[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

SUBCOMMITTEE ON PRIVACY AND CONFIDENTIALITY

January 23, 2007

National Center for Health Statistics
Hyattsville, Maryland

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703)352-0091

List of Participants:

  • Mark A. Rothstein, J.D., Chairman
  • Simon P. Cohen, M.D.
  • John P. Houston, J.D.
  • Leslie Francis, Ph.D.
  • Paul C. Tang, M.D.
  • Harry Reynolds
  • Maya Bernstein, J.D.
  • Gail Horlick, MSW
  • Sarah Wattenberg

P R O C E E D I N G S (9:15 a.m.)

Agenda Item: Introductions and Opening Remarks

DR. ROTHSTEIN: Good morning, everyone. My name is Mark Rothstein. I am the
Director of the Institute for Bioethics, Health Policy and Law at the
University of Louisville School of Medicine, and Chair of the Subcommittee on
Privacy and Confidentiality of the National Committee on Vital and Health
Statistics. The NCVHS is a federal advisory committee consisting of private
citizens that makes recommendations to the Secretary of HHS on health
information policy.

On behalf of the members of the subcommittee and its wonderful staff, I
want to welcome you to today’s hearing, which is titled Privacy Protections for
Medical Records of Non-Covered Entities. We are being broadcast live over the
Internet, and I want to welcome our Internet listeners as well. We also have
several people who are with us on the telephone, and we will hear from them
shortly.

As is customary at our hearings, we begin with introductions of the members
of the subcommittee, staff, witnesses and guests. At this time I would invite
subcommittee members to disclose any conflicts of interest they might have.

I will begin by noting that I have no conflicts of interest, but before
proceeding to the rest of the introductions, I want to welcome the newest
member of the subcommittee who is with us by telephone this morning. That is
Leslie Pickering Francis. Dr. Francis is chair of the Department of Philosophy
and a professor of law at the University of Utah. She is one of the nation’s
leading experts on ethical and legal issues surrounding health privacy. She has
served on health IT advisory committees in Utah. The members of the
subcommittee may recall that she testified before the subcommittee at our
hearing in San Francisco in 2005. So I want to especially welcome Leslie.

Now I will take the opportunity to get the rest of the introductions.

(Whereupon, introductions were performed.)

DR. ROTHSTEIN: Thank you, and welcome to everyone. This afternoon from 2:30
to 2:45, members of the public may testify for up to five minutes on issues
relating to the topic of today’s hearing. If you want to testify, please sign
up at the registration table.

Witnesses have been asked to limit their initial remarks to 15 minutes.
After all the witnesses on a panel have testified, we will have a time for
questions for all members of the panel. Witnesses may submit additional
testimony in written form to Maya Bernstein, lead staff to the subcommittee,
within two weeks of the hearing.

At this time, if you haven’t done so already, I would request that
witnesses and guests turn off their cell phones. Also during the hearing,
especially given the logistical problems we have already encountered, I would
ask you all to speak clearly and into the microphones, so that those listening
on the telephone as well as on the Internet can hear us.

To introduce the topic of today’s hearing, I want to call your attention to
the NCVHS letter to the Secretary dated June 23, 2006, specifically
recommendation R-12 on page 11, which I am sure all of the subcommittee members
have memorized, but for everyone else’s benefit, I will quote it.

“HHS should work with other federal agencies and the Congress to
insure that privacy and confidentiality rules apply to all individuals and
entities that create, compile, store, transmit or use personal health
information in any form and in any setting, including employers, insurers,
financial institutions, commercial data providers, application service
providers and schools.”

The subcommittee has attempted to follow up on this recommendation by
getting a sense of the range of entities that would be covered by a more
commercial health privacy law or regulation, their current regulatory and
professional obligations and the practical implications on their operations and
on the individuals whose health records they use.

At our hearing in September of 2006, we heard from the representatives of
the life insurance industry, occupational physicians and school nurses. At our
hearing in November 2006, we heard testimony from representatives of the
financial sector. Today’s hearing focuses on entities engaged in activities
associated with health care but currently not subject to the HIPAA privacy rule
coverage by virtue of the fact that they do not bill for their services or for
other reasons.

Quite frankly, in preparing for this hearing, I was struck by the vast
number of health related entities that are not covered by the HIPAA privacy
rule.

We will hear from two panels this morning dealing with this issue. Then in
the afternoon we will consider the statutory authority under HIPAA to regulate
covered entities and explore whether HHS has the authority to define health
care providers more broadly, or whether Congressional action would be needed to
extend coverage to some of these providers in accordance with our June
recommendation.

At this time I want to welcome our first panel. I would note for the record
that the schedule has listed Dr. Marshall from WebMD, and he is not available
to be with us this morning. So the first panel will have three witnesses, and
then at the end of their statements we should have ample time for questions and
discussion.

So I want to welcome the panel and our first witness, Carolyn Walton.

Agenda Item: Panel I: Non-Covered Health Data Benefits
and Services

MS. WALTON: Good morning. Thank you. On behalf of Walmart, I appreciate the
opportunity to provide both written comments and enter into discussion with you
this morning on this important topic.

Walmart is based in Bentonville, Arkansas. We employ 1.8 million associates
around the world. More than 1.3 million of these are in the United States,
making Walmart the largest private employer in our country.

There is no issue facing the business community in America that is more
significant than how the public and private sector will work together to
address the national health care crisis. This is both a fiscal and a quality of
life issue for millions of hard-working Americans.

Walmart fully endorses and supports the initiatives set forth by the
Administration to promote price and quality transparency, to drive health IT
standards, and to provide options that promote quality and efficiency.
President Bush and Secretary Leavitt, and I’m sure you are very familiar with
this, have put forward a vision that says, in the Secretary’s words, that would
create a personal health record that patients, doctors and other health care
providers could securely access through the Internet, no matter where a patient
is seeking medical care.

With 1.3 million associates in the United States and our company health
insurance costs growing at 19 percent per year over the past three years, we
certainly support these initiatives. At Walmart we are committed to bringing
about solutions to some of the most pressing health care challenges facing our
country’s working families. We have made this a major focus of the last year.
More affordable health benefits improvements are just one example of that. We
are making a real difference for our associates, our customers and the
communities we serve, and we are building on those efforts.

That is why Walmart along with several other large employers who are
concerned about the rising cost of health care and concerned about
inefficiencies in the current system, are coming together to form Dossia, a new
nonprofit organization that will provide a framework for electronic personal
health records. With employers paying almost half of all U.S. health care
costs, Dossia will be an important component in making the health care system
more efficient and effective, eliminating waste and duplication of effort on
behalf of consumers and providers.

I would like to begin by speaking briefly about electronic personal health
records in general, and then I will move to speaking specifically about Dossia.

Electronic records allow individuals to manage an extensive and
comprehensive record of their personal medical history, and ultimately can
receive the best possible treatment. These records can help eliminate duplicate
medical tests, erroneous or lost information, help reduce administrative costs
and help prevent thousands of serious illnesses or even deaths that result from
prescription or other medical errors every year. Because these records are
electronic, there is no paperwork to lose and no files to transfer.

For example, an associate and his or her doctor can review recent
prescriptions and track office visits. Doctors can evaluate past X-rays,
immunizations or screenings and make more comprehensive decisions about the
proper course of treatment, avoiding duplicate or unnecessary tests. A record
of a patient’s medical history will be available to them and to their doctor,
saving money and saving lives.

There has been a tremendous amount of interest in the issue of electronic
medical records and hospital and doctor groups have long supported efforts to
computerize medical records. However, little progress has been made due to
financial and technological constraints. As a result, today only a small
percentage of doctors in the U.S. use a completely electronic recordkeeping
system.

Dossia is a first of its kind collaboration between Walmart and other
employers, and it represents an important first step toward bringing greater
efficiency, quality and transparency to the U.S. health care system. Dossia
will provide Walmart associates and employees at other founding companies with
a framework through which they and their doctors can both build and maintain
private electronic personal health records.

The mission of Dossia is to empower people and their doctors to be active
partners for health, by providing secure, convenient access to lifelong health
information. Dossia’s objective is to transform the U.S. health care system,
reducing waste and facilitating better care by developing and making widely
available a lifelong personal health record.

Employee participation as a Dossia network user is completely voluntary. At
the request of employees and other eligible individuals, the Dossia network
gathers health data from multiple sources. Once gathered and secured, it is
stored in a decentralized database. The health information is continually
updated and is available to individuals for life, even if they change
employers, insurers or doctors.

Electronic health records provided through Dossia will be personal, private
and portable. They will not be tied to an individual’s employer or health care
provider or to their software. This will provide choice and differentiation for
both employers and consumers. Individuals will own their personal health record
and can decide who outside of their doctors has access to that medical
information.

Employers will not have access to their employees’ personal health record.
Dossia is hosted by an independent not-for-profit institute, creating a barrier
between employee data and outside parties, including the founders of Dossia.
Quite simply, Walmart will not be able to view associates’ personal medical
records. They will be 100 percent private.

In the initial stage of the program, founding members’ employees will have
access to this service, and over time it will be expanded to include more and
more health care consumers. Currently, Dossia’s founding members include
Walmart, Intel, BP, Pitney Bowes and Allied Materials. Together employees at
these firms represent about two and a half million U.S. health care consumers.
Participation in Dossia is open to other employers who are interested in
bringing electronic health records to their employees.

I would like to spend a moment talking about how a personal health record
is developed through the Dossia framework. There are many different groups and
entities that offer personal health records, but Dossia provides what is
missing today in terms of portability, accessibility and transparency. Dossia
is based on the Connecting for Health common framework, a set of design and
policy standards established by a collaboration of industry stakeholders. It
includes consumer advocacy organizations, physician groups, insurers,
technologists and certainly privacy advocates.

Connecting for Health is founded by the Robert Wood Johnson Foundation. The
goal of the common framework and of Dossia as the framework’s first real world
deployment is to provide a robust, secure and flexible data capture and
authentication system through which consumers can aggregate their health
information to create an independent lifelong personal health record.

The unique Dossia framework gathers health information on behalf of the
individual from various sources, and it stores it within secure databases.
Dossia’s open architecture will support multiple personal health applications,
allowing users to organize and summarize the information in ways that are most
useful to them.

Health records will be secure, they will be private, they will be
accessible only by the individual or by others to whom they have granted
permission. Records will also be portable, enabling individuals to continue
using the records even if they change employers, if they change health plans,
or if they change doctors.

Dossia enables an individual to develop a personal health record by two
means. First, they can enter the data themselves and enable the system to
search and securely aggregate their individual health data from a variety of
sources. Once Dossia is complete, it will begin drawing information from all
available electronic sources in the health care system on behalf of the
individuals who request it.

But despite all our efforts to build the broadest possible network, a
tremendous amount of medical information is going to remain on paper for years
to come. So as a result, Dossia will allow patients and consumers to capture
and store scanned images of any documents they feel are important and they one
day want to share with their caregivers.

In the testimony that is submitted, I have included some quotations from a
number of other sources regarding what they are saying about electronic
personal health records. In the interest of time I will pass over those so that
you can review that in more detail later.

Moving to the topic of trust and privacy, we all know that trust is a vital
component of any health care initiative or relationship. That is certainly true
for e-health initiatives. As discussed earlier, e-health has enormous benefits
for consumers, but if individuals do not trust the system, they won’t use it.
They won’t provide complete information or otherwise reap those benefits.

Trust in how medical information is handled could be improved, even in
regulated areas. Surveys continue to show that significant percentages of
consumers are not as confident as they should be that health records will be
secure, and that they won’t be shared in inappropriate ways.

EpicTide, a security provider for the health care information, reports in
its December 2006 survey that 98 percent of consumers believe that health care
organizations should protect medical records, but that only 40 percent feel
confident that providers do indeed secure those records. This is consistent
with other surveys that have been conducted since 2000. There are also
increased reports that medical identity theft is on the rise and given the need
for trust in public concerns, personal health records and other e-health
initiatives will need to focus on this important issue.

At Walmart we take very seriously the privacy of our associates and the
privacy of our customers. Trust is a focus for our initiatives.

I would like to speak first about some general privacy principles for
e-health initiatives before turning to Dossia in particular. I thought it would
be helpful to put personal health records in the context by framing some key
privacy principles that seem to be common throughout many of the existing
e-health records. Then I will discuss unique aspects of personal health records
in more detail.

For purposes of this discussion, I am happy to use the definition that your
group submitted in the June 2006 report. Health information privacy is an
individual’s right to control the acquisition, uses or disclosures of
identifiable health data. This is a good definition for privacy in other
contexts, too, and it shows the distinction with security.

Privacy involves the deliberate choices in policies afforded to and
exercised by the individual, and by the entities the individual deals with,
regarding managing their health information. Basic privacy principles include
the fair information practices of notice, choice, access, security and redress.
As the report notes, control is a concept that overlays e-health initiatives
and particularly personal health records.

Notice in general concerns how the individual understands how the collector
manages information, including such things as its acquisitions, its uses,
disclosures, access and security. Choice concerns options that individuals may
exercise regarding data management. Examples include where the records are
contained in an e-health system, or who has access to health records. Access
concerns who has access to that data. Individuals should have access to their
own health information conveniently and affordably. Security involves how the
integrity, security and confidentiality of health information is protected.
Finally, redress concerns how an individual can ask questions or file
complaints about the data practices. How data is managed should be transparent.

Personal health records offer unique privacy issues and certain privacy
enhancements. I will first discuss personal health records as their own system,
and then personal health records as part of a network.

With personal health records, by definition the individual controls more
aspects of the system. This starts with the decision whether or not to even
participate in the personal health record at all, as well as exercising control
over access to that information. Simply put, the individual is the driver of
his or her health information.

Given this model, I would like to describe some examples about how fair
information principles will operate in the personal health record context. The
first is notice. The main issue with notice is how to communicate data
practices and how to make that information effective rather than simply making
it be a box that is checked as to whether or not that information is read or
not.

With personal health records, individuals need to have a basic
understanding of how it works before they sign up for and before they use the
system. Personal health record models will need to focus on the communications
and notice aspect with some robustness.

Other examples are choice and access. Personal health records give
individuals a new level of access. Never before have they had access to their
health records at their fingertips at any given time in quite the same manner.
This level of access will allow the individual to check their records and
update them for completeness and accuracy. Not only do they have immediate
access, but the individual can determine who else should have access to their
records, which again gives them control.

Personal health records can also function as part of a larger network such
as a Nationwide Health Information Network. Data exchanges between networks
raise privacy issues, too. One of the biggest questions is how centralized or
decentralized these networks should be. There are pros and cons to the varying
approaches, including with regard to ease of use, data accuracy and risk
management. These issues are going to have to be carefully considered as the
networks are more fully developed.

Regarding Dossia’s privacy and security, the first and last job of any
medical record system is security. This begins with an industrial strength
shared system for verifying a user’s identity. Dossia features stringent
privacy and security policies and procedures, including a strong authentication
system. Individuals opt into the system, then they decide what information to
share and with whom. No one can see an individual’s information without his or
her permission.

Additionally, since Dossia is hosted by an independent third party, there
is an organizational barrier between the data and outside parties, including
employers and health insurers. Because Dossia will be connected to data
networks that exist today behind the curtain of the health care system, and
because of the sophisticated and rigorous security and patient record location
intelligence included in the common framework design, the user of a personal
health information product will be able to quickly access his or her
information. The information will pass through the Dossia network into the
patient’s control and will be completely de-identified, assuring privacy in the
unlikely event that it is not the patient’s actual medical data.

Furthermore, in keeping with the principles of the common framework, and as
a final way of insuring data integrity, the user will have the ability to
review that data and choose whether to include or exclude it from their record.

In conclusion, Walmart as a founding member of Dossia is committed to the
success of e-health records, personal health records and privacy and security
for those records. We are prepared to assist members of this committee in any
manner as you keep considering the important aspect of personal health records
for Americans. We are committed to working with state and federal leaders to
define real action steps that can be taken to move the discussion forward.

Today there are more than 45 million Americans without health insurance.
Affordable and accessible health care is out of reach for many Americans.
Walmart understands that our nation cannot address this problem without a
combination of technology and common sense. This is what we do each day in
urban areas and small towns across America, and this is how we hope to assist
in this vital national effort.

We appreciate the opportunity to present our views, and look forward to any
questions you may have.

DR. ROTHSTEIN: Thank you very much. You have raised a number of very
interesting issues that I’m sure the members of the subcommittee would like to
pursue during the question session.

At this point I want to turn to Dr. Yasnoff. Please proceed whenever you
are ready.

DR. YASNOFF: I assume you are on my title slide, and I will cue you as to
moving the slides forward. For those on the Internet in particular I will
attempt to speak in a way that doesn’t absolutely require seeing them.

First of all, thanks very much for the opportunity to testify. As many of
you on the committee who know me are aware, in my prior roles at the CDC and as
senior advisor for National Health Information Infrastructure at HHS, I served
as staff to NCVHS. So it is wonderful to be back in another role, to have the
opportunity to testify.

In addition to my primary activities as managing partner of NHII Advisors,
an HIT consulting firm focused on helping communities build health information
infrastructure, I am also the CEO and founder of the Health Record Banking
Alliance, which is a relatively new organization just several months old, a
nonprofit promoting the idea of health record banks such as Dossia. We are
pleased to have a number of organizations participating including Dossia,
Cerner, EDS, Microsoft, Patient Privacy Rights, NHIMA, Holven Health, You Take
Control, the Pharmaceutical Manufacturers Association and the Herigate
Foundation, among others. We have developed a relatively broad based coalition
to promote the idea of health record banking.

What I want to talk with you about today is how health record banks enable
privacy and health information infrastructure. If you go to the next slide, I
am going to say a few words about requirements for health information
infrastructure, then talk about the health record banking model, then the
privacy implications, and make some specific policy recommendations to the
subcommittee.

You will need to pick through this. There are four major components of the
community health information infrastructure. If you click once, you will see
the pot of gold at the end of the rainbow is complete electronic patient
information, anywhere anytime complete health care information and decision
support at any point of care.

This needs to be supported by three pillars. The first one is stakeholder
cooperation, the second one is financial sustainability and the third one is
public trust. If you have these three things supporting complete electronic
patient information, you essentially have a complete community health
information infrastructure.

If you go to the next slide, I will talk about the four elements one at a
time. First, complete electronic information. The good news is, most of the
information is already electronic, labs, medications, images, many hospital
records. The big problem with electronic information in health care is, only a
small percentage of physicians have electronic health records, primarily
because the business case for outpatient electronic health records is weak. I
think you can be sure that if acquiring electronic health records in
physicians’ office was a money making proposition for physicians, they would be
doing it.

In order for you to be able to have complete information, you need to be
able to move the information. Frankly, you can’t electronically exchange
information that is not electronic, at least not easily. So you need financial
incentives to insure that physicians acquire and use the EHR. So I have listed
that as the first requirement, that you need financial incentives to create a
good business case for outpatient EHRs.

Then the next requirement for having complete information is, you need a
single access point for the information. There are basically two ways to do
that. One is to gather together the data when it is needed, what I call the
scattered model, where the data stays where it is and there is no duplication
of storage. When the patient shows up for care, you basically have a query to
an index of where the records are located, and then a large number, a
potentially very large number, of secondary queries to all the different places
where the patient has visited in their lifetime. Then you have to wait for
those responses to come back, integrate them and deliver the information at the
point of care. In fact, this is what the Markle Foundation recommends.

This has a number of drawbacks, including all the systems that have
information have to be online and available for query 24/7. This is extremely
problematic, particularly for physician EHRs.

In addition, each system that is to be queried incurs the added cost of
those queries, both the initial added cost in terms of hardware, software and
additional communications capabilities, and ongoing maintenance costs. So you
have added costs to every element in the system.

The response time is slow because you have so many secondary queries to
process and you cannot finish your work until all the systems have responded.
Also in this model, you can’t search the data because you don’t know what the
data is. So you have to basically acquire the complete record sequentially and
then search it sequentially in order to find out for example how many people in
a given area have a cholesterol over 300. This makes this methodology
essentially useless for public health, for research and so on.

You also have a huge interoperability challenge, because you have to be
able to insure that every source of electronic health information in the entire
U.S. is standardized and accessible to you, because you have no idea where any
given patient may have been. Finally, the records are only complete if every
possible data source is operational, which is going to be very, very
difficult.

The second option is to have a central repository. By central repository,
what I mean is an operation where there is a central administrative
organization that has direct control over all the data. This does not mean that
all the data has to be in a single server. It can still be distributed, as long
as you have control over it and you are operating it, so that you can assure
that you can get the data when you need it.

The advantages of this are, you have fast response time. You don’t have
interoperability problems between communities because if you have a person’s
complete record, that health record bank does not need to communicate with any
other health record bank about that patient. It is very easy to search the
data. Of course, that would be by permission. The reliability depends only on
the system that you are running. Security can be controlled in your location or
locations, and you can assure the completeness of the record, and this is
extremely low cost.

The problems with this are that the public trust when you put all the
information together is challenging, and you also have to duplicate storage,
but it turns out storage is inexpensive. I have listed the second requirement
that you need a central repository for storage.

If you move to the next slide, which starts the three pillars that I talked
about. The first pillar is stakeholder cooperation. If you think the health
care stakeholders are going to cooperate voluntarily, I would like to chat
with you after the session, and I think I can convince you otherwise. Obviously
you could pay the health care stakeholders to cooperate, but financial
sustainability is a big problem already, and there is no money available for
that.

So really, you need to mandate cooperation, and you can do that one of two
ways, either with a new mandate or thankfully HIPAA provides an existing
mandate, because HIPAA requires information to be provided on patient request.
So if you design a system where the patient is requesting the information,
everyone has to provide it.

If you go to the next slide, financial sustainability, in order to pay for
this there are a number of options. The government is not going to pay for
this. I am not going to discuss that. The federal government is not going to
pay for it, state government is not going to pay for it. The best that is going
to be forthcoming are startup funds.

The health care stakeholders in some cases will pay for it, but in general
are paid for giving care, and it is difficult for them to make investments like
this. In particular there are no health care stakeholders that have an interest
in having electronic health records in doctors’ offices, or we would have them.

The payors and purchasers, the insurance companies and the employers, ought
to pay for this, but typically are skeptical about benefits and are concerned
about free rider and first mover problems as these systems are established.

Interestingly, consumers have indicated a willingness to pay for this. In
one survey, 72 percent of consumers supported establishing electronic records,
and in a 2005 survey 52 percent of consumers indicated they would be willing to
pay five dollars per month or more for their medical records to be electronic.
So I have listed as the fourth requirement, the solution has to appeal to
consumers so that they will pay a little bit for it.

Public trust. I have a couple of slides on this. To me, the actions of
public trust in a system like this is having patients totally control the
information. You will hear me emphasize that point again in a few minutes.

You also need to have a trusted institution that handles this information.
One way you can have a trusted institution is via regulation like banks. If you
think about why we trust banks, it is not just because they sometimes have
trust in their names. We trust banks because they are subject to state and
federal regulation, they are subject to regular financial audits. The federal
government in its wisdom has provided us at no cost a no copay no deductible
insurance policy for our deposits up to an amount larger than most people
deposit. So sure, we trust banks.

I used to say that you couldn’t have regulated health record banks, that it
was impractical. But I put question marks by that now because there was
legislation introduced in the last Congress and will be introduced again to set
up a regulatory framework for health record banks to provide valid legal
protections and a legal framework for them. In the meantime, the best you can
do is to have a self regulated community owned nonprofit with a board that has
all the key stakeholders, independent privacy oversight and operate in an open
and transparent manner. So I have listed that as a requirement.

You also need a trustworthy technical architecture. I won’t spend much time
on this, but you need to prevent large scale information loss. You can do that
by having your searchable database offline and carefully screening all
employees, and treating that information as you would high security classified
information.

You also have to prevent inappropriate access to individual records. What I
recommend is a separate server for that, using state of the art computer
security to ensure that you can only access one record at a time with strong
authentication, no searching capabilities, and a secure operating system. I am
happy to talk about that more in the question period if you like.

These requirements lead you to the health record banking model, where all
the information for a patient is stored in a health record bank account. The
patient or whoever the patient designates controls all access to the account
information, and there is absolutely no reason for anyone to have access,
because everything in there is either entered by the patient or is an original
record that is held elsewhere. So there is no reason anybody else for any
reason should be allowed into that information without patient approval.

Each health record bank needs to have at least three interfaces, a
withdrawal window for record access, a deposit window to receive new
information when you get care, and a search window when authorized requests are
received.

The way this works is, once your initial information is gathered, whenever
you receive new care, whatever new records are generated are sent to your
health record bank for deposit in your account. Thereby your information is
kept complete, and all data sources would contribute as patient requests for
HIPAA.

This is an animated slide, so you will need to click through this. You see
health record bank in the left corner. If you click once you will see a circle
with the health record bank. Click again, there are the secure patient health
data files. If you click again, there is the clinical encounter. Click again,
the clinician inquires to the health record bank for the patient’s record. If
you click again, you see that the patient has to give permission. If you click
again, if the patient says no, nothing is sent. Clicking again, we hope of
course the patient says yes, in which case the patient data is delivered to the
clinician. If you click again, we hope that encounter data is entered into an
EHR. If you click again, the new encounter data in total is sent to the health
record bank for deposit, then if you click one more time, you can then have an
optional payment for that deposit to the clinician’s financial bank, and
through those payments you can offset the physician’s use costs of the
physician EHR.

Let me talk for a minute about privacy implications. First of all, the
essential elements of privacy protection in my view are the consumer control of
information release. This allows each consumer to customize their own privacy
policy.

To me, this is the only way you could possibly satisfy the privacy needs of
all consumers. There is no way in my view to have an overarching privacy policy
that is going to make everybody happy. And health record banks facilitate this
privacy through consumer control.

The granularity of the control is limited to what information is visible at
the control point. So if you have a scattered model, where all you know is the
location of the information, you can only give your permission by location of
information. You cannot be more specific than that. So since in the health
record bank model you have complete visibility of all of the information, you
can have patient permission down to the data item level.

I have five policy recommendations I want to share. I think you will find
many of these are consistent with your recommendations you have made
previously.

First, the consumer needs to have complete legal ownership and control of
the health record bank information. The health record bank functions much like
a financial trustee, with a fiduciary responsibility to follow the patient’s
instructions and act only in the interest of the patient.

As I mentioned, no exceptions are needed, since copies of all the
information are elsewhere. When I say no exceptions, I mean none, no discovery,
no subpoena, no government access, nothing. The information also needs to be
protected from change in ownership of the health record bank. Failure of
customer payments, so if the customer doesn’t pay for their account, the health
record bank does not have the option to do anything with that information
except either return it to the customer or not make it accessible. They can’t
do anything that the customer hasn’t asked for. Also, you need to protect the
information from bankruptcy. You can’t let the information become a bankruptcy
asset that then is sold in that type of situation.

Second, all holders of electronic medical information should be required to
provide it within 24 hours of creation at no charge on patient request. As I
mentioned, HIPAA requires information to be provided, but you have 30 days, and
you can provide it on paper and you can charge for it. So if you have economic
information, you should be required to send it. This is not a burden, because
sending it is very, very inexpensive.

The third item, health record banks should be covered entities under HIPAA.
In fact, as you have previously recommended, personal health information should
be covered regardless of where it is. Of course, health record banks are going
to function at an even more stringent level than HIPAA, requiring patient
consent for all releases.

Fourth, you need to require independent privacy and confidentiality audit
of health record banks. This is the equivalent of financial auditing of
financial banks. There needs to be certification of those auditing entities and
public disclosure of the audits.

Finally, you have to have security procedures that are sufficient to
enforce the privacy and confidentiality policies.

Thank you very much, and I look forward to questions.

DR. ROTHSTEIN: Thank you very much, Dr. Yasnoff. I know we will have many
questions for you.

Our next speaker and the final speaker on this panel is Professor Edward
Janger from the Brooklyn Law School.

DR. JANGER: Thank you, Mark and Maya, for inviting me. I come as much as a
consumer as a supplier of information. I come as a bankruptcy professor who has
done some thinking about privacy issues in bankruptcy, and also about issues of
data security, but not particularly in the health care context.

My one past intersection with health care privacy was at Mark’s request
when I thought about bankruptcy implications for bio banks, and now that I have
listened to the previous two speakers, I understand why Mark put me on the
panel, but I am answering a slightly different question from the one that I
thought I was answering, but that is okay, because the issues are the same, and
I am going to make some linkages on the fly, and I think they will be quite
interesting for the group, and probably provocative.

I think I may be a little bit of a skunk at the garden party here. As Dr.
Yasnoff was saying, we have to bankruptcy proof this; my thought was, oh, okay,
that is a can of worms. Let me see if I can explain the can of worms that
bankruptcy and insolvency create for both EHR data banks and more generally for
privacy regulation through HIPAA of non-covered entities through the business
associate technique that HIPAA tries to adopt. I am going to try to do those
two simultaneously. I think it will work, but let’s see how it goes.

The first way that HIPAA tries to deal with entities that are not covered
is by recognizing that many HIPAA covered entities have to disclose data to
non-covered entities and what it requires them to do is to enter into what are
called business associate contracts, which is to contract for derivative HIPAA
health care protection. To the extent that we are beginning to think about EHR
banks, what we are really thinking about is the kinds of contracts and kinds of
legal protections that need to be created for those in such a way that both the
solvency of the EHR entity or the solvency of the business associate won’t
create privacy risks that are unanticipated.

With that thought in mind, what I am going to be focusing on is the fact
that under U.S. law, for the most part individually identified data is not
treated as property. It is treated as information. The way that the transfer of
personal information is regulated, both by individuals and generally by the law
is through contract or tort, which is to say, regimes that restrict transfer
through the imposition of post disclosure liability, or alternatively through
public enforcement.

I am staying away from public enforcement because bankruptcy doesn’t affect
that, and what I am going to focus on is the risks that are associated with the
fact that data is protected through contract, and that this introduces a
serious problem which was first identified during the dot com bubble now five
to seven years ago of credit risk generally.

So I think there are two real paradigms that you need to think about. I am
going to try to go through each one to talk about one, how bankruptcy law deals
with them and two, how credit risk exists even outside the context of
bankruptcy law.

The first credit risk paradigm is the one that some of you may be familiar
with. It is sometimes referred to as the Toysmart problem. The second one I
want to talk about is what I will call the derivative contract problem, which
is something I haven’t written about before in the bankruptcy context, but
which I think is really important here because it is a model that has been
adopted both under GLB and under HIPAA for dealing with the outsourced
obligations. I think there is some real risk there that nobody has thought
about, so you will get my ideas on that here first.

First, the Toysmart problem, which is a general frame for thinking about
how bankruptcy deals with privacy promises. For those of you who don’t know the
story, what happened in Toysmart, Toysmart was a toy company that was owned by
Disney that gathered information, e-commerce type information from grownups and
from kids subject to a privacy policy that said we will never share your data.
Toysmart then went bankrupt, and its insolvency consultant listed the customer
lists for sale, and people went berserk.

What it caused people to realize was an aspect of bankruptcy that is just
out there, which is that when an entity goes bankrupt and reaches a contract,
what the non-bankrupt claimants have is a claim against a bankrupt entity for a
breach of contract, which gets paid out on cents on the dollar. This creates a
somewhat scary moral hazard problem, which is that the bankrupt entity can
break a promise and make hundred cent dollars and pay damages in ten cent
dollars.

There are bunches of things — and this is not a bankruptcy problem per se,
this is something that exists outside of bankruptcy and people call it the
judgment proof problem. That is why we want banks to be properly capitalized
and other entities to be properly capitalized. Once you are insolvent, the
liability based things that try to make people do the right things don’t work
as well.

Anyway, this problem could exist in the context of one, an EHR that turns
out to be thinly capitalized and goes bankrupt. We want to make sure that the
promises it has made not to disclose data are enforceable notwithstanding the
entity’s insolvency.

We have a similar problem in the ordinary HIPAA context, where you have a
business associate contract that requires the entity to do all the appropriate
things, but then they go bankrupt. They break the contract and they are not
fully internalizing the risk of their misdeed.

Now, in Toysmart there is another angle to this which we shouldn’t forget
as I tell the horror story. Toysmart ultimately didn’t disclose the data
because the FTC jumped in and sued them under Section 5 for an unfair trade
practice, which didn’t really go anywhere, but it all got mooshed up, and
ultimately Disney Toysmart $50,000 for the data which it then promised to
destroy. So there are other layers out there, but those aren’t what I am
talking about.

The response to Toysmart more generally was an amendment to the United
States bankruptcy code that has significant relevance here, and a somewhat
different helpfulness level in the EHR data bank context as compared to the
business associate context.

The 2005 amendments to the bankruptcy code, which went effective more than
one October ago, contained an amendment which basically says that personally
identifiable data cannot be sold in violation of a privacy policy unless.

The unless is relatively significant. It can’t be sold unless the
bankruptcy court approves the sale after the appointment of a privacy ombudsman
who will then negotiate on behalf of or serve as a guardian for the holders of
the personal data to make sure that their legitimate privacy concerns or the
privacy policy spirit is honored through whatever data transfer.

This is a really big advance. I have written both praising it and
critically of it. The praise is for the ombudsman and the negotiation and the
court supervision approach, which I think goes a long way towards setting a
model for how to deal with these problems.

The problem with the Leahey amendment as an approach is one, there has to
be a contractual privacy policy. If one is familiar with the e-commerce world
and the way privacy policies have developed, they are not so much privacy
policies anymore as data sharing or data disclosure permission policies. So to
the extent that the businesses have already not made Toysmart like promises,
the Leahey amendment doesn’t provide much protection. That is something I think
that has to be worried out for example in the consumer based context of an EHR
data bank, where you need to make sure that where the consumers aren’t
responsible for negotiating their own privacy contracts, because it won’t work.

The business associate contract context may be slightly different. I think
the Leahey amendment may be quite helpful here. Remember, the business
associate contract creates a contract with bite that would then run through the
Leahey amendment and give you some real protection. So I think you have got two
different sets of concerns, one on the data bank, the consumer data bank, where
I think you have to make sure that the privacy policy that runs through the
Leahey amendment type structure is not voluntary, but on the business associate
side, I think you have got something that may work pretty well.

Here is the big problem with the Leahey amendment, and it is a big problem.
It only applies if the entity actually applies for bankruptcy and tries to sell
data in bankruptcy. If the entity simply leaks data, does whatever it is that
smaller entities do when they messily wind up, the Leahey amendment never comes
into play, and the data simply goes away, leaks out, goes wherever it goes, and
there is no redress against anybody.

So that is I think the bankruptcy law problem. There is a second insolvency
problem that is more general and not really bankruptcy specific, which is the
general contract law problem of trying to regulate or impose public regulation
through third party contracts.

When we think about a business associate contract, the liability is
enforceable only through contract damages. To the extent that you are relying
on contract damages, insolvency, whether in or outside of bankruptcy, raises
the moral hazard problem that I identified earlier, and therefore undercuts the
effectiveness of contract damages as a deterrent. Hence, thin capitalization
undercuts the incentive not just to not sell data, but to also take appropriate
care to protect data.

This is the new part. This discussion that I am about to enter into builds
on a piece that Paul Schwartz and I are about to publish dealing with data
security issues more generally, and draws on some thinking I have been doing
about a similar approach which is followed under the interagency guidance under
Section 501 of the Gramm Leach Bliley Act, which similarly like HIPAA requires
outsource entities to contract for protection.

The problem is, one, you have got the capitalization problem, but two, you
have another bunch of problems that go along with this type of derivative
contract regulation. One, you have got a detection problem. I can’t imagine
people haven’t become aware of the number of data spills that have happened
over the last two or three years, or more to the point that have become public
over the last two to three years as a result of the passage of breach
notification statutes in California and other states.

I don’t mean to take a potshot at Mr. Yasnoff’s presentation, but one of
the types of entities that has been most subject to the notification of these
spills are banks. They are really good at protecting money, but they turn out
not to be all that good at guarding customer data, Bank America, Citibank.

The example of the data security breach that I think fits this example best
is a case called Card Systems. Card Systems is a company that make the boxes
that sit at the checkout counter, where you put in your PIN number or you swipe
your card. What they are supposed to be is a data conduit. They run data from
the checkout counter to the check payment clearing entity and don’t touch it
except to trigger the cash register.

Card Systems had a contract with VISA and everybody that they did business
with that that was all they were going to do, is ship data back and forth and
not touch it. Somebody at Card Systems got a bright idea. They got the bright
idea that they have got R&D to do, and wouldn’t it be good to do R&D
with real data. So they siphoned off some data, put it in the database, played
with it and got hacked.

This violated every contract that they entered into, and they got sued. But
two things have happened. One, they are still in business. Two, they are still
providing this service to VISA. Three, nobody knows what information got
leaked. I have never gotten a customer notice about my Card Systems data, and
I’m sure I was in there.

So we have got a whole bunch of problems that arise from this, simply
because people don’t always know that it happens. Even if the breach is
disclosed, you don’t know if your data has been disclosed. Second, there are
internalization problems which go along with the fact that the damages are
likely to be small, so who is going to sue once I find out that somebody knows
that I bought something at the A&P.

Then there is a third problem, which is that this damage regime, both under
GLB and under HIPAA, this contract liability, I’m not quite sure where it comes
from, because neither HIPAA nor GLB have private rights of action. So you are
piggybacking on unformed tort liability or whatever to make these things happen.

I think that is a pretty good place to stop. When you get into this
derivative contract regulation, in addition to the capitalization problem you
have the problem of an attenuated relationship with the consumer and an
attenuated relationship with the regulator. These are not insoluble problems,
but as I said, I am the skunk at the garden party, they are ones that need to
be thought about.

DR. ROTHSTEIN: Thank you very much. It is now time for questions. I know I
only have about an hour’s worth of questions, and I’m sure each of my
colleagues do as well. So I will go last as is my custom, hoping that somebody
asks my questions earlier. We also have two members on the telephone who may
have questions as well.

So we will begin with John Houston, and then we will proceed to the rest of
the panel. I would ask you to keep your questioning brief so we can get through
one round of questions and if time, a second.

DR. HOUSTON: I have two questions, and they are focused towards Ms. Walton.
The first being, what type of consumer contract — I use that loosely — do you
perceive you are going to have with whoever subscribes to your system? What do
you plan on telling them, how you are going to manage their data? Are you going
to have a contract in place?

That is the first question. Before I forget the second question though, do
you think that Dossia would be willing to voluntarily comply with HIPAA? That
is the second question.

MS. WALTON: Let me take a shot at both of those. First, regarding your
question about the type of contract that we would have in place with the
consumer, just for the record, I want to make very clear that Walmart will not
have a contract with the consumer.

DR. HOUSTON: Dossia will.

MS. WALTON: Walmart is simply contributing funding to the nonprofit
organization Dossia. I can’t speak on behalf of Dossia relative to the specific
content of the contract and so forth. The contract would be between Dossia and
the various parties involved with that there. So I can’t presume to speak on
behalf of that.

But the principles that we have discussed are a very high standard. They
are the fair information practices that we have outlined, the specific content
of the contracts. Dossia is working toward an implementation for the first
group of employees of the founders in the summer of this year, so there is a
lot of homework to be done. There is a privacy working group being formed to
address those details.

I can’t speak to what the content would be. What I would suggest is that if
the committee has continued interest, that Dossia be asked to come and share
more specific information over the next few months as that implementation is
planned for later this year. We are very early in the stages of that rollout.

DR. HOUSTON: As our last presenter indicated, that contract with the
consumers is vitally important.

MS. WALTON: It is the vital touch point. From the beginning as we talked
about the common framework and others, the intention of Dossia and what is
being designed and prepared regardless of regulation is intended to meet or
exceed those standards that you would see within the HIPAA world, even though
at this time it is a non-covered entity.

DR. ROTHSTEIN: Thank you. Now Harry Reynolds has a question.

MR. REYNOLDS: I’d like to make one comment first. If you go back to our
letter that we wrote to the Secretary, I think the Card Systems — we talked
about entities especially in NHIN that will be nothing more than switches or
other things, where data will pass through them. So I think that is an
excellent example for us as we continue to deliberate. That is an excellent
example of what NHIN is going to bring to the table. You will have these
electronic switches that say, I do nothing but accept and pass on. So that is a
great example for us.

My question is, as I have listened to all of you, and if you read our
letter, we have some things that we couldn’t quite come to full closure on.
Everyone that has presented today has talked about the person having personal
choice on what is in any of these records. So that is a fact and that is a
statement.

The second is things like financial incentives that Bill Yasnoff discussed
as to how do we get this adoption and how do we get things to happen.

Then the third is, depending upon the validity of the information,
depending upon what is or isn’t in there at the choice of the person, the
usefulness of that data at the actual care site comes into question on a
continuous basis. If it is not information that is complete enough to allow the
attending provider — and we will use provider, because as Mark said, there is
a lot of people that touch this kind of stuff — if it is not complete enough,
then it probably may not be part of the process, if the caregiver can’t accept
it as a good record or a good index, or there is some notation that something
is not there.

So I would like each of you, especially maybe Ms. Walton to start first,
and then Bill and then Mr. Janger, from the standpoint of — as you were
saying, you are talking as consumers in some cases. I would like your feelings
on that, because that is an issue that we are struggling with. The person gets
to decide. The caregiver wants to see it all, and in the middle we want some
kind of a thing to happen.

MS. WALTON: Just a quick comment there. The first decision I believe that
the consumer has by choice, at least under the Dossia framework, will be to
verify that the data being presented for inclusion in the record actually
belongs to them; was I there in this date of service, in the highly unlikely
event that some weird thing happened and you are sent someone else’s
information. So that authentication, that verification, is the first step.

I have heard quite a bit of discussion, and rightly so, regarding the issue
of completeness, and whether or not the attending physician and others in the
treatment arena will be able to provide appropriate care if the record is not
full of everything.

I think that is a great question. It is no different than it is today. The
physician does not have a complete history. Frequently a physician has to rely
on my failing memory. If I am really sick and feeling bad, the questions I
answer may — my answers may change over the course of an hour or two as I am
moved along within a facility.

There are those weaknesses today in the caregiving arena. I don’t say that
glibly or say that this is not an important issue.

One of the things that I have heard discussed is that as a consumer may
choose not to reveal a particular portion of their health record to another
entity, that caregiver will be provided some information that says the consumer
is withholding some information. It doesn’t say what it is, but it gives the
physician an opportunity to probe more deeply and ask questions on that point.

MR. REYNOLDS: Bill, would you like to comment?

DR. YASNOFF: Yes, I would. First of all, we don’t know much about having
complete information at the point of care, since we never have it at the
present time. We certainly never provide any assurances that information is
complete. So the idea of providing any assurance, either actual or implied,
that information is complete is a new thing. By that I don’t mean to trivialize
the question. I think it is a very important question. Providing the
infrastructure that allows us to contemplate having complete information at the
point of care by definition raises numerous difficult policy issues. This is
one of the classes of more difficult issues.

I think clearly, at the present time, the patient has control over what
information is presented. I can tell you, having given talks all over the
country on NHII, after nearly every one, someone would take me aside and say,
if you are going to create a system like this, I am going to have to opt out
unless I can control the information, because I had my sexually transmitted
disease treated somewhere else, or I got a test somewhere else, or I had an
abortion out of state, or some such thing, that I didn’t want my provider to
know about. And of course, patients know the system as it is, and they know how
to get there in a way that their providers didn’t know.

As the subcommittee I’m sure is aware, the California Health Care
Foundation surveyed recently on this point, and found that consumers admitted
so-called information hiding behavior, 13 percent of consumers admitted this,
which to me means probably a much larger percentage are actually doing it.

So the fact is that I don’t think you can have any system like this
unless you have patient control and you give patients the option to suppress
information selectively. So the question is, what do you tell providers. I
think this is a difficult question. My current view of this is that you do need
to tell providers, if you know for a fact that the information is incomplete,
you need to disclose that. In certain cases you have to be more specific.

Let me give one specific case. Let’s say you have a patient who is on a
controlled substance for pain, and the patient is trying to illegally and
fraudulently obtain additional prescriptions like that. So naturally with a
record system like this, they would suppress the information that they are on
the controlled substance so that the next physician would not be aware.

Then you have the possibility that unscrupulous patients would be using the
system to aid and abet criminal activities. Clearly that cannot be allowed. So
in the case of controlled substances, if a patient decides to suppress the
information about one or more controlled substance prescriptions, I believe
that as a matter of public policy you must inform the physician to the effect
that this patient has suppressed one or more controlled substance
prescriptions. You don’t have to say what they are, but you have to inform the
physician. Otherwise you are building a system that can aid and abet criminal
activity.

So that is one example where I think the policy is relatively clear, but
there are lots of more subtle examples where it is not so clear. I think this
is something that needs to be extensively debated, and there may be different
approaches in different situations, depending on the sensitivity and nature of
the information.

DR. ROTHSTEIN: If I may interrupt before Professor Janger responds, to
point out that the subcommittee debated this issue for months, literally. We
decided against the flagging route and did not include that in our
recommendation.

But there is an element that has not been discussed. I want to ask Dr.
Yasnoff specifically to finish his answer, and that is the decision support
element. One of the things that we included in our recommendation letter was
the notion that even as to items that were somehow suppressed by the
individual, decision support would still operate on those facts.

So for example, I may as a patient choose not to disclose that I had a
sexually transmitted disease for which penicillin was prescribed, but I became
allergic to penicillin. So the record wouldn’t have the STD, but the decision
support would show that I was allergic to penicillin, so if penicillin were
being contemplated for some other condition, then the physician would be
alerted.

I wanted to ask you, Bill, is the system that you are describing, does that
contain a decision support mechanism as well, or is it just simply transferring
whatever records are submitted to the bank?

DR. YASNOFF: Health record banks as I am contemplating them would not
actually contain decision support. Of course, they could, but that begs the
question.

This is my suggestion to the subcommittee on this. If you get testimony
from consumers about this, I am going to give you my personal view on this. My
personal view as a consumer is that if information is suppressed, it is
suppressed, and it is not available. It is not available to anybody for any
reason ever, no matter what.

I think it is also very clear that when I make the decision to suppress
some information, undoubtedly the general counsel of whatever organization is
letting me make that decision is going to put a warning on the screen,
something to the effect that by suppressing this information, you may be
causing your own death, and sign here. I think that is perfectly appropriate.

But if you do not allow patients to really control this information, I
think that there will be tremendous resistance to the establishment of these
systems. But again, I would urge the subcommittee to — that is just one
person’s perspective, and I would urge the subcommittee to gather information
directly from consumer groups, from privacy groups and so on, on this topic.

DR. ROTHSTEIN: Thank you, and I apologize. Ted, your answer?

DR. JANGER: It wasn’t an answer as much as two further questions that it
seems to me this raises. One is, it strikes me that — and I think this is
already coming out — that there may be situations where the central database
is actually less complete than the information that an individual would give
their own doctor, because of concerns that an individual has about making this
information available centrally, for fear of — and this comes back to the
trust — ways in which that information might be used or might be called upon
to be used.

In other words, if I go to my doctor, I may tell him about the STD, because
I know that I want him to know about it, and because I know that it won’t go
any further, but I won’t put that in the central database.

That is point number one. Point number two question is linked to that,
which is, are there limits on the purposes for which a consumer can authorize
the use and disclosure of their medical data.

The reason if I am a consumer that I am worried about this is, I put this
stuff in the central database because I want my doctors to have all this
information. The next thing I am worried about is that my employer is going to
come to me and say we would like your health care information, and I say no,
and they say bye. I say, I’ll give you the paper records and they say, no, we
want the stuff in the EHR. Then I’m stuck.

So anyway, there are adhesion problems that can arise that can then force
that information out and overcome the control. So I just wanted to highlight
the issue. I don’t have an idea about how to deal with that.

DR. ROTHSTEIN: Thank you for raising that. It is something that if we have
time I would like to pick up on as well.

I want to recognize our subcommittee members on the telephone now, and give
them an opportunity to ask questions. I know, Paul, you are under the weather.
Do you have any questions?

DR. TANG: Yes, I do, thanks, Mark. I have three, if I could take them in
order.

The first one, Bill Yasnoff had mentioned that if doctors did have
financial incentives, then we would have EHRs throughout. So let me ask that
financial incentive question regarding Dossia and the record bank. That is,
what is the business model, what benefits accrue to the founding members, and
what would prevent everybody from contributing or not?

MS. WALTON: Relative to the business model for Dossia, the business model
for Dossia begins with the founders’ initial contribution of $1,500,000
apiece. The goal is to have ten founding companies. Five were included in the
initial press announcement.

You had asked what is in it for the employer, why are we there. In my
opening comments I spoke about how employers pay for health care for our
associates through our insurance programs and so forth. Walmart’s cost is
rising at 19 percent per year. I know it is a leap, but the reason we are doing
this, not only do we feel like it is a good thing for our associates, but
ultimately we believe that a personal health record used on a widespread basis
in our society is going to improve the quality of health care and lower the
cost, and that is the payback for employers.

We do not have any near term other derivative benefit out of that. We feel
like it is something that we can do as employers to help cause movement and
change within this country.

In terms of Dossia’s revenue model downstream, the intent is that Dossia
will be on its own feet and beyond the seed money after the first three years
at a minimum. Dossia will be an open framework, so that you would look at the
possibility of other software solutions and products and so forth that would
work out financial agreements with Dossia in terms of licensing and using the
technology, those types of revenue streams that are there.

Does that answer your question?

DR. TANG: So you are saying that this model for Dossia is basically to make
secondary use of these data. To follow up on the founding, why would there be a
limit to the number of founding members if there is no benefit to being a
founding member? Or why would there be a restriction on the number of people
who would throw money into this effort?

MS. WALTON: I could not hear the first question. I could hear the second
question about the limit on the number of founders. That is simply for us to be
able to launch quickly and get out of the box. So there are those who are
contributing to the startup of Dossia. They will be the ones who first have the
option of providing personal health records to their employees, to their
retirees, and to the dependents of those individuals.

That is the reason for starting with the ten. There may well be a number of
other forums of affiliate memberships and so forth at a later point, but we are
just trying to launch and cover the two plus million people this year.

DR. TANG: The first part of the question, it sounded like Dossia, when it
became self-sufficient, it would mean that it was permitted to derive from
secondary use of the data on behalf of individuals. Is that going to be part of
the concept? I know that is not complete yet, but the employees who are putting
their data into this system, would they have control over the secondary uses of
the data?

MS. WALTON: First of all, that is not what I said, and I want to set the
record straight on that. Dossia is not in the market of providing secondary
uses of the information.

If you look at the ability to connect and pass information or the
equivalent of technology within computers today that allow you to transmit
information from one to another, it becomes a licensing arrangement between
technology companies.

So someone who has let’s say an electronic health record system today, but
they don’t have the ability to connect with other proprietary systems, it is
conceivable that Dossia would have all those connection points there and say,
for a small fee you can rest your own product, be it a personal health record
system, and use our connector, so that you have a broader reach to other
insurance companies, other health care providers, other sources of data.

I hope that clarifies that.

DR. TANG: Yes. I’m sorry, I did get the wrong impression initially. So it
would be only through technology licensing, but having nothing to do with the
consumer data?

MS. WALTON: Correct. Dossia is the underlying framework on which other
stuff could ride.

DR. TANG: Bill, is the same true for the health record bank?

DR. YASNOFF: No. I think the Health Record Banking Alliance recognizes that
there may be health record banks with widely varying business models. I was
trying to illustrate one such business model, which is having the patients pay
a monthly fee and providing financial incentives to providers for EHRs by paying
for deposits.

There are other financial models. There is no requirement to pay physicians
for deposits. Of course, if you don’t do something like that, you don’t get
the EHR incentives, and so you don’t have the effect of converting the health
care system to electronic records.

I will say that it is pretty clear that once you have an operating health
record bank, your sources of revenue can be quite diverse. With patient
permission, it is contemplated that health record banks would make information
available for secondary use. Not only that, revenue generated thereby would
mostly be returned to the patient.

So you really ultimately have an analogous situation to a financial bank.
In a financial bank you deposit your money and you earn interest because the
bank uses your money to make money, subtracts its operating costs, and then
returns the difference to you. In a health record bank, you would deposit your
medical information, and if you chose to do so, you could have a quote-unquote
interest bearing account where your information was used for searches and so
on, and money would be returned to you, which would either be credited towards
the fee you pay, or ultimately the fees might be reduced as a matter of course
for all the customers.

In addition, there are a number of value added services that can be
provided once you have complete health information, things like sending instant
messages to parents if any of their children’s health record bank records are
touched by an emergency room physician. Most parents that I have talked to are
very interested in that, would be willing to pay something for it. Sending
instant message medication reminders for every dose of medication, this might
be particularly helpful in the elderly, and pharma might be interested in paying
for that.

Something like I call prevention advisor, which would be a service that
consumers could sign up for, based on demographic and information in the
medical record. Consumers could be reminded of all the things they need to do
to stay healthy on an individualized basis. There are also things that could be
done for providers.

So for example, you could associate customized rules with orders that
providers give, so that instead of ordering a lipid profile and having to
review the results and then talk to the patient, you could order a lipid
profile with a set of rules that says, if the results of this test are normal,
drop them into this preformatted e-mail and send them to the patient and I
don’t want to see the results. That is something that would be relatively easy
for the health record bank to provide, and would obviously be a valuable
service for providers.

So there are lots of different services that you can provide once the bank
is up and running. The central principle however is that no information is
disclosed or used for any purpose without explicit consent of the consumer.

DR. TANG: Thanks, Bill. I hope Mark will follow up on the context for
secondary uses.

My final question has to do with access to the data and also unintended
consequences. I think my understanding is that Dossia and probably health
record banks are planning to include claims data as one way of — some of these
records. I may be wrong, so please correct me.

I think most people including the payors recognize that the claims data
have a large problem with accuracy. There have been studies that compare the
clinical record with the claims data. There are a number of reasons for that. A
lot of it is because the people who provide the data oftentimes are not
directly providing care, so that the disconnect, that these are two separate
streams and they don’t have to relate to each other, so the accuracy is not
that important to the health care provider.

But the consequence of having inaccurate data is that, let’s say in the
case of decision support or even making decisions based on the data, it can
result in a number of unintended side effects. So I am wondering how the two
groups are thinking in terms of literally — betting is not the right word, but
how do we make sure that the data streams that are coming in are accurate.

DR. YASNOFF: Paul, could I jump in and answer that first, because I am
going to have to jump on my plane here?

DR. TANG: Sure.

DR. YASNOFF: First of all, the Health Record Banking Alliance takes no
position as to whether you put claims data in the health record bank or not.
That is not the primary intent, but there is no objection to it, either.

I think you have a number of things you can do. First of all, when the data
comes in, if you have any questions as to whether the data belongs to a given
patient or not, you can put it into what amounts to a suspense file and have
verification, including calling the patient or the doctor to see if that data
really belongs. Those deposits do not have to be completed in real time,
because you are not trying to provide data for care at the moment the deposit
occurs.

The second thing which I think is very important is that in the health
record bank situation, the patient has access to the data, so the patient will
look at the data, and if the data is wrong, the patient presumably will make a
call and say, there is a stress test in my record and I didn’t get a stress
test.

Furthermore, you can set up mechanisms whereby the patients are always
notified about every deposit that is made into their record, not necessarily
the contents, but the fact that the deposit has occurred, so as to alert the
patient to the fact that there is a new deposit so they can check.

So I think having the patient reviewing the records can be a very, very
powerful force and help to reduce errors in the data and improve quality.

I’m afraid I have to go catch my plane. If there are further questions, I’d
be happy to answer them in any way the committee would like to followup,
including in writing or whatever. Thanks for the opportunity.

DR. ROTHSTEIN: Thank you, Bill. I appreciate your phoning in. I know how
difficult it is. Have a safe trip.

DR. YASNOFF: Thanks very much. Bye-bye.

DR. ROTHSTEIN: Leslie, are you still with us?

DR. FRANCIS: I know that you are almost 15 minutes —

DR. ROTHSTEIN: That’s okay. We are going to go over a little bit, so we do
have time for a question if you have one.

DR. TANG: Mark, could you ask if Ms. Walton would care to comment on the
question on claims data?

MS. WALTON: Could you repeat the question, please? It broke up over the
transmission.

DR. TANG: Okay. My understanding is that there probably will be some
pre-population of the Dossia health record with claims data. The claims data is
known to be inaccurate, so the unintended side effects of having inaccurate
information may either pose problems and lead one to make wrong decisions or
mislead decision support programs that help patients and their providers make
correct decisions.

One example could be, oftentimes for purposes of billing, you may be
ordering a test. Every test must be associated with a diagnosis. It is common
to —

DR. ROTHSTEIN: Paul, may I interrupt for a second? We are really out of
time here. Maybe you can send a written question for her to answer. I want to
give Leslie a chance to ask some questions. We are getting into claims, and
that is something I want to try to avoid, if that is okay.

MS. WALTON: Maya has the contact information for me. I’d be happy to handle
any followup questions. She has some e-mail and phone numbers for me. Thank
you.

DR. ROTHSTEIN: Thank you. Leslie?

DR. FRANCIS: Instead of asking these as questions, because in some respects
they have been touched on, but in the interests of time I will underline the
following ambiguities that I noticed in several of the presentations. At least,
these were things I wasn’t clear about, not necessarily to ask for answers
right now, but perhaps in the files for ongoing consideration of this.

First of all, particularly with respect to Carolyn’s discussion, I wasn’t
clear about whether patients would be expected to pay for the record system, or
whether it would be entirely free to patients.

MS. WALTON: Quick response. There is no charge to the founders’ employees
and their dependents for use of the system.

DR. FRANCIS: That was one question I had, whether there would never be a
charge, because I imagine later institutions’ charges being questionable.

The second question I had involves both Bill and Carolyn. This has been
touched on. In the design of records, one issue is whether with a pull system,
which is what I think Carolyn Walton was describing, a patient who sees a
provider should be able either to exclude entirely that provider encounter or
exclude aspects of that provider encounter from being pulled into the system,
and whether even if it is pulled into the system there would be secure envelope,
need to know kinds of design.

Obviously Bill talked about that with respect to a drug abusing, drug
seeking patient, but there are lots of varieties of that question. Carolyn’s
description of a pull model didn’t talk about that question.

The third question that I had was about, once the patient consents to
having his or her physician have access to the record, it is very important to
safeguard, even if the record doesn’t go elsewhere, disclosures that the
physician could make using the record. That is where the interface with
employers’ insurance and so on is.

So I would assume there would have to be additional patient consent for any
of those other kinds of disclosures. The testimony is always brief, but I
wasn’t clear that I heard full answers to that in terms of what this would look
like between disclosure to a physician and then whatever the physician in turn
does with what is being disclosed to him or her.

So those were the quick points that I would want to ensure that — if the
idea of this is non-covered health data benefits and services, and how should
this relate to those. Those were the questions I had about that.

DR. ROTHSTEIN: Thank you, Leslie, I appreciate that. We have taken copious
notes of those questions, and we will follow up on those throughout the day if
we can.

I just want to take a couple of minutes to ask one question of each of our
live witnesses, and then we will take our break.

The first question is a statement that poses a question, as many of my
questions tend to do. It has to do with the Dossia system. The question had
been raised about possible secondary uses. In other words, would employers have
access to Dossia. The answer is, of course employers will have access to it, as
will life insurers and disability insurers and any other entity that can
condition a relationship on signing an authorization.

So if you want to sign for a job with XYZ company and they know your
records are at Dossia, they can say after a conditional offer of employment,
sign this authorization releasing all of your medical records from Dossia to
XYZ company, whether or not they are members of this alliance that contributes
health information.

So what I think would be really terrific, and I’ll figure out how to phrase
it as a question as I go along, is, if the members of this consortium which
represent already at least three million employees in the United States, would
agree to the following and work for the following. Number one, after a
conditional offer of employment, when they ask individuals to sign
authorizations to release their medical record, to see if they are fit to do
the job they are doing, if they agree that they will only ask for information
that bears on job related abilities, that is, that they won’t ask for the whole
record, they will ask, we are considering hiring Joe Smith to climb telephone
poles and do these three other things, and we want that information.

B, in the design of this system, if they will work to implement
recommendation R-12 from our June letter, which is to have the architecture of
the system contain the ability for contextual access criteria, so that there
would be the electronic ability to only disclose that information. If the
Dossia alliance would do that, it would take a tremendous leadership role in
corporate America in protecting the privacy of individuals.

So the question is, might they consider doing that?

MS. WALTON: The answer is yes. Let me say that when I said that we are
pleased to work with this committee in any way possible, I offer that from
Dossia’s perspective as well. We have our first founders board meeting February
1 and 2, and at that time we will be focusing on the mission and charter of the
work groups that will be involved in the startup process for the additional
release of records.

Certainly one of those is focused solely on privacy. We would welcome that
opportunity to have a dialogue to gain insight into your question/statements,
so that we can ensure that we are focusing on the right things in these early
days.

DR. ROTHSTEIN: That would be terrific. You would get my personal hero award
if you could do that.

The second question is for Professor Janger. Can you contemplate some sort
of private FDIC model for insuring the financial solvency of health record
banks or information exchanges so that we don’t have this overhanging threat of
the insolvency-liquidation selloff of records where there is no filing, but no
consequence to the company? Are there models where that might work?

DR. JANGER: Short answer is no, but I have another idea.

DR. ROTHSTEIN: Okay.

DR. JANGER: When you think of an FDIC or a Jones Act or a PBGC type
industry funded insurance model, what you are trying to do there is make sure
that the industry as a whole internalizes the cost of its harms, which I think
is an important thing to do. I think that is not necessarily a bad idea, but I
don’t think that it gets you the incentivizing function that you worry about
with a Card Systems type, a thinly capitalized outsourced entity problem.

I suppose what you could do, thinking out loud here, is a piece of this
would be to say, there are capitalization rules that go along with creating the
fund. In other words, if you want to participate in the fund, you have a margin
and you would have to be able to meet calls or something like that.

But I think the lesson here is a little bit different. What you really need
to do is make sure that the individual actors have something at stake if they
screw up, and that requires a shift away from either a — there are two
pieces to it. One, shift away from a liability model to a public enforcement
type model. Second, and I say this somewhat more advisedly, it may also require
you to think about restrictions on the way people who end up with the
information use it. In other words, restrictions that run with the information
to the extent that that is possible.

That gets a little bit technologically tricky and can really chill
information uses in ways you don’t want to, but those seem to be the avenues
that you have to go, because I think that the insurance model solves the harm
problems, but we are talking about dignitary harms here, anyway, so it doesn’t
get you where you want to go.

DR. ROTHSTEIN: Thank you. I want to thank Dr. Yasnoff in absentia, and I
want to thank our present witnesses. I want to apologize to those listening on
the Internet and also elsewhere for running late.

We are going to take a ten-minute break to 11:20, and then begin Panel II.
We will take the time out of the subcommittee’s lunch somehow. Thank you all.
We will resume in ten minutes.

(Brief recess.)

Agenda Item: Panel II – Non-Covered Health Providers

DR. ROTHSTEIN: Welcome to the members of our second panel. I know that you
have the testimony of the first panel members.

Just by way of introduction, let me ask you if you can, you know we have
got lots of questions. I think that is where we really benefit, from the give
and take. We have got your written testimony, so if you could summarize or hit
the high points of your written comments, focusing on the topic that we have
under discussion today, that is, the possibility of extending HIPAA or
HIPAA-like coverage to currently non-covered entities, and then we would like
to explore those issues with you.

The first of our witnesses on this panel is Dr. Eric Light.

DR. LIGHT: Mr. Chairman and the committee, thank you for letting me speak
with you today. An apology. Apparently we had trouble with electronically
transferring files from Italy and the U.K. to you. That is why you received our
remarks so late.

Also, as I listened to the testimony this morning and the questions that
were asked, I realized that I may be raising more challenges than providing
solutions. So bear with me as we try and bring you into a different world,
those people who are health care providers, not in the traditional mold, and
with many clients who want to opt out of the system you are trying to control.

What do you do when you have — we will separate this medical spa world
into two different categories right now. One would be aesthetic medicine where
the medical spas you quite often see on the street are advertised, and also
what we would call lifestyle medicine, or the lifestyle medicine spa.

In the traditional classic medical spa, you see minimally invasive services
offered by physicians or under the supervision of physicians, so there is a
complete understanding of HIPAA and the need for privacy and for patient
records. As this expands, we are seeing greater interface with the medical
world, because patients are moving from minimally invasive services into the
operating rooms of plastic surgeons or cosmetic surgeons. So there has to be an
exchange of data.

We also see an interface where a spa may be offering pre and post
treatments to a surgeon to improve patient outcome. Where is the
confidentiality of that record, where is the control of that record, what
rights do the patients have when they move from a spa world into a medical spa
world. That is an interface that we are concerned with as we look at it.

The second category is probably more problematic, that is, the lifestyle or
wellness medical spa, which may operate under the supervision of a licensed
physician, but will also be operated under the supervision of a naturopath or
homeopath or physiologist or psychologist, all of whom are working within their
scope of practice, but who do not necessarily provide traditional services or
traditional treatments, are quite often shunned by the medical establishment,
the insurance companies, corporations, although that is changing, fortunately,
but because they have been shunned are loath to share their data with the
traditional industries of medicine, and also who have clients who have opted
out of the system to these complementary and alternate practitioners, and are
also loath to bring their data back into the mainstream.

The distinction is that these facilities look at preventive care rather
than acute care. It is preventive medicine rather than reactive medicine. The
crisis point comes when a client does go into an acute care need. How do we
transfer their preventive medicine data to the acute care system?

We don’t have an answer for that right now. We have recognized the need to
come up with a solution. We have also recognized the need to create an
interface that solves the needs for both the practitioner and the client. It
hinges on client control of data. Since they have opted out of the traditional
system, they want to control their data more than the traditional patient in
the medical world. So we are very cognizant of that, and that is why we are
surveying practitioners, facility owners, their clients, manufacturers and
particularly computer software manufacturers to see if we can create an
interface that is viable.

We are going to need your committee’s assistance in doing that, because we
need to know where the connection points are and what you envision doing with
this data.

The system I heard this morning from our colleague from Walmart was very
fascinating to me, because it does talk about client control. It does talk
about the client being able to enter the data rather than a physician or
medical office. When we start looking at things that way, I think it becomes a
much clearer alternative.

In the short term, we practice medicine a little bit differently, as I said
in my remarks. We had a woman who came to a clinic because her doctor had her
on painkillers and muscle relaxers, and she was getting gastric problems, and
she didn’t like the gastric problems. In the course of the interview, the
physician assistant moved her purse aside, and it felt like she was moving a
rock. This was an older woman who put her life into her handbag. It was weighed
out at being 9.2 pounds. No wonder she was having shoulder problems. So they
got her a fanny pack, they got her into massage therapy, and they sent her
across the street to the golf center to have her golf swing worked upon.

Now, in the definition of medicine we had a problem, diagnosis, treatment,
solution. She is off painkillers, off inflammation. Her golf swing is better.
Four weeks after coming off of pain medication she won her first tournament. We
have a very satisfied patient.

A woman who gives up smoking puts on 40 pounds, has difficulty walking now,
wants to go back to smoking. Instead, she came to a spa where she was given a
simple metabolic test, FDA not approved, but permitted, done not by a licensed
practitioner but by an aesthetician, diagnosed at a certain metabolic rate. She
was put in a biooxidative bath, something that is not often found here in the
United States, but is used throughout Europe, Asia and the Far East. The idea
was to speed up the detoxification from the nicotine. She was also put onto a
weight management program. She was given massage therapy to balance out the
piriformis muscles in her back. At the end of the day she was also given a
manicure and a pedicure as a reward for giving up smoking, which meant that she
stayed on the program.

Is that medicine? We had a cured patient, but it does not fall within the
categories you have been discussing today and discussing I’m sure over the past
few months.

We don’t have the answers or the solutions that you might be looking for.
We do know that we have a need to interface with your traditional forms of
medicine much more clearly. The International Medical Spa Association has
already started a dialogue within its industry.

We don’t want more regulation, we want solutions. The problem we have run
into is that HIPAA has been used as a weapon against us. We have a situation in
Hawaii where a resort corporation forbade its aestheticians and massage
therapists from asking health questions which might have revealed
contraindications to services. Their legal staff told them that they did not
want to fall into HIPAA requirements.

Unfortunately, since they took a release from the client, the court said it
was a — that obviated the need to follow the standards of practice. The upshot
was, a woman who had never been to a spa before was given a seaweed wrap, but
since nobody asked her if she had any allergies and nobody understood that she
was allergic to iodine, she went into anaphylactic shock. A life squad was not
called in time, and she died. A simple seaweed wrap.

We can’t have that happen. We can’t have corporations use HIPAA as a weapon
to prevent good care. The court’s decision is being appealed. We are actively
involved in that appeal. I’m sure you are puzzled by how that could happen; so
were we. But this is why we are concerned about the interface between what we
do and HIPAA and any of your information —

DR. ROTHSTEIN: Excuse me. What are you appealing? The award of damages?

DR. LIGHT: No, what we are appealing is the idea that a release form from a
client could supersede the need to take an effective pretreatment evaluation,
in other words, a health questionnaire. The court decided that the technician
who was dismissed because she asked a question was fairly dismissed rather than
unfairly dismissed, because she wanted to defend her licensure.

DR. BERNSTEIN: What was it that prevented the spa from asking these
questions in the first place?

DR. LIGHT: They had been asking the questions and the resort’s attorneys
said, oh no, that is violating HIPAA policy because we can’t manage the health
data, so they were no longer allowed to ask health questions.

DR. BERNSTEIN: And the attorneys wanted to avoid becoming a covered entity
somehow by collecting medical information?

DR. LIGHT: Even though this was a resort and the data was destroyed
immediately upon the person leaving the spa. It made no sense. I can see your
faces, and you are shaking your heads, but this is our reality.

DR. BERNSTEIN: Unless they are taking insurance they are not covered,
right?

DR. LIGHT: Of course not. But why did they feel the need to take that step?
And it did happen.

I think in the short, since you have my remarks, and I hope the committee
will allow me to expand and extend them based on what I heard this morning and
not getting them to you because of electronic issues, that in the gist is what
we are here for. So more about questions for you than solutions from me. I kept
it short, so you are back on time.

DR. ROTHSTEIN: Thank you so much. I will take the golf lessons and all the
other stuff that you are offering as well. We will I’m sure have questions for
you.

Our second witness is Mr. Marquis.

MR. MARQUIS: Good morning. Are you going for the seaweed wrap as well as
the golf lesson?

Mr. Chairman, members, thank you for the opportunity to be here today. I am
here to talk about concierge medicine. When Maya spoke to me about coming here
today, as she will recall, I was concerned about the fact that I didn’t know
anything about HIPAA. I was even using the wrong acronym, as one of my partners
reminded me. But I have learned a little bit since we spoke, Maya, and I think
I have learned enough to help the committee understand where concierge medicine
fits in this puzzle.

You do have my written remarks, and I won’t restate those, nor will I
necessarily follow them here.

There is one important thing you need to understand, and that is, there are
two kinds of concierge medicine, a term that really is used rather loosely,
particularly in the last three or four years. As types of physician practices
have morphed into different kinds of physician practices, different things have
been added, different things have been tried, yet they all seem to fall under
the rubric of concierge medicine. It is not really fair to think there is
something out there that is concierge medicine and should or should not be
covered by HIPAA.

As I said, there are two distinct kinds of concierge medicine. Many of you
have heard perhaps of a company in Florida called MDVIP. This was the biggest
mover today in one type of concierge medicine. I call this type of concierge
medicine a fee for non-covered service or FNCS type of concierge medicine. It
is very distinct from the second kind that I will describe to you.

Most of the national controversy about concierge medicine is around the
FNCS style of MDVIP style practice. The controversy initially arose in 2002 as
to the question of whether the physicians practicing this kind of medicine were
in violation of the Medicare rules, because they were charging —

DR. HOUSTON: Could I ask a question? Could you give a simple example of
what is FNCS? Just something so I can get a vision.

MR. MARQUIS: In that type of model, the patient pays the physician directly
a certain amount of money, usually $1500 to $1800 a year. In exchange for that,
the traditional form of this FNCS style practice, the physician would agree in
exchange for that payment to give the patient a palm pager number, phone
number, next day appointments, no wait appointments in the office, and shrink
her practice down to 400 to 600 people, usually 400 people, 400 plus. So you
have got a 3,000 patient physician going down to 400 to 500 patients in
exchange for the money, which is paid in exchange for these, as I call them in
my testimony, enhanced services and enhanced access to the physician.

That controversy erupted in 2002 because of the Medicare issue. If these
physicians were still in Medicare, participating physicians, on the one hand
they are accepting Medicare reimbursement and on the other hand accepting
direct payments from the patient. In a perfect world there is something
inconsistent with that.

Tommy Thompson concluded in 2002 that there wasn’t anything inconsistent
with that. I think that is a correct conclusion on his part. The services for
which this money was being paid are not covered by Medicare. They are not even
medical services covered by Medicare. Some writings since that time have
indicated clearly that there really is no conflict between that type of
practice properly run and Medicare rules as we currently understand them.

The reason it is important to understand the two kinds of — for your
purposes, two kinds of concierge practice is that these physicians are already
subject to HIPAA. Of all the concierge doctors in the country, I would say 80
percent plus are practicing this kind of concierge medicine, and they are
already covered by HIPAA. They bill insurance, they bill Medicare, and I think
by definition as a result they are included.

The second kind of concierge medicine is very different. In fact, I will
describe to you very briefly how that is about to morph into something that
really does not deserve the name concierge, which is not the greatest word in
the world to describe a medical practice, and everyone recognizes that.

I call this type of practice the fee for care model. The primary player in
this field today, the most prominent, is Dr. Garrison Bliss in Seattle.
Garrison has been practicing this type of medicine for around eight to nine
years. It is not so much a concierge model. It is not so much that the patient
is paying for extra access, although Garrison’s practice is 800 to 900 people,
which is half of the normal primary care physician practice. But the fee that
he charges, and Garrison charges on a monthly basis, is for primary care. So
when a patient agrees to pay this type of physician an amount of money, and
some physicians charge an annual fee, some charge a monthly fee, that fee is
really in exchange for medical care.

Now, most of us who practice in this industry believe, and I think it is an
absolute truth, that you can’t be in Medicare, you have to have opted out of
Medicare in order to practice this kind of medicine. Garrison Bliss and others
who do practice this kind of medicine have opted out of Medicare. They do not
bill insurance companies. Some try to stay on the panels for referral and out
of network purposes, but all these physicians do not bill — none of these
physicians, I should say, bill insurance companies and they don’t bill
Medicare.

If you are a family practice physician, and almost all of these physicians
are family practice or primary care physicians, you get in exchange for your
payment whatever that physician can offer you. If he is an internist, you will
get internal medicine, you will get your babies delivered, you don’t get your
cut sutured up necessarily. If you are a family practice physician, then you
get whatever is within her scope of training and experience in exchange for the
money you pay.

Now, my written comments only refer to one specific part of it. On the next
to last page, there is a quote of the GAO report which was issued in August of
2005. Congress wanted to know if concierge medicine, the FNCS style of
practice, was interfering with Medicare and the access to health care by
Medicare covered people.

The GAO studied this and determined there were 146 physicians in the
country out of about 450,000 who were practicing that kind of medicine. I think
that was an underestimate, although they tried to do an exact count. There are
certainly more than 146. MDVIP has more than that itself, and there are a heck
of a lot more of those physicians than are working with MDVIP, but they are
already covered by HIPAA.

So what about the physicians that aren’t covered by HIPAA? Theoretically
the fee for care models are not because they don’t bill insurance or Medicare.
I think most of them probably already comply, but I’m not sure they have to.
But the comment made by the GAO was, there aren’t enough of them to even worry
about. There is no point in this.

I make the same point about the fee for care model. I would estimate there
aren’t more than 25 doctors in the whole country that are running that kind of
model.

In closing, I’ll point out that there seems to be a movement in that form
of concierge medicine to something that is really quite interesting. You have
to look to West Virginia and the legislation that was enacted there to
establish a pilot program for so-called concierge medicine to provide care for
the uninsured. That is one of the stresses that Garrison Bliss is attempting to
instill in his practice as well, is the extent to which you can provide primary
care for uninsured people for a relatively small amount of money. In fact, Dr.
Wood as I mentioned in my written testimony estimates that he would have to
charge $83 per month per patient in order to provide 100 percent of their
primary care throughout the year.

So in short, I am here not to give you a magic reason why you shouldn’t
extend the HIPAA rules to every physician, but I can tell you that there are so
few of them currently out there that are not covered by HIPAA, I’m not sure it
is worth much of your effort.

Thank you.

DR. ROTHSTEIN: Thank you. That is a very interesting development that we
would like to explore with you in a few minutes.

Our third witness on this panel is Tracy Powell on a totally different
aspect of health care.

MR. POWELL: And I have got to start by telling you I am a little intimidated
here, and out of my league. I don’t have a J.D., Ph.D, M.D. behind my name. I
run a small business. The comments that I have, I am going to parallel pretty
much what I submitted, because if I can keep it brief enough, I think it is
important that you understand what part of the world we come from.

When Maya called me, she said we understand a little bit about your
company. We have heard that you guys do things right with respect to privacy
and confidentiality. Just to show how naive I am, she talked about HIPAA and
she said, you are not covered by HIPAA because you don’t do insurance billing.
I said, I thought we were covered by HIPAA. So needless to say, I’d like to
take credit for us being good corporate citizens and having done this HIPAA
compliance on a voluntary basis, but the actuality is that we believe that it
was legally and otherwise important for us and imperative to implement HIPAA
into our business.

I think it is important that I help the group here understand what our
business is all about, because it is a little bit different, and why we are so
focused on privacy and confidentiality. In fact, our business is built on
privacy and confidentiality.

The very first system that we developed, and we started our company in
Chicago in 1993, and the very first offering that we wanted to bring to the
market was to provide a solution to a public health need. In the late ’80s,
early ’90s, people were at risk for HIV but they feared going to the doctor or
a clinic because they didn’t want to be identified for even taking a test. So
literally, some people died of embarrassment, and that is just not the right
thing. So we said there ought to be a way that you can develop a systematic
approach that would allow a very high level of privacy and confidentiality
accuracy with respect to testing, and we did just that.

So we developed the Home Access to HIV-1 test system. It was approved by
the FDA in 1996. I want to take you through it very briefly so you understand
why this thing is private and what we think about it.

The very first thing we did was, we said, in order to protect people’s
privacy and confidentiality, what is the best way we can do it? The best way in
our opinion was, provide then an anonymous system. So we built a system that is
predominantly — there are components in here so that you can prick your
finger, you put blood onto a card, you send this in with a prepaid mailer.

But the most significant component in here is this card, because this card
has a code number, and it allows a community to anonymously — informed
consent is as simple as signing a number. There is an 11-digit number. You
enter that along with your date. We instruct you to give us a couple of drops
of blood. We then ask individuals to tear off the bottom part of the card. That
is their anonymous code number. That code number then gives them access to a
medical record. We ask them to call our system and enter that anonymous code
number. That creates a medical record.

They then send this sample in. We test this. By the way, we test it at 100
percent sensitivity and 100 percent specificity for an FDA claim of greater
than 99.9 percent. So this thing is really bulletproof accurate.

Someone then calls back for their results. They call an 800 number and they
access this personal identification number. They get their results. If they are
negative — on an automated basis so that it is very convenient, unobtrusive.
In the event that an individual is positive for HIV, an infective, deadly
disease, that call is transferred 100 percent of the time to CDC, client
centered counseling related counselors that are under our medical director’s
supervision in our call center, and they tell that individual what their status
is, and they provide them with referrals and assistance to get them into
follow-on care. They don’t know the individual’s name, but they know a lot of
information about the individual, because our system asks people to opt in to
give us data. That data includes demographic as well as risk data. Eighty
percent of the people who volunteer through our system provide us that kind of
data. So we get very rich information. When our counselors are talking to
somebody that is positive, they know where they live in most cases, what their
sex is, what their risk factors are, et cetera.

So this is an anonymous system. In my view, this medical system provides
the utmost in privacy and confidentiality.

Next up, however, our friends in the public health world came to us. You
remember hepatitis C in 1998, the Surgeon General said that hepatitis C was the
silent epidemic, four million Americans infected with hepatitis C, and
virtually none of them know it. So we developed a system in collaboration with
some public health partners and the like.

One of the things that we learned that public health needed was, they
needed to identify people, because what good does it do if you are out trying
to deal with an infectious disease if you don’t know who the individual is, you
can’t counsel that individual, and/or you can’t communicate with that
individual about their results.

So we built an add-on to the system to allow for confidential testing as
well as anonymous testing. In the case of confidential testing with our
company, it is 100 percent opt in, so we are not getting information from
individuals that haven’t allowed us to use that information. We are highly
protective of that information, because again, we comply with the HIPAA
compliance.

We implemented HIPAA compliance into our good manufacturing practice
procedures. That was in 2003. Most recently, we are now developing a new
methodology, a new platform that is similar, but we are separating red blood
cells. So it is a couple of drops of blood, but we separate red blood cell from
serum. So with the new platform we are looking to help screen and avoid common
chronic diseases like diabetes, cardiometabolic disease, cholesterol related
heart disease, et cetera, with a highly accurate mail-in test that can either
be anonymous or confidential, depending on the venue. In other words, the
public health department we will use confidential. A consumer, if you go to
retail and you want to buy this, you would probably prefer to have an anonymous
type test.

DR. ROTHSTEIN: Like the HIV test.

MR. POWELL: Like the HIV test and like our hepatitis C test. You can either
get it anonymously or confidentially, again depending on the sponsor and what
the venue of service is.

So in conclusion, I can’t offer this panel nearly what others can in terms
of depth for regulatory systems, legal, et cetera. I can tell you from a small
business guy’s perspective that I think anonymous testing is a service that has
been needed and will be needed, because there are people that won’t test, that
won’t give their information unless you provide that sort of convenience and
courtesy.

Confidential testing, we are absolutely committed to doing it. With respect
to new laws that may come into effect, whether or not they would impact us,
even if there were a new law on national health information and it didn’t apply
to us because we were not doing insurance related billing — although we are
probably going to be doing that too, but even if we weren’t, we would comply
with the law, because we think it is the right thing to do for our business.

But I will say this. As a small business, I think what is most important is
that you look to develop a system for connection, compliance, et cetera, that
is as simple as possible for adherence on the small business side. I think it
also needs to be one that is least amount of onerous cost, et cetera.

Those are my thoughts. I think you guys have a monumental challenge ahead
of you. With that, I wish you all the best of luck. Thank you again. I am
honored to be here on behalf of Home Access.

DR. ROTHSTEIN: Thank you for that assessment, which we share. Now our final
witness on this panel is Mr. Jon Almquist. Welcome.

MR. ALMQUIST: Thank you very much. On behalf of the NATA, the National
Athletic Trainers Association, thank you for allowing me to come and talk to
you today. We are an association of 30,000 licensed and certified athletic
trainers.

Again, my name is Jon Almquist. I have been an athletic trainer for 24
years. Currently I am the athletic training specialist at Fairfax County Public
Schools, which is the 13th largest school system. We deal with approximately
25,000 student athletes a year that we are providing health care for.

Let me first explain a little bit about what the athletic trainer is,
because we are in an identity crisis with our profession, and there is a lot of
misunderstanding in the public with regard to the term trainers. We are
athletic trainers, not just simply trainers. We don’t want to be confused with
the dog trainers, the lion trainers, and more importantly the personal trainers
who deal with getting healthy people stronger and faster or lighter and
quicker.

We are certified athletic trainers who deal with the prevention of athletic
injuries, the evaluation, the assessment, the treatment and the rehabilitation
of athletic injuries.

Athletic trainers must have a four-year degree or a bachelors or a masters
degree and then sit for a national certification exam. In 44 states we are
regulated. For example, in my state in Virginia, we are regulated by the board
of medicine. We are all licensed in that state to practice the art and science
of athletic training.

Approximately half of the athletic trainers work in the secondary schools,
colleges, professional sports, and the other half work in hospitals,
physicians’ offices, clinics and corporate wellness centers and other specialty
settings.

I have served as chair of the NATA Secondary School Committee for ten
years. I just got off that ten years worth of service. With this background I
would like to speak to you about the delicate balance between the FERPA and the
HIPAA privacy issues and how they impact the student athlete in the secondary
schools.

The whole issue of privacy in our setting can be very frustrating. In order
to provide appropriate care, there has to be a dialogue between the treating
physicians, which aren’t always the team physicians, in high schools as they
are in colleges. We could have 150 students we are dealing with in any one
week, and they could have 125 physicians that they are working with as far as
their primary care.

The communication between all these health care providers is essential to
providing adequate care. What we find is that there is a misunderstanding or
sometimes it is just a fear that nobody can speak to anybody. That is a concern
that is detrimental to us providing health care to our athletes.

The NATA doesn’t have a policy or position statement regarding which rules
to follow, whether it be HIPAA or FERPA, but we leave it up to the employer,
whatever the athletic trainer is employed by, their privacy rules and
regulations, that is what they should follow.

Within the secondary school setting where athletic trainers are employed,
there are two primary employment models. One is when the athletic trainer is
employed by that school, paid for by school board funds either as a fulltime
athletic trainer or an athletic trainer and also a teacher. Usually they get
paid for the athletic training duties in a stipend form.

Their employer is the school, and all the records are created by school
employees, and therefore it is pretty much a no-brainer, it is a FERPA issue.
But when it gets a little foggy is when the athletic trainers are employed by
the local hospitals or clinics or physicians’ offices, and then they are
providing care to the athletes in the high school. Sometimes there is a
monetary fee that is paid and sometimes it is paid through the clinic. That
subsidizes the athletic trainer’s salary within the clinic hours that they work
within the clinic walls, and then they go out to the high schools in the
afternoons and take care of the student athletes. Sometimes they are paid
directly by the school in stipend form, so they will work for a clinic for a
very small salary, ridiculously low, to be honest with you, but we are working
on trying to raise those. Then the supplemented stipend would then supplement
their overall salary to make a go at it for an annual income.

Then there are situations where as a clinic employee that is a HIPAA
covered entity without a doubt. But then they go into the school and start
creating documents there, and there is a fuzzy area of who owns what.

I say this, because we have dealt with the issue quite extensively in our
particular system. We have two division attorneys on staff and we have been
looking into this quite extensively. But the stories you hear from outside from
all over the country as the chair of this Secondary School Committee, the
consensus is that there is no consensus. That is where some of the issues crop
up.

So the bottom line is that when we are an employee of two different
entities, one is FERPA, one is HIPAA, where does it cross over, where are the
dividing lines, where are the Chinese walls, is what the attorney that I spoke
with mentioned.

So these are some of the issues that we have dealt with.

DR. ROTHSTEIN: Thank you very much. I want to thank all four of you for
keeping us on time and on point by focusing in on the issues that we asked you
to address.

I know we all have questions. We are going to go in reverse order from the
first panel and start with Leslie, and give you the first question. Are you
with us?

DR. SCHMIDT: She did mention when I spoke to her yesterday that she might
have to teach a course today.

DR. ROTHSTEIN: Okay, professors also sometimes work for ridiculously low
salaries, but they still have to do stuff.

Simon, would you like to begin?

DR. COHN: Sure. I want to thank you also. I thought that was very
interesting testimony.

I just wanted to clarify with you, Eric, as well as Jon, the perspective
that you are providing. As I was trying to divine the reason for your
testimony, it appears that the reason that you are not covered entities is
because there is no insurance transactions? There were absolutely no
transactions that occur? It seemed like there was a mixture in some of this
stuff.

DR. LIGHT: We have a mixture. The problem is that we have various models of
medical spas. Some are located in hospitals, some are located inside an
existing physician’s practice. So in that case, they are operating within
facilities that are covered by HIPAA. The recordkeeping is in conjunction with
normal practices inside the medical institution.

But when you start looking at adjuncts, when you start looking at
facilities outside of the traditional medical model, is where we start running
into questions. It is not so much the question of whether it is covered or not,
but more about the interface. That is what my concern is, is where does the
interface come along.

Let us assume, for example, that a medical massage therapist, and I use
that term particularly, because for example in Ohio, a massage therapist has a
limited medical license for the practice of massage. One of two states,
Washington is the other. Let’s say that massage therapist has a practice where
patients or clients are referred by physicians. The physician may be charging
that client an extended fee because there are some adjunct therapies involved.

The medical massage therapist may be issuing records that that patient
themselves can then submit to an insurance company. Where does HIPAA come in
there? Where does the confidentiality come in, but more importantly, where does
the interface of data come in, not only between the physician and the
therapist, but as you talk about this global model, how does that patient’s
data go into the global model? What I heard this morning was that the patient
could have control of the place to get into the model, and that is important.
They can go and scan their record into the back, and that would be useful.

The wellness medical world, part of which is anti-aging medicine, but has a
lot to do with endocrinology, has a lot to do with preventive rather than
reactive care. What does happen when a patient has to transfer from preventive
into acute care, and how does that data move from one world to the other?
Again, it is not a question of whether HIPAA applies, but it is a question of
the interface. When you look at your models, I ask that you think about and
help us understand where the touch point could be, how can we work a system in
such a way that those people who have been shunned by the traditional medical
community as being out there in that far out third world medicine, which has a
5,000 year history of operating, how do we interface into the traditional world
of recordkeeping?

Understand that in China, the physicians are paid only when the patient is
healthy. The minute the patient gets sick, the physician is no longer paid.
That is the antithesis of our system, but that is where a lot of consumers want
to be. They are willing to pay the physician to be well and resent the fact
that they wind up sick.

CDC data says that 35 percent of Americans suffer from a preventable
lifestyle-related disease, and 24 million of them will die from the disease. If
a woman breaks her hip and goes into a nursing home for longer than six months,
there is a 40 percent mortality rate. Why not take calcium? Why not get a
metabolic test at a spa that can show you where you need to build your
supplements? But that is medicine.

DR. BERNSTEIN: I think the question that the committee has is less about
the legitimacy of the practice, but what in practice for these kinds of
caregivers — what is the practice with respect to how they keep and guard the
information that they do collect. They are collecting information, some of
which can be characterized as medical information. What is the general practice
in your experience in the medical spa community with that information? What
happens?

DR. LIGHT: In many instances where it is within a traditional medical
practice, it is following electronic guidelines. Most of the practices outside
that world still work in a paper system. They are taking personal notes.

There are some new technologies which now intake via PDA into some new
software that is coming, but it is mostly paper. I will share with the
committee two forms that I have picked up from suppliers.

DR. BERNSTEIN: Maybe you misunderstood the question. What I am asking is
not what is the technological practice, but what is the practice with respect
to protecting the information, what rules apply, what self imposed policies,
ethical rules and so forth.

DR. LIGHT: There are no rules within the industry. Outside of those covered
by HIPAA, there are no rules within the industry. We are working to help
develop guidelines, but there are no rules. Most people use a common sense
approach and say, we lock these things up under key, because our clients expect
a certain degree of confidentiality, but there are no fixed rules.

DR. ROTHSTEIN: It seems to me, just to follow up, that from your seaweed
example, the industry would be opposed to any sort of regulatory system that
tended to require the suppression of important information.

DR. LIGHT: That is correct.

DR. ROTHSTEIN: Even though we discussed that it really didn’t in this case.
Would it be fair to say that in exchange for this open communication that would
value the practitioners in these spas, that the industry would be prepared to
have itself covered under some reasonable regulation to try to protect the
privacy and confidentiality of the information? Conceivably a result would be
more customers would be inclined to avail themselves of your services.

DR. LIGHT: I’m not sure I can speak for the industry as a whole, because it
is so varied. I think that there is a movement towards the medical spa, the
wellness center, as the alternative to conventional health care. This question
has not been adequately addressed. I think that the dialogue is ongoing right
now. It started partly because of your invitation, but had been started prior
to that and how we manage records.

We are hoping to come up with some codified system. It would most likely be
on a voluntary basis, because we have no means of enforcement. But the fact
that we would consider creating standards and looking to people to accept them,
because consumers want them to be accepted, is I think where we are going.

DR. ROTHSTEIN: Mr. Marquis, same basic question.

DR. FRANCIS: I wanted to follow up on Mark’s question as it gets back to
both of you. It seemed to me from what I heard that there were two different
kinds of questions. Mark’s question suggested how they were related.

The first kind of question concerns the current HIPAA regulatory regime,
which is, is it creating for you problems in getting access to information,
most particularly because there are covered entities that can’t share rather
than because within your shop there are misunderstandings?

That is one set of questions. If we are charged with looking at the HIPAA
privacy protection rules, we need to know whether they are creating
unanticipated problematic consequences for the quality of care that you get.
That is one thing.

The other side of the question is what Mark was pushing on. The question
for us is, should we be thinking about recommending some expansions of privacy
protection for the kinds of records that you all have. In which case, the
question of would you be willing to accept some of that in exchange for the
benefits that you get is an important question, but also, are there features of
what goes on where you are that would be different that would need to be borne
in mind with respect to the question of extending privacy protection, like
decentralization, for example.

Did that make sense?

DR. ROTHSTEIN: And that was directed to Dr. Light?

DR. FRANCIS: It was actually directed — what I was meaning to do was to
say that as we look at both athletic trainers and medical spas and other kinds
of entities that currently maintain health information, but that don’t come
under HIPAA, what we need is to know both the problems that HIPAA is now
creating for them, not because of misinterpretation, and the question of
whether there are special aspects of their circumstances that it is
particularly important for us to know about in terms of expanding or thinking
about whether HIPAA protections ought to be expanded.

MR. MARQUIS: Mr. Chairman, could I take a shot at that?

DR. ROTHSTEIN: Please.

MR. MARQUIS: The gentleman on my left, Tracy, made a point earlier
regarding being a small business person or starting a small business, and the
difficulty of meeting all one’s legal and other expectations financially and
maintaining a viable business.

I want to relate that to the Dr. Woods situation in West Virginia. I think
that it is true that to the extent that a physician does not bill insurance
companies or Medicare and therefore would use electronic media billing, they
are not covered by HIPAA.

Now, to the extent that the Dr. Wood type of practice that is simply a cash
only, would not be covered by HIPAA, to require HIPAA compliance to the extent
that that would increase the cost of Dr. Wood’s doing business, would be from a
business standpoint unfortunate for Dr. Wood.

I think that Dr. Wood would tell you that at $83 a month for helping
uninsured people find health care, he is on a shoestring, and his margin is
very, very small. To the extent that he is not covered by HIPAA, to require him
to do something extra that he is not now doing, and I don’t represent Dr. Wood,
I’ve never met the man, I have read articles about him, but to the extent that
he would have to do something that he is not doing now that was going to
increase his cost could have an adverse effect upon the viability of the
practice that he is trying to maintain.

I think that is the point that the gentleman here was making about imposing
an extra requirement on his business, which would simply add to the cost.

DR. ROTHSTEIN: But just a followup. In the concierge world, correct me if
I’m wrong, there are various motivations why physicians would want to embrace
this model. Frustration with all the paperwork, they can’t give adequate
treatment in such small time blocks and so on and so forth.

Am I correct that avoiding HIPAA responsibilities in the very few
practitioners that would be so affected is really not a motivation of these
physicians?

MR. MARQUIS: I think that is correct to say.

DR. ROTHSTEIN: So if we were to continue our recommendation that HIPAA
style requirements applied across the board, there would not be this huge
outcry of anguish from Seattle, right?

MR. MARQUIS: I can’t speak to what Garrison Bliss might outcry to. For all
I know, Garrison is already HIPAA compliant. I have no way of knowing. He is a
very sophisticated physician and runs a very sophisticated practice.

DR. ROTHSTEIN: And covering him may have no effect because he may be
compliant for all we know anyhow.

MR. MARQUIS: Yes. I do know, although I don’t have any dealings with the
physicians, there is a fairly large organization of physicians, the cash and
carry, the retail type physicians, that have nothing to do with concierge
medicine. They are just, I’ll see you at the door and you pay what is on the
wall.

DR. ROTHSTEIN: The doc in the box.

MR. MARQUIS: Not necessarily. These are private practitioners that are just
cash and carry, who are very adverse to HIPAA, as I in my studies in the last
two weeks have revealed. But I don’t represent those people.

But I think the basic premise is correct. A motivating factor for
physicians getting into the fee for care model to my knowledge has never been
avoiding HIPAA.

DR. ROTHSTEIN: Thank you. Harry, you have been patient and John as well,
and then we will get to Paul.

MR. REYNOLDS: Thank you. One thing about being on this committee, you get
to learn. I thought all of your testimony was excellent.

If you look at three kinds of entities that we are dealing with, HIPAA has
covered entities so those are clearly defined in the industry and everybody
understands that. We have looked at this whole new world of the Nationwide
Health Information Network and other things, and technology vendors. Those of
you who were here this morning, you heard how data is going to go from one
place to another, and the person who touches it may have nothing to do with
HIPAA, but they have the key information.

Then the third is this set of caregivers and advisors that are involved
with dealing with people that are really not what would be considered a HIPAA
covered entity, may not be an insurance covered entity, may not be a medical
covered entity. You have laid it out clearly as to what it might be. I was
interested from a standpoint of dealing with the schools. You may be one of the
few caregivers that some of these people actually see as a medical trainer,
because some of these kids might not be going to the doctor regularly, but they
are playing sports and they are seeing you every day. So that is another
environment as you try to improve care for the uninsured, you guys are a first
line of defense.

I think the key point is, as we look at all three of those, in the end if
you are looking at the person, the person has personal health information.
Let’s forget the HIPAA definition, that is personal health information to them.
What we are trying to do, whether HIPAA would be advanced — and I know HIPAA
covered entities is a big deal to a lot of people. Having been a payor, I
understand it, I implement it, so that brings a whole lot of things to the
table, and for small businesses and others that brings a whole cadre of things
you have got to do and expenses and other things that are outside the norm.

We have a sense that if somebody touches somebody’s personal health
information, they should protect it. If I played off of the testimony this
morning, the idea of the bankruptcy, the idea of selling off to somebody else
who could get the member list, could get the documents there that are key, I
would just like you to quickly say whether or not you also feel that it is
protected health information and that it should be protected for the
individual, is really what I am looking at, if you could expound on that in any
way.

Again, it is about protecting the information. If we go into a nationwide
health information and we pulled in things like the spas — in other words, if
I am a patient and I say I want my full record and by the way, I’d like the
health from the spa, now it comes into a whole new world of protected.

One of the things that we are trying to look at is protecting this
information, and right now HIPAA only went to a small administrative group of
people. You are absolutely in many cases not anywhere near that. So we are
trying to look for some kind of way to move the ball. It may not be to hand you
HIPAA, but it has got to be something to insure that that person feels that
their information is protected.

DR. LIGHT: In answer in part to your question, yes, there is an absolute
requirement that peoples’ information be maintained confidential. To what
extent people are enforcing that or what procedures they use is unclear,
because there is so much differentiation, but it should be protected.

The place we run into more difficulty with is not the information going
upward through the food chain, but coming downward, where people say you are
not a HIPAA kind of place so we are not going to share — you don’t qualify
under HIPAA so we shouldn’t share that information downward, where it is just
as critical to have.

So if there is anything I would like you to consider it is that it is a
two-way street, and that HIPAA should not be used as a barrier for sharing
information to non-traditional practitioners.

DR. ROTHSTEIN: They could share it with you, but if they assumed that you
are not engaged in treatment, then they would need some sort of release or
authorization from the individual.

DR. LIGHT: Right.

DR. ROTHSTEIN: So if you were considered in a treatment relationship under
the HIPAA principle of treatment disclosures, then they could do it. It would
depend on what services you were providing, whether it is massage therapy or
golf lessons or whether it would qualify. But I think your point is well taken.

MR. POWELL: I don’t know if I really completely understand the question or
HIPAA for that matter, but I can tell you that in our case, we absolutely as I
said earlier believe that the individual has to be assured that that
information is protected.

So again, this may be naive, I flip now to say yes, I think there is an
issue with respect to costs for small business, no question about it, Jon. You
have got to bear in mind how onerous is it for that individual to implement
something the likes of which HIPAA. But now from a small business, where is the
good in my view to have a standard that you can have a system that is trusted,
I think there is a lot of goodness in that.

I don’t know if I want to extend that beyond HIPAA all the way into the
national individual health system because frankly, I don’t know how you control
individual coming from so many disparate systems. My brain fries trying to
think through it.

But that said, and I don’t know if I answered your question, I believe very
much in protecting individuals’ information. If there are systems for
reasonable costs on the part of small business to build connections,
interfaces, compliances with that, I am all for it.

MR. ALMQUIST: If I may, the certified athletic trainer through their
education is well aware of the importance of privacy and confidentiality
amongst their care and their records. But we do have that misunderstanding.

I understand what HIPAA is supposed to allow in transfer of individual to
two medical professionals providing care. But the problem is that the
physicians’ offices are running so scared that instead of allowing that, they
just say no to everything, and that compromises overall care.

So if there is a new reform, that it would be spelled out a little more
clearly perhaps. I know when this first hit the press it was a lot of
misunderstanding and everybody was running all over the place. Maybe that is
what caused all that tightening up, and they never let go. But if that could be
addressed with regard to making sure people understand that you can share
information amongst two people providing care, that would definitely help in
our situation.

DR. ROTHSTEIN: Thank you for that point. That has been one of our mantras
for the last five years, the need for education among providers as well as the
public.

DR. FRANCIS: I found that to be helpful. I also found points to underline
and think about more the question about the interface between the HIPAA regime
and for us.

DR. ROTHSTEIN: The question, Leslie, was raising the interface between
HIPAA and FERPA. That was the subject of a hearing that we had in September. It
is an issue that we are not through with, and it is one of great concern to us.

I think Mr. Almquist would agree with the sentiment that we need to resolve
this conflict and the gaps and the overlaps to make the FERPA and HIPAA work
together seamlessly so that information that needs to be protected is, but
people can still do their jobs.

We were concerned at our hearings with school nurses getting immunization
records and that sort of thing. We just heard a new twist on that today.

DR. FRANCIS: Right, I just wanted to bring that up and make sure we didn’t
forget about that.

DR. ROTHSTEIN: No. Thank you for reminding us.

DR. HOUSTON: You answered the question I was getting ready to ask you. It
speaks to the fact that whether it be a trainer or whether it be a school
nurse, you almost fall into the same bucket because you are trying to speak to
physicians about something related to child care. I think we need to make sure
we don’t lose sight of that, regardless of where we lump these two things.

I do have a couple of other questions, one for Tracey. You said you
voluntarily comply with HIPAA.

MR. POWELL: To the best of my knowledge, yes. Don’t ask me how.

DR. HOUSTON: I was going to ask you how much. I was just wondering about
the burdens. Often the issue comes up that the costs associated with HIPAA
compliance is so great that it has a detrimental impact on whomever, and that
is one of the reasons people don’t want to extend the coverage of HIPAA.

But if your company is the poster child for yes, you did it and it made
good business sense, do you have any statistics on what the cost was or what
the effort was?

MR. POWELL: I don’t remember any specifics. I do remember pain. But again,
it was pain that I felt was legitimate.

Just to put it in perspective, you don’t feel pain like you do going
through FDA approvals for Class III medical devices. That is real pain. But
there was a cost burden, both in terms of developing procedures, understanding
what it is all about. Somebody at my organization had to do that, not me.
Somebody had to develop the systems, the procedures, the training, all part of
our good manufacturing practice.

So there is a considerable amount of effort, energy and some expense
related to it. But that said, I am okay with that.

DR. HOUSTON: Do you believe that the value to the business outweighed the
cost in this case?

MR. POWELL: I did, or I probably would have challenged it much harder than
I did. I felt it was something that, if you are going to be mainstream in
dealing with organizations that are covered, and whether we are or we aren’t,
if we are dealing in that world, it was important to us. It was an imperative.

DR. HOUSTON: If I could ask one question of Eric and Mr. Marquis, there is
a group of physicians who have not had to comply with HIPAA because they don’t
electronically bill. Where I see the touch point with HIPAA potentially needing
to apply is where there might be an interest in getting information.

I understand, Eric, part of your testimony was just that, how do you
exchange information, but I am going to ask the question in maybe a little bit
of a different way. With the development of the Nationwide Health Information
Network, there is going to be this body of information that is going to be
readily available.

I am going to make a statement and let you respond to it. I think it should
be appropriate that if you want to participate in NHIN or get information from
NHIN, you need to agree to a set of standards, in this case HIPAA or something
very much like HIPAA that protects patient information and privacy information
and security and things like that.

How would you react to that statement, both of you, in terms of yes, do you
agree? Would it be something that your constituents would be willing to agree
to? Is it something that doesn’t sound right, or does it sound like something
that is appropriate or reasonable?

DR. LIGHT: If you want to be part of the club, you have got to play by the
rules. I think it is as simple as that. If you want to be part of the system or
have access to the system, you have to comply to a set of rules.

Having said that, I don’t want the lack of membership in that club to act
as a barrier to the safety of the consumer or the patient. That is the concern.
So the control, should it be between the club members or should it be between
the person whose health is essential to the whole question, and that is the
client or patient or whatever you want to call them?

But just from practitioner to practitioner, I think there needs to be some
rules. I just hope you will have some flexibility, because our businesses are
so different in how we apply the need, not how we recognize the need, but how
we apply the need.

MR. MARQUIS: That question puts me in a position that I didn’t want to get
in when I came here. I’m not here representing the great body, if there is a
great body of physicians out there who are not covered by HIPAA to state their
position. I am here to describe the small segment of concierge physicians that
likely are not covered by HIPAA, and likely wouldn’t be, to please if they
heard me say they should.

I have not had a discussion with any of them other than a general
discussion over the years about HIPAA generally. Obviously they don’t feel very
kindly toward this when they are charged with implementation.

There is one other — when you mentioned the cost of HIPAA, there is a
retrospective cost that Tracey was referring to. There is also a prospective,
unknown cost. That is, you have created — not you folks, but government, have
created a whole body of plaintiffs out there who could be looking for HIPAA
violations. Not that there is a professional group of plaintiffs looking for
these things, but that is the reaction you get from some physicians; when you
tell me I have to comply with something, I better comply with this or I am at
some sort of risk. I don’t think that risk exists frankly, but you do hear that
from physicians as part of their costs.

DR. HOUSTON: We are whispering over here that there is no private right of
action under HIPAA, but it does raise an interesting issue. If you are
voluntarily complying with something and if there is a voluntary compliance
component to it and you don’t do it, would there be liabilities that would
attach because of that?

MR. MARQUIS: There is a difference between saying there is no private right
under HIPAA and the establishment of a standard the breach of which will create
liability and the standard in a state court might be HIPAA compliance.

DR. BERNSTEIN: I will quickly point out, I was writing a little note to
Mark here, that that is an extremely good point. Just this week someone passed
me a note that there was a North Carolina case, a private suit, in which HIPAA
was used as the standard of care, even though there is no private right of
action.

DR. ROTHSTEIN: Paul Tang?

DR. TANG: I’ll pass, thanks.

DR. ROTHSTEIN: Thank you. Anyone have followup questions? I have asked my
questions.

DR. BERNSTEIN: I wanted to ask Mr. Powell about the confidentiality rules
rather than the anonymity. In the case of anonymity it really is anonymous and
you couldn’t put together the types of data you have, not an issue. The
patients are not identifiable. You might be able to do some research on it, but
if they really are not identifiable.

I wanted to ask you to talk a little bit more about the rules that you said
cover the public health tests that you are doing that have confidentiality
rules that are not anonymous. How does that work? How do those things differ?
Could you just elaborate on that?

MR. POWELL: I’ll try. Let me just say, with the anonymous testing there is
a value to the data. We have provided data at certain times to the likes of
CDC, FDA and others, where we were able to look at demographics. So you could
theoretically look at outbreak areas in a country. So there is some good value
with respect to anonymous data.

The question I have is that going to be thought of as connecting to this,
and it seems like on the surface, no.

What we do in the way of confidential testing when we first started looking
at this, it was predominantly to help public health departments, because they
would say anonymous testing doesn’t do us any good. The reason for that is, we
need to get our hands on these people and we need to get them in to — we need
to do partner notification, we need to try to get them into — you have a
question?

DR. BERNSTEIN: Is that not the case with HIV? There are some states that
require reporting for positive HIV tests too. Why is there a difference between
those other kind of tests and the HIV tests?

MR. POWELL: It is not just HIV. It is hepatitis C as well. Typically, at
least in my dealings with public health officials, they are first and foremost
truly looking to help those individuals, find those individuals, stop the
spread of the disease. How do you do that anonymously? I don’t want to get —
that is a whole other tangent.

So we said, our anonymous system may not be good for you in certain venues.
So we will put together a system that will provide you a confidential and on an
opt-in basis, and it is completely at their volition, do I want to opt into a
program.

As an example, we will do programs in churches. We will do programs in
community outreach centers. So individuals are typically asked by outreach
workers, do you have risks for — I’ll take hepatitis C for a minute. There are
six or seven different questions that you can ask, and you can do it on a piece
of paper or over the computer or over the telephone.

What we try to do is educate individuals before we go to testing, so they
can find out whether they are at risk through a very easy to use health risk
assessment. When we get someone to go through the risk assessment, and it is
determined that this individual is at risk, then these workers will suggest
that you are at risk, so you should think about taking a test. In many cases,
this test is underwritten by the likes of a public health department, what have
you.

So it is an opt-in basis. It is confidential, because now in this case they
know who the individual is. One of the reasons why that is important is, when
we are testing, to make a test highly accurate, it needs to come back to a
laboratory and we do confirmation. We do ELISA testing and confirmation
testing; that takes some time.

DR. BERNSTEIN: Do you know who that individual is, or just the public
health entity know who it is?

MR. POWELL: We will have a record on that individual.

DR. BERNSTEIN: An identifiable record?

MR. POWELL: A code number and an identifiable name, if you will. We will
have other contact information that we will get. All of that information is
highly protected in our system. I can’t tell you how, but I can tell you it is.

DR. BERNSTEIN: Jumping off what John was saying, presumably if you have a
highly protected privacy system, then if you were to be regulated by some
scheme, the increase in your costs would probably not be that great, because
you are already doing a lot of it, anyway.

MR. POWELL: I always felt as I said earlier that we were regulated, so
little did I know. Our FDA system for hepatitis C testing, it is highly
regulated. So even though we are not billing insurance in that case, I felt
that HIPAA was absolutely critical to protecting.

DR. ROTHSTEIN: But you do suggest a new strategy that we might pursue, and
that is instead of legislation or even regulation, we could just spread rumors
that all these other entities that we are talking about are covered.

MR. POWELL: You got me. Did that answer the question?

DR. BERNSTEIN: Yes, it did somewhat, yes. I wanted to also ask Mr. Almquist
a couple of questions. One is, we heard in our September hearing from school
nurses, I don’t think I have ever heard this before in a hearing, but they said
they would like to be regulated by HIPAA. They would not like to be regulated
by FERPA. It seemed like the reason for that as I understood it, and other
people who were there can jump in, that the Family Educational Rights and
Privacy Act was designed to protect school records, and did not take into
account the fact that the school nurses are essentially a public health
organization. They are seeing things like immunization issues, they are
diagnosing autism, where it was more often diagnosed in schools than a medical
setting, they are having trouble reporting to public health entities, and doing
other things that a health care organization would normally do, because FERPA
did not consider that some of the school records are health records and just
didn’t take them into account. It is actually much more narrow in its
exceptions to where you can share information. They said they would rather be
covered by HIPAA.

Do you know if NATA would take that position or if the athletic trainers
would take that position? I don’t mean to put you on the spot if they have
taken a position, but since there is that complication, would it be better for
you as a health care providing organization?

MR. ALMQUIST: I don’t think that NATA has taken a stand one way or the
other. But I do know that the — everywhere you go, you are getting an
individualized understanding of the situation. So how our school district looks
at the whole situation between HIPAA and medical records and FERPA and our
employees, whether it be the school nurses, who in our system are government
employees because they are from the health department, they get contracted to
work in the schools, as opposed to being school based employees. So there are a
lot of controversies.

The inconsistency is one of the biggest problems. That is what the attorney
explained to me, the Chinese walls. If the person is contracted within the
school system to provide the care and develop the records, then those records
are in fact FERPA records. But is another attorney in another school district
looking at it in a different way? That would be the biggest question, to flush
out what is right first and then determine which way you want to go, do you
want to go with the HIPAA or the FERPA.

But it does appear that when you are within the school, there are
individuals who do have a need to know about a certain issue that may not be
from a medical profession or from a medical angle.

DR. BERNSTEIN: Teachers, coaches? Who are you referring to?

MR. ALMQUIST: The teachers and the coaches. Especially in our setting with
the athletics, it would be the coaches, who may need to have information with
regard to a medical condition that one of the athletes has. If we were under
HIPAA, the way I understand it to be now, we would not be able to provide that
information to the coach, as opposed to now that we are FERPA, we do have that
latitude to expand that area of information.

DR. ROTHSTEIN: I want to thank all four of you for very interesting
testimony, and to alert our listeners on the Internet as well as our phone
colleagues that we will stand in lunch recess until 1:30 Eastern. Thank you.

(The meeting recessed for lunch at 12:50 p.m., to reconvene at 1:45 p.m.)

A F T E R N O O N S E S S I O N (1:45 p.m.)

DR. ROTHSTEIN: We are back on the record for the afternoon session of the
Subcommittee on Privacy and Confidentiality of the National Committee on Vital
and Health Statistics and our hearing on privacy protections for medical
records of non-covered entities.

This afternoon we have got a variety of things to discuss. We will go
through them in order. As we get to them I will explain more or less where we
are in each one of these.

On your agenda you will see that we had listed a panel discussion, and it
will not be a panel discussion. Only Mr. Goldberg has been able to attend, and
we thank you very much for coming. So what I would propose that we do is have
him provide background and his view on the scope of HHS authority to, if it so
chose, extend protections to the full extent of the statutory authorization,
and then the subcommittee can use that background for its followup discussions
among itself to see where we want to go with this.

So with that as background, I want to welcome you and thank you for coming,
and we are anxious to hear what you have to say.

Agenda Item: Scope of HHS Authorities

MR. GOLDBERG: Mr. Chairman, members of the committee, guests and listeners,
I am honored to be here and privileged to have this opportunity, thank you.

But first, a disclaimer. I am of course an attorney at law, and my training
over 40 years of practice of law has been related primarily to being a zealous
advocate in behalf of clients. That is not what I am here for today. So I
disclaim anything I say as being for and in behalf of anyone I have ever
represented or I might now represent or I might at any time in the future
represent, and I disclaim anything I say being for and in behalf of anyone I
work with, for or am likely to be affiliated with in the future.

DR. ROTHSTEIN: So noted.

MR. GOLDBERG: With that as preface, I want to say one other thing. I am
humble, being before you. I am not licensed to practice health care. I believe
each and all of us who are embarking on any course that affects or could
disturb the delivery of health care must indeed be restrained, sensitive and
focused on the fact that those who do deliver health care are unique, special
and certainly to be commended for what they do. Our goal has to be not to
interfere with those efforts, as much as we can, while being mindful of legal
obligations and constraints.

Now getting right to the point of your question to me, which is, what is
the authority and is there expansive authority for and in behalf of the
Secretary of Health and Human Services to address additional privacy concerns
in our society today.

I believe the Secretary is limited by the statutory authority that exists
under the Health Insurance Portability and Accountability Act of 1996,
administrative simplification, subtitle, in several respects. I believe the
authority is limited insofar as transactions of electronic natures are a part
of the authority base for the Secretary, dealing with financial and
administrative aspects, although I know that the Secretary may increase the
numbers of transactions, so there might be some vehicle for some expansion.

I know also that the privacy rule is worthy of special note, in that it is
probably the briefest portion of the HIPAA statute, about which so much has
been written and so much has been promulgated in the rulemaking based on
several sentences in the statute. But I believe that the Secretary is
constrained by those several sentences in the statute to deal with patient
privacy, the exercise of rights with respect to privacy, and use and disclosure
authorized and required. Then the Secretary might go somewhat beyond based upon
that statutory underpinning.

So as you see, there are two vehicles for some expansion, that is, the
transactional area and the privacy rule base under the statute. But as you can
tell by my hesitancy and qualification, I am not inclined to say that were I to
be a zealous advocate in behalf of a client with respect to expanded authority,
I could comfortably provide an opinion that any material or significant
exercise of supposed authority to encompass substantial numbers of additional
covered entities or substantial numbers of additional protections with respect
to non-covered entities of the privacy of individuals. I am hesitant, and would
likely have to conclude if pressed that I probably could not provide that
opinion with respect to the enforceability of the Secretary’s initiative.

Now, I say this from several perspectives. One, as indicated, from having
represented many covered entities, many individuals and many in the middle,
neither individuals whose privacy is addressed by the HIPAA statute and rules,
or entities who are covered under the statute.

It would seem to me, now moving beyond whether the Secretary has the
authority, as I have indicated, I think the Secretary is quite limited, and
even if the Secretary would conclude some additional exercise of authority
might be appropriate, let me give you a view, again not zealous for and in
behalf of, but simply my own personal notion.

I believe the HIPAA privacy rule is extraordinarily complex. I believe
those in health care who seek to implement the HIPAA privacy rule should be
commended for a Herculean effort at understanding something that we as lawyers
spend many, many hours, weeks and months, indeed years, trying to deal with.
Parenthetically, some ask me because of all of my experience what I think of
HIPAA and the privacy rule, and I sometimes say it is a living. But I am not
pleased to say that, because fortunately after 40 years of practice and now
with my own law firm and no need any longer to address the so-called billable
hour that many in the legal profession are so committed to having to deal with,
I can step back, since in my own office I can do whatever I like in terms of
many requirements that I had to adhere to before, and I can tell you, it is not
pleasant to have to assess a charge against a health care provider for trying
to explain a complex, difficult and challenging portion of a HIPAA rule, even
though — and I must emphasize this, the Secretary of Health and Human Services
and the staff working in the Office for Civil Rights, has provided a tremendous
amount of information, samples, background, focus pieces, so much that we as
attorneys who have to deal with HIPAA really are very fortunate beyond how many
others are in the law in having an encyclopedia of HIPAA information.

But having said that, one still has to open it and in either an electronic
manner or paper wise deal with it, understand it, apply it.

I think the other qualification I would add for the Secretary to want to go
forward would be state law as a serious concern. I am admitted in five
jurisdictions, and in each of those jurisdictions, Virginia, New York, the
District of Columbia, Florida and the Commonwealth of Massachusetts, we have
privacy laws that are different from each and all of the others, that are
different from much of what is in federal law. I don’t think that is helpful at
this time to address the Secretary’s concern that privacy should be protected
for many more by many more, because I think the confusion that arises today
insofar as issues of pre-emption or supervention will only be magnified if more
entities are thought to be covered and more privacy protections are sought to
be given.

The only other thing I would like to say from my somewhat prepared remarks
— of course, my remarks have only been prepared very recently because my
invitation came very recently, and therefore this is more of an extemporaneous
discussion than a fully researched presentation, but perhaps that is a
strength. I hope it is not a weakness.

When I was thinking about my presentation this morning as I was coming up
here from Virginia, I thought to myself, right of health care privacy, each
being three very, very important words. Then I thought, wash your hands. I said
to myself, we better be careful, because from my experience and reading over
the years of many, many publications in health care and from personal
knowledge, it may well be that more focus has to be given to wash your hands or
cut this way, again, three magical words, than protect patients’ privacy in a
seeming exuberance, when the statute does indeed have constraints that have
very effectively been addressed thus far by the Secretary, but perhaps
shouldn’t continue to be the subject of such effective implementation that
those of us who must construe the rules based upon the law are challenged in
giving opinions.

If I was to suggest where we should go as a society, what should be done, I
believe in three things. I believe we should have one national supervening,
overarching, effective regulatory system for the privacy of information, all
kinds of information, health care information, banking information, business
information. I believe the system that we have now, which fractionalizes and
individualizes each of the areas of protection, is confusing, confused,
inefficient, expensive and most of all, very difficult if not impossible for
people to fathom, let alone deal with, as those who must in the health
professions and business and otherwise implement these requirements.

This afternoon I am going to begin teaching a new course for me this term
in health care administration. I have taught at several law schools, I taught
lawyers. My law students always analyze the HIPAA privacy notices and look at
the rules and start out very eager and end up very anxious when they realize
how complex all of this is.

But my course this term at George Mason University College of Health and
Human Services will be to health care administrators, medical informatics
specialists, nurses and others. They actually have to implement the HIPAA
rules.

I caution members of the committee and others having responsibility for
providing advice to the Secretary. Let’s be mindful of the fact that these
well-meaning decent honorable individuals in health care administration, as
well as all licensed to deliver health care, have overwhelming burdens, and to
add to their burdens by going beyond where we already are without carefully
thinking first whether we can, second whether we should, and third, whether if
we did they could respond to what we did, is something that should be pondered
over some substantial period of time.

I don’t believe we should move faster than we can. I don’t believe we have
moved as fast as we should have, but we are here now. I believe the
responsibility lies in your hands in giving your advice to make it clear to the
Secretary that waiting and watching and learning might be a better course than
moving ahead before all the views and all the perspectives and all the
information that we should seek about a uniform approach is available to us.

Those are my remarks. I would be pleased to endeavor to respond to any
questions.

DR. ROTHSTEIN: Thank you very much. It is very interesting. The committee
is already on record as recommending to the Secretary that the privacy rule
should be applicable to all who use health information. So we have kind of
crossed that bridge, but what we haven’t crossed is what we are going to do
when we get to the other side, which is, how do you get there. Part of that is
the Secretary’s responsibility of joining us in advocating before Congress that
a more comprehensive legislative solution is necessary.

DR. HOUSTON: I have one question. You said there were three things. I heard
the one national regulatory system governing all privacy, but I didn’t distill
out the other two things. You said there were three other points you wanted to
make, and I heard one of them. Either I missed the other two or — so the first
one was a national regulatory system governing the privacy of all information,
was what you said. What were the other two, though?

MR. GOLDBERG: I’ll give you several, and you can use them as two or three
or one, as you may choose.

I would certainly encourage a singular system of protection of privacy,
independent of the nature of the information. I would also encourage prudence
being important here. Prudence tells me that being patient and taking time is a
necessary ingredient.

Another critical part is simplification. We ought to always go back, as an
attorney I try all the time to remind myself, go back to the statutory
underpinning, administrative simplification subtitle. It is not administrative
complexity subtitle. And it is a subtitle. It is not a big title. So we are
talking about simplifying, at least in my mind making less complex what people
in the health care delivery system in particular today are so challenged by.

Again, when my law students have to focus on these areas over a full term
course, and by the end of the course when the papers are written and given back
to me, and I am doing the reviews, and I see well-meaning, well intentioned,
highly schooled, well trained intellectually, extraordinarily effective
students not understanding some of the portions of the privacy rule, and then I
think of a nurse or an aide or an administrative assistant or a technologist or
a physician — who not incidentally never takes a course in law in all the
medical training that a physician receives, when I realize that all of those
individuals are supposed to construe the privacy rule the way I do, again that
is not a living I want to make.

DR. HOUSTON: Thank you.

MR. GOLDBERG: You’re welcome.

DR. ROTHSTEIN: Any immediate questions for Mr. Goldberg? I want to thank
you for giving us that background. That has been very helpful to us. This is a
topic that we need to discuss further as a subcommittee to try to get some
ideas about where it is that we are going. So thank you very much.

MR. GOLDBERG: My pleasure. Thank you for inviting me.

Agenda Item: Public Statements

DR. ROTHSTEIN: There are various issues that we need to discuss. The first
thing that I want to do is check to see if there are public statements. So we
are opening the public comment period a little ahead of schedule.

MR. RODE: Dan Rode, American Health Information Management Association.
I just wanted to clarify some testimony from this morning. In Bill Yasnoff’s
testimony on the Health Record Banks Association, while we have attended Bill’s
meetings, we are not in any way a direct supporter of the Association and its
goals and objectives at this point. We think it is an interesting model. We
think it bears watching, and we have to see how it goes, but we have not signed
on to be a full-fledged member of the Association as Bill indicated in his
testimony.

DR. ROTHSTEIN: Thank you for clarifying that. I’m sure Bill will be
interested to get further clarification. Are there other public comments?

Let me see if I can go over for the members of the subcommittee — please.

DR. FRANCIS: The audio stream has quit functioning.

(Remarks off the record regarding technical difficulties.)

DR. ROTHSTEIN: Let me go over the list of issues that we need to address as
a subcommittee this afternoon, so that everyone follows what we still have left
to do.

We need to discuss the annual HIPAA report. There is a privacy section in
it, and we all agreed to take a look at it and send suggestions in that Maya
has compiled. We are going to consider what the privacy language should look
like. So that is one issue.

DR. BERNSTEIN: I haven’t actually compiled them yet, but we have collected
them. If we are going to do some line changes we haven’t loaded up on the
machine, I can sit over there if you want to do that next.

DR. ROTHSTEIN: I’m going to go through the list, and that will be the
first.

The second thing we have to do is talk about what we plan to do next with
regard to the issues that we have already heard about. In other words, it seems
to me that we have heard among the following topics at our last three hearings,
that is, September, November and today, about the extension of coverage to the
entities in the commercial and financial industry, the overlap and gaps in
schools, coverage to other non-covered entities such as life insurers and
employers in their roles as employers as opposed to health plan sponsors. So we
need to decide what we want to do to follow up on that, as well as the health
care providers that we heard from today.

We also need to consider whether we want to do any additional followup on
the research strategies topic. Remember, we heard at our last hearing in
November if we were to design a research system to measure whether the privacy
rule had any effects, what would that look like, so we need to talk about that.

We need to talk about what additional issues we might want to consider
next. I have got some ideas, and I know other members of the subcommittee have
ideas about where we ought to go next.

We also need to discuss timing, if we are going to send letters with regard
to one or more of these issues, when are we going to have our next meetings,
what are we going to shoot for in terms of our timetable, when are we going to
schedule our next hearings.

So those I think are the four issues — maybe I have left something out —
that we need to discuss this afternoon.

DR. HOUSTON: The first three things you described, is that one issue? You
said extension of coverage, commercial and financial, overlap with schools and
others, and non-covered entities such as insurance and others.

DR. ROTHSTEIN: Yes, that is all one issue. It is a fleshing out of the
recommendation from June, that the same rules ought to apply without regard to
whether the entity is within one of the three covered entities things. Those
are explanations that we talked about. In other words, Gramm Leach Bliley,
FERPA and so forth are all underneath that one, and that is the extension. Then
we have the research strategy issue that we heard about.

(Remarks off the record regarding technical difficulties.)

MR. REYNOLDS: Two ways to build something, from the individual issues we
have, or to step back and say at the end of ’07, where would we want to be,
what would we want to have done to consider a move forward. We did the whole
letter, and now we are going through the pieces.

So it is just a question. What do we want to have contributed this year
through these hearings rather than just subjects that would get us at the end
of the year to something that would say, yes, that made a difference?

DR. ROTHSTEIN: Harry, I would say that that is a very good point. There are
different ways which we could go. One way would be to go into different aspects
of the letter, instead of doing recommendation 12, let’s take a look at
recommendation 20.

Another way is to say, we have got this out there, and let’s just put this
aside for a minute, and that is not the sum total of all the issues that we
need to be worried about, and let’s move to other things. The other things
could be either at a very narrow level, it could be how do we recommend
tweaking the privacy rule, it could be broader privacy issues in the abstract.
There are lots of different ways to go.

I think your point is a good one. This is probably a very appropriate time
to try to figure out where we want to go.

DR. HOUSTON: I absolutely agree with Harry. I think it is a great
observation. I really think that the first subject that you listed out is one
that I continue to hear. It is a recurring theme in a variety of forums.

DR. ROTHSTEIN: Which was that?

DR. HOUSTON: It is this whole issue of coverage of HIPAA and the overlap
with FERPA in the non-covered entities. I have heard in a variety of forums
that this continues to be an issue of great concern. I think that it is timely,
and I think there is great value in trying to come up with some recommendations
on that subject.

It is going to be something that is going to need to get in process sooner
rather than later, simply because of the fact that it will take some time for
it to be resolved. But I think people need to have somebody step up and say,
this is the recommendation of how we deal with this. This is what we think
needs to be done, because if we see NHIN coming, and I think NHIN is really
going to magnify the issues that you laid out earlier, I think it will
absolutely magnify the issues unless there is a resolution on it.

So I think to bring this all together then, my comment is that I think
there is compelling value in us trying to address this issue now and try to get
it knocked out quickly.

DR. ROTHSTEIN: I have a question. Are you just saying — I just want to
understand the scope of what you are recommending. Are you recommending that we
deal with the FERPA issue, the FERPA-HIPAA issue, or something broader?

DR. HOUSTON: I think it is broader. The first three things you articulated
all fell under number one.

DR. ROTHSTEIN: Right.

DR. HOUSTON: FERPA, the non-covered entities, the exclusion of coverage of
commercial and financial. All of those things tie together.

I think all these — if you want to call them non-coverage or overlap, all
that is going to be magnified simply because of the fact that when the NHIN
forms, there is going to be a lot of entities that are either going to want to
participate or get data, or there is going to be more tension about the rights
to data because of the much broader access and availability.

In all those subjects, it is going to be one for which there is going to be
a lot of effort and time between when you make recommendations and when we are
going to get some clarity on it. It may take legislative action, it might take
other things, I don’t know, but I think we need to make a recommendation sooner
rather than later.

DR. FRANCIS: I like the way the last speaker brought out that
interrelationship between the questions that you outlined first, Mark, and
NHIN. It seems to me that what we should be doing is thinking about the issues
on both of those fronts, so that we make a list of the non-covered entities
questions and which ones we think are most pressing, most practical and most
problematic from the question of interface with the NHIN.

On the other side, we keep our eye on the question of whether there are
privacy recommendations that need to be brought forward in light of what is
going on with respect to electronic health records.

DR. ROTHSTEIN: I thank you for that. Let me add my response to John’s
comment. I think we all share the view that there are so many entities that
deal with sensitive health information that are not subject to the privacy
rule. Not only did we say in June that they ought to be subject to some sort of
regulation, but we wanted to get a better sense of what was involved and what
it would mean to them, and whether it would be burdensome and whether there
were overlaps and so forth.

Personally, I think we may be reaching the point of diminishing returns by
continuing to explore this. We have gone into many of these areas. I think it
is safe to say that there are thousands of providers in dozens of different
categories that are not covered, and if we wanted to go into detail, I suppose
we could do that. We could encourage the Secretary, and maybe even fund from
our funds — now that Marjorie has left the table, I can say this — hiring a
contractor to estimate the number of non-covered entities in each of these
different categories.

I’m not sure that at this point, having already gotten that principle on
the record, it makes great sense for us to continue pursuing that, except for
one area. The one area that — if I had to pick one that I would say is really
messed up at the moment, that might be amenable to some degree of change or
clarification or guidance without amendment of the statute, that is the FERPA
issue.

I think the testimony that we heard was so compelling from the school
nurses and all these people. They can’t get records that are very important to
the health of the children. They can’t share information with public health
agencies that is very important. We heard another aspect of that from the
Athletic Trainers Association today.

Personally, if we wanted to pick an issue to go into more depth, I would
say FERPA. It is not that I am not concerned about the others.

DR. HOUSTON: I’m not advocating that we take more testimony. What I am
advocating with my earlier comment was that we take those issues and we make
recommendations. I think what we need to do is get to deliberation on actually
making some recommendations.

By the way, I think we probably have heard enough about FERPA to know that
there is an issue, and I don’t even know if we need to get more testimony on
that. I think there is already a lot of compelling arguments. All I’m saying
is, I think we need to translate what we have heard on these subjects into a
recommendation. I think it is going to be a fairly lengthy recommendation, but
I think it is one that is timely. I think if we start on it now and try to get
it done by the end of summer, I suspect it is going to probably take that long
to do what we need to do.

DR. ROTHSTEIN: Would it be your recommendation that we bundle them all
together?

DR. HOUSTON: Yes, that is my recommendation. When you unbundle them, what
was the last — Alan Goldberg — even if we stay with health care and try to
bundle those issues together to keep a health care focus, if you unbundle them
you are going to have a lot more fragmentation that is going to lead to as many
questions. So I think you have to almost pull them together in some cohesive
fashion. But the focus will always be — the domain will be health care. Even
though we are going to be talking about potentially FERPA and GLBA and stuff
like that, the focus is health care and health care data.

His recommendation was that we should have a comprehensive privacy law for
everything. I wouldn’t go that far, but I think we need to comprehensively deal
with privacy within the health care domain.

MR. REYNOLDS: I would add one other remark. The reason I see what we are
talking about here more important than it has ever been is that in my day job,
I don’t think two hours go by where there is not something in the e-mail or a
new call or a new meeting where somebody is trying to do something in this
space. A lot of them are not covered entities.

I would say to you clearly that the implementations are going ahead without
guidance. The implementations are going full speed outside of the realm of what
HIPAA was set up to be. I am telling you, people are grouping up in different
and strange ways. People are offering services that are not even covered
entities, and are offering these kind of services that have this information.

I would just say that the implementations are not waiting for a definition
of what the next step should be. They are going full speed. Everybody uses the
NHIN. That is not here yet, but there are plenty of PHINs, personal health
information networks, RHIOs. I spend a lot of time talking to Jeff from the
Standards Committee, Jeff Blair. His full-time job now is building these things.

DR. HOUSTON: But you know something, Harry? They are becoming the surrogate
for the NHIN.

MR. REYNOLDS: They are what?

DR. HOUSTON: They are becoming the surrogate for the NHIN.

MR. REYNOLDS: I agree. So what I am saying is that maybe two years ago if
we were sitting here, everybody was talking about doing stuff. There is an
industry out there that is wide open, putting stuff in place. I think at some
point privacy has got to catch up, or this discussion has got to catch up with
it, because once it is implemented, undoing it and getting everybody to go back
and change it to come back to where we would like everybody to be is not
something that works well in this world.

DR. TANG: I just want to round out, just in case Harry didn’t make it
clear, I am just scared of witnessing as many egregious violations. It is a
changed world just in the past one year or two years. There are vendors that
are obligating covered entities to do things that they are not allowed to do.

DR. ROTHSTEIN: There are vendors obligating covered entities to do things
that they are not allowed to do, is that correct?

DR. TANG: Correct.

DR. ROTHSTEIN: I think it supports Harry’s view that there is sort of like
a wild west out there.

Here is my concern. I know the members of the subcommittee realize that I
am a very strong advocate of extending the coverage of privacy laws to all
entities who have this. My concern is that doing that basically is a two-step
process, from us to effectuate. We have got to make a recommendation to the
Secretary, and then the Secretary has got to go forward and take that to
Congress and have something happen there.

We have already made this general recommendation. So my concern is, maybe
our time would be better spent on concentrating on issues that the Secretary
could implement without having to go to Congress, because we have already said
we think Congress ought to do this.

So there are a limited number of hours that the committee can meet and a
limited number of topics that we can do work on. If I were king, I feel
passionately about this, this would be one of my first edicts. But it takes a
long way to get from our discussion to implementation and it can get
sidetracked very easily by all sorts of things along the way over which we have
no control.

So that is my only hesitation. If we took John’s suggestion and came up
with a detailed, more comprehensive in-depth followup of our earlier
recommendation, I am afraid that we would be debating that for a long time in
subcommittee to get the language just right and so forth, and then the full
committee, and then it goes to the Secretary, and God knows what happens to it
after it reaches the Secretary’s desk, and maybe we have spent all this time
and having nothing to show for it.

DR. HOUSTON: In my mind though, this is something that desperately needs to
be done. I think we need to do it. Somebody needs to do it. Somebody needs to
step up, in my mind.

DR. ROTHSTEIN: Somebody needs to step up and say what?

DR. HOUSTON: How do we resolve all of the issues with everything from
covered to non-covered entities, how are we going to deal with data flow,
whether they be these large private organizations managing data or outside the
purview of HIPAA to how are we going to deal with the NHIN and the fact that
you are going to have entities that are going to want access or contribute data
that are not HIPAA covered entities. How are you going to deal with the
interplay of FERPA and HIPAA in the same context of this more global sharing of
data. I just think this is a big ugly mess that is going to get worse.

DR. FRANCIS: In the context of thinking about the sorts of issues that John
was just outlining, why isn’t it possible to both look at which of the issues
seem to us to be most important in terms of need and most track for us? That is
what we want to look at first, that we can do it through recommendations to the
Secretary rather than through statutory.

It seems to me that the question of what kind of change would be required
is something that of course we ought to be looking at, and something that
doesn’t require Congressional change is important for us to concentrate on. But
if something is really important and does, we need to say that.

(Remarks off the record regarding technical difficulties.)

DR. COHN: I am a little embarrassed, because I could only about 20 percent
hear Leslie. I’m not sure what I am saying is completely what you said or
completely separate.

I am listening to the various issues that we are describing, and I am a
little perplexed that John is sticking them all on top of one another, just
because it feels to me like we are dealing with separate issues which may be
important, but trying to deal with FERPA on top of non-covered entities such as
we have had testimony on today feels to me like very different things with very
different solution sets.

That is not to say they aren’t important. I am in my own view thinking that
we have done a fair amount of work on FERPA on letters previously. If you look
back at our letters, there have been a number of letters that have related to
FERPA. We may need to go back and look at that. Maybe it is time, given that
there is other work going on, looking at research and all of that, that maybe
that is something that should be in a direct letter as opposed to more
deliberation.

DR. HOUSTON: The only tie I see to FERPA in this case is that it seems like
some of these individuals for which FERPA applies are non-covered entities
under HIPAA, or there is some question about that. So when we are dealing with
groups that are non-covered entities for which there is another regulation that
may apply to them in some way, which may also govern privacy or management of
health. So that is the tie.

DR. COHN: And maybe what we are talking about is coordination. I guess I
contrast that with the other piece we were hearing today, which had to do with
really non-covered entities. It is unclear exactly what the coverage is of new
entities in the environment.

The part that I heard, which I thought was new today — and once again, I
don’t have a lot of legal background, —

DR. HOUSTON: But you are a doctor.

DR. COHN: I am a doctor, exactly. This is something we talked about when we
talked about personal health records, this issue about whether or not business
associate agreements would suffice in terms of coverage for those entities.

From my view, if indeed that handles the problem, fine. If it isn’t, we
need to bring that fact to people’s attention, because I think there is an
assumption going on that that is going to solve the problem.

DR. ROTHSTEIN: Simon, I believe that in our June letter we specifically
said that the business associate language in the current privacy rule was
inadequate to address these issues, and that is why we had recommendation 12. I
think there is language there that I could cite to you.

DR. COHN: Mark, I think that a one paragraph or in this case a two or three
sentence piece — once again, I don’t have that letter in front of me, but —

DR. ROTHSTEIN: I do.

DR. COHN: Okay, you have that letter in front of you. Maybe I should take a
look at it. I don’t remember a lot of the background of why —

DR. ROTHSTEIN: See, you’re not a lawyer, but I am.

DR. COHN: And you come a lot more prepared than I do. Was there an
extensive discussion of why it was not sufficient? Or was it more a
conclusionary statement of why it was not sufficient? You are hearing how I
tend to think about HIPAA, but I can certainly withdraw my comments and let
things proceed.

MR. REYNOLDS: One quick comment is, a lot of people that are in the space
now that are implementing are not business associates of anyone that is a
covered entity. That is the other piece that is coming to the forefront. Some
of these people that are offering personal health records aren’t everybody
defined in the HIPAA law.

For example, you could take the not-for-profit that was discussed this
morning. If those companies only give money to that group and do not consider
them a business associate, which they probably would not, then that group that
has all that information is nowhere. They are zero. There is nothing going in
the world for them.

So that is this paradigm, where the keepers of the information are far more
important than what is actually occurring.

DR. BERNSTEIN: We just promoted
David Holzmann, in case you don’t know him, from the Office for Civil Rights.
Christina Hyde had to leave. A little changing of the guard there, so that
since we are discussing HIPAA stuff, we have a HIPAA expert with us.

What I was going to say about the authority issue is Leslie’s point about
trying to pick the low-hanging fruit where we don’t need legislative change, is
that determining whether or not we need legislative change is a very big task.
Notwithstanding the previous non-panel panel, or whatever we were attempting to
start thinking about what authority the Secretary has, it is not clear what
authority the Secretary has. Unless you want me to go off and have a new job
figuring that out, to the detriment of serving this committee and the other
things I have to do, I don’t think we can probably answer that question in the
subcommittee. But I think that the subcommittee should nevertheless feel free
to make whatever recommendations you believe are appropriate.

Truly, if the Secretary wants to take up those recommendations and decides
to do so, we will determine with counsel whether he has the authority. If he
decides that he wants to do it and he has the authority, he will go right
ahead. If he decides that he wants to do it and does not have the authority, he
will seek legislative change to get the authority if he is motivated to make
the changes that the subcommittee is recommending.

In the case where the Secretary does not want to take up the
recommendation, no amount of authority is going to make him do it, really. That
is a political decision that — by your powers of persuasion you can suggest
all the reasoning why the Secretary might want to take up a particular
recommendation, and I think this subcommittee has historically had great powers
of persuasion to do that.

But if we were to wait to figure out which areas — unless it is obvious;
we know that the Secretary is not the Department that has the responsibility
for FERPA. That is the Department of Education. But the rule or the statute,
one of them, says that anything covered by FERPA is not covered by HIPAA, so
there is a wall there, as was mentioned in earlier testimony.

The Secretary could for example decide to cover those entities by HIPAA,
but would not be able to relieve those entities of being covered by FERPA
without working with the Department of Education seeking legislative change and
so forth.

So I guess I would recommend not getting caught up in which authorities we
have particularly, but to focus more on what you think the right result is for
the country, for the NHIN, for those particular topic areas that you think you
well understand and are ready to make recommendations. Then we can move on from
there.

I think the Department as I said will respond. Maybe Marjorie has some
thoughts on this, but the Department will respond by making political
decisions, as it does, and in the case of authority will go ahead, and in the
case of non-authority will either seek the authority or not.

DR. ROTHSTEIN: Unlike many of our debates in the subcommittee, the thing
that is unusual about our discussion today is that substantively I think we all
agree. The issue is tactics, and how we best use our limited resources. So I
think that is where there is a difference of opinion.

DR. BERNSTEIN: I do think it is a very complex problem. We could make it
easy by saying anyone who has medical information should be covered by some
rule, or as someone said earlier, the protection should follow the data itself.
Even if we were to decide, the subcommittee were to decide, that everything
should be covered that is medical information, the question is still how would
you do it. Would you do it by provider, would you do it by tagging it to the
information itself, would you do it by the use? There are lots of different
ways even to do that. I am guessing that you are going to get more granularity
than that.

DR. ROTHSTEIN: Marjorie, please help us.

DR. GREENBERG: Well, when you put it that way. I agree with everyone. I am
just thinking that you have had a number of — you have the letter from June,
you have a number of very interesting hearings. I think if you could take away
one thing, it is probably that ignorance is not bliss, because groups we
wouldn’t even think about, as Harry has pointed out to us — and well-meaning
groups; we haven’t heard from those with nefarious purposes.

I think the bottom line is that as Harry mentioned, and as several people
we heard today, maybe we raised their consciousness, maybe the general
environment has raised their consciousness, but a lot of people are thinking
about, maybe they need policies, who currently aren’t covered and don’t have
policies. The train has left the station, to be trite.

So it seems to me that there could be real value in the committee sending a
letter to the Secretary which would also go to the Data Council and probably
get to AHIC, et cetera, with the findings, or identifying these issues without
yet having solutions. Possibly if you feel you could in a reasonable period of
time mention some alternatives and some pros and cons, some of the problems you
have heard with HIPAA, but those are really more findings than recommendations.

I think that it might educate folks who are very focused. We were talking
about, there is a lot of focus on secondary uses of data, but there are all
these primary uses of data that aren’t necessarily covered that do relate
directly to treatment and maybe possibly payment in health care operations.

It was mentioned in your letter, but there was so much in that letter that
I don’t know that it is necessarily what people focused on. Probably they
didn’t, because there were some other things that were maybe more controversial
or expanded more.

So I think sooner rather than later, at least a letter with the findings
with the hearings you have had since September, would be a good idea.

DR. ROTHSTEIN: So let me see if I understand what you are suggesting. We
send in as short a time period as possible a letter to the Secretary that says,
in June of 2006 we recommended the following. We have had three rounds of
hearings since then to get a better sense of the magnitude of the problem, and
here are some of the things we have heard. What we have heard basically
reinforces our earlier view that this is a very significant problem, and that
there are lots of classes of health care providers who are not covered entities
under HIPAA.

DR. GREENBERG: Not only that, but that there is a lot of confusion, and a
lot of people are looking for guidance, and everyone is doing their own thing
in the absence of guidance.

It is hard for me to remember what happened yesterday, but what I heard in
the hearings in September, I do know you have got two large groups. You have
got the ones that aren’t covered by anything except maybe a business associate
arrangement, if that were to be executed. But then you have got those who are
covered by fairly substantial legislation, like the banking one and the FERPA.
But there are these areas of confusion and overlap and redundancy and maybe
gaps, so it seems to me that you address one one way and one the other when
there is nothing, and when there is a lot it is not compatible, or it is
overlapping.

Maybe this is just self evident, but I think you have gathered a lot of
information. I would agree, I don’t think it is necessary to gather more
information on the problems, on the findings. I agree with Maya. I don’t know
the extent to which, without going into a great deal of detail in a particular
area, you can come up quickly with the solutions, either. That doesn’t mean you
couldn’t build towards recommendations maybe in the FERPA-HIPAA area, where you
could bring in a workshop or something where you tried to bring in the experts
and try to work that through.

It just seems to me there could be some value in expanding on what was a
statement in the June letter based on the last three hearings.

DR. ROTHSTEIN: Thank you. John?

DR. HOUSTON: Two points to follow up on what Marjorie just said. The first
being, I think we could without being too prescriptive give some
recommendations or some thoughts on what we think some of the solutions could
be, not getting into a lot of details; principles, that is a good way to
characterize it.

Second, this is a word to Marjorie, or a question to her. Is it appropriate
to go back to the Secretary and ask whether he would like us to further refine
our recommendations or like us to take more testimony on any particular
subject? Is that something that we do?

DR. GREENBERG: Not so much, but there are a lot of groups out there. Now
AHIC has a privacy and confidentiality group. The HITSP has now established a
privacy and confidentiality group.

I think we need a strategy for how this is going to be resolved, how we
think the Secretary or the Department could exercise national leadership in
this area because we think it is needed for all the reasons that we heard the
last three hearings.

Those two groups were established after the June letter. I don’t think
everyone should be trying to solve the same problem at the same time. Some
people are on all these groups, or have representatives on all these groups.
Maybe some guidance from the Secretary as to where should this be pursued, not
what you said, but some feedback.

DR. HOUSTON: Can I follow up specifically on that point? I apologize, but
it is meaningful. I know right now that on the AHIC CPS work group, they are
trying to figure out what they want to do next. They have just given a
recommendation on identity proofing, and I think they want to get a sense on
what the priorities are. So I think it is meaningful.

It might be helpful to try to take the chairs of that group and maybe do a
little planning, whether it be with Marjorie or with this whole subcommittee,
to try to get a sense on how we want to try to divide and conquer. Same thing
with HITSBE. Maybe there needs to be some joint planning to try to coordinate
the group’s activities, because two or three are trying to figure out what they
need to do next.

DR. TANG: I was going to make a comment that maybe we need a harmonization
group for all these privacy and security and confidentiality subcommittees, but
I think that is what John just said.

DR. GREENBERG: We need a what?

DR. TANG: Either a reconciliation or harmonization process with all these
privacy and confidentiality groups.

DR. ROTHSTEIN: That is I think a point with which virtually nobody would
disagree, except I am going to raise the question of whether it is the role of
NCVHS to do that. I would defer to Simon and Marjorie and others.

It seems to me that our role is to be a liaison to the Secretary from the
public, we are the public advisory committee, and to make recommendations about
health information policy. It is not to reorganize the Secretary’s staff and to
direct how things should work.

DR. COHN: I wanted just to respond to the need for a coordination
subcommittee of the Privacy and Confidentiality Subcommittee.

I think we are all aware that there is a lot of focus and energy in a
variety of these areas, not just privacy and confidentiality, but throughout
all of health information technology policy areas. I think there has been a
renewed and accelerated level of commitment within HHS to assure that there is
adequate coordination that occurs. A piece of coordination is subcommittees and
work groups and all of this deciding on what their priorities are, as well as
what they think potentially should be recommended to other bodies to work on
further. I think it is part of NCVHS leadership and staff to work with those
other bodies to make sure there isn’t redundancy occurring, which I think is
our concern as much as who does what.

Marjorie, do you want to comment?

DR. HOUSTON: I don’t think it has to be all that formal. I think there is a
great value, as everybody is trying to understand what the priorities are, to
spending a little bit of time, maybe an informal conference call, I don’t know,
I’m just saying, I am on two of those committees, and I see right now that they
are trying to figure out what their agendas and their priorities are. I think
there is value to talking about who wants to do what and how we want to try to
get it all done.

MS. WATTENBERG: But in part, that is because — the AHIC privacy and
confidentiality committee as opposed to the security subcommittee is supposed
to be identifying their topics according to what the other AHIC committees feel
they need advisement on to pursue their breakthroughs. So it is a different —

DR. HOUSTON: I understand your point, I agree with that. My only point is,
if they were already going to focus on a specific topic and we were eying it
ourselves, then you say we don’t need to worry about that. That is my only
point. I agree that different constituent groups are trying to direct their
efforts.

MS. WATTENBERG: But again, I think we solicit testimony in these two
different groups for different purposes. I know that the AHIC groups are
cognizant of what we have taken testimony on here at NCVHS. I think we even
raised the issue on one of them to coordinate some testimony with one of the
upcoming NCVHS meetings.

So I wonder if it isn’t maybe more practical to charge some of the HHS
people with more concrete liaison functions.

DR. ROTHSTEIN: Let me just mention that next week, the GAO report
evaluating the coordination of the privacy activities of HHS will be released.
There are also Senate hearings on the issue of HHS’ role in promoting health
information privacy.

I just think that it is above our grade level to take on those issues. I
think we would be better served by taking on more concrete things. That is not
to say that I don’t support Marjorie’s suggestion of sending a findings letter
reiterating our earlier recommendation from June, updating it with more data
that we have found about the number of uncovered entities and making that
suggestion again. Although I would say that my recommendation would be that if
we did that, we ought to do a separate FERPA letter, because it is a separate
issue.

MR. REYNOLDS: I made a number of talks recently going back and reviewing
the privacy letter, because I still think it is one of the best documents on
the whole picture. But every time you go back and look at it, you realize how
far reaching it is and how many subjects are in there.

So I think what we are saying today is that there are a couple, FERPA would
be one, and this whole idea of who is covered, aligned with the fact that the
industry has exploded in this space in the last 12 months, exploded. So what we
are basically saying is, we gave you the whole picture, but oh by the way,
there are two things that need to get looked at pretty quickly, because if they
don’t, it is gone. Things are going to happen, and those things that are going
to happen may create a new environment. I think that is what we are saying.

I have gone through that letter four or five times recently, and if you
look at it overall, having been a part of it, it is overwhelming if I sit there
and look at all of it. But I think now is the time to take pieces of it that we
think really make a difference, and go at them again with a subsequent letter,
go at them again with another set of recommendations on the things we have
heard, to go at it deeper. I think that is what I am saying.

Again, I am not derailing what we are doing overall, but I think those
things will make the biggest difference in the next 12 months.

DR. ROTHSTEIN: Did you have any areas in particular?

MR. REYNOLDS: I think FERPA is a great example, and I think this whole idea
of who is covered. I love the idea that somebody said that the ownership goes
along with the data. I’m not sure how that works or what Maya said, but those
are the kind of things that I think are more important. If we can’t get
legislation, people are putting things out every month. They are implementing
the heck out of the stuff. If you talk to Jeff, they are building fast. These
things are already in place that are doing things. Every month that goes by,
privacy regulations in the real world are getting implemented, by individual
people who are designing systems and designing networks, and consequently in
doing so they are establishing what business is going to do. That is the
scariest part of the deal to me.

DR. BERNSTEIN: Can I interrupt for just a moment?

DR. ROTHSTEIN: Please.

DR. BERNSTEIN: It is almost 3 o’clock. We need to do two things. We need to
take a break at some point, and we need to work on the HIPAA report, which we
have on the agenda to discuss. We moved it off for this discussion, which I
think was very valuable. I just want to make sure you know we need to set aside
some time for that. I understand there are some committee members that need to
leave early. So I just want to make you aware of the agenda.

DR. ROTHSTEIN: Thank you.

DR. TANG: Back on that comment, I wonder if one of the ways — by the way,
I really would like to combine Harry’s idea with Marjorie’s, which is, we have
learned new things and it is more important. The sense of urgency is not to
restate what we stated before, but that it threatens to undermine the goals and
objectives that HCFA has for interoperable data and the NHIN. Maybe that might
not have been stated as clearly or urgently.

The other point in terms of the agenda, perhaps we should include in our
HIPAA report, since it includes privacy, that we have uncovered this issue of
other entities that now have access to personally identifiable health
information which are not covered by HIPAA, and we feel there is a new sense of
need in order to explore the implications of that, and a sense of urgency in
terms of getting policies in place.

DR. FRANCIS: Just an addendum to that, too. As a neophyte, I am struck by
the extent to which there may be information that the committee already has
that a failure to pay attention to some of the data sharing issues and privacy
protection related to that affects patient safety pretty directly.

DR. ROTHSTEIN: I lost you.

DR. FRANCIS: What I was saying is, I know that a major political concern,
obviously not the committee’s, but some of the issues are data sharing has
consequences for peoples’ health. That might also affect the urgency when what
the committee has learned gets brought into that. It may be something also we
might want to highlight.

DR. BERNSTEIN: Do you want to give an example, Leslie?

DR. ROTHSTEIN: Well, people not seeking care because they are afraid of the
record.

DR. FRANCIS: Or information not getting transferred and when information
doesn’t get transferred, it might be information that is really needed for
safety reasons.

DR. ROTHSTEIN: I am going to propose that we take a ten-minute break,
resume at 3:10 Eastern time, and then try to reach closure on this issue of
where we are going and what letters and what we are going to do, and then talk
about some other issues. We still have to talk about the HIPAA report. We have
to talk about planning future meetings and so forth.

So we are going to take a ten-minute break. Thank you.

(Brief recess.)

Agenda Item: Committee Proposal

DR. ROTHSTEIN: Are we now back on broadcast? The first thing I would like
to do is to propose for a vote of the subcommittee members some sort of action
plan for going forward to resolve the issues that we just finished discussing
before the break, and that were discussed during the break informally.

That is the following proposal that I would like to put forward. In time
for the full June meeting of the NCVHS, that the subcommittee prepare two
letters, one to deal with the jurisdictional issue and the covered entities
issue that we have talked about, and the fact that so many health care
providers as we have heard today are not covered entities and so forth, as more
of an informational followup to our June ’06 letter, saying that we have had
hearings and here is what we found, and so on and so forth. That would be one
activity.

A second activity would be a separate letter that we will also have
prepared for our June meeting, discussing the specific issue of FERPA-HIPAA
overlaps, gaps and problem areas that need to be resolved. Now, saying that
does not foreclose additional items which we will take up in due course.

DR. HOUSTON: Only one comment that goes to the very last thing you said. We
did talk about one topic, research affected the privacy rule. Do we want to
make that a third letter, or are we not to the point where we want to do that?

DR. BERNSTEIN: I’m sorry, which piece of the privacy rule?

DR. HOUSTON: The research on the effect of the privacy rule.

DR. ROTHSTEIN: With your consent, I would like to put that on the back
burner for a few minutes and not have that part of the motion.

DR. HOUSTON: Sure, okay.

DR. ROTHSTEIN: Because there are other things as well that we haven’t
discussed. I just wanted to bring some degree of closure to our earlier
discussion before we move to the HIPAA letter to Congress.

I know I have buttonholed the committee members who are here at NCVHS. I
want to give Leslie and Paul a chance to comment on that proposal.

DR. TANG: Can you state that one more time?

DR. ROTHSTEIN: Paul, I think you said okay, is that right? Oh, you need me
to state it one more time. I’ll say this again.

For the June meeting of the full committee, we are going to commit if we
agree to prepare two letters. One would deal with the jurisdictional issue and
the covered entities issue. It would talk about the things that we have heard
today at the hearing as well as from the September and November hearings,
emphasizing that we continue to support the position that we said in June of
’06 for a broader coverage and emphasize that we have additional findings in
that regard, and share that with them, especially the sort of stuff we talked
about today.

The second letter would specifically address the issue of HIPAA and FERPA
and schools, and the health information that can and can’t get to and from
schools about children.

DR. TANG: So that letter would be going on to the Secretary, and the draft
is to be presented at the June meeting, is that what you are saying?

DR. ROTHSTEIN: Yes, that is what I am saying.

DR. TANG: Okay.

DR. FRANCIS: I think that is perfect.

DR. ROTHSTEIN: Thank you.

DR. HOUSTON: I second the motion.

DR. ROTHSTEIN: John seconds the motion, even though I am not supposed to
make the motion, is that right?

DR. HOUSTON: I make the motion to what he just said.

MR. REYNOLDS: I’ll second.

DR. ROTHSTEIN: And Harry seconds. All in favor, say Aye.

(Chorus of Aye.)

Agenda Item: Discussion of Annual HIPAA Report

DR. ROTHSTEIN: It carries. Thank you. Let’s if we may move to the annual
HIPAA report language. Then after that, because we really need to get this
done, we will come back to the issues that were reserved, such as the research
strategies issues and hearing dates and other issues that we want to take up
during ’07. Are we ready for that, Maya?

DR. BERNSTEIN: I’m ready.

DR. ROTHSTEIN: It may be hard for the folks on the phone. Just close your
eyes and imagine, and we will try to tell you what we are doing.

DR. BERNSTEIN: You have a copy that Debby Jackson sent you of the
electronic version of the HIPAA report.

DR. FRANCIS: If you give me page numbers, I will know where to go.

DR. BERNSTEIN: They will be close. I made some corrections already. I have
been sitting here putting in the corrections that Harry gave me over the phone
a couple of weeks ago, so we might have moved by half a page or so. I hope Gail
and Paul also have copies of it.

DR. FRANCIS: I have it. I am going to bring it up now.

DR. TANG: Same here.

DR. BERNSTEIN: What I just want to do is collect the comments of the
committee if there are any on the report. I have the document in front of me,
and if there are comments that the subcommittee wants to make, there are
changes that you want to add, I am ready to take them. Otherwise, I have
nothing to say.

DR. ROTHSTEIN: Can we move to the section on privacy and confidentiality
beginning on page 21, which is really what we have been asked to address.

DR. BERNSTEIN: Yes. Just so you know, there are comments from the
subcommittee on other parts of this.

DR. ROTHSTEIN: Okay, but I don’t think we have got the time to take them
up. The full committee will take them up, right, Simon?

DR. COHN: Yes.

DR. HOUSTON: I had a question at the last committee meeting, where we
talked about the fact that the summary is two pages shorter than the whole —

DR. COHN: For the record, I was making handwritten modifications. I think
what we have seen for this report is A, that the actual cover letter may be
made a little bit longer to include some of the key pieces from the document,
and that the document itself will be a report with necessary appendices at the
back on things that are properly appropriate on that.

DR. BERNSTEIN: Jim Scanlon has the control over this.

DR. COHN: I’ll talk to him about that.

DR. BERNSTEIN: He was at the last meeting. I think that comment was made
there, and it is in the process of being redone, but we were waiting for
comments from the committee before making that change.

DR. COHN: Absolutely. John was making the comment again.

DR. BERNSTEIN: The section Mark is referring to is at the bottom of page
six, and there is another parallel section that looks quite similar to it,
which is at the bottom of page 21. In fact, they might be just the same.

DR. ROTHSTEIN: Six is the executive summary which is the same as the — so
either one. Can you go through what the suggestions were?

DR. BERNSTEIN: I don’t have suggestions on this section from people. Wait,
that’s not true. Harry made a comment on the second paragraph, which is that we
talk about the use of information by non-health care entities. His comment if I
am characterizing it correctly was that we need to say something about the
inadequacy of the term covered entity. When we go to the NHIN, this term is
going to be inadequate. There are gaps in coverage. The advent of the NHIN is
going to put stress on this original definition because more entities are
involved than were originally considered when we were talking about
administrative transactions. That is one of the issues we were talking about
today.

DR. ROTHSTEIN: Absolutely essential. I think the world was split into
health care entities and non-health care entities at a time when somebody
thought that made sense. But that is not the way the world is split now.

MR. REYNOLDS: The other thing is, this was based on administrative
transactions. This whole NHIN goes outside that normal realm of administrative
transactions.

DR. BERNSTEIN: So I am taking suggestions as to how you want to rework this
paragraph.

DR. ROTHSTEIN: I think it probably is not a good use of our time to word by
word this, especially given the stage at which the overall letter is. What I
would like to suggest is that we agree in principle on changes that we would
like to see, and then have Maya take the lead in putting together language that
reflects our views and then bring that to the full committee.

I would like to see basically the subcommittee authorize that procedure. In
other words, have the staff summary attempt to reflect our views, and then
without having to go back to the subcommittee go on to the full committee.
Would that be okay?

DR. GREENBERG: The summary or a revision of the document?

DR. ROTHSTEIN: I’m sorry, a revision of the document that is based on our
agreement.

DR. BERNSTEIN: I will take the notes and put them here, and then we will go
back and wordsmith something that will meet with our approval.

DR. ROTHSTEIN: Is that okay with you, Leslie and Paul?

DR. FRANCIS: Yes.

DR. ROTHSTEIN: Hearing no objection, that is what we are going to do. Let’s
make sure we are all in agreement with Harry’s first suggestion. It is his
recommendation, and I support it. Does anybody have any dissent?

DR. HOUSTON: Would you repeat it one more time?

DR. ROTHSTEIN: Harry, can you repeat that suggestion?

MR. REYNOLDS: I’m not necessarily interested in the wording.

DR. ROTHSTEIN: Not the word, but just the idea.

MR. REYNOLDS: The point is, the covered entity is inefficient and
insufficient in the NHIN world.

DR. ROTHSTEIN: It is an archaic concept that is based on assumptions in a
totally different world.

DR. HOUSTON: Are we going on to other recommendations?

DR. ROTHSTEIN: We are going to try to get them in order, unless yours flows
from that. Is the recommendation you want to make —

DR. HOUSTON: No.

DR. ROTHSTEIN: Is it coming up or is it new?

DR. HOUSTON: It is part of the report.

DR. BERNSTEIN: Just on this section for the moment. We will get to other
sections if you want to make another comment.

DR. ROTHSTEIN: Is it on this section?

DR. HOUSTON: Yes.

DR. ROTHSTEIN: Okay. Paul and Leslie, we are on the top half of page seven.

DR. BERNSTEIN: On the second paragraph.

DR. ROTHSTEIN: The second paragraph, before clinical data and electronic
health records.

DR. HOUSTON: A couple of comments. First of all, in the very first
paragraph, I know we are not wordsmithing, but when you look at it, there is
some inconsistency that I want to make sure you address.

You talked about hearings in the past year, then you talk about a
culmination of an 18-month process. I just want to make sure it is clear that
we are talking about — when I read it, I said was it 12 months or was it 18
months. I want to make sure it is clear.

DR. ROTHSTEIN: I read that, too. The problem is, the report is supposed to
only cover 12 months, but the process that we went through took 18 months. So
maybe we can clarify that.

DR. GREENBERG: Why don’t you just say that you held a number of hearings
and just say the time period, whatever it was?

DR. ROTHSTEIN: I think it was like January ’05 to fall of ’06.

DR. BERNSTEIN: I came in in February of ’05, and there was one hearing on
this topic in January of ’05 before I arrived.

DR. ROTHSTEIN: From January ’05 to June ’06. The process took place from
January of one year to June of the next.

DR. HOUSTON: That inconsistency I think needs to be cleaned up. The other
thing too is, you talk about the considerations in the emerging Nationwide
Health Information Networks. You said focusing on the privacy and
confidentiality considerations in emerging Nationwide Health Information
Networks. I thought it was more specific, that the report was related to the
Nationwide Health Information Networks.

DR. ROTHSTEIN: That is correct.

DR. HOUSTON: So I think we need to be consistent in what we are talking
about.

DR. FRANCIS: Among the testifiers were also health lawyers.

DR. ROTHSTEIN: She said among the testifiers were health lawyers, so we
need to add that.

DR. FRANCIS: Experts in health law, something like that.

DR. BERNSTEIN: We said medical informatics.

DR. ROTHSTEIN: Thank you.

DR. HOUSTON: Back to my comments about this section more generally. We talk
about what the report covers. Do we want to say, or do you think it is
important to make note of any important recommendations out of the report? If
you go into subsequent sections of this report to Congress, you will notice
that on page ten there are all these recommendations.

So keeping it in form with the rest of the document, there is a summary
section on the recommendations, I understand the new format of things, I think
it is deserving to make sure that some of the more key recommendations make
their way into the report.

DR. ROTHSTEIN: I agree. I think we should not miss an opportunity to say
our piece on the recommendations.

DR. GREENBERG: I agree with that, although just to point out that this is a
HIPAA report. So this last part, the lessons learned, are all lessons learned
from HIPAA. Whereas, the June report was more related to NHIN, though it
certainly had HIPAA implications.

DR. HOUSTON: There were some expressed intersections to HIPAA.

DR. GREENBERG: Those you might want to highlight.

DR. ROTHSTEIN: Among the HIPAA related ones are recommendations with regard
to business associates and so on and so forth.

DR. GREENBERG: Those could be highlighted.

DR. ROTHSTEIN: Those we ought to play up as opposed to the others. I agree
with both of those points. Thank you, John.

Any other comments on this section?

DR. TANG: Do you think you want to allude to the June letter that we are
going to be sending? Since covered entities is obviously a HIPAA issue?

DR. BERNSTEIN: We allude to it. We have explicitly talked about it in the
first paragraph.

DR. TANG: I guess you’re right.

DR. ROTHSTEIN: I think what Paul was saying, am I correct, Paul, that you
wanted a preview of what we are going to say in June ’07?

DR. TANG: Yes, because the whole point is, we are going to emphasize
something we have already stated, but clearly what we are stating has been
HIPAA related all along, it is just on uncovered entities.

DR. ROTHSTEIN: I’ll defer to Marjorie on this, but I think this is what we
did in the ’06 report to Congress, not what we are planning to do in ’07, is
that correct?

DR. GREENBERG: This is true. It covers the period May 2006 through November
2006.

DR. ROTHSTEIN: Right.

DR. BERNSTEIN: Also, in order to talk about that, you would have to have an
agreement on that, which you don’t have yet. You won’t have that until June.

DR. GREENBERG: We don’t want to tread any new territory here.

DR. BERNSTEIN: We can report that in next year’s.

DR. ROTHSTEIN: Other suggestions? Maya, what is next?

DR. BERNSTEIN: There is a previous section, if we go to page 4, Harry had
some significant suggestions about the compliance and enforcement section.

MR. REYNOLDS: Before we read those, one of the things you will see in those
comments is how far did we want to go in stating what we have.

DR. GREENBERG: What the terms are.

MR. REYNOLDS: Well, and things we heard in testimony. In other words, I
don’t think I brought up anything that wasn’t in the testimony besides how
aggressive we want to be in this letter, and I will have to defer to others to
understand that.

DR. HOUSTON: Which section?

MR. REYNOLDS: The one she is about to read.

DR. BERNSTEIN: We are on page four of the report. It is the first
subsection in the section on progress since the last report to Congress. The
first topic is compliance and enforcement.

DR. ROTHSTEIN: Can you go to the page five version? I think I said
something about this, too.

DR. BERNSTEIN: If you did, I do not have your comments.

DR. ROTHSTEIN: Didn’t I say to date, no prosecutions have arisen from these
referrals?

DR. BERNSTEIN: Harry said that, too.

MR. REYNOLDS: It is right here.

DR. BERNSTEIN: You are apparently of like mind. I’m sorry if I didn’t
capture your comments. It may be that because I was doing this at home I filed
them in a very neat little folder.

DR. ROTHSTEIN: One of the things that I know that I mentioned besides the,
to date no prosecutions have arisen from these referrals, is that there have
been no civil monetary penalties assessed in any of the cases.

DR. BERNSTEIN: One of the comments here that relates to that that Harry
made is that we say 75 percent of the cases are closed, but it doesn’t say how
those cases got closed. We heard some testimony on it in the last hearing with
the data that Sue McAndrew shared with us. Some of them closed because of lack
of jurisdiction, some of them closed with voluntary compliance, some of them
closed — I can’t remember, David, what the other topic areas were.

PARTICIPANT: After investigation.

DR. BERNSTEIN: Right, after investigation they closed or whatever.

PARTICIPANT: There was a finding of no violation.

DR. BERNSTEIN: Right, there was a finding of no violation. And we know that
there have been no cases where there has been a civil action taken.

DR. HOUSTON: Then maybe we should just put in brief those statistics in
there, in this section.

DR. ROTHSTEIN: I also think that the NCVHS is on record as not being
supportive of the policy of OCR never to assess civil monetary penalties for
violations.

DR. BERNSTEIN: I’m not aware of whether the committee has taken that
position.

DR. ROTHSTEIN: I would like to read you something from page 12 of the June
letter. At least in the context of NHIN, we said, OCR attempts to resolve those
problems that lead to complaints directly with the covered entities. We applaud
the focus on improving the protections —

DR. BERNSTEIN: Could you slow down so they can hear you on the phone?

DR. ROTHSTEIN: — at the covered entity level. Nonetheless, prospective
general improvements by a covered entity often do not satisfy the individual
who makes the complaint, nor reassure the public that the law is being enforced
adequately.

So I do think that we are on record as having issues with OCR policy.

DR. HOUSTON: I don’t read that as having issues with OCR policy.

DR. ROTHSTEIN: You don’t?

DR. HOUSTON: Maybe it is just an issue of tone of how we are saying it. I
think we have concerns that individuals don’t feel as though their privacy
protections are being adequately afforded or are being addressed.

DR. ROTHSTEIN: I am very happy to say that, something like, the testimony
that we have heard consistently is that the public is concerned about the lack
of enforcement in protecting their rights, or something like that.

DR. HOUSTON: I think that is more fair than to say NCVHS has made —

DR. BERNSTEIN: We can quote the exact language from the report, which has
been voted on and blessed, essentially, and say the report found the following.

DR. ROTHSTEIN: So you put that in? We are all going to have another crack
at this in February.

DR. BERNSTEIN: My hope is that when the new version comes around, it will
be in advance of the February meeting. People will have an opportunity to have
looked at it before they arrive, and will then come prepared.

DR. HOUSTON: Can I suggest that for the Privacy Subcommittee’s work that
you highlight the sections that are applicable to privacy specifically? The
reason why I ask that is, I want to focus my comments on those things that
relate specifically to privacy. When I read it, I tried to just look at the
things related to privacy. I understand the other things are the purviews of
the other subcommittees in certain cases.

DR. GREENBERG: You are going to get this. We will send it to you, the whole
thing. Debby will probably send it out, so I don’t think one section will be
highlighted over another.

DR. HOUSTON: Okay, I’ll just restrict my comments to those things which I
feel are —

DR. BERNSTEIN: Right, but for example the privacy section is separate from
the compliance section. The compliance section covers both administrative
simplification and privacy compliance. So you have to pluck out the parts that
are going to be relevant. I suppose I can highlight them.

DR. HOUSTON: Don’t worry about it.

DR. GREENBERG: When you send your revisions to Jim Scanlon, they are going
to look like this. You could CC the subcommittee. That doesn’t mean they
shouldn’t respond at that point, but then —

DR. ROTHSTEIN: Just a heads-up on what it is going to look like somewhere.
Other additions or corrections? I am going to have to go back home and take a
look at my hard copy markup.

DR. BERNSTEIN: Did you send me your copies electronically?

DR. ROTHSTEIN: No, I handed them to you at our last full committee meeting,
because I had made them on paper copy in advance at the meeting.

DR. BERNSTEIN: I’ll go look for them again, Mark, I apologize.

The other thing, Harry, we talked about was that even previous to this,
earlier on page four, the first place we mentioned NPI.

MR. REYNOLDS: Yes, but that doesn’t relate to this. Just for purposes of
expedition, we should cover that statement of security.

DR. BERNSTEIN: Okay. Then is there anything else on the compliance and
enforcement section that somebody wants to add?

DR. HOUSTON: No. Can we go to outreach then?

DR. ROTHSTEIN: Are we ready for outreach?

DR. HOUSTON: Even though it is more of a security than an outreach thing,
but since Harry is in the room, too. My only concern is, it says with respect

DR. ROTHSTEIN: The second sentence under HIPAA outreach and education on
page five.

DR. HOUSTON: With respect to security, HHS has published a series of
educational materials that address all aspects of security. I don’t like the
words all aspects of security, because it sounds like it is more comprehensive
than it was. It was good, but —

DR. BERNSTEIN: Anyone object?

DR. ROTHSTEIN: Anything else on the letter at all? So without hearing any
objections, we will go with the plan that we discussed earlier and that Maya
will write up the revisions based on our discussions and pass them along to
Jim, and then we will consider them again in the full version.

Let me thank you, Maya, for your work on this, and announce that it is my
intention to take up the last of the issues on our agenda and adjourn no later
than 4:30. So those of you on the Internet and elsewhere can plan.

Agenda Item: Subcommittee Discussion of Strategy, Next Steps

One issue that we had deferred that I want to take up now is the issue of
research strategies. You will recall we had at our hearing the testimony of the
research methodologists. Let me give some background for Leslie’s benefit and
others.

We have for many years recommended to the Secretary in a series of
letters, at least two or three that I can think of, that the Department
undertake a research program to study qualitatively and quantitatively the
privacy rule and its effect on individuals, on covered entities, on the health
care system, the economic effects, whether people are feeling more confident
that their privacy is being protected, whether it interferes with clinical
care, and so on and so forth.

Nothing has been done in that regard. We discussed last year the idea that
maybe we could increase the likelihood of something happening in terms of a
research program, given the magnitude of the task, if we could point the
direction of such a research program and say, we heard from experts and a
research program we think ought to consist of the following five elements,
whatever they might be.

So that was the purpose of the hearing. We did hear testimony from some
experts who confirmed to us that studying this question is perhaps even more
daunting than we thought. Now the question for the subcommittee is, what if
anything should we do now that we have heard from the experts.

John, you had a comment on this?

DR. HOUSTON: I’m not sure if I did or not.

DR. ROTHSTEIN: Maybe you just want to know if it is being dropped.

DR. HOUSTON: That is more of it. I think we heard from testimony; do we
want to make a recommendation.

DR. ROTHSTEIN: I’ll give you my opinion. It was my perhaps optimistic or
naive or some view that we would be able to put some recommendations together
in this regard, and after the hearing I felt and continue to feel quite
discouraged at the lack of expertise that we have to formulate such a
recommendation.

I think I would continue to stand by our recommendation in principle, but I
don’t think it is a fruitful enterprise for the subcommittee and the full
committee to try to even sketch out the parameters of what such a research
program would look like. It was so complicated and so laden with on the other
hand and footnotes and asterisks and so on, that even though it was my idea, I
will take the responsibility for it, —

DR. GREENBERG: I suggested it too.

DR. ROTHSTEIN: I think it was worth exploring and we learned from the
process, and I just don’t think we ought to pursue it any further.

MS. WATTENBERG: Was there a particular question that was being asked when
you proposed the research?

DR. ROTHSTEIN: The particular question was, how if at all could you set up
a system to measure in any meaningful way the effect of the HIPAA privacy rule.
We got some very complicated answers.

DR. HOUSTON: I think we all agree that it is going to be overly complex to
try to retrospectively — is it worth making a recommendation as we move
forward on some of these initiatives like the NHIN and et cetera, that we make
a recommendation that they should retrospectively put the measures in place to
be able to assess privacy effects on new projects.

DR. ROTHSTEIN: Let me quote to you from recommendation 26 on page 16, which
says, HHS should establish and support ongoing research to assess the
effectiveness and public confidence in the privacy, confidentiality and
security of the NHIN and its components.

DR. HOUSTON: That is what I said.

DR. ROTHSTEIN: Thank you.

DR. COHN: Mark, I am delighted by your proposal. Not surprised, but
delighted. I think you are right, I think the complexities of what is going on
in the environment, especially given the fact that there are overlapping state
as well as federal laws and all of this that made measurement almost
impossible.

Having said that, I think as we begin to look at issues as we go forward,
there may be value to particular types of statistics. I am reminded in the
previous hearing you wanted to know what happens to — what is really happening
at the Department of Justice about cases referred over there. I can imagine
getting some quantitative information around the tracking of disclosures, given
that has been historically more controversial pieces of the HIPAA
implementation, just to see about its utility and all of that, but that is on a
focused, issue based level as opposed to an overall review of overall efficacy
or whatever other measure we may hold this to.

DR. ROTHSTEIN: Just to respond to Simon, I agree with you, Simon. I don’t
want to abandon the notion that we couldn’t ever use data to review enforcement
or other functions under HIPAA. What I am prepared to abandon is this global
idea, this notion that we can use data to answer these big questions. I think
it is somewhat quixotic, after hearing the experts.

DR. BERNSTEIN: I want to remind us that what I remember from the hearing is
that, yes, we had trouble looking retrospectively at HIPAA, but there were
several suggestions made about how to go prospectively doing a study. Even
though yes, there is a recommendation in our previous letter, I think it is
sort of amorphous and attenuated and not very specific.

But I don’t think it would fall on deaf ears to have a more specific
suggestion that now is the time to start collecting data to have a baseline
when there are people who are not yet having electronic records, and where we
could get from baseline, and we won’t be in the same position again where we
can’t measure something five years down the road because we didn’t start now.

You could have some small pilot project. There might be funding for that
stuff, as I understand. In this year who knows, because we are under a CR, but
there are research monies available. I think various pockets of people in the
Department are looking for good ideas. Certainly this fits in with the
Secretary’s top ten priorities, and would possibly support his health IT
initiative.

I can’t speak for the Department and say yes, it will be funded immediately
if you were to propose that. But I think if you made a more specific proposal
that were more tailored, and perhaps with some of the help of the testimony
about how you would go about prospectively doing that, it might be more
helpful. Just my thoughts.

MS. WATTENBERG: There may be some specific kinds of research questions you
can ask, like physicians routinely collect client satisfaction surveys, and you
could do some study on, since the introduction or advent of HIPAA, has client
satisfaction gone up or down, and is there a way to draw a causal relationship,
or in terms of research has there been a reduction in client subjects in
certain kinds of research since the advent of the HIPAA privacy rule. You could
ask some very targeted questions.

DR. ROTHSTEIN: Here is where we start getting into problems that were
illuminated at the hearing. You get into all this selection bias and so forth.
I just think —

MS. WATTENBERG: Every study has to be completely methodologically perfect
in order to be useful. It depends on what the question is that you are asking.

DR. BERNSTEIN: We also heard that it is possible to add a question or two
that might be useful onto existing studies. The selection bias is not there
because the Department is reducing that because of its statistical expertise
and so forth.

DR. ROTHSTEIN: I think that if the Department wants to do this and wants to
use us as support for doing that, we have given sufficient approval and
enthusiasm and go-ahead to do it.

Paul and Leslie, any contradictory views?

DR. TANG: I don’t know where you ended up. You are or aren’t going to do
it?

DR. ROTHSTEIN: The way we have ended up is, we are not going to proceed
with the research issue.

DR. TANG: Okay.

DR. ROTHSTEIN: We have committed to get these two letters out by June, but
these letters do not require any additional hearings. It is based on work that
we have already done.

Let me suggest that I think it would be appropriate for us to give some
thought to additional topic areas that we might want to consider having
hearings on and working out letters that perhaps we could shoot for in the
September meeting of the NCVHS. I know Harry has got some ideas.

Let me present one — and John has some ideas, let me nominate one. That
has to do with the issue of mental health information. The HIPAA privacy rule
currently has a special provision. There is only one class of health
information that is not subject to the disclosure of HIPAA privacy, and that is
the psychotherapy notes.

In order to qualify for non-disclosure as psychotherapy notes, those notes
have to be maintained by a quote mental health professional. It seems to me
that we need to think about whether that was the appropriate way to consider
this class of highly sensitive information.

In particular what I am referring to is the fact that much mental and
behavioral health guidance and counseling is done not by mental health and
behavioral health professionals, not by psychotherapists, but by primary care
docs, by ob-gyns, by family care physicians and so forth, and that information
can be quite sensitive and is not subject to any additional level of
protection.

Now, I’m not recommending anything at the moment, other than that we should
perhaps consider holding a hearing where we hear from primary care docs and
psychiatrists and maybe substance abuse counselors and so on, to see whether
that might be an area that is appropriate for a recommendation.

DR. HOUSTON: Just so we are real clear on this, psychotherapy notes are a
very specific class of mental health information. You were talking like if it
only occurs with ob-gyns and with PCPs, that it would then be covered.

DR. ROTHSTEIN: No, what I am suggesting is that instead of saying that the
exceptions for psychotherapy notes, maybe the exception for mental health
treatment.

DR. HOUSTON: I understand that, but my point is even more specific than
that. Even if you are in a psychiatrist’s office or you are in a psychiatric
facility, that information itself isn’t covered any differently than regular
medical information. You don’t even have to be outside of that setting in
another environment. It wasn’t clear that you were saying that

DR. ROTHSTEIN: I may have and probably did say that inartfully. The
question is whether, knowing what you know and knowing what you think I know,
is that an appropriate topic for us to consider for a future hearing.

DR. HOUSTON: Yes.

DR. FRANCIS: Yes, I think it is a very important topic.

DR. HOUSTON: The only expansion of that would be, do you want to entertain
other types of sensitive information other than mental health.

DR. ROTHSTEIN: That is a very good question, whether we should go beyond
that and consider other sensitive information. One can think of a dozen other
types of sensitive information.

One of the things that — I am of two minds here. In my writing over the
last 20 years I am on the record as being opposed to the balkanization of
medical records, because I think it increases the stigma associated with mental
health, not just mental health but genetic information and all sorts of other
things. The more we separate them, the worse things get. So I am on the record
already as saying that.

But having said that, as long as we are going to carve out something, I’m
not sure that the way it has been carved out is the appropriate way. I come to
this with no preconceived amendment in my head, only the idea that maybe this
is an area that we ought to take some testimony on, that’s all.

DR. TANG: Can I ask, are you saying that you would want to have this
information covered in say progress notes of primary care providers?

DR. ROTHSTEIN: Well, the answer is, I don’t know. That is why I am thinking
of — I am just asking the question.

DR. BERNSTEIN: If I can recommend for the next few minutes that instead of
discussing each one of these topics, if we could brainstorm some other topics
that you might want to cover in the coming year or coming half year after June
or whenever we can set up hearings. Our time would be more productive than if
we have discussion for each one. The point is, we don’t know yet.

DR. TANG: But are we deciding whether to have hearings at this point? I
think that is a big danger, opening up HIPAA again.

DR. ROTHSTEIN: What we are deciding is what areas of health privacy we
think are appropriate for the subcommittee to consider in 2007. You can use
whatever study you want in deciding whether you think that is an appropriate
topic. But all I am saying is that we now have one suggestion, and the floor is
open for other suggestions. Then once we have them, we will see which if any of
these we want to follow up on.

DR. TANG: We are going to have some act before we pursue it?

DR. ROTHSTEIN: We are going to get a list of possible topics from the
subcommittee members and then we are going to decide which ones we want to
follow up on and in what order.

DR. FRANCIS: I don’t know if this is something the committee has already
done, something that is irrelevant or silly for it to do, but ways to get lots
of information in infectious disease surveillance.

DR. ROTHSTEIN: Can you explain?

DR. FRANCIS: What I mean is that there has been a lot of interest in
increased monitoring or getting data on everything from patient shift in
thinking about HIV testing to opt out rather than opt in, relating to the ways
that have been promulgated about what might happen in the time of a pandemic,
if there ever were a pandemic.

This is a very general area that would obviously need to be thought about
in making some decisions about what or where, but everybody is always eager to
get the data. If there is a worry about exceptions, there are huge privacy
considerations. I don’t know whether anybody has looked at that whole raft of
issues from a privacy perspective or not. One of the reasons people are
interested in even in NHIN type data is surveillance.

DR. ROTHSTEIN: I think that is a very important issue, and in fact, one of
the AHIC work groups on biosurveillance took up this specific issue. I think it
would be certainly fair game and reasonable for the subcommittee to consider
what they came up with. As you say, in November of 2006, CDC changed its policy
on HIV reporting, so that certainly would be reasonable for us to take a look
at as well.

So we have got another one on the list, and also on the phone. Gail?

MS. HORLICH: I don’t have another one, but I did want to add that AFTO is
thinking about planning a meeting to look at privacy issues associated with
pandemic preplanning. So I think it is a very important issue. I also
definitely agree that we should look at the mental health issues.

I am going to have to sign off in a couple of minutes, but it has been a
great meeting. I just want to thank you for letting us follow along on the
line.

DR. ROTHSTEIN: Thank you for following along, Gail. I hope to see you in
February.

MS. HORLICH: Thanks.

DR. ROTHSTEIN: Bye. Who was next?

DR. HOUSTON: Just a comment, not a suggestion for a topic. You had
indicated that there is a GAO report coming out as well as some testimony. We
should probably be open to the fact that we might find things in those reports
that will lead us to want to maybe investigate some things. So I just want to

DR. ROTHSTEIN: Keep some powder dry?

DR. HOUSTON: Yes. That is my only other comment.

DR. ROTHSTEIN: If you didn’t hear on line, that was a suggestion that we
not overly commit ourselves in light of new reports that might be coming down.

MR. REYNOLDS: I have got a subject I am struggling without a frame. We have
asked over and over again for information on compliance issues that are out
there, and we continue to hear the numbers.

How do we raise the water level in the industry about understanding the
HIPAA process? In the real world, minus case law, minus clear examples, minus
any of these other things that are going on, we are all barreling forward, and
everybody has spent a lot of money and everybody is watching it close, but
nobody knows if they are watching the right place.

We all flippantly say, and we heard it again today, people don’t know how
to implement it and they are not sure. I am becoming a little tainted by the
fact that that is just so easy to say, and that is what everybody has accepted.
I think the thing we try to do in this committee is try to make some difference
in raising the water level for everybody, and I don’t see that happening.

I think we have asked in numbers of different ways. We have asked for
reports. We have asked for stuff that we could help people see. But again,
being on the ground in the real level, it is still an empty field. I think
everybody we heard testify — if anybody went into a doctor’s office, and we
could all go around the room not saying why we went in, you would chuckle,
either chuckle or cry about what this thing means. I don’t know how to turn it
into an action, but it is something that has not translated well into the real
world.

DR. ROTHSTEIN: Harry, I agree with you. That was part of the justification
or the impetus for my research study that didn’t pan out. Yes, we all know this
from experience, but how can we make sense out of these anecdotes and try to
figure out a policy to go forward?

I would argue that we are still paying the price for a lack of adequate
outreach and education when the privacy rule was rolled out. We had many very
colorful hearings on this issue. I’m not sure how much better things are.

To be brutally honest with you, the only comfort that I think some
providers have with the privacy rule is the fact that even though they don’t
understand it, even though they don’t know what they are supposed to do, even
though it is a mess, at least nobody is going to come after them and assess
them any penalties.

DR. HOUSTON: That is pitiful, too.

DR. TANG: I may be hearing two different things, and perhaps it is just a
hearing problem. What I heard you talk about in your research, Mark, was to try
to assess the effectiveness of privacy protection. What I hear Harry talking
about is assessing the public’s understanding about privacy and privacy issues
and the risks that they may have with certain behaviors.

I think you are right that the former, the one assessing the effectiveness
of privacy, is much harder. The latter, the one that I hear Harry talking about
I think may be easier to ascertain through surveys and those kinds of
techniques, and could be as important if not more important.

So to the extent that the public understands both the issues and risks of
individual behaviors, it could do with what they put into their PHR, sponsored
by whom, so on and so forth. Then we have a much bigger group of folks that can
influence what is and isn’t offered in the market.

So I was thinking that it may actually be potentially more effective to
make sure one, we assess the public’s understanding and two, that we influence
and educate them on both the issues and the risks of individual behaviors. That
might be a more effective way of achieving privacy.

DR. ROTHSTEIN: Harry, did you want to respond?

MR. REYNOLDS: I wasn’t really going to the research aspect. We still have
22,000 complaints that came in, regardless of how they were adjudicated, to get
information about. So you don’t have to do a survey, there is a lot of stuff
out there, what was right, what was wrong, what was good, what was bad.

Again, translating some of that and putting it on the street,
de-identified, it doesn’t matter, gives people a structure. Those that were
dismissed, good.

DR. BERNSTEIN: Harry, I am asking you to clarify what you are talking
about. You are suggesting that OCR or somewhere in the Department, that they
take the factual scenarios from the complaints or whatever facts were
ascertained from an investigation, and put the fact pattern out there
explaining that this is an okay practice or this is a not-okay practice, and
here is what will happen to you?

MR. REYNOLDS: It is not what will happen to you.

DR. BERNSTEIN: It could be.

MR. REYNOLDS: Again, if there is no learning on the street, there is just
people playing at it. I’ll tell you, there are a lot of people that spend a lot
of money, and they are not sure that they are playing or they are not sure they
did a good job.

DR. ROTHSTEIN: Harry, I have a suggestion to make. I think I know what you
are saying. That is, explore with OCR the possibility of making FAQs or
guidance documents out of actual complaint scenarios that have been submitted
to them so that — in the law we sometimes call these advisory opinions, saying
that this is okay or this is not okay. Somebody complained that their doctor
did this, and we think that so long as he or she didn’t do that, that is okay.

MR. REYNOLDS: It is obvious we are not going to get case law, so let’s have
business practice. But let’s have something that raises the water level and
raises people’s sense of understanding of the kind of pitfalls that are out
there, which may have been dismissed as not issues, or the ones that were
recommended and somebody changed them. That is great practice.

It is hard to keep sitting here watching that number go up and then a lot
of people sitting in other places not knowing —

DR. ROTHSTEIN: Let me just comment, and then we’ll go to Marjorie. In
November, we agreed that we would try to push for a meeting with Sue McAndrew
to talk about a better use of complaint information at OCR. That meeting has
not yet taken place.

Would it be consistent with your suggestion, Harry, if we put that on the
agenda as one of the items to raise with her?

MR. REYNOLDS: Yes, and as a committee we get something done this year.

DR. ROTHSTEIN: Thank you.

MR. REYNOLDS: Yes, that is my recommendation.

DR. BERNSTEIN: I believe there was some subset of us that were going to
meet with her. Simon, you, maybe me.

DR. ROTHSTEIN: Right.

DR. BERNSTEIN: I don’t know what your schedules are like in early February,
but I know that you will be in town for the full committee meeting, so it might
be possible to have that meeting then. I’ll try to coordinate that with you.

DR. TANG: I would be interested in it as well. I think that is a great
idea.

Something to even add on to that, there is a certain amount of barrier to
submitting one of the reports, the 22,000. There may be another 100,000 out
there. Could we also design a mechanism to have certain things, let’s say some
of these contracts that I have seen put through this hopper, and even just a
commentary on such a practice, and to be part of the bigger learning set, the
difference between adverse events and near misses. There are a lot of near
misses out there that could be very educational.

DR. ROTHSTEIN: Thank you.

DR. GREENBERG: I certainly think you should pursue the meeting with Sue.
The specific recommendation unless I was hallucinating or something, I think I
recall your making it during a meeting, that you look at the scenarios, not
specific, not identifiable, and then develop categories and maybe FAQs. I
thought she said that was one of the approaches they were taking, which is that
if it was a common concern or something that they felt needed clarification,
they were developing FAQs.

But again, I didn’t completely hear what Paul said, but I do think that
22,000 is the tip of the iceberg, not necessarily for egregious things, but for
whatever was intended by the HIPAA privacy regulation not playing out.

For example, this whole notice thing. We keep hearing about that. What I am
saying is, there are a lot of things going on that don’t rise to the fact that
someone is going to level a complaint, but undermine what value we had hoped
the whole notice and policy would have.

Harry triggered this with me. I went to a doctor I hadn’t seen before. When
you go to doctors you haven’t seen before, you forget. I got something to fill
out, and I was supposed to sign that I had received their privacy policy, but
they didn’t give me anything. Most people just go duh, but since I am in the
field that I am in, I did go up to them and say, I am supposed to sign here
that I received this, but nobody gave me anything. They said oh yes, and they
gave it to me.

It does undermine; either people sign it and say they didn’t give me
anything, or they don’t sign. I’m not going to raise a complaint about this to
OCR, for goodness sake, because they did have one. But I think it is an
example.

I am still wondering, going back to your research issue and rejecting a
lull for the committee, because this is such a skewed sample or non-sample, a
skewed cohort of the people who have raised complaints. I still think it is
worth mining it more. Even the FAQs, does the average person go out there to
look at the website, maybe people in the industry do, but I really wonder if it
isn’t worth exploring, particularly in light of what Maya said about, there may
be some funding, adding some questions to something like the health interview
survey which is a representative sample of the population. Not everybody in the
health interview survey, in fact, probably the majority, have not had a health
care encounter in the reference period, maybe the last two months or something,
but to ask some questions that maybe get at this area of just the policies and
the fair information practices and peoples’ views on what their experience has
been.

That then gets into another venue. It could get into articles, it could get
into the newspaper. Things from the HIS are published all the time. It could
get into the MMWR, not as an attack, but as hello, this is what is going on
right now in a representative sample of the population.

Again, it is fraught with problems. You don’t have the baseline, blah,
blah. But I don’t know if you should just reject it out of hand.

DR. ROTHSTEIN: No, I think that is fine. We talked about that at the
hearing in November, you will recall.

DR. GREENBERG: Yes.

DR. ROTHSTEIN: I think that would be wonderful. I don’t want to reject that
out of hand, I want to support that.

DR. GREENBERG: It wouldn’t necessarily be definitive about the
effectiveness of the regulation, but it could have more generalized information
about people with experience.

DR. ROTHSTEIN: Do you think the committee needs to recommend that before Ed
or whoever is in charge of signing off on that says we are going to do it?

DR. GREENBERG: No, I think what it would require is maybe the subcommittee
meeting with people from the health interview survey and maybe some people from
ASPE about what kind of questions realistically could you ask. You could test
questions in the cognitive lab.

It requires some money. NCHS doesn’t have that money in their budget right
now, but people add questions all the time. ONC adds questions to the
ambulatory care survey about the penetration of the electronic health records.
I think it would need a little more exploring. It may be that in exploring it
you would be convinced that there isn’t anything you could ask that would get
good answers that would be worthwhile.

We haven’t done that. You had the one hearing or some testimony during the
one hearing. I am just thinking, because I am reacting to Harry’s frustration;
we keep trying the same things and bringing up the same issues, and nothing
seems to be advancing. This would be a different approach, and the results if
it were done would have a different audience and might raise the consciousness
a little bit more and might lead to more active response.

DR. ROTHSTEIN: I certainly would support that. I’m not sure what you are
suggesting. If you are asking, would the subcommittee and/or its leadership be
willing to work with you and ASPE and so on, absolutely.

DR. GREENBERG: I think it should be done. This is a federal advisory
committee, so it should be done — unless it was just one person doing it, but
if it was the subcommittee, it should be done in the usual way. But you could
do it in a working session of the subcommittee. You could ask to have some
slates. That is a huge sample that you can add a few questions to.

So I’m just saying, it could merit a little bit more exploration.

DR. HOLZMAN: If you will indulge me for a moment, I’d like to return to Ms.
Greenberg’s comment —

DR. ROTHSTEIN: For the record, could you state your —

DR. HOLZMAN: I am David Holzman. I am with OCR and I am
representing Sue McAndrew.

Ms. Greenberg, if you had reported your concern regarding the encounter in
your physician’s office regarding the notice of privacy practices, that
complaint would have been fully investigated.

DR. GREENBERG: I realize that.

DR. HOLZMAN: And frankly, that is how OCR receives complaints regarding
concerns about the privacy rule and how it moves forward.

DR. GREENBERG: I realize that, but being a completely complaint driven
system, my point was that for every complaint that is made, there are thousands
and thousands of people who don’t feel they were harmed, and so they don’t
report it.

The problem with it is less that any harm was done, but that it undermines
what we are trying to accomplish. I don’t doubt for a minute that if I had
submitted a complaint, the OCR would have dealt with it in an appropriate way.

DR. ROTHSTEIN: Thank you. Simon.

DR. COHN: Just to try to pull us out of some of this stuff, I had not seen
this occasion to be a time to come up with all the answers, but to identify the
next steps. I agree with Marjorie that a very reasonable next step is for the
subcommittee to invite somebody from NCHS who is involved with survey work to
talk about what can be added to surveys. That can be in the next session, but I
will defer to you on how best to approach that.

I did want to comment. It doesn’t look like we have time to prioritize, but
I am hoping the privacy subcommittee does have a breakout and that there will
be a listing of these things that can be further discussed.

I did want to reflect on the hearings today. Even though I know we are
going to produce a letter on this issue of non-covered entities, I do think
that this is a rapidly enough evolving area that if we are going to be doing
hearings between now and our June meeting, that we might want to have one
session to revisit some of the discussions and see if there are any updates or
changes to the landscape as we prepare a letter in that area. So just a
suggestion on that.

I think finally, I would redouble what John was commenting on. Not knowing
what GAO is going to be reporting, that may be something that we do need to
make time for during the session, or even maybe something gets elevated to the
full committee discussion either sooner or later.

DR. ROTHSTEIN: Let me see if I can summarize what you said, Simon, in the
interest of time, and actually take it a step further.

Suppose at our breakout session at the full NCVHS committee meeting we
start out where we already have two agenda items for consideration of future
activities — we are not going to do anything for the next two weeks — that
is, the mental health substance abuse notes issue and the infectious disease
biosurveillance privacy issue. So those are on the table. In addition, we are
going to pursue a meeting with OCR leadership on the issue of trying to use the
factual scenarios from complaints for guidance purposes.

MR. REYNOLDS: One other thought. We did the letter of privacy on the NHIN,
and we did it out of a nice high level. Possibly considering at some point
having a diagram put together of how stuff may really flow through the NHIN. In
other words, you have got RIOs and you have got the system of systems, and
maybe in one of our discussion sessions put that up on the wall and walk
privacy through that at a little more realistic level of where data might
reside and how it might work, to make sure that we haven’t missed something big
as we have talked about privacy.

DR. GREENBERG: Will this come out of these presentations later this week on
the architectures?

MR. REYNOLDS: It may. We may want to take one of those charts that comes
out on these different architectures, and maybe some time for discussion here.
There is the overarching subject and the idea of the pieces, and then there is
some reality starting to flow. I call them filters. It doesn’t hurt the filters
one level down to say, does our umbrella miss anything.

It is a little bit like case law, where it is starting to come clear how
people are going to do it. So it wouldn’t hurt just to go through a couple of
those, or any charts that come out of the ONCHIP meeting, and just say, did we
miss anything. It may be a 30-minute discussion, it may turn into something
where we said, oops.

DR. ROTHSTEIN: How about if I propose the following, that we already have
two possible hearing topics, and for our subcommittee discussion that comes up
in February, I would like to add two additional topics. One is the use of
survey data from the national health interview survey or other sources, and
maybe get somebody to one of our meetings. The second, using the architecture
models for a privacy reassessment.

MR. REYNOLDS: Maybe that is later in the year. Again, we are putting out
things to do. I’m not saying this is something we have got to do right now. I’m
just saying that as we are laying out this year, I think within this calendar
year, this is a subject that we ought to take a look at.

So I’m not pushing to all of a sudden slam it into the next hearing, but I
think it is a subject that this committee ought to take as these things become
a little clear. So I’m not pushing to add it to the next —

DR. ROTHSTEIN: So that is four items that we have got for consideration at
our breakout meeting.

DR. BERNSTEIN: I just want to point out that the second topic, on
infectious disease surveillance or other kind of public health uses, is one of
those things that falls into the concept of secondary uses, depending on how
you define it, and various people are defining what is a secondary use
differently.

So as a privacy person, anything that is not the reason for which it was
collected is a secondary use by me. That includes, if information is collected
for a clinical purpose and it is public health, that is still within the health
realm as a secondary use, or if it is for marketing or it is for your bank or
God knows what, all those are secondary uses or maybe tertiary.

But other people define secondary uses to be either narrow or wider, and I
think there is a lot of overlap in what various committees are doing. If we
were to take up the issue of infectious disease surveillance, we are slicing
that concept of secondary uses, we are picking one of them. It is an important
one, but there are other ones, too, if you want to start exploring those areas.

DR. ROTHSTEIN: We are not committing to anything yet. There are initiatives
in the works now at the Department that will influence how we go on any one of
these issues. All I’m trying to do is put together a slate of things to keep
our eye on and take another look at, at our February meeting.

Leslie or Paul, suggestions?

DR. FRANCIS: No.

DR. TANG: No.

DR. ROTHSTEIN: Amazingly, that brings us to the end of what I consider to
be a very productive and interesting day. We did get a lot of work done. We
heard a lot of interesting testimony and we have some very important steps to
take to go forward.

I want to thank Maya and the staff for putting together a very interesting
hearing. I want to thank our support personnel for operating under very trying
circumstances. I want to thank Leslie for attending virtually her first
subcommittee meeting, and we look forward to seeing you at the full committee
meeting.

Paul, I hope you are feeling better, and looking forward to seeing you in a
few weeks. I want to thank Marjorie and NCHS for hosting us, and our staff. We
will meet at 8 a.m. at the full committee meeting.

Thank you. We are adjourned.

(Whereupon, the meeting was adjourned at 4:40 p.m.)