[This Transcript is Unedited]



February 25, 2009

Hubert Humphrey Building
200 Independence Avenue SW
Washington, DC

Proceedings by:
CASET Associates, Ltd.
Fairfax, Virginia 22030
(703) 352-0091

Table of Contents

P R O C E E D I N G S (9:00 a.m.)

Call to Order, Welcome

MR. REYNOLDS: Everybody ready to get started please. I’d like to welcome
everybody to the first of two days of the meeting of the National Committee on
Vital and Health Statistics. The National Committee is the main public advisory
committee to HHS on national health information policy.

I’m Harry Reynolds from Blue Cross Blue Shield North Carolina, and the Chair
of the Committee.

I want to welcome Committee members, HHS staff, and others here in person,
and also those listening on the internet. I would like to remind everyone to
speak clearly and into the microphone.

Let’s now have introductions around the table and then around the room. For
those on the National Committee, I would ask if you have any conflicts of
interest related to any issues coming before us today would you please so
publicly indicate during your introduction.

I have no conflicts.

MR. SCANLON: Good morning, this is Jim Scanlon, I’m the Deputy Assistant
Secretary for Planning and Evaluation here at HHS, and I’m the Executive Staff
Director for the Full Committee.

MR. BLAIR: I’m Jeff Blair, Director of Health Informatics at Lovelace Clinic
Foundation. There is one relationship that if the subject comes up might be a
conflict of interest. Lovelace Clinic Foundation is one of the recipients of
NHIN trial implementation contracts for the NHIN.

DR. WILLIAM SCANLON: Bill Scanlon, Health Policy Research and Development,
member of the Committee, no conflicts.

DR. STEINWACHS: Don Steinwachs, Johns Hopkins University, member of the
Committee, no conflicts.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Healthcare Research and
Quality, not a member of the Committee but a liaison to the National Committee,
and staff to several subcommittees.

MS. TRUDEL: Karen Trudel, Centers for Medicare and Medicaid Services,
liaison to the Committee.

DR. SUAREZ: Walter Suarez, I’m with the Institute for HIPAA/HIT Education
and Research, and also a member of the Health Information Technology Standards
Panel, a board member, and a chair of one of the subcommittees or technical
committees. I think that if anything comes up with respect there might be some
potential conflicts, although I am a volunteer member of that committee. I am
also a member of the Technical Advisory Panel to the Health Information
Security and Privacy Collaborative, and a member of one of committees of the
Certification Commission on Health Information Technology. So those three
projects might come up today might create some potential conflicts.

MS. MILAM: Good morning, I’m Sallie Milam, Chief Privacy Officer for West
Virginia’s Executive Branch Healthcare Authority. And I’m also the Executive
Director for West Virginia Health Information Network. And we are also, like
Jeff, a prime contractor with the NHIN.

MS. MCCALL: Carol McCall, Vice President of Research and Development in
Humana Center. No known conflicts.

MR. LAND: Garland Land, National Association for Public Health Statistics
and Information Systems, member of the Committee, and no conflicts.

DR. FERRER: Jorge Ferrer, Veteran’s Health Administration.

DR. GREEN: Larry Green, member of the Committee, University of Colorado, no

DR. OVERHAGE: Marc Overhage, Regenstrief Institute, and Indiana Health
Information Exchange, member of the Committee, and we too are an NHIN
contractor should that come up.

DR. HORNBROOK: Mark Hornbrook, member of the Committee, Kaiser Permanente,
no conflicts.

DR. CARR: Justine Carr, Caritas Christi Healthcare, member of the Committee,
no conflicts.

DR. WARREN: Judy Warren, University of Kansas School of Nursing, member of
the Committee, no conflicts.

DR. FRANCIS: Leslie Francis, University of Utah, member of the Committee,
and no conflicts.

MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics,
CDC, and Executive Secretary to the Committee.

MS. WISEMAN: Jennifer Wiseman, Personalized Healthcare Initiative here at

MS. KANAAN: Susan Kanaan, writer for the Committee.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC,
Committee staff.

DR. KYLE: Frank Kyle, American Dental Association.

MS. MILLER: Laura Miller, Executive Director for the National eHealth

MR. WANG: Wang, Social Security Administration.

MS. JAMISON: Missy Jamison, National Center for Health Statistics, CDC.

MS. BUENNING: Denise Buenning, CMS, Office of eHealth Standards and
Services, and lead staff to the Standards Subcommittee.

MR. DECARLO: Michael DeCarlo, Blue Cross Blue Shield Association.

MS. VIOLA: Allison Viola, American Health Information Management

MR. REYNOLDS: Before we start the rest of the agenda, I’m going to let
Marjorie talk a little bit about movements throughout the building. Most of us
who were here yesterday for the hearing understand that, and the rest of you
will shortly.

MS. GREENBERG: This is mostly for the benefit of people who don’t have
federal IDs. I just learned that a few of our members have just had theirs
confiscated, because I guess they had expired. So please let Katherine Jones,
who is here right now, or Cynthia, know if you do not have a valid or unexpired
federal ID, which you would need in any event in any federal building. Since we
last met here we have learned really only on Monday that there are new upgraded
security procedures, I guess you might call them upgraded, in this building.
What impacts us most significantly is that the guards will no longer sign
people in or call up here if someone needs to be signed in and escorted up. We
have somebody posted full-time. Unfortunately they’re behind the guard station,
so I myself had trouble finding them. But in any event, you have to be
obviously signed in by somebody we provide, and in addition we have been told
that if you do not have a federal ID you must be escorted at all times when
you’re in the building including going to lunch, going to the restrooms, what
have you. That if you are not wearing your federal ID and are unescorted you
are at risk of being escorted out of the building. This we ask your forbearance
on this, and I think, although we’ll confirm this later, we probably will not
be meeting in this building the rest of the year. We do have backup
reservations at NCHS. I know people like to meet down here, but like my
secretary is downstairs the entire week, and it’s not exactly a good use of her
time. So I apologize for any inconvenience, and particularly to our non-federal
if there are any visitors. I know we had quite a few yesterday, and we’ll just
try to work it out. But if you run into any additional problems just let us
know, we’ll try to work them out.

On a happier note, you see we are having a dinner social. Can I have a show
of hands as to who is planning to go to that tonight? Okay, great. If anyone of
you decides later they want to go, just let us know. We usually can accommodate
additional people. I think that will do it. I do want to thank my staff in
particular. This has been a challenge for them.

And if you’ll just let me, I would like to thank Judy and Jeff for the
outstanding hearing that they organized yesterday, and you’ll be hearing more
about that.

MR. REYNOLDS: Next thing we want to do is turn it over to Jim Scanlon to
give us the department update, and start our journey through all the changes
that are going on, all the opportunities that are available, so it would be a
good time to start taking notes, because this is going to be a full day.

Department Update; Transition Update; CMS

MR. SCANLON: Good morning, everyone.

Since we met in I guess November, a lot has happened, a lot of very big
things. Let me update you this morning on the transition and new leadership in
the new administration and where we are, and then I’ll talk a little bit about
the Recovery Act, which actually contains funding for almost all the things the
Committee has been advocating and promoting. A lot of money there for health IT
and other things. Then I’ll bring you up on the budget normally, and a little
bit about health policy and health reform.

First, just a quick update on transition. Obviously, the President was sworn
in on the 20th and the transition was officially over. Cabinet heads
have been named and been confirmed for many of the departments, obviously. For
HHS we are still awaiting a nomination, so we may be one of the last cabinet
departments to actually get a secretary. But in the meantime, probably two
dozen political staff and leadership are already here in HHS. They are taking
over some roles, and obviously we consult with the political leadership before
we do anything.

In addition, all of the agencies and offices within HHS are headed now by
the senior career deputy official, so really in most cases it was the deputy of
the agency. These are very highly qualified experienced folks who run things
anyway, so from an operational programmatic point of view there’s no
interruption in operations or services and so on, and all of that continues. We
will just look to the weeks ahead in terms of a secretary designate, and then
following up from that.

Secondly, the budget process is a little more complicated this year than
normal. There are probably three budgets going on at any one time. And, of
course, we have the Recovery Act, which provided for a large infusion of funds
to HHS and other agencies. In many cases it’s a one-time infusion, but I’ll go
through some of the provisions here. Many of them are areas that the Committee
has worked on and made recommendations in for quite a while.

Just quickly on the budget. As you know, we are now in fiscal year 2009, and
we basically had a continuing resolution until March 6th, so we will
technically run out of money on March 6th. But the Congress is
acting on an Omnibus Budget Bill for the rest of the year that will provide
funding. We don’t have details yet, but it probably will be somewhere between
what the Senate and the House versions previously for ’09 were, and it looks
fairly reasonable for HHS.

Again, it’s hard to predict what happens. This is the House bill, the Senate
has to have its own bill, they’ll go back and forth about where exactly the
numbers should be. You don’t win any bets predicting how this is going to turn
out, but at any rate that process is under way.

For 2010, which begins in October, the President last night gave – this
will be the first budget for the new president – the President kind of
gave an overview last night of not so much a detailed budget but an overview of
what will be initiatives in the 2010 budget. A more detailed budget will
follow, and the full budget submission I think will occur in April, just
catching up to the budget, and then Congress will have to deal with that. Then
before long we’ll be working on the 2011 budget. So we’re always dealing with
three budget years at any one time.

The biggest budget news probably though, and certainly the biggest health IT
news, is the American Recovery and Reinvest Act, or the Recovery Act. That has
provided a large infusion of funds to HHS and other agencies. Let me take you
through that, and let me take a little bit of time there.

The Act, and it’s abbreviated apparently as AARA, so we call it the Recovery
Act, for HHS it actually gives us about $137 billion. Some of this is one-time
spending, some of it is a couple years spending, but the whole idea of the
Stimulus obviously was kind of a one-time infusion of funds that would create
jobs and otherwise do good and otherwise be transformative. So I think those
are the criteria that we’re looking at.

Tremendous pressure now that it’s passed to get the money out to the states.
Much of the Recovery Act is geared towards state fiscal relief, but like other
parts, these are all to do good and preferably it will be transformative as
well. In many cases you could view some of the health provisions here as the
first stages of health reform or health systems change. These are things that
have been proposed for a long time.

Back to HHS, roughly $137 billion total over a couple years, at least until
the following September. Of that $22 billion is on the discretionary side, and
the rest of that money is associated with entitlement programs like Medicare
and Medicaid and the welfare programs.

On the health IT side, the Act provides a total of $20 billion dollars,
that’s billion, not million, $20 billion, unheard of numbers previously. Let me
take you through that carefully here. $2 billion dollars would go to the Office
of the National Coordinator for various activities, and the rest of that for
the most part, $17.6 billion I think it is, would come downstream a bit through
Medicare and Medicaid. This would be incentives to hospitals to doctor’s
offices on the Medicare side and then on the Medicaid side to adopt and
implement electronic health records. There is a scale that would provide
funding over a three or four year period, and then would drop down to zero, and
in fact you would be penalized if you didn’t have some sort of system at the
end of that period. And I will take you through that. But that is a little
downstream. It begins in 2011, those incentives begin in 2011.

Prior to that obviously a lot of work would need to be done. Again, the
details would need to be worked out, but the idea would be for qualified or
certified electronic health systems, not just anything you could buy, but there
would be some criteria about what makes – and there are some features in
the law that say what’s in mind in terms of criteria for such systems.

In addition, we have about $85 in the Indian Health Service. Actually, it’s
more than that, it could be used for health IT enhancements or for
construction. We will have to see how that’s divided up. And in the HRSA, the
Community Health Center Program, I think there’s about a half billion there
too, $500 million for health IT enhancements with community health centers and
other safety net providers. Those will probably be grants. Again, I think the
Department will be looking at what exactly qualifies if you get this assistance
what kind of a system are we talking about. It’s not just anything you could
buy, it would have to meet certain standards of interoperability, and meet the
standards adopted, and so on.

The Act also, number one, codifies and establishes the Office of the
National Coordinator. So it would be officially in the statute. In addition, it
sets out a process to promote and adopt standards in a number of other areas.
Again, you have seen earlier drafts of this bill, but essentially it creates a
process whereby HHS recognizes standards. I think the assumption is that this
is cumulative, so all of the work done previously relating to standards would
be part of that foundation. Hopefully we don’t have to start all over again

It creates a policy committee, a health IT policy committee, which would be
a FACA. It creates a standards committee, which would be a FACA. And it
provides a number, probably half a dozen grant programs, loan programs,
demonstration programs and so on, to assist states and others in the adoption
of health IT. It also provides funding that was mentioned to Harry previously,
it provides funding for the education of clinical and health workers in using
health IT and in developing curricula, and it also provides funding for
training in health IT. This is really everything from certificate programs to
courses to doctoral degrees. So this is looking at the workforce as well.

Also, $300 million is earmarked for regional or sub-national efforts. We
made health information exchange, so again we’ll have to work through what the
mechanism is there. And $20 million is transferred to NIST in its role of kind
of working with the industry on testing capacities and capabilities and so on.
There is also funding to create this concept much like the agricultural
extension service for health IT assistance. How that will look in the health
sector we’ll have to see, but there’s funding to create an extension service
and research centers as well.

So it really cuts across the whole board in terms of assistance and to
promote interoperable electronic health records and health IT. It also includes
some additional provisions in privacy and security. For example, it expands
HIPAA, it establishes a federal breach notification requirement. Again, there
would be some threshold there. It applies HIPAA security standards and privacy
rules to business associates, and there are some other details there, so we’ll
have to work on that as well. It also provides for education relating to health
information privacy.

The Department has already started, obviously, working through these
provisions, what would the mechanisms be, what would the amounts be, and how
would we actually accomplish this.

Jeff, I think you had a question there?

MR. BLAIR: Should I save it to the end until you’re finished?

MR. SCANLON: Let me finish. I have one more thing, Jeff.

Let me turn to the population public health side for a minute. There is, let
me look at my summary table here, we have in terms of public health some ideas
that have been talked about for quite a while. There was created a prevention
and wellness fund in HHS for $1 billion. Some of that money goes to CDC
directly and other places, but some of it is in the Office of the Secretary
too, to work out. It includes some earmarks for healthcare associated infection
reduction strategies program and a number of other things. But basically this
is a concept that a number of folks had proposed in the past, a health
prevention and wellness fund that would be used for a variety of purposes.

Comparative effectiveness, $1.1 billion. Some of the money goes to AHRQ and
NIH, and $400 million stays in the Office of the Secretary for the priorities
that might be developed there. This is, again, the focus is actually on the
comparative effectiveness research, comparing one treatment, one intervention,
with another, that sort of thing.

There is money on the welfare side, $10 billion goes to the National
Institute of Health. Some of that money will go to buildings and facilities,
instrumentation and extramural lab construction renovation. Remember now that
one of the focuses here was on job creation and getting the money out right
away, shovel-ready projects for the most part. And literally at the NIH
campuses, in pretty much every state and county has some NIH facility, there
would be funds available for construction and renovation as well. Again, the
NIH structure is generally through grants. Grant opportunities are announced
and people apply for those.

As I said, the Health Resource and Services Center, there is money there for
community health centers modernization for health professions and for health
IT. On the welfare side we have a couple of other things as well.

This is a very broad infusion of funds. I think the idea here is that some
of these things, the prevention and wellness fund, comparative effectiveness,
and health IT, are probably elements of health reform change anyway, and I
think many folks view that as essential to and probably prerequisites to some
sort of health reform.

Again, the President announced last night that among his priorities were
health reform. So we should see in the 2010 budget at least a down payment on
some of the elements of health reform there, and the details will emerge over
the next few days. Let me stop there. A lot to absorb, for the public health
and for health IT, I think this is really a quantum leap. It’s not just more of
the same, but it actually provides some of this as new territory, the amount is
so much larger that it could be transformative. I think the idea here is that
you can always spend money, obviously. That’s not the issue. HHS can spend
money, all of you can spend money. The idea was to do some good with it and do
something transformative with it if possible, in terms of public health and
health reform.

Let me stop there.

MR. REYNOLDS: I have Jeff, Jorge, Garland.

MR. BLAIR: Of the $300 million distributed to health information exchange
networks, originally that was a line item that was listed under immediate
funding under section 3011 in the House Bill, it was Item 8 under B.

MR. SCANLON: I’m impressed, Jeff.

MR. BLAIR: And in the conference report Item 8 was gone, but you still
referenced the $300 million is still there?


MR. BLAIR: Is it now under 3013, which is under state funding? In other
words, do the funds go through the states under the states designate who the
HIE is? Or what is the process for that?

MR. SCANLON: We are working on it, you’re right, we’ve gone through several
versions of this bill that it went into a conference, and we kept track of all
of the titles and so on. Some of them, I’m not sure what happened.

But in terms of the implementation of the parameters of that program and
some others, we’re working on that within HHS. We are working on implementation
plans for every title and subtitle, what’s the program created, is it an
existing program, and how would we do it.

MR. BLAIR: I would express an opinion on that, and that is if the intent is
for immediate funding if it does go through state governments there could be
significant delays in getting the money out. So I just expressed that thought.


MR. BLAIR: The other thing is could you explain the significance of
codifying ONC? What actual changes in the operations of ONC or its authority is
implied with codifying ONC?

MR. SCANLON: Number one, remember the office was created by an executive
order. Any president can reverse an executive order or do another executive
order. It is always preferable for a federal agency to be based in statutes,
and to have specific authorities and budgets, just as a general principle.

I think what it does is it creates statutory authority for the office. It
probably gives them more things to do as well, and probably gets them on more
solid budget footing. Again, that’s sort of a year to year thing. In general,
otherwise, Jeff, it’s administrative discretion. A president could eliminate
that or change it. The secretary could just decide they’re not going to do it
anymore. For something of a high priority, it’s not unusual to codify it and
say this is the way, this is how it operates, this is how it organized, this is
what budgets we have in mind, this is what the functions are. Then most
agencies would want to be there. It is much preferable to have a statute for
your establishment.


DR. FERRER: Jim, are the funds for the – is that just for an
adjustment, or is there actual – for –

MR. SCANLON: Karen, you can help me here. We’re working through this. But
basically this is a little downstream. You’re talking about the Medicare and
the Medicaid provisions?

DR. FERRER: Right.

MR. SCANLON: We actually have a workgroup working through these, but Karen
will probably have the details. There is a formula for meaningful use of the
EHRs, there is some threshold, and it actually provides funding for those
hospitals and those professions. Harry, probably has –

DR. FERRER: But the initial cost is borne by the hospital and the
physician’s office, correct?

MR. SCANLON: Karen is going to answer that.

MS. TRUDEL: The incentives are not based on amount expended; they’re based
on a formula that’s in the statute. Now, the logistics for computing and
pushing out those funds are still very much under discussion.

MR. REYNOLDS: We have Garland.

MR. LAND: I understand that there is a potential for the National Center for
Health Statistics to obtain some of this money for national surveys in vital
statistics. Can you speak to any of that process? I know that CDC is going to
be reviewing National Center requests, and somebody here in the department is
going to be reviewing their requests. Can you speak to that process? That is
question number one.

And then secondly, I know the President referred to there will be a website
to track whatever is coming out of this. Will that be specific enough for
what’s happening within the Department, or will you have your own website? How
can we find out? You know, you’re talking about twenty-some billion dollars in
discretionary money, and how do we find out more about where that’s going and
how that’s going, and so forth?

MR. SCANLON: Let me answer the second question first. The website is
recovery.gov, and that will be the central government website for all the money
in the Recovery Act. It is going to be fairly detailed in terms of what the
amount was, what the purpose. The intent is to track, and we’re certainly
working on this already in HHS. Literally, every grant dollar in terms of what
was it for, who got it, and how was it used. Sometimes it’s the state, and
sometimes it’s not governmental organizations, and sometimes it’s contractors.
All of that should be on recovery.gov. That is already active, so there is some
information on there already. And it will be populated with further detail as
the money works its way through.

We’ve already announced through HHS, for example, for the Medicaid
assistance, the increase in Medicaid match for the states. We announced that on
Monday, so that is going to be going out, and we’ll be announcing some others
right away. We’re trying to get this money out if it’s going to serve the
Stimulus. But anyway, recovery.gov will be the main website.

If we have one, Garland, it will be supportive of. I don’t think every
agency is going to create its own website, but we may. If we create one it will
be supportive of the main website, recovery.gov.

On the other side in terms of spending, there were some versions of these
bills that actually mentioned money for the National Center for Health
Statistics as part of the prevention and wellness fund. That did not make it
in, from what we could see, in any language. But again in HHS we are now
implementing these provisions. For the prevention fund, for example, we are
entertaining proposals consistent with the intent of the Act and the purpose,
for how the funding – some of it is earmarked, so there’s no question it
has to be immunization or hospital acquired infections, and so on. But there is
still a pool, and those proposals are being – folks are developing
proposals, they go to workgroups and so on and there will be decisions made
about how to allocate that money, if not fairly quickly.


DR. FRANCIS: What’s your understanding about how it’s going to get worked
out about who does what, both in terms of – I mean there’s an incredible
possibility for reduplication of efforts on all of this, and obviously privacy
is one place where that could happen, standards is another. With the
codification of the Office of the National Coordinator, will they be doing
that? Should each of us as subcommittees just be thinking about what
interesting input we could give on these questions, running the risk of being
voices out in the wilderness? I don’t have any sense of that at all, and any
wisdom you have on that would be much appreciated.

MR. SCANLON: For our parts of the bill, HHS, we are deciding in terms of
implementation who exactly carries out that provision, and who is associated
with it, in terms of the agencies. If it’s privacy, there are specific offices
that are either mentioned in the statute or it would be the logical place in

So I think in HHS we have processes under way, and they’re moving very
quickly, that will basically go through every provision in the statute, we know
how to do this in HHS, and what we think the dollar amount associated, what we
think the mechanism is, what’s the deliverables the regulation is –
announcement, and so on, so we have folks doing that right now. A very high
priority, probably the highest priority in HHS at the moment.

In terms of the agencies, and maybe working with another agency, that will
all be, if it’s not already stated in the statute, it will be very clear, and
there will be accountability for these things.

In terms of how you work with these things, it’s a little bit like it’s
clearly a fast moving train here. I think there are provisions in the statute
that indicate that, and the process standards and adoption part of the statute,
the first subtitle, for the overall process of how standards are proposed,
adopted, and so on, there are provisions that indicate that the secretary can
consider the recommendations, so the NCVHS in these matters.

The other thing is, again, I’ve always urged the Committee, you know, don’t
go off on tantrums unless we have the client, unless somebody’s asked for or we
can anticipate that somebody will ask for it. We’re not a regulatory body,
we’re not a government agency, but there are numerous things here I could see
where there will be regulations, for example, on these privacy provisions,
there will be some policy development before that, and I think there I
certainly would urge the Department to ask the Committee to provide the input
wherever they can. It is just the specifics I can’t give you now, because we’re
just sorting it all through.

MR. REYNOLDS: I would like to make a comment on that, too. Obviously, I
spent some time with Rob Kolodner, and Jim and I spent some time, and we had a
hearing on standards yesterday where everybody was talking about the same
things. Laura Miller’s going to talk about NHIC. You are going to hear from Rob
and Charles Friedman on ONC. Then you notice we have a little bit of time to
discuss some things afterwards, and throughout the next couple of days. So I
think that’s part of our assignment, and I think we can list some notes of how
we see some of our subjects playing, and so on. I think that’s going to be key.

So I would ask you to listen intently this first part of this, and a lot of
us got to listen all day intently yesterday, as to how things are going on.
Then we have Karen and some others who can help us.

I think having jumped to the conclusion this morning, listen intently, and
then we’ll see how it plays as we go forward.

DR. FRANCIS: Could I just follow up? The reason I asked that question right
now is that there are plans going forward to put some hearings in place and it
feels a little chicken and eggish. So the more guidance we can have –

MR. REYNOLDS: You will get guidance, that’s what I’m trying to say. Just
listen through this morning, and then we’ll all work some guidance. That is
part of the job.

Okay. We have Walter.

DR. SUAREZ: Thank you. I have three quick questions. The first one is about
the $300 for HIEs. I believe that is part of the $2 billion allocated to ONC,
so ONC would be the one responsible for dispersing the money and working with
the states?

MR. SCANLON: It would be the administrative home. There are workgroups
thinking about what that means, what those provisions mean and how –

DR. SUAREZ: The second question is about the research center. There are two
I can’t understand, one created by NIST, or that will be created by NIST, the
Healthcare Information Enterprise Integration Research Center, a long confusing
name, Healthcare Information Enterprise Integration Research Center, mostly a
testing facility approach, correct?


DR. SUAREZ: The other one is Health Information Technology Research Center
located or created by HHS, and then the corresponding regional research
centers, the extension center, regional extension center is what they call it.
Those last two, the Health Information Technology Research Center and the
Health Information Technology Regional Extension Center, is that also or has
that been – broadly – Secretary Shaw(?), so is that an activity that will
be headed? I know that probably hasn’t been decided, but is it going to be
headed by ONC, is it going to be headed by another group within HHS?

MR. SCANLON: The NIST statute is very clear. NIST gets, and this relates to
the committees on the Hill, NIST gets $20 million. We will be providing $20
million under an agreement of what they’re to do, and it’s in consultation with
HHS, for some of that work, for the testing and so on, and possibly for some of
the other work as well.

We’re sorting that out now, Walter, so what part is of the extension centers
and overall research centers, we’re still sorting that out. But within HHS,
again, I think ONC is where the $2 billion is placed in ONC, and basically
they’ll get a lot of advice. A lot of folks are working this through in terms
of what’s the best thinking and how do you do this.

We have grant programs, we have contracting, we have research grants,
assistance grants, and so on, and the likelihood is we would use those systems
to carry this out. We would not be creating entirely new processes and
procedures, particularly if we want to get the money out fairly quickly. But,
again, we’re in the middle of sorting this out now. We are literally going
through all of those provisions, some of them are not clear, as you know, you
could interpret them in different ways, but all I can describe is the process,
it’s all being sorted out.

MR. REYNOLDS: I’m going to hold you at two for right now, because I have
four more people, okay, so I want to make sure everybody gets a chance. We have
Mark, and he gives his time to Paul.

DR. TANG: As you mentioned, Jim, this is an unprecedented and I think a
welcome investment in the HIT part that we’ve talked about for a long time. And
I think now it’s possible for the community to live up to the responsibility
and the challenge to find a way to, as you say, do good and be transformative.
I think we have to be very deliberate about that.

Can I ask a couple of questions? They may be more detailed, but it’s sort of
figuring out where the levers are, and it has to do with the incentives. One is
the progressive or the incentive, these are presumably that’s to Medicare
providers, and I’m guessing there’s some threshold of what patient population
is covered by Medicare and Medicaid, and I don’t know how much detail there is
about that right now.

The other is in releases in media the ranges specified is 44,000 to 64,000.
I can easily find a 44,000 in the 18 to 12, etcetera, I can’t find the other
20,000, and I’m wondering whether those are adding up 2 percent here and that
kind of thing. So just a little clarity, if that’s available.

MR. SCANLON: I’ll defer, Karen probably knows the details. Again, there are
sections in that title of the Act that it is for Medicare, number one, hospital
providers, and then I guess the professional providers, and then there’s a
Medicaid section. Then, again, the figures are in the statute.

Karen, I don’t know that we have other figures. We will be using those in
the statute in terms of what the formula is.

MS. TRUDEL: Right. And the formulas aren’t a flat amount. In many cases
there are upper limits, and in some cases, like for instance with hospitals,
the hospital can receive both Medicare and Medicaid incentives where the
professionals have to select one or the other.

There is an awful lot of detail that is still up in the air, and it’s those
details will have a significant impact on the formulas and the amounts and how
the money is distributed.

MR. SCANLON: Remember now, these incentives take in 2011, obviously you
don’t wait until then if there’s not a lot of preparation –

MS. TRUDEL: We would be really clear for professionals, it’s calendar year
2011, for hospitals it’s fiscal year 11, which begins in 2010. There’s even
less time than we think.

MR. SCANLON: That’s what I think, it’s downstream in a sense, the Medicare
and Medicaid incentive, it’s downstream compared to the $2 billion immediate,
but it’s not that far.

DR. TANG: One clarification on the 2011, it sounded like the incentives
would be paid in 2011, presumably then that’s about your efforts and
accomplishments in 2010. If that’s true then, wow, it’s right around the
corner. But maybe clarification on that?

MS. TRUDEL: Again, these issues are very much up in the air. The way the
statute is written it is for those years. Then the question is how quickly do
we compute the incentives, do we do it at the end of the year, do we do it
periodically through the year, exactly how that works is going to be critical.

MR. SCANLON: That is left to us in terms of regulations, and we’ll figure it
out, don’t worry. But I think it’s not that much time, I think the main point
is you need some of the developmental work. The interesting thing is though
that the assumption for the incentives, I think to some extent, is the first
title of the Act, which is the process and the standards, the standards are
adopted, systems are qualified or certified and so on, so there is
theoretically this timeline, but actually it all happens together

MR. REYNOLDS: Is that both your questions? Okay. So we got Larry, Carol, and
Mark, and that is going to shut it down. I want to give Karen time. Again,
intermittently throughout this we’re going to have plenty of discussion.

DR. HORNBROOK: Harry, can I have a clarification on Paul’s?

MR. REYNOLDS: Yes, go ahead.

DR. HORNBROOK: I talked to our lobbyist and the interesting thing is that
they have in the bill there are provisions of course for systems and have
already purchased HIT –

MR. REYNOLDS: Say that one more time?

DR. HORNBROOK: There are incentive payments for systems that have already
converted to EMRs. So Kaiser spent $5 billion, they’re still going to get
incentive payments. There is a way to get Medicare incentive payments through
risk contracting programs. So if you’re a risk contractor and you already have
an EMR you will also collect bonus payments through your ACE ECC(?) payments.
The incentive is covering both fee for service and capitated systems, and it
rewards people who have already purchased health information systems because
they will get them certified and then qualify for the bonus, which is capped,
and then the systems that are still not on will have to buy a qualified system
and then submit that in their billing, and it will come across as a fixed
payment for their bill.

MR. SCANLON: As Karen and I have said, all of this will be made clear.

MR. REYNOLDS: Let it be known that the Committee will get much closer to HHS
and – the lobbyist, no matter who they are. Larry and then Carol.

DR. GREEN: It is interesting to me how the Committee is rapidly gravitating
in unison towards acceleration of our vision of getting the country national
information network. Virtually all of our questions are unified around that
theme. Mark’s last comment was really about capitalization in this regulatory
environment. These issues that Medicare has to deal with, if there’s not –
it’s not going to happen for a big bulk of the system, and we know this.

Our interest here as NCVHS is quite clear, it seems to me, and we’re looking
for the enablers to move this forward.

One thing that no one has asked about, Jim, that I wish you could say more
about, is even with privacy help, even with the hardware and software, even
with the standards adoption, widespread adoption is a pretty huge barrier that
we’ve learned a lot about over the last couple of years, and you mentioned
something like the cooperative extension agency. A few questions, where in the
budget did that money land, whose office, or where is that located? And is
there any read on what part of HHS is going to be accountable for that?

MR. SCANLON: Again, I don’t think I have a definitive answer. The money will
start off in ONC, I mean that’s where the money is being placed
administratively. And this needs to be sorted out. This concept, as you
remember, goes way back, the idea of why is there not a locally based service
of providing technical assistance and advice to the healthcare community at a
local level. Much like the idea is sort of the USDA extension service. I’m not
personally sure that’s the analogy I would have looked for, but at any rate, we
understand the idea. It is having that capacity in the market area, the local
area, where the boots hit the ground. So we’ll be working that through. That
along with the Health Information Exchange Fund, as well as the money that goes
to NIST, we’re sorting out what that looks like exactly, where is the base, you
know, where is the unit that extension service actually resides locally. The
USDA is sort of university-based, as you know, extension service, and that’s
why many of the state universities have them and then counties have it as well
in rural counties. So I’m not sure that was exactly the model, but that was the
notion I think. And we will have to think how would you do that in health, so
just think that through.

Clearly we’ll work with other agencies, but the funding will be, the $2
billion, that will come out of the $2 billion, and it’s here in HHS, and it’s
on the ONC line. There are a lot of folks who are from virtually every agency
and staff office in HHS are working through how this works. These will be
secretarial level decisions ultimately about how do we want to spend it, does
that make sense. So it will be kind of collective decision making in terms of
what does this process look like.

We’ll have more details later, but we’re only at the stage now where we’re
taking each of those provisions and figuring out how it would work.

MR. REYNOLDS: Carol, last question.

MS. MCCALL: First a comment, then a question. A comment for you. This is
just moving so fast. I’m hoping that you can stay on for the full eight
seconds, so good luck with that.

Your comment about – and then I think we will do well to heed both don’t do
things unless a client asks for it, and also do a lot of listening, but for us
I think it’s going to be pay attention to what we need to focus on to add the
most value.

My question for you, Jim, are there any specific monies for what we’ll call
the Health Statistics Enterprise for the 21st Century? The reason
that I ask is that I think there’s always an assumption that in the science and
technology world what we need is a technology, and that everything else takes
care of itself, when the data is there and it flows. And I know this not to be
the case, and it’s going to become extreme.

I think one of the things I would add to the list is to look for discussion
around the health statistics enterprise, and it’s a 21st century
one, which will be even different than our vision for it in the 20th
century, then the computational science and all of that. So is there any money
there, is there any discussion there specifically around that?

MR. SCANLON: I agree with you, Carol. I think health statistics for the
21st century is a lot different. I mean it builds upon, but it’s a
lot different, and it’s not an agency so much – it is an agency, there is
an infrastructure, but it’s more than that.

If I remember, there is no mention specifically for health statistics. It’s
implied in a number of cases. You couldn’t do these other things without having
it. The way we’re approaching it, and I don’t have this, it will come out, but
the folks who are looking at the various provisions, and to some extent this
fits in with the comparative effectiveness and the Prevention and Wellness
Fund, particularly, not so much the health IT, you could see where the
interface would be, folks are looking there for opportunities for activities
there that would support health statistics methodology for how you actually use
the data from large databases, claims databases, electronic health records, and
of course the Foundation for Health Statistics as well. But, again, that’s very
early planning across it.

There is nothing specific that I could see on the bill that deals with that
specifically. It is implied, I think. And, again, remember, these bills are
written as the Kaiser lobbyist and others come in, and they help write this
bill. It’s written at a fairly high level and in many cases the provisions are
there so that you know how you would fit in. Actually getting this done is
another matter, and that’s what we’re here about, that’s how the Committee has
helped in the past. A lot of the work of this Committee, a lot of the work of
our agencies, can be seen, can be recognized in this bill.

So, again, we’ll have to figure out how, the Prevention and Wellness Fund,
for example, is that it’s written at a fairly, other than a couple of earmarks,
it’s at a fairly high level about how you do this. That is the process for how
these proposals would be entertained.

MR. REYNOLDS: To play off that, I wish now we had some of the thought
leaders that we had for the Standards Subcommittee yesterday, maybe even be
part of today, because I think exactly what you just said, Carol, came out loud
and clear even in the futuristic look at standards. This whole idea of adoption
in communication and the value-based, and what are the outcomes, and so I’d say
probably 30 to 40 percent of the discussion kept moving back there, not just
the exact standard that would happen, because the standard’s a record, the
standard is a format. So it was a wonderful discussion both from a thought
leader standpoint and then from how do we roll this out, how does this happen
faster now, so I think that was great. Your point is absolutely on.

I think the thing that was exciting to me is that it’s also now showing up
in the other discussions that were more specific discussions in the past. If
you talk about a HIPAA claim you talk about the HIPAA claim, you didn’t talk
about the ecosystem around it. I think yesterday what we heard with the new
standards and the things that are going on, discussing the whole ecosystem
that’s going to have to be in place to make all this go, was a dramatically
different discussion. Again, I would echo that I think Jeff and Judy put
together a great group to come in and discuss that. The thought leaders up
front kicked that off, and then we happened to – so Don Detmer and Carol
Diamond were up near the front, and then Bill Stead was near the end. So we
kind of had what we called bookends, we kind of had bookends of future
thinking, and then we went into the HITSPs and some of the other stuff in the
middle then some of the standards. All in all it was a good discussion about
how this was going to ebb and flow, not just make a standard and then as you
said you buy a system and everything works great. I think a lot of that was
discussed at great length yesterday, and was very helpful to those of us that
were involved, and we need to get a lot of those notes and data out to
everybody, I think would be very, very helpful.

MR. SCANLON: If there are no more questions, I would just end with looking
forward to Friday, the Populations Subcommittee will be holding a panel on
looking at our capacity for modeling for health policy data, health policy
analysis data, relates some to this point as well. I think we’re getting
virtually all of the modelers within HHS and the private side, and what the
capacities are where our strengths lay, and where some of the gaps are in
looking forward for the future. Internally we’ve been doing that in the Data
Council as well, we’ve been gearing up for health policy in terms of where our
data and statistics capacities stand, our modeling our actuarial support, our
policy research, our capacity, so we’re already well into that and we’ll look
forward to the Subcommittee’s recommendation. We’ve invited a lot of folks to
come to the discussion, and many of these folks have already – many of
these models have already been used in health policy impact analyses, so the
Department is certainly looking forward to seeing the results of that as well.

MR. REYNOLDS: Okay, Karen, in our goal today of continuing to show you new
and fast things of things that have gone on.

MS. TRUDEL: I can take a hint.

MR. REYNOLDS: No, I said you’re handling things very quickly, I didn’t say
you have to speak any faster.

MS. TRUDEL: Okay, thank you. I’ll start out by talking about e-prescribing.
And I’ll apologize in advance, because for some of you who were appearing
yesterday, some of this was covered by Doug Bell’s testimony.

But we are working on a pilot right now to test two of the three remaining
three standards that were identified as part of the original suite, but where
the standards were not ready for primetime after the last round of pilot tests.
We are looking at RxNorm terminology, which is the description of the drug at
the clinician’s level, and the structured and codified sig, which actually
structures the blank section of the prescription form where the physician
writes in his instructions, take two as needed for pain, take one every twelve
hours, whatever.

And we are working with Rand, and they have pulled together a consortium to
– both lab tests and real life test, both of the standards. We’re making
good progress there.

The electronic prior authorization, which was the last of the group of
standards, we’ve done some additional work on the prior authorization, and have
looked at the original standard that was put forward, which was seen in the
pilot test to be in need of significant restructuring. We have come to the
conclusion after some research that we’ve done in partnership with AHRQ, that
we need to start over again and begin to look for another standard to develop a
standard that will actually do this work. So we are beginning to have some
discussions with AHRQ and others to find out how to sponsor some of this work.

We are also working with the DEA. They are working on responding to the
comments they received on their proposed rule about e-prescribing for
controlled substances. Received a great deal of very, very useful comments from
industry in terms of what was needed, in terms of what would work, what
wouldn’t work, safeguards that were already in place that could contribute to
improved capabilities around controlled substances. And we’re working in
concert with DEA and the Office of the National Coordinator and others in HHS
to help them step through those comments and try to develop responsive and
potentially alternative solutions in the final rule that can maintain what they
need in terms of control, and also be workable and scalable in the industry as
a whole.

Moving on to personal health records. We’ve been doing a lot of work in that
area and it is very exciting. The personal health record project we have that
is piloting in South Carolina, which is called MyPHRSC, is approaching the
completion of its first year of operation. We have 4,000 registered users,
which is quite a bit more than my mental number for success. We’re finding that
the users are very engaged, they’re very excited about it, and we’re actually
hearing input from folks who are not residents of South Carolina, or are in
managed care plans, or are outside the area where we’ve been targeting with our
outreach efforts saying we’d like to have this too.

We just in January added a partnership with TRICARE, the ability for a
TRICARE beneficiary to load their active net from the TRICARE file into their
PHR along with their claims data from Medicare. So we now have Part A and B
claims and active meds for the TRICARE beneficiaries. We’re starting to hear a
lot of interest from folks about that.

We also in January rolled out a new PHR pilot called PHR Choice. It’s in the
states of Arizona and Utah. And it differs from my MyPHRSC in that instead of
contracting with one PHR vendor we basically pre-qualified four PHR vendors,
and our Medicare administrative contractor in the states of Arizona and Utah
are providing the Part A and B claims data to those vendors based on which ones
the beneficiaries select. So the fee for service beneficiaries in those states
have the ability to select either NoMoreClipboard, Passport MD, Healthtrio, and
Google Health. Those four PHRs were pre-qualified, as I said. Some of them
charge a nominal fee, some of them don’t, they all have different capabilities,
but we’re giving the beneficiaries the ability to select which capabilities
work for them, and that will give us a basically whole new perspective on this
notion. Since we rolled it out in January we have 700 registrants.

Then I move onto HIPAA.

MS. MCCALL: Quick question on that. If I choose one of them and I don’t like
it, is one of the qualifications that you insist the vendors allow portability
from one of them to the other?

MS. TRUDEL: We did not require portability. But what we can do is if the
beneficiary wishes to cease their association with one vendor and start up with
another, we will just reload the data with the new vendor.

MS. MCCALL: So they can get a do-over?

MS. TRUDEL: Exactly, they can get a do-over. However, some of the
capabilities on these PHRs are that you can enter your own data, and if that
happens then that’s –

MS. MCCALL: I understand.

MR. REYNOLDS: Is this a clarifying question?

DR. OVERHAGE: Just a quick fact. You mentioned some adoption figures. Of the
7,000 in the Carolina work, how many beneficiaries were offered the opportunity
to participate in this, and same for the western states effort? In other words,
the –

MS. TRUDEL: It is 4,000 in North Carolina.

DR. OVERHAGE: Right. But how many were offered the opportunity to

MS. TRUDEL: They can’t, they –

DR. OVERHAGE: How many people, of the 4,000 how many who knew about it and
had the option to participate?

MS. TRUDEL: Oh, oh. All Medicare and fee for service in South Carolina, and
I’m sorry, I don’t have that number off the top of my head.

DR. OVERHAGE: The ballpark?

MS. TRUDEL: It’s a lot.

MR. SCANLON: Susan in our office has the evaluation.

MS. KANAAN: 100,000 in the seven counties.

MS. TRUDEL: 100,000 in the seven counties in which we concentrated our
outreach, and that is where most of the beneficiary who enrolled are. Thanks,

DR. OVERHAGE: So, 4 percent adoption, something like that?

MS. TRUDEL: Uh-huh.

MR. SCANLON: I might just add that ASPE is working with Karen’s office on
the evaluation of the South Carolina pilot. So we are looking at functionality,
preferences, usage, and so on. It’s amazing what you learn when you actually
provide these services. We’re working with Karen’s office on the western PHR
choice project as well, on the evaluation. We’ll try to learn something from
all of these. We like to learn something from all.


DR. FRANCIS: This is actually a follow-up on the question about the pickup
rate. Are you talking to people who didn’t register to find out why?

MS. TRUDEL: Susie says yes.

MR. REYNOLDS: Okay, Karen.

MS. TRUDEL: I would offer if the Committee is interested in more information
about the evaluation metrics, my office can partner with Jim’s and we can
develop a short one-pager and just send it out to the members.

MR. REYNOLDS: I think it would be helpful, because just taking Carol’s
comment earlier, and some of the things we heard yesterday, that whole
socialization and whole communication and whole structure around it and the
results are more important than just the facts. That would be great.

MS. TRUDEL: Let me move on to HIPAA then. Although many other things have
eclipsed this accomplishment, in January we did publish the final rules
adopting the ICD-10 and the new 5010 transactions. The amount of depth of
analysis in terms of the industry comments we received was quite extensive. It
was a very interesting process balancing and weighing the different
perspectives from all different parts of the spectrum. I would say that a
large, large number of the commentors did references the NCVHS recommendations
to bolster the positions that they were bringing forth. So those
recommendations were widely read and carefully considered.

We did in the final rule significantly change the timetable to move the 5010
transactions from April of 2010 to January of 2012, and the ICD-10
implementation dates from October 2011 to October 2013. We have gotten a
certain amount of feedback in the industry that points that people think that
that’s a lot more workable. It may not be what everyone wanted, but we are
beginning to see a coalescence around those dates and a willingness to roll up
sleeves and begin to work towards them.

The other thing I would mention though is that those regulations, because
those effective dates will have not yet occurred, are subject to the regulatory
review for the administration, and that discussion is still under review.

Let me move onto the Recovery Act. I think Jim said almost everything that –

MR. REYNOLDS: Wait a minute. Justine has a follow-up.

DR. CARR: Two questions. One is, do we have an estimate of what it will cost
to implement ICD-10? Also, do we have a sense of when ICD-11 is coming in and
how that integration will happen?

MS. GREENBERG: You take the first part and I’ll take the second part.

MS. TRUDEL: I can even do part of the second part.

There were a few comments about why don’t we wait until ICD-11. And when we
went back and basically projected an entire timeline for ICD-11, when you went
through the World Health Organization version, which is not really close at
this point, and then you look at the time it takes to do an American clinical
modification, then any testing implementation regulations you get out towards
2020. So that was not because of that reason. When you look at the whole
timeline, not really a viable option considering the fact that we’re running
out of – very soon.

In terms of the cost, I’m sorry, I should have that number right on the top
of my head, but I don’t. It is in the final rule. There is an extensive impact
analysis that is re-published in the final rule, and it basically explains all
of our alternatives and assumptions in terms of the cost benefit.

DR. CARR: Will there be any money for infrastructure for that

MS. TRUDEL: Again, the HIPAA statute is not written with appropriations
attached to it. So in terms of implementation, covered entities need to work
this into existing activities upgrades, whatever. And are you asking if it’s in
some ways an unfunded mandate? Yes, it is.

MS. GREENBERG: You did a great job. I’ll just add one or two things. One is
that as people are developing electronic health records, I think it’s very
helpful for them to know that the country’s moving to ICD-10 code sets, because
a big part of what needs to be done obviously is making sure that those –
the timing actually turns out to be quite nice, for 2013 and 2014. So I think
the funding for electronic health records could certainly facilitate the whole
mapping issues with SNOMED and other things. Although I agree completely with
what Karen said, but I don’t think that should be ignored, because they really
need to work together.

And the other thing is that what she said about the timeline for ICD-11 is
completely true. But what I can tell you, that there are now more than a dozen
I think technical advisory groups working on the different chapters or the
different components of ICD-11, and many of them are starting with ICD-10CM and
the other clinical modifications, which also have been considerably informed by
ICD-10CM, even though we haven’t adopted it.

I think that our goal is to have a much more seamless transition from 10CM
to 11 when that happens, because 11 will be greatly informed by the
enhancements that we’ve already made. But I encourage the Committee to continue
to stay engaged on that.

MR. REYNOLDS: And I spoke to Tony Trenkle last night, and we will need to
probably in the third quarter start taking a hard look at this and maybe even
frame it around the thought of how do we make ICD-10 some kind of a strategic

And a lot of the seminars and everything that you’ll see coming out this
year, because a lot of us are on the planning of it, are trying to focus on
that. How can we all not make this just another conversion? So trying to make
people come to the table and talk about what things could come out of this.
Information is going to be one of them, so back to your earlier comment.

Carol, you had a comment.

MS. MCCALL: I agree 110 percent about how to make it a strategic advantage.
My question to both Karen and maybe to Jim, have there been any discussions
about creating an incentive around early adoption, not about adoption at all
like health IT. But, as we all know, there are so many things in the ecosystem
to make all these things valuable, there’s externalities, standards are one,
and there’s a discontinuity between ICD-9 and 10, 9 to 10 is big; 10 to 11
hopefully is smaller. Has anybody talked about having some sort of incentive
that falls off and becomes a penalty? And maybe their incentives maybe not for
– and that would be for early adoption. Or maybe an incentive to novel use
or different uses that actually has value that – I’m just so painfully
aware that there are incentives for the adoption of health IT, but there’s
nothing that’s going to make me want to do it at all, let alone early, for
things that are absolutely vital to actually put through the pipe.

MR. REYNOLDS: Paul, do you have a comment on this?

DR. TANG: Maybe to pickup on your making it a strategic advantage. May I
open another question, which is from an EHR point of few, or a clinical concept
point of view, could we consider looking at SNOMED or discuss the use of SNOMED
in the EHRs of the future? It clearly will have a map that’s built in the ISDO
to ICD-10. So we would not be implementing billing or classification
terminology set, we would in fact be implementing a concept terminology, which
is appropriate for an EHR, so thinking strategically.

MR. REYNOLDS: And, again, playing off of yesterday, SNOMED and other things
were mentioned yesterday, and as people look at EHRs, using your point, if
people look at EHRs and then making sure that that’s part of what’s going to
come out of part of EHRs.

MS. MCCALL: As a follow-on. I’ll confess, I was not thinking about
clinicians or SNOMED. I was thinking about all the other covered entities where
this is an unfunded mandate, and why do I want to pay now, and thinking about
health plans. Have there been any discussions around creating an incentive for
early adoption? It’s simple, have there been any discussions around that?

MR. SCANLON: I’m not aware of any, but Medicaid programs for changes like
this that are systems related, health IT related, I think it’s a 9010 match, if
I’m not mistaken, for everyone else. I have not heard of any incentive for –

MS. GREENBERG: I do want to comment on the issue of early adoption. I mean,
the thing is there is a date certain, and because the DRGs, everything, will be
based on the new code sets I don’t think there’s really a desire to have people
– I mean adopt early or at different times. I mean certainly encourage
people to be starting early, but to have some on ICD-9CM and some on 10CM and
some on 10PCS, I mean it could be a nightmare. It’s not what the rule calls
for, and I don’t think the community supported that either. I think the main
thing is not to delay it beyond when it is.

What you mentioned about the SNOMED, the thing is it will still be an
imperfect mapping because that’s what it is, but the goal, as you know, for
ICD-11 is to have it be much more seamless in that regard too, because there
will be a terminological underpinning to ICD-11. I know yesterday there was
some talk about the SNOMED coming up with the core sets in a sense, as opposed
to the whole thing. There you could actually make changes in 10CM and SNOMED to
make them work better together.

But I really think that this is, you know, everyone’s been talking SNOMED
and now there is real money, and I think this is going to be a huge challenge.

DR. TANG: Can I tie these ideas together? We are basically putting forward
an incentive to implement early, as we said, 2011 or 10 is around the corner.

The proposal is to try to move up and to reward those people who do adopt
earlyish. The logical choice in terms of a terminology would be SNOMED for the
clinicians. And because there is a built-in both a mapping and a transition to
ICD-10 and 11, if you were to adopt SNOMED as part of your EHR it seems that
would be the most strategic roadmap to get from here, early adoption accurate
coding of clinical concepts, to the future classification scheme.

MS. GREENBERG: There is a mapping that we’re doing in the U.S. to 9CMs
between SNOMEDs.

DR. TANG: Well, just the transition.

MS. GREENBERG: That’s a work in progress with the National Library of
Medicine. But I think all of this is worth exploration.

MR. REYNOLDS: I’ve listed this as some for further discussion later in the
day, too. I got Bill, I got Larry.

MS. TRUDEL: And I’m not done yet.

MR. REYNOLDS: I noticed you’re not. Judy, I’m still working across. I got
you, you’re in the official one, the rest are jumping in.

MS. TRUDEL: You know, if I could finish it might tie some things together.
Because the last thing I was going to talk about was the Recovery Act.

I think Jim covered the high spots very ably. We are looking in particular
of course at the incentives where eligible professionals and for hospitals,
both on the Medicare and the Medicaid perspective. There are some very
interesting issues that we’re going to have to tackle, for instance, what
“meaningful use” means, how we are going to compute and distribute
and audit these large amounts of funds, how we’re going to be able to report
back on what kind of progress we’re making, how to make sure we have metrics to
express our success or lack thereof, and progress.

One of the other things I think it’s important to point out is that there
are – I’m not considering the incentives as a one-time shot. They start in
2011, but it was very clear that Congress intended us to raise the bar over
time in terms of meaningful use, and that the EHR landscape, the products
capabilities in certification terms in 2011 will not necessarily be where we
ultimately want to go. They were very clear about raising the bar over time and
redesigning meaningful use, and redefining what a certified EHR is. I think we
have to think about opportunities similar to the one that Paul mentioned, and
link up with things like ICD-10, because people that we talked to yesterday
about the Recovery Act and standards all said the HR adoption and incentives
this is all happening at the same time as ICD-10, and the point I think they
were trying to make is limited resources. But I would flip it around and say
possibilities for synergy over time.

MR. REYNOLDS: Is that it?

MS. TRUDEL: That’s it.

MR. REYNOLDS: I’ve got Judy first, Walter and Bill and Larry.

DR. WARREN: What I wanted to comment was back in the e-prescribing pilot,
and it really kind of wraps up with the Recovery Act.

One of the phenomenal things that Dr. Bell reported yesterday in the pilots
about e-prescribing is that as they began to find difficulty in the standards
in implementing those, they immediately reported back to the standards
development organization that developed the standard and gave feedback as to
the testing that they did. As a result, those organization immediately went to
the standard and changed it where it worked within the pilot. Again and again,
what we heard when Harry said earlier about the ecosystem of standards
development, this is what we’re talking about, because that feedback loop has
not really been around before.

So I think that as we start looking at incentives and grants and stuff like
that, one of the things HHS looks at is whether or not people who are writing
these grants have that feedback loop to feed back into really creating the
standards. We are really coming into a really exciting time.

The other thing that was about that was this whole notion of as we worked on
our standards, and so you looked at HIPAA and looked at e-prescribing, a lot of
the work was really focused on the standard itself and IT, and we were really
kind of pushed, enlightened, I’m not sure exactly what the adjectives are, to
also think about communications standards. Again, looking at the context these
standards are operating in, and start using that to really take a look at them.

So I think we’re kind of coming into a whole new way of us thinking about
standards that this Stimulus package is really going to support. But that was
one piece that really kind of excited me that I think we really need to look at
a lot more.


DR. SUAREZ: With respect to the comments on ICD-10, I think that one of the
preconditions to allow the ICD-10 is to go to 5010 first. Then as much as we
want to talk about how to integrate ICD-10 EHRs by doing the priority for the
industry is to go first to 5010 and adopt 5010, without ICD-10 – is not going
to happen.

I wanted to highlight and point that out because I think the critical path
is really to start with 5010. I think it’s interesting going into the EHRs, and
then just integrate the financial aspect of healthcare into the EHR is going to
be a much larger and longer term interest. I mean 2014 is the goal to get most
of the electronic health records out there.

One of my questions to Karen was about the other HIPAA regulations. Do you
have any updates on the claim attachments and help on ID?

MS. TRUDEL: I don’t right now because the change in administration the
regulation agenda is being reassessed and redefined, and I don’t think we’ve
seen the new version.

DR. SUAREZ: So the final rules on claim attachments are not yet? Right now
we have the proposed rules?

MS. TRUDEL: Right. The regulatory agenda, which is agreed to by the
Secretary and OMB, is our marching orders in terms of what we’re planning to
publish within the next year. And we don’t actually have a new one in place

DR. SUAREZ: The other question I have is on PHRs. I don’t think that there
was much on the Recovery Act on PHRs. There was a lot of discussion about
certified EHRs, actually certified electronic health records, not electronic
health record systems. Which is a point that is creating some concern about
what is it that we’re exactly looking at when we talk about certified
electronic health records, defining is what people informatics electronic
health record systems, or software applications.

That aside, do you see or what do you see the affect of the Recovery Act
will be on the PHRs, particularly in light of the pilots that are being done by
Medicare? Is there going to be expectation that the incentives on EHRs would
extend to PHRs or some other mechanisms to promote the adoption of PHRs?

MS. TRUDEL: Again, the way the incentives are structured, they are directed
to physicians and healthcare and hospitals. So I guess to the extent that those
entities have environments that contain both EHRs and PHRs there would be some
synergy there.

What I think would be the largest factor though would be that the more
providers you have with electronic health records the more likelihood there is
that they could establish a standards based interoperable link to push clinical
data into PHRs. And if you add to that the information network grant, then you
establish a way to get that data from point A to point B.

I think basically it is a significant step forward in terms of –

MR. REYNOLDS: Bill, Larry, and then break.

DR. WILLIAM SCANLON: This is a comment. It’s about what I think what
expectations we should be having. As far as the idea of the ICD-10 being an
unfunded mandate, and I’m not sure technically whether it is an unfunded
mandate, because participation sort of in the public program is all voluntary.
So anything we have asked of providers and plans is in prior circumstances I
think is regarded as not an unfunded mandate.

I think this goes more broadly, particularly this week, since we have had
this White House summit on how do we deal with this spending over time, and if
the simple projection of health spending is that it’s going to reach more than
100 percent of GDP, we have an issue here. Then we’ll be healthy, right.

So there’s this question of how do we go forward, and what can we ask of
participants in the health sector, and I think the answer at least on some
parts is we can ask a lot, because the revenues in this sector has been
significant enough that it’s not unreasonable to say do more. You know, the $20
billion going into health IT is one way to get to the objectives that we’ve had
in mind for a long time. There is another camp that had a similar objective
that said all we should be doing is saying you can’t participate unless you do
this. You can make it happen out of the revenues you already have. That was not
an unreasonable position either. We’ve now made a decision, but the issue is as
we think in the future about how we’re going to turn this into our advantage,
let’s not be timid about what we’re asking for.

MR. REYNOLDS: Larry. I know there’s other people that might want questions
later. We have some time for discussion. I have to keep in mind the other
speakers. We got people that have tight schedules, so I need to defer to them
and not just us.

Okay, Paul has to make a statement.

DR. TANG: Well, Walter asked about PHR in the Recovery Act. There is one
piece of it that could pertain to NCVHS. That is the Secretary must make a
report within eighteen months about the need or lack of need for additional
privacy statements and regulations about concerning PHRs. So the Privacy and
Security Subcommittee could take that on to participate in that.

MR. REYNOLDS: Okay. With that we’ll take a break. Be back at 10:50, 15
minutes, and we’re going to start promptly at 10:50.


MR. REYNOLDS: We’re going to move onto our next presenter. We are welcoming
back Laura Miller, who is going to give us an update on the eHealth

Laura, thank you very much for joining us, and we’re sorry for the little
bit of delay, but the richness of the discussion was hard to cut off. Please
continue, and thank you.

National eHealth Collaborative Update

MS. MILLER: Good morning, everybody, and good morning to those online. It’s
a pleasure to be back here again, and to be back here with the new name, which
is the National eHealth Collaborative.

I was interested in the early morning discussion. Obviously there is a lot
going on, and I’m impressed with how quickly HHS is moving things along in a
period of some uncertainty. We have had the mandate from our President and from
the administration, and the National eHealth Collaborative is certainly ready
and willing to help with that mandate.

This is a reminder of our mission, that we are an independent, trusted, and
collaborative public private organization. I note that the term public private
has come up more frequently in the last few days, we maybe we have some
additional cache around that phrase.

We were created to accelerate the momentum and progress being made with the
implementation and effective use of health IT. We are a voluntary consensus
standards body, and are charged with bringing together across the healthcare
industry consumers, professionals, the public health community, government and
industry, to establish in a transparent way the priorities for moving forward
and to leverage the knowledge and resources of the private sector while
collaborating with the government.

As I said, we are trying to focus that expertise and resources in
prioritizing and addressing needs, and at the same time assuring that the
solutions are sensible and that they can be integrated across the healthcare

We are a membership organization, and these are just some of our current
members. We actually started accepting membership applications only a few
weeks, and we are pleased with the interest and the involvement of a number of
our partners. If you are interested in that possibility, I would encourage you
to visit our website, which is www.nationalehealth.org.

Our organization is in terms of three committees, and I’m laying them out
here for you and for those online. We have a policy committee, and this is not
intended to be policy in the sense of government policy, but maybe with a small
‘p’ which addresses overarching obstacles to adoption and implementation,
and that promotes health information policies and technical approaches.

The policy committee is chaired by Lori Evans from New York, with
vice-chairs of Lisa Simpson from Cincinnati and Jody Daniel from the Office of
the National Coordinator. We also have a mission development committee, which
monitors the impact of health IT adoption. It’s to take a strategic view of the
requirements for health information exchange, and is charged with continuing
the work that was begun and wasn’t yet completed by the American Health
Information community. The chair of that committee is Charles Kennedy from
– Point, and vice-chaired by Debbie Summers.

Then lastly, the value cases steering committee, which is charged with
identifying strategies to increase interoperability by prioritizing what are
submitted from stakeholders as value cases, and chairing that committee is Paul
Tang, who is on your advisory committee, and I think will be adding some
comments after, and co-chaired or vice-chaired by John Glasser from Partners

What we call the national interoperability prioritization process is an
opportunity for stakeholders to collaborate together to submit value cases that
would increase interoperability and basically prioritize their own needs, and
submit them for national action. In the process we would emphasize the value of
each of the proposed set of interoperability initiatives in our review of it.

There can be various types of value cases. A lot of your discussion
yesterday was on standards. In our organization, as we’ve talked about it,
we’ve identified that there are many barriers to implementation that go beyond
the focus on standards per se. So value case types can go beyond standards
harmonization to other elements, to model processes, to best practices such as
how to incorporate e-prescribing and provide a workflow, and to frameworks
which could include the service oriented architecture based model for an HIE.

This slide is a walk-through of the process. I’m not going to read through
all the individual steps. I just want to comment on three elements. First of
all, there would be a letter of intent element to the submission of a value
case in order that the National eHealth Collaborative and staff could support
the thinking and perhaps involve other who might have an interest to
collaborate in that specific value case.

Secondly, there would be a solicitation for public input in order to help
understand other parties, comments, and interests about the value of the
particular proposal.

Third, there would be due diligence subcommittees who would be convened to
evaluate once the full proposal is submitted. Those would be people who have
subject matter expertise in the area who can use criteria that have been
developed to determine whether the proposed value case should go forward as a

The due diligence criteria would address both the value overall, what is the
value proposition for the health community, what problems does the proposal
solve? It would include feasibility criteria, can the submitting organization
or organizations complete the proposed initiative? Then finally, what are the
business criteria, can the health industry readily implement and absorb the
successfully executed value case?

We have developed a template for what a value case proposal should include.
As you might expect, executive summary requirements justification, the value
and impact, how it would impact the health information exchange scenario, the
technology assessment if that’s relevant, stakeholder committee, and industry
adoption readiness.

Let me pause there and say since we are fortunate to have Dr. Tang on our
AHIC Board, and as the chair of the value case steering committee, and see if
Paul wants to add any comments before I move onto another topic.

DR. TANG: Sure, thanks, Laura.

I think the value case is one of the most important propositions for this
new organization, which is a public private entity. The reason is because it’s,
as Laura mentioned, a stakeholder initiated feet on the ground driven by
clinical and business needs kind of approach. So these folks are working at
this interoperability interface, and they have run into major problems. We
anticipate it’s not going to be mostly about standards. It is probably going to
be all the other things, and Carol started talking about it, that prevent
people from either adopting EHRs or sharing the data from their EHRs. Because
as we all know, that is a major stumbling block for small or large

That is the problem domain we’re looking to address. And what we want to do
is find the people who exemplify something that’s going to be generally
applicable to many of these local and regional initiatives, and try to solve
them as a nation, as a community. We would put out this call asking for people
to come forward with a broad group of stakeholders involved in that particular
effort, and either asking or proposing breakthrough strategies to get through
the problems and advance something that can be used more widely throughout the

Where standards are involved it may go through the pathway of going through
HITSP and CCHIT. Where it is policy or best practice or implementation
strategies such as the extension program we’ve heard about, that might be
something we bring in other things. We could convene meetings, convene summits,
convene parties together as one of the possible, I mean we still have to work
this through, what are the ways NHIC can provide value to the regional efforts.

Let me just give another couple of ideas, not that they’re coming forward,
but the things that NHIC might deal with as far as national priorities. One
might be quality measures derived from EHRs. That is something that NQF is
working on. It was working on this trying to anticipate what might be needed,
and suddenly with the Recovery Act there is a real need I think.

So the three elements let’s say of incentives, one is the certified EHR, and
another is you have to exchange information with other people than yourselves,
and the third is you have to report on quality. And the language talked about
clinical quality reporting, which you could interpret as being more than
administrative, more than reports based on administrative data. Most of the NQF
endorsed measures, the vast majority, are all based on administrative data.
What we’d like to do is skate to where the puck is and say how can we get data
and make use of data from the EHR. So that might be an example of quote,
“value cases.” It has to do with standards of a sort, you have to
incorporate standards, but it’s a new kind of standard of the kind that NQF is
dealing with.

Other things could include policy frameworks, because when you work amongst
organizations some of the work that Mark has done, how do you use that? That is
offered to the community, but how do you take advantage of that and bootstrap
your efforts in the region?

Those are sort of the things that we’re thinking about as far as what are
value cases that could benefit services – to be an example.

MS. MILLER: Thanks, Paul.

Moving on to another major topic that we’ve been dealing with, and it has to
do with NHI and governance framework. I am pleased to see Jeff here, who is a
member of a workgroup that we have jointly convened with ONC. NHIC has a
contract with a supporting legal firm to help develop a white paper on the
issue of a governance framework.

A governance framework is really essential at this point. The NHIN is
evolving, and the organizational infrastructure needs to support both the
emergent NHIN as well as eventually the mature NHIN. So we are trying to strike
a balance between not too broad and not too narrow in terms of what the
framework should look like initially. We want to primarily support the needs of
the participants in the emerging and the evolving NHIN. And this is going to be
an iterative process and an open process, with multiple opportunities for
stakeholder involvement.

The core principle, however, is that the governance is going to need to
support the needs of the participants, and it must be deployed through an open
process that involves stakeholders. Consequently, we expect it will be a
collaborative framework.

We also note that until the final governance decisions, which according to
the new legislation ONC has the responsibility for establishing right now and
continuing, ONC has the overarching responsibility to ensure appropriate

So the NHIN governance framework planning workgroup, as I said, was formed
jointly by NHIC and the Office of the National Coordinator. It is comprised of
representatives from HIEs, the NHIC Board of Directors, from consumer
organizations and not only ONC representatives but other federal
representatives. It was established to build on the preliminary functions that
were identified for the NHIN. And it is charged with developing what the
structure would look like that would meet the needs of the operational or the,
quote, unquote, “production in NHIN.” There will be a collaborative
process and a public comment period.

These are the workgroup members. As you can see, they’re membership from
across a broad range of organizations. Most recently we’ve added two additional
federal members, Jim Garvie from the Indian Health Service, and Henry Chao from
the centers of Medicare and Medicaid. We also have involved additional consumer
representatives who I think bring a unique perspective to our Board.

Our objectives are to preserve the privacy and security of all health data
exchanged through the NHIN and to foster the effective use of interoperable
health information, bottom line, to improve the health and well-being of all
and reduce health disparities; to initiate and facilitate health IT strategies
that lead to the improvement of the overall performance of healthcare and
related systems; to establish trust among stakeholders, and this is a key
element. And one of the reasons why it’s important to have both consumers and
public comment periods and opportunity for input throughout the process,
because the HIEs and their participation in the NHIN requires an ongoing trust
agreement. And finally, to look toward the creation of a sustainable business
model for NHIN operations in governance.

We have some foundational principles. We have started with the idea that we
do not know what it should look like, and so we’re going to evaluate the
functions. And from the functions and our understanding of how those work to
come to a better understanding of the formats required to support them, we do
acknowledge that it’s likely to be a distributed governance process. It should
include the ability for the participating HIEs to be represented, so likely it
will also have representative components.

Again, because of the need for the trust element and the importance of the
agreements going forward, it has to function with transparency and openness. We
will need to be responsive to not only the participating HIEs and their needs,
but also to the broader healthcare community and to those whose data is being
transported across the national health information network. And it needs to
finally be accountable, because again those who are responsible for this data
occupy a position of public trust.

Here is a listing of the seven major functional areas that we envision will
need to be accomplished by the NHIN governance structure.

The development of the strategic directions. Both the hands-on development
for to realize its growth and to expand, but also its strategic thinking about
the future.

The development of the operational infrastructure. There will need to be
policies and procedures both operational and technical standards-based
interface data specifications, test plans, and methods that can support the

The development of the legal infrastructure. Right now there is the
continuing development and management of the DURSA for those who are the
initial participants in the first production NHIN, which is just starting up
between MedVirginia and the Social Security Administration. But there will
likely be other legal elements as we move forward that we’ll need to support
the data exchange.

Participant Management. The admission and enrollment of new NHIEs and their
oversight of existing NHIEs to ensure compliance and enforce performance

Next is dispute resolution. There will need to be active management of a
multi-tiered dispute resolution process that can help the NHIN participants to
avoid any litigation. There could very well be disputes between participating
organizations. And those organizations may answer to other legal entities,
state or federal, or corporate, and so we want in some ways a mechanism to
ensure that we don’t need to go very far down the path of a dispute before we
have resolved it.

Next is the authority to engage support services for the NHIN. The NHIN
itself may need to have multiple supporting entities, contractors, or other
entities to assure its operational efficiency.

Lastly, managing security incidents. The prevention and management of
security incidents and follow-up or oversight of any improvement or correction
activities after a data breach would be something that the NHIN would have to

These are the seven major functional areas that have to be fleshed out for a
governance structure. Under each of these are multiple specific functions. And
our next steps are in the steps we’ve been involved in, are to take these seven
areas, expand upon them with some specificity, and then begin to look at what
attributes an organization would have to have in order to support these seven

Our anticipated next steps. There is for the National eHealth Collaborative
a group called the Interim Interagency Coordinator, which includes members from
across the various federal departments and agencies. And those members and
other federal representatives were asked to provide some initial feedback to
the first draft of this paper, and have given us some terrific feedback that is
currently being incorporated. There are special briefings for key stakeholder
groups that are available.

As we continue refining the governance framework, including what the
competencies will be for a governance multiple or distributed governance
authorities, we will be seeking input from the NeHC Board and a public comment
period before all of that comes back to the Office of the National Coordinator,
presumably for review at the level of the Secretary and others in the

I think John Halamka said it well, now is the time to invest, we’re at the
tipping point. Wise investment with accountability for use of electronic health
records and incentives to achieve coordinated quality care is needed to
transform healthcare in the U.S.

In working jointly to this point with HITSP and CCHIT we see a shared vision
on how to move forward to build on the momentum and trust and leadership that’s
been established. We recognize that we’re in a time of transition and change,
and that there may be decisions that impact the way we envision moving forward,
but right now we are one stop. Our momentum and are anticipating that we can
bring some value, as Dr. Tang has talked about, with the value case, and are
prepared to release the call for value cases before the end of the month likely

With that I will stop and see if there are any questions or comments. I’m
glad that both staff and Paul are here in case I need help.

MR. REYNOLDS: Are you able to stay with us until noon?


MR. REYNOLDS: What I thought I would do – Rob, you go ahead and talk,
because I think the subjects are so interwoven that I’d rather hear both like
we talked about earlier, and then spend some time discussing it.

With that, Dr. Kolodner, the actual National Coordinator, is going to be
presenting this.

Linda, thank you, that was excellent. I’m not pushing you off, I think it’s
kind of hard to discuss, I mean we’re likely to pull Rob into three-fourths of
the questions that you got asked. It might be easier to just do it all at once.

ONC Update on the NHIN Conference

DR. KOLODNER: Good morning, it’s delightful to be with you all again. And I
bring regrets from Chuck Friedman who is not here, because I’ve asked him to
help coordinate our staff as we develop and spend time on other things that are
a result of the Recovery Act that we’ll be talking about in just a moment. So I
get to talk with you and have fun.

One thing I noticed in your material that may need updating, since I’m the
National Coordinator, although as we’ll see in the Bill the National
Coordinator function now that it’s not under Executive Order but under statute.
In fact, it needs to be appointed by the Secretary, so when we have a Secretary
the Secretary will then appoint a national coordinator that is now
transitioning into statute.

What I would like to do is to briefly run through a few areas and then Jodi
is going to also follow the areas I was going to cover, was the HITECH Act the
America Recovery and Reinvestment Act – but I understand that Jim covered
some of it, so I wasn’t able to be here, so I’m not sure how much you’d like me
to spend on that, but I can spend as much or as little as you like.

MR. REYNOLDS: It might be helpful to cover it maybe from the opinion of how
you’re going to approach it. I think between Karen and Jim this morning they
really took us through all of the pieces. I think what would be really helpful
for us is how you’re going to approach it, and then obviously Linda, how your
group fits in. That would probably be a good way to do it.

DR. KOLODNER: Then I was going to briefly touch on some previous business
that is the acceptance of some standards that occurred, so you can see that.
There was on the original agenda some request about a summary of the NIHN from
December. Again, I can cover that if you’d like.

MR. REYNOLDS: I think the business of the day would be what you just
previously talked about. Because I think a lot of it is the outcome of what
you’ve been driving. Having been at the conference I think that would be good.

DR. KOLODNER: And then Jodi will catch you up to date with the privacy
activity we did in December and the framework and toolkit, and also briefly
touch on the privacy aspects of the Bill if Karen didn’t do so already.

The Bill at a high level has really five major sections. Without drilling
down too much, one essentially establishes the Office of the National
Coordinator, and actually sets up the standards promotion and the policy and
the standards committee, HIT policy and standards committees, and a process for
accepting or adopting the standards, a new term that we’ll be using, which will
be by rulemaking. And we would be interested in understanding a little bit the
issues of how one does rulemaking and provides the maximum flexibility for
version updates and things.

There’s a section that has to do with NIST. There are two parts, one is the
testing that goes with the standards, the other is a grant function. There is
that particular grant, plus five other grants that really give great
flexibility to the Department in terms of how to roll out the funds, and this
is where most of the funds will be distributed.

There is a section that has to do with infrastructure, and it’s entitled
Immediate Funding. Some includes some funding that may go within the Department
to be able to get ready to respond or to help foster the exchange. But it
mentions, for example, tele-medicine, among other things.

Then there is a section on privacy. And finally where the biggest bucks,
which are in the incentives for Medicare and Medicaid, which won’t get started
until 2011. So those are the sections.

In terms of how we’re planning on proceeding, we do have to set up two
FACAs. So we have what was one FACA under AHIC now is two, one of which the
policy committee has a very defined who gets to nominate the different members.
And the second, the standards committee, has a distribution that’s identified
but not is essentially set up by the Department. Now, within that there are
statements about the role of NeHC, with NeHC making certain changes, and those
the Secretary then has the option to recognize the NeHC for either the policy
or the standards committee, which may be some of the – that’s there
because now that the policy committee is kind of assigned by different people
it’s a little harder for the Secretary to do that, given the way the law is

There is need to set up very quickly, because there is also the charge to
have an initial set of adopted standards by the end of the year, by December
31st. Because it’s rulemaking, we did say that we could use the
interim final rulemaking in order to meet that deadline, rather than the full
rulemaking. There is also the statement that that can draw on the existing
standards that have been promulgated before and recognized before.

What we’re looking at at this point, and obviously we need to get the
committees together and get advice from them, but as you know, we have a broad
range of standards, and let me just go to those slides. You see here on the
screen this roadmap that we had of three use cases in 2006, four use cases in
2007, six in 2008, and then there was one use case and a bunch of gaps and
extensions that were submitted to HITSP that we’re working on now for 2009.

The standards from the first two that fall into consumer, provider, and
population channels, the ones from 2006 and 2007 have been recognized by in
this case Secretary Leavitt, and the ones in 2008 were accepted as we see on
these next two slides those that were updates to existing interoperability
specifications that were accepted, biosurveillance, and consumer empowerment
and access to clinical information via networks, emergency responder EHRs, and
consumer empowerment and access to clinical information via media.

There’s then a set of new interoperability specifications that map against
those use case areas, medication management, personalized healthcare,
consultations and transfers of care, etcetera. Given the change in process,
these are then ones for us to draw on. The recognized status from before has
been replaced by a different process, but these do constitute ones that we can
draw from as we go forward.

In addition, there were a few specific areas that Congress said the
standards had to address, both in terms of certain functions, but also
specifically needed to have fields for not only gender, which we do have in the
standards, but for race, ethnicity, and primary language of the patient.

Those exist in a stubbed-in form, in talking with HITSP, and knowing that
there are standards sets that can be drawn on for that we believe that that’s
not an issue in terms of being able to get that through and in a form that can
be brought forth and with enough time for vendors to be able to respond to it
and include it in next year’s certification cycle.

So we will be looking through the standards, getting input from the policy
and standards committees as they’re formed, which obviously has to happen
pretty rapidly for them to guide us, then we’ll have to go through the
rulemaking process, or the modified rulemaking process to get those through.

Where the money is is in the five grant areas, actually six counting the
NIST. The NIST grant, which we will be working closely with them, has to do
with sparking innovation through and for inter-exchange or exchange of health
information, and that will go out to institutions of higher learning, but also
federal laboratories and other types of nonprofit on a tentative basis, and
will come out of the $2 billion funding for those centers, in addition to $20
million that we’ll be giving them for their testing activities.

Of the rest of them, and let me pull up here these other grants just so that
we can be looking at that, actually I don’t have that on the slide, I’ll do a
dynamic reshuffling of the agenda we were talking about.

I mentioned the immediate funding to strengthen health IT infrastructure,
and basically that just allows us to use the different agencies as vehicles to
invest through. We’re not intending to set up a whole grants office in ONC,
given that there are very good grants offices that do similar types of grants
that match these. In other agencies we’ll work hand in hand and pass money
through them, staff them up as they need to handle it, and then have a smaller
grants office that looks at accountability and the reporting that will in the
office, but will go out I would expect through agencies such as HRSA and AHRQ,
and maybe CDC or others for that.

This is one section that gives a little broader perspective in terms of what
we can use the funds for, and the way the bill was written. The few billion
dollars are specifically for what’s written in the Bill, so if it says for the
HITECH Act then that describes the authorization section. Here they do broaden
it and talk about the HIT architecture training and dissemination of
information on best practices to integrate IT and other types of
interoperability of clinical data repositories, registries and other things. So
they paint a broad field which gives us some of the flexibility that we need as
well, to make sure that the rest of the money that’s spent really has its full
impact, that we don’t have pieces that lack that last 5 or 10 percent that will
allow us to pull it together.

There is set of grants, or one of the grant sections, that’s basically
setting up a regional extension center, a parental center above the rest, and
then regional extensions that is modeled after the agricultural extension
centers that really help farmers. In this case it’s really providing the
support and training, the installation, guidance, to the frontline commissions
and providers, in a way that is meant to speed up if there’s an improved
technology or improved solution or improved process that it’s meant to rapidly
disseminate that out, rather than the fusion of that which often takes years.
The number of those, the structure of those, are yet to be determined. And part
of that is also to foster innovation, so there’s a research center looking for
new innovative ways of helping to get adoption.

There are state grants that are for the exchange of health information. You
might think of it as support for HIV and RIOs, but the question there is are
there also other models that we should be looking at over parts of the country
where more of an ISP type, a health ISP, may be adequate and at a lower cost.
Those are things that I think we need Steve to still explore.

The grants themselves, community plan grants or implementation grants, and
they go to either states or to what are called Qualified State Designated
Entities, so many of the state level health information exchanges are those
types of entities.

There is a required match with nonfederal participants starting in 2011.
There are certain restrictions or qualifications, that is that the strategic
plans that those entities submit need to be pursued in the public interest.
These are not for-profit entities. And that what they propose needs to be
consistent with the strategic plan developed by the National Coordinator.

Let me stop there for just a second. As you know, last June we did release a
copy of a federally coordinated strategic plan. I think one of the questions
early on during the election and even in December and early January, was what’s
going to happen to all this effort. Certainly lots in the press, but was it
going to be set aside and start over, was it going to be built upon. I think
the answer from the Bill is clearly that it’s being built upon and moved
forward, accelerated even more with both the availability incentives and
resources. So the strategic plan itself is explicitly referenced, and the
National Coordinator is told to update that, so we’ll be doing that.

Back to the grants then. We have a third grant type, and that is for states
and Indian Tribes. These are competitive grants, but they’re really just setup
loan programs, revolving loan programs, that facilitate widespread adoption of
the certified EHR technologies. In talking to a couple of the states, one of
the problems is that since it requires state matching, unless they match it
with state funds doing this in the state is actually difficult. And we’re going
to have to work through this and work with the administration and even maybe
with Congress, because we certainly want to do the intent of this, but the
issue is if it’s not workable we really need to find something that meet the
intent of Congress.

Then there are a couple of education programs fortunately. One is called a
demonstration program to integrate information technology into clinical
education. And this really is one that’s broadly integrating health IT and the
use of health IT tools into the education of health professionals. These are a
broad sweep of professionals that are covered by this, and this particular one
I believe requires that there be two disciplines involved in the grant. It
can’t be just nursing or just medicine, and it explicitly has a broad range of
health professionals fortunately. There is a report back, and how we can
improve that.

The next one is really the investment in medical informatics education. And
this is one where the Secretary gets to put out these funds in consultation
with the Director of NSF. But it’s really establishing a medical informatics
education for either health professionals or for IT professionals, with a
priority given to existing programs and ones that are designed to be completed
in less than six months. So there are different levels here. Obviously, you can
fund both the two-year type of informatics where that’s needed, but there is a
priority also if you try and get some people who can service that frontline
group that can understand – arena and help in the workflow changes, and
help that out.

Those are really the grant areas that we have. The mix across them, there is
one, this is the only area whether other than money to miss there is a
specification that $300 million will go to helping setup the information
exchange in the communities. In reading this we’re still looking to get
guidance as to whether that’s just the one that goes out to setting up the
HIEs, or whether it includes the extension centers. It’s either one or both,
and we’ll be getting clarification as we go through. But the mix of that is
still something that needs to be determined by the administration, and in
particular, $2 billion, which is a huge amount, more than anything we’ve ever
had like this before in the area, is still very small compared to what’s needed
for all of this. And frankly, what we need to do is figure out how to structure
these so that for every dollar we put out we get ten dollars of impact.

And we also want to see what we can do in working with the standards, that’s
why they’re so critical, and the vendor community, provider community, to
recognize what we’ve done before or since the pilot. Pilots are usually more
expensive than operationalize the whole thing. The question is how do we drive
down the installation cost per office, the new installation cost, the
maintenance cost, how do we foster competition among the vendors so the new,
more agile, more adaptable or configurable software that’s a lower cost to
infrastructure, it’s more secure, and can be updated quickly, that that’s
actually what we’re favoring so that we bring about some movement of market to
favor a lower cost higher quality faster adoption model. In particular what
we’re looking for is to really find the outliers who have done it, and then see
if we can replicate that. With the HIEs we are seeing that they’re now the
models where some of the more successful HIEs can franchise their knowledge,
their technology, their support, and bring up a new community faster and less
expensively. So rather than going into a new community and starting from
scratch, what can we do to foster this type of model going forth that will
stretch our dollars further.

I think the key part here is that we’ve got to make sure we have the
standards, that we have the adoption, that we have some communities, and that
we will be moving forward with NHIN as being the area that completes what we
didn’t have at the beginning or years ago where we put out standards but we
couldn’t test them, or if we did they were three entities together. We found in
NHIN testing that if we just gave clusters together of three or four of the
communities or with the feds, those groups could talk together, when we got
them all together they actually couldn’t talk together. So the idea of allowing
standards to be tested by having small groups doing that really doesn’t work,
and we need to have something that builds towards a more common structure.

With that, let me stop and let Jodi talk about some of the important things
in the privacy arena, and summarize what we did in December.

MS. DANIEL: Good morning, or I think we are getting close to noon here. Did
you get an update on the privacy pieces, privacy and security pieces of the
statute? Okay. I’m not going to go into a great deal of detail on it. I’m just
going to briefly explain sort of the high points. Obviously folks from OCRS CMS
can do a better job of getting into the weeds on how that might impact the
existing rules and where they might go with that. But just to give a little bit
of a flavor for what’s in there so folks know what may be coming down the pike
from HHS, particularly from OCR and CMS.

The provisions in the Act, there are kind of a handful of different things.
Mostly there are modifications to the existing HIPAA rules. So they are in the
flavor of specific changes and specific provisions. There are a couple of areas
where it appears that Congress wanted to take a different approach than had
been taken previously by the Department in the areas like sale of PHIs,
accounting, things like that, request restrictions. So there are some specific
changes in the statute on particular rules.

Then there are some additional things that were added in, particularly
breach notification. There are specific requirements about covered entities
being required to notify individuals in the case of a breach, and also business
associates being required to notify covered entities in the case of a breach of
information they hold.

Then what I think was probably the most significant change as far as the
HIPAA rules were how they applied. There are provisions both for the security
rule and the privacy rule where certain provisions of those regulations would
now after the fact apply to business associates, both directly as well as
having them beyond the scope for enforcement directly. So that is a significant
change. Obviously the Department will be digesting all of this and trying to
figure out how to incorporate these new changes into the regulatory structures
that we currently have.

But one thing that was interesting from a health IT perspective is that it
explicitly stated that health information exchange organizations, RIOs,
e-prescribing gateways, and PHR vendors would be business associates under the
current HIPAA regime. That is not an absolute, but it talks about particular
types of PHR vendors and that sort of thing. But it does specifically clarify,
I know that was an area that folks were somewhat confused about, and it does
explicitly state that particular types of entities are in fact business
associates, and therefore the rules on business associates would apply to them.

There are other provisions about PHRs, particularly again PHR breach
notification. The statute didn’t make all PHRs covered by the HIPAA rules, but
it did explicitly provide this breach notification requirement for PHRs, and it
requires the Federal Trade Commission to come up with regulations and to be an
enforcement arm with respect to the PHR provisions. So we will obviously be
working a lot more closely with our Federal Trade Commission partners who we’ve
been – both OCR and ONC have been working very closely with them on a
couple of different issues in this area, so we will be continuing in that role.

There are provisions in the privacy section for enhanced enforcement of
HIPAA, as they call it, or strengthening enforcement, I forget what the exact
term was. They are in a couple of different flavors. They seem to do a lot in
this area. They both address the approach to enforcement, how the Department
actually enforces the rules, and what our approach is when there is a complaint
that comes in, and when we impose penalties and our approach in that way. It
also affected the penalty structure. Interestingly, it included the ability for
State Attorneys General to enforce, that that’s something we’re also looking
at. We want to make sure that we don’t have more confusion where we have each
state interpreting the federal rules differently, and then also have the feds
interpreting those differently, so we’re going to have a lot of work to do in
that area as well to make sure that that is done in a way that is most
effective and causes the least bit of confusion for folks who are trying to
apply these rules.

Then there are a couple of areas where there is one provision about
education. There is a requirement, an affirmative requirement I think it’s
within twelve months that the Department does some specific education on
privacy of health information. And we hope very much to work closely with OCR
on that to make sure that its use of health information and privacy provisions
for health information, but also as they apply to health information
technology, electronic health records, health information exchange and the
like, and make sure that the education is one that is helpful in the current
environment given the context in which that came under this HITECH Act.

Finally, there are some requirements for guidance, particularly in the areas
of defining what unsecured protected health information for purposes of the
breach notification provisions, as well as guidance for the most appropriate
technical safeguards for the rules. That latter guidance is actually an annual
guidance requirement. Again, we’ll be looking to be providing a lot more
information in that area as well.

Generally, it’s using the HIPAA structure, and Congress basically made
changes based on the structure that already existed for privacy and security
protection, trying to enhance it in certain ways, add some protections in
certain ways, provide ability for greater education and guidance, then added
some particular provisions particularly in the area of breach notification. But
it’s really following the existing model that there is.

Then the transition from that into what we did recently and what ONC is
working on with respect to privacy and security. We in December put out a
privacy and security framework, and I think people should have copies of that,
I brought a bunch of copies to pass out. You’ve got it, great. So I don’t have
to read through the specific provisions in there, which is helpful. For anybody
who doesn’t have it it’s available on our website,
So it’s easy to find, all the privacy provisions are on that one page, all the
privacy tools and things.

When we first set out to come out with this framework, the context was that
we needed to have this trust infrastructure, we needed to have a set of high
level principles that folks were trying to establish health information
exchanges, that folks who were trying to figure out how to exchange health
information could use so that everybody was talking from the same page, that
everybody was thinking about the same issues that they needed to deal with, the
same principles they needed to focus on, etcetera. And particularly when we did
put this out, there was a concern that there were certain entities that were
not covered by existing laws, the existing statute helps in that regard,
although there are still we expect folks that would not be covered by the HIPAA
rules, and this framework was designed to be a broader infrastructure, a
broader framework for folks who were engaged in health information exchange.
What we tried to do was actually talk about these principles in the context of
health information exchange.

The purposes relates to establish a baseline, a clear and uniform baseline
that folks who are engaged in health information exchange, all players who are
engaged in health information exchange, could follow. It was designed to kind
of overlay the patchwork of federal laws, the patchwork of state laws that
exist, and provide just that one context for people to look at.

In developing this we are always, as I know you all are well aware, are sort
of grappling with that tension between appropriate access of information and
protection of information. And that is something that we really struggled hard
to get the right balance on when we were designing this. Obviously, on the one
hand you need to have the appropriate protections so that people trust that
their information is safe and secure, and will want to participate in
electronic health information exchange. On the other hand, having that
information available at the time and place of care, having the information
available to the consumers in a timely fashion, and being able to improve the
care coordination and consumer involvement in their own care, are critical. So
we tried to strike a balance in the development of these principles in those
few regards.

What we did as a methodology is we looked at what was out there. We looked
at all of the different types of principles and fair information practices
related specifically to healthcare, related more broadly to information. We
looked at the HEW, Code of Fair Information Practices from 1973 I believe it
was, we looked at the OECD guidelines, we looked at the Markle Foundation, we
looked at some consumer principles specifically related to health information
exchange, we looked at some international principles that were brought to our
attention as well. And what we did was we tried to digest all of this and come
up with a uniform one set of principles for health information exchange based
on that.

If you look at these principles none of them will be shocking to you, you
will have seen all of these terms before. They are the basis for the HIPAA
rules. They are the basis for a lot of others, the Privacy Act and other work
that we follow. The way we set this up, this is very high level, it’s a set of
principles, we have the principle, a very brief description of the principle,
one sentence description, and then we have some explanation of how we expect
this to work in health information exchange environment.

We explained that our expectation of the scope as it applied to all
healthcare related persons and entities involved in electronic health
information exchange, so it doesn’t apply to individuals. Individuals don’t
– we weren’t assigning responsibility for the individual with respect to
their own information. We were trying to identify either principles that apply
to those who are holding information on behalf of others, holding other
people’s information and what they need to do with that information. That
seemed to be a point of confusion for some folks who read this.

Then we’re hoping that this would guide the actions of folks involved in
health information exchange. So if a new HIA is being considered or performed
in a particular region or a particular state that they would look at these
principles to get a sense of the things that they need to be focusing on
thinking about, and doing to make sure they have privacy and security policies
and practices in place that are sufficient to establish trust for consumers.

The principles themselves, I’m not going to go into great detail, I’ll just
read through them. There is individual access, this is an individual’s access
to their own information in a format that is understandable to the individual.
Correction, the ability of individuals to be able to dispute the accuracy of
their information and to make corrections or have a dispute documented in their
record. Openness and transparency is a big one. Making sure that people
understand what the policies and procedures and technologies are for
collecting, using, and disclosing their information. The technologies was an
interesting one. We heard a lot of people saying they’re concerned about
databases or that folks are collecting information and they don’t know how
they’re being held or what kind of security methods are being used to protect
the information. So transparency not just about policies and procedures, but
also about the technologies in place.

The next two I see this as going hand in hand. Individual choice, that
individuals should be provided a reasonable opportunity and capability to make
informed decisions about the collection, use, and disclosure of their
information. This wasn’t designed to be an absolute, but it was designed to say
that wherever possible consumers should have a role to play and should have
choices with respect to how their information is used and disclosed. But we
think it’s important that that needs to be hand in hand with collection, use
and disclosure limitations, that the entities that are holding the information
have rules of the road they have to play by, and that information is used only
to the extent necessary to accomplish a particular purpose. If de-identified
information is perfectly adequate to use for a particular purpose, then
encouraging folks to check out identifiers and that sort of thing.

Data quality and integrity was important, another principle that information
be complete, accurate, and up to date, and not be altered or destroyed in any
authorized manner. Then safeguards, the security protections that need to be in
place to protect information.

Last but not least, and importantly, underlying all of these is
accountability, making sure there’s a means and method to report, mitigate, and
adhere to the policies and procedures. Again, this is to sort of explain how we
anticipate this being used or the context, this is not a regulation, this is
not any kind of mandate to folks where expect this to be guidance. We hope it’s
useful, and we hope that it’s used universally so that folks are talking from
the same song sheet. But we have encouraged, I’ve just met with state leaders,
the State Alliance for Health, encouraging them to use this back in their own
state efforts. We expect to identify ways in which we can link this framework
and these principles to other federal health IT activities that may be coming
out in light of our new authorities and responsibilities.

You will see these coming up over and over again. And what we’re hoping to
do is actually go to the next step and come up with more specificity and
implementation guidance, to help people actually make these principles and this
framework more useful to folks who are trying to implement it.

Very briefly, we came out with some tools as well at the same time, worked
very closely with OCR and HIPAA guidance to help clarify some
misunderstandings, and some areas of confusion about the relationship of the
privacy rules and health IT and health information exchange. We came up with a
security guide to help providers, mainly non-technical audience, small
healthcare providers that are adopting new technologies, to help them think
about their risk assessments, the issues they need to think about from a
security perspective, and to help them think through the policies and the
technologies that they should be putting in place in their office to secure
their information. We worked closely with CMS on that.

Then we put out a draft PHR model privacy notice. What we’re hoping there,
particularly in light of the fact that there are PHRs that may not be covered
by federal laws, is to help on that transparency principle, to help PHR vendors
communicate to consumers how information may be used and disclosed, what rights
they might have with respect to that information, so that they can make
informed decisions about choosing a PHR. We are in the process of putting out a
draft, we’re in the process of getting feedback, and we will be doing a number
of rounds of consumer testing and hope that we will have a final product next
year that we would encourage PHR vendors to use. There have been several
conversations with PCHIT about using the model notice in their certification

I’m trying to do this quickly because I know we’re short on time. The model
privacy notice, the context here was or the vision of this was like the
nutrition facts label on a soup can, there is a mandate for a food product that
you have that nutrition facts label on disclosed particular types of
information about what’s in the soup. The government doesn’t tell the soup
maker how much sodium they can or should put in the soup, it just tells them
they have to disclose how much sodium is in the soup. If you’re concerned about
your sodium, the sodium content in the soup you can look at your Campbell’s
label and your Progresso label, and I have no idea which one has more salt, but
you can determine which one has more salt and make a determination based on the
facts that you have. It’s again about not necessarily setting the policies for
PHR vendors, but making sure they clearly communicate those policies so people
can make informed choices about how they want to use those and which PHR vendor
they may want to use.

That’s quick in a nutshell.

Committee Discussion

MR. REYNOLDS: Great, thanks to all three of you. Linda, if you could move
over, as long as you have a microphone there.

I’m going to ask one question, and then I’ll start the list. My first
question, Jodi, maybe you could help out, is I kept seeing the words
‘business associate,’ but what I couldn’t draw is everything about a
business associate up until now has been based on that it was working with a
covered entity. And I sensed that this removes that umbilical cord, because not
all HIEs and not all this stuff necessarily has – I’m struggling, and you
may have said it, but I just couldn’t see where it really snapped in like a
Lego block and said ah-ha, here’s who the covered entity is.

MS. DANIEL: The language about PHRs and business associates, it said that if
they’re providing a service for a covered entity. That actually was very clear.

MR. REYNOLDS: So that leaves them out. So if they’re not?

MS. DANIEL: That doesn’t mean that all PHRs will all of a sudden become
business associates. That is not what the statute does. To answer your
question, it doesn’t change the definition of business associates. I’m 99
percent sure, I haven’t read it in a little while, but the HIPAA guidance that
came out in December did clarify how the relationship of HIEs and covered
entities and HIEs as business associates, typically HIEs will have a
relationship with a number of covered entities. My understanding before this
came out is that was already the case, that most HIEs were already business
associates with a number of covered entities. This makes it clearer that that
is the case, but it doesn’t necessarily take away that tie from covered

And I don’t want to speak too much out of turn, the definition of business
associates is in the HIPAA privacy and HIPAA security rules, and CMS and OCR
will be the ones who make the final determination on how that is defined, but I
don’t think that there is the concern that you’ve raised. And I don’t know if,
Karen, you have anything to add to that or not.

MS. TRUDEL: I think it’s possibly not a covered entity model that we’re used
to thinking of, in terms of a covered entity, a health plan, or a health
provider hiring a business associate to do a piece of work. That there are
still contractual relationships, and I think one of the things that is probably
going to be discussed in a bit more detail is how does the covered entity keep
itself aware of what its business associate is doing, if that business
associate is an HIE that has contractual relationship with lots of covered

MR. REYNOLDS: Okay, thank you. All right, let’s go down the list. Walter.

MS. DANIEL: I am going to have to leave very shortly, because I have another
commitment at noon. I can stay for a few questions.

MR. REYNOLDS: All right. Walter, Leslie, Jeff, Larry, Sallie, Paul, who
wanted to talk to Jodi? Questions for Jodi, go in that order. Walter.

DR. SUAREZ: Hi, Jodi.

MS. DANIEL: Hi, Walter, how are you?

DR. SUAREZ: My question is about opening of the HIPAA regulations based on
– is there going to be an expectation that the current HIPAA regulations
will have to be quote, unquote, “open” for modifications based on
this? Are they going to be new rules that will have to be issued? The timeline
for the compliance for those regulations based on HIPAA statute that says two
years after a new standard gets adopted is going to be the compliance. So are
new rules on HIPAA about privacy going to happen, or are there going to be
modifications based on this, or is the statute enough to guide that?

MS. DANIEL: Again, OCR and CMS are going to be the ones who will make those
final decisions. I would expect that there will be some things that we may want
to clarify or articulate through regulations. But as far as the timeframe, if
it’s modifying an existing standard, for instance, if there’s something in here
about right to request restrictions and we’re modifying the right to request
restrictions, it’s an existing standard, so it may not necessarily require that
two-year delay.

DR. SUAREZ: I think it gives the Secretary basically a new modification of
the existing standard, it can be required to comply with up to six months, and
then after that whatever time. So, for example, it can give two years or more
to the budget –

MS. DANIEL: None of those decisions have been made at this point. We’re
still digesting, so we’re coming up with our plans right now.


DR. FRANCIS: I’m with John Houston, the co-chair of Privacy and Security
Subcommittee of this Committee. My question for you is over the next year or so
it would obviously not be smart to reduplicate efforts, that is it wouldn’t be
sensible for us to work on something that you were working on on the front
burner, and then leave something else completely unlooked at. At the same time
we may have different views about certain kinds of things from what you all do,
and might want to push certain points or might want to take down more on
certain points than say the privacy framework does, and I know it’s meant to be
a very high level framework. There is a lot to work on underneath it.

So the question is sort of half a process question and half a substance
question, which is how do we try to figure out – I almost feel like it’s
chicken eggish, because we’re meeting now – we need to plan what we’re
going to be doing over the next three to six months, how do we try to plan
wisely so that we work well with you and don’t leave the worst gaps. I’m sure
you’re asking the same question.

MS. DANIEL: Yes, we are. It’s a fair question, though. Like I said, my plan,
and don’t have a Secretary yet, we don’t have a lot of folks in place, so
obviously this is subject to change, is to try to dive in one level deeper on
the framework. It still will be a high level document, it won’t be at the level
of the HIPAA privacy and security rules at any event. But to try to get one a
little deeper and give people some more guidance on how they would consider
these principles and how they might implement them in their own policy, the
hope is we would do that for all of them. We might do it, I’m not sure, again
it depends on the bandwidth and everything else we have to do.

It might be worth sort of brainstorming offline a little bit and sort of
figuring out what we might need to do, because like I said, we’re just
developing our plans now given that this act has just passed, and there are
some things that are kind of a little bit later in time, we’re trying to figure
out the roles of policy committee, there are some things in there about privacy
and technology related together. We need to kind of carve that all out and
think about where things might be helpful. And I would be very interested into
your insights into where you are all both interested and where you think you
might be able to fill an open gap, like you’re saying.

DR. FRANCIS: So that is what we ought to do then with our meeting this
afternoon, and then we ought to talk offline.

MS. DANIEL: That sounds like a great idea, yes.

DR. KOLODNER: I just want to mention that throughout the Bill there are
references to the fact that, for example, the policy committee should take the
recommendations that have come forth from NCVHS and that we’re to make sure
that there’s a link, and certainly that was part of what guided the framework.

MR. REYNOLDS: Reiterate to everybody on our standards hearing yesterday was
in close conjunction with ONC and the kind of things that they need to think
about and do. So we have had a good partnership for a long time, we need to
continue that, and we need to discuss along the way, because everything is
moving in new and different ways, and that’s a good opportunity. Jeff.

MR. BLAIR: Hi, Jody. I’m not sure whether the framework will include this
type of new thing as we evolve. For the most part we’ve defined the covered
entities and there was providers and there was payers and there was
clearinghouses, and their roles fit into the entities and organizations that we
call the organizations the same names as the roles. When we get into areas, and
I think we’re moving more towards in terms of wellness, preventive care and
disease management, we have areas where the payers or health plans are
providing those services. From the folks I’ve conferred with the guidance I’ve
received, is if you are providing wellness or preventive care or disease
management that those functions, those roles, are those of a healthcare

However, those services may be provided under the auspices of a health plan.
Now, I could come up with some simplistic guidelines to help reconcile that, if
I go by the role, but if there’s other legal issues that will come up down the
pike I think we’re going to be facing that a little bit more in the future. I
don’t know if the framework will provide guidance for that or not, but it’s a
topic area I would like to see the framework provide guidance on, if you can do
it within a reasonable timeframe, or within the timeframe that you have to with
these other priorities.

MS. DANIEL: I hadn’t necessarily been thinking about this. I’ll have to
think about how we can divide up for doing some more detail guidance in
particular types of either entities or functions. It’s a very good point. I’m
not sure if we’ll get into the level of detail for those particular types of
activities as you’re talking about, but I will bring that back and consider
that. Thank you.

MR. REYNOLDS: Larry, was yours for Jodi?

DR. GREEN: Yes. I want to keep pushing on Walter’s question again. I will
self-identify, that I’m enormously skeptical that HIPAA is ever going to get us
to where we want to go. And its initial purpose which was to facilitate
information transfer, as far as I’m concerned, has never been met. It’s about
ten years later and my skepticism grows from your report, and Dr. Kolodner’s
diagram, from the on the ground observations of 27 projects at about 350
practices where they’re trying to do things like link their diabetic patients
up with the YMCA, and using information exchange to do so where the owner and
address moves from one place to another. When I hear the discussion about we
need a contract with a business associate, I just sort of wonder about this.

Then the IOM comes out February 4th or 5th, was it,
with their report about the inadequacies of HIPAA and the entire IRB thing.
It’s riddled with recommendations that blew my skepticism right out of this
planetary system we’re in. You get my drift.

MR. REYNOLDS: Could you narrow that down to be a real point?


DR. GREEN: Pressing Walter’s question further, are we just not paying, or
don’t we have to have a HIPAA fix that aligns with what we’re about to

DR. KOLODNER: You may want to leave now.


MS. DANIEL: I have to go. That’s a very interesting question that I would
love to have a debate with you about. It is something that would require a
Congressional discussion as opposed to an HHS discussion. We have the authority
that is granted us by Congress, Congress has written the HIPAA rules and wrote
the HIPAA changes, and we are charged with implementing those. So while I think
we could have a very lively discussion about that, I don’t feel that in my
current capacity I could opine on that.

MR. REYNOLDS: One thing I’d like to do is this afternoon we’ll be talking
about the stuff we’re putting together to further forward our thoughts on data
stewardship. Let’s add this to that discussion. Because, again, as we’ve said
before, we can make recommendations in alignment with ONC to the Secretary and
so on. So I think that’s a good way for us to pick up that subject. How far we
go with it, we’ll have to decide.

MS. DANIEL: In the interest of now that I’ve just said that, putting my foot
in my mouth, the concept, the privacy and security, we’ve heard some concerns
about the HIPAA privacy rule. And the privacy and security framework was sort
of designed to not talk about specific relationships and contracts and specific
detailed requirements, but sort of get at least a level above that and try to
start from the broad perspective, what do we need to have in place, what kind
of trust framework do we need to have in place. So that was sort of the
motivation behind this. I believe we are going to continue our work on the
privacy and security framework, despite the privacy changes and the statute, I
don’t think that necessarily impacts the work and path we’re going down. We
will be continuing to think about privacy and security and health information
exchange at a broader level, and also working very closely with our colleagues
at CMS and FCR on the specific requirements that we need to implement for

DR. SUAREZ: This is something we can talk about in the Security and Privacy
Subcommittee as well.

MR. REYNOLDS: Sallie’s got a question.

DR. KOLODNER: Harry, if I could just add one thing using this as the key. We
know that articulating the roles and differences between NCVHS’s role and these
two new FACAs is something that needs to be done, and inside the Department we
need to work that through and we need to be able to communicate that clearly,
and I would hope with input from all of you as well.

You have statutory authority in the area of HIPAA and in the area of
e-prescribing. As we move forward with the infrastructure that we need and the
clinical, e-prescribing clearly is something you have responsibility for, but
it is in the heart of what will most likely be some of the effective use
criteria that CMS would be putting out in the future for reimbursement.

In addition, at some point when we have an infrastructure that really is
reliable, operational, beyond just the development stages, we need to also have
the discussion about how does that – what’s the relationship between that
and the movement of claims data and other things that really is part of HIPAA.
So there are discussions that will need to happen clearly that ties into some
of this, and the question is whether there will be something new in this
technology that has to do with the clinical data that comes and actually in
essence delivers the kind of changes that might be useful, or whether statutes
need to be changed, and I think those are just –

MR. REYNOLDS: And I think that’s a great point, because if you study claims
data it many times has as much health data in it as some of the other things.
So, again, we can use those ties where we have statutory authority.

DR. KOLODNER: Jodi does have to leave. Maybe this will be the last question?

MR. REYNOLDS: Okay. Sallie was in line next.

MS. MILAM: I think this is for Dr. Kolodner. I did just want to thank Jodi
for the work and the framework and OCR guidance. They really clarified the gray
areas. Thank you.

MS. DANIEL: I think I’ll leave on that note.


MR. REYNOLDS: Paul, was yours to Jodi?

DR. TANG: Jodi as well, but the last question – and it’s friendly and

MS. DANIEL: Thank you.

DR. TANG: I like your framework. Is it your opinion that the Recovery Act
has privacy provisions that help oversee the privacy on the NHIN versus covered
entities? I assume probably not. And if not, then how would you like to work
with – this is a little bit picking up on Leslie – do we need to do
much further with what we call our data stewardship piece or the privacy and
security letter to the Secretary? Or is one avenue of working, I asked this of
Karen as well, and I don’t know which jurisdiction it is, the PHR report that
the Secretary has to provide about whether those vendors who are not covered
entities or business associates need to, do we need to do anything further with
respect to privacy? Is that something done out of the ONC office, and is that
something where we can contribute? I’m just trying to find where –

MS. DANIEL: Yes, as far as who’s doing what, like I said, we’re working on
our plans, and I expect very much that these will be collaborative efforts,
that it will not be owned by any one of us, but that we will have some
cross-office teams. And if I can be so bold as to saying that as the Office of
the National Coordinator, that’s our mantra. I think you raised a couple of
places where there might be some opportunities, the data stewardship, and I
don’t know exactly what you’ve been doing on that, but I think that there can
be some interesting conversations there. I think PHRs, the statute in my
personal opinion seems to focus primarily on technology in a clinical setting,
getting doctors connected, and doesn’t spend as much time on personal health
records and tools for individuals. So that might be an area where – and
there’s still going to be personal health records vendors that are outside of
the current provisions.

So that is an area that I think is still ripe for greater discussion and
greater thinking and input.

MR. REYNOLDS: I’m going to give Carol the last question for whomever.

MS. MCCALL: These are more comments for you to take into your thinking.
First, thank you for being here. And I want to play off of something that Jeff
said, and actually, Harry, something that you said.

There are going to be new players on the field, new, quote, unquote,
“entities.” And it’s more than just recognizing that fact, I think
it’s learning to anticipate and even embrace it. So as we take a broader view
of the health ecosystem, what is actually in it, in that web of different
players, that we anticipate that. And whether or not HIPAA has done what it is
that we want, I think we can all recognize that the concept of entity as found
in HIPAA is too narrow.

I would also encourage us that there is something that we can do
specifically within our work on a primer, that there may be a concept of a data
steward, I create it, I use it, or both, that that then becomes a layering upon
a legacy of what we already have, kind of a higher level concept. There may be
some new concepts we need to create, those may take on regulatory authority in
some way shape or form, and there may be actually a gradient.

When you think about entities, you either are one or you are not, it’s
either yes or no, it’s on or off, there’s no dimmer switch. So when you start
thinking about the diversity of data for measuring health, creating it or using
it, that people will be closer or farther away from the nexus of the

So these are concepts that I think we should charge ourselves with
discussing and exploring, and that folks who have the responsibility for
enacting begin to take into account.

MR. REYNOLDS: Great opportunity this afternoon.

Laura, I’d like to ask you just one question, we didn’t get anything –
and I apologize for calling you Linda a little bit ago. You are obviously
working in the same space, so as you see synergies and if you have any off the
top of your head right now or as you continue along this same kind of thing,
because we’re all working in this same space. And when you say you want to go
fast, six people in the same bag in a sack race, it isn’t quite the same as six
sprinters across the field running full speed. So I think if we’re really
trying to get fast we got to make sure we’re not having a multi-person sack
race here. Anything you can see, if you have any comments now, or anything as
you go along, those are the key things I think are going to be important. We’re
going to be working hand in hand continually with Rob, and we already have
been. I want to make sure that we don’t lose sight of those efforts either.

MS. MILLER: I appreciate those comments. I think we’re in a sorting out
phase, and without a Secretary there are decisions to be made. We have a
collaborative that has a board with a huge amount of expertise in this space
that wants to help and move forward. Hopefully we can all figure out how that
path forward is together.

MR. REYNOLDS: And Paul is going to be given a new assignment right before we
break for lunch, he’s going to be the translator. Since he is important enough
to be on multiples of these things, he has to be our translator. So welcome and
congratulations, it’s a unanimous vote, I’m not even going to take it. And
we’ll go from there.

Thanks to everybody. I really, really appreciate it. And, Rob, thanks again
for coming in, and Laura.

With that we’ll break. I’d like you back at 1:15 please. We do have some
time after the first presentation to talk about a lot of this. Thanks

(Whereupon, a luncheon recess was taken)

A F T E R N O O N S E S S I O N (1:15 p.m.)

MR. REYNOLDS: All right, take your seats, please. Some of you remember that
Justine had represented us at a conference with the Center for Democracy and
Technology. They introduced a paper on de-identification of health –

DR. CARR: We are producing a paper.

MR. REYNOLDS: Right. So we have asked Deven McGraw, since this was such a
big item as we dealt with privacy, and as we all continue to deal with privacy,
and we heard it again this morning or yesterday in the hearings quite a bit
about information and structure of it and so on, that we’ve asked her to join
us today and give us an overview. So, Deven, please.

De-Identification of Health Data/Center for
Democracy and Technology

MS. MCGRAW: Okay, thanks very much, Harry, I appreciate it.

I did bring some paper copies of the slides. I’m sorry I did not get them
done in time to make them into your packets before the meeting. A few too many
things going on lately.

Let me just give you a few minutes on CDT and more specifically the project
that I direct there called the Health Privacy Project. We really believe very
strongly that health IT has tremendous potential to improve healthcare quality,
reduce costs, and save lives. I feel like I’m speaking to the choir when I say

We know that consumers have some pretty significant privacy concerns, and in
fact you all have made some of what I think are the most cutting edge
recommendations along those lines. So, again, I still feel like I’m speaking to
the choir.

Part of what we do or are trying to do is to develop and promote workable
privacy and security policy solutions for electronic personal health
information that are protective of privacy, but also allow us to move the
information for the purposes that we want information to move better, faster,
and more efficiently for quality of care, treatment, public health, research,

Part of what we also do along those lines is to try to explore in a little
bit more depth some of the more challenging issues. And one of the things that
we have already done is put forth a paper on what we think the appropriate role
of consent is, and how fair, because not too long ago there was a lot of
discussion with people saying what we need to do to fix privacy and health IT
is to tell patients that they need to consent for each and every use of their
information. We put out a paper fairly recently about what our position is on
that issue, which is actually consent is when you over-rely on it is provides
very weak privacy protection, and a framework of rules is a better approach
that consent can be part of.

And then the other issue that we have been looking at more recently is this
issue of de-identification of health data. The way that we started to go down
this road was really just looking at de-identification. And when I say
de-identification I don’t mean it as a general term, I mean the HIPAA standard
for de-identification. Is it still possible to de-identify data given that on a
daily basis we make more information publicly available through databases or
that lots of people can get access to if it’s not publicly available.

What are some common uses of de-identified data? Is the HIPAA standard
sufficiently rigorous? And by this I’m talking more to what people often refer
to as the safe harbor standard, which requires the removal of certain
categories of data, versus the statistical model, which is I think designed to
be flexible over time, because statisticians basically tell you whether or not
you have no reasonable probability that data can be re-identified.

Then are the general policies surrounding use of de-identification still
sound? Because when it qualifies as de-identified it’s not protected by HIPAA,
and in the view of some of us there are really insufficient legal mechanisms to
ensure at a minimum accountability for re-identification, because once the data
qualifies as de-identified there certainly is no legal requirement for entities
to make a binding commitment to do so, although I do know that there are lots
of healthcare entities that do bind data partners to non-reidentification, but
that’s certainly not required in the law.

We had a workshop on this. It took place September 26th, 2008. We
pulled together some panels of leading experts, of which Justine was one. Then
we invited a fair amount of people, we probably had about 40 people in the
room. It included folks who were in our informal health IT working group, which
includes vendors, employers, consumers, some provider groups, and some
academics. We try not to have the group get too large, because we like to be
able to discuss these issues. Then we did invite some Hill and administrative
staff. There were folks from ONC, and the Office of Civil Rights in attendance,
and I think there was one Senate office there, but as usual, they’re often too
busy to attend these things, but that doesn’t make them off the hook with me.
Coming to them later with our report when we’re ready to make conclusions,
being closer to press, and we did not record it, in part because we wanted to
make sure there was a free flow of dialogue and that people didn’t feel
constrained to say anything in particular. Not that I think there was anything
necessarily controversial that came out, but we just wanted to make sure of

So I wanted to give you a little summary of really these are the key points
that are going to get raised in the paper that we are developing post-workshop,
and it’s very near completion, so I was comfortable raising these top-line
issues with you. But we at a minimum need to circulate it to the workshop
participants to make sure that they’re comfortable with what we said in the
paper before we finalize it and release it to the public. But I think we’re
this close.

The HIPAA de-identification standard, and in particular this safe harbor
method which requires the removal of certain categories, really needs to be
reviewed on an ongoing basis, and updated to reflect the fact that the data
that’s available either to the public or to significant sectors in healthcare
is changing and morphing, and it never according to at least one HIPAA drafter
who was in the room, it was never intended to be something that was static and
that would never be looked at again. So it really should be something that is
continually viewed. And whether or not we still should have a safe harbor, I
think the general sense in the room was not every entity that holds data is
going to be able to afford a statistician to give them the assurance that they
need that the data is in fact de-identified. And some will still need a sort of
easy to apply standard to meet, so there probably is still viability to having
a safe harbor.

Uses of de-identified data should still be permitted at a minimum for those
that generate public benefit. I think when I talk in a little bit more detail
about what some of the workshop panel experts shared with us, we don’t even
know the entire universe of how de-identified data is used today, because it
doesn’t have to be tracked. Again, once it’s not covered by HIPAA it can go out
the door for any reason whatsoever from a legal standpoint. Again, institutions
certainly have their own policies in that regard.

We do need better methods for holding data use at the ends accountable. At a
minimum, on the re-identification standpoint, there just isn’t a legal way to
get beyond contract enforcement in those cases where the entities have signed
contracts with their data recipients. There isn’t really any public
accountability if that data has been re-identified and used for purposes that
were not originally intended.

The current de-identification standard, unfortunately actually has limited
utility for many data uses. And the same is actually true for what I like to
call de-identified data’s close cousin, the limited datasets. Those are the
only two data anonymization set options that are currently in HIPAA, and
neither one of them really serves very many purposes. That basically leaves two
or three options for entities that would like to use data for a range of
purposes, and that’s identifiable data or data that qualifies as protected
health information, a limited dataset, or de-identified data, a little bit on
two polar ends. As opposed to a range of data anonymization options that can
fulfill a number of broad purposes, and that can be more privacy protected,
because many of the common identifiers have been stripped out. So those are
rally the top-line.

Who was involved in this workshop? We had it moderated by Peter Squire, who
is a professor at Ohio State University now, but most of you know him because
he had a role on privacy issues, an important one in the Clinton
administration, and he’s still very much interested in these issues.

We had three panels. The first one was talking about current
de-identification practices, and we had IMS Health come and talk to us about
how they take data that they receive in an already de-identified form from
covered entities, then continue to scrub it pretty vigorously to use it for the
various analyses that they can perform. Depending on what their clients’ needs
are, that’s a pretty wide variety, and also includes a number of commercial

Latanya Sweeney, who is at Carnegie Mellon University, and Cynthia Dwork who
is a research scientist at Microsoft. The two of them talked about, well,
Latanya, if you’ve ever heard her speak will tell you how easy it is for her to
basically re-identify just about any point of data. But both of them presented
some models that they have been exploring both in the academic and in the
commercial context for creating more anonymized data. I could not replicate
those presentations if I tried. But I am glad that there are people like that
out there doing that work.

What are some common uses of de-identified data? We heard from Justine, we
heard from Linda Goodwin, who is at the Duke University School of Nursing, we
heard from Stan Crosley, who does research work at Eli Lilly, and we also heard
from Shaun Grannis, who is at Regenstrief.

Then our last panel was our policy implications panel. Our panelists were
Bill Braithwaite, Marc Rothstein – we really from NCVHS, we probably could have
added all of you guys on this panel – and Kenneth Goodman, who is a
bioethicist down at University of Miami. So we had a long day, 10:00 to 3:30,
and honestly we didn’t have enough time I think to go into all of what we would
have gone into.

So just to give you a little more detail about some of the outcomes of the
workshop beyond the top-lines that I’ve already talked about. There is a wide
variety of common uses of HIPAA de-identified data, notwithstanding that it’s
not as useful as some would want it to be for certain purposes. There is still
a fair amount of use being made of it for quality improvement, public health,
research both on the clinical and epidemiological side, and as well for
commercial. Folks were quite upfront about there is high commercial value to
de-identified data. Again, because this data is not regulated or required to be
tracked, the complete universe of uses of de-identified data really is unknown.
Both the patients as well as to regulators, I would assume that entities that
are releasing de-identified data for certain purposes would know the range
within their own institutions, but certainly there has been very little
examination across multiple providers.

Ensuring that this low risk of re-identification, which is what you want if
you’re going to release data from a number of protections, is getting more
difficult in part because of the increased availability of data. And somebody
actually made the point that Congress makes it increasingly difficult to
maintain this viability because more and more data is being released for public
access. In some ways we are our worst enemies sometimes in this regard. A
statistical method for de-identification, again it’s meant to be flexible over
time, but the safe harbor may in fact lose its potency. As I mentioned before,
it was never intended to be set in stone.

Some of the other discussion points that came out, I mean does it still make
sense to allow de-identified data to be used for any purpose whatsoever? And if
so, is there at least a credible rationale from a public policy standpoint for
requiring more transparency to the public about how that data is used? Should
we be tracking or monitoring it more closely? In that regard, is there a role
for data stewardship entities, for example, in determining what are and are not
appropriate uses of data, even in de-identified form. Our paper is not
necessarily going to provide answers to these questions, more to sort of tee
them up for a more vigorous debate in policy spheres.

How do you ensure accountability for misuse of data? Again, because this
data can be used for any purpose, when I say misuse I mean use that was beyond
what was intended when the data was released by the covered entity that was
holding it. And how can we ensure data that re-identification won’t happen,
especially when we don’t have a data protection law in the U.S. We have these
covered entities, and we have business associates, and once data migrates
beyond those spheres it’s unprotected, as you all have identified and crowed
for, but we didn’t get that data protection law in this last round, and I don’t
know whether we will get it.

How do we ensure that people who get de-identified data won’t re-identify
it? How do we hold people at least accountable to the data holder that gave it
to them in the first place, if not to the public?

There needs to be an ongoing review of this safe harbor, it probably doesn’t
have to be every year, but to suggest that now it’s five years old and it still
is as viable as it was then I think is a bit disingenuous. Then, do we need to
ensure more rigor in the statistical method? Again, that’s the one that’s meant
to be flexible over time. But is certification by any statistician sufficient?
Do we count on the covered entities who hold the data to be sufficiently
careful with who they hire to make those certifications?

Then on the point about do we need more options? I think there was some
general agreement in the room that yes, in fact we do need more options. Again,
de-identified data is not as useful for many important purposes. Fully
identified data can actually be used for many of the purposes where we care
about people having access to data for quality improvement, for research, and
for public health. But that’s not as privacy protective as it would be if in
fact that data were used with at least some identifiers stripped from it.
Again, the limited dataset preserves more data, but it’s pretty rigid.

One of the suggestions that came out of the meeting, and it actually came
from Marc Rothstein, was some sort of requirement in HIPAA to use the least
identifiable data for a number of purposes under HIPAA. This may not work very
well in the treatment context, it may not work very well in the payment
context, but certainly for a range of uses that today are permitted under HIPAA
using what is least identifiable given the purpose for which you need to use
the data was appealing to those of us who were at the workshop. It is leading
me to wonder whether this could possibly be accomplished actually through more
guidance or regulation under the current minimum necessary standard in HIPAA,
which applies to all uses of data except when it’s for training purposes.

Are there any opportunities in what just happened in this Stimulus
legislation to probe this in more detail? Yes, actually there are. HHS
Secretary is required to examine and regulated specifically in several areas of
HIPAA. There is a required study on de-identification, in three short
provisions, so HHS has a fair amount of leeway with how that study would be
conducted, but they have to do it.

They also have to put out guidance on minimum necessary, which to me I’m
seeing opportunity for some data anonymization models that can be used for a
variety of purposes, but I’d be very interested to get feedback on that. Then
there are requirements that the new health IT advisory committee and policy
committee and the standards committee consider your recommendations. They have
to specifically be told to do this. I think there was no discomfort at least
with the professional staff that I talked to. Certainly the consumer advocacy
groups that I work with have long wondered why so much of what you all have put
on the table has not yet been taken up for more active consideration. So our
hope is that that will actually happen.

We are releasing our paper. I almost put early spring, but I should learn
not to promise with deadlines. We were working on that consent paper that I
referred to earlier. We started work on that in August and we released it in
January. I hope we’re not talking about that kind of thing, that was a very
difficult paper to write. I think this one will be a little easier.

What else will CDT be doing on this issue? We are going to do our best to
contribute to this ongoing regulatory and guidance process that’s been put into
place. And then we would love to continue to work with you all on this. It
clearly is something that you’re interested in, too.

So I’ll stop. What I did in the paper packet was to give you not just the
slides, but there is also the agenda from the workshop, which has more
information on who was on our panel and their complete titles and institutional
affiliations. Then we had passed out to folks excerpts from the HIPAA privacy
rules, which has both de-identification and limited dataset language, and then
did a little comparison chart, because this was really an interesting exercise
for me in realizing just how little difference there is between what qualifies
as a limited dataset and what you need to qualify for, I mean at least in terms
of the category. There is a fair amount of overlap, very interesting.

MR. REYNOLDS: Okay, Devin, thank you. Yes, Justine?

DR. CARR: I would like to just first say what a wonderful, terrific
conference you put on. I mean it was a short amount of time, but the amount of
territory we covered was tremendous. So tremendous congratulations and thanks
to you.

I also want to observe that this is a great way of working together. When we
were working on the uses of data we came to de-identified data, and we had this
tendency to want to make some proclamation, but we kept getting little
additional pieces of information telling us we didn’t know all we needed to
know of who was using it, in what ways. So we opted to table it with an eye
toward holding hearings. But I think this sort of reminds me of Paul’s model,
or the new etech model that talks about a due diligence subcommittee. This was
a great example of a due diligence subcommittee where all of the relevant
parties were represented and there was a rich discussion. So I think you’ve
done a marvelous job of summarizing it, and I think the way you put the table
together and all that is very helpful and probably in some ways now back to us
to do the part that we do. But I’m just impressed at how this synchronization
of the expertise, the high level and the expertise can work very well together.
So thank you.


DR. SUAREZ: Hi, how are you? I wanted to bring up something I’m not sure if
you’re aware of, but it’s important for the Committee and others to become
aware of.

HITSP, the Health Information Technology Standards Panel, has produced two
constructs, specifically establishing the harmonized standards for anonymizing
data and pseudo-anonymizing data. Those standards are published and have been
recognized by the Secretary, and are incorporated into the interoperability
specifications published by HITSP. Those two constructs are detailed constructs
that define the data elements that would be needed to be eliminated or taken
out of the data in order to de-identify the data. They are built on
international standards, ISO standards that define anonymization of
information, personal information, not just health information. That is a point
of reference for how technical standards need to be brought into the
discussion. I think it will be important for now we’re in the HIPSP for us to
learn more about this, because this I didn’t know about personally. I think it
will be helpful for you to learn more about what HITSP has done as well.

MS. MCGRAW: Absolutely. I’m glad you said that, I mean I’m actually kind of
surprised that it didn’t come up, but given that the workshop was back in
September we may have been off on our timing. But certainly having a standard
that gets adopted in electronic health records that can help entities with
anonymization of data actually helps me to argue that the policies should
require that kind of consideration, as opposed to if it’s just the technical
standard and nobody is required to use it, or if it’s just a technical standard
works for de-identification but doesn’t necessarily give you the same sort of
range of options that I think we were really looking for.

DR. SUAREZ: And just very quickly. We have built actually specific
constructs to anonymize data on this specific use case applicability, so we
have an anonymization construct for the public health case reporting use case,
and one for communication registry, and one for the various use cases that call
for the need, quality is one of them, biosurveillance, that call for the need
to anonymize data. We actually created a generic anonymization structure
construct standard, and then we looking at the specific use case map which type
of data element would need to be built into the construct that applies
specifically to that use case to do an anonymization.

MS. MCGRAW: I will definitely look at those. I think to the extent that
there may need to be some options available where someone’s use of the data
doesn’t fit the particular use case, I know our work will try to be broader,
but I certainly want to incorporate what’s going on at HITSP. So thanks for

MR. REYNOLDS: Leslie, Don, and then Justine.

DR. FRANCIS: First of all, thank you so much. I’m Leslie Francis, and I’m
the co-chair with John Houston of the Privacy and Security Subcommittee. Nice
to meet you.

MS. MCGRAW: Nice to meet you.

DR. FRANCIS: I’m looking forward very much to reading the final report. But
I wonder if you could just comment a little bit about whether there will be
anything in it on the – it’s tantalizing to have you mention public
benefits and then note core different types of uses of de-identified data, QI,
public health, research, and commercial. And particularly in light of the
recent report about HIPAA and data and research, I’m wondering whether there
was any discussion or thinking about whether these categories are crucially
different, that is whether the kinds of ways to think about in Mark’s
suggestion about least identifiable data possible, whether that looks different
when you’re dealing with QI or whether the kinds of arguments for allowing more
identifiable data in QI? There was the study of QI that the Hastings Center put
forward that argued that patients in some way could be thought of as having
consented to participating in improvement of the – I mean I’m not
defending any of that. But I was just wondering whether you thought there was
any or whether there had been any talk about some of the differences.

MS. MCGRAW: A little bit. I don’t think we mined it in quite the amount of
detail that probably needs to happen if you’re going to draw some more clear
lines either with respect to whether it’s permissible to use it at all, and
then if so, then what is the level of anonymization or identifiability look
like for various contracts. That’s not going to be an easy thing to do because
it’s probably going to need to be somewhat flexible depending on the need.

We could probably spend another six to eight months paper researching it a
little bit more rigorously, but the thought was to at least try to get out the
proceedings of the workshop, and then if there are areas that need sort of
further more in-depth review, whether it’s some sort of literature review or
whether we do another workshop that’s just on the research report that just
recently came out, I think we want – I’m just really anxious to get this
thing out. But it definitely doesn’t answer all the questions. The hope was to
sort of continue to stimulate this dialogue, and generate more work for me.


DR. STEINWACHS: That’s the kind of strategy the government is trying to use,
which is called data centers. You don’t release the data, but essentially
they’re using people as part of this, but I mean you could think of technology
solutions where you could run tabulations and do things but what you got out
would never be at a fine enough grain level that you could identify. The reason
for raising it there’s a lot of interest in linking datasets, and as soon as
you link, which we have a set of hearings immediately coming, are more
identifiable. So de-identified data is in theory non-linkable unless you
de-identify it, link it, and then proceed down that pathway.

I was wondering whether anyone raised that idea of instead of making the
data available, having some way that you had access into the dataset but you
never had the data. It seems to me that may be an option we need to explore out
there, instead of the idea that we’re going to keep trying to play around this
edge of how do we make it de-identified with a kind of certainty, and you’ve
already challenged the fact that this is a moving target.

MS. MCGRAW: Is this the certified data stewardship type entity, or is this a
different riff on that same sort of concept?

DR. STEINWACHS: We had I guess it was two years ago now we had a hearing on
linking datasets, and brought together the government agencies. And part of
this was the realization that even within the government you can’t get data
linked and used within the government for things, much less the other purposes
out there. But the solution the government is taking is fundamentally data
centers, so you can analyze like datasets but you can never get them if you’re
a researcher.

MS. MCGRAW: Does someone else perform the analysis?

DR. STEINWACHS: No. You lay out the analysis, you may actually be able to
submit it and run it, but the output is checked to make sure that you can’t.
But in theory you can actually probably find the technology to scan output that
would give you confidence that none of the cells are combinations of tables
that allow you to identify a person or entity. It was just the idea that you
never have the data, you only have tabulations off the data. Just to encourage
you to think about is that some area that you would be interested in going, and
I think this Committee some interest in trying to figure out how to make that
work better.

MS. MCGRAW: Okay, thank you.

MR. REYNOLDS: Justine, Mike and then Carol.

DR. CARR: I was just going to ask Walter to define anonymized and
pseudo-anonymized, as opposed to de-identified.

DR. SUAREZ: There’s no standard body data and use the word de-identified,
they use anonymized and pseudo-anonymized, and those are defined terms. I can’t
recite them right now, but they’re defining our construct. Then they draw a
line or they drew a line with some of the basic concepts of de-identification.
There is a reference of course of the HIPAA 18 plus data element for safe
harbor de-identification process, and they are included actually in the data
elements as a double-check, but there are international standards for
anonymization of data, and those are the ones that were built into the
construct, and the definition of the terms are there. It’s HITSP.org if you
would like to review the various documents.


DR. FITZMAURICE: Just to respond also with Walter that to my thinking is
that anonymized means you can’t re-identify it, try as you may.
Pseudo-anonymized means you can’t re-identify it, except it has a key that
permits you to re-identify it. That’s just the way I think about it in my mind.

On the last page, I guess you can see the last page, and I’m not a lawyer
but I’m looking at the limitations on uses. It says it can be used by a covered
entity only for research, public health, or healthcare operations. Might that
it can be disclosed by a covered entity only for those purposes because it can
be disclosed by somebody else who uses it, like a researcher, under those
conditions of the use agreement.

MS. MCGRAW: Right. What it should be, a user disclosure is covered. I mean
the limited dataset is for any HIPAA access.

DR. FITZMAURICE: Response to Justine, a category of things in my mine – oh
my gosh –

MS. MCGRAW: No, it’s both use and disclosed, access use disclosed.



MS. MCCALL: Thank you for your comments, they are wonderful. Actually, I’m
going to play off of something that Don mentioned. When you were talking about
Don called them data centers, but in this concept I could imagine a type of
service entity that may or may not exist today that does this kind of linking.
But you can imagine that basically let’s say you are the service provider, and
say I want to link my set to Don’s. We both come to you, I’m okay, he’s okay,
you do the linking, and what you then say is all right I’m going to give you
something back, and it actually a physical dataset, but it’s going to have been
scrubbed to different level. And depending on the level to which it has been
scrubbed and anonymized, there are different requirements and accountabilities
and restrictions, including transparency of what I’ve done, including needing
permissions along the way given what I’m attempting to do.

What we may want to do, again back to this gradient of responsibility, that
the more I want to do, the more I want to tie, the more I need to share, and
the more constrained my follow-on uses are. So that’s a concept, and so I don’t
know if that was discussed at all or not, but I offer that up.

The other one was in the least identifiable data possible, was there any
discussion about the fact that that’s very much what I call a hypothesis driven
paradigm. I kind of know what I’m going for, right, in that world. If I don’t
know what I don’t know, and a lot of the methodologies now are very much kind
of a knowledge discovery approach, was there any discussion about how that
would need to be treated?

MS. MCGRAW: We didn’t go into it in too much detail, but I completely see
what you’re saying. What that suggests to me is any sort of – I totally
agree by the way with the construct that you laid out about not just a
commitment to use the least identifiable data possible, but by the way the more
identifiable it is the more we get to scrutinize it, hold you accountable, the
sort of rising levels of expectations and accountability depending on the kind
of data that you’ve asked for and that you hold.

I think what your comment suggests is that not only would it be difficult to
lay those standards in stone because different purposes that need data are
necessarily going to need a different response, that response might actually,
in fact, also have to have some flexibility built into it because either at the
front end you want to have more identifiability of the data because your
hypothesis is not quite as well formed, and in fact part of what you’re using
the data for is to continue to formulate your question better. And maybe it’s
the case that you start to see something in the data that you get under one set
of questions that suggests that actually you need an increased level of

I don’t think this is an easy thing to do, because policy wants hard and
fast rules, it wants a very clear standard, and the people who are regulated
under it would prefer to have certainty. But I’m not sure we can get there
necessarily. So I think we have to have a system or process in place that
allows for some kind of flexibility, including on the question that you just
raised, which is I don’t necessarily know at the front end how identifiable the
data needs to be for me to answer my query, because that is in fact part of
what I’m looking for.

I know we have not fully thought this out, but that is I think a very good
point, and yet one more thing to add to the consideration of what would that
process look like and who would get to decide.

MR. REYNOLDS: I think playing off of Walter’s comment, playing off of some
of yesterday and some other things we’ve discussed, as well as what Deven has
said, the whole ecosystem around setting standards, I know there’s a construct
and you’ve come up with three or four new terms of how to define data, and then
we’ll use Mark’s comment, which is the least identifiable. So basically we may
have just dropped from de-identified down to one of the items that Walter said,
which means you may have moved all data from – that was de-identified all
the way as far as they can within that construct. And the problem is we’re
still struggling to teach a whole industry what de-identified is, and what
HIPAA is. So now we come up with three or four new nomenclatures that
structure, and again I’m not voting for or against anything, I’m just talking
about the process. And that’s kind of what we have to continue to keep an eye
on, and then the minute you do that – and we don’t teach ecosystem what
that means and when the most appropriate uses would be, and oh by the way how
are you going to ever tell a person what those uses are, that’s when we kind of
fall down.

So standards and some of this stuff can get way ahead of the rest of the
ecosystem on how we explain to people who have the data, people who will use
the data, and people whose data it is, really can buy into it. I think that’s
the message we heard yesterday, and it keeps playing through. This whole idea
of everybody’s for continuing to more forward, but we got to move everything
forward, not necessarily just because one committee’s ahead and picks
something, and it might be for a wonderful reason, and it’s probably a right
reason, but if we don’t turn it into the understanding of everybody then all it
is is one more opportunity to keep this thing going back and forth.

That’s not a derogatory or positive statement to anybody, that’s just
understanding the overall process of us moving a whole country forward a piece
at a time, and a data element at a time, and a dataset at a time, and that’s a
struggle right now.

Larry, you had your hand up.

DR. GREEN: At this conference and in your continuing work where does the
idea of risk to the person attached to these data – does that come up? Or
alternatively, is this a discussion about de-identification and security, is it
independent of the potential consequences that re-identification, for example,
might precipitate?

MS. MCGRAW: I think those considerations are woven into the concerns that
we’ve raised about de-identified data. I mean what we have today is an
assumption that there’s no risk, no risk to the individual who’s the subject of
the data, when in fact it’s been fully de-identified under the HIPAA standards.

DR. GREEN: I just realized I didn’t ask the question I really wanted to very
clearly at all. Let me go around the corner here on you for just a second.

Let’s assume that we impose on all healthcare providers, all researchers,
and every public health department, a definition, and we have a rulebook for
how it has to be operationalized, and we teach it to everybody and that’s how
you do it, and now we’re all compliant and we’re protecting everyone’s privacy.

What if that set of requirements gets applied to a dataset that everyone
– you get 100 percent of the U.S. population’s vote that they wouldn’t
care if they were re-identified in that dataset because there was no risk to
them as an individual for being re-identified? Or what if that population said
the risk is so low for me being violated, but I don’t care if it’s
re-identified? That’s what I meant by levels of risk.

The context, the ecosystem for my question, to go back to Harry’s word, this
is dangerously close to trying to get to a one-size fits all. And everybody
that does quality improvement or healthcare or research knows that sometimes
the steps and work necessary to comply, all people of good faith and good
effort and good intent look at and says we’ve destroyed the potential good to
serve the requirements, and by the way, no one can identify how anyone could
have come to harm otherwise.

This is a part of daily life in the United States, in my opinion, and health
plans, healthcare delivery systems practices, and universities, and each time I
see another one of these I sort of want to know if we shouldn’t possibly be
considering stratification of these strategies according to what is understood
to be the risk to an individual to be re-identified. Was that talked about at

MS. MCGRAW: Well, yes and no. I mean I think what we’re proposing is in fact
a flexible standard based on how the information needs to be used, not in fact
a one size fits all. I mean arguably actually two sizes fit all, or three sizes
fits all, is in fact what we have today.

What we didn’t talk about specifically was whether we would put some sort of
balancing standard in place that would say not just sort of what – really
the HIPAA de-identification standard on a statistical method is what are the
risks of re-identification, it’s exactly how you implement it. So in fact
arguably that’s something we already have today, and we’re not actually arguing
that that be dispensed with. Instead we’re arguing de-identification is so
rigorously strict that in fact sometimes you need some identifiers on data in
order to do what you need to do. And in fact we’re open to talking about that.

DR. GREEN: Again, my concern is not the risk of re-identification, I’m
trying to use the word risk to be a risk of harm to a human being.

MS. MCGRAW: That is an issue that maybe you and I might disagree on, because
harm in the context of information research is very different from harm in the
context of clinical research. What does sometimes tend to happen is not always
a strong valuation of people’s privacy interests and information, because the
concept of harm unfortunately too often gets defined as did the information get
out and you lost your job, or did the information get out and there was
financial information associated with it and therefore you lost money.

You know harm is very subjective in the healthcare context, which is why
it’s so difficult to come up with a standard for breach of health information,
for example, that isn’t just well as the information goes out the door you have
to be notified, because what is sensitive to me about my healthcare information
is not necessarily going to be sensitive to everyone.

I want to say one more thing about that ending that you said. One of the
things that Cynthia Dwork proposed, and she was the scientist from Microsoft
who talked about the ways that they quote, unquote, “de-identify
data.” She proposed a method for de-identification which I can’t, Justine,
if you can remember the name that she attached to it, but essentially what they
measured was if your risk of being in the data is no – of being identified
by being in the database is no better than it would be if you were out of the
database, in other words it’s sort of a neutral proposition, then essentially
there is no risk to you being in, and so therefore there’s no heightened risk
to your privacy by being there. I think that’s a very interesting thing to
– and please don’t ask me any detailed questions about this, this is
Cynthia Dwork’s hypothesis, it was very interesting, and there was some
complicated math associated with it that I’m going to have to admit that I
don’t fully understand.

But, again, because we have so much data about ourselves out there already
in the public sphere, my understanding, and Justine, you can correct me with
that, what she was saying is if there’s no greater risk you being in this
particular dataset than out necessarily, because there is no greater risk of
re-identification for being in and out, is basically it.

I see Maya nodding her head.

MS. BERNSTEIN: I was also at this meeting. What I remember her saying was,
and I’m glad you made this point, because I was sitting there going you need to
talk about Cynthia Dwork’s point, that if there’s no greater risk of you being
in the dataset then your risk in being in the general population, that the risk
of somebody finding out this information based on the fact that you’re in the
general population, whatever public information might be available about you or
other information about you, then that risk is low enough. Basically you’ve
protected them enough if you get down to the point where it’s the same risk as
somebody being in the general population.

Was that your sort of understanding of what she said? [Overlapping voices]
It was in a way complicated mathematics, which I also –

MS. MCGRAW: No, it’s not a safe harbor.

DR. SUAREZ: Exactly, that’s not the safe harbor, that is the statistical.

MS. MCGRAW: It’s just a methodology to meet the statistical prong.

DR. SUAREZ: It’s an approach to meet that statistical requirement.

MS. BERNSTEIN: It doesn’t directly, I don’t think, get to Larry’s question
either, which is what is the risk of some harm coming to the person from the
information being out there. But I think it’s very hard to measure risk to your
reputation, I mean financial risk is relatively easy to measure, but risk to
your reputation or embarrassment are the other kinds of things that a privacy
breach might come to pass are very hard to measure.

MR. REYNOLDS: I got Mark, Carol, Paul.

DR. TANG: On this last point though, I don’t buy that argument because the
risk of somebody else identifying you based on being in this database doesn’t
take into account a couple of things. One is, as Deven said, more and more
information databases are being made public, so you risk will change over time.
And the other is it doesn’t take into account the private databases that any
one entity such as Microsoft has. It’s just like cookies are anonymous until
you have registration data from one person, and you have doubleclick.com who
happens to have contracts with all the other parties and instantly you’re
identifiable, yet Mark wouldn’t be able to pick you out.

So I’m not sure –

MS. MCGRAW: I thought it was somewhat illustrative.

DR. TANG: You know it’s not a criticism or you.

MR. REYNOLDS: You could also have the same argument as to whether or not you
would want somebody, certain companies being the ones who decided this.

No, not being ugly just being – Mark and then Carol, and then we’re moving
onto the next.

DR. HORNBROOK: At the conference did anyone pursue the notion of how much
data specific to health and health status and healthcare is already out there?
The registries doing data, STD reporting, immunization, public school, life
insurance, disability insurance, the vendors that support all our health plans
and doctors, birth certificates, any outbreak investigation by public health
authorities, motor vehicle accidents with injuries, interpersonal violence on a
police report, workplace injuries, these are all things where you data moves
out of your record to someplace else. That is quite a bit.

Did that come up at all among the theory of this issue of privacy?

MS. MCGRAW: Well, yes. I guess I’m not sure what your question is.

DR. HORNBROOK: Did people actually get into the notion that there is a way
to start thinking about the fact that how much data is already out there
presumably for good purposes. All these data releases are to help somebody to

MS. MCGRAW: Right. And all of them authorized by some law somewhere.

DR. SUAREZ: Sorry to jump in, but some of them is protected from being
accessible. You mentioned public health, nobody can access the AIDS database in
the state of Michigan in public health unless they made a mistake.

DR. HORNBROOK: But the public health department comes to Kaiser and by
simply asking they do find out about you, because we disclose it because it’s a
public health request.

MS. MCGRAW: That’s right. But that’s exactly what the scope is, in other
words, all of those uses that happen today with fully identifiable data or
whatever is the pieces of data that need to flow in accordance with what you’re
legally required to, or what you get asked to, and then there are numerous
allowed data uses and disclosures under HIPAA.

That’s actually the point we were trying to get at, is in some cases you do
need to know who the person was attached to the data. Obviously, anonymizing,
pseudo-anonymizing, de-identifying, you know, that’s out the window when we
really need to know who that person is, but for so many of these other purposes
you don’t need to know it’s me, you might need to know my age, you might need
to know my condition, you might need to know in fact exactly where I live
depending on what the investigation is. But that is essentially why at this
point what the report says is least identifiable as possible to actually still
meet the purpose.

But today there are neither incentives nor requirements to think about the
release of data in that way.

DR. HORNBROOK: One footnote, as a person who uses large datasets and merges
them in my research every day, when you think about asserting the quality and
integrity of linked datasets using every single one of those variables you just
mentioned, is that necessary to make sure that you haven’t been caught by a
datapunch error, by somebody fraudulently using a health plan card, or
fraudulently using a social security card.

MS. MCGRAW: And that is actually given that we’re also an organization that
doesn’t think too kindly about unique patient identifiers, and we want people
to be linked by using other data points, we wouldn’t want a recommendation to
get in the way of that.

MS. MCCALL: Firstly, kind of a general comment. I think we’re going to have
to have work we have to do on defining what we mean by privacy. It is thrown
around a lot. It tends to be thrown around in the field as kind of a stink bomb
to slow everybody down. And it’s there for a reason, and we need to be
cautious, we need to be clear, we need to be intentional. But we’re not doing a
very good job yet of defining what we mean by it, privacy from what or for
what, and I just think that’s work.

A question for you about the time you spent together. Was there any
discussion around data itself? And let me tell you what I mean by that. There’s
data and there’s, for example, Medidata, where the fact that certain data may
need to be made private, notwithstanding what I just said, but that the
Medidata on it may not be. So I may be on five different medications and I am
loath to tell you what they are, but the fact that I’m on five is a nice little
piece of Medidata that could be valuable.

So was there any discussion around that as a concept?

MS. MCGRAW: I think we were narrowly focused, I mean we got through this
doorway initially by looking at the HIPAA de-identification, so it was a pretty
narrow inquiry, it was an inch wide and a mile deep, but still we got into it
through this de-identification door. Then when we were exploring sort of is
that standard still rigorous, does it still work, that’s when we started to
stray into the territory of well it doesn’t actually work for as many purposes
as we might want it to.

Therefore, in areas where today identifiable data is used, which I wouldn’t
characterize as Medidata per se, although if you say you are on five
prescriptions and I know it’s you, Carol McCall, then that’s different from –

MS. MCCALL: We kind of think about data today as every field with its real
value and not some sort of a Medidata field.

MS. MCGRAW: No, it wasn’t discussed in a lot of detail and that’s a good

MR. REYNOLDS: Okay. With that interesting thought, maybe the problem is we
don’t know how to explain to the general public how we do or don’t want to use
their data in ways we might want to use it for. So we keep coming up with ways
to police ourselves, and how we’re going to use it, but maybe we ought to get a
whole lot better explaining what we’re trying to do, it might be more helpful.

So, Deven, thank you. Obviously you have us stirred up, and we look forward
to your paper. And after you put it out, you can’t hide.

MS. MCGRAW: No, no, like I said, I mean there’s more work. This in no way
mines this field. It is obviously rich with lots of issues and things to
consider. So it won’t look much different, I suspect.

MS. GREENBERG: Thank you. I might note that the Privacy, Confidentiality,
and Security Subcommittee is meeting the last part of today, and there is no
other subcommittee meeting at that time as I see it. That gives all of you an
opportunity to continue the discussion.

MS. MCGRAW: And I’ve sent my policy counsel Sheele(?) is coming back to keep
an eye on you guys during the conversation.

MR. REYNOLDS: Thank you, Deven, appreciate it.

If everybody will now turn to Tab 5 in your book, please?

Compendium of Data Stewardship Efforts

MR. REYNOLDS: If you remember at the last full committee meeting, Justine,
myself, and Susan said that we would put together kind of an outline of a
primer on health data stewardship that could be produced by the Committee,
obviously with some preface and context on key things that we’ve learned, key
things that we understood as we went through our effort, and then oh by the way
making sure we point to all the appropriate industry papers, writings, and so
on that try to develop the subject.

Again, a good aspect of NCVHS is that we many times take very complicated
things, put them into some kind of structure, and then as we said before, when
we talk about our audiences, at times I don’t think we focus quite enough. One
of our audiences is the whole industry. And I’ll give you an interesting
example that I think you would appreciate as we go through this. I’m teaching a
class now, a Ph.D. class, and as I have some of our readings out there for them
to read on the health IT subjects I keep getting comments back, and these are
doctors and COOs, so these are not just 21 year olds, and they make the
statement that well I read all the readings and boy NCVHS makes it clear, NCVHS
at least listed in a way I can think about it and then I can actually debate

DR. STEINWACHS: You certainly do a lot of wordsmithing.

MR. REYNOLDS: No, but I’m saying taking that as an example, this idea of
putting this together, especially at this time when things are moving so fast,
and the idea of data stewardship to those of us who went through it now becomes
an important thing, and some of us will actually implement at home. I think
that’s the kind of thing as you look at this we’re not trying to fix the world,
we’re not trying to come up with a complete and total definition of what a data
steward is, we’re helping people be able to take one set of learnings and use
them to build how they think about it. And oh by the way that group may be as
this Stimulus and other things move faster, and as things as we just talked our
discussion earlier, where we want to use data in more and different ways these
are the kinds of concepts that go horizontally across everything we’ve been
hearing, and can in fact make a universal difference even though it doesn’t
have the universal answer. So that’s what I want you to think about.

If you’ll turn to 5, and hopefully most of you got a chance to look at it.
Susan, why don’t you just briefly walk through the layout of what we’ve done,
and Justine and I and Susan have kind of put this together, and Marjorie and
Debbie and others I know have seen it. We brought this back, and again it’s not
the complete paper, it is the structure of the paper, and what we would like to
do is get your sense if it’s a good structure. If you have specific comments
I’d like to make sure you get them to me, Justine, and Susan. We’re not going
to spend a lot of time today beating this document up.

Then we’re going to take especially where we talk about tentative report
comments about two-thirds the way down the page, we’re going to use some of our
writings and others to blow that out bigger and have some more things to say.
Then, more importantly, the key documents on data stewardship, which is on the
second page of what we gave you, look through there because a lot of you are
working on a lot of things, around the country. You may have a particular paper
that you’re aware of done by a group, done by yourself, done by somebody, that
also continues to drive the knowledge of the subject, and if so then we would
want to make sure that we include that as a good reference document. So that
again we become almost a library card, we become the primer of how to do this.
And I think that’s a great service that we could add to an entire industry, not
just thinking about one particular group. That is when it gets kind of fun when
you start raising the water level, for those that don’t understand you raise
the water level, for those that do understand you give them a structure to go
ahead and take it and put it in.

So with that, go ahead and make your comments.

MS. KANAAN: Just to kind of reinforce a couple of things you said, Harry
talked to me about the 500th car in the train not knowing where the
engine is going, and that kind of helped me get a mindset in thinking about
this. This is not for the likes of you, this document. It is appropriate
probably that I came to this with kind of a beginner’s mind. I heard the
discussions here, and I did this summary of your big report, but basically I
went to Google to try to understand what is this concept and what are people
saying about it, and who are the thought leaders, and I had some initial
guidance from Justine and Harry, but it was a very interesting and kind of
eye-opening experience to go to Google and Google data stewardship and find out
it’s not useful at all.

I began to think of this a little bit as a primer, it’s the canon on some
level, that’s a little bit presumptuous to call it that, but just to review
– yes, this is the Kanaan canon. I am totally an instrument here, I mean
I’m certainly no kind of expert, so I really need your input.

Just again to reiterate what Harry just said, there are three components to
this little two-page paper that you have here. The first is just an attempt to
articulate the key concepts, to make sure that I’m getting them right, that my
thinking is right and that the language is right. Then there’s a very high
level outline. There you need to be looking at are the key concepts or key
issues, topics, addressed, are they on the list. Then the third, as Harry said,
are the specific documents, and there’s a list of what seemed to be the
undoubtedly key ones. And then there’s a list of possibilities, which I need
some guidance about, a thumbs up or thumbs down. Then there is the possibility
of others, and I think two were probably identified at this meeting that need
to be on the list, the loose framework. In any case, this is by no means a
complete list.

This is going to be a pretty short primer, I think, because there aren’t
going to be a whole lot of words in any of those categories. That is my

MR. REYNOLDS: All right, Carol.

MS. MCCALL: One question, two suggestions, and in reverse order. First
suggestion is in the what is data stewardship and why is it important, I’d put
that first. And I would add one more piece, why now. I believe we need a sense
of urgency that actually accelerates with HIT and actually runs past it, so it
can be there when it gets there. That’s just my personal opinion.

Second, I think that there needs to be a call to action for the reader. I
think that they need to think about, I think that they need to start talking
about doing, taking into consideration.

Then the third is who is the reader, that’s my question, who’s the audience.

MR. REYNOLDS: I’ll answer the third one, and I think we’ve both kind of
tried to touch on it. It can be anybody right now, from somebody in a small
doctor’s office, somebody in a large institution, somebody that’s on one of
these policy committees, us continuing to use it. When you do a primer, this is
kind of like data stewardship for dummies, is its whole idea of this should
play anywhere, and the thing I know looking at it myself, and I spent the whole
time on all of our secondary uses of data, I can still go through there and now
that Susan has spent some time looking at some other documents, I’ve looked at
a few of those just to see because it was done by another group that I
respected, so I looked at it to see how’s that different than what we were

It is really the general industry.

MS. MCCALL: Right. My point is that if the reader is a naïve reader,
they may not appreciate, let alone understand, some of the things that we take
for granted in terms of both the value, but also today’s difficulty. So the
question is whether or not to educate on those. Sometimes yes, sometimes no,
but also why.

DR. HORNBROOK: I think those of us in this industry have been meeting with
privacy and privacy protection without looking at the other side of the mirror,
and that is you can harm somebody by sending the wrong data. You need to think
about data stewardship both in the sense of keeping data safe, but also when
data used to be sent they’re right because you can harm somebody by sending the
wrong data or sending it to the wrong place. So data stewardship is actually a
much broader and a much more important concept than privacy. Privacy is part of
it, but also benefit entitlement. When you’re entitled some benefit and people
interfere with that entitlement because they don’t recognize you, you don’t
have the data about you, or they don’t use your data correctly, that’s just as
harmful as breaching your privacy.

MR. REYNOLDS: Yes, Leslie.

DR. FRANCIS: This is I take it the kind of point John Houston would make, so
if I get it wrong it’s all my fault.

John uses the term “governance,” and I think what he means by that
as far as I understand it is a different level. So this report, or the focus of
this, is what a good holder of data does basically. I think that’s the level
that Mark – or so this is aimed at health organizations, payers
information, all those sorts of folks.

But it seems to me there’s another question that maybe is a stewardship
question, which is how do we try to assure that a holder of data is being a
good steward. For example, one way is disclosure or transparency, another is
some kind of oversight, and that’s what I think John is talking about in
governance, I mean obviously there’s also sanctions and things like that. I
didn’t want to bring up the nasty side of it. But it seems to me that it could
be we want a part 4.

MR. REYNOLDS: Let me stop you there for a second. We are where we are
because we held some hearings, and we discussed data stewardship. And I think
we don’t want to go outside what we discussed. So the reason I’m hesitant to go
any further than that now – we are willing to point at other documents.
For example, if you know of other documents that would explain what that was
and somebody spent the time, the effort, the time on it, then I don’t think we
would have any problem adding that, because again we’re a primer. We’re saying
here are all the things you need to consider. We are not taking a stand on what
you should or shouldn’t do, because we don’t have the jurisdiction to do that.
We’re second not taking a stand that says if you don’t do this you’re wrong.
And then somebody could come back later in some kind of a lawsuit or point back
and say, look – so we have been very cautious as we wrote this to make
sure we stayed within what we already knew, because we did have a lot of
discussion on this, and all of our documents are clear on this. So I’m hesitant
to go outside that comfort zone except to point at whatever we want to point

DR. FRANCIS: Again, I said this is what I took John to be saying in those
discussions, which is that there’s another layer on this which is not just
being a good steward but how do we generate the kind of trust that we need to
have that people are being good stewards. We don’t know about how to do that;
we certainly didn’t have hearings about that. But pointing out that it’s an
issue seems to me to be –

MR. REYNOLDS: In the beginning I don’t have a problem pointing that out as a
consideration. Again, I want to stay real careful as we talk about what to do
or not do, and we don’t go outside what we’re already on record doing.

So I got Walter, Judy, and Sallie.

DR. SUAREZ: I’m a little confused here. Are we trying to write a document
that says the position of the Committee on data stewardship?


DR. SUAREZ: Are we trying to create a resource for people that will be
dealing with data stewardship?

MR. REYNOLDS: What to think about, just like the same kind of things we’re
talking –

DR. SUAREZ: Okay. So there’s no intent of creating a set of recommendations?

MR. REYNOLDS: No, absolutely not.

DR. SUAREZ: Okay. Just one point then. The Recovery Act calls for the
appointment of a chief privacy officer by the Office of the National
Coordinator, whose functions are to advise the privacy officer on privacy,
security, and data stewardship of electronic health information. So there is a
direct responsibility of that person.

Now, it sounded to me like ONC requested, so that’s what it says in the
agenda, or whatever it says, ONC has requested us to do something about data
stewardship, help them –

MR. REYNOLDS: That was part of our secondary uses of health data.

MS. TRUDEL: We held hearings and generated a report at their request.

MR. REYNOLDS: Now, in that report there are recommendations.


MR. REYNOLDS: In that report our secondary uses report has recommendations,
there’s no question about that. This though took the subject of data
stewardship, and again, what we’re trying to do is how do we help an industry
learn, and so that’s what we’re trying to do with this now.

If that privacy official is appointed, then we should point them to our
whole discussion of secondary uses of health data of which data stewardship was
a piece. If somebody were to take that job that would be a great document for
them to take a look at to understand all the ways that that data can be used in
the nationwide health information network or any other things in context of
what our assignment was, that’s where we were going.

All right, I got Judy and then Carol.

DR. WARREN: I would just like to speak to when I went through this initially
this is a document that I have been trying to put on PowerPoint slides for my
students. When I have them read the paper and letter that we wrote there’s a
lot of information in there, and we wrote that because there was a lot of
things coming out from HNA, from AMIA, we had hearings on it, we made
recommendations. There is a lot of information in there, but most people don’t
know how to take those letters and then know what to do with them.

When I saw the primer this is exactly what we need. So I am going to quit
making my slides and wait for the primer to come out, because there are other
things I need to be doing. These are the kinds of things I would like for us to
consider. I know when I first came to the Committee I told Simon once, I said a
lot of the stuff that comes out of this Committee I make my students read. And
Simon’s thing was why are you making them wade through all this stuff, it’s not
there. And yet I can’t think of a more up-to-date targeted source for the key
issues in health IT or in health communications and stuff that we discuss and
adjudicate out of this committee.

I do think there’s another kind of market niche for us that when we take
these very high level heavily wordsmithed kinds of documents and make a primer,
not just for the students that are out there. When I also worked with some of
the hospitals in our area, they have a very difficult time really looking at
this, and what they want is a very simple kind of as short as you can make it
primer with references of where to go.

The suggestion that Leslie made, that would be where to go next. If you
added all the stuff that she talked about in this primer it would turn people
off, because it’s too complex for them to think about, there are too many ways
to go. But if you keep with this kind of outline and really kind of walk your
reader through it, that’s why your comment about going to Google and coming in
as a naïve viewer of this I think is critical. But this may be something
the Committee wants to consider for future products that we produce that we
might want to have a primer as a subset of that, because I think it would be
very useful.

MR. REYNOLDS: Sallie then Carol.

MS. MILAM: Just an idea for your consideration. Leslie and John raised the
issue of how to include governance. What you might consider doing is adding
another box here, key documents and data stewardship, that has a reference to
some of the privacy frameworks that you see around the world. They have
governance inherent within them, ONC’s does that they just issued. There is a
group called the ISTPA, and they put out a report on every privacy framework
that has ever existed and exists in the United States and around the world. So
that would be a way you could just add to the chart I think and maybe address
that issue.

MR. REYNOLDS: Sallie has just been added to the Committee to give Susan that
box and what should be in that box. That’s part of what we’re doing today.
There are things that can have this. No, we don’t want a casts of thousands,
but if you can pick a couple that will take somebody trying to figure out how
to think about it, let them learn how to think about it and then obviously they
can branch out from there as sophisticated or other as they want to be. So,
Sallie, that would really be great if you would do that.

Carol and then Mike.

MS. MCCALL: A comment on just extending where Judy went. I think, first of
all, the idea of a primer is great. Second, I do think it needs to come in
multiple forms, and also it’s not a one size fits all in terms of what the
readership actually reads, whether it’s a PowerPoint slide, whether it’s a
one-pager slick, good God, maybe it’s a refrigerator magnet that goes on and
slaps on the side of a PC that says because – this is just think about an
organization that’s trying to socialize the responsibility of data stewardship,
and give them the kit that they need to then actually run a program.

You can think about what it means to say, look, if you’re serious as an
entity here’s what it means to begin to start training your organization and
your responsibilities, and that includes links, that includes slides, maybe
magnets. And here is a thought, does it include a website that is
www.datastewardship.gov that says we love to hear from you, because it is about

Now, those things may become the job of the chief privacy officer. My
question is, and I think we should do it anyway, but did the client ask for
this primer?

MR. REYNOLDS: Did the client? No, we have decided that the industry is our

MS. MCCALL: Very good. I’m just curious, I’m just going back to –

MR. REYNOLDS: However, everything that we put out many clients look at. It
may not have been the client that originally asked for it, and in fact Walter’s
comment, if somebody gets appointed.

All right, I got Mike first.

DR. TANG: Let me just answer her challenge to have a refrigerator magnet:
“Do unto the data of others as you would have done to yours.”


MR. REYNOLDS: I’m sure Susan listed that. Okay, Mike.

MS. MCCALL: Math illiteracy affects 8 out of every 5 people.

DR. FITZMAURICE: Would you please not put that refrigerator magnet on my

Secondly, the way I think about data stewardship is suppose I’m walking
along the street and I find your medical record down at my feet. I’m not a
covered entity, I’m not a physician, maybe I don’t even know you, but I got
your record in there. What would you have me do with your record, which is kind
of like what you said, Paul, do unto others.

So the principles of data stewardship should guide what you do when you find
yourself with that record, or any kind of a record about another person. It’s
the same as you’re in a cubicle and somebody next is fighting with his or her
wife, talking with his or her stockbroker, sometimes it just runs in one ear
and out the other, but you have principles that govern how you handle
information. So the data stewardship paper I think should appeal to a
reasonable man, that these are reasonable principles.

I actually think a privacy law would be good if it were just data
stewardship law. If you find yourself with this data, say medical data, here
are principles that govern what you do, and then state law if somebody is
harmed could prosecute you, and if you didn’t follow those principles your case
would be a lot weaker than if you had followed good principles and something
bad still happened to the patient.


MS. KANAAN: You may not want to go here, but in a way this goes back to the
issue that Leslie raised. When I started looking into this, and indeed when the
idea for this primer first came out, there was still a lot of talk about the
national health data stewardship entity. So that kind of shaped my initial
thinking, and explorations, was that this was all headed toward an entity, a
governing entity I guess. But the more I learned the more I discovered that the
comments to whatever it was called that AHRQ posted, we’re not going to do that
right now.

So in the question if the entity or national policy is in the outline, and
the question is –

MR. REYNOLDS: The idea that that was discussed is in there.

MS. KANAAN: It’s a part of the story, yes.

MR. REYNOLDS: But there’s no selection.

MS. KANAAN: And it’s one of the issues. So I guess everybody’s comfortable
with talking about it that much. I mean it is part of the history.

MR. REYNOLDS: I want to make sure everybody gets real comfortable here with
the whole thing shortly. So, yes, you’re exactly right.


MR. REYNOLDS: Justine, and then we’re going to close it down.

DR. CARR: I think that that debate isn’t closed; I think that’s still a
discussion in many venues. I think just putting everything out there, the
thoughts over these couple of years. I just want to reiterate what Mark said,
that data stewardship is not just about privacy. This is really about, I know
Bill hates it when we use this word, integrity of the data, and it’s integrity
in terms of its accuracy and application and all of that. I just want to make
sure that’s in.


DR. GREEN: My comment is about the structure of the report again. I’m
extremely comfortable with that, I think it’s a great idea, and I really like
the suggestions I’ve heard.

Mike Fitzmaurice’s comment triggered this off, in many of our IOM reports we
struggle with using examples, the human interest story, the something that
takes these pretty nerdy headed concepts for your students and for others. I
would urge us to look at our audience list, by the way clinicians isn’t listed
on the audience list there and it probably should be explicitly, but we could
think about examples that would galvanize our audience into understanding what
this is about by something just like well if you’re walking along and you
happen to –

MR. REYNOLDS: That would be good. So you kicked off the process. So the
point to me is that we’re showing this as a group, we would like the
opportunity to build it out, run it through the Executive Subcommittee and
bring it back. I’m asking each of you that if as you hear these subjects,
whether Sallie just added some things for the governance or some of the other,
whether anybody around the room has an example that they would put together.
Again, we’re trying to build a primer, and I don’t want it to be through the
eyes of those of us who are on the small subcommittees. I want it to be
something that helps generally.

Again, I just implemented data stewardship as part of our Sarbanes-Oxley
effort for all of our controls of all our data in our company, and I will tell
you it is something that it’s very hard to get across to people. People want to
use the word data ownership, and nobody wants to own the process, they want to
own their piece of the data, that’s why you call them stewards. Because within
a company you can have nine people touching something, and each one of them is
a steward as they move it along.

This whole idea of how you would do it yourself and what it means in
different situations is what this primer is really helpful. And you can take it
in your own world and you can make something of it, because literally I just
finished implementing this with people kicking and screaming all along the
whole way on how far they have to own or be involved in what they did.

So, Walter, last comment, and then we’re done.

DR. SUAREZ: Thank you. I just want to add perhaps one of the dimensions or
aspects that is not explicitly stated in the outline is security. We reference
privacy issues and talk about HIPAA, but I think part of the stewardship
responsibility is ensuring that some secure procedures and policies are in
place, and that’s translating to the confidentiality of health information
protecting the privacy and security mechanism. So I think it would be helpful
to explicitly identify security as one of the areas.


MS. MCCALL: We can add security, but then let’s not stop there. Because data
stewardship, if you go back and read things, it’s a lot of things, it’s also
ensuring not just that it’s private, secured, and all locked up, but it’s
actually useful. I think your intro actually talks about these coexisting
tensions. I would agree that it needs to be included, but that it not be
limited to that, and that you really talk about the coexisting tensions. And,
again, I would personally just reemphasize and talk about why this is
important, and also why now, because there are a lot of these readers who don’t
understand its value or they take for granted that it’s easy, or something else
is being assume in us because we are so close to this that our readers will

MR. REYNOLDS: Again, that’s why we have done very little to lead our writer.
We have given her a framework and we have asked her to go out literally as a
lay person in this subject and write it at that tone. So the same things we
have tried not to do I want to ask the Committee not to do, which is if we turn
it into our document and our knowledge we did it again, you know, we may have
just left three-fourths of who might read this out.

We sometimes know too much when it comes time to teach, so I want to be

Last comment, and then absolutely we’re done.

DR. HORNBROOK: There is the whole concept of communication behind
stewardship. That is if you’re going to send something somewhere to make a
benefit, you have to make sure the recipient receives it and understands it and
uses it correctly. So this notion of stewardship is also the principle of
successful communication, and of course successful communication also means
respect for people at both ends of the communication line, which means private
stays private, and you have permission to send something forward, and
permission from the person to receive it.

MR. REYNOLDS: So the recommendation is we continue to work with Susan to
build it out. Some of you have assignments, if you could help us with some of
this we’ll bring it forward, hopefully before the next meeting we’ll try to
bring it forward to the Executive Subcommittee. Then bring it in here, and if
you have any other comments please get them to us, because when we bring it
back in let’s don’t tear it apart again. It’s a primer, if you read it with
your knowledge you’ll probably want to change it, and you’re probably the worst
audience we could bring it back to, being honest, because you know too much.

So help us now with what you would like said, and then let us work with
Susan and then maybe even some others who could turn that into language that
most people would understand, not something that we might necessarily want to
do because we know what we know.

DR. HORNBROOK: Do you want to publish this?

MR. REYNOLDS: Yes, we’re going to send it out, yes.

DR. HORNBROOK: No, I meant do you want to publish it in a journal?

MR. REYNOLDS: Well, we’ll worry about that. let’s get something done, then
we’ll figure out where we want to put it.

DR. HORNBROOK: I think it an appropriate place to put it in Health Affairs.

MR. REYNOLDS: We’ll get it done and then that will be the first – you
get to ask that first question when we get it done.

I would like to spend the last 15 minutes of today, and, Susan, thank you so
much, you’ve been a wonderful asset for us.

MS. GREENBERG: As always.

Committee Discussion – Strategic Planning

MR. REYNOLDS: We heard a lot today, we heard how fast things are moving. I
wanted to make sure while we still have the full committee together to have
some people’s thought on how do we play, what do we play. I know there’s been a
lot of discussion, we’re discussing with ONC, we’re discussing with CMF, we’re
discussing amongst ourselves, with Jim, Marjorie, and we’re trying to
understand where does NCVHS play, what do we play. I have some feelings, and so
do a number of us, the deal is supposed to be looking at this, and I’d love to
have some input from the group on where you see us playing, how you see us
doing it, so we make sure we at least have some of that discussion before we
get too much further along and how we’re going to do that.

So the floor is open. Justine.

DR. CARR: As Jim told us a year ago when we had our February meeting last
year, stay tuned for the next big thing. So I think we heard a lot of big
things today. And his point was not to get locked into various agendas until we
saw what was unfolding, so I think that’s what we’re seeing today.

It is interesting the themes that have reemerged, HIPAA for one, stewardship
for one, and PHRs, and I guess those were things we thought we had done. But do
we need to revisit any of those?

MR. REYNOLDS: Larry and then we’ll go around this way.

DR. GREEN: From the strategic and organizational point of view, I would like
to use my experience yesterday as an example of what I’ve begun to think about,
about the way to go forward.

I was an interloper yesterday at the Jeff and Judy show, and it was
terrific. I sat here this morning trying to imagine what it must be like for
everyone else on the Committee who wasn’t there to keep up or to be informed,
to benefit from it. What it has done is precipitate a little crisis of
confidence from a strategic perspective about our ability to subdivide
ourselves up into small groups and go off and do our work and then come back
together for relatively short periods of time and make sense out of it and do
it. And from the very practical point of view, last night after having this
positive experience on a committee that I’m not, it just made me think that
when you take the curve, and the word accelerate has only come up about forty
times, so the curve is really steep, and we’re structured to sort of go off and
think in small groups, and then three times a year get together sort of as a
larger group.

To cut to the chase here, I’m coming to sort of an 80 percent formed opinion
that we’re at a point where we need to function much of the time as a committee
as a whole in order to bring all these perspectives into play. That is not to
say we have to take work assignments and go off and do stuff. I so wish the
whole committee had been at the Jeff and Judy meeting yesterday, it would have
benefited all of us I believe in our mission.

DR. WARREN: Larry brings up an important point. It was actually something I
was thinking about last night and also this morning while Rob was talking, is
that we did cover a tremendous amount yesterday and there were some really good
slide sets and papers that were there. And I haven’t discussed this with Jeff,
so he can throw in his two bits. But I do think it would be worthwhile for us
to probably put together a summary of yesterday, and I want to do that, but the
caveat was it’s the first of four days. We’re holding ourselves open not to
make any opinions or summaries or recommendations, and we’re trying very hard
not to do that. But certainly we can put together something and email it out to
folks if everyone’s interested. Yes, I am working with Susan Kanaan to put
together kind of a summary. But I was thinking of the raw data. We had some
tremendous source documents and stuff that were out there.

Like with Larry wanting to educate himself, should you want to read this
stuff, or maybe it’s like a primer, here is a reference to these source
documents, websites, things that were mentioned. I’m just throwing that open
because several people have commented to me today about that meeting. So we can
throw that open.

And I know from other subcommittees that have met, I have kind of felt the
same way about the material in the hearings that they’ve had, that it would
have form, especially now from standards since we’re hearing so much more about
testing, communication, and the infrastructure or the context in where they
live that we’ve not paid that much attention before.

MR. REYNOLDS: Debbie. I’m coming right around.

MS. JACKSON: Just structurally I’ll add that we have some copies of some of
the slides from yesterday, and that even in the books we have been trying to be
more conscientious of putting the agendas for what we’re calling the tag-along
meetings in the book. That has been a new feature for us, so anything we can do
to send material out in advance to help galvanize this consensus is really
growing this Committee, it’s really palpable, it’s really exciting to see. So
we’ll be very glad to help how we can.

MR. REYNOLDS: Walter, I saw your hand up.

DR. SUAREZ: Yesterday I mentioned how being an unprecedented decade
basically for health IT, and we’re about to embark on an even greater one. And
I think we have a unique opportunity to make some bold statements about some of
the things that need to be done to take full advantage of this opportunity.

I think over the last five years we’ve struggled with the little amount of
money that the government had to put in place all the things that they did with
all the volunteer work that has been done on all the different activities from
AHIC to HITSP to CCHIT to the NHIN efforts. Then here all of a sudden we have
100 or 1,000 times more money than what we had originally. So we need to
consider this opportunity as a way to making some bold statements about how we
proceed with everything, with standards, with health information exchanges,
with privacy and security.

The challenge we have is time. In 90 days, or less than that now, since the
enactment of the law, the two new advisory bodies have to be established, and
they start supposedly to be providing some feedback or input. I don’t think
that’s realistic or whether it’s going to happen, I’m not sure. But if you line
up some of the deadlines, we need deadlines for people at ONC and others and
HHS to comply with, it’s moving – I mean it’s not like the train is
moving, it’s the train left last Monday and is already in New York, and we’re
still here in Washington.

I’m concerned with some of the opportunities that we have if we take too
much time, and I’m talking about a few months, that’s too much time. If we
don’t move faster than that in some fashion, some of the things that we will be
suggesting or recommending will come into a second wave, if you will, of
actions. The first wave of action is starting to happen in the seventh floor
here, and is already moving.

I think we need to find a way to over the next six to eight weeks take some
recommendations, some ideas, even if it is draft ideas or in any form that is
informal or whatever, but if we wait until we deliver final reports to the
Secretary, whoever that’s going to be, things that are going to be already in
place and moving. The effect that we might have on those might not be
necessarily what can be done at that point, because all the pieces are already
in motion.

That is my point, and I think we have indeed the opportunity to make some
bold statements about some of the things that are in place and that can be done
in different ways.

MR. REYNOLDS: I’m going around. Carol, did you have your hand up?

MS. MCCALL: I apologize, I have a hard stop, I have to go.

MR. REYNOLDS: That’s fine. Jorge.

DR. FERRER: It is still unclear to me with the new FACA committees where
actually NCVHS actually plays. Is it going to be advising them, is it – so
that structure is completely unclear to me. So if somebody were to ask me,
okay, give me a brief, and we know there’s two committees coming out, NCVHS is
going to do what with whom, and who is going to do what?

MR. REYNOLDS: I will make some comments, Marjorie will make some comments,
and I’ll try to put you in contact. I’m letting everybody have a sense of
asking their questions, and I tell you what we’re all trying to do right now –

DR. FERRER: It would be good if we knew that before we left the meeting.
Carol was just – before she leaves.

MR. REYNOLDS: I understand that, we’re doing the best we can. There’s a lot
going on right now. Jeff.

MR. BLAIR: Walter, one of the things we discussed with ONC was that we would
be sharing information with them after each of the four days as soon as we are
able to get transcripts.

And, Marjorie, I think you need to be part of this and hear this.

MS. GREENBERG: Excuse me, I was having a little sidebar with Harry, and I

MR. BLAIR: One of the things we sort of have an understanding with ONC with
respect to the four days of hearings because they’re stretched out over such a
long period of time is that they will try to be present during as many of the
sessions as possible to hear directly. Then as we wind up getting our
information not just transcribed but organized, so that people could wind up
looking at it from different perspectives, that we would share with them as we
go along. So we’re not waiting, as you were saying we can’t wait until
September or October or November to pull this all together, we’re providing the
information to everyone as quickly as we can about what was said in the
hearings, and then after that we’ll try to pull together to see if there’s
themes or issues or recommendations that we could make.

The other thing is that – and Harry, I’ll leave it to you with respect
to the roles of ONC and NCVHS.

Then the third thing is that we have a secret plan, and that is all of us
will clone ourselves five times over to be able to be in all the committees we
need to be on in the next three months.

MR. REYNOLDS: I’m going to make a comment and put it in context for
everybody. Let me make one other comment, and I’m going to play off all the
comments today. There is a privacy group meeting at 3:00, I’ll play off of
Larry’s comment. If you don’t think you’re going to be involved in the privacy
of what we’re doing, you’re crazy. And if you have an opportunity to go and you
don’t go, you chose to miss out. I’m not being ugly, I’m being serious. We’re
moving and things are happening, and this is a perfect time to do that. I want
to make sure all the co-chairs here, I’m hearing a lot of pleas about how we
could make a difference, well, you all got meetings between now and tomorrow
when we get back together.

We had Standards yesterday, we got the other three in the next short period
of time, come back and say how we make a difference. You’ve heard a lot, and
I’m going to give you a little more information about it. But remember, it’s us
deciding the difference we can make, I mean there’s nobody else in the room
helping us. So we can’t yell help, we should yell help to ourselves, so I want
to make sure we do that. Judy.

DR. WARREN: I just wanted to make one plea, and it’s in response to Walter’s
sense of urgency. One of the things that I’ve learned about this committee is
we have the ability for the long vision. And I don’t want us to give up the
long vision because we’re concerned about what’s happening in the next 90 days.
I think that’s a very easy thing to get into, that we need to really
deliberately take a look at where we think things need to go and to choose
those projects that really move forward the vision of health information,
health data, and all of those, and not get caught up in the craziness that’s
going on in Washington, D.C. right now. Because this happens every four years,
and yet we still have the ability to contribute to that. I just want to put a
plea in for that, that we don’t make ourselves crazy and wear ourselves out in
the next 90 days.

MR. REYNOLDS: Marjorie, and then I’ll make my comments.

MS. GREENBERG: As the usual mother of this group I want to thank my
co-mother here. I agree absolutely with both of you, or as usual I agree with
everyone, even when you contradict each other I guess, that’s like a real
mother, because there’s something good in everything, in whatever you say.

But on the one hand, maybe because I’m sitting here planning the
60th anniversary, although it is true these new advisory committees
are in law which always for a long time did differentiate NCVHS from others
that come and go, the fact that we are in legislation, of course we’re
mentioned in that legislation too so it may just be two times but it was two
times I was happy to see. I was sitting in yesterday’s meeting, I mean I had no
doubt that there was a role for the National Committee on Vital and Health
Statistics, and I think not only are we here for the long term but we also have
the long view going back, as well as the potential of going forward. And the
view that is if you recall what the Committee agreed it was going to focus on
as a sort of touchstone or whatever it was, it’s person-centered health.

Larry raised this yesterday, and certainly I think Don Detmer did, and Carol
Diamond, but when you looked at all this stuff from the eHealth Collaborative,
most of it said patient, most of it said healthcare, even though they’re not
the eHealthcare Collaborative, the eHealth Collaborative, it’s still true that
most people are thinking healthcare and most people are thinking patient rather
than this broader view. Yet, people were saying if these standards and even
these electronic health records don’t contribute to health, not just healthcare
but health, it’s going to be a problem. So I think that is an area where the
National Committee because of its membership and because of its history,
etcetera, does have that view, that health view, whether it be population
health or personal health, whatever.

I agree with all that, but on the other hand, and I want to hear what Harry
is going to tell us and I may have more to say after that, but I do agree with
Walter in one regard. There are two areas in which the train is moving, oh yes
one is all of the actual work and stuff and the recommendations related to all
that, and I don’t think all that is going to happen in 90 days. Frankly, I’ll
be amazed if these committees are established in 90 days, particularly the
policy committee includes members named by the Congress. We have been trying
for three years to replace Richard Harding, who is the Senate representative to
this Committee. Maybe if they are going to name them to these other committees
maybe at least they could name one for us too at the time, you know, while
you’re at it. But I’m hoping that the people in this building who will be
communicating with them will point that out. It is kind of ridiculous, I
shouldn’t say that, but it makes you wonder.

But this is a good time I think, and June will not be as good a time or a
good time at all, to be saying to the Department okay there are all these
things that these new advisory groups are supposed to be doing, not to mention
the new groups that you just transitioned from an advisory group. And we see,
you know, these are the things that we have so much experience with or that we
are already working on or whatever that we are prepared to take the lead on,
we’re happy to take the lead on. I mean I think even if it’s – that
doesn’t mean that each of these groups will be formed and they’ll have limited
bandwidth just as we do. So this would be the time between now and the next
month or so it seems not after June to say what the Committee feels – what
part of this – even if it wasn’t assigned to us, not to mention the things
that have already been assigned to us, and we’ll keep doing those and they
relate in many ways – but what pieces of the pie we feel we’ve already
been shopping, we’ve been mixing up the ingredients, you know, and that could
be a great relief to those who have this whole responsibility.

MR. REYNOLDS: Garland, I think you had a question a little bit earlier and I
went around there and missed you.

MR. LAND: I guess I want to pick up on Walter’s concern about we need to
watch that train getting away from us. I am concerned about the question I
raised earlier, in terms of health statistics, which we don’t talk too much
about, that train is leaving very fast, maybe in the next week or two, and
there is potential money to, you know, we talked in the last meeting about how
national surveys are being cut in half, how the vital statistics system is
being eroded. There is real potential that money from the Stimulus Package
could help that situation. I’m wondering if we could prepare a letter even for
tomorrow to go to the Secretary or whoever to reinforce our concern about the
national health statistics system, and help to support the use of the money for
that purpose.

MR. REYNOLDS: And the way I’ll approach that and Walter’s comments is I
heard the word “bold,” I’d like to see a list of them. No, I’m being
serious. I mean if we say we want to make some bold statements, then let’s list
the bold statements. Because if we’ve already done the work on them –

DR. SUAREZ: Let’s do it. No, I think we should.

MR. REYNOLDS: All I’m saying to everybody is there are committee meetings
between right when we walk out of this room and tomorrow where the process of
this Committee is that the subcommittees bring forward recommendations to the
full committee. If you guys want to write letters tonight, want to write
letters in the morning, you want to pick a letter we have already kind of
messed around with in the populations I believe on asking for more money for
some of these things, and you want to dust it off and you want to change it and
make it more apropos to current, the process of this Committee is that we have
subcommittees so people can prepare things, you bring it to the full committee.
What I’m saying is, it is moving fast. If there are things that we want to redo
or change a little different, bring back things we’ve already said that looks
– they might not have seemed so important when we said it six months ago,
my gosh it plays right in the middle of the sweet spot now. Let’s do it, that’s
what subcommittees are for. So I’m challenging each of you, please put them
down, take them to the right subcommittees, so that’s what I’m looking for.

I’ll make one comment on the standards yesterday. That was done in total
concert, 100 percent concert, with ONC. I will promise you that anybody from
ONC that was in here yesterday walked out different. You have heard Larry’s
discussion about his transformation and how he thought, Rob Kolodner sat here
the whole day. So everything he did yesterday all the way from, and some of the
statements that were made in there were not overly excited about the current
direction by the thought leaders. We’re not necessarily saying that that was
going to be the right thing or the wrong thing. I’m saying we had thought
leaders in yesterday, and we also had people talking that were on other
committees that were doing standards as to how they’d be left out and
everything else.

What I’m saying is we had a seat on the train yesterday. Even though we
might not have exactly where the destination is, we helped move them forward,
and I know Rob would say that if he was sitting in the room. That discussion
was quite dramatic, and it was a discussion that NCVHS can hold. It would not
have necessarily been a real exciting meeting if it had been driven by ONC,
because there were some pretty strong statements made in there about what’s
going on, because you’re talking to thought leaders. Remember you’re not asking
people to stay just on the train.

So there is a train leaving, but there will be more trains leaving, and
there will be all new railroad systems in some cases. So I just want to make
sure that we maintain with what we have and the time we have and the resources
we have, is that we keep a focus on where they might go. I can say to you that
I’ve spent an incredible amount of time with Rob, probably more time in the
last week by a multiplier of 20 then I have since I became a member of NCVHS.
We are all over it.

And we’re working with Marjorie, we have X amount of things we can do, you
guys will be working with her, I’ve spent time with Jim Scanlon. I spent time
last night with Tony Trenkle about the things that CMS is doing, and oh by the
way CMS is now is the Stimulus Package. I’m saying we’re getting connected into
all the places where we can help, because none of these groups are going to be
– we’re actually probably going to be faster out of the gates on anything,
whether it be assistance with the standards discussion yesterday, whether it be
some of the other statements we made in most of the other groups because there
is still going to be a struggle as to how to create some of these FACA
committees to even get together to do something.

We have subcommittees, we have a structure, we have a whole lot of people
that have opinions and have good direction and know where this is going. Please
engage, please engage now. If there are things we can do right away let’s do
them. I can comfortably tell you that we are marching now.

The other thing is we have to also as a committee take into consideration
that we do give our recommendations to the Secretary. There is not a Secretary
at the moment, so we’re working through Jim, we’re working with everything
we’re doing, but a letter can be prepared and that letter can be carbon copied
to Rob Kolodner, that letter can be carbon –

MS. GREENBERG: There’s an Acting Secretary.

MR. REYNOLDS: Yes. So I’m saying there’s things we can do. We are tightly
connected into the players and what they might or might not need. So please
continue from your subcommittees to tell us what you think you want to do, and
we’ve already got all the connections to start working what would be the best
way to do that. None of us are waiting, I can comfortably tell you. We’re all
over this and we’re ready to move.

But you got to go through our regular process which is when Privacy meets
this afternoon if there’s something that they want to do they got to say it. If
Standards, which yesterday I think we kicked Standards a whole lot forward in
its thinking in general than it has been in a long time. And I’ve been on the
Standards Subcommittee for five years now. Because the game changed, so all of
a sudden we changed, and oh by the way we happened to be the group that had the
thought leaders in the room at the time as soon as the game changed. So boom,
one thing good about this you can jump to the front, you can get on a
helicopter and go in front of the train, and that’s kind of what I think we got
into yesterday. That’s what we have to think about.

So please go through your process, please if you have a passion put it down
into action. If you have something we’ve already done and you think it makes a
more important point now, pull it out. If you don’t, then we’re just victims. I
have no intention of just being a victim. Oh by the way with everything we got
to get done maybe there should be three FACAs, because they all better go like
crazy. If you add it up there’s all kinds of stuff going on right now.

I just ask you to help. One thing great is you guys own this Committee. So
good, own it. Write down what you want to do, tell us how we’re going to do it,
and honest to God, we’ll make it happen. We’ll take it forward to the right
places because we’ve been spending an awful lot of time doing that. We got
between Marjorie’s experience, Jim, CMS working with them, working with Rob,
and then obviously touch some bases as soon as we get a new Secretary, we’re
ready to go. Let’s decide what go looks like. And I think we can really make a
difference. I ask you to be very aggressive about that this afternoon and
tomorrow morning, and come back in. Then if we need to call some conference
calls to move a letter along faster, some things to do we think we ought to
make up, let’s do that.

MS. GREENBERG: I just was going to note, because I’m looking at tomorrow’s
agenda, obviously in the morning we have Population Health, they’ve got some
things they’ve already put on the table they want to do, not to mention things
they were already going to do. Standards is reconvening, and Quality. That goes
until 10:00. Then we have outside people coming in, and I think it’s going to
be a great day. But if you look at the agenda it leaves precious little time
for committee discussions, particularly if people are bringing forward letters
to consider, etcetera.

I know that there are some people who know they have to leave whenever, and
there is no flexibility. But if you’re wondering are we going to end early, I’d
say no way. And even we may end up eating lunch around the table, I don’t know,
something. But it’s very tight, and sometimes we have a kind of open day the
second day, but we actually don’t tomorrow.

MR. REYNOLDS: Again, if we get some letters, I mean we’ll have to work out
ways to make this stuff happen. I’m saying please bring forward what needs to
happen. Be aggressive about it. I totally agree with what Walter said, the
game’s on. But guess what, we’re the only FACA in place. We’re the only group
that’s been working on this on a continuous basis, and we know how to do our
thing. That would be front row. There’s no other road, and that’s not a bad
place to be. So let’s go. That’s what is exciting to me about this, we’re ready
to play.

MS. GREENBERG: That’s what our President said.

MR. REYNOLDS: That’s right, let’s go.

DR. FRANCIS: Before we break up into subcommittees, I just want to be sure
there isn’t something that we all believe in but that isn’t likely to be owned
by any particular subcommittee, because there’s a risk that that won’t get
surfaced. I was sitting here worrying about whether Garland’s – that’s the


DR. FERRER: What I’m hearing you say is that you basically have – you have
offered the services of NCVHS to help Dr. Kolodner put together some of these

MR. REYNOLDS: No. Here’s what we have done, is we have clearly spent a lot
of time talking to him about how does he see what they’re doing, what we’re
doing. He also knows obviously the whole standards thing is a perfect example.
Now, if they’re going to hire us like they did a few other times then there’s
got to be money. If we’re going to be use our normal process, which we are
doing exactly right now with standards, to allow them to walk beside us and
more forward faster, we’ll do that.

I’m saying we have lots of ways to do it, but we got to understand what they
think do it is, and that’s what we’re doing. Then we got to figure out how we
would ever make that happen if we could. That is where we’re going.

So, no, I’m not presupposing anything. Jim is not sure what to do, I haven’t
had enough time to spend with Marjorie because we’ve been going full speed on
this. And understand, this all happened between last Thursday and today. This
isn’t like something we’ve been talking about for months. Because we happen to
be in the right place in town at the right time, and had a lot of

MS. GREENBERG: It’s impressive that our Standards Subcommittee planned this
hearing well before there was any Stimulus Package, or well before there was
even a new administration.

MR. REYNOLDS: We know the right stuff, guys, that’s the fun part of this, we
know the right stuff. So let’s step up and go with it, because it’s going to
play, however they paint that train it’s still going to play on that train.

Jeff, last comment and then we’re done.

MR. BLAIR: Jorge was asking about the division, at least my understanding of
your question was who’s going to be responsible for what between ONC and NCVHS

MR. REYNOLDS: I hope you don’t have an answer.

MR. BLAIR: That’s the point, that’s exactly the point. But what we do have,
and this is reinforcing emphatically reinforcing the point that Harry just
made, I’ll just put maybe some slightly different words on it, which is we
really have I would consider a partnership relationship with ONC, is that a
fair word, Harry?


MR. BLAIR: It’s a working relationship where Rob understands what the
statute has said, he’s trying to figure out what he can do, and what he can’t
do, and he I think regards us as a partner where some of the statutes, like for
HIPAA and e-prescribing identified as NCVHS as having the lead. If we were
sitting down in the same room with Rob and we were writing the law instead of
Congress we might not have crafted things exactly the same way, but that is the
statute, that’s what we need to work with. So how do we work together, because
we have a very trusting relationship to build on, and what we need to do is
look forward to how do we address the needs of the country in terms of
healthcare. We have in some ways this Stimulus Package gave us resources and
things we didn’t have before, and in other ways it set boundaries that we
didn’t have before. But we have a partner to work with, so these will be worked
out over subsequent months.

MR. REYNOLDS: Let me quote Rob from today, if you were listening very
closely, which I’m trying to do with every word he says so I understand how
we’re playing.

He made the statement with HIPAA it’s pretty clear that you have the
jurisdiction. With e-prescribing you have the jurisdiction, but remember
e-prescribing is part of everything that is being thought of, considered, and
implemented in the NHIN.

We’re in, guys. Let’s decide what “in” is. Let’s decide what we
want to work on. Let’s decide what we want to say. We got a great body of work
already. We have been talking about the NHIN and some of this for a while. We
talked about the NHII a long time ago. As a matter of fact, I will confidently
tell you that Rob touted that quite significantly at the session we were in in

So, let’s go. If we don’t go, shame on us. I’m just telling you, we’re going
to figure out how to make go work, once you tell us what you want to go with.
You can count on that. Let’s go do it. I expect this ought to be fun tomorrow.

(Whereupon, the Committee adjourned at 3:00 p.m.)