after Hearing 1 or Hearing 2 or Hearing 3. It’s going to be the composite
recommendation that we’ll have the summer to deal with and the September
meeting – I’m checking my calendar – is on September 8th
and 9th. So we should have plenty of time unless we decide we need
more hearings or more deliberation.

MS. DEERING: Mark, one of the things that I’m observing –
I know this has always plagued the NHII work group – is that the world is
moving faster than it is, and to the extent that the Office of the National
Coordinator is going to be preparing its response to the input and start
putting out guidance, literally every week counts in terms of policies that may
be fact locked in.

And so perhaps – I know that this is NCVHS. The NHII work
group always tries to stay about a year ahead because it can’t possibly keep
it, and this is a challenge, because you’re working on one of the core issues
for the NHIN and they will in fact be making decisions probably beginning over
the course – I don’t know.

MR. ROTHSTEIN: Well, let me ask Kathleen. Is that proposed
timetable not responsive to your needs?

MS. FYFFE: I have mixed ideas about that because on the one
hand it would be helpful to provide feedback sooner, i.e., the beginning or
mid-summer, but on the other hand, your recommendations might be better because
you will have received input all the way around and deliver all those in a
very, you know, thoughtful, coherent manner in September. So I’m actually
conflicted about which way to go.

MR. ROTHSTEIN: Michael?

DR. FITZMAURICE: I think I would agree with the second half of
Kathleen’s answer in that –

MR. ROTHSTEIN: That she’s conflicted?

[Laughter.]

DR. FITZMAURICE: No, no!

MS. FYFFE: You know, if you know me, you usually know I’m not
conflicted. [Laughs.] But in this case, I am conflicted.

DR. FITZMAURICE: In that the value of NCVHS is to be able to
obtain public opinion from a lot of different areas, some of it is
self-selected by us; we reach out to these areas, so we can reach out and get a
broad dispersion of opinion than the self-selected people who write in in
response to an RFI.

I’m not sure which one is better; I think both are very good. I
think that what NCVHS does is of such value that having a letter in September
won’t detract from the message that it carries.

DR. COHN (on phone): Mark, this is Simon. Maybe I can comment
also.

MR. ROTHSTEIN: Please.

DR. COHN: Can you hear me?

MR. ROTHSTEIN: Here.

DR. COHN: Okay. People are sort of dropping in and out and
others may have said this.

I’m sort of listening to this question of like when will there
be a letter, and I oftentimes tend to think that the work sort of helps dictate
when letters are ready, and I certainly am not hearing anything so far that
makes me feel like there’s a letter ready now.

And I think as we begin to have the second and hopefully the
third hearing, either we will find low-hanging fruit that are pretty obvious
that we can begin to report on or we will say, gee, this is very complex and we
really need to vent it extensively through the industry. And it’ll probably be
some sort of a combination of A and B.

So it’s probably a little early for us to be too certain
exactly when something will come forward to the full Committee, though
certainly I think September and/or June – I mean, and September sounds
like a very good time – but there may be some early findings that we might
want to communicate in June.

MS. GREENBERG: Exactly what I was going to say.

MR. ROTHSTEIN: And Marjorie, it was your suggestion years ago
when we had our first HIPAA hearing when we found stuff that was troubling to
the Committee that we write an interim letter to the Secretary.

MS. GREENBERG: Yes. I started remembering after the Boston

MR. ROTHSTEIN: Boston.

MS. GREENBERG: Whatever, Right. So I would suggest –
again, I was going to suggest that same approach.

MR. ROTHSTEIN: Yes, if we find – that’s fine. And I
certainly would support that.

My view is that we need to get all the evidence in front of us.
I mean, the people who are designing and the NHIN, they’re experts, it’s their
full-time job, they’re thinking about the same issues we are. We’re not any
smarter than they are.

And what contribution we have to make in this process is maybe
we’re going to be hearing from people that they haven’t had the time to hear
from and so we’re going to go out and get the views of as many people as we
think are relevant and we’re going to distill them and debate them and try to
take the big picture view.

And until we have that information, even though we may all have
strong ideas, everybody’s got strong ideas, and it doesn’t have the weight
until we have the evidence behind it. And the evidence may be, you know,
subjective, but at least it is the viewpoint, represent the multiple viewpoints
of all these diverse groups that we’re hearing from.

So that’s why I’m a little reluctant to sort of get to my
keyboard and crank out something, not to mention the fact that I have no idea
what I would crank out. Bob?

MR. HUNGATE: Understanding that, I still keep making my
tentative list of what are the things that might come out of this sometime, and
I have no sense of whether my list is at all like anybody else’s list.

One of the things that I heard, I think from Alan Westin, was
the perhaps suggestion that there needed to be a DSMO around privacy, and it
sounded like there isn’t one now, that that doesn’t exist.

Given that those things take time, I wonder did anybody else
hear that, or am I just leaping to a conclusion that is invalid?

MR. ROTHSTEIN: I heard him say that.

MS. BERNSTEIN: Excuse me; what is a DSMO?

MS. FYFFE: Yes, DSMO – Data Standards Maintenance
Organization.

PARTICIPANT: Designated.

MS. FYFFE: Designated? Oh, sorry.

MS. GREENBERG: What did you hear him say?

MR. HUNGATE: He basically said there needs to be a
standard-setting activity in the area of privacy. At least that’s what I –

MR. REYNOLDS: Or was it standards monitoring?

MR. HUNGATE: Well, I don’t know.

MR. ROTHSTEIN: He didn’t use DSMO as such.

MR. HUNGATE: Yes, he did.

MR. REYNOLDS: He didn’t go there.

MR. ROTHSTEIN: He, I think, clearly suggested that privacy is
an integral part and should have a much higher profile in the deliberative
process, that it be funded or even external funding should be made available a
la the LC program of the genome project and so on.

And I think those are very interesting ideas for us to debate,
but I’m not sure that I would be willing to support a sort of a Marjorie
interim recommendation along those lines yet.

MR. HUNGATE: No, I agree.

MR. ROTHSTEIN: Okay.

MR. HUNGATE: But I just wasn’t sure whether that was even
something that was on the table —

MR. ROTHSTEIN: Oh, absolutely. I mean –

MR. HUNGATE: — for discussion, you know. I just don’t know if

MR. ROTHSTEIN: Oh, everything’s on the table for discussion and
that is certainly one of them because I think he made some wonderful concrete
suggestions that we definitely should have on the agenda and I think
everybody’s taken notes and maybe at some point we –

MR. HUNGATE: Well, the problem I have relates to my experience
with the quality work group, with having inherited an agenda which I had no
knowledge of the content that went into it, and maybe it’s my advancing age but
my ability to remember diminishes. And so it seems to me that some kind of, you
know, summary of what we pick away from this first set is an input to the later
set. And that’s where I —

MR. ROTHSTEIN: Well, maybe what we need to do is circulate a
draft Minutes or summary and then let everyone add to that so that we have a
composite, even though we don’t necessarily have to have agreement on it –

MR. HUNGATE: Right.

MR. ROTHSTEIN: — a composite document.

MR. HUNGATE: Right.

MR. ROTHSTEIN: And is there someone who’s got a – all
right; I’ll do it.

[Laughter.]

MS. GREENBERG: Well, there will be Minutes eventually from the
meeting.

MR. ROTHSTEIN: Well, is there someone who would like to prepare
a draft outline that summarizes what we heard from the various witnesses of
things for us to consider? I mean, you don’t have to make their arguments. What
in the testimony that we heard, like the Alan Westin points, should we put on
our agenda to discuss? Is that what you’re saying, Bob?

MR. HUNGATE: I’d be happy to put an input into that. I’m not
sure that I –

DR. FITZMAURICE: I would be happy to share my notes with
someone who would prepare it.

MS. FYFFE: Okay.

MR. ROTHSTEIN: Michael takes exquisite notes.

MS. FYFFE: Yes, he does. I would be willing, with the help of a
couple of other people who I hope will volunteer to put together a summary. I
would be most appreciative of all input. Send those emails as soon as you can.

MR. ROTHSTEIN: Okay, thank you. Harry?

MR. REYNOLDS: As you think of it, when you talk about moving
the letter, as you talk about moving forward, you know right now we’re
balancing hearing stuff about public good, patient good, provider good,
research good, and then there’s one we haven’t heard about, so we come to some
agreement on what all those are and how they might work together and what they
might be, the real capability to make it work, you know, as far as changing all
these environments to make it work.

So I guess as we continue, I would like to at some point have
the Committee have that kind of discussion, and I will give my picture on
industry on that, because I think in the end, you know, we’re hearing from
everyone but there’s no real negotiation going on as to – you know –
you got the public and the personal ownership.

How do we adjudicate that in our mind, even come up with
something that we could even recommend as to under what jurisdiction it would
be overlaid or where – you know. We talked about the HIPAA privacy rule,
we talked about lot of other things, and so how that all really in the end gets
adjudicated – I’m not very comfortable with all – everybody that has
testified I think has very clearly testified in their bubble.

MR. ROTHSTEIN: Right.

MR. REYNOLDS: But to move between the bubbles and the
connection of the bubbles and the reality of a health care environment that
truly delivers the real worth of what every one of these testifiers is –
because every one of them, I hand it them, people have been passionate but not
hysterical, and I think they’ve tried to move a little outside the bubble but
it might expand the bubble. Nothing’s broken; nobody’s moved over to help
anybody else right now.

And so that’s the trouble I have right now. That’s the trouble
I have with thinking about a letter or thinking about exactly what to do in it
because we haven’t really had anybody come and tell us how to tie it together
or if tying it together is even feasible, and as I know what Dr. Brailer and
others are doing, they’re trying to implement a reality that could occur and
that’s what I hope our next two or three hearings help us get closer to, is
what that morality might be and how we might be able to help them structure
some idea.

MR. ROTHSTEIN: Well, the theory was to go from the most general
to the most specific and I’m hoping we’re going to get there and we’re going to
need sort of increasing reality checks along the way, and that’s why I hope to
hear from like the VA system or maybe Kaiser or Mayo or somebody about
“well, we tried that and here’s the problem with that” before we go
off and recommend that something be done.

MR. REYNOLDS: I also want to make sure that we invite more than
closed systems, closed environments.

MS. FYFFE: Implying that the VA is a closed –

MR. REYNOLDS: That would be correct. You know, you have a
captive audience. Some of the HMO models. Because, again, a lot of this, the
issue in those environments is that it philosophically could be viewed as owned
by the provider and the patient comes in there.

But when you start dispersing people all over society and they
go to another doctor that isn’t in there, they change this or they do that is
where that electronic medical record and its longevity goes with you wherever
you might be and that’s where I think where it’s going to get a little more
complicated. And those are great findings as to how it actually works, but then
can we extrapolate those and make recommendations to the Secretary and others
and Dr. Brailer and others about how that would extrapolate is what I hope we
get to.

MR. ROTHSTEIN: Okay. Marjorie?

MS. GREENBERG: Yes. Bob and I were sort of making eye contact
here because what Harry was saying about these different viewpoints, all of
which have validity and come from good ethical positions, is exactly it seemed
to me what we heard with the quality work group. And of course it’s not
unrelated because what you’re talking about is balancing the public good but
also sort of the improvement of the health care system with privacy concerns
and whether it be the privacy of the clinician or the privacy of the patient,
what have you, and sort of, you know, how you get those working together is
clearly challenging.

And I don’t have an answer at this point. I mean, I doubt I
will or I would probably be in a different position if I actually have the
answer.

I wasn’t able to be here yesterday and I’m sorry I was in
another meeting, but what really came through to me today is something that
came through to me when we did that round of hearings that you were recalling
– Boston, Salt Lake City and –

MR. ROTHSTEIN: Baltimore.

MS. GREENBERG: — Baltimore, right. I knew it was somewhere
south of Washington; didn’t get as far south as we had hoped, as I recall.

MR. ROTHSTEIN: No, we were supposed to go to South Carolina

MS. GREENBERG: Yes.

MR. ROTHSTEIN: — and then we went to Baltimore.

MS. GREENBERG: Yes. But in any event – and I think did get
into one of the Committee’s letters, but was the need for a lot of public
education, and it might be around – I mean, it’s not irrelevant to the
quality issue, either. It’s easier said than done and it’s not easy to identify
whose responsibility that is and how it might be taken. But I certainly heard
today, and I think continue to hear, that, you know, there’s a lot of confusion
and also a lot of misinterpretation and not good communication of public good
and not clear understanding of rights and responsibilities and other related
issues.

And I’m not saying that to criticize anybody. I mean, this is
really complicated stuff. And it might be that until the public really gets
engaged and pushes for certain things or, you know – and of course you’re
always going to have people feeling different; it’s not like you’re going to
get one common view in the public. But until you really engage, you know,
people, on these issues that we’re not going to be able to break through those
diametrical different views of responsible professionals.

So I just come back to that because I think it’s – and I
guess we’re going to hear from consumer advocacy groups. And it’s hard to know
who the groups are whose responsibility it is to tie to, you know, public
education or public dialogues with public building communities, you know. I’m
getting too philosophical here.

But, I mean, this goes back to years ago. I remember the
Committee considering – maybe right around when we started talking about
the NHII – you know, how we could – we even dabbled briefly with this
idea of like having some kind of a contract. Remember? Were you around then?

MS. FYFFE: I’m sorry – contract for what?

MS. GREENBERG: Sort of like a marketing, kind of like public
service marketing or something, on the whole issue of what are the benefits of,
you know, going to this electronic society and, you know, what are the risks
and engaging people on these issues. And we decided it was beyond our
resources, maybe even our mission.

But, I mean, it keeps coming back, and I just put that on the
table as something that struck me.

MR. ROTHSTEIN: Mary Jo, and then Michael.

MS. DEERING: Two things. First, the Markle Foundation
Connecting for Health is going to make public education one of its major
pushes, and they’re putting the weight of their collaborative behind.

MR. ROTHSTEIN: You mean public education?

MS. DEERING: Yes. Exactly that kind of an effort.

The other thing that I wanted to raise about the tenor of
things here that Harry and Marjorie said and even Mark, you talk about the
diametrically opposed interests et cetera. But, Mark, you made a statement in
your response to the comments that there had also been the conventional wisdom
that it was the public and the patients against research, the public and the
patients against this, and what you were hearing, and I think correctly, is
that is not the case.

I would say that it would be very important as we engage
providers not to presume adversarial interests in this and perhaps in our list
of questions to put to them to help them look for points of agreement and where
their interests do overlap, because the goal of all of this is to strengthen
the clinical – well, one of the goals is to strengthen the clinical
relationship.

And the questions that you pose to people, you know, dictate
the answers that you get, and I think that it would be very useful to find out
the extent to which they would – you know, some of these things, again,
could serve their purposes.

For example, we talked about the whole record and who owns it,
and one of the things that came out of the recent NHII hearings from the
providers who were talking to us was that many of them felt that the medical
record doesn’t exist to serve the providers; the medical record exists to serve
the administrative, financial and legal interests of the institution, not the
health care provider.

So that before we get too wrapped up in thinking again about
the medical record as the unit of attention and presuming that the health care
providers would share that, I think we might want to at least explore whether
there are opportunities to get the providers also to agree that “the whole
record” is as we construe it legally, financially and as a record of care
is perhaps not what they would necessarily want or need to provide of quality
of care.

So just to make sure that we don’t have any assumptions going
in to our questions.

MR. ROTHSTEIN: Oh, those are two or three good things that we
should put on our list, our fact sheet, our FAQs, to send to the witnesses for
the second round. Michael?

DR. FITZMAURICE: Just a couple of quick thoughts. What is it
that we produce? We produce recommendations to the Secretary. We produce a
reading of the pulse of the people who testify, and we infer from that that the
pulse of the nation, the pulse of the people out there.

The lever that we have in front of us – the biggest lever
we have I think is the HIPAA privacy rule. And the testimony I heard, I didn’t
hear anybody saying that the privacy rule wasn’t doing the job of protecting
the data. I did hear some comment about burden, particularly burden on
research, but I didn’t hear anybody say the privacy rule wasn’t enough, the
privacy rule was too much; it’s become accepted in the three years that it’s
been in force. They might want to increase the scope beyond just covered
entities to cover more people; there are proposals – not proposals; there
are thoughts flying around about how people would want to change the privacy
rule.

But when I think of what recommendations do we want to make for
whom to do what, it’s basically here’s what we’re hearing. Take it into account
as you move into the national health information infrastructure. Here are some
considerations about the privacy rule, some burdens, some about scope, which I
didn’t hear, that you might want to take into consideration. I didn’t hear any
driving need to I think change, otherwise something bad is going to happen. I
heard that the system has adopted the privacy rule and we’re working our way
through it.

Some people would like to have a stronger privacy protection,
others would like to have less burden. So we’re not pleasing everybody, but
it’s remarkably successful at this point.

MR. ROTHSTEIN: Harry?

MR. REYNOLDS: I’m not sure I can go quite that far yet. I think
we’ve heard testimony in Standards and Security and with e-prescribing and I
think we’ve heard it here is that the whole idea of the covered entity and the
fact that there are a lot of people who would be touching this medical record
along with everything else that’s going on are not directly affected by the
law. They’re in some relationships affected by the law.

But as you think of an electronic medical record, it’s never
owned by a singular provider because since the PPO world has won so far in the
United States, people go to many, many doctors for many, many things, so
there’s no single holder. So nobody knows exactly where their data’s going and
how it’s happening.

So I’m not sure I could completely agree because the covered
entity thing still has significant holes when you draw the diagrams of how data
flows network to network, person to person, group to group. And some of those
groups that handle it and have it and touch it and see it aren’t necessarily
covered under that. That does, I think, leave a significant opening in a
comfort level that somebody may have. We’ve heard that.

DR. FITZMAURICE: I would add to what Harry’s saying. As more
and more people want to get copies of their own records, then you can’t point
the finger at a hospital, at a provider, and say, “You let my information
out,” because it might be on your desk that somebody else who visited your
house had seen. So it creates a larger burden of who’s responsible for the
release of that information once it’s out beyond the hands of the covered
entity and in the hands of the person you’re trying to protect.

MR. ROTHSTEIN: Okay. I’m going to have to put an end to our
Subcommittee discussion period. We have two action items that are going to go
forward. First, Kathleen is going to take the lead in summarizing the testimony
from the first – Kathleen and Maya – from the first round of hearings
and then that will be circulated and Subcommittee members can add things that
they want to the summary.

The second thing is we will be circulating a poll for the third
set of privacy hearings which will be either April, May or June.

And then finally on our schedule, let me tell you what our
tentative plan for the schedule is. We’re going to break in just a minute for
lunch, which will conclude at 1 o’clock, and we will start Panel IV at 1
o’clock.

We only have two witnesses instead of the four who were
scheduled, so instead of an hour and a half, we are going to allocate one hour
for Panel Number IV and that will go from 1 to 2. And then we will skip the
break and then move to what’s called Panel V where we only have two witnesses,
and then we will go from 2 to 3 and adjourn at 3 o’clock. Adjourn at 3 this
afternoon.

MS. GREENBERG: Who is not coming in Panel V?

MS. FYFFE: Phil Marshall. Also with respect to Panel V, instead
of David Harrington, the representative from MedAlert will be Dr. Janet
Martino, that’s MD, Janet Martino, MD.

MR. ROTHSTEIN: Okay. So thank you all very much and those in
the Internet, we’ll be back on at 1 o’clock with Panel Number IV.

[Lunch break from 12:18 P.M. to l:07 P.M.]

MR. ROTHSTEIN: Good afternoon. We are back with Panel Number
IV, on consumer advocacy groups. And to just inform the Internet listeners who
are just tuning in and did not hear the earlier announcement, Panel 4 will run
from 1 to 2; there will be no break, and then we’ll continue from 2 to 3 with
Panel V and then adjourn for the day and try to go to wherever it is we’re
going. Well –

So I want to welcome our first witness, Joyce Dubow, and
invite her to present her story now.

Agenda Item: Presentation – Joyce
Dubow

MS. DUBOW: Thank you. I appreciate the opportunity to be here.

I couldn’t help but be engaged as an interested listener to
your discussion a little ago. I was actually taking notes about things that I
hope you’ll ask me about.

Otherwise, I want to volunteer some comments, particularly
around the consumer and public education initiative around the notion about the
adversarial, or the purported adversarial, relationship among the various
stakeholders with respect to this whole issue.

And then, somebody said something about the privacy rule and
consumer – I have a note here that says “consumer awareness” and
I don’t think most consumers are particularly aware of that and I think that
the GAO report that reviewed the complaints that have been filed with respect
to HIPAA sort of addresses this issue that most people don’t really have a very
good knowledge about HIPAA, to wit, half of the complaints that they received
were tossed out because they were totally not applicable, and they just
demonstrated a lack of understanding of HIPAA generally. And I think that most
consumer organizations are aware of that.

But to the subject at hand. I think you have copies of my
testimony, and I’m really going to summarize because I do think this is an
opportunity to have a discussion rather than to go verbatim what I have here.
Let me just say that the AARP Public Policy Institute is charged at AARP with
doing policy research and analysis that informs our work. We produce commission
research that tries to stimulate public debate about issues that are of
importance to midlife and older people.

AARP, for those of you who don’t know, now has over 35 million
members. It’s not exactly a 50-50 split but we have members who are under 65 as
well. About half the membership is under 65, half are over 65, which means that
we span commercial insurance and the Medicare program, and so our policy
interests are very diverse.

Clearly, with 35 million members, our membership is diverse as
well, and I would not suggest in any way that there is any common view of PHRs
or HIT or privacy among our members. We are very diverse. We have well-heeled
members, we have many, many who live – you know, who rely on Social
Security for their income. We have well-educated people, people who have less
schooling. It’s a very, very diverse population and it’s very difficult to
generalize.

But we believe that there are some core values that all
consumers have and we try to represent the interest of midlife and older
Americans.

I want to just say that our interest in HIT is grounded in our
conviction that there are quality problems in the United States. We have
carefully studied the works – several works – from the IOM on medical
error; the Quality Chasm Report, it talks about the imperative to have system
change to improve quality care, the quality of health care in the United
States. We see this as a pressing problem and we see the opportunities that
health information technology present to hasten improvement. We see HIT as a
means to the end, which is the improvement of quality and not an end in itself.

I know that some people are jazzed by all the techie stuff but
our interest is to improve health care quality, and we see the value that
electronic records bring to decision support for physicians to accelerate
knowledge, to disseminate knowledge, to insure that appropriate care is
provided, to reduce error. We see the value in patients having access to
information about their own health care to enable them to become more activated
patients.

Particularly for people with chronic illness, we are familiar
with the research that sees that people who are more engaged in their health
care feel better with their chronic illnesses. You know, we’re familiar with
the Wagner model of chronic care in terms of self-management. We see that IT
presents enormous opportunities for both patients and providers.

We also think that having access to the information helps
patients be on a more even playing field with their providers and it will
enhance patient communication. We recognize the value that HIT brings to the
patient/physician experience.

I think that we should recognize up front the definitions are
an issue here. You had previous testimony. You had an interesting discussion
with David Lansky at one of your January meetings about the lack of a commonly
accepted definition of PHR. I think that’s very important. Even when we talk
here, I’m not sure that we’re all talking about the same thing. Clearly,
consumers, if they know anything about a PHR at all, they certainly don’t have
a common understanding of it. We know from the research that most people have
the greatest interest in the transactional opportunities that a PHR brings in
terms of opportunities for e-consultation, getting lab and X-ray results on
line, communicating with their doctor, that sort of stuff; that seems to be
very salient. People can understand that.

But the research that has been produced by the Markle
Foundation, the qualitative stuff that Harris Interactive has provided, really
does indicate that we need a whole lot more research to better understand
consumer perspectives on this issue. I think we don’t really understand it.

AARP itself has done no explicit work in terms of
understanding what our members think about EHRs. We have the tiniest bit of
qualitative feedback that we received from an evaluation that we did in
connection with a navigation pilot project that we launched last summer that is
intended to provide good information to people to help them sort out the good
and the bad on the Web and we asked them about the kind of information they
would like to see and some actually volunteered that they would like to be able
to have access to some kind of an electronic tool that would help them manage
their own personal health information. That was an open-ended question, so I
think it’s interesting that we had an unsolicited – there were a few who
actually volunteered that this was an opportunity to gain better control about
their information. But that’s all we have; we haven’t done anything more.

In the public policy arena, we are beginning to look at this
quietly. We are going to commission a study that looks internationally to
compare among a few countries, see how they’re using PHRs, to see if we can we
can inform our own understanding of what’s going on here, if there are lessons
learned for the United States.

But we’re just in the beginning now. I think Consumers are
really just at the threshold and we’re very pleased that Dr. Brailer and others
are reaching out to consumers to see if we can stimulate more interest among
consumers, and there’s a lot of work to be done in that area and I’ll come back
to that in a minute.

I think that the issue of privacy and confidentiality cannot
be underestimated. It’s very, very important to consumers. And again, you know,
there are surveys that indicate – I think Pew did work that indicates that
a very substantial proportion of the population would not trust to have their
private information on the Web. They don’t trust it.

I think also that it’s very interesting that, you know, some
people who are knowledgeable about the value of HIT assure consumers that that
information is much better protected if it is in an electronic format, that
paper is un-private, you know, that electronic information is carefully
protected and you can’t access it if they’re not properly authorized.

Consumers, however, see it in a completely different light, I
think. They see that the single keystroke is enough to get their information
scattered hither and yon and worry that somebody could make a mistake.
Everybody’s had the unfortunate experience of sending an email to the wrong
people at the wrong time and consumers are worried about that and so they’re
not so sure about this “better protection” of their information just
because it’s electronic. They see the opportunity for mistakes and that there
are consequences that they don’t want to confront.

So I think that there is a lot of room here for clarifying
people’s assessment and perceptions of how safe it actually is. I think there’s
reason for some disagreement.

I want to tell you just a little bit about AARP’s policy on
privacy and confidentiality because I think that it’s relevant to this
conversation.

I was chatting with Mary Jo before and I mentioned to her that
our policy was formulated in the days when the HIPAA rules were being
promulgated and you’ll see that a lot of it reflects some of that discussion.
But I just would point you to the section in my statement that enumerates the
policies – it’s towards the end – that enumerates AARP’s policy
positions on privacy and confidentiality.

They do reflect what I said earlier, that we want to be able
to see compatible procedures that allow health care delivery to take place, for
research to take place, but clearly we have concerns about patients being able
to control and to know about who has access to their privacy information. It’s
on Page 10 of the testimony, 10 and 11.

MS. FYFFE: We have single-spaced –

MS. DUBOW: Towards the end. I’m reading from a double-spaced
page.

PARTICIPANT: Page 4.

MS. FYFFE: Okay.

MS. DUBOW: Okay? Do you see it? I mean, I can reiterate it,
but I don’t want to take the time.

MS. FYFFE: We’ve got it. You might – for purposes –

MS. DUBOW: Of the record? Do you want me to just –

MS. FYFFE: People on the Internet —

MS. DUBOW: Okay. Well, let me just say then that in broadest
terms, we believe that individuals should have the right to examine and copy
the contents of their health records and know the identities of people who have
examined their records.

We believe that individuals have the right to determine who
may have access to personally identifiable health information and for what
purpose.

We oppose the disclosure of an individual’s medical
information except as authorized by the patient for public health reporting as
required by law; for enforcement of the financial integrity of publicly funded
health programs, provided that personal identifiers have been removed whenever
possible; and for research and quality assessment and improvement, again
provided that the personal identifiers have been removed whenever possible.

We support actions that make individually identifiable health
information less vulnerable to inappropriate disclosure and misuse, and
although HIPAA standards constitute a step forward for health privacy, some
provisions concern AARP.

Written consent should be required before information is shared
for treatment, payment and health care operations. Mere notification to
patients of a provider’s own privacy policies is inadequate because it denies
consumers the opportunity to exercise the right to privacy. In spite of the way
the regs came out, we still hold that we don’t think the notice itself is
adequate.

We think that covered entities should be required, on request,
to account for the information disclosures that they make when treatment,
payment and health care operations occur. And patients should be able to learn
who has obtained access to their individually identifiable health information.

I think that gives a flavor for it. I don’t want to go on.

So just to summarize, AARP believes that the relationship
between health care quality and IT are very, very closely linked. We see
privacy and confidentiality crossing all of the issues that pertain to this.

We appreciate your interest in bringing the consumer view to
the table. We think that’s very, very important. I think that that’s an
important model that we hope more will follow as we engage in this dialogue
that we’re now, for consumers anyway, starting. Consumers are not fully
involved or engaged in this discussion yet.

AARP does intend to participate in the discussion and we do
want to be part of this dialogue. And again, we appreciate your giving us this
opportunity to be here.

So if we could have a conversation, that would be great.

MR. ROTHSTEIN: We certainly will, but we’re just going to defer
it for just a few minutes. And Ms. Golodner, I apologize for the scheduling
snafu. Sometimes our ambitions don’t pan out in terms of what we hope to
accomplish, but I thank you for joining us, and if you’re ready, we’re anxious
to hear your testimony.

Agenda Item: Presentation –Linda
Golodner

MS. GOLODNER: Having been on some committees, I understand the
problems with scheduling and making sure that you can keep on schedule,
especially on a day like today.

The National Consumers League appreciates being invited today
to present our views on consumers on this very important privacy concern. I’m
here today to provide the patient-oriented perspective of the issue of privacy
in the context of health information technology.

I will begin my comments telling you a little bit about the
National Consumers League and then transition to discussion of key privacy
principles that should be used to govern the development of the national health
information network.

Some of the principles that I will be talking about are
similar to those consumer groups worked with the Markle Foundation on, but some
are those that the National Consumers League has worked on.

The National Consumers League is a non-profit private group
and we have been around since 1899, working on a number of different issues.
We’re the nation’s oldest consumer organization and we get involved in issues
such as child labor, privacy, food safety, health care, financial services and
fraud.

And we’ve been involved in examining and commenting and
testifying on the issue of privacy for a number of years. In fact, we held a
privacy conference and some of the same people are still involved. Alan Westin
was a speaker at that conference. And we did focus on privacy in health care
which was probably pretty early, 15 years ago, to think of those issues, but
they were important and we recognized with the advent of technology that there
would be changes in people’s ability to collect and manipulate information.

The natural extension of our work in health care is the recent
initiation of a coalition called SOS Rx and there we focus on medication safety
initially among seniors. And one of the coalition’s efforts is directed at
improving medication safety through encouraging broader use of electronic
prescribing systems.

And really they just represent sort of the tip of the iceberg.
Our recent exploration of the topic has stimulated a broader consideration of
how to retain consumer-focused privacy principles as we move forward just in
that one area.

For both patient safety and health care system efficiency
reasons, NCL believes it’s critical that we build and drive a movement toward
rapid development of a national health information network. We must not,
however, in a rush to deliver something, abandon the very principles of privacy
that enabled patients and providers to forge a relationship of trust.

Dr. Brailer last week mentioned that the patient issue is on
the forefront, and it was on the forefront of the nearly 500 RFI responses his
office received last month with regard to information networks.

In developing an NHIN, NCL urges policy makers within HHS to
integrate these following principles:

One is, information access and control. At a minimum, the
structure and rules must facilitate the ability of people to exercise their
personal health information rights under HIPAA.

People must have the ability to control and to access and to
give permission for others to access their information.

If people fear inappropriate disclosure and do not trust the
network, they may become less willing to seek care or to provide consent or to
share information, for instance, about various health professionals that
they’re going to or conditions that they might have.

People should have the ability to review accesses made to their
personal health information by others.

No personal health information should be available to a
provider or health professional that is also not available to the person it
describes.

Unreasonable and unaffordable fees should not impair the
ability of each person to review and contribute to their personal health
record.

People must be able to, at their liberty, add comments or
annotations to their personal health record.

And people must be able to request amendment or correction to
their records.

It must provide a sound method for allowing secure access and
authenticating individual patient users that does not require physician or
institutional mediation.

People must have the ability to designate the health care
professionals who they want to access their information.

There must be disclosure and accountability for the provider.
They should fully understand the policies in place before they give
information.

Information elements central to network functioning such as
identifiers, authorizations and permissions, accessing history, must be
presented in easily understood terms and formats that patients and consumers
and others who may be the care givers, for instance, would understand and be
able to review.

People should be informed of all the possible ways their
information may be used and may be able to choose whether to make their
personal health data available to various systems. It must permit for a
distinction between data storage and data use. For logical reasons, maintaining
all patient information in the network may prove necessary; however, all
stakeholders need to understand that just because the data is physically
available, this does not necessarily mean that they can be accessed for use.

Communications with people about policies and uses of their
information in the exchange must be conducted in a simple and easily understood
language and languages that consumers do understand if they don’t have English
as their first language.

States should adopt common operating standards for the security
and patient privacy protection.

People must be able to receive complete paper copies of any of
their information available across the national network.

It must also provide the capability for people to reliably and
securely move all portions of their personal record from one health care entity
to another and it should permit the aggregation of non-identifiable data in
support of quality measurement, provider and institutional performance
assessment.

Implementation of NHIN must be accompanied by a significant
public education program so the people in fact understand what it is and that
they aren’t afraid and are not intimidated by the fact that their information
will be available in an electronic form.

NHIN must permit patients to transmit information to their
health care providers as well as receive information from them.

The governance of a system should include patient advocates and
consumer advocates. They must have significant representation not only in the
governance but also in the standards setting and in the operational entity
itself.

And it must be public, transparent and accountable.

In considering these principles, we suggest that you view them
in their totality and not just take just some pieces and say, okay, we’ll take
this one and not another one because it’s important that all of them work
together so that there be an understanding of consumers that their privacy will
be protected and it will build a trust in the network.

We strongly urge HHS to leverage the interests of consumer
advocacy groups in this arena. We look forward to working with you on this.

I just want to mention there is one organization that I’ve been
part of, I’m on the board. It’s called the Patient Safety Institute, which in
fact is interoperable and it’s, A, an electronic record and it’s been working
in some pilot projects and has a lot of the components that those talk about
networks have discussed, and I would hope that when you do have further
hearings, you might have either Jack Lewin, who is the Executive Vice President
of the California Medical Association, who is the Chair of that group, or
Johnnie Walker, who is the Executive Director, to present information about our
experiences in that network.

And just on a personal note, I was at George Washington
University recently just having a colonoscopy and I’m there in my hospital
gown, you know, laid out, and I’m handed a clipboard to fill out my history
and, you know, what medications are you taking, like, you know – [laughs]
– you’re in a very vulnerable position then.

But it’s so unfair to consumers that there isn’t an electronic
way to have this information there at a major health care institution like
George Washington University, that you’re filling out these forms and trying to
remember when you had your last tonsillectomy or something. It’s just very bad.

Questions, Answers and Comments

MR. ROTHSTEIN: Thank you very much for that testimony, and we
have questions, I’m sure, from our panel members.

While my colleagues are formulating theirs, I will ask one of
both of you in an attempt to sort of compare and contrast your two policies,
and I thank you for giving us some specifics which in many cases we have not
gotten before.

Let me pose this situation. There’s a 55-year-old person who
decides that now is the time to purchase long-term care insurance and people
who need skilled nursing care cost at least twice as much as people who don’t
need skilled nursing care in long-term care facilities. And to make that
determination, for example, risk of Alzheimer’s disease and so forth, the
long-term care insurance company wants access to the complete medical records
of the applicant for the policy.

Now, as I read the AARP policy, nothing would prohibit the
long-term care insurer from making as a

condition of applying for the policy the signing of an
authorization. As I read 1B under the National Consumers League policy, that
would somehow be impermissible because the decision to share should be made
without coercion and pressure and that would be considered coercive.

Am I correct in my reading of that? Ms. Dubow, do you want to

MS. DUBOW: Well, let me just say that AARP was – we
subscribe to those principles as well. We were at that meeting as part of the
consumer thinking when Markle helped us think through some of those issues. We
were a party to that.

And it’s interesting that you raised this issue because we
actually had a conversation at that meeting about this issue and there was some
discussion around the reality of what kind of information you have to provide
if you want to buy insurance, that the consumer is not in a very good position
in that situation to be able to control the information. Nobody’s coercing the
consumer into buying the insurance policy; if the insurer is going to be
underwriting the policy, then that’s the information that they’re going to
provide.

So we had a discussion and a debate amongst ourselves about to
what extent consumers could realistically control their information with
respect to purchase of insurance.

I think a flip side, though, is that, you know, there are
instances where insurers, after somebody already has bought coverage, could see
what sites you look at on the Web to make determinations about changing
premiums, for example, where there would be certainly an invasion of one’s
privacy and the concern that people don’t want insurers to be able to access
that kind of information.

Our policy is not that explicit to take into account every
situation. But I think that we recognize that insurers are in a position to be
inquiring and obtaining information so that the consumer is not always in the
position to control this.

MR. ROTHSTEIN: Well, before I get your answer, your recognition
of that is not the same thing as a recommendation to do something about it. I
mean, are you sort of resigned to that’s the way things are going to be?

MS. DUBOW: Aside from the policies that you have around privacy
and confidentiality, we have extensive policy on insurance coverage, and we try
to balance the need to insure coverage for people and other issues, and to be
perfectly candid, we’ve waffled over the years on issues of community rating
because of our interest in seeing opportunities for more people to gain
insurance.

So I think that it’s very difficult to give you a black and
white answer. It’s a very complicated area and we try to balance our interest
in a variety of policy areas. And I think what we have is compromise.

MR. ROTHSTEIN: Okay. Ms. Golodner?

MS. GOLODNER: I think consumers will have to compromise
probably when dealing with getting insurance coverage. Sort of like when you
get a mortgage and you give up all your tax information. And I think consumers
I guess get used to the invasion of privacy in order to get that mortgage or to
get an insurance policy.

I still think that you should look closely at scenarios that
you just posed and see if there can be ways to balance the need for information
that the insurance company might have or that the long-term care facility might
have and the invasion of privacy of the individual consumer.

MR. ROTHSTEIN: Well, one thing that we talked about yesterday
was control of the nature of the information that would be disclosed, so, in
other words, matters that were deemed by somebody to be irrelevant to the use
for which it was put would perhaps under some system not be sent whereas, as
the sort of the current paper-based system, you practically get everything when
you ask for any of this.

I think an important point that I’m trying to make with this
question is that sometimes what is presented as an issue of privacy, or health
privacy, is really not a privacy issue; it’s more a substantive issue as to who
has the right of access to health insurance, for example, or on the basis of
what information may medical underwriting take place, or so on and so forth.
And if we wanted to take on those issues, it would be like our jurisdiction
would be unlimited.

And so there really is a limit to what you can do in regulating
privacy per se in terms of dealing with all these other access issues where
third parties have the economic leverage over individuals.

Well, perhaps I’ve gotten a rise out of you. I’ll just go this
way – Kathleen, then Harry, then –

MS. FYFFE: Thank you very much. I have a specific question for
each of you. Linda, you mentioned the Patient Safety Institute?

MS. GOLODNER: Yes.

MS. FYFFE: Is that discussed in your written testimony?

MS. GOLODNER: No, it isn’t. I was here a little earlier and I
heard your conversation of the Committee and it just seemed like it would be
good information to give you about the Patient Safety Institute because it
sounded like you were going to be going into having further hearing with
institutions and you talked about the Kaiser or a closed system –

P ALIGN=”left”>MS. FYFFE: Yes.

MS. GOLODNER: — and this would be a more of an open system
that I thought would be interesting –

MS. FYFFE: Right.

MS. GOLODNER: — for you to –

MS. FYFFE: We appreciate that, and I do have information about
the Patient Safety Institute.

My next question is – so you’re not really endorsing, or
you’re not a member of what the Patient Safety Institute is doing over in
Delaware, for example?

MS. GOLODNER: Oh, I am on the Board of Directors.

MS. FYFFE: You are?

MS. GOLODNER: Yes.

MS. FYFFE: Oh, fabulous. Okay.

MS. GOLODNER: And the Board of Directors is a balance of –
there are three consumers, three medical or health professionals, and three
institutions, and it’s a combination that has the dynamics I think that a
governance would be. It has the dynamics of providing the balance of the
questions that institutions have about privacy, that health professionals have
about accessing, and that consumers, the concerns that consumers have.

MS. FYFFE: If I recall correctly, there is a component of their
model that has to do with the trusted third party who holds information?

MS. GOLODNER: Yes.

MS. FYFFE: I don’t want to get into too much detail, but we’ve
got that recorded, thank you.

MS. GOLODNER: You might, you know, just want to look at that

MS. FYFFE: Okay.

MS. GOLODNER: — system as a model for governance and also in
interoperability.

MS. FYFFE: Okay, thank you.

Joyce, did I hear you mention during your oral remarks
something about an international study, and is that mentioned in your written
remarks?

MS. DUBOW: No, it was just an aside. And it’s a study that we
are about to commission. It’s just an opportunity for us. AARP has a global
aging program –

MS. FYFFE: Okay.

MS. DUBOW: — and we are interested in seeing whether there are
lessons from abroad to inform our understanding about PHRs.

MS. FYFFE: Okay.

MS. DUBOW: So it’s something we are going to do.

MS. FYFFE: Right. Can you just give us a general idea of the
time frame and, you know, it could be that the Subcommittee would be very
interested, or NCVHS would be very interested in the outcome obviously of any
study.

MS. DUBOW: Yes, I think we should probably have a study by the
end of the year.

MS. FYFFE: Okay.

MS. DUBOW: This year. But this is a sort of a broad brush
overview, again, to provide us with information that could give us lessons
learned.

MS. FYFFE: Fabulous, okay.

MS. DUBOW: So – I think we have to be careful about how we
define PHR to be sure that we understand what we’re getting, but that’s
probably by the end of the year.

MS. FYFFE: Super, super. Thank you.

MR. ROTHSTEIN: Mr. Reynolds?

MR. REYNOLDS: Thank you. You both have very clearly spelled out
both your requests and issues.

The question that I have is as we talk about quality, and both
of you noted in your testimony that from a quality standpoint you wanted to
make sure that personal identifiers are removed as much as possible. And as we
have other committees at NCVHS looking at populations and looking at other
things, de-identified for the HIPAA definition really says that passes as a
record. De-identification from a quality basis, when you’re trying to look
across populations, may not go as far.

Have you thought which of those definitions you truly are
dealing with because de-identified is a term of art right now? Devoid of
personal identifiers is open to the eyes of the beholder. So where were you
planning to go with that, and how do you see that playing out?

MS. DUBOW: We both know what you’re talking about.

MS. GOLODNER: Yes.

[Laughter.]

MS. DUBOW: Shall I go first?

MS. GOLODNER: Yes, go ahead.

MS. DUBOW: Well, I mean, I think it’s a fair point, and I think
we need to give the issue more consider as we move deeper into this HIT arena.
I think that our policy is developed by our volunteers. We have a national
legislative council of volunteers who propose public policy positions to our
Board of Directors. And staff brings to the attention of these volunteers
issues that are emerging that need to be considered.

And I think that this is an area where we need raise the issue.
They may decide to leave it alone, to give us as much opportunity to maneuver
as possible, but I think that our policy positions will evolve as we become
more knowledgeable about the specifics with respect to this.

We absolutely understand the point that you’re making. We want
to see de-identified information used as much as possible, but we do recognize
that at some point in order to really address quality concerns that there may
be a need to have more specific information, and we just haven’t grappled with
that yet.

MS. GOLODNER: I think we support the de-identified information
very strongly. However, it also is a matter of consumer choice, and if a
consumer wants to be identified or wants to be within a class that might be
reviewed or there might be a clinical trial that they want to be informed about
or want others to have their information, I should think that must be the
consumer’s choice.

MR. REYNOLDS: An example. I know in North Carolina Medicare
asked a number of the hospitals for X-amount of quality data to really take a
look across the providers as to what the quality was. In AARP’s testimony, you
mentioned that the patient would need to authorize that for public health
reporting, so, you know, you have some of these situations where as we move
into quality, trying to understand which providers are doing what, how they’re
doing it, what it means, and then on each one of those situations having the
patient consent to that quality – and one thing, if you were here earlier,
I mentioned how does it really work, because if you go through both of these
lists and look at the requests of all the places that the patient would do
something, and understand, I’m not pushing for or against, I’m asking the
question, that process of doing that seems almost dramatically more burdensome
than even now.

And so how do we get a balance, and how do you see that
occurring, based on what you’ve looked at?

MS. GOLODNER: This is a personal opinion. [Laughs.] And just
having, you know, participated in the health care system and watched people who
don’t really understand even why HIPAA’s there and are annoyed with it, perhaps
there should be some way that consumers can say, I don’t want to be asked this
question anymore; I don’t care about my privacy, and have a blanket permission
to use their information. I’ve just seen it sort of in the health care
marketplace where people get very annoyed with dealing with HIPAA.

MS. DUBOW: You know, I would hate to see that we make a
decision about this, or respond to this question, because of inertia or because
people are just so exhausted with the bombardment of inquiries that they get.

I think that thinking about it from a quality perspective,
we’re not going to get a good handle if we have inadequate information, which
would suggest, on the one hand, that we need to be able to delve adequately
into information on performance at the provider level, for example, which would
suggest that we may need some de-identified information.

On the other hand, I think that the vast majority of patients
are utterly and completely uninformed about what the quality information is
used for, why it’s necessary. I think they are uninformed about how the privacy
and confidentiality of their information is preserved or not preserved.

I think until we have a better understanding of how consumers
view this and a better public education campaign that helps explain to people
why we need to do things in a certain way – if there is a right way of
doing it – that we’re not going to arrive at a good solution to your
inquiry.

I think there are very good arguments. Health care quality,
after all, is the consumer objective, you know, and we’re not doing this
because we’re badgering providers to give us information; we’re doing it
because only 55 percent of the population gets recommended care. It’s in
consumers’ interest to see the quality improve.

So to characterize this as an issue that violates consumer
rights on the one hand and protect them on the other hand is not correct. This
information is supposed to inform our ability to improve care, which advances
consumer interest.

So I think that we need to engage in more education and provide
more information to people so that they have a better understanding, number
one, that there is a quality problem, and. number two, how we have to go about
solving the problem.

MR. REYNOLDS: Yes, I’d just to reiterate I wasn’t pushing for
you to decide that. I was making sure that we have a discussion, so –

MS. DUBOW: Okay.

MR. ROTHSTEIN: Marjorie?

MS. GREENBERG: Actually, Harry alluded to this, but I just
wanted to seek clarifications from Joyce. And hearing in your policies, you say
AARP opposes “the use or disclosure of an individual’s medical information
except as authorized by the patient for public health reporting as required by
law.” And my understanding is that HIPAA right now allows public health
reporting, certainly public health reporting that is required by law without
patient authorization.

So are you advocating that there should need to be patient
authorization?

MS. DUBOW: You have to understand the policies don’t
necessarily reflect what the law.

MS. GREENBERG: No, I realize that.

MS. DUBOW: At some point, we throw up our hands and we say,
okay, we know it’s the law. But sometimes, the policies reflect the views that
describe the way we think things ought to be.

MS. GREENBERG: Well, I just wanted to make sure that in fact if
you feel that your position is that information is to be provided for public
health reporting only if authorized by the patient. I mean, that’s fine, if
that’s your position. I just wanted to make sure.

MS. DUBOW: That is a fair representation of our policies right
now.

MR. ROTHSTEIN: Richard?

DR. HARDING: Thank you both. I kind of like your idea of
getting out of HIPAA free pass as you were saying, you know –

[Laughter.]

DR. HARDING: Get a card, and I’m out of HIPAA, you know! That’s
it.

MR. ROTHSTEIN: I think there’d be a long line of covered
entities waiting for that card, too.

[Laughter.]

MS. GOLODNER: Misused in the marketplace.

DR. HARDING: It was a nice thought, I agree.

What I was wanting to ask, and Joyce just kind of brushed up
against it in your last comments, was the educational task that we have about
HIPAA. And what I’d like to do is ask you all – we’ve had difficulty as a
government and committee and so forth really educating people about HIPAA, and
wondered if you had resources, ideas and so forth that would help in shaping
education, attitudes, capacity of people.

You know, we’re talking about the older population who have so
many complex medical problems that they’re all carrying and their children are
trying to carry for them and so forth. Is that something that you all could
help with? Should there be articles in your journal about the good news about
HIPAA, or what HIPAA has done, what it hasn’t done, what you should know about
it? I mean, I’ve seen some of those, but it just seems like there’s a lot more
we could do.

MS. GOLODNER: Certainly, there is a lot more we can do. But it
isn’t just the public, it isn’t just the patient, the consumer; it’s the
institution that has to make sure that they communicate what this paper is that
they hand to people and say, just sign here.

It is not simple, it is not clear, and it should be. And those
people, usually a clerk, who hands it to you to fill out, that’s where the
whole – it falls apart.

I think that there has to be an understanding on both sides
what it’s about and why it’s there. It isn’t just the consumer and patient.

On the other hand, we certainly can inform consumers about
privacy issues and inform them about HIPAA, but it’s a two-way street. It just
can’t be, you know, accepted, and these are long forms, and you’re not going to
read it. I mean, you’re there; you want your procedure done or you want to get
past that. But there’s a miscommunication between the health professional and
the consumer.

MS. DUBOW: May I say something? I think I would answer that
question in a couple of ways.

It happens that we have two papers that will be published soon
that look at HIPAA with respect to how it’s been used in health care quality
and research. And, frankly, the motivation for this paper was the fact that
there was so much misinformation about HIPAA in relation to these areas –
that it’s used as an excuse all the time not to do things that are well within
the purview of the entity.

So, you know, the Public Policy Institute, as I said before,
tries to stimulate and inform the debate and we have objective research that is
peer reviewed and we thought that this area required some clarity, and so we
are publishing – and there’s another one that we have coming out that’s
related in terms of medical records, a smaller paper, but it has to do with the
patient’s access to medical records.

In terms of whether AARP wearing its hat of advocacy, its
advocacy activities, would engage in a campaign on HIPAA per se, it’s not on
the agenda at the moment.

I think, though, health care quality certainly is, and
certainly it’s important as we discuss health care quality and health
information technology that people need to understand the implications that
HIPAA brings, and so I could see that we would address that issue not directly,
as you suggest, but to incorporate that into how we go about doing it.

There’s nothing on the table now that anticipates, as far as I
know, a broad campaign that would bring AARP resources to this. We’re a little
preoccupied with Social Security and the prescription drug bill that you might
have heard of.

DR. HARDING: Yes. But on the other hand, I think when you’re
looking at priorities, I’ll bet you that the issue of access to medical care of
elderly and what their families can see and be told in those kinds of things

MS. DUBOW: Absolutely.

DR. HARDING: — because of HIPAA is a big deal to a lot of the
population.

MS. DUBOW: Absolutely. There’s no question about it. As I say,
I think that if the question was would we explicitly direct our attention to
HIPAA, my inclination is that we would not. Would it implicitly be incorporated
into how we address these issues? Absolutely, for the reasons that you
addressed.

DR. HARDING: Thank you.

MR. ROTHSTEIN: Time for a couple quick questions and quick
answers.

DR. FITZMAURICE: Right. I wanted to revisit a little bit what
Harry was asking about in terms of identifiable data. It would seem to me that
researchers’ mouths would start salivating at the prospect of even the
de-identified 100 percent of a population, because then when you look at 100
percent, you get all the rare events that you might miss when you’re getting
every other one or so forth. And the issues of bias become much smaller because
the rare events and the lack of bias, even with the de-identified, research
would really be happy with it. And it helps the consumers and general public to
be more fully informed about the whole picture.

But for some things like for following up particular kinds of
treatments or quality patient safety events, you would want to have some
identification – not that you need to know who the patient is but just to
link the data. And if you link the data over time, then you can get
readmissions to the hospital. So you can do it with a smaller sample, but you
have to make sure that it’s unbiased.

So is there a question in all of this? IRBs look over what
researchers do, and the privacy rule requires that for privacy, the common rule
requires that universities pledge that all the research will undergo the
privacy rule or undergo the common rule or if they receive Federal funds.

Today, should consumers trust IRBs to represent the consumer’s
interest in health services research, the records kinds of research? And then,
secondly, has the privacy rule been a net plus for consumers? Are we consumers
better off it than without it?

MS. GOLODNER: I think we could trust the IRBs as long as
there’s consumer representation on them so that you get the consumer interest
represented. And what was the second?

DR. FITZMAURICE: The second one – has the HIPAA privacy
rule for consumers, has it been a net plus or a net minus? Has the burden been
greater than the protection?

MS. GOLODNER: Net plus because it lets consumers think about
privacy and they think about: What are they doing with my information? That’s
one of the pluses.

And I think it also puts the institution or the health
professional on guard that they have to be a little more sensitive to the
privacy of an individual.

MS. DUBOW: This isn’t AARP policy. I think that the IRBs are
– I mean, you want IRBs, you want IRB. I think that there needs to be
– I mean, I know there are certifying bodies now that are actually looking
at IRBs in terms of their organizations and their practices and I don’t believe
that every IRB is as good as others. I think there’s a lot of variation, so,
you know, for what that’s worth, I’m skeptical.

I think that with respect to HIPAA on balance, I think it’s
certainly important that we have this piece of legislation. I think there are
areas where it could be improved. I allude to a few places in the statement
that I provided. But I think I agree with Linda. I think the awareness both on
the consumer side as well as on those who are handling the data, and I think
that’s a very important achievement. We can improve, but I think that’s an
important achievement.

MR. ROTHSTEIN: I have one quick final question.

One of the purported benefits of an electronic health record
system is that consumers would have the ability to access their own records
electronically and do all sorts of things.

Older people are the least connected and the least electronic
savvy and so forth. Are you concerned that if we create – well, as we
create such a system that we’ll have an effect of sort of a two-tiered health
information system where the older population is sort of stuck where we are
from their access perspective, no gain, whereas younger and more computer savvy
people will be able to do all these things? And if so, what sort of things are
you doing or might we recommend doing so that the older population gets the
benefits of an electronic health records system?

MS. DUBOW: There’s clearly a divide. I mean, we saw that in the
very recent Kaiser Family Foundation study that looked at Internet and computer
use among people 50 and older and you can see clear differences between the
population 50 to 64 and those who are over 65.

Everybody always says that this is going to be a short-lived
problem because those of us who are approaching 65 are savvy and do use
computers and feel more comfortable in that environment.

I’m hesitant to draw any conclusions because I think that when
people age, they also bring other attributes, if you will. So I’m not a hundred
percent persuaded that a savvy techie, you know, who is under 65, at 85 is
going to necessarily feel confident.

Well, you know, it’s hard. I think the screens are hard to use;
I think people have less confidence in their decision-making abilities just in
terms of visual impairment. I think that this is something that is
researchable. We can’t do it yet, but I think that we ought to be examining
this to have a full understanding of what happens when the generation that is
now comfortable begins to age in and we’ll see what happens.

Nevertheless, I think that this is an area of improvement, if
you will, that is happening. I think that there will always be a need to target
communication and interventions to meet the specific needs of the population
we’re dealing with. There will undoubtedly be some people even, you know, the
old-old, who are comfortable. My Aunt Sarah is 90 years old and she uses a
computer. If I’m lucky, I’ll have inherited that side of the family’s genes.

But, you know, I can also name a lot of people who are not able
to do it. We have to have targeted approaches, and we can’t rely on knowing
that there’s one size to fit all.

MR. ROTHSTEIN: Ms. Golodner?

MS. GOLODNER: It has to be available in paper also if someone
asks for it, so, I mean, that’s one answer.

Also, by the time that techie is 85, I think the technology
will have changed so rapidly that it will be something – you’ll probably
have a little chip in your –

MS. DUBOW: Right.

MR. ROTHSTEIN: Well, I was also thinking that –

MS. GOLODNER: — elbow.

MR. ROTHSTEIN: — maybe it would allow them to become computer
savvy.

MS. DUBOW: But they may not want that burden. There’s an
information burden that they may not be willing to assume, so –

MR. ROTHSTEIN: Right.

MS. DUBOW: — I think we need to be very careful about drawing
conclusions one way or the other. There will be some who feel that way, and
there are going to be others who want their doctors to be making the decisions
for them and controlling their information.

MR. ROTHSTEIN: Yes. I thank both of you for your testimony.

And without any interruption, we’re ready for Panel Number V,
and so I want to welcome both of you and thank you, Dr. Martino, for
pinch-hitting for us, and we’re anxious to hear your comments.

Agenda Item: Presentation – Dr. Janet
Martino

DR. MARTINO: Okay. Sorry to jump the gun on the light show,
but I knew you wanted to move along. I just want to send David Harrington’s
apologies. He had some business out in California with his board that had to be
attended to, so I’ll be standing in for him.

This is of course the second time MedicAlert has briefed the
NCVHS, not in this particular Committee, so I’ll try to keep it brief about the
background.

MedicAlert sees itself as being in the business of protecting
and saving lives. We try to enhance patient safety and improve quality care by
providing secure data, collection and storage and accurate and easy transfer of
the medical information to health and safety professionals 24 hours a day
anywhere in the world.

So with that behind us, our basis, one of the newer areas of
services that MedicAlert is developing and probably will offer later on this
year will be personal electronic health records in collaboration with Wendy’s
group, CapMed. MedicAlert has had an EHR for managing medical information for
our members.

This EHR is designed to be compatible with health care
industry standards, and we anticipate that the data will be coming in from many
new sources beyond the patient-entered data. The CapMed personal health record
product will allow our members to maintain their own information and their own
records with bi-directional updates to and from the MedicAlert EHR, and of
course this would all be at the direction of the patients. These records can
then be made accessible from the MedicAlert website, from the personal health
record carried on a USB key which Wendy will discuss after me, or by calling
the 24-hour call center.

Other services that MedicAlert offers would be the document
repository services. Here, we’re really talking about written advance
directives and pre-hospital DNR orders. MedicAlert is officially recognized as
a provider of pre-hospital DNR orders in 10 states which allows a responding
paramedic team to call up to MedicAlert or look at the bracelet or emblem and
accept the DNR before providing extraordinary care in the field. Once they hit
the hospital, another document would need to take over.

I’ve had experiences where friends have had where that would
have been very nice to have to prevent episodes that were just not necessary.

We do some professional education and training. This is mostly
addressed to emergency responders. Through our links into the PHR application
and the websites, we are trying to enhance patient education by linking them to
medical information and allowing them to use sites, websites, that are
specifically disease specific.

And, of course, we do family notification services in the case
of emergency.

Today, our privacy and confidentiality policies are that all
medical data is directly provided by our members. When they register for
MedicAlert, they give us prior written approval for all storage and transfers.
There’s essentially a standing order with respect to emergency care which is
the primary service that MedicAlert offers.

Our emergency response team, which handles all incoming calls
and requests for patient information, has a 10-step protocol to authorize that
the person calling is who they say they are and is authorized to receive the
information.

The website and the technology piece of this is pretty
standard – things like member number/password, allowing patient-specified
additional information: What was your pet’s name and where did you go to
elementary school? That kind of thing.

And, of course, we use secure encrypted transfer of
information.

Now, MedicAlert, as it expands its business model, has
recognized that we need to be much more broadly interoperable. Our EHR needs to
be able to not only accept

data but also send data to various other organizations. Our
next generation enterprise architecture will include the standards that would
be necessary, such as the HL7 reference information model and the functional
outline. And, of course, we’re looking and working with the OMG HL7 services
specification, which is the technology to enable this interoperability.

Why we need this is we want to expand our scope of information
sources for our patients and members, try to get information more directly from
provider ERHs, payers, labs. One of the things I noticed as I used the PHR, it
took a long time to enter the data, especially the first time, and even for
data quality issues, it would be much better to have these things come in
electronically more directly.

We also intend to expand the scope of drug utilization
reviews, working and interoperating with chain drug stores, pharmacies and
pharmacy benefits providers.

Now, we’re talking about the management. All of this requires
the management of patient-directed authorizations for release of information.
As you heard from the earlier panelists – I’m actually sorry they’re not
in the room because I want to pick up on some of the things they said –
these needs are going to really drive a lot of the requirements of how we do
this interoperability. Now it’s not a simple matter of MedicAlert having an
authorization standing and allowing us to give data. The minute we want to
start collecting data, every one of those external partners are going to also
need authorizations to send us the data, and it becomes a lot more complex.

In order to proceed down the line we’re heading, we’re trying
to enhance all of our security measures and these are in various stages of
deployment. This is a couple of slides for the technically minded here. We’re
offering multi-tiered data access authorization, internal network domains with
firewalls, internal hacking and intrusion detection as well as external because
that’s a very common way of privacy being invaded is by the internal workers of
an organization.

We’re obviously using audit trails, one of the policies that
they insisted on – they want to know who, what, when, why that record was
accessed. Much of that can’t be done on paper, so if the patients really want
that, they have to allow electronic records to give them that level of control
and information.

We’re also using password guesser algorithms to test the
quality of the passwords that people are using. We can now pretend hack –
pretend hackers, to see that the passwords are holding.

Encryption of course is going to be critical. Externally,
access hardware in a DMZ.

I started to ask the question like, what does that really
entail? And immediately got drawn into the networking weeds, so I’m going to
leave it at it’s the preferred method of external access to secure networks.
And if you need any more detail than that, we’ll just have to bring somebody
who knows a lot more about it than I do.

Another interesting addition is the data source notations so
that we know who is putting the data in and where it came from. I know
physicians, as they use the data, and other health care providers, need to know
where it came from and how hard core it is and how valuable it is, you know? We
don’t trust anything.

And this is the requisite techie slide. Basically, it’s just
showing at the bottom the logical movement of data – see if this works, I
believe – from something like, for instance, the CapMed key through their
hub over the Internet, hitting a firewall, going through an authorization
protocol, and then Web services and components that are internal to MedicAlert
to manage some of the policies before data is actually entered into the
database.

The concerns here are a security layer, an identity and access
management layer, and then the management services, the technology services,
that are being provided with our business logic.

The top is just a list of products that we happen to choose to
do this. We’re not advocating for any of those in particular, but just to show
what we’re doing.

Upcoming issues. Three major issues that I think we’re going to
have to face, and I’ll go into each one a little bit more detail, authorization
management for the release of information, since much of our potential business
with external partners falls outside of that umbrella of direct medical care
and treatment.

We would like to improve the authorization of emergency
responders for release of information. And one thing that I really wanted to
challenge our consumer organizations was taking part in member education and
consumer education with respect to the implications of the decisions they make
to either release or withhold.

As an internist, I want it all. I need to have all of it to
make sure that I’m actually making correct decisions for my patients, so I’m a
little bit – and this is personal – I’m a little bit nervous about
patients withholding data because they’re not trained to understand what’s
relevant and what isn’t. And I’ll get into that more. It’s a little bit my own
hobby horse.

Authorization management. We understand, and we’ve heard here
very, very clearly that the patients want to be in control of who sees what and
for what purpose. As I mentioned earlier, as we expand to our provider health
pure electronic records, our payers, employers, pharmacy benefits managers,
laboratories, on and on and on, we want to be able to collect data directly
from these organizations.

As I was sitting here listening to this discussion earlier, I’m
thinking – I tend to make an analogy between a PHR and Quicken. I’m an
inveterate Quicken user, being again a very precision-oriented internist. I
followed a male group where fairly technically savvy people who already
self-selected as people who liked keeping their checkbooks on their computer
– you know – having all sorts of problems and going on and on as they
attempt to make direct connections with their banks and financial brokerage
houses or whatever to download their financial data. It can be done, but it
requires a lot of fiddling and know how on the part of the users of that
software.

So for broad acceptability, I don’t see that in the future that
patients who have their medical Quicken, their PHR software, being able to
effectively keep their records up to date by downloading information from all
the various sources out there – their labs, their doctors’ notes, their
hospitalizations and whatever. It’s a large burden technically to expect people
to learn to do this.

So I think MedicAlert, as posed as the sort of the information
bank and facilitator for this, would like to envision an environment where this
information can be drawn into the MedicAlert EHR and repository and then
through our secure connections it could be used to upload much of the data to
the PHR key.

This is a future vision. Clearly, we would have to have all
sorts of authorizations in place for this, and managing those authorizations I
think is going to be a huge technical issue. I think we need to start thinking
about how we would implement such a service.

Right now, absolutely you shouldn’t be on a table ready for
colonoscopy with the draft coming in the back trying to think about signing a
HIPAA form. That should be there; it should be online, available to whatever
providers need it.

With respect to authorization of release of information out to
callers for information, clearly role-based access privileging as a technology
will be critical to us. The current paradigm, as you see in the last bullet, is
authorizing emergency responders who are calling in – “Hi, I’m Dr.
So-and-So from Such-and-Such Hospital. We have Patient X. Can you give us their
MedicAlert data?” We have to be able to manually, if you will, authorize
who those people are.

And it’s adequate to today, but I don’t think it will be
adequate for the future to just try to ask them a series of questions. So I’m
thinking about: What else can we do to enhance their ability to authorize
themselves to our responders?

I’m wondering about potentially the use of the provider and
facility identifiers. I know if I walk into a local pharmacy and hand them a
prescription that I’ve written, they want to know who I am. They ask my DEA
number to try to validate that I’m authorized to do that. And potentially we
could use some of these facility identifiers in that manner.

I’m very active in the services specification project which is
a very new project that’s been stood up. It’s a joint, very synergistic
activity between HL7 and the object management group health care domain task
force.

We right now have defined sort of a long list of services,
common services, that need to be addressed, and we’re going to be shortening
that list to probably the top three for the next year.

But this will address primarily technical requirements for
interoperability. And over the years that I’ve been working in computer-based
patient records as they used to be known, the one place that I really found
difficulty, the people tend to not think about the functional requirements
required for the levels of security and privacy and access that we’ve been
talking about today.

So an organization like this, especially in terms of the
recommends to the NHII, and Dr. Brailer’s group, on what can the government do
to enable and enhance and foster and incentivize work that would help us get
the job done, there are some areas I thought might be of use.

The first is a standard list of common roles. I remember some
years ago finding out, I think through HIPAA, a standard list of
sub-specialists and specialists’ names, okay? And everyone would say, okay,
this is the list of types of docs and types of physical therapists and types of
whatever, a group to really think through.

Okay, what are the kinds of roles we’re imagining here and what
a role it would be on your primary care physician, the ER doc, the consultant
who comes in to see you in ER or a hospital. Those need to be defined.

And the situations, the common situations and contexts. When
one looks at role-based access privileging, it’s more than who you are, what
your role is, but also the context, so that I may be able as internist be able
to be authorized to see more about a patient who is my primary patient than
potentially I would when I’m consulting for some other physician on a specific
problem. So outlining what those are would be useful.

And clearly, guidelines for policies. What should our policies
be? Who should be allowed to see what?

I know a lot of that’s been left to the individual institutions
to sort out between themselves. But I think the Federal government can really
help by initiative a panel to start having these discussions with consumer
groups, with health care groups, everybody concerned, all of the stakeholders.

We need to start hammering this stuff out because I believe
that technically we’ll be able to do it – I mean, I know products out
there that can handle role-based security and access privileging at this level,
okay?

What’s missing is the content of those decision engines, the
contents that say, who do we think should see what? And as far as I’m
concerned, that’s the hard part, okay? So that’s a plea from those of us who
are trying to develop systems.

And the last area of concern, which my computer will hopefully
show to you, is the consumer education and counseling, okay? It’s not enough
for us to tell our patients: You are in charge. You can tell us what we get and
what we don’t get. They are not the people with the medical education to
understand what’s relevant.

Now again, as a global thinker and an internist, I had a hard
time thinking of a good example of where it would be okay for a patient to
withhold information from me. Like I say, I want to know it all. But, for
instance, if you break your leg during a softball game and you end up in the
ER, the ER probably doesn’t need to know that you had an abortion three years
ago.

On the other hand, when you look at MedicAlert, from a
MedicAlert point of view, should a patient allow his HIV status to be released
when he’s in an emergency room, in an emergency situation? Many patients may
say – oh, no, that’s – I’m not telling anybody, I mean – and
these are subtle things, you know? I would really like to see health care
counselors assigned to discuss situations with patients.

I was a little bit upset that AARP said oh, no, we’re not going
to deal with HIPAA right now because we’re dealing with Social Security. When I
read all of these journals from AARP, other health care – consumer
organizations, when I read Newsweek or Time or the business
section or whatever, every week I see multiple articles on: How do I handle my
retirement finances? How do I do asset allocation? What’s the difference
between stocks and bonds? And this and that and spiders and cubes and whatever.
I have an excellent information source on financial matters and it’s out there
every single week in many of these journals.

And what I don’t see are the same level of articles discussing
these kinds of issues, okay? Consumers don’t need to be educated about HIPAA.
They need to be educated about what they should be doing with their information
and where it’s critical and where it’s not.

So this is a little bit of a personal hobby horse. You got me
all wound up with that –

[Laughter.]

DR. MARTINO: — previous discussion.

MR. ROTHSTEIN: You should have been here this morning!

[Laughter.]

DR. MARTINO: Ah – yeah! Then I never would have shut up!
[Laughs.]

But anyway, those are the issues that we see coming down the
pike that are going to impact how MedicAlert does its business. We see
ourselves as part of a broad community including government as well as
consumers and health care organizations, and I’d like to thank you very much
for this opportunity to vent.

MR. ROTHSTEIN: Thank you for your venting, and we will have
some questions for you after the next presentation. Ms. Angst, as soon as
you’re set up, take it away.

Agenda Item: Presentation – Wendy
Angst

MS. ANGST: Okay. Well, I do have a little voice, so if anyone
can’t hear me, please let me know. My name is Wendy Angst, and I am the General
Manager of CapMed, and we’re an organization that is focused on personal health
records, so the discussion that was starting to go on I found very interesting
because sort of the default for a personal health record is people assume that
it gives the patient a view into a physician’s electronic system or that it
provides an online vehicle for patients to self-enter information and they do
this on an online website.

That is not CapMed’s model; we’re a little bit of a different
bird, but we consider ourselves very consumer- centric and very flexible as far
as finding the best way to engage consumers in doing a better job in partnering
on their health care.

So our model again is consumer-centric, and as Janet had
indicated with the Quicken model, we use that analogy quite a bit because like
with Quicken when it initially began as a software program, people could use it
to self-track their financial information. And as banks increasingly began
offering that information electronically, you could exchange information with
your different brokers, with your different financial institutions, and you as
a consumer could aggregate that financial data into your own financial
management tool.

So that’s a similar model that we’re approaching with health
care for a variety of reasons, least of which is that there’s not a lot of
electronic data available today. So we’ll touch on that as we go.

So we view our model, our personal health record model, as an
untethered personal health record. It does have the ability to aggregate
information from electronic health records that are going to export data. Most
recently at HIMSS last week, we were a part of the interoperability showcase
where we demonstrated how we could take information out into E’s(?) medical
record and NextGen’s medical record and a variety of different EMR vendors and
enable the patient to bring that down into one system.

We also have the ability to interface with home monitoring
devices, so blood pressure monitors, glucose meters, electronic scales, things
that a consumer is doing in their home to monitor and manage their own health.

And thirdly, the ability for consumers to self-enter
information. So we do that through pick-lists and through wizards and we think
that that is always going to be a critical piece of any electronic record
because you always need some level of information that’s input by the patient.

So bundling all of that together to create a true
patient-centric record that can provide a lot of value to the different
entities that provide health care today.

We have 400,000 health records distributed, with another
100,000 set to be distributed through a hospital in March. And patent pending
on our personal health key. And I did bring along a couple of samples for
anyone who’s interested just to get the visual of the concept, but it literally
is a CD-rom, so it’s tangible, it can help consumers, you know, understand,
feel that they own and control this, and I wanted to touch on this because some
research that I’ll point to – earlier, when we were talking about age of
users, the CapMed users that we interviewed about the product and how they’re
using it and what they’re doing it, our largest age group was age 51 to 60,
followed by people 61 to 70.

And I think a big part of that is because we’re not mandating
that people have to go to www.anything to
become active in managing this information.

Our products are Internet-enabled so they can be stored on the
desktop and directly link patients to electronically exchange information.

And the other product, too, is the portable health key, so it’s
the same health record, just in a different form factor that’s completely
contained on a portable device.

CapMed was acquired by a publicly traded company in November of
last year, so we now have the ability to be present at a lot of shows and do a
lot of good things, which is great. But our roots do go back to the early
‘90s. We began as an extension of an electronic medical record and have
been focused on patient health records since 1996.

So again, with our consumer-centric connectivity, we’re putting
the patient in the middle of helping to connect all of these pieces and helping
to make sure that their information is getting to the right place at the right
time.

We have four levels of CapMed PHR users – those who want
complete control and store their information on their desktop, and again, that
has been the model that we’ve started with and the bulk of our personal health
records that are out there have been in CD-rom where people literally are
managing their information on their own PC.

If they’re choosing to exchange information then with a
provider, they’re either printing it out and hand-carrying a report with them
and then more recently they can transport it again with a portable device and
then most recently, which Janet had alluded to, we have begun offering a hub
service for the exchange of information electronically.

Secondly, those who want information portable, and the term
that we use for that is the individual’s the “chauffeur” of their own
health record. And again, using the portable health key device, the consumer
can take their information with them wherever they go.

Thirdly, where the consumers serve as a gatekeeper, so they
control the access of who has information to it, and we think that both the hub
and the health key fit in with that.

And then storing health information in a trusted bank which
also is, we think, a phenomenal service, as with our partnership with
MedicAlert, an extremely, you know, high brand, trusted brand, for consumers,
so they have a great deal of credibility to be that third party mutual source
to help consumers store and make that information available when needed.

So the way that our health record works.

And I’m going to share with you some research that we’ve
recently been involved with is that we give consumers the ability to deposit
information into their own personal health record. So this is just looking
actually what we did for HIMSS, so I could download information for a
participating EMR vendor, I could download information that may be transferred
at the point of care with my portable device, download information from my
devices at home or self-enter my own information.

Additionally, I can also transfer/withdraw information out of
my health record, and when I choose to do that, I have the ability of taking a
provider-entered report which we’ve been following on the continuity of care
standard that’s emerging, but take that standard and without manipulating it at
all as a consumer, transfer it from Physician A to Physician B and just sort of
be a mechanism for that transport.

Secondarily, we also give consumers the ability to aggregate
all of that data from different EMR vendors, bundle it up with some of their
own information if they choose, and export that back, and that does follow the
appropriate data codifications so that that can be exchanged and imported
directly into a physician’s system.

And third, from any report within our health record from family
history to graphing lab values to medical images can be put into a report and
transferred out of the patient’s record.

So the way that we are viewing the information exchange
currently is if you have your patient at home, which the majority of patients
these days do have a PC, they have a personal health record which could be a
CD-rom,

it could be online access, it could be the portable device, and
through the secure hub, they’re able to send information out, and for those
providers that have electronic records, a notification is sent to those
providers that information is available on the hub from the patient and the
physician can go out and view that information and choose to print that or
bring that into their EMR.

But realistically speaking – I mean, as I’m sure everyone
in this room is well aware – you have 15 percent of providers with EMR,
you really have a lot more of the guys at the bottom with the paper chart. So
part of our belief in promoting the portable health key model is that even if a
physician does not have EMRs — the majority of them do not – 99 percent
of physicians do at least have a computer in their office.

So, practically speaking today, there are solutions and ways
that consumers can be involved to help with the private and secure transmission
of their information to make sure it gets to providers at the point of care,
because realistically there’s not many other ways to do it with the way the
system exists.

So the benefits of using a PHR and I know a lot of people have
been quoting the Connecting for Health Study – I was involved with that
research as well and think it was phenomenal – but just the overview of
patients have better care and it’s more reliable, more efficient. They have
greater satisfaction.

So I wanted to just highlight these benefits that we’re all
aware of of why it’s important for consumers to use the personal health record
to set the stage for some of the research I’m going to introduce you to next,
which is really looking at from the standpoint of a study that addresses why
consumers are and are not using personal health records.

Before I do that, research on our personal health record users
that was conducted in 2002 by the Smith School of Business is that 95 percent
of those surveyed do think it’s valuable to keep their information in one
place. Close to 80 percent would rather keep it on their PC than the Web. Most
managing a chronic condition believe it’ll decrease the chance of errors –
actually believe it improves their physical health, by 39 percent. And less
than four percent thinks that their physicians want them to use a PHR, which I
think is a pretty interesting statistic.

But focusing on the privacy aspects, that 80 percent would
rather keep their information on a PC than the Web, and I agree – I mean,
a lot of that is education; people don’t necessarily trust the Web today. But I
would ask each of you to consider how many use financial programs today where
you store all of your financial information on the Web. There’s a lot of
parallels that can be made between financial information and health
information.

And then the other PHR research, again with FACCT, that 91
percent of the respondents in their survey reported being very concerned about
the privacy and security of that information. And with Harris Interactive, of
the 13 percent who did keep electronic records, only one in 13 kept them
online.

And again, this is not saying that that’s not the right model.
It’s just that it’s not the only model, and there’s, you know, a lot of
different needs we need to address.

So research that we conducted in conjunction with the new
Center for Health Information Decision Systems at the Robert H. Smith School of
Business looked at how familiar people were with personal health records, how
involved they are in currently managing their own health.

It went through the process of defining, for those who didn’t
know, what a medical record was, both from the standpoint of what a physician
would do with one as well as what a patient should do with one.

We provided photos and examples of five different models of a
personal health record from keeping a paper-based diary to using an online tool
like a CapMed PHR or like a Quicken program to track their information to using
a system that you would manage all of your information on line to where you
managed it with a portable device and then a hybrid. So we describe each of
those scenarios, provided pictures, and then used that as the basis of what
people’s understanding was of these types of examples and how they’d like to
use them.

So what would cause their desire? Do they travel? Do they have
an illness? Are they a care giver? And what primary features would they use?
And then, what would encourage versus prohibit?

So I’m not going to present all of this research because this
research is currently in an active paper, but if you look across the bottom, we
have physicians, hospitals, employers, pharmacists, pharmaceutical companies, a
special interest group, and an insurance company. So those were the categories
that we used to break down who should be a sponsor or an encourager of a
patient to use a personal health record, because all of these groups right now
are playing in this space in some way, shape or form and there’s good reason
for even a company like CapMed to want to say, okay, employer, we’ll customize
this health record for you and you can distribute it because you have the
resources to get it into the appropriate hands.

What we found to be very interesting, though, was the fact that
you had people who were very uncomfortable with an employer and a
pharmaceutical company providing a personal health record.

I’m sure that’s not surprising for many of you, but if you look
at models – even I was interested that WebMD was going to be here with the
WellMed product – it is a model that a lot of people are promoting because
an employer does care if you, the employee, are healthy, so it would make sense
for them to provide you, the patient, with the tool to manage your health.

And alternatively at the end, if you look at the 40.1 percent
would like to get their health record from a physician, which makes sense; it’s
the most trusted source.

I was a little surprised by the special interest group. We did
give the example of a special interest group as AARP, who unfortunately has
since left, and people weren’t that trusting, so I was surprised by that
because I would assume that that would be a group that they would trust to
provide the health record.

So employer and pharmaceutical being the worst and physician
and hospital being the two highest rated sources for trust.

So if you aggregate the ratings because it was looking at
“I’m uncomfortable,” “I’m moderately uncomfortable,”
“I’m very uncomfortable” versus “neutral comfortable,”
“moderately comfortable” and “very comfortable,” I
aggregated those together and if you look at from the standpoint of, again,
special interest group and pharmaceutical and employer were the three groups
that had the highest rating of not being comfortable in aggregate with
different varying levels of being uncomfortable.

Similarly, you had your hospital, your PCP, your pharmacist and
your insurance company as all being rated as fair with your doc and PCP
obviously being the most trusted source to encourage a patient to use a
personal health record.

Just looking at this a little bit of a different way, we asked
the statement: What are concerns that keep you from using or endorsing a
personal health record? And the highest one was cost, which is a little bit
surprising, but we address in the study: If you as a consumer were going to buy
your own personal health record, what would you pay, and would you pay for
someone to help you maintain it and to get access to that data?

So people are concerned about the cost. I mean, they like the
idea, but they don’t want to pay for it.

But secondly, the biggest concern was the privacy of their
information. We did delve into that a little bit

about what that means because as I think Mark had alluded to
earlier, I mean, there’s a lot of different things of what privacy means. Is it
access, is it sharing the information? I mean, privacy has a lot of different
connotations to it.

So we, again, addressed that a little bit in the study, and
those results will be presented at TEPR in May.

And finally, the value statement of privacy and security
concerns that would keep me from using any PHR that is either stored or
transferred on the Internet. We had the bulk of folks strongly agree that
privacy and security concerns would indeed prohibit them from storing or
transferring their health information over the Internet.

And which type of personal health record would you choose if it
were provided by – and it’s the same group across the bottom there, your
physician, your hospital, your employer, your pharmacist – but what I
thought was interesting is that a group would most likely choose
“none” if the health record came from a pharmaceutical company or
from an employer; they would rather use nothing.

However, if you look at what they would use, they chose the
hybrid Internet USB product which again was described as a combination between
having sort of an online ability to exchange information and access information
but your ability to also have it in your hand and to know that this information
is going with you and you’re designating who has access to it.

So we thought that was interesting obviously it supports our
model which, you know, we sort of wanted to do, but the fact that it was
unbiased research. But getting this hybrid personal health record from the
physician again and the hospital are the two most trusted locations.

So in summary, the value of the PHR use is undisputed. I mean,
everybody recognizes the fact that patients who are more involved in their own
health care do have better outcomes, and everybody wants that. The privacy is a
variable that you have to look at, not only the access but also the sharing of
that information and who has ownership of that information. And that’s
something that will be as variable as — happy to hear AARP say that their
members don’t have one standard position on that; it’s something that is
flexible and it’s as flexible I’m sure everyone in this room might have their
own idea of how they’d like to control, manage and access their own health
information.

So it’s really not about having a personal health record
available but providing the right solution for consumers that will work for
them.

Questions, Answers and Comments

MR. ROTHSTEIN: Thank you very much. Let me just start by asking
a simple question, I think. What right or ability does the individual have to
edit the information?

MS. ANGST: Well, our model is really designed that you as a
patient could completely use your personal health record without having to
input any information electronically from your physician. It’s really designed
as a patient-centric tool.

So, again, with the analogy of Quicken. You could walk into a
store, you could buy Quicken and go home and begin tracking your information.
It’s the same thing with our product.

When you look at the interfaces that we do electronically with
EMRs – NextGen, for example, we have a relationship with them where they
promote our PHRs as an extension of their EMR product. The way that that is
designed is you would be able to receive a record from the NextGen EMR product
into the patient system and that would provide an audit trail within the
patient’s record so they could see that a report came in and then attachment of
that report is there that the patient can’t change.

MR. ROTHSTEIN: You’ve gone way beyond my question. Let me just
ask you this –

MS. ANGST: Sure.

MR. ROTHSTEIN: — okay? You’re my doc, all right? And I’ve got
your system.

MS. ANGST: Right.

MR. ROTHSTEIN: And I want to download my electronic health
record from your system to me.

MS. ANGST: Right.

MR. ROTHSTEIN: Okay. I can do that, correct?

MS. ANGST: Yes.

MR. ROTHSTEIN: Okay, now I go to Dr. Martino, and I want to be
her patient, and I’m going to transfer to her my electronic health record, and
why is she going to trust that it’s complete? That’s something you alluded to
in your remarks if now I have the ability, as I think I understand you saying,
to, you know, delete stuff that I want to delete – am I essentially
correct in describing that?

MS. ANGST: Well, what I was mentioning with the audit trail, if
you received in your record from the physician electronically –

MR. ROTHSTEIN: Right.

MS. ANGST: — it would say “record came in from Dr.
Smith.” And an actual snapshot that you as a patient cannot change is
attached in the audit trail as the file. So there’s a snapshot of what you
received that is unchangeable by you, the patient.

MR. ROTHSTEIN: So that’s my question.

MS. ANGST: Yes. Then you can also take that information,
though, and build it into your own personal record.

MR. ROTHSTEIN: So when I go take or transfer my records to Dr.
Martino, there is some element that I can’t disturb?

MS. ANGST: Absolutely, right. But the bulk of the patient
record, though, will have some semblance of information that maybe came from
that physician report but it will also have information that came from you, the
patient, and it’s sourced what came from you, the patient, versus what came
from the physician.

So what I’m trying to get across is there’s really two ways.
There’s one, that audit trail that will have the report attached within your
personal record. And then there’s also within your aggregate of all of your
data, it’s sourced. It may not mean that you as a patient have selected to
input everything that came from that EMR. If you chose not to include the fact
that that physician diagnosed you with HIV, you could choose as a patient to
not build that into your own personal record that you’re carrying with you.

MR. ROTHSTEIN: Right, but that would get to –

MS. ANGST: It would, yes.

MS. FYFFE: Let me help.

MS. ANGST: Okay.

MR. ROTHSTEIN: Hurry up. Help would be much appreciated.

MS. FYFFE: Yes, okay. Let’s say I had, as Dr. Martino pointed
out as an example, I had an abortion three years ago and the record that I
downloaded from you as the physician has that in there –

MS. ANGST: Right.

MS. FYFFE: — the only way for me not to include that
information when I go to Dr. Martino is to completely exclude that record and
not have it be part of this personal health rate that I’m porting over to Dr.
Martino, because otherwise – okay, and so then the fact that I’ve had
allergies and all this other benign stuff which would be helpful to her she
wouldn’t have because I’ve decided, you know, it’s all or nothing.

MS. ANGST: Right, right. But I guess what I’m to get across is
the personal health record by design enables the patient to aggregate health
information, so I can aggregate that report that I took from Dr. Smith and I
can also input my own information.

MS. FYFFE: Sure.

MS. ANGST: But I could choose, as I’m aggregating all of that
together, to not include everything that came from Dr. Smith because as a
patient health record, I have the right of what is going to be in my own
personal health record.

MS. GREENBERG: You can delete it from your personal health
record but you can’t delete it from the record –

MS. ANGST: You can’t delete the report, right, right. Does that
answer your question? I guess it’s sort of a different –

DR. MARTINO: The patient has a choice of what is sent out from
the PHR as well.

MS. ANGST: They do.

DR. MARTINO: They can say “I don’t want this information
passed on,” but I can pass on the – it’s not all or none. The only
thing that’s all or none is the actual scan of the document that the physician
gave.

MS. FYFFE: Okay. Let’s say I’ve been to a psychiatrist, okay?
Or a cancer specialist, an oncologist. And that stuff has come in, and there’s
an audit trail of it.

If I don’t want my next doctor to know about that, I simply
don’t have that whole chunk, right?

DR. MARTINO: I believe you can have it in your own record

MS. FYFFE: But I’m not talking about the consumer personal
health record. I’m talking about the actual legal medical record that one
doctor has put into my thing, my USB port. There’s no flexibility for the
consumer to pick and choose what information is going to be included if it’s
come from a doctor’s office.

MS. ANGST: That is absolutely correct, right. So, yes, and if
you follow the continuity of care record standard, the physician is the author
of what information they’re choosing to disclose.

What we give the patient the ability of as a personal health
record owner is the ability of what they’re choosing to accept and build into
their own living record. They can’t change the audit trail, but I can change
what’s in my own living record and I can update, which is sources being updated
by me, a patient, and it’s also sources that comes from a physician.

DR. MARTINO: From my point of view of seeing the patient, it
weakens my acceptance of that particular data because I can’t see the full
note, if you will, or the full record that came from the physician. I know that
whatever the patient is giving me is being filtered through what they choose to
send me. But no different than it is today!

MR. ROTHSTEIN: But you can supplement that by asking additional
questions –

DR. MARTINO: Sure.

MR. ROTHSTEIN: — you think that are missed. So one way of
describing our continuing struggle I think is really represented by this.

On the one hand, there are certain patient groups, individuals,
what have you, that want to control what is their health record for purposes of
others, and others could be physicians, it could be employers, insurers. So
that’s one set of interests.

And then there’s another set of interests that I hope aren’t
automatically incompatible of the health care providers where they want enough
information so that they can do their jobs and then there are probably the
interest of other third party users as well in terms of what’s relevant to a
life insurer and so forth.

So your system – and this is not meant to denigrate it
– doesn’t forward or advance the privacy interest of the patient as some
would have it to edit what goes out because the physician is going to get all
the physician records. You can edit what you keep on your desktop for your own
purposes, but she’s going to get everything.

MS. ANGST: If Physician Smith is sending information directly
to Dr. Martino, they would likely do that without first sending it to me as a
patient and to my patient record.

MR. ROTHSTEIN: Right.

MS. ANGST: What we’re really providing is a tool to just get
the patient involved. They’re not necessarily going to edit the information
that Dr. Smith is sending to Dr. Martino.

MR. ROTHSTEIN: Right. Okay. That’s – okay. Now I’m up to
some level that I don’t want to characterize what it is.

MS. ANGST: It’s a very complex thing to explain when we talk on
the patient record side because there’s a lot of different pieces, a lot of
different rules. And we always promote, you know, especially with – when
we’re talking with NextGen, you have different physician groups that really
want to limit some of the patient control, and those are capabilities that we
have.

But, you know, everything comes with a tradeoff, and to get
consumer use, you need to keep the consumer’s issues at the forefront of your
mind. And obviously to get physician adoption, you need to make sure that it’s
not going to get them into trouble, either.

MS. FYFFE: So – excuse me – if I had a three-ring
binder, if I’m chronically ill and I have this three-ring binder, and I’ve got
all kinds of stuff in there, I can just pull out a few pages that I wouldn’t
want Dr. Martino to know about. So it’s similar – I mean, I’ve already
figured out how to do it, how to exclude things from your record.

MR. ROTHSTEIN: Dr. Fitzmaurice?

DR. FITZMAURICE: When the Chairman asked the question about he
wanted to take it from here and he wanted to give it to there, I thought he was
going in a different direction than he turned out to go, and I want to go in
that direction that I was thinking of, and that is the interoperability. How do
you make this medical information interoperable?

I’m really excited about what you’re talking about because
you’re getting down to the level that can benefit me and my family. I keep a
lot of this stuff on a spreadsheet; it takes a lot of time. And that’s just
keeping track of the visit, not the lab values or anything.

So, if I go to you and I get the information on a portable USB
port and I come over and plug it into Janet’s product and then I leave Janet
and I come back and plug it into your product, how do we make that stuff
interoperate so that she can see the pictures that you in – maybe it’s a
PDF file – so that she can pull the same variables that you put in and put
it in the right places into her record? Do you use like HL7 for the message
framework? Can you export CCR, how that’s –

MS. ANGST: That’s a question I can answer; I like that one.

DR. FITZMAURICE: And do you have other content than the CCR
that you can export? And then, what vocabulary do you use? Do you map these
variables to the concept of SNOMED CT or do you use some other vocabulary?

MS. ANGST: We began down the path of looking at the medicine
nomenclature. We’ve since – for example, with NextGen, and I’m just using
that one because that’s the largest CMR partner we have that we’re actively,
you know, exchanging data with. They have a certain level of most frequently
used terms, and so we basically mapped the pick list within our product to
NextGen’s pick list because, again, the CCR standard is not done.

We have designed our product to create a patient-generated CCR,
so everything is codified appropriately that it can be exchanged. And that’s
the same way that we’re able to map and populate the patient’s record at the
field level, is by having the appropriate codes and terminology built into the
product.

Incidentally, it also maps everything in a problem-oriented
format and has the ability then to link patients to education and automatic
reminders.

But within the application itself, everything is self-contained
on the device, so you can be anywhere in the world and have everything you need
to view, manage and update your health record within the personal health view.

So that’s part of the beauty of that as a technology of why it
makes so much sense for our medical partners because, you know, it’s hand in
glove with their membership model of having immediate access to emergency data.

DR. FITZMAURICE: Dr. Martino, what do you use your information
from like hers to hers? Can yours put out the CCR content and do you have the
vocabulary use to represent the –

DR. MARTINO: We are in the midst of addressing just those
issues. I should give you a little bit of my background. I was the Deputy PM
for GCPR some years ago –

PARTICIPANT: What is the acronym?

DR. MARTINO: I’m sorry. Government Computer-Based Patient
Record, which is carrying on with a new acronym that I won’t even attempt to
get into, but basically the philosophy was creating a framework for
interoperability that would allow cross-mappings to common information models
and common terminology models.

No one has actually done this, but it needs to be done –
and I hope to get it done before I die. [Laughs.]

But that’s the direction that we’re heading, is to start
identifying common information models that would allow to map different data
structures to each other. I mean, if you know anything about XML, everyone
thinks that’s the answer to all interoperability because every field is tagged
– you know, this is a first name, this is a last name, so on and so forth.

Well, that’s fine, except your tagging may not match his
tagging. So you need the common data structure model, information structure, to
know that when you say “first name” here it means the same thing as
“F Name” there. So that’s the information structure.

And then the terminology, likewise, which is the content of
all those fields needs also to be mapped to a common standard. SNOMED obviously
is coming forth as one of the strongest.

DR. FITZMAURICE: Let me say that the reason for my question is
not so much techie; it’s a matter of patient safety. If I take it from her and
I plug it into your machine, I want the variables to mean the same thing in the
two different doctors’ minds. And there’s communicating by computer, so the
computers have to understand it where the doctors can communicate that way.

DR. MARTINO: And again, these things like the CCR or the HL7
CDA will help us with that because, again, we’re using the common models.

I think that from a patient safety point of view, I don’t
think we’ll ever go beyond what currently exists today with respect to
believing the patient rather than any external data. Right now, if I order a
lab on somebody and that lab doesn’t make sense to what I in my clinical
judgment know about that patient, I’ve got to question that lab and I don’t
care where it came from or how authorized it is. I have to question it.

And I think we need to still leave human beings in their
judgment calls in the loop for many of these things.

There’s a difference between –

[Fire Alarm Sounds about Fire Reported in Building]

MR. ROTHSTEIN: We are in adjournment.

[Hearing was adjourned at 3:05 P.M.]

[The Chairman resumed the meeting several minutes later, the emergency
having passed. Two to three minutes of the hearing were not recorded.]

MR. HUNGATE: — one was in identification of the individual
either seeking the information or providing the information. Is my conclusion
correct?

MS. ANGST: From CapMed’s perspective, no. So I would have to
say that that would then reflect to MedicAlert. We do have authentication for
the patient to be able to log on to the hub and to access information. They
have to authenticate their identity, as well as for information to be sent from
the hub to a different provider, same thing, uses 12 AS bit encryption to
authenticate and to communicate that information.

So that obviously applies then to MedicAlert through our hub
because that’s part of our exchange.

MR. HUNGATE: The impression I have is that people often lump
privacy into security and that being able to say that those are cold is an
important part of giving privacy assurance.

The second case of it relates to – and maybe my
understanding isn’t fully correct here – but I think physicians in general
do not treat themselves, that that’s an admonition within the profession.
Patients do treat themselves and assume a doctorial role in that sense.

Now, if we’re trying for accurate information, in the business
world when you want things to be done right, you make sure there are always two
people involved so that you know things work in an accurate way. I don’t think
we’ve thought about how that fits in health care in the patient/physician
relationship and the verification of data.

You mentioned I don’t want to give this data to that
physician. When I go to the doctor’s office and they ask me how much I weigh, I
may be five or 10 pounds below what the scale will say and that difference may
be important.

Now, how do we get the right information into that record when
the patient feels like they need to control it and the physician needs to
control it? You’ve said that if the patient just brought their information that
you were going to suspect it in effect, knowing that there’s stuff that’s
withheld. How do we grapple with that in the context of quality improvement,
knowing that we do need good information in order to make clinical judgments
downstream?

DR. MARTINO: Well, I think the first answer to that is going
to be the relationship between the provider and the patient, because if you
don’t have that relationship, I don’t care what kind of electronic records you
have.

Even today, you know, we sort of jokingly say, oh, patients
lie to us all the time. They come in, you ask the question, you may get ten
pounds less. So, you know, that kind of discussion is important and that kind
of relationship is important.

I’d like to also bring up again the idea of a broader public
discussion about implications of what you tell and what you withhold. We’re
giving people, the consumers, the power to withhold in a very big way, but
we’re not giving them the information they need to responsibly wield this
power. You know, in the same way that an electronic record gives us great power
to protect and audit the records, it also gives the consumers great power to
control the access, much more than they have with paper.

I’m not sure that’s answering your question –

MR. HUNGATE: I have the feeling that what I’d like to be able
to say as a consumer is that I want every element of my personal risk that
affects the judgment by some other physician to get communicated to that
physician, and I feel like I need my PCPs partnership in identifying those
characteristics of me that are important so that I might want to put my
information in, but I think I’d want my primary care physician to look at it
and say, yes, I agree; that’s an accurate representation of Bob as a medical
entity.

So that’s just a consumer input, I guess.

DR. MARTINO: I’m still remembering the last time I was here at
a hearing. There was a woman sitting back there who was a consumer and I don’t
know if she represented any particular group, but she was pretty adamant about
having control over her record.

And the scenario that she laid out was her dad having an
illness, cancer, I think, and they didn’t trust what they were hearing from
this set of doctors, so she wanted to try and get a second opinion. She
specifically did not want the second set of physicians to know what the first
set had done or said so that she had a truly unbiased view. And it was a very
aggressive “I need to be able to do this.”

So people have many reasons.

MR. ROTHSTEIN: We have Mary Jo and then Richard.

MS. DEERING: This is as much a request to Janet as it is a
question, and it gets to the issue of the operationalization of consent and the
communication of consent, and it’s important not only in PHRs but fundamentally
across the NHIN.

The model that we can glean from the RFI that went out and
what we know about RHIOs is that certainly among the provider organizations
there will be business transactions that are codified about who has access to
what information so that we know that from the institutional point of view
there will be deep and robust policy examination of exactly what those
permissions are, et cetera.

From the point of view of the hearings in the last two days
when we’re interested in patient authorizations and consent, it appears to me
that maybe two things are needed. The first is an equally robust and
comprehensive delineation of the entire menu of potential patient consumer
authorizations and consents.

And related to that, even more important, is the plain language
communication of those consents and their implications, so that at some point
in time you could have like a drop-down box so that your first level
permissions were just a drop-down box but they were hot-linked for further
information if you needed it, and you can check one or many.

And the reason that it seems to me this could be a great
service is that we have heard that with explanation and understanding, you are
likely to get more consents and authorizations rather than less.

So how can we build something like that into the system?

DR. MARTINO: Well, I’m firmly in favor of reducing
free-floating anxiety, and I think a lot of the “I’m going to hold my data
and not show it to anybody” is because of free-floating anxiety. They
don’t know who’s going to see what when.

And I think the more control you give to people, the less the
anxiety becomes free-floating and more specific and targeted so they know
exactly what they’re worried about, rather than this great big unknown.

So, absolutely. I like the idea of the various forms and pick
lists and especially for every form in legalese, there should come up almost
automatically a large print, common language discussion of what that particular
form is saying.

And I think as technologists we need to give some thought as to
how we would implement such a thing as a service that a RHIO, a physician’s
office, a PBM, a lab can use to access electronically so that many of these
things can be handled electronically. Part of the problem right now is they’re
lying on the table and having to sign something. It’d be really good if there
were an electronic form of that that the appropriate person could access.

One of my concerns is organizations like PBMs or commercial
labs, you know, they also have a CYA mentality; they’re not going to want to
release data unless they have all sorts of coverage in the form of
authorizations from the patients.

So if you want high volume work, like a PBM does thousands of
transactions an hour, if you want to get that data, we really do need to have
at least a semi-automated way so that there could be standing authorization for
certain types of data sharing.

If I’m a PHR user, I could sign an authorization that says
“I allow this lab and that pharmacy to send data to my MedicAlert account
so I can bring it down to my PHR.” That can be a standing order, you know.
It’s not quite signing out of HIPAA or opting out of HIPAA, but it’s just
giving people the chance to say it once and have it stand without having to say
it every single time they go to a new situation.

MR. ROTHSTEIN: Thank you very much.

This brings a close two very interesting and stimulating days
of hearings that we’ve had, the first of our set of hearings of three that are
planned, next one being in Chicago March 30th and 31st.

I want to thank all of our witnesses and the Subcommittee
members and staff. I especially want to thank Kathleen Fyffe and Mary Jo
Deering for taking the lead role in lining up all the wonderful witnesses that
we’ve had. And our logistics folks, Marietta and Jeannine, appreciate that, and
also Donald and Pat for their usual fine work.

And so, thank you all and we are adjourned.

[The hearing adjourned at 3:18 P.M.]