[This Transcript is Unedited]
DEPARTMENT OF HEALTH AND HUMAN SERVICES
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
SUBCOMMITTEE ON PRIVACY, CONFIDENTIALITY AND SECURITY
February 25, 2009
Hubert Humphrey Building
200 Independence Avenue SW
CASET Associates, Ltd.
Fairfax, Virginia 22030
Table of Contents
- Call to Order, Welcome
P R O C E E D I N G S (3:15 p.m.)
Call to Order, Welcome
DR. FRANCIS: On behalf of my co-chair, John Houston, and myself, I’d like to welcome you to the Privacy and Security Subcommittee. John unfortunately had a death in the family and is not able to be here, so we are proceeding without his good work, but we’ll try to do our best and report back to him on what’s happened.
I believe what is customary is that we go around and introduce ourselves, and we will begin with that. I’m Leslie Francis, I’m at the University of Utah, and I’m Co-Chair of the Subcommittee on Privacy and Security, and I have no conflicts.
MS. KHAN: Hetty Khan, National Center for Health Statistics.
MS. TRUDEL: Karen Trudel, CMS.
MS. MILAM: Sallie Milam, Healthcare Authority and Health Information Network.
DR. FRANCIS: Sorry, I forgot to say this, but please if you’re a member of the Committee indicate whether you have any possible conflicts.
MS. MILAM: I don’t know that I have any conflicts with this Committee. I mentioned that we’re a NHIN contractor, and if that could be a conflict I’ll put it on the table.
MS. BERNSTEIN: We’re not going to be making any decisions today. Maya Bernstein from the Office of the Assistant Secretary for Planning and Evaluation at HHS, and lead staff to the Subcommittee.
MS. MCANDREW: Susan McAndrew, I am with the Office of Civil Rights on Privacy.
DR. OVERHAGE: Marc Overhage with the Regenstrief Institute, Indiana Health Information Exchange, Committee member, and Subcommittee interloper.
DR. HORNBROOK: Mark Hornbrook, member of the Committee, Kaiser Permanente, and I just heard from Marc that Kaiser is a NHIN subcontractor.
MS. CHAPPER: Amy Chapper, CMS, staff to the Subcommittee.
DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the Subcommittee, no conflicts.
MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield North Carolina, member of the Subcommittee, no conflicts.
MS. JACKSON: Debbie Jackson, staff of the Committee.
MS. JAMISON: Missy Jamison, National Center for Health Statistics.
MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics, CDC, and Executive Secretary to the Committee.
DR. FRANCIS: Okay, so welcome, everybody.
Let me give you just two quick updates. The first is that our pamphlet on the Committee recommendations on Privacy and Confidentiality, the pamphlet that we have enjoyed putting together, is reaching the final production stage, so we’ll have a lovely piece soon to show everyone. Also, Susan Kanaan was very helpful on that.
Secondly, we had reached almost the point of being ready to schedule hearings on personal health records, and thanks to Maya in particular we have a quite superb collection of background materials on PHRs. But there are now slightly, shall we say, and Maya’s mother is having surgery so she’s having to run in and out, there are some slightly, shall we say, more important events that have overtaken our initial plans. Obviously one of those which stopped us actually from having hearings continuously with this Committee was the very wise decision of the Quality group to involve the people that we’ve been interested in hearing from are some of the same sources on the broader topic that we’ll be hearing about tomorrow afternoon, which is, wow, where is health information going in 2.0 and 3.0 and no doubt 4.5, which we’ll be hearing about tomorrow afternoon. And of course is the Recovery Act, and the sections there that are potentially applicable to us.
Our plan with this discussion is to have Sue and Maya bring us up to date on their digest of what might be in it for us, with respect to the Stimulus Package, that is what are the points of entry that we might find perhaps most attractive, and that HHS might find it most attractive for us to move into. Obviously, one of those places is PHRs, but it’s not the only one.
Since Maya had to step out quickly there is a summary that is up there, and there should be a piece of paper, the agenda is in your book actually, it’s basically a discussion. We had sent it in, so it was distributed, yes, by email. Anyway, that’s what we’re going to do.
I am going to turn it over to Sue and to Maya to bring us up to date on Subtitle D of the HITECH Act, the privacy section, and what our potential points of entry might be.
MS. BERNSTEIN: First I just really want to – many of you have, I hope all of you have, there are maybe more copies over there, kind of a preliminary summary marked “draft” that Sue’s office prepared, and I’m very grateful for her allowing us to share it with the Subcommittee so that I didn’t have to do the same thing over. It is a very preliminary summary of the basic provisions of the privacy section of the HITECH Act, which is Subtitle D, and essentially any dates that are relevant to that.
Do you want to just go through them? Okay. So Sue will just go through them for us. Is there anything else you want to say about it?
MS. MCANDREW: I will just preface this by saying I just got back from a vacation in Hawaii, so I’m a little jet-lagged and all of this happened while I was gone. So I was trying to keep up with this and read email attachments of a 300-plus paged Bill.
MS. BERNSTEIN: Allow me to say you were unclear on the concept of vacation.
MS. MCANDREW: I think I have all of this right. Some of this may automatically revert back to the House version of the Bill, which I was much more familiar with as it was going through last year, but I think I’ve got this one now.
We’ll skip over the definitions. Most of them were either relatively innocuous and/or simply referred to how we had defined the term and the regulations anyway.
MS. BERNSTEIN: There are words that are not defined in the section, which might make life interesting for regulators.
MS. MCANDREW: Of course, that’s what they love to do.
The first substantive provision is the 13401, which essentially makes business associates now responsible for adherence to specific provisions in the security rule. These are specified in the law, these are the fundamental must-dos to comply with the security rule. They are in addition to those security rule provisions, this provision makes business associates responsible for compliance with other requirements in the HITECH Act that are placed on covered entities. Then it extends the criminal and civil liabilities for violations, which now just applied to covered entities, to apply directly to business associates for violations of these security provisions, and violations of the HITECH provisions related to security.
There is also a requirement for the issuance of guidance to covered entities on the most effective and appropriate technical safeguards to be used in carrying out their various now security rule compliance efforts. These provisions take effect under the general effective data provisions of the Bill, which is one year after enactment.
MS. GREENBERG: Is the guidance for the business associates or for the covered entities?
MS. MCANDREW: The guidance is essentially for the business associates, but as the rules are now the same for the business associates and the guidance will come from what’s been said to the covered entities.
DR. FRANCIS: It is my understanding that of course our role is advisory, but if we saw anything that we thought was important to give advice about about the types of rulemaking that might be required, or guidance, that could be something we could do.
MS. MCANDREW: I would say definitely with regard to pointing out helpful areas where guidance would be needed. I am suspecting that the regulatory portion of this is going to be relatively straightforward.
DR. FRANCIS: I was meaning to make that as a general point, as it goes through these that those are the kinds of holes that if we saw them.
MS. MCANDREW: I will skip over, if I could, to the counterpart of this provision which is on Page 3, 13404, which essentially does the same thing with respect to privacy, although it does it in a much less elegant manner than the security rule. Provisions were extended to business associates, but this will essentially make business associates liable for privacy violations in the same way that covered entities are today responsible for privacy violations. Right now the interpretation is this will probably be violations with regard to the use and disclosure of information. These provisions do not in effect, as is sometimes characterized, turn business associates into covered entities. It does not do that. And business associates are not required to take on the panoply of all the administrative requirements that we impose on covered entities and can hold covered entities liable for violating. They are very specific on the security side, unfortunately less specific on the privacy side, as to what the standard is that business associates will now be held to and liable for. But clearly uses and disclosures of information in violation of the privacy rule will be a liability directly on business associates.
The privacy provisions in business associates also takes effect twelve months from enactment. Again, makes any new requirements from the HITECH Act that are imposed on covered entities also imposed on business associates for the purposes of this new liability.
MS. BERNSTEIN: Where it says the provisions are effective, does this sort of self-actualizing – these are provisions that don’t require regulations to become effective; is that right?
MS. MCANDREW: That is somewhat of a question, it’s a question in debate, so we’ll have to figure it out.
MS. BERNSTEIN: So I’ll have to figure out whether we get to regulate in certain areas or whether we –
MS. MCANDREW: I think our intent is that we would regulate all of these areas. At least that’s our opening gambit.
DR. SUAREZ: On that point there was an earlier question, something about the issuance of proposed regulations based on this. We had actually an interesting discussion about taking this opportunity to really go inside HIPAA privacy and adjust more things than what exist here, it’s required to be changed.
So it is your expectation that a lot of this stipulations in the Bill in the Recovery Act will mean that there will be a proposed set of rules, and the whole rulemaking process will be established or created or?
MS. MCANDREW: Yes, many of these provisions we will go through notice and comment rulemaking to implement. As we go through them you will see many of them carry a variance on the effective dates of when they are to go into place. We are trying now to align all of those dates and see how they all play out, because I don’t think any of us really want to have 22 rulemakings going on overlapping simultaneously. I don’t think – I mean the provisions of this Bill are different than either we got (?) where the legislation directs to modify the rule to do X, Y, and Z. This has none of that ‘thou shall regulate’ to do this.
At the same time, they don’t modify the Social Security Act where HIPAA went in and was codified, except for the enforcement provisions in 1176 and 1177, that’s the only portion of the existing law that they actually changed. They say that he HIPAA remains in effect, except to the extent that it is changed by any of these provisions, and the regulations shall conform now to these new requirements. So I think the best of all possible worlds is that we get these in regulatory form, the changes in regulatory form by the effective date.
DR. SUAREZ: If I may follow-up with one question. The provision in the Bill states, for example, that the effective date of compliance would be say 12 months after enactment. But by virtue of creating rules and their HIPAA regulations, would there be a conflict in the date compared to what HIPAA allows for compliance with HIPAA regulations?
MS. MCANDREW: Yes, that is one of the issues we’re going to need to work out down the road, is what is the role of the HIPAA compliance date lag time. The Privacy Rule and Privacy Rule amendment, the effective date for those rules were 60 days after publication in the Federal Register. So they have an effective date, but nonetheless, they had the 1 year, 2 year, 3 year run-up before compliance was monitored.
One of the questions on the table is what is the relationship of any regulation to be put out under this authority vis-à-vis that compliance date. We are looking at that.
MS. BERNSTEIN: Sue, can you remind me, I vaguely remember that when HIPAA was passed there is either a prohibition or some kind of limitation on how many times a year we’re actually allowed to amend the rule so that people don’t have to be redoing the standards all the time.
DR. SUAREZ: It’s not a rule, a standard.
MS. BERNSTEIN: A standard can only be amended once a year?
MS. MCANDREW: But the standards include the privacy standards, or do they? They do, right –
DR. SUAREZ: – the privacy standards, there’s 150 standards. So with each standard you cannot change say in the – standard you cannot change 5010 to 5050 to 6010 within one year, it’s each standard that can be changed. At least that’s my understanding.
MS. MCANDREW: This is one of the reasons we also would like to avoid having to stagger these regulations, is it’s much cleaner to be able to go in once and fix it and be done. And then we’ll get our 52,000 comments all at once rather than having it repeated 10 or 15 times.
DR. FRANCIS: Please go on.
MS. MCANDREW: One final thing before we leave business associates, because it was kind of piecemeal throughout the Bill, and that would be to take you over to Page 6, 13408. This now says that an entity that provides – to a covered entity or that requires access on a routine basis for such information, and they use health information exchange organizations as one of the several examples, or that contracts with a covered entity to provide a personal health record, will be a business associate for the purposes here and therefore become subject to the liability imposed by this section on how they use and disclose information, as well as need to comply with the security rule.
DR. FRANCIS: So the import of that is if a covered entity offers a PHR option to patients, that is then a business associate, the PHR vendor becomes a business associate and subject to the liability of a business associate.
MS. MCANDREW: We currently do have guidance out that relates to the fact that if the covered entity itself is offering a personal health record, or if that’s offered through a business associate of the covered entity, then they come within the ambit of the rule. Now, because they are coming within the ambit of the rule that business associate needs to accept the liability for uses and disclosures and security rule violations. There will be discussion, and this might be an area that you all would be interested in getting involved in, and that is exploring how these personal health record relationships evolve with respect to a covered entity, and which warrant being classified as business associates, and which are just some other contractual relationship with the covered entity.
We need to live with this provision for a bit in order to truly understand where it’s going, but this is one of the few places where they have reached out and actually tried to bring in personal health records into this environment, that and the interim breach rules.
DR. FRANCIS: So Paul and then Harry and then Walter.
DR. TANG: When I first read this, and when I first read it many times, I went right with that flow. In other words, if a covered entity hires a – contracts with somebody to provide a PHR for that covered entity, that would be a business, and that made sense. If I look at the words now I could actually allow it to say, because you’re saying basically an entity that provides data transmission of PHI to another agency one can view that entity as a business associate – so we assumed it was a PHR on behalf of the covered entity. You can also read it as creating their own PHR, but getting information from you, a covered entity. An example of that is – Google Health. So Google Health is creating a PHR, or Microsoft Health creating a PHR, and they have gotten data from, gotten electronic transmission of PHI from a covered entity, you could interpret that to say they should be a business associate. Is that?
MS. MCANDREW: I mean we are aware of a lot of arrangements between the stand alone vendors, Google, Microsoft Health, and various providers, and we left ourselves room to be able to look at those relationships on a case by case basis to decide at what point under the current regime they rise to acting on behalf of the covered entity in relation to this service. Clearly, that kind of analysis will need to go on with respect to these particular provisions, as well as however one would have interpreted the current rule, and also in light of the liability that would be associated now with being a business associate for this purpose.
DR. TANG: So is it your office then that renders that interpretation? And if it’s your interpretation, does that have to be put out as an NPRM and get comments and then a final, or – that’s a very specific but it’s actually a very key issue for us.
MS. MCANDREW: I mean certainly we would be issuing whatever definition a business associate would change or remain the same for the purposes of the business associate provisions under this statute.
DR. FRANCIS: As I understand it also pre-rulemaking if we thought that there were kinds of protection that should be in place when, for example, a covered entity puts data out to a PHR vendor in some way or another, whether they’re a business associate, contractor, or in some other way, that’s something we could talk about. That could be an open issue for us to want to explore.
DR. TANG: I guess it’s Walter’s question, I’m looking for the technical answer of this is no longer a rule, this is a law. You may interpret I think that law, and then it’s not really a rule from you it’s an interpretation of the law, and then you’re going to have to prosecute it. Did I get that correctly?
MS. BERNSTEIN: One can issue an interpretation of the law in several forms. Regulation is a form of interpretation of that law. So you can write a regulation that simply parrots back the statute, you can write a regulation that says a little more of what you think the statute meant when they said what they said. Clearly, you can’t do something contrary to the statute.
DR. TANG: But if you interpret it, then you have to put it out as a proposed rule?
MS. BERNSTEIN: If we don’t do an interpretation by regulation, then you are left with guidance, articulation of what you think the statute meant, which is not binding on entities but would be something then that you would essentially argue out on your first enforcement application as this is what the agency’s interpretation of what this provision is.
DR. FRANCIS: We don’t make rules as a federal advisory committee, but what we could do is point to a problem or to something we think the agency should think of as a solution, right?
MS. MCANDREW: Certainly with regard to a provision like this, and it seems to me they had brought in some of the e-prescribing bodies as well in the context of one of the examples of Gateway providers.
MS. BERNSTEIN: I’d like the record to show that Karen Trudel is nodding.
MS. MCANDREW: They had a list of examples of who they meant to cover. This is going to involve conversations with CMS, it’s going to certainly involve conversations with ONC, and to the extent the Committee itself wishes to opine on who they think are the types of entities that should become subject to these definitions, it seems to me that that would be a territory. Certainly with regard to what you learn from your PHR investigations in terms of what kinds of relationships exist between a covered entity or a provider and these vendors that you think clearly make them a business associate, or should make them a business associate, or clearly are not something that warrant making them a business associate, I mean those kinds of factual enrichments of what is otherwise a bare statute would all be helpful I think.
DR. FRANCIS: Harry.
MR. REYNOLDS: One question first. Did Gail Horlick get signed in?
MS. HORLICK: Yes, I’m on the phone, thank you.
MR. REYNOLDS: Oh, you’re welcome.
MS. HORLICK: I was given another call-in number, so sorry to be late.
MR. REYNOLDS: That’s good, I just wanted to make sure we had you.
MS. BERNSTEIN: Why don’t you take a moment to introduce yourself since we haven’t.
MS. HORLICK: This is Gail Horlick, and I’m at CDC in Atlanta. I am staff to this Subcommittee, and no longer able to attend it in person, so I’m glad to be able to participate by phone.
DR. FRANCIS: Welcome, Gail.
Let me just take another second also, because Larry Green joined us and I think didn’t get to introduce himself, and also Walter.
MR. GREEN: I’m Larry Green from Colorado. I’m not a member of this Subcommittee, and I have no conflicts.
MS. BERNSTEIN: But you are a member of the Committee.
MR. GREEN: Of the Committee, oh, yes.
DR. SUAREZ: I’m Walter Suarez, I’m a member of the Subcommittee, and I don’t have any conflicts.
MR. REYNOLDS: So my question. First, I would like to compliment everyone on standing the business associate, I think that’s good. My concern is that the change seems to stop at a health information exchange organization. If you think of the network or networks, and the HIE of the HIE, and everybody that passes stuff around, before when you had a HIPAA covered entity and they had business associates they had to be responsible for the chain, and we also said that in our privacy letter, we said that in our secondary uses, we said that in everything we do.
It seems to me on this 13408, and it may be written differently, I’m just asking, that it stops at the HIE. Well, what if you send my records out of that HIE to somebody else who sends it to somebody else who sends it to somebody else?
Leslie, I guess that’s the kind of thing. We could pull out our earlier recommendations where we talk about that, some kind of responsibility follows the data. And if all we’re going to do is say whatever an HIE does is fine, even though we’ve made them a business associate, I’d like to know – because again you’re still leaving the same covered entities, you didn’t add new covered entities, so you still go on the same food chain. If I’m sending something to an HIE and then it stops there, and they don’t have some responsibility for the downstream, then I feel that as a covered entity I have more liability because of the NHIN than I do under the current environment, because I’m mainly doing this with vendors not that necessarily send it all over the place.
I’m just asking that, again, I’m trying to paraphrase that because our chain has always been extremely important in every document that we’ve done out of NCVHS. So I want to understand if now we’ve taken this hub, like at Union Station down here, so everybody’s fine until we get to Union Station and then whatever train we send it on I’m a little nervous. It just seems to stop, because they’re a business associate. So I would just like some more words.
MS. MCANDREW: In effect there was nothing in this set of amendments that did anything to change the fundamental definition of who’s a covered entity, as Harry points out, and then to change the way that the rule operates with respect to once information is disclosed to an entity that is not covered by the rule there is no statutory liability that follows the information to uncovered entities under this statute, right. There may be other laws that apply to how they may handle data, such as a privacy act responsibility if it comes into the federal –
MR. REYNOLDS: The reason I’m bringing it up is it would appear to strengthen it, but it could inadvertently make people think it’s stronger but it could be weaker.
MS. MCANDREW: I don’t know that it’s weaker, but it certainly –
MR. REYNOLDS: Only by perception, understand –
MS. MCANDREW: By perception –
MR. REYNOLDS: If you added more people as business associates I’m going to say, yeah, everybody’s going to – but now I realize that where it stopped is Union Station. And now it can go out of there in many different ways for many different uses, and I’m still on the hook as a covered entity because I gave them the data.
DR. FRANCIS: This could be an area where we could point out that there is an open problem.
MR. REYNOLDS: We have some recommendations out of secondary uses and out of privacy that says thank you, this is a good move, but still remember anything we can do to have some liability follow the data everywhere it goes is what we’ve been on record as a committee saying all along.
DR. FRANCIS: Walter and then Sallie.
DR. SUAREZ: I guess a comment at this point, I think it actually is strengthened. Before HIE weren’t covered entities.
MR. REYNOLDS: I agree to that point.
DR. SUAREZ: Secondly, if I give data and the covered entities I give data to an HIE, and that now is a business associate, that HIE cannot re-disclose or use or send it out to anybody unless it’s in the contractual agreement that we have. That is the protection that is afforded to business associates. So it is no different now than me giving it to a business associate that processes –
MR. REYNOLDS: But I would say as a covered entity I’m not giving it to them, and the reason I’m not giving it to them is unless they can tell me everywhere they might send it.
DR. SUAREZ: That’s your prerogative.
MR. REYNOLDS: Yes, but that’s not the intent of trying to drive the nationwide health information network and trying to do what we’re doing.
DR. SUAREZ: I was just commenting on that point.
I do have a quick question. I think there are many PHR models out there, of course, but generally speaking to simplify things, there’s two categories. One is the covered entity created PHR, so a health plan, a provider that is covered by HIPAA create a PHR, so that technically will be subject to HIPAA. Then there is the non-covered entity derived PHRs, so the Googles and the other private sectors. What I was trying to figure out is which ones would be outside of the HIPAA, because if I’m a non-covered entity I have two possibilities, I can contract or engage or talk to a provider, a group of providers, and say I need your data for all these patients so let’s come up to a contractual agreement and become a business associate, and then I now have the data for that group of patients, and the patients can access that.
If I never really get data from any covered entity, as many potentially would do in the future, many PHRs, they only depend on the data that the patient puts in it would never be covered really because they don’t have a relationship to any covered entity or business associate relationship.
Then the third one is if a consumer asks that entity to get the data, or the consumer asks the provider to disclose the data to the PHR, is the PHR then required before it receives the data to establish the business associate? Because right now the consumer is telling the provider to disclose it, the provider can disclose it to Joe Smith or to something called PHR, and that’s it, that’s the end of their responsibility. So what’s that relationship that you see there?
MS. MCANDREW: This is essentially what I was mentioning before, is that these new provisions will call for us to begin carefully evaluating not only those scenarios but whatever scenarios evolve from those scenarios that evolve from how the PHR market rolls out, to determine where those relationships rise to the level of a business associate. As you’re saying now certainly there is no business associate relationship if it is just the PHR and the consumer that are having the conversation about the information. Even where the consumer is directing the covered entity to release the information to the PHR, whether that’s done on an authorization basis or through some other permissible disclosure mechanism, the fact that you can permissibly disclose information to X for whatever permissible reason does not see a business associate relationship between the covered entity and to whom they are disclosing the information. Currently that would not require a business associate contract to be written.
Nonetheless, there are these other models where the covered entity and the provider are really becoming much more formally involved with one another in order to facilitate on a larger scale the transfer of information, or even the continuous flow of information between parties. Then you get into some sort of contractual relationship, and it’s those kinds of relationships that are going to have to be looked at very carefully to see are they or are they not business associates.
DR. FRANCIS: I want us to move on so we get a full flavor of –
MS. BERNSTEIN: And maybe it will be in the – if in particular you use the example of a business associate that is a PHR, there are other pieces of the Bill that have definitions of PHR and they are not necessarily clear, not necessarily business associates, and might have to have some – I mean depending on the interpretation might have to have some separate regulation where they are neither a covered entity or neither a business associate. There are separate provisions to deal with just PHR vendors, and depending on how – I mean each of these definitions have ambiguities in them that the Department is going to have to look at very carefully, and depending on how the definitions end up getting played out in the regulations will answer some of those questions. Or those are just things, as you said, we’re going to have to look at. So there are many, many ambiguities in the law that we’re going to have to deal with somehow in regulations, and you’re raising some of them, but know that we don’t have answers. I mean you’re all raising issues about the interpretations of different pieces or different definitions, and these are all the questions we’re going to have to be dealing with.
DR. FRANCIS: And so the real question for us is to think about where we spot the biggest problems that we can help with in terms of giving advice.
So would you go back?
MS. MCANDREW: The next provision is the notification requirements in the case of a security breach. This is going to be on a very fast track. The legislation requires this to be done by interim final rule within 180 days, 6 months, from enactment. This requires essentially the covered entities now notify individuals without unreasonable delay, and certainly within 60 days, of when unsecured protected health information is breached.
It has very specific requirements in it.
DR. OVERHAGE: Is it breached or known to be breached?
MS. MCANDREW: Known to be, or reasonably suspected, whatever.
MS. BERNSTEIN: What counts as unsecured is also interesting.
MR. REYNOLDS: Which number are you on, Sue?
MS. MCANDREW: 13402, bottom of Page 1 over to Page 2. Requires that a business associate who becomes aware of a breach has 60 days to notify the covered entity of that breach. If there is a breach that involves 500 or more individuals there is a requirement that there be a media notification of those kinds of breaches, as well as an immediate notification to the Secretary of those kinds of breaches.
It also requires the Secretary – covered entities must in addition to having immediately reported the big breaches on an annual basis, report all breaches to the Secretary, and the Secretary is required to post breaches on its website.
MS. BERNSTEIN: Or I think list the entities.
MS. MCANDREW: A wall of shame, I don’t know.
MS. BERNSTEIN: Well, there’s some amusing, I think, provisions in this section, the notice that has to be provided to the media if more than 500 individuals are effected, I mean my personal interpretation of this is that we’re doing the media’s job for them because these same 500 individuals would be entitled to individual notice, so what exactly is the purpose of putting it in a major media outlet if we gave them individual notice I have no idea.
DR. TANG: You can’t always contact the 500.
MS. BERNSTEIN: No, but there’s a separate provision saying when you can’t always contact the 500 then you have to do it. This is a separate provision that says any breach that’s over 500 you have to notify a major media outlet. There is just a lot of weird drafting –
MS. MCANDREW: Patterned after the revised California state law. So there’s your expert right there, tell us what all this means.
There is a requirement, this applies to breaches of something that is called unsecured protected health information. There is a sort of definition of what unsecured protected health information, that that really rests on the fact that the Secretary is bound within 60 days of enactment to come up with methodologies and technologies that specify how this information is expected to be protected or secured, and that failure to so protect or secure the information leaves it unsecured, and if there’s a breach as a result of that then all this breach notification is triggered.
MS. BERNSTEIN: But apparently even if you’re using some stronger protection than the Secretary recommended in guidance, or didn’t have a chance yet to update the guidance, you were not protected because you didn’t use something that’s within the Secretary’s guidance. It’s a very odd draft.
MS. MCANDREW: In the absence of the Secretary’s guidance that’s in 60 days, it defaults to some unspecified technology standard developed by some unspecified ANSI accredited standard setting organization. So this is going to be a subject of some research and development. Any ideas?
DR. SUAREZ: This was one area where we can perhaps provide some assistance or guidance or suggestions or recommendations. I was talking to Karen about what they’re calling – it says the Secretary shall issue this guidance no less than 60 days after enactment, so we’re about 45 days before enactment.
Then the other question is, the other point is really it depends on how you draft a guidance whether there’s a very refined – you have to use encryption at 128-bit, or some sort of a very defined specific type of technology, or a range I suppose, it depends on how –
MS. MCANDREW: However, I would also point out this is not limited to electronic information.
DR. SUAREZ: Oh, it’s not?
MS. MCANDREW: No. This applies to any unsecured protected health information, so we also would be looking for the appropriate technology or methodologies to secure paper information.
MS. BERNSTEIN: So actually say I think technology or methodology. Apparently, I don’t know, if the Secretary doesn’t issue guidance we’re going to have to use the anti-standard for shredding, and the anti-standard for –
MS. MCANDREW: Shredding information that you are trying to mail to somebody isn’t going to be helpful.
DR. FRANCIS: We have an hour left, so could I suggest that this question of the definition of unsecured and appropriate guidance about protecting it is certainly an open issue for us.
MS. MCANDREW: It’s an open issue. We just realize the time –
DR. FRANCIS: But it’s a very tight timeline.
MS. MCANDREW: – a calendar that’s operative here.
DR. TANG: Quick question. I thought these were modifications of HIPAA. HIPAA only applies to electronic transactions.
MS. MCANDREW: No, these are not – this is a very peculiarly situated – it is in the security section of the Bill, there is no HIPAA reference directly other than the use of the term “protected health information and covered entities and business associates.” But they don’t amend HIPAA, they don’t point to regulation, and they specifically change language that would have – it usually comes out saying “unencrypted information” and you lose it breach, and they specifically changed that so it was not limited to electronic information.
Can I go on?
DR. FRANCIS: Please.
MS. MCANDREW: The next provision, 13403, will be of interest to this Committee I think. This calls in addition for the Secretary to designate a regional privacy advisor, I guess, guidance, provider. It does require my office to develop and maintain a multifaceted national education initiative to enhance public transparency regarding uses of protected information, and other good things that people need to know about. So I know public education has always been near and dear to the heart of this Committee. There are requirements in the Bill that call for this to be in accessible languages and in accessible form, and at a level of understanding for the public, etcetera. It will be tested from many angles, and the Committee’s assistance is gratefully accepted in terms of what kinds of topics we need to be including within this education program, and methods of reaching people, and technologies to make sure it is understandable. All fodder for your expert advice.
MR. REYNOLDS: We may want to go back to our privacy letters pretty quick, and also secondary uses of health data, which would be a good subject. Because if you are going to talk – one of the things we talked about this morning is the toughest thing is to educate the people on the good things that are going on, and I think Mark Holbrook brought some of that up. Some of the good things that are going on, some of the normal things that are done, as well as the things you would need to be concerned about. So that is reissuing some of that work directly to the Secretary to be forwarded to Sue’s group might not be a bad idea.
DR. FRANCIS: A confidentiality pamphlet might be very timely.
DR. SUAREZ: Just a very quick clarification. Do you think that the focus is exclusively on the public, or does it include providers? In other words, is this directed exclusively to the consumer, or is there a location campaign to be done for providers as well, and others perhaps in the healthcare industry?
MS. MCANDREW: I do think in fact there is a place in this education program for covered entities and others as well as the consumers at large.
MS. BERNSTEIN: I think the language actually specifically mentions that we’re supposed to give help to covered entities and business associates, as well as consumers.
MS. MCANDREW: Right. Making sure it is language appropriate and accessible really I think is more of a consumer issue than a covered entities issue, but the general reach is for business associates and covered entities as well.
DR. FRANCIS: Okay, Sue.
MS. MCANDREW: Quickly then, 13405 contains a number of provisions that largely are just tinkering with the current privacy rule requirements. The first one goes to what we would call requests for a restriction, which right now under current law you have the right to ask for a restriction, but it is not – a covered entity does not have to agree to that, but if they do agree to that then it becomes binding on them to adhere to that restriction.
This makes the covered entities agreement to a restriction mandatory in the case of a consumer asking that a healthcare service that they have paid for out of pocket not be shared with their health plan for payment or healthcare operation purposes. So it is a very narrowly crafted requirement that is different than the current, the covered entity does not need to agree to restrictions.
MS. BERNSTEIN: There are going to be some interesting implementation questions about this section in particular.
DR. SUAREZ: A simple example is if I go to the doctor and pay cash, and I don’t want the health plan, they can request then, now the doctor’s required, not that they can now say well I will consider that request, now they are required to not share that data with the health plan.
MS. MCANDREW: Right. And it still is based on the individual actually asking for that restriction, so it’s not all of these are barred from the get-go from being reported to health plans, it’s just where a request for a restriction is made and cash has been paid.
DR. FRANCIS: Marc.
DR. OVERHAGE: I was going to say, this seems relatively innocuous, and it’s actually very ugly from an implementation standpoint. In part, if you’re a provider, for example, and a pregnancy test is done in your office as part of an evaluation if the patient paid cash for, you cannot use that, at least as we’ve interpreted the statute today, and that’s not our job, you guys get to do that, but we got think ahead, I can’t use that as a contraindication to the drug prescribing choice that I made justification to the health plan as part of a quality improvement process, because that’s a health care operation would be getting back to the health plan. I know that’s not what people were thinking, and I understand the incentive –
MS. MCANDREW: So again some of that might be a conversation with the individual, do you really want this drug.
DR. OVERHAGE: As a provider, yes.
MS. BERNSTEIN: As I said, there are a lot of implementation issues and downstream data use issues that might be associated with this provision that we’ll have to explore.
DR. FRANCIS: Were you going to go on to the other parts of 405?
MS. MCANDREW: Yes. There is also a requirement in there that goes to minimum necessary, and essentially appears to require that the first analysis would be does a limited dataset suffice, and if not, then the regular minimum necessary standard would apply. This provision is effective 12 months from enactment, but sunset when the Secretary issues guidance on what constitutes minimum necessary.
DR. FRANCIS: Could I break in there for a minute? It seems to me that in light of what Deven McGraw, I don’t know if you were here earlier –
MS. ANDREW: No, I missed her.
DR. FRANCIS: – was talking about, about limited datasets and de-identified datasets, and that issues regarding them as well as the recent IOM report on research and HIPAA, this area might be a fertile ground for us to open up. I just wanted to point that out. I don’t know if anyone else agrees with me.
MS. MCANDREW: I certainly believe that there has been a continued request for additional guidance on minimum necessary.
DR. FRANCIS: The question that I actually had is whether we have anything to say about whether the current structure of limited dataset, de-identified data, minimally necessary, and so on, is good. That is an area we could consider. I don’t know if anybody wants to, but I wanted to just point that out that it’s a currently fraught area of discussion.
DR. SUAREZ: Isn’t this incredibly broad? I mean expansion of the concept, I mean normally yes there was a minimum necessary expectation that if I was going to disclose anything – I would just the minimum necessary provision. But now making it a limited dataset, one of the requirements if I recall HIPAA of the limited dataset was to establish a data use agreement with the entity receiving the data.
MS. MCANDREW: Yes.
DR. SUAREZ: So now I have to establish that. I mean before I could use the minimum necessary and disclose the data, for the purpose whatever it was, treatment, payment, operation, but now I have to do a data use agreement if I want a limited dataset or declare that in disclosed limited dataset, even for treatment, payment, or operation.
MS. MCANDREW: Maybe, maybe not. I mean that would be an area that one would have to look at in terms of under this – for the purposes of this provision, and where limited datasets are not currently allowed, is this just a way of defining what the minimum necessary data may be without the necessary contractual obligations that we also imposed on the release of that under the current law.
MS. BERNSTEIN: I think you can assume that the Department will try to interpret the regulations to the extent we have the authority, if we find something is extremely burdensome and doesn’t make sense we’ll try to find a way in our authority not to have that happen. But that’s going to be matters of interpretation, whatever. If we hear from people that this doesn’t make sense, it’s incredibly burdensome, obviously we’re going to listen to that and try to make the regs not impose that burden if we can help it. But then the question is can we help it, how can we help it, what are the options and so forth, we’ll have to explore all those things.
I just wouldn’t be too quick to jump to this is going to make us do X, because we don’t really know, we don’t really know yet.
DR. HORNBROOK: Can I ask a clarification question? Is anybody cross-walking this against the Sentinel network for the FDA? How is the FDA going to get data to keep our drugs safe?
MS. MCANDREW: The FDA currently under Sentinel, I mean they currently would have the authority to do a limited dataset if that’s what they need. They are currently, as far as I understand it under Sentinel, not intending to get identifiable information from the covered entity.
DR. HORNBROOK: Which raises the question, of course, of linking people’s episodes of illness across multiple entities. But that’s probably not with our, I don’t know, is that inside our spectrum of concern? Are we concerned about the health of our patients and how they relate to the safety of the drug system, and the safety of surveillance?
DR. OVERHAGE: Correct me if I’m wrong, but FDA also is public health authority, so they do have that authority under which identifiable data can be made available as well, right?
DR. HORNBROOK: Right.
MS. MCANDREW: Certainly, and to the extent they need identifiable data, and if one went through this analysis one would say limited datasets, no, actually the minimum necessary for this public health relief is identifiable data X. So the out is always there. It’s limited dataset is kind the default minimum necessary under this scheme, near as I can figure. But that doesn’t preclude more data, identifiable data, going because it is the minimum necessary for the purpose for which you’re disclosing it, and is still within the HIPAA commission.
There is an accounting provision. Now, this accounting provision is one of the few that is linked to an electronic health record existence. If you have an electronic health record, and don’t make me go through the implementation dates, you will be required to account to individuals not only for the disclosures you are currently required, but also for your disclosures for treatment payment and healthcare operations.
DR. HORNBROOK: Ouch.
MS. MCANDREW: There you go. Instead of the six years in the current rule for the accounting, this only requires that you go back for three years. This rulemaking is supposed to follow on the adoption of standards by the Secretary that will enable the accounting of TTNO by electronic health records.
There’s also some wiggle language in there in terms of these are disclosures from or involving electronic health records. So if that only covers part of your universe, this may not apply to whatever other records you maintain that aren’t in electronic form or don’t qualify as an electronic health record.
But there is a staggered implementation, depending on whether you currently have an electronic health record that isn’t bought, that the PPO accountability standards are not embodied in, and so you are given extra time to be able to go in and upgrade those records to take into account the new standards. Then the Secretary’s rulemaking is to identify what the minimum set of information is that you need to account for with regard to these new treatment payment and healthcare operation disclosures.
DR. SUAREZ: Was there a fiscal note attached to this? And this might be state lingo, was there a fiscal impact of this assessed during the discussions of the legislation?
MS. MCANDREW: I can only refer you to the back of the Bill where they ask the GAO to provide for an analysis over five years of the impact of these provisions on the healthcare industry.
MS. BERNSTEIN: So five years after the fact we’ll find out.
MS. MCANDREW: There is a provision on the sale, a prohibition on the sale of protected health information with a number of exceptions. And I will say there was an exception, this language has continued to morph, but there are a variety of carve-outs for research and treatments and other activities that may be permissible. The Secretary has the ability through regulations to add other types of examples where some remuneration may be permissible even though it may appear to the sale of PHI.
We had an issue with public health entities who often reimburse covered entities in various ways to help them produce the public health data that’s needed in response to their requests for information. So there was a last minute carve-out to make sure that regardless of how that public health reimbursement comes through that that’s okay.
Then there are two more. The next one is also – this is an electronic access provision, fairly limited. It simply gives the rights, and makes sure there is a right now to receive information in electronic form, to have that information directed to another entity as designated by the individual. Then there is a limit on the cost that can be charged to the individuals for this kind of electronic access that is limited by labor costs. These are all effective 12 months after enactment.
Then in a separate section, although of the same ilk, they have a provision about restricting communications for marketing. There again, with a number of exceptions, an entity that is now paid for a communication, even if it falls currently in what our definition would say is not marketing, as treatment related, or it has to do with an alternative therapy or an alternative setting, if there is payment for that then that is now marketing and can only be communicated after you receive the individual specific authorizations that permits you to make that communication.
There was a prohibition on fundraising, which has been softened in this final legislation to simply I think reiterate and make more prominent the requirements in the current rule that individuals need to be provided with an opt-out of any future fund raising solicitations.
Those are the fundamental changes to the privacy provisions. If there is any additional comment?
MS. BERNSTEIN: There is this little section of interest the Subcommittee is particularly interested in PHRs, that relates to PHR vendors, as I was sort of mentioning before.
Oh, I thought you were done, sorry.
MS. MCANDREW: I’ll get to that. Just in terms of the substantive rule type changes.
DR. SUAREZ: Can I make one quick point? On 13408, Page 6 at the top, just want to clarify or confirm, the third part of the statement provides that any entity that provides data transmission of PHI becomes a business associate. It would be very important to clarify that it’s not just anybody that does data transmission, Verizon and all these companies that people use to do data transmission are not what the subject of this is, correct? I mean there’s a statement after that, and that requires access on a routine basis for transmission.
MS. MCANDREW: Right. So, again, those were all going to be areas of exploration and interpretation about who is in and who is out. We currently do some of that in terms of who needs to be a business associate and where you are simply a conduit of information, and you don’t have to have a business associate agreement to deliver the mail.
DR. FRANCIS: 13407, were you going to comment on that, or was Maya going to comment? Go ahead.
DR. TANG: One question on disclosure, which hopefully would – the disclosure would it says through an EHR, so I’m assuming that it only applies to EHR to EHR disclosures, which we could have an audit – I mean we could have –
MS. MCANDREW: This is for the accounting?
DR. TANG: Yes.
MS. MCANDREW: Okay.
DR. TANG: Versus storing EHR, typically now because they aren’t interoperable. If a patient wants information will print it out the EHR, and would we have to account for that, which is a lot harder for us to do?
MS. MCANDREW: I mean we will be looking at all that language.
MS. BERNSTEIN: I would think if it answers the specific questions on whether the rule covers this or that particular scenario, yes. Also remember this document is merely somebody’s paraphrase summary of what the actual statutory language is, so while it may or may not be entirely precise with respect to exactly what the statute says or the definitions and so forth. So when you read this document it is just supposed to give us a flavor of what the kinds of topics are that are covered and when they’re due, and so forth, and not to really –
DR. TANG: No, what I read that wasn’t –
MS. BERNSTEIN: You know that legislatively, okay.
MS. MCANDREW: 13407 is a parallel set of breach notification requirements that apply to non-covered entities and non-business associates. This is specifically directed to unsecured, as that may be defined, protected health information that is in a personal health record. So this applies not only to personal health record vendors, but various other people that ride along with vendors, third party service providers and things like that.
These entities, the breach notification requirements are quite similar and are drawn from those that apply to covered entities and business associates. But the enforcement mechanism is not through HHS, but is given to the FTC. These are called interim. They are not directly linked in this version, although they were earlier, to another part of the Bill that gives HHS and FTC a year I believe to study the best way of holding these kinds of currently uncovered entities accountable not only for breach notification but also for the general uses and disclosures of information that they received pursuant to their personal health record business, and to report back to Congress as to the best way of regulating and enforcing those regulations, with respect to these entities.
In the meantime, the breaches of information by these personal health records, from these personal health records, are to be reported to the FTC. The FTC will report to the Secretary.
DR. FRANCIS: It seems to me one of the really interesting open areas is the way PHRs are evolving. The definition of PHR identifiable health information, includes information, as I understand it, is not just information provided by but also provided for or on behalf of an individual.
So the old idea of a PHR as something that the only information that goes into it is the information I put in there, is very fluid, it’s not accurate anymore. So possibly something we could do. I’m just trying to probe about whether if we were going to proceed on some of the thoughts we had about PHRs, part of what we could do would be to look at the various kinds of information flows that are coming into and going out of PHRs with a question then to be what might be some of the important issues for those reports to address.
Is that a fair way of stating it? I mean I’m going beyond 13407 to the other parts of the statute that reference PHRs.
MS. MCANDREW: I certainly think it would be worth your time and the investment of your expertise in terms of working with vendors in the marketplace about where this business is going, what kinds of activities should bring them into a regulatory environment, what kinds of things should be left out, what kind of enforcement mechanism is both protective of the consumers as well as amenable to the industry.
MS. BERNSTEIN: Just can I interrupt, because we’re getting very close to running out of time.
DR. FRANCIS: We have until 5:30.
MS. BERNSTEIN: We do?
DR. FRANCIS: That’s what it says.
MS. BERNSTEIN: Okay, never mind.
DR. FRANCIS: That’s what I was planning on.
MS. MCANDREW: Most of the rest of this now gets into there are improved enforcement provisions that, one, there’s a clarification that will make it easier for DOJ to bring criminal actions against individuals essentially directed to individual employees. Probably not too much of a major change other than the DOJ doesn’t have to run around and do aiding and abetting and other kinds of get-arounds to the criminal sanctions only applies to covered entities ruling that we got earlier from the DOJ.
There is a provision that clarifies that employees as individuals can be prosecuted for HIPAA violations. Then there are other ways of improving the enforcement. One gives OCR the ability now to civilly enforce in the area of impermissible disclosures. We are only barred from pursuing civilly those cases where DOJ has actually taken the case and imposed a criminal penalty. So there is no double sanctioning, but we can now civilly sanction an impermissible disclosure directly.
MS. BERNSTEIN: It used to be they had jurisdiction even if they declined to prosecute the case we still can’t do anything about it.
MS. MCANDREW: Right.
MS. BERNSTEIN: That always seemed to me strange since the kinds of cases you’re likely to refer to DOJ for criminal sanctions are likely to be the most serious violations, and yet we aren’t allowed to touch them civilly if there’s jurisdiction over there.
MS. MCANDREW: Not only the most serious cases, but also I mean even for the minor uses and disclosures, impermissible uses and disclosures, there was no civil penalty.
MS. BERNSTEIN: We had to go around the barn in terms of charging lack of training, lack of supervision, no policies and procedures, but it was always when the disclosure is there looking at you in the face. So now basically if they decline to prosecute we can go after them.
MS. MCANDREW: If they decline to prosecute, or even if they, yes, okay, we now have that authority.
And then there is a general provision that now will permit OCR to retain the funds that we received from either the imposition of the civil monetary penalty or the settlement agreement.
MS. BERNSTEIN: So that explains last week’s press release. No, no, it’s not actually covered by this. MS.
MS. MCANDREW: The monies are to be plowed back into enforcement activities.
There is also a provision for GAO to study and recommend to us how a share of those funds could be shared with individuals who had been harmed by the HIPAA violation. Then following that GAO recommendation, we have a three years from enactments to regulate how those funds could be shared back with harmed individuals.
Again, this is an area that is of interest to the Committee. I am not immediately aware of any kind of precedent that GAO would rely upon, or that we would rely upon, in terms in figuring out the best way to divvy up funds, because the fining formulas are not at all related to the harm to the individual. So it’s an interesting idea.
In terms of the fines there are now a much greater opportunity to collect monies. Right now we are limited to $100 per violation, up to $25,000 per calendar year per similar violation. That now becomes the floor or the lowest fine that is available, and that would be applied to cases where the covered entity did not know and had no reason to know that they were violating the rule. Even in those cases we do have authority to go all the way up to the maximum penalty which is $50,000 per violation, and $1.5 million per calendar year for that same violation.
The second tier of penalties is where there is reasonable cause, but not willful neglect.
The third category then is where there is willful neglect, but you have corrected the action.
And the final category is where there has been willful neglect that led to the violation, and there has been no effective corrective action. In those cases, the most egregious cases, they are subject at a minimum to the $50,000 per violation up to $1.5 million. In those intermediate steps there are other levels of minimum fines, and minimum calendar year fines that can be imposed. So there is encouragement to bring more serious actions, and more monies that can be imposed for violations.
Also they gave authority to states attorney general to bring actions under HIPAA. The monies that they can collect in damages are limited to the original HIPAA amounts of $100 per violation, up to $25,000. They are also ousted of jurisdiction if there is federal activity with respect to that case.
MS. BERNSTEIN: Jodi Daniel mentioned this this morning in her briefing as well, just briefly mentioned we will have to do some work to figure out how to ensure or limit the possibility that there will be 50 different interpretations of enforcement by 50 different AGs and so forth, it could be complicated.
MS. MCANDREW: The Secretary does have the right to intervene in these cases where we decide not to oust them of jurisdiction. So that will provide some control. We are required to be notified of whenever they want to bring one of these actions. So we have an opportunity to weigh in on the merits.
There is a requirement which is the Secretary provides now for a period audit. This is separate from the enforcement scheme, so these are not subject to the penalty structure.
MS. BERNSTEIN: They’re also not subject to be paid for. I mean that could be an expensive undertaking to do that kind of thing.
MS. MCANDREW: Right now it’s also not even clear if OCR will be doing the audit.
There are the standards relationships to other laws, for those who don’t like the current preemption, sorry, still there, state law, more stringent state law continues to live despite the HITECH Act.
There are a number of studies and reports and guidance. I would just point out I think you already mentioned the consultation with the FTC on these non-covered entities and what to do with them going forward.
We are required to carry through on the de-identification theme from today. We have a one-year target date for guidance on de-identification, so that is an area where there has been a lot of work of late, and it is a constant thorn in everybody’s side. So whatever advice you would care to give on that would be all welcome.
We also have to revisit psychotherapy notes. There again I don’t have a lot of background on this particular provision, it just kind of emerged on the Senate side and in this most recent rounds.
DR. FRANCIS: What’s the psychotherapy notes, that basically it’s HHS is required to study the definition of psychotherapy notes.
MS. MCANDREW: To see if there is more types of information that ought to be put on the this is a psychotherapy note side of the ledger.
MS. BERNSTEIN: There was a provision added in the Senate bill that added language that said that in addition to psychotherapy notes information that’s involving test data would also be in that category that psychotherapists could segregate, and therefore if they properly segregate as the law requires could withhold it from the patient on request. This got changed to study this matter.
MS. MCANDREW: Then there’s the Controller General will be reporting on best practices for the disclosure for treatment purposes, and the GAO on the impact of the act on insurance premiums, overall healthcare costs, adoption of EHRs, and the reduction of medical errors.
DR. SUAREZ: There’s a de-identification guidance on how to best implement the requirements for de-identification?
MS. BERNSTEIN: Well, that’s HHS guidance, by the Controller General that’s the head of GAO to provide guidance on costs and so forth, right there, Congressional oversight agency.
DR. SUAREZ: Oh, okay.
DR. FRANCIS: Perhaps what I guess the other thing that I should mention is that when Rob Kolodner and Jodi Daniel were here earlier today they were welcoming coordination with us and anything that we thought we wanted to weigh into with respect, for example, to the broad privacy framework, and what might go on in the privacy framework as a national interoperable health IT goes forward also. Which we had previously had recommendations with respect to, for example, sensitive health information, and we considered going further on that. So it occurs to me that those are the – that’s the thing I would want to put on the table of what’s been under our purview earlier on.
What I would like to do now is we’ve got 25 minutes, and what I would like the product of today to be would be a recommendation for what we want to focus our freestanding hearing on between that would occur sometime probably in late April, early May, with then a fire-up one side or other of the full committee hearing. I think it’s fair to say we get one or two days of hearings in the next little while.
So I’d like to have us get to closure on whether we want to move forward on the PHR, what territory we formulated or whether there are other areas that should also be high on our agenda. The floor is open.
MS. GREENBERG: At one point hadn’t you actually agreed on some dates in March?
DR. FRANCIS: We had originally planned, we originally asked for one side or the other of this, or thought of some dates in March. Because of the way this meeting got restructured we weren’t in a position to be able to actually schedule hearings. We have no dates. And John isn’t here.
MS. GREENBERG: Okay, so March is very unlikely.
DR. FRANCIS: No. I think it’s got to be either the early part of May, very late April or the early part of May, or one side or the other of the full committee meeting in June. My own view is that we have to do something before then if we’re going to be doing anything meaningful. We have to get started before the full committee meeting.
MS. BERNSTEIN: As I understand we’re entitled, entitled is a strong word, to budget –
MS. GREENBERG: We can support the budget right now –
MS. BERNSTEIN: Support both of those meetings –
MS. GREENBERG: Can support you being on either end of the June meeting, and also a stand alone meeting.
DR. FRANCIS: Right, that was our understanding. So the question I –
MS. BERNSTEIN: For the entire year or just for this –
MS. GREENBERG: For this fiscal year.
MS. BERNSTEIN: For the whole fiscal year we get two hearings?
MS. GREENBERG: The budget will support each subcommittee having on stand-alone and – unless we get the budget changes.
MS. BERNSTEIN: Okay, thank you.
MS. GREENBERG: And then each subcommittee gets one. Although in this case now, I mean there’s a day before and sometimes there’s a day after, so that could – I don’t mean for one subcommittee, but –
MS. BERNSTEIN: Difficult for the June –
MS. GREENBERG: Like the Populations Subcommittee used the day after, or half a day after the November meeting, and they’re also using a half a day after this meeting. There may be an opportunity for piggybacking more than one time.
DR. FRANCIS: Right. John and I had thought, and we haven’t had an opportunity to converse in the last three days because of his family emergency, but we were looking to scheduling a freestanding hearing between now and the next full committee meeting on the theory that that is really crucial to get us going. And we pretty well had sketched out what a PHR hearing would look like. So we could move forward with that, reformulated in light of the new questions that are on the table with the Stimulus Package.
MS. GREENBERG: If I could just comment that although this seems kind of Draconian maybe, it’s already March essentially, and this is through the fiscal year which ends September. I would say if there is really a compelling reason for you to have more than one stand-alone meeting, that may be related to somebody as Jim likes to refer to them, what did he call it, a client, refer to a client really, and then there could be other resources, you never know.
MR. REYNOLDS: We’ve got a client sitting behind a microphone over there.
MS. GREENBERG: I didn’t want to ask that potential client.
Thank you, Sue, for your going over all this.
If there was anything in what you all have to do, and it looks like you or the Department at least has their hands full here with all sorts of regulations and guidances and everything else, but that you would find testimony or I mean a hearing useful for it.
Obviously, I think the subcommittee would be available to review documents to pull together the stuff the subcommittee has already done and how it relates to education and all of that. But that doesn’t require a hearing.
DR. FRANCIS: No, that’s easy to do.
MS. GREENBERG: Are there areas where you feel you would really benefit from the subcommittee reaching out to stakeholders or whatever?
MS. MCANDREW: I think as we talked earlier, expert testimony on where these PHR relationships are headed would be very helpful in sorting out how to reasonably apply these new business associate definitions and requirements.
I’m not sure testimony, but certainly knowing your interests in the public education piece would be useful, and I think moreso than simply dusting off old recommendations which we do regularly.
MS. GREENBERG: Which you can dust off also.
MS. MCANDREW: We can dust them. And I would think de-identification might be a third area where there is emerging a lot of new information, or at least people are looking into it much more systemically than in the past. And if there is more technical experts that can be tapped into in terms of where do we go from here, are we in a reasonable place, I think there is time also to make use of that kind of testimony.
MR. REYNOLDS: I think you can also pull into that Walter brought up those couple other definitions about HITSP standards. I’m saying Sue’s talking about de-identified, but if there are other definitions out there and we’re talking about educating the public, we’re going to have to educate them on all those definitions because anybody they’re working with may pick a definition and say that’s how I’m doing business, and now that person gets.
MS. MCANDREW: I assume that there are now – I mean there are lots of other terms out there, pseudo-anonymized data, anonymized data, anonymous data.
DR. SUAREZ: Those are the terms that we use in the construct that we build at HITSP, and they are actually now recognized by the Secretary.
MS. MCANDREW: To the extent that, you know, there’s drilling down, there are ways of amplifying those definitions, exploring is that definition really better than this de-identified safe harbor that we came up with, do we move off of that to something else entirely, I mean there’s room for lots of –
MR. REYNOLDS: I think it’s more been defined as a continuum. Some people use de-identified, and then they use these different things based on what they’re – so back to the idea of limited or minimum necessary, or more appropriate amount, whatever that number is, was what that continuum shows. So you need more than one definition, not just the one that’s there now.
MS. BERNSTEIN: On the de-identification issue, I’m always wanting to ask among the possible tasks this committee could take on, or the subcommittee could take on, since it has limited time and resources, whether the makeup of this committee or the particular expertise that we have assembled is the expertise that we need to apply to that particular problem, on de-identification whether there are other people who are already working on that that will be helpful to the Department. So we don’t need to do it, or is there something in that area that we can add that is not being covered somewhere else where it will be useful, as opposed to other possible topics.
DR. FRANCIS: What we don’t have, it seems to me, is at least what I don’t bring to the table, and I’ll speak only for myself on this point, is the technical mathematical expertise. On the other hand, what we might be able to think about is whether the kinds of concerns that people might have, what counts as a harm or a risk, that’s something we have expertise about, that is something that came up in the discussion with Deven earlier today. The other thing that came up in the discussion is whether necessary is the concept that makes sense, or whether in fact it makes sense to think about different kinds of uses that going back to the secondary uses, I mean whether public health uses look different from research uses, look different from quality improvement and so on. I mean those are on the table. I think those are the things where we’re fine on. It’s the technical mathematical stuff, how easy it is to re-identify, what’s the probability, and so on.
I don’t know, maybe there’s somebody here who would feel competent on that score. I certainly don’t.
MR. REYNOLDS: Does that matter anymore?
DR. FRANCIS: I mean maybe it doesn’t.
MR. REYNOLDS: I’m talking about the definitions they have already worked out.
DR. SUAREZ: There are three things there. One is the policy decision to do anonymization or pseudo-anonymization. There is a mathematical approach to it. And then there is a standard of the data elements that will be taken into account for that. So there is –
MS. BERNSTEIN: What was the first of those three points you made, Walter?
DR. SUAREZ: The first one is a policy issue, the decision that it is required to do full anonymization or pseudo-anonymization, or whatever. Then the other one is the mathematical approach to it. Then there is the technical standard itself, the data element.
DR. FRANCIS: Paul had a hand up.
DR. TANG: As far as trying to decide where we should go, there are a couple of sort of overarching themes. One is for this Committee, Subcommittee and this Committee, which is we want to promote the free and secure exchange of data for the benefit of the patient and the population. The other is we have this emerging concept, and I don’t know whether we’re changing it as a result of the Recovery Act, but to look at the person-centered health in novel ways of getting at information that would benefit the individual and the population.
If you intersect those, it seems like in order to safely encourage an individual to share their information, we need to worry about all things that could harm that individual unintentionally. And it looks like with the addition of the provisions in the Recovery Act, it still leaves open one of the areas that we have been concerned about, which is the uncovered PHR vendor, and the downstream, the continued downstream passage of that data. With respect to de-identification, we’re only getting more dangerous I think, from a harm based on data point of view.
It seems like that would be one avenue to continue to pursue. I heard Sue, it was probably one of the clearest requests from Sue, it’s clearly one of the things that is most uncovered in the Recovery Act, and it’s front and center with our how do we get innovative information ways of using information that provides value to the patient and the population, the consumer and the populations.
MS. BERNSTEIN: Are you suggesting we dig down further on the previous recommendation that we made about the coverage or protections following the data?
DR. TANG: The data particularly as volunteered by the individual.
And as far as the de-identification, I think we have a group that dug in very deeply into the de-identification, it seems like we want to look at that report and not redo that, perhaps even collaborate with that group to come up with additional policy related recommendations that could go back to Sue and others.
Does that make any sense?
DR. FRANCIS: You put a one-two in the same way I would have. I really want to test that around the Committee.
DR. SUAREZ: There are a few other things that you all have heard of HISPC, the Health Information Security and Privacy Collaborative. They are the project that is at the stale end of the third phase of the three and a half year evolution. The national conference of that group actually is next week, and we’re going to be hearing from the seven collaboratives.
I think there’s a lot of areas that come out of that, a series of recommendations around consent issues, for example, around security, standards. And something that relates to one very immediate element, which is the definition of what constitutes the technology and methodology to assure and secure PHI, or secure PHI as well, which are some specific guidance that CMS has to come out, I suppose it will be CMS, that would have to come out within 60 days right away of the enactment of this Bill.
There is a series of other areas that I think – so we have the PHR topic to deal with, we have the de-identification topic to deal with, we have a series of other areas that I think it would be pertinent for us to help or assist with, like the guidance of minimum necessary and that kind of disclosure.
We have the security standard, which I don’t think this Committee has delved into too much into security. Then we have the HISPC recommendations.
I think we are probably narrowing things down into about five or so topics that we can do.
DR. FRANCIS: There’s going to be a security FACA, and there is going to be a, quote, “policy FACA.”
DR. SUAREZ: No, not a security, it’s a standards.
DR. FRANCIS: Standards, I’m sorry, you’re right. But it’s not clear where the policy meets privacy.
DR. TANG: The policy actually gets most of the stuff, including privacy and security, and in fact standards, the gap, the HIT standards just gets to recommend standards. So really the heavyweight is the HIT policy.
MS. GREENBERG: And the curious thing there that I hadn’t put two and two together, because it just seemed to me that this new eHealth Collaborative –
DR. SUAREZ: The National eHealth Collaborative.
MS. GREENBERG: Yes. It might be a logical group to evolve into the policy group, but then the membership of the policy group FACA committee is bizarre really, but it’s – with most of the members being named by the Controller General.
DR. TANG: Who knows how that is usually done? Is it on the recommendation of let’s say HHS, or how is that handled?
MS. BERNSTEIN: That’s weird, because the Controller General is the Congressional agency, is the head of the Congressional agency, and there is a separation of powers issue really. We can make recommendations certainly to the Congress, and when we do we probably could make recommendations to the Controller, but he doesn’t – for our Committee, for example, the typical FACA, you have a couple people who are Congressional representatives –
MS. GREENBERG: We’ve had a vacancy for three years.
MS. BERNSTEIN: Also typical. If you have a Congressional appointment then it’s depending on the nature of the committee and the particular interest of the – I mean the one interesting thing about this committee I think is it’s actually supposed to be appointed by the President Pro Tem, which is odd, as opposed to the leadership, as opposed to the Majority Leader or the Speaker of the House.
Then some of our members are nominated or appointed by the Secretary, and there’s some combination. Right. And often there’s some combination like that. Sometimes they have if there are partisan issues, sometimes they have different parties do it, depending on how the FACA is set up.
I don’t recall one where we’ve had the Controller General appointing people. I don’t know if Sue –
DR. FRANCIS: The point about thinking about this is I thought we were urged this morning to really think of what mattered most for us and where we thought we could contribute expertise, and we go with it, and the new FACAs that come along can be benefited by what we’ve done. And perhaps what they end up doing is shaped by, I mean as the ways as each get adjusted, shaped by where we’ve come into play.
MS. BERNSTEIN: Can I just add one thing to think about in the back of your mind, is the timing. The Committee, we the Committee can only make recommendations to the Secretary when the whole Committee votes on them, and we only meet so many times a year.
MS. GREENBERG: Others can do that through teleconference, if necessary.
MS. BERNSTEIN: Okay. We have possibilities. But in particular the example that Walter was giving where the Secretary was required to put out guidance in 60 days from enactment, whether that will actually happen. I mean it turns out that occasionally, you might be shocked to know, statutory deadlines get missed. I’m not suggesting we’re planning to miss this one, but it does happen. Yes, shocked, the gambling that’s going on in the Department.
But the point is that how effective can the Subcommittee be in getting its thoughts, its recommendations into that process, or even into a process where we have 180 day deadline. We should be thinking about that, and maybe thinking about if the Subcommittee or the Committee wants, as Marjorie suggested, to change a little bit about how we actually do our work, if we do more by phone because we have a deadline.
We did last year, two years ago, work on a very tight schedule to do the – I mean we met regularly and met on the phone, and we cranked out something – but it took a big commitment of time, people really set aside time to do that, and I don’t think just realistically we can work that way all the time. We can do that kind of on a special basis, and this might be, but we should think about the resources that we have and how fast we have to move, and when the timing of when our recommendations could be most helpful for the Department in the back of your mind.
DR. FRANCIS: I would appreciate any guidance you would have, either you or Sue or Marjorie or Deven or anyone else in the Department, about is we are to take on the PHR area in the way we’ve been framing it here, and have a hearing sometime about what the data flows are looking like and so on with the relevant expert testimony, sometime in between now and the next full committee hearing we could begin to have something that looks like an account of the territory that these PHR recommendations are going to have to deal with. We could be beginning to get worked up by the next full committee meeting, and that’s what I was envisioning.
MS. GREENBERG: It seems to me it would be useful, and not too late.
DR. FRANCIS: Is everybody happy with that? I also think –
DR. SUAREZ: So you’re saying right now our top priority is PHR?
DR. FRANCIS: Yes.
DR. SUAREZ: Even though there are other things that might come to –
DR. FRANCIS: For a hearing. Our next priority is de-identification issue, Paul and I have the same view. I’m not sure John would share that view, he’s not too interested in de-identification, I know that. But I think he would with PHRs, he’s on board with that. And I think we all agreed that playing an educational role is crucial, including things like what our understanding is of what consumers don’t understand and need to understand. That goes back to the consent point that Walter raised actually.
DR. TANG: So our goal for the PHR really has to be in time so the Secretary, if they’re going to fulfill the need, that report is due out in one year. So in theory we should be in time for that in eight months or something.
DR. FRANCIS: Yes, we got to get moving. I was assuming a timeframe in which we did the hearings, had some preliminary information to report, and filled the gap in the June meeting, and finalized something in the September meeting.
DR. TANG: That doesn’t give the Secretary much time.
MS. GREENBERG: That’s one year from the end of February?
DR. TANG: From enactment.
DR. FRANCIS: So I was thinking we would have stuff off our plate from the full committee in September. That’s six months, maybe sooner.
MS. GREENBERG: Yes, that makes sense. The thing is I would encourage you if you can sort of preview what would be in the report in June and it rises to a higher priority than –
DR. TANG: Who’s our main contact? Would you be our main contact for the report in one year about non-covered entities?
MS. MCANDREW: What do you mean by main contact?
DR. TANG: Well, the Secretary has to write a report within one year. Will OCR essentially be our main contact?
MS. GREENBERG: Will ONC be writing it, or it’s not decided.
DR. FRANCIS: Jodi left us an open invitation to be in an ongoing conversation with her off line.
MS. MCANDREW: I mean it is a requirement for the Department, not necessarily to OCR, and because it does deal with what to do with uncovered entities, I mean that leaves lots of room for other people to take the lead. I mean that has not been decided as to who will be in the lead, so that’s to report to Congress.
MS. BERNSTEIN: Right. And you can imagine there’s a multi-agency representation group of people who are dealing with the privacy provisions. It’s not OCR or ONC –
MS. GREENBERG: – people who will be connected.
DR. FRANCIS: We will follow up on the education, get going on the PHRs, and expect a call around Jeanine very shortly on dates that might work.
DR. SUAREZ: A couple of other points. I think it would be helpful, it sounds like our main focus is going to be PHRs, and I think we need to expand the scope to cover more than just one issue in a year. I think we should consider doing a hearing, a one-day hearing, maybe half day on de-identification, half day on minimal necessary.
There are other two issues that I don’t know where they fall, but one is the sensitive health information, the issue around sensitive health information. That continues to be a major issue. It is one of the major concerns of this HISPC project, which is 42 states. So that is another issue. And the last one is around privacy in health information exchanges, and how that is going to be playing out. I mean I think that is one of the guidance areas that we can get together a group of HIE representatives and talk about some of the approaches and make some recommendations. That’s another possibility.
MS. BERNSTEIN: Sallie and I are actually giving a presentation on that very topic at the International Association of Privacy Professionals next month in D.C.
DR. FRANCIS: We’re not going to lose that because actually some of that is going to come up under the question of sensitive health information is presumably going to come up when we talk about PHRs. That was part of what was going to be on the table with PHRs, as we were envisioning it, sensitive, sure, but that can be a start.
But you’re absolutely right about health information exchanges. And it is actually there that I was thinking about digging down underneath what Jodi was talking about earlier today with respect to the privacy framework. I mean there is, for example, not much at all, in fact I don’t recall anything about sensitive health information. The discussion about individual control basically just says there are other values too, it doesn’t dig down about how they’re going to be weighed in cases of sensitive information and so on.
That was the kind of thing at least I was thinking about that we might want to be working on too.
MS. BERNSTEIN: And I think the issues for PHRs will actually be very similar to the issues for EHRs on things like sensitive information. I mean you’re not likely to have a different approach for one then the other, for example. So it’s very likely those kinds of things will come up.
DR. SUAREZ: I just don’t want to overshadow the sensitive health information issue under the umbrella of just PHRs.
DR. FRANCIS: No. You’re absolutely right, and thank you.
MS. GREENBERG: I mean the conflict in a sense is that this Recovery Bill focuses much, much more on electronic health records than personal health records. So on the one hand you could say there’s more space for us in personal health records, but on the other hand you could say there’s much more relevance right now to the current policy situation in the Recovery Act in electronic health records, in policies that are relevant to electronic health records. But I do think there’s a lot of overlap there.
MR. REYNOLDS: But I think we have been spending a lot of time in the whole NHIN for a while. I still think a lot of our recommendations, a lot of them show up already you can see in some of the stuff. But I think a lot of money and a lot of effort is going to be spent by whatever these committees are to dive straight to that light. Wow, there’s another big light that nobody’s going to be diving at, which is PHRs and some other stuff.
MS. GREENBERG: I would think in terms of two days for your stand-alone meeting, because you’re talking about other topics, and also I mean the big expense is bringing people in.
MR. REYNOLDS: One other thing, with the way things are happening so fast, if we break them into half days, yes we’ll cover more subjects, but will be have actionable capability.
Because I think the point is if we’re going to try and stay in the game we got to pick subjects that whatever period of time we have a hearing we have actions that we can do out of it. Not that we need to have a succession of 14 half days, or 6 half days, and then by the time we just went right past. So being very purposeful on what we would want the deliverable out of that to be, and then drive to that, I think makes sense.
DR. FRANCIS: We’re looking for two full days the last week of April or the first week in May. Thank you everyone, we’re adjourned.
MS. BERNSTEIN: And thank you very much to the staff for staying a few minutes later. We really appreciate that.
DR. FRANCIS: Thank you.
(Whereupon, the Subcommittee adjourned at )