[This Transcript is Unedited]

National Committee on Vital and Health Statistics

Subcommittee on Standards and Security

January 27, 2004

Hubert H. Humphrey Building
Room 705A
200 Independence Avenue, S.W.
Washington , DC 20201

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, suite 160
Fairfax, Virginia 22030
(703) 352-0091


P R O C E E D I N G S [9:30 a.m.]

Agenda Item: Call to Order – Dr. Cohn

DR. COHN: Good morning, everyone, I want to welcome you to the first
morning of the hearings of the Subcommittee on Standards and Security on the
National Committee on Vital and Health Statistics. I do want to apologize for
those listening in on the internet that we are running late. I think those in
the room here realize that we’ve been having somewhat of a snow emergency,
which being from California I find very interesting. And certainly having been
in Los Angeles yesterday where there was like 65 degree weather it may be a
little confusing.

Anyway, my name is Simon Cohn, I’m the chairman of the subcommittee, I’m
the national director for health information policy from Kaiser Permanente. I
want to welcome fellow subcommittee members, HHS staff, and others here in
person. I particularly want to welcome those listening in on the internet also.
Given that we are on the internet and I believe it is live today I want to
remind everyone to speak clearly and into the microphone so that they can hear.

We obviously have a lot to cover over the next two days. This morning we’re
going to be starting a discussion, or actually hopefully maybe completing a
discussion, with Consolidated Healthcare Informatics Initiative, at least on
the first phase of your work. As we understand it you’re coming forward with
final recommendations on four health care domain areas, which include clinical
encounters, text based reports, population health, and chemicals. And obviously
the intent of these standards are that they be used within the federal health
care enterprise and potentially influence work going on in the private sector.
Obviously this is part of your federal adoption process and we’re very pleased
to have an opportunity to hold public hearings to get public input on these
recommendations, and obviously we’re encouraging you and feel that your work is
very important.

We’ll also be later on this morning, and certainly as we go along with
these recommendations, reviewing our current draft letter, and as I remember
even we had a couple of issues from a prior draft, see if there’s any
additional information that will cause us to update them beyond these four
recommended new standards. Obviously the intent of this letter, and hopefully
we’ll have a chance to vote on it by the end of the morning, will be to submit
it to the full committee for ballot on Thursday.

This afternoon we will be having a hearing on the HIPAA security rule and
the status of that implementation. I want to thank John Paul Houston, one of
our members, for taking the leadership in putting that together. John, thank
you. This is obviously a topic that as we move more towards implementation I’m
sure we’ll be having ongoing conversations with the industry on issues and
opportunities around that implementation.

Now tomorrow we begin with a HIPAA update followed by a discussion of the
draft letter on the claims attachment standard that were based on the December
hearings. The question in that case really for the subcommittee is whether we
are ready to move forward with a letter recommending some next steps or whether
additional investigation or testimony is needed, but that will be a
conversation for tomorrow morning.

Following that we have a conversation with the dental community, the focus
of that session is really on SNODENT and whether it is appropriate to recommend
SNODENT as a clinical terminology, which is one of the issues sort of left open
from our last set of PMRI recommendations. But given what I’ve seen of the
testimony so far I suspect that there will be other issues coming before the
subcommittee from the dental community as well.

After lunch we will further discuss our role in investigating and
recommending e-prescribing standards. As many of you know the recently approved
Medicare Reform legislation calls on the Secretary to adopt standards for
e-prescribing and the NCVHS has been directed to develop such standards
recommendations. Jim Scanlon and hopefully Karen Trudel will update us on the
department’s work plan in relation to this and then we’ll be discussing our own
draft work plan. Obviously I want to thank Jeff Blair for his leadership in
terms of putting together what I think is a very good draft work plan but we
obviously do need to reflect on the scope.

Now before we go around with introductions I do want to emphasize that this
is an open session, obviously those in attendance are welcome to make brief
remarks if you have information pertinent to the subject being discussion. We
also have time at the end of each session for brief comments by those in
attendance. Finally for those on the internet we welcome emails and letters and
other comments on issues coming before the subcommittee.

Obviously with that I would ask that we go through with introductions for
the subcommittee and then around the room. For those on the national committee
if there are any issues coming before us today for which you need to publicly
recuse yourself I would ask if you would do that as part of your introductions.

MR. BLAIR: Jeff Blair, Medical Records Institute, vice chair of the
subcommittee, member of AMIA, ASTM, HL7, and HIMSS, and there’s nothing that
I’m aware of that I need to recuse myself from.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention,
staff to the subcommittee and liaison to the full committee.

MR. HOUSTON: John Houston from the University of Pittsburg Medical Center,
I’m a member of both the committee and the subcommittee.

DR. HUFF: Stan Huff with Intermountain Health Care and the University of
Utah in Salt Lake City. I’m a member of the subcommittee. I’m a vocabulary
co-chair in HL7 and so I’d need to recuse myself from HL7 discussions. I’m also
a co-chair in the LOINC committee and would have to recuse myself from any
LOINC discussion. And I’ve contracted on occasion with 3M so I’d need to recuse
myself from any ICD-10-PCS or like discussions of 3M products or contracts.

MS. BRADFORD: Alicia Bradford, CHI.

MR. SEPPALA: Gregg Seppala, Department of Veterans Affairs, representing
the CHI clinical encounters group.

MS. NUGENT: Linda Nugent, Department of Veterans Affairs, representing the
CHI text based reports group.

MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health and
member of the full committee.

MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics,
CDC, and executive secretary to the committee.

MS. FRIEDMAN: Maria Friedman, CMS, lead staff to the subcommittee.

MS. SQUIRE: Marietta Squire, CDC, NCHS, and staff to the subcommittee.

MR. SYRAKOWSKI(?): Arthur Syrakowski, Center for Devices and Radiological

MR. KILE(?): Frank Kile, American Dental Association.

DR. COHN: Okay, welcome and obviously this is Simon Cohn again. I do need
to publicly recuse myself in relationship to any issues that come before us in
relationship to CPT, which hopefully should not be an issue being discussed
today I hope.

With that, Alicia, would you like to lead off with an introduction to where
we are with the CHI recommendations please?

Agenda Item: CHI Introduction – Ms. Bradford

MS. BRADFORD: Thank you for having us here today. Some of these slides are
fairly familiar, you’ve seen them before. This one is showing the phase that
the different teams have gone through, the progress for phase one with our
final teams wrapping up, and they’re wrapping up their work in late December,
I’m presenting now to you in January. The process that we go through from
deploying the teams, the analysis and feedback within the workgroup, consensus
with the agencies, HHS, VA, and DOD. And now presentation to NCVHS.

And today as you mentioned we’ll have four workgroups and this will wrap up
phase one of the clinical encounters text based reports, population health and

DR. COHN: You might want to change the overhead, are you going to be using
these on Thursday also?

MS. BRADFORD: We will and I did. And we’ve kind of refined this as the
project has progressed regarding the range of possible recommendations quickly
realizing that there is no perfect terminology. The workgroup could return
saying that there was an acceptable terminology that just needs evergreening to
maintain the viability. More often then not there could be an imperfect
terminology that would result in different levels of follow-up, one being that
there are just identified gaps that don’t preclude its use but need to be
addressed. It could be a conditional approval meaning that the terminology or
standard is not ready for use yet until these conditions are addressed. And
there could be temporal issues such as the standard is in ballot or production
version. And more rarely but has happened that there could be no solution
available at this time and we would identify an SDO or a group that the
government would work with to fill that need.

As Gregg mentioned, we have Gregg Seppala from the VA and he’s representing
the clinical encounters workgroup.

DR. STEINDEL: Alicia, can I get a bit of a clarification on what you just
said? You said that this concludes phase one, does that mean that multimedia is
not going to be presented as part of phase one? You’re shaking your head —

MS. BRADFORD: Yes, Council consensus was not reached on the multimedia
recommendation and that will be pushed on into phase two in addition with the
history and physical that we did not receive, the workgroup did not progress
with that and the recommendation was to wait and address history and physical
in phase two also.

DR. COHN: Well, Alicia before Gregg starts, and I know he’ll be starting in
just a second, either today or Thursday is there going to be any discussion of
what phase two is?

MS. BRADFORD: I don’t believe so, I don’t think it’s all been decided yet.

DR. COHN: I see, but I guess it has been determined that there will be a
phase two.

MS. BRADFORD: We have definitely identified further work to be done so we
hope that there is a phase two for us to continue this work identifying and
addressing the gaps and additional domains that were not addressed in the first

DR. COHN: When do you expect that you’ll be discussing more publicly I
guess the various aspects of phase two? Would this be a March meeting

MS. BRADFORD: I think so, yeah. By then we’ll have more knowledge about
phase two.

DR. COHN: Thank you.

MS. BRADFORD: Okay, Gregg.

Agenda Item: CHI Final Reports – Clinical Encounters –
Mr. Seppala

MR. SEPPALA: As I said before my name is Gregg Seppala, I’m from the
Department of Veterans Affairs, and I’m representing the CHI workgroup that
helped define select terminologies for clinical encounters. The other members
of the group, those people on the internet can’t see the slide probably,
include Dave Bergland(?), CDC, Theresa Cullin(?), Indian Health Service, Jason
Goldwater, CMS, Gail Graham also of VA, Bart Harmon of DOD, Ken Hoffman of DOD,
Eduardo Ortiz of AHRQ and Cynthia Wark of CMS.

The first challenge we faced was trying to figure out what clinical
encounters was and what it wasn’t, so we spent some time first of all doing use
cases to see how broadly we felt clinical encounters should be scoped, and we
concluded as a group that it needed to deal with encounters in all kinds of
settings, ambulatory care, inpatient care, which would be acute, intermediate,
or even long term, emergency care, home health care, field care, and virtual or
tele-medicine. Once we broadened the scope to that point we were seeking some
way to narrow the scope and so we were looking for a definition for encounter
and the one that we thought was the best definition was the one in ASTM 1384,
the version was 02A, standard guide for content and structure of the electronic
health record. And we felt that that was an apt definition.

After we had agreed on the scope and definition for encounter then we
needed to determine which data elements would be within the scope of our
recommendations and which would not, and we turned to the CHI approved
messaging standard, the HL7 version 2.4 ADT message as representing the data
elements within the scope of clinical encounter. That message in 2.4 consists
of 25 message segments comprising 612 fields, so again we were looking for ways
to constrain scope so items that we declared were out of scope were
demographics, because they were being done by another workgroup, allergy
information, diagnosis and problem lists, financial and payment, insurance
information, interventions and procedures, all of those were within the scope
of other workgroups. So although they would be considered part of a message
about a clinical encounter the standardization work and recommendations are
being done by other groups.

In scope we had admission information, transfer or patient movement
information, discharge information provider information, and then two segments
which didn’t seem to have another home in CHI but were part of the ADT message
which was accident information, death and autopsy information. Also excluded
from our scope were practitioner to practitioner interactions, practitioner to
record interactions, and ancillary service visits, because those did not fit
within the definition of clinical encounter balloted by ASTM, and we’ve
identified those as gaps. We do know that in the future there is an interest in
being able to exchange information about clinical services but our opinion was
that the ADT message and the current definitions didn’t well support that and
that’s identified for future work.

So when we were finished taking segments and data elements out of scope the
612 data fields were reduced to 92, and of those 92 data elements 38 of them
used coded data, and so we focused on those 38 coded data elements. We looked
at ASTM 1384, we looked at ASTM E1633, which is the standard specification for
coded values using electronic health records. We looked at the X12 837 health
care claim message, we looked at SNOMED CT, we looked at the UB-92, or the CMS
Form HCFA-1450. We also looked at the data elements for emergency department
systems release 1, also known as DEEDS, and we looked at HL7 versions 2.4, 2.5,
and version 3.

After we’d looked that over in general what we recommended is adoption of
the coded values recommended by Health Level 7 version 2.4 and higher, and then
we had a number of gaps that we’d identified to be addressed in the future.

Some of the gaps as I mentioned before would be better support for home
health field and virtual encounters. We felt that the current standard really
focused on ambulatory and inpatient encounters and didn’t provide clear support
for those. Clinical services that don’t meet the definition of a clinical
encounter, such as provider to provider interactions without the presence of a
patient, provider to record interactions, and ancillary service visits. Another
gap is that we are looking for and between the time we wrote this and today the
final regulation to the National Provider System was released, so we’re looking
for those identifiers to be used for both practitioners and health care
organizations. We’d also, it would be helpful to have standard location
identifiers but I think this is a gap that will exist for some time. And
another challenge would be standard hospital service names.

So that’s the short version, I’d be glad to answer any questions or go into
more details about the recommendation.

DR. COHN: Questions from the subcommittee? Steve.

DR. STEINDEL: I have one question and one clarification since I’m the
keeper of the documentation it needs to go on. The clarification is Gregg, the
transmission that was submitted to NCVHS does not explicitly state some of
these gaps that you noted. Would you like the documentation to reflect that, at
least I do not see them, like the virtual encounter, etc., it just says one of
them, so Alicia or Gregg, if you’d like the transmission document to explicitly
state that, which I think would be a good idea, if you’d see me at the break or
something we’ll just add it, Simon, if that’s okay with you.

DR. COHN: It appears that the overhead that they have here doesn’t, isn’t
in any way related to the documentation, which I think is what you were

DR. STEINDEL: And the documentation actually forms the record that we
transmit over.

DR. SEPPALA: I did send in an updated longer report on January
7th which matches this a little better so maybe we just —

DR. STEINDEL: Maybe we just need to sync. We’ll just do that at the break.
That was cleaning up your documentation side of it, just as a question point of
view I noticed that you say 13 data fields are published in version 2.4, seven
in 2.5, and four in version 3. Are the ones that are in version less then 3,
the version 2.X data fields, are they intended to be transferred over to
version 3 or are they represented in similar fashion in version 3 at this time?
Do we have to make any note of that? Stan as vocabulary co-chair if you want to
give a technical answer to this it might be helpful, too.

DR. HUFF: Our intention is to transfer all of the version 2 tables into
version 3, but there’s not a defined timeline to do that.

DR. STEINDEL: Thank you, I think that’s a satisfactory clarification.

DR. COHN: I guess maybe I’ll ask a couple of questions. Obviously we have a
report from you from January 6th, so it’s probably not the one
you’re even referencing. That’s what I referenced in red. Obviously I’m sitting
here trying to remember and I apologize, I don’t have E1384 in my office so I
was trying to figure out what the definition for encounter that you were
referencing since it wasn’t to be found anywhere in the document except the
fact that you agreed with it. So do you have it, is that something that’s short
enough that it’s readable to inform the committee of what the definition was?
Is it in there? Where is it?

DR. STEINDEL: Very beginning.

DR. COHN: Oh, I’m sorry, I apologize, I was looking at page two and page
three, I take back, I mean obviously it’s short so why don’t you read it just
so, as my face goes from red to slight lighter shades of pink.

MR. SEPPALA: This is a quote from the standard and then we go on to
elaborate a bit. So the definition for a clinical encounter, again from ASTM
E1384, is one, an instance of direct provider or practitioner to patient
interaction regardless of the setting between a patient and a practitioner
vested with primary responsibility for diagnosing, evaluating, or treating the
patient’s condition, or both, or providing social worker services. Definition
two, a contact between a patient and a practitioner who has primary
responsibility for assessing and treating the patient at a given contact,
exercising independent judgment. The ASTM chapter goes on specifically to
exclude ancillary service visit, which is defined as the appearance of an
outpatient in a unit of a hospital, or outpatient facility to receive services,
tests, or procedures. Again, the key point is exercising independent judgment.
And then because it requires a direct interaction with the patient this
clinical encounter definition would also exclude practitioner interactions in
the absence of a patient such as practitioner to practitioner interactions, or
practitioner to record interactions.

DR. COHN: Okay. Jeff and then I’ll ask a couple more.

MR. BLAIR: Was there any thought given to providing diagnostic services or
evaluations over the internet? Because that falls outside of the definition.

MR. SEPPALA: Anything that would happen without direct interaction to the
patient, now tele-health might include patient to provider interactions not in
real time, so I think that’s an area that we would like to investigate in the
future, certainly a gap.

MR. BLAIR: I don’t know if it’s a gap or not because I don’t know if that
needs to be referred to as an encounter, maybe tele-health becomes a separate,
so I don’t know, I was just raising it as a question, whether it was
considered, if we’re going to move more into that area do we need to either
modify the definition or do we need to consider that as a separate activity.

MR. SEPPALA: Actually the ASTM definition, I think it was five years ago,
explicitly excluded telephone as a modality for an encounter and at VA’s
encouragement that restriction was removed. So VA certainly feels that there
are tele-health encounters, there are probably other things which take place
over the internet which still wouldn’t be categorized as an encounter, but I
think it’s a new area that needs to be looked at.

DR. COHN: Marjorie?

MS. GREENBERG: I just wanted to clarify regarding ancillary services such
as an x-ray, so if a patient goes and gets an x-ray the x-ray technician is not
considered to be exercising independent judgment, that’s not an encounter?

MR. SEPPALA: That’s our understanding of that definition.

MS. GREENBERG: When the radiologist reads the x-ray he or she is exercising
independent judgment but the patient isn’t there, so that’s not an encounter


MS. GREENBERG: Is that right?

MR. SEPPALA: I think so.

MS. GREENBERG: Way back when, actually the committee and the department
were developing the ambulatory care dataset, those types of situations were
actually considered encounters because they, I think they were trying to align
more with what generated an actual claim. But the ASTM definition is not really
aligned with what generates a claim but more the requirement of both the
patient and provider both being there and the independent judgment.

DR. COHN: I guess I should ask the question, I’m just trying to think of
whether or not I’m going over the line on this one just by asking but it really
is that billable encounter concept, which obviously there are HIPAA standards,
and typically the issue of service versus encounter, they do sort of overlap a
little bit, they more then a little overlap and there’s one code system that I
can think of and it’s obviously it’s the AMA CPT that goes, at least discusses
a lot of types of clinical encounters in its E&M(?) section, and so I’m
wondering if there’s a slight disconnect between this and, I mean they for
example have codes for telephone, for internet, for various, I’m just trying to
think of how all this works out, it’s not a position statement it’s just more
of an observation.

MS. GREENBERG: That’s why I made my observation because the claim/encounter
transaction is used for events or whatever that are not, that do not meet this
definition of an encounter. But then this is really for the clinical
environment and the exchange of clinical information as opposed to the
administrative environment.

DR. COHN: But having said that I mean within my organization, for example,
I mean we track telephone encounters, we certainly track internet —

MR. SEPPALA: Telephone is included in this definition.

DR. COHN: Oh, included? I’m sorry, and then there’s also internet
encounters and email and things like that that we’re tracking and considering
to be actually a service and an encounter.

MS. GREENBERG: I think those are covered right?

DR. COHN: I don’t think virtual, isn’t that a virtual encounter?

MR. SEPPALA: It is a virtual encounter. What we said is that the standard
doesn’t, the definition and scope includes virtual but the current message
definitions don’t well support the different viewpoint. For example in a
virtual encounter you might actually have two locations that you’re tracking,
one is the practitioner’s location and the other is the patient’s location.
We’ve discussed it some in the context of an HL7 version 3 modeling how this
would be handled but we’ve actually excluded that from the release one scope.

MR. BLAIR: Oh, that’s what I missed.

DR. COHN: Steve?

DR. STEINDEL: I’m trying to recall what was discussed when this was
presented in the preliminary form at NCVHS because I do recall that we had some
discussion of the definition of the encounter with regard to laboratory
reports, x-ray reports, etc., about whether they were encounters or not. And I
think we somewhat decided that the key word here was contact, and that it did
not necessarily mean physical contact with the patient and that we felt that
these reports were some type of clinical encounter and that this did cover
those, this recommendation did cover those because of the stretching the word
contact. And I’m basing this on recollection, I want to know if anyone else had
that kind of recollection or if we should make any comment about that.

MS. GREENBERG: The radiologist reading —

DR. STEINDEL: Yeah, or the pathologist issuing —

MS. GREENBERG: Was an encounter.

DR. STEINDEL: Was an encounter, was a clinical encounter.

MS. GREENBERG: I read this definition that it wouldn’t be but —

DR. STEINDEL: I think we had some discussion on that because this is
actually a very critical portion of this definition of the encounter because I
think, while I think there’s some question about the technician doing the test,
the technician or the technologist doing the test, whether that interface with
the patient should or should not be considered a clinical encounter I think
most people consider the physician interpreting the results to be a clinical

DR. COHN: Well, it’s certainly considered to be a service.

DR. STEINDEL: A service, yes.

DR. COHN: Which obviously begs the question and if we, the question is is
the definition interaction with health care system or is the interaction with
the practitioner, which I guess is sort of the question you’re begging.

DR. STEINDEL: I mean if we apply, strictly apply the ASTM definition what
it involves is what does the word contact mean, does it mean physical contact
or indirect contact as well.

MR. SEPPALA: Well after, I think it was in October the preliminary report
was presented and we considered that issue and then we looked more closely at
the messages and still felt that although reporting clinical services that
didn’t fall under the ASTM definition was important, that the current message
didn’t support that well and we identified that as a gap that needs to be
addressed soon.

DR. STEINDEL: Thank you, that then gets to the clarification in the text
that the NCVHS has right now as identifying that as a gap because if those
types of issues are addressed in the final document that’s transmitted to NCVHS
then we really don’t need to make a comment on it in the letter, but I think we
would want to make sure that those types of things are mentioned.

MR. SEPPALA: When you look over the version if it’s not crystal clear from
the document then we can edit it again because that is our intent, to identify
that as a gap.

DR. COHN: Other questions or comments from the subcommittee? I’m struggling
a little bit because obviously the version you’re referencing is different then
the one that I think I have on my desk and so I’m going, and I think different
then the one that we were sent out though I’d have to double-check that.

DR. STEINDEL: Yeah, it’s different then the one that was sent out because I
went looking through my various documents and I can’t find a more recent one.

DR. COHN: Obviously everything you’re saying I agree with, I don’t have any
objection to any of your comments I’m just trying to think of, it’s hard to
accept a document or make modifications on it when we’re having trouble
identifying what the base document is.

MR. SEPPALA: Unfortunately the primary edit was to pull out the gaps, which
were sort of sprinkled around in the document and highlight them in one

MS. BRADFORD: This is Alicia. The teams have a working document that the
use to lead them through the process and it’s quite long and we condense that
for a report to present to you. So some of that was probably left out and we
can elaborate on the report that you have on the gaps and redistribute that.

DR. STEINDEL: We can do that at the break.

DR. COHN: That’s something we can do contemporaneously with the
conversation today.

Are there any other questions? I mean overall I’m not hearing anything that
we should just not accept, or should concur with, excuse me, but obviously we
probably need to take a look at that document.

I guess the one other question and I will apologize because it’s probably
in your document, at least in the version I’m seeing there’s basically a
description of certain data elements needing further work, is that, are those
listed out explicitly in your document?

MR. SEPPALA: Yes. So in the ADT message we identified six coded data
elements that have no vocabulary in HL7 nor in any of the other items that we
looked at, and there are actually some notes because some of these although
they’re called coded data elements I’m wondering if that’s true. For example
one is a pre-admit test indicator, which sort of sounds like the codes would be
yes or no but it’s actually a coded set, a discharge to location, which would
probably be a location identifier but it’s defined as a code. So these six, I
think we need to refer to HL7 to look at whether these are actually coded data
elements or something else, and if they are coded data elements start coming up
with a starter set of values. Recurring service code, role duration and role
action code, so that’s the six that don’t have any suggested values.

DR. COHN: Other questions from the subcommittee? How would you like to
proceed, I mean we can, I think we’re in a situation where we sort of need to
see the final document first before we can identify how to modify it but I’m,
I’m sort of thinking that by this afternoon we’ll have it.

DR. STEINDEL: I will get with them at the break and we’ll have Marietta
print it out —

DR. COHN: Get copies of it and then hopefully we can —

DR. STEINDEL: And I’ll do it in mark-up form so we’ll be able to tell

DR. COHN: Okay, great. Well, Gregg, thank you very much.

MR. SEPPALA: You’re welcome.

DR. COHN: I guess we were supposed to have multimedia but we’re not having
that, how would you like to proceed Alicia, do you want to move on to text
based reports?

MS. BRADFORD: Is time good? I have Linda Nugent, representing the text
based reports is Linda Nugent, she’s one of the co-leads along with Viet
Nguyen, who wasn’t able to make it today.

Agenda Item: CHI Final Reports – Text Based Reports –
Ms. Nugent

MS. NUGENT: Good morning. I’m Linda Nugent and I’m representing the text
based report. The team consisted of several very bright and knowledgeable
persons. Dr. Viet Nguyen from the VA and Dr. Timothy Mahew(?) from Indian
Health Service did most of the research and largely put this paper together and
provided the majority of the information. Dr. Howard Hayes, Alicia Bradford
also assisted us in keeping us on the road and keeping us straight and keeping
us thinking about the right kinds of things. Sandra Bailey from the VA and
Derek Wang joined us to talk about the e-authentication piece that we finally
discussed in the paper. It was not part of the original scope and we added that
later on. David Thomashock(?) and Bart Harmon from DOD.

Our domain included identifying the standards and terminologies used to
define the messaging architecture and syntax of clinical text documents.
Clinical text documents were defined as being generated by health
professionals, comprised of free text, which was primarily unstructured data.
However, in an electronic record we have the capability to utilize standards to
structure this free text and turn it into extremely useful information.

What the group determined to be within our scope was the text document
structure and syntax, the electronic signature, document section headings, and
the clinical document types and title. Because of the overlap of the domains of
the groups working on other aspects of the CHI we determined some document
components and data domains to be out of scope. These included clinical signs
and symptoms, vital signs, physical exam observations and findings, laboratory
findings, diagnoses and problems, and orders.

In preparation of a recommendation for standards adoption the CHI Text
Based Reports Subcommittee analyzed many options. These options included the
HL7 Clinical Document Architecture, CDA, the ASTM E1384-02, Guide for Content
and Structure, Continuity of Care Record, CCR, SNOMED CT, Abstract Syntax
Notation One, CEN, Portable Document Architecture, Rich Text and Rich Text
Format, XML, Extensible Mark-up Language, and HTML.

The Consolidated Health Informatics Text Based Reports Subcommittee
recommends without conditions adopting the standard for text based medical
reports of the HL7 Clinical Document Architecture, current release and
subsequent releases. Upon release of the final e-authentication policy in the
companion NIST technical guidance, the workgroup recommends that CHI reconvene
the workgroup to review the guidelines and recommend adherence to risk
assessment evaluation and application of appropriate security technology.

The Clinical Document Architecture is a standardized representation of
clinical documents, such as reports of medical history, the physical exam,
progress notes, and many others. The CDA is also a framework for exchange of
those clinical documents, it is based on a set of design principles that
include keeping the barrier to entry low while still providing a migration path
to sophisticated electronic medical records. By leveraging the use of XML the
HL7 reference information model and coded vocabularies, the CDA makes documents
both machine readable so that they are easily parsed and processed
electronically, and human readable so they can be easily retrieved and used by
the people who need them.

The combination of clear definitions and interrelations of medical terms,
such as LOINC and SNOMED, can be used to populate an HL7 CDA document using
standardized XML syntax. This will allow medical information to be transmitted
to and retrieved from any local area network or from any secure
telecommunications system connected to the world wide web. In turn this
achievement could enable a clinical to retrieve any patient’s medical chart,
laboratory and radiology reports, and other necessary information anywhere
anytime given proper security. The information represented in the standard
structured format will allow manipulation of the data to facilitate advanced
functions, including record searches, patient specific guidelines, outcomes
research, accounts receivable and others.

The consensus was that the HL7 CDA is a mature standard with valued
functionality that was widely implemented, richly expressive and flexible, and
tested. Today most major dictation vendors have HL7 CDA capability and many EHR
vendors have some degree of HL7 capability. There are a series of vendors
adopting both health care and non-health care specific XML tools for the CDA,
preeminent among them is Microsoft. Adobe is also demonstrating use of their
PDF forms generator for CDA. In the U.S. the HL7 CDA is being used by several
federal agencies, including the VA, DOD, and FDA. In addition some large
non-federal institutions have shown some degree of commitment to the CDA based
document strategy. Outside the U.S. the HL7 CDA is even more widely

A major impetus to the adoption of CDA has been the proposal for its use in
the HIPAA claims attachment and there is scheduled to be an extensive
interoperability demonstration that shows many vendors working with the CDA and
the full family of HL7 at the HIM Conference in Orlando.

Thank you.

DR. COHN: Questions, comments? Stan, did you —

DR. HUFF: Well, this is one where I have a vested interest, I need to
recuse myself.

DR. COHN: Jeff?

MR. BLAIR: This is kind of indirect but my employer is personally involved
with the CCR and therefore I feel like I need to recuse myself as well.

DR. COHN: It’s our usual situation in that anybody who has expertise in any
of these areas has to recuse themselves from the conversation.

I guess I have a question, an observation and a question or two. Steve?

DR. STEINDEL: I have a question, I don’t really think in this particular
instance either one of them has to recuse themselves, they both worked on the
development of this but really have no vested interest in it.

DR. HUFF: We have no financial interest but that’s not really the same as
not having a personal interest.

DR. STEINDEL: We all have personal.

MS. GREENBERG: The CDA is an HL7 document.

DR. STEINDEL: But Stan’s only responsibility in HL7 for instance is he’s
chair of the vocabulary and CDA is not in that area.

MS. GREENBERG: His waiver is for HL7.

DR. STEINDEL: Okay. Thank you.

MS. GREENBERG: Now in the case of Jeff I think he can comment on an HL7
activity but not on, actually I don’t think you have a waiver but I would agree
with you that continuity of care record since your employer is responsible for
that would be inappropriate for you to comment on that. In that matter I would
not have an problems with —

DR. COHN: I apologize to those testifying, as I said there’s ongoing issues
that we have in our areas of expertise, we’re typically often excluded from
making comments or asking questions.

I guess I would both observe to the subcommittee that I believe that
further investigation of CDA and CCR is actually part of the work plan for this
coming year and we probably ought to note that in whatever letter we have to
the Secretary just as sort of a statement of fact. I mean certainly I’m not
sure I have any major objection to what you’re doing but it’s more that we’re
sort of seeing that as an upcoming issue to try to figure out how all this
relates and sort of, I mean just I think a piece of our ongoing discussion
related to PMRI standards. We’re obviously thankful that you’ve sort of looked
into some of this already.

Now I guess as I look at what you’re describing and I’m, and once again I
apologize that when I see documents mentioned in your reference I have not been
as good as I probably should have been going looking at the source document.
But obviously the issue of, was it electronic signature has been only a slight
issue over the last while, that was actually part of the original HIPAA
standards, was never actually invoked into a final rule and will now become an
issue for us again as we move into the world of e-prescribing, and it’s going
to be not a small issue as we move into the world of narcotics prescribing and
other drugs that have DEA issues associated with it. now you seem to be
handling the issue by reference to the GSA OMB e-authentication policy and the
NIST FIPS publication 199, though you also reference that the NIST publication
is apparently a, actually maybe I’m confused here. Are those final documents,
are those preliminary documents? Because you’re also referencing a final
e-authentication policy and companion NIST technical guidance that’s supposed
to come out some time in the future. Can you really reference where we are with
all of that and what you’re perception is?

MS. NUGENT: Actually I can’t.

DR. COHN: Okay.

MS. BRADFORD: I don’t think they’re final documents, I think that because
we are an eGov initiative and another eGov initiative is handling the
electronic signature, and that’s a cross cutting initiative, that we have
relinquished that sub-domain to their leadership. But I think that the
documents that are referenced here are working documents, I don’t believe they
are final documents yet.

DR. COHN: Okay, I mean effectively it sounds to me like you’re sort of
taking that out of scope in other words, or at least referencing it to another

MS. BRADFORD: We’re recognizing that it’s within scope of text based
reports, that it’s out of scope of the workgroup to determine the standard and
to turf that to the other eGov initiative.

DR. COHN: Okay, well then let me just ask sort of a general question, is
that there’s, I mean if I were Kepa, which I’m not, but he is obviously very
versant and will be here this afternoon, we would probably be observing that
there’s sort of various levels of durability and appropriateness of an
e-signature standard. And obviously it’s one thing to have a, there’s actually
already federal law that relates to some of e-signatures but there’s various I
guess levels of authentication and strength of the authentication. And as we
move into actual prescribing and things like this, which are not really text
based reports but really do relate to e-signature, is this going to be a
standard or policy that’s going to have the strength to basically be able to
handle that? Or is that going to be good enough for text based reports but not
for the type of thing we’re talking about? Does anybody know?

MS. BRADFORD: We had some discussion with the gentlemen from GSA, Davis
Thomashock, that we had call into our workgroup regarding those different
levels of authentication saying that it would be, different levels were
required for different business cases and those would have to be determined
within each agency and their business needs. And that we couldn’t, no one felt
that they could put a blanket level two or level three authentication on the
text based reports depending on the content. So I just think it’s something
that’s still emerging and not quite there yet.

DR. COHN: So I guess our recommendation here of e-signatures is just a
recognition that this is really even though described in here it is really not
being addressed by this workgroup, I would think that the subcommittee, the
full committee would consider this to be a very important issue that does need
to be resolved, maybe working on it as part of e-prescribing, but there really
does need to be some resolution of this issue. I think it was deferred from the
HIPAA standards because NIST hadn’t come up with a final policy about all of
this one and it appears to continue to be an issue that’s unresolved. Or is it
going to be resolved soon and we’re just talking about that we’ve just not had
a final balloted or final approved recommendation here?

MS. BRADFORD: I would have to get back to you on the specific dates, to my
best recollection I don’t believe that it’s a final rule yet but I have seen
the documentation which I believe came out late last year.

DR. COHN: Okay. Other comments about this one? Am I the only one who’s
concerned about this one or at least ignorant about it? John Paul?

MR. HOUSTON: I don’t have any comments, I really don’t.

DR. HUFF: I don’t have anything to add, I’m very interested as you are —

DR. COHN: Well, I’m just trying to make sure I’m not completely off on this
one. Other comments or questions? Marjorie? No? Okay. Well, it sounds like we
have a couple of comments about this one as well as questions. How do others
feel? Jeff, are you able to comment about this one at all or do you have to
completely —

MR. BLAIR: I have no concerns or objections.

DR. COHN: Well, in that case is there a motion to, I guess we’ll have to
see what our comments look like as written out, yes there is a quorum, John
Paul, with you being here there is a quorum. So we can actually vote on whether
to concur with this, with the comments that we’ll further discuss, or at least
review after we’re done with the presentations. Actually Steve how far are you
with comments at this point?

DR. STEINDEL: I’ve just noted the committee would like to note that we,
this is what I put in as rough wording. The committee would like to note that
we will be further studying both the HL7 Clinical Document Architecture and the
Continuity of Care Record as part of our ongoing work. We further note that the
need for e-signatures is an important component that has been investigated by
the committee in the past and we’ll be exploring further as part of our
investigation into standards for e-prescribing over the next year. And I’ll
probably wordsmith that a little bit, that was just what I typed in now.

DR. COHN: Okay, well, is there a motion?

MR. HOUSTON: Those who haven’t recused themselves —

DR. COHN: Since I’m the chair I think you’re the only one who can —

MR. HOUSTON: I move.

DR. COHN: Concurring with the following comments.

MR. HOUSTON: That’s right, I make a motion to concur with the following

DR. COHN: Okay, I guess I’ll second it. All in favor? Jeff, are you voting?
Jeff in that case you second it. All in favor?


DR. COHN: Opposed? Abstention? Stan’s abstaining. Okay, well thank you.
Well, with that, I think we’re right at break time, why don’t we take a 15
minute break and we’ll get back together at 10:45. Thank you.

[Brief break.]

DR. COHN: Would everyone please be seated? We’re going to get started here.
I think our next topic is population health.

DR. STEINDEL: Are we going to go back to the encounter letter, Simon,
before that? Or do you want to do the other two first?

DR. COHN: Well, actually it might be a useful, given our conversations to
go back and look at the encounter letter for just a second, is that okay
Alicia? Do you have time?


DR. STEINDEL: Do you want me to introduce —

DR. COHN: Sure, Steve, why don’t you —

DR. STEINDEL: With regard to the encounter discussion that we had earlier
it was noted that the document that was presented to NCVHS did not include
specifically the minor gaps that were noted by the CHI workgroup in their
report. As was noted by them the gaps they considered were items that should be
filled but did not necessarily prevent the adoption of the standard that was

What I’ve passed out to the group is a minor modification of the report
that explicitly includes the gaps that were mentioned, and you’ll find that in
the last section under conditions. And the modification was the words noted
below just to point to the list and then the list itself, and the items that
they noted as gaps were explicit support for home health field and virtual
encounters, support for clinical services that do not meet the definition of
clinical encounter, national provider system IDs for practitioners and health
care organizations, standard location identifiers, and standard hospital
service names.

I didn’t talk with the workgroup concerning the national provider system
identifier since between the time this report was created and now the final
regulation has come out about whether we should leave that as a gap and as was
noted during that discussion while the final regulation has come out there’s
still going to be at least 18 months before the system is implemented so they
felt that this was a gap that should remain.

So Simon, I think that completes the sense of the report, and I think it
adds many of the items that we discussed at this table.

DR. COHN: What sort of comments had we, just to remind us, were there some
comments that you had or were they all related to our —

DR. STEINDEL: I think they were all related to what’s covered in these
gaps, and the main ones that we discussed around the table included the
observation that the definition for encounter that they were proposing, the HL7
definition, was week in its support for, the ASTM definition, and also I
believe the HL7 for virtual encounters because of the lack of two addresses,
etc., two locations, so there is some strengthening that needs to be done for
home health field and virtual encounters both in terms of the message and the
ASTM definition, and also the support for clinical services that do not meet
the definition of a clinical encounter as defined by ASTM, in particular I
think the clinical reports, radiology reports, pathology reports, etc.

DR. COHN: I guess that’s, is that actually listed, I guess that is sort of
stated in support for clinical services that do not meet definition of clinical
encounter. This obviously as one looks at it, the January 7th
version is obviously a little more complete then the January 6th and
it does address most of the issues. I guess the only concern that I would bring
forward might be some sort of recommendation that we might want to make that
further work in this area needs to be done, especially, and I guess I would
almost describe it as including some reconciliation between the concept of
clinical encounters and billable encounters, just because there is, obviously
these, I see that they’re actually, by the time they’re done with their larger
definition obviously begins to handle that universe, but I think there is some,
there needs to be sort of closer interaction occurring between the two
recognizing that most business cases do sort of revolve around that second
issue. And maybe we have a different better, better word then billable.

MR. BLAIR: That probably is where the gap occurred because the federal
government doesn’t necessarily have the same billing as the private sector, so
maybe that’s why they didn’t focus on that.

MS. GREENBERG: I think there’s a recognition of this being an issue and the
problem is, and again, this was something as we were discussing off-line people
have been agonizing over and trying to figure out or come to terms with for a
long time. I think my interpretation is the workgroup felt that they could use
the ASTM definition to come up with a recommendation that they felt met that
definition recognizing there were services and other types of health care
activities that would not be captured in that definition, feeling they would
get probably tied in through administrative or other processes. I think what
you said, Simon, about trying to find some kind of reconciliation between the
clinical encounter definition and billable encounters is worth saying but
easier said then done.

DR. COHN: Well, I think it’s simply for further work, and I think that they
begin to move in that direction as they talk about the future work that needs
to be done, except that they don’t really label them as conditions, more as
sort of future suggestions is what I’m sort of reading these as. So obviously I
think we accept these future activities but I think we do need to reemphasize
that this alone as it is right now doesn’t probably meet most people’s use
cases. And I think that final piece, which really is taking a hard look at this
and figuring out how it all relates in with billable and sort of reconciling
the two may really be that final step. Bob, it looks like you have a comment.

MR. HUNGATE: This question may be too far off the subject to be valid but
it’s an uncertainty that I have that you can perhaps help me with. Thinking
about the personal health record, where there will be information that the
patient is self reporting, what does that get called and how does that fit into
the structure of events in the record if you will. This is a clinical encounter
which seems to me is an event within the record of an individual, and it seems
to me that we’re talking about other things that are pertinent to that
individual that maybe don’t fit this. And so is there a class of other things
that goes parallel with the clinical encounter that there’s a list of that
cover these other contents? That’s the question.

DR. COHN: So the example you’re giving is sort of a patient directed —

MR. HUNGATE: If the personal health record takes form there’s going to be a
lot of input there, yes I did take the drug, no I didn’t take the drug, I
didn’t like it, I got this side effect, there’s going to be content that’s
germane to the clinical process for that individual.

DR. HUFF: I think the heart of this comes back to why do you want to
distinguish these clinical encounters. It’s clear why you want to distinguish
billable encounters because you want to bill for them, or you want to track at
least the financial implications of the care that was provided. I mean in our
case, speaking for IHC, all of that other, I mean there’s the electronic
medical record and things in that record, some of them represent billable
encounters, some of them by the definition that was given would represent
clinical encounters, and then there’s a lot of other data that’s just in there
that’s part of the electronic medical record. And I think maybe that comes back
into this desire that Simon expressed reconciling sort of those definitions and
asking the question is it really essential. I think the definition that was
given here was appropriate for bounding and focusing the work of saying what
terminology should be used for encounters but I’m not sure it has any real, I’d
like to understand the use case for distinguishing it otherwise within the
medical record. I think the rest of it is just data that’s important to the
health of the individual it should be part of that record.

DR. COHN: Stan, I don’t know if you’re reflecting and coming up with some
further wording for our comments or not, it seemed like you’re almost there. Do
you have something to propose that we add to the, I sort of agree with you, I’m
just not sure how to —

DR. HUFF: Well —

DR. COHN: Is this a subject for further work, additional —

DR. HUFF: I don’t know how to formulate it any, I guess what I’m saying is
that I support the work of CHI for the clinical encounter and the way they
approached the work and using the definition they did allowed them to bound the
work and determine terminologies and standards that would be used for
communicating this clinical encounter information. What’s not clear is how it
relates to billable encounters and how it relates to other things that don’t
seem to fall into the encounter at all but are clearly part of the electronic
medical record and those should be a subject for future work of the committee.

DR. COHN: Jeff?

DR. HUFF: So I’m not formulating it very well.

MR. BLAIR: If I piggyback off of your comment, Stan, about use cases, it’s
almost as if we’ve heard three and where the report was called clinical data
encounters it seems to me like maybe if it was called patient provider
encounters and then Bob Hungate’s comment is that we may have patient directed
or patient generated encounters that have yet to be well defined, and the third
one would be billable encounters, then we have three different types of
categories and maybe that would help to encompass what you’re saying as use
cases, encompass Bob Hungate’s observations, and encompass yours, Simon.

DR. COHN: I think the world of billable encounters is pretty well defined
to the HIPAA administrative transactions.

DR. HUFF: The other thing that plays into this, this is confounding more
then helping. I mean the other concept that is very useful is the idea of
episodes, which are focused around a particular disease process and that’s very
useful because then you can track the costs and the provision of care as
appropriate to that specific disease process. And that’s sort of left undefined
in all of this, too, we’ve never figured out a good way that’s not, that’s sort
of operational to do episodes right because it’s hard to figure out how to
allocate things to a particular episode. Well, it’s not actually so
intellectually hard but it’s just practically hard in terms of determinant for
every piece of information which episode it applies to.

DR. COHN: Well, though I will tell you that probably some vendors would be
happy to help you with that problem.

DR. HUFF: Yeah, I think so, seems like I’ve seen that. I mean I can see a
use case for that because it helps you track the quality and cost of care
focused around a particular disease process.

DR. COHN: Steve and then I have a comment to make also.

DR. STEINDEL: Simon, I have to in one sense put on my CHI hat right now and
we have to look back at the purpose of CHI, which is to define standards to be
used for federal interchange of health care information. And while the comments
are very appropriate concerning billing and concerning the personal health
record, this was not, billing was identified as a domain of CHI and that was
reported and it was noted that the HIPAA standards would be used for the
billing domain so I think in a sense that encompasses the billing encounter.
And the personal health record was not noted in this phase of CHI as something
that was particularly important for federal health care exchange. And when the
encounter workgroup came together they asked what is left that we should be
defining, and they looked at the clinical encounter itself as they defined it
here. I think it’s totally appropriate for NCVHS to comment in the letter about
the extension into these other areas, a note to the Secretary that NCVHS is
concerned about it. But I think to reflect it as a recommendation to CHI to
change what they were saying may not be —

DR. COHN: So basically I think we’re coming up with two recommendations for
extensions that would be of value. The part I think I’m having trouble with and
let me just be honest about it is, I think this is very good work and I
actually agree with the recommendations, the problem that I have is that I’m
not sure I agree with the fundamental definition and the way they’re
constraining the universe. And I just don’t know how that helps us at all and
that’s the part that I’m having some trouble with even in the federal health
care enterprise. And I guess I had thought, when I first heard about clinical
encounters I thought that there was really a universe of clinical encounters, I
thought nurses had clinical encounters with patients, I thought all aspects of
the health care system really had clinical encounters and that probably was
inclusive of your perspective, Bob, in terms of patients have their own
initiated encounters, and this is really I think what they’ve taken as, by the
act of taking clinical and moved it into decision making, which I think the
ASTM definition, or a direct whatever, that obviously, I mean it’s an
interesting definition, I’m just, I need to understand better the use cases
that make this a valuable definition and a valuable constraint.

DR. STEINDEL: As I understand it the ASTM definition is not constrained
just strictly to physician/patient encounter but any practitioner.

MS. BRADFORD: Social work —

DR. STEINDEL: Social work, nursing —

MS. BRADFORD: ET, OT, they’re all included.

DR. STEINDEL: That exhibits any or all of the characteristics that are
noted in the definition.

MS. BRADFORD: I believe all other then ancillary personnel, such as nurses
aides —

MR. BLAIR: Did the ASTM, it had more then one definition, the very first
one is the broader one, the second one was the one that indicated decision
making on the part of the practitioner.

DR. COHN: Okay, so let me just ask maybe again, maybe I’m missing this. As
I read this one it still doesn’t look, I mean does this include a nurse to
patient interaction in the process of care or does it exclude it, because I
guess I can’t tell.

DR. STEINDEL: It is my understanding it is supposed to include it, there
was some discussion about this at CHI Council.

MS. GREENBERG: That it was what?

DR. STEINDEL: Included, nurse/patient —

MS. GREENBERG: Nurse practitioner you’re talking about?

DR. STEINDEL: Any nurse.

MS. GREENBERG: I don’t think so, that would be excluded.

MS. BRADFORD: No. It even includes here such as social workers, anyone for
the responsibility of assessing, evaluating, treating a patient, which can be
any of those practitioners. I don’t think practitioner is limited to physician.
It’s a licensed practitioners, so not —

MS. GREENBERG: A nurse is under the supervision of the physician as opposed
to being the provider who can bill or whatever, and I hate to get into the
billing but if the nurse is under the supervision then is he or she exercising
independent judgment?

MS. BRADFORD: Nurses evaluate and formulate their own plans of care for
patients outside of a physician, so they’re included, as well as physical
therapists do the same and social workers do the same. So I think it’s limited
to licensed practitioners.

MR. HUNGATE: Just thinking about the content it seems to me that there are
two issues involved in it. One is the source of the information, because it has
a different credentialing process if it’s the physician or a social worker
probably. And the actual content, what it is. And the patient, although not a
licensed practitioner, controls more of the health process then anybody else,
so it just seems to me the source and content are both kind of wrapped up in
this definition. And I wonder.

DR. STEINDEL: Simon, would it be appropriate to say something to the effect
of, something like it is our understanding that this workgroup is recommending
that an encounter apply to a wide range of practitioner/patient episodes but we
are unclear if the definition is broad enough to cover this and recommend that
it be revisited, something like that? I mean I have to word it a little bit
more appropriately but —

MR. BLAIR: I guess in my view when, if you look at that first definition I
thought it was broad enough to include all different types of practitioners and
even added social workers, but the thing that I was thinking of is maybe the
problem is in the word clinical encounters, see that’s where I was thinking
that this is really provider/ patient encounters, and within that context I
think those definitions fit and the recommendations fit.

DR. STEINDEL: Jeff, if I may comment, I deliberately used the word when I
was trying to phrase some wording in my mind that we’re unclear on the
definition, it’s not that the definition may cover it. But actually a very
similar discussion occurred at the CHI Council level, so the CHI Council itself
had some questions about the breadth of this definition and it was viewed on
both sides of the fence as it’s being viewed here at this table on both sides
of the fence. So I think we realized that the intent of the workgroup is to
cover these encounters and we may be trapped in just some wording, and they
looked through the literature to find a definition that they could site and
chose not to make one up on their own, and this was the closest that they
found. So I think our comment back that the closest definition works maybe 90
plus percent of the time is appropriate but we have some questions about that
percent that it doesn’t fit and if we could word something in the letter that
says that I think it would be appropriate.

DR. COHN: So I’m hearing that there’s sort of three things that we’re
saying, oh I’m sorry, Marjorie.

MS. GREENBERG: Why don’t you say your three things.

DR. COHN: Well, I think the three things, one had to do with asking for
additional clarification, to make sure that it’s as wide as we’d like to see it
be. I think B, we’re asking for some reconciliation with the world and I’m
trying to think, better come up with something better then billable encounters
but I’m just trying to think of services identified under the HIPAA
administrative and financial transaction, I’m trying to think of what the right
term is but it probably —

MS. GREENBERG: I think it’s alright.

DR. COHN: Billable services?

MS. BRADFORD: There’s a billing domain workgroup for CHI which recommended
HIPAA, we could reconcile with that domain’s recommendation.

DR. COHN: That’s right, with that domain’s recommendations. And finally is
that there needs to be I guess further work around the very important area of
direct patient interaction, the patient initiated interaction is really what
we’re describing.

MS. GREENBERG: Patient generated information, is that what we’re talking

DR. COHN: Patient generated.

MR. HUNGATE: Patient initiated.

DR. COHN: Patient initiated encounters with the health care system. Is that
what —

MR. HUNGATE: Well, by entry into a personal health record you’d say this is
information about me that’s important for my medical —

MS. GREENBERG: I think it’s patient generated information because they may
not even, I mean from what you’re describing not necessarily interacting, I
mean most encounters are initiated by patients, the majority I guess are one
way or the other but this is the case of, you’re talking about a personal
record, personal record for which they have allowed some linkage to the
electronic health record, so that’s really patient generated information.

DR. COHN: Does this also include things like letters that patients send
into the doctor about their condition and all of that?

MS. GREENBERG: That would be patient generated.

DR. COHN: I mean that’s not an unusual occurrence even in the world

MR. HUNGATE: I’m presuming that a clinical encounter is reported by a
clinician and that’s a distinction from that which is self reported by an
individual, not having been reviewed by a clinician. So there are different
kinds of information in that way, I don’t know how that gets dealt with in the
standards —

DR. COHN: Or in the concept of clinical encounter.

MR. HUNGATE: And I’m not sure whether the patient unreviewed input is
called clinical in this context.

DR. COHN: Mike, do you have some wisdom here?

DR. FITZMAURICE: I don’t know if it’s wisdom, I know that we had an awfully
rough time defining an encounter and to talk about it as what’s missing, and
can we shove it into what’s missing almost begs them for a modeling of
information, what information do you need to make a decision, what information
is not in an existing set of standards adopted by CHI, and I’m not proposing
that we have CHI then take an exercise in information modeling or data modeling
but really that’s what this is getting into when you start asking what do we
not have and let’s put it in here.

It bothers me that a patient goes to get a lab test and the physician who’s
the head of the laboratory reports it someplace, that it may not be an
encounter, I tend to think of encounters as if I’m an HMO what do I want in an
encounter because I get paid not on the basis of the same billable units as the
fee for service insurance, and so do I want something in there that has the
same effect as an electronic medical record, you want something in there that
defines some discreet units that I can count up and serve as fodder for HEDIS
measures or other quality measures. And then it gets back to, it’s information
modeling and then it gets back to Stan, well what is the use case, what are we
going to use it for and here’s a place to put the information in there that
we’ll need. So I can think of supply and quality measures, I can think of
pseudo billing so you can justify maybe a payment from a health plan or a
Medicare when you don’t have bills.

It’s not wisdom but it’s a way of looking at it in a modeling that, it’s
leading us in that direction and I guess I would propose that we give some kind
of overview thing, and this is an attempt to put information that might not be
gathered elsewhere that is not complete, it doesn’t have some of the laboratory
information, it’s not a clinical patient encounter at that time.

DR. COHN: Well, I think we should observe that the X-12 837 is actually
just not for billable transactions, it’s also actually in the definition, it’s
also indicated as for encounters such as you’re describing, I mean whether it
fulfills that purpose completely is another topic but that was certainly how
it’s defined. So what do we do with all of this?

DR. HUFF: Here’s one more chance, one more thought. So I would say that I
agree with the scope and recommendations that the committee has made relative
to clinical encounter but that we not use that definition as a guide as to what
should be included in the electronic medical record.

DR. COHN: Or transferred.

DR. HUFF: Or transferred or whatever.

DR. COHN: Or exchanged.

DR. HUFF: The idea being that again, I think it’s appropriate within their
scope to say for purposes of defining the set of terminologies and transactions
that we need relative to encounters their definition is appropriate, but that
we not use that definition in trying to exclude data from the electronic
medical record simply because it doesn’t fall into the definition of this
clinical encounter as it was used by the subcommittee.

MS. GREENBERG: And they would agree I’m sure fully.

DR. COHN: I feel sorry for Steve trying to put all this together.

DR. HUFF: I don’t think we want to use this definition, basically we don’t
want to use this as a reason to exclude any data that should be included in the
electronic medical record.

DR. COHN: And I think that that’s really the conversations that we’re all
having sort of fall into that issue of this clearly is not the universe and I
think we’re all observing that for all the many reasons.

DR. COHN: We could go on to say specifically we expect to include patient
generated data but I think it’s not only patient generated data but there are
other things that could be noted by family members or by health care providers
that wouldn’t, I mean if they observe a fall, there’s just a lot of things it
seems like wouldn’t fall under this definition but would be information you
would want in the electronic medical record.

DR. COHN: Steve, how are you doing with this as we give you all sorts of
good advice on, you all thought we’d have more then enough time to do all the
work that we needed to do.

DR. STEINDEL: Simon, if you’d like me to read what I’ve captured at this
point in time I’m going to skip the first sentence, which presumes a vote that
we haven’t had yet, but then the expansion part. We note that some
clarification is needed regarding the scope of the definition for encounters.
It is our understanding CHI intends for the definition of encounter to refer
broadly to all types of practitioners interacting with a patient. We feel the
definition encompasses all encounters between practitioners and patients, there
should be a while in there, we feel while the definition in some explicit
clarification may be in order. While not possibly within the scope of CHI we
note the standard proposed might not apply to patient provided data as might
exist in a personal health record. We finally note that the scope of this CHI
workgroup was narrowly defined and that encounters as would be observed broadly
in health care or as might be enumerated in an electronic health record is
broader. I have to do some wordsmithing still but I think that captures the
thoughts that I was hearing around the table.

DR. COHN: Stan, does that, I think that’s actually pretty good.

DR. HUFF: Yeah, I think that —

DR. STEINDEL: Adding the wordsmithing.

DR. COHN: Yeah, the wordsmithing. Does anybody have any additional
comments? I think that really sort of captures —

DR. HUFF: If you had longer I think you could say it in shorter but that’s

DR. COHN: Okay, well I think we’re all nodding our heads, which is a good
sign. Do we want to see this, we probably ought to let Steve do final
wordsmithing and then we can reread it but I’m sensing that this is sort of the
sense of the subcommittee on this one and we’ll, review it when we’re done with
the next two items I think and then we can sort of reflect back.

DR. STEINDEL: Simon, we need closure on a vote.

DR. COHN: Oh, on this one?

DR. STEINDEL: My recommendation there is that we concur with the
recommendation of clinical encounters as modified.

DR. COHN: With the following, well isn’t as modified but the following —

DR. STEINDEL: The observations are separate, we’ve actually made a slight
modification in the document. The way we’ve been handling this previously is
that we edit the gaps.

DR. COHN: Okay, I’m sorry, I thought this was consistent with the 1/7
version but I guess this is not the —

DR. STEINDEL: Well, I’ll let them worry, we’ll just say as modified.

DR. COHN: Oh, as modified, fine, okay, does somebody want to move that with
the following comments? With the comments as described simply to further
wordsmithing, Jeff?

MR. BLAIR: I move that we accept that language.

DR. COHN: Second? Stan? Other comments? All in favor?


DR. COHN: Opposed? Abstentions? Okay, Alicia, thank you. I think we’re on
to population health, that’s Steve, we’re asking you to multi-task.

MS. BRADFORD: The next two that we have are both led by Steve, population
health and chemicals.

MR. BLAIR: Do you want to hold one hat while you wear the other?

Agenda Item: CHI Final Reports – Population Health –
Dr. Steindel

DR. STEINDEL: Thank you, rapidly changing hats. Population health, this
workgroup has had a long history, it was one of the first workgroups that was
formed and it was one of the last workgroups that actually started to work. It
was identified by CHI Council as a very important workgroup and as it was
discussed in the early stages we realized that population health reporting
encompasses a large number of areas that might be defined by other CHI domains
that hadn’t produced reports at that time. It was decided at that time to defer
this workgroup until those reports started at least providing some information
in draft format if not final format.

As that material came in in the fall we realized that we were seeing an
intellectual gap starting to exist between what was going on in population
health and what was coming in in the area of clinical reporting standards.
There was a lot of discussion at the CHI Council level about what to do with
this workgroup and what form the report should take. After much discussion it
was decided that the workgroup for population health reporting would not
recommend any or a specific standard, and the report that I’ll be giving
reflects that basic thought.

We had, Alicia if you can go back to the first one, the workgroup itself
was made up of numerous members, most of the team that participated in the
formation of the workgroup is noted in the slide were from various HHS agencies
since most of population health reporting comes from the HHS agencies. There
were comments from DOD on the report.

I reviewed most of this material about what population health data is, and
we were looking at it as a domain that might be dependent on other standards
but also using what’s existing today. If we can go to the next slide, this is
the approach that we took creating this report. The first was that we could not
produce a specific recommendation, that we decided to produce a recommendation
that could be used as a basis for future work in this area, and the first step
that we did was to ask the various HHS agencies to produce a rough list of the
population health statistics reports their agencies produce and what standards
that are being reflected in the clinical environment that might exist in those

The report specifically excluded those population health reports that did
not use any of the standards that were being recommended in other areas and I
need to point out especially with respect to CDC that a lot of the material
that does exist in this report is based on older data since that was all that
we had our hands on and some of this is in a state of flux. So this was used to
put together the recommendations.

The scope of this domain included public health reporting, which includes
surveillance information, etc., population health statistics, which includes
such things as vital health statistics, etc. It excluded billing data and
statistics related to that as it was covered under another CHI domain. And
finally we did note that institutions tend to keep these types of statistics as
well, however, the CHI domain would not encompass that but we did suggest that
if institutional statistics were being kept that they use standards that are
similar to what’s being used for the external statistics just as noted.

Alternatives identified and this was based in part on the list we put
together from the various HHS agencies. These lists in just part of the
standard terminologies that are being found in population health reports that
exist today. If you take a look at it you can see that it is a wide range of
classifications and terminologies, and it would be difficult to make any type
of specific recommendation at this time based on this.

Our findings were that the current terminologies are numerous, they’re not
coordinated among the various agencies, the list contains recent population
health reporting systems used by HHS and that contain one or more standard
terminologies, and this list is provided as part of the report, it’s
approximately a ten page list, it is not complete by any means. The list found
some HHS population health reporting systems today that are widely used and
widely noted such as the National Disease Surveillance System from CDC that are
not on the list, and the reason it’s not on the list is because at the time the
list was created in 1997, which was the data I used to put it together, the
National Notifiable Disease Surveillance System only used its internal codes.
Today we are making a move at CDC to convert that over to SNOMED codes and we
are in the process of doing it, but actually if I produced that list today I
still would include it because that conversion is not complete. So you can get
a sense of the extent of standard coding systems that are currently being used
for population health reporting systems.

So if we can go on to the, well, we also observed, however, that today many
of the reporting systems that are being used to gather population health
statistics are covering domains that have been noted by other CHI workgroups.
For instance, in infectious disease reporting we tend to use laboratory results
and CHI has made recommendations for both laboratory test names and laboratory
test results that have been adopted. And we note that where the domain is
equivalent that that domain can be used for population health reporting. So we
didn’t feel that we needed to re-enumerate those but just make that broad
statement, so for instance CDC has a very active program now trying to convert
the nation’s laboratories into using LOINC and SNOMED codes, which are the two
domains that have been recommended by CHI for public health reporting and that
is within the scope of the notes that we took for the population health

We note that the list that we provided we acknowledge is incomplete, we
acknowledge that we have no idea beyond this list of the extent of the
population health reports that are being produced or what terminologies are
being used. I will note that the Data Council of HHS has created a list that is
assumed to be complete of all the population health reporting statistics that
are being generated within HHS and a website exists that allows access to those
reports. However that specific report that was created by the Data Council does
not go down into the data domains that are used or the terminologies used in
that area, so our recommendation is still complete, that we do make an
exhaustive survey of the population health reports now being produced by the
federal government and the various terminologies that are being used in those
reports so we can relate those to what’s going on clinically and we do have
that inventory and we’ve suggested that this task be assigned to NCHS because
they are the designated the national health statistics agency.

The next part of our report involves something that we noted and that is
that there is a transition in effect right now and that is the movement to the
use of clinical data for the generation of population health statistics. And I
noted that for example in infectious disease reporting we are already starting
to make that move. However, many of the population health statistics are
reported using already existing classification systems, etc., that are not
widely used clinically and today there is a human translation of this clinical
information into the codes that are being reported for population health. In
the future we are presuming that that transition will occur electronically,
possibly using maps, possibly using other means, but there will be an
electronic transition.

We have no idea how —

MR. BLAIR: Transition or translation?

DR. STEINDEL: Transition and translation, I think both words are
appropriate, Jeff, thank you. We have no idea of how this new data derived from
clinical data will track longitudinally with preexisting data and of course as
we’re well aware longitudinal data is very important in population health
statistics and we think some investigation should be done as to make
recommendations for this transition.

We also note that at least for a time, and that time might possibly exist
forever, there will be a dual system that exists between the electronic
translation of clinical data into population health statistics data and human
translation of this data into population health statistics data. And while we
say for a time, obviously if everyone is using electronic health records we
hope that it will always be done electronically but we presume that at least
there will be a time gap before that occurs and that time gap may exist in
isolated areas where human translation will always exist. And there have been
studies that have shown that humans can tend to be subjective and machines tend
to be very objective and we need to know if there’s going to be any difference
in how we can make decisions based on these changes. And we suggest that an
authoritative body look into this. And those are basically our recommendations
for two future studies in this area.

Are there any questions, comments?

DR. HUFF: Maybe you could address, do you see for instance data that is
contributed or passed to either cancer registries or disease registries to be
in scope of this particular recommendation?

DR. STEINDEL: It is our notation that data that’s generally passed to
specific disease registries, for instance cancer registries, etc., what we tend
to have passed into those domains actually is the clinical data, the tumor
diagnoses for instance, the anatomical location of the tumor, etc. And those
recommendations have been covered by other CHI domains and we feel that those
recommendations are appropriate.

Now what we don’t know in the future is the reports coming out of the
registries, sometimes they’re translated into classification systems and
sometimes they are not, and so it’s that next step that we feel a little bit of
the cloudiness occurs. But the data going into the registries we feel will be
clinical data, it is clinical data today.

DR. COHN: I actually sort of think the recommendations are a reasonable one
what you’re describing, I did have the same question that Stan had about
whether we should be observing good work, for example at the immunization, HL7
immunization standard and all that and whether that was something to
acknowledge, or the work going on by the NCHS related to developing an
implementation guide for the 837 that relates to public health —

MS. GREENBERG: Discharge data?

DR. COHN: Is that what it is specifically? I was actually thinking more of
the work that you’ve done with the data, the consortium —

MS. GREENBERG: The guides for health care services?

DR. COHN: Exactly, about whether any of that are things that we should not
but it seems like it’s sort of out of scope from what you’re describing.

DR. STEINDEL: We actually noted that as being out of scope for this
particular workgroup because it’s using billing data.

DR. COHN: Okay, well I guess we won’t say nice things about that, it’s
always nice to say nice things about things but I guess we’ll be reflecting
that in the HIPAA report instead. I guess the one thought I had as I was
listening to this is that this sort of work almost sounds like the next step
for the 21st century statistics vision. Is that —

DR. STEINDEL: I think that that’s an accurate reflection.

DR. COHN: I don’t know if there is a next phase of work of all of that but
it just feels like this is really sort of how we’re talking about sort of
clinical data meet future statistical systems and how does this all really play

DR. STEINDEL: Well, Simon, I didn’t specifically, if we look at the last
slide and the last bullet it says specifically it is recommended that the
NCVHS, the Board of Scientific Counselors of the NCHS, and the National Library
of Medicine would participate in these studies. That is reflected in the

DR. COHN: Well, do we have any comments? Do we just want to concur?

DR. STEINDEL: Please, just do that, so I don’t have to do any wordsmithing.

MR. BLAIR: I move that we concur with these recommendations so that Steve
doesn’t have to do any wordsmithing. No, no, I move that we concur, as is.

DR. COHN: Other comments? John Paul, do you want to second?

MR. HUNGATE: I will second.

DR. COHN: Further discussion, Mike?

DR. FITZMAURICE: Just a question, Steve, you mentioned two studies, which
of those bullets refer to the two studies, the first bullet and the —

DR. STEINDEL: The first study is the compilation of the population health
statistics reports that are being done, and the second study is the future
relationship of the clinical data to population health data. Those are the two

DR. FITZMAURICE: You might want to make it clearer in the recommendation.

DR. STEINDEL: Actually it’s clearer in the report then it is in the slides.

DR. COHN: Any further comment, questions? All in favor?


DR. COHN: Opposed? Abstentions? Okay. Steve, you’re on to chemicals.

Agenda Item: CHI Final Reports – Chemicals – Dr.

DR. STEINDEL: Okay. Now the chemical domain, this was interesting from
somewhat of a personal point of view because most of the years at CDC and I
would say essentially all the work, almost all the work I have done at CDC, I
have never acted as a chemist, which is what my degree is in, and this is the
first time I think I’ve actually put on my chemical hat —

DR. FITZMAURICE: Well, you had been a catalyst haven’t you, Steve?

DR. STEINDEL: So it was nice to be involved in something that was chemical
for a change. But this was a very limited domain, if we can go to the next
slide we’ll take a look at the people that were involved. I was the team lead,
we had Bill Hess working on the report from FDA, John Harmon from EPA, and Dick
Nemeyer(?) from NIOSH at CDC, our National Institute for Occupational Safety
and Health, primarily because of his interest in toxicology.

The domain was specifically stated to be chemicals of importance to health
care outside of medications. We have already made a recommendation for the
terminology to be used to list drugs and medications, so this is the other

We had a lot of discussion about where these chemicals might appear and how
would they be used and it was our feeling that most of these chemicals when
they would appear in a health record would be chemicals that were found in the
work place or the environment that contribute to a patient’s health. So we felt
that generally speaking these chemicals would not appear widely in a health
record of any kind and if they did they generally would appear as part of the
first encounter with the patient and as part of the history and physical, but
they would not be widely used.

MR. BLAIR: Steve, you said they would contribute to a patient’s health, so
you’re say positively only? I thought it was both —

DR. STEINDEL: Both, both.

MR. BLAIR: — negative —

DR. STEINDEL: Any aspect of the patient’s health. So we looked at this as
non-medical chemicals were in scope and as I mentioned the drugs, etc., were
out of scope.

We looked at, originally this was focused as just a confirmation domain
because we were aware of many lists of chemicals that are out there. There are
literally thousands of chemical lists that are available on the internet for
people to use. SNOMED CT has a list of about 16,000 odd chemicals. Our feeling
and the feeling of the drug group when they looked at SNOMED CT is that SNOMED
CT was a reactive list. When something appeared in the medical literature it
would then appear in SNOMED. What we were looking for was a more proactive list
where the list of chemicals would appear before somebody encountered it, and so
it could be used, so we felt that SNOMED was not appropriate for this.

There is a very good list of these types of chemicals that exist, the
registry of toxic effects of chemical substances, that until about a couple of
years ago was maintained by CDC’s NIOSH division and contains roughly 150,000
toxic chemicals and the impact of those toxic chemicals. We would have really
liked to recommend this list but a couple of years ago NIOSH decided that it
could not afford to maintain this list and released, and signed an agreement
with an outside vendor and consequently this list is no longer available in
public domain and has a license fee associated with it. We did not get a firm
feel for what the license fee would be but it’s approximately on the order of
$250.00 a user, so we felt that that would be prohibitive.

There is a widely used list, it has I think about 23 million chemicals
listed that’s maintained by the Chemical Abstract Service, a division of the
American Chemical Society, it is considered to be the list of chemicals. The
problem is that it also encompasses a license fee and it is allowed to be used
without licensure for regulatory purposes, the Chemical Abstract Service does
allow that, so consequently you see Chemical Abstract Service numbers widely
appearing in other lists because those lists are used for regulatory purposes.
We have talked with the Chemical Abstract Service and we are both in agreement
that using these for medical purposes does not constitute regulatory use so
consequently the CAS numbers were not considered appropriate for this domain.

After looking broadly the EPA maintains a list of approximately 80,000
regulatory chemicals as part of their substance registry system. This list is
available in the public domain, it’s maintained by the government, and we felt
that this EPA list would serve as our recommendation for chemicals. The EPA
list as you might gather is very complete with respect to those chemicals of
environmental importance. It is not complete with respect to those chemicals of
toxicological importance and we have discussed this with the EPA and given
adequate resources they are willing to expand that list to encompass those

We have also noted that the EPA list is not distributed completely. Now
people who want to get information from the EPA list can query the list for
specific chemicals or specific sets of chemicals as defined by EPA regulatory
domains. This would not be adequate for medical purposes, the EPA is willing to
make a subset of that list available for chemical purposes as a download from
their database should this be selected as a government standard for that.

There are some minor other things, like for instance if we do accept this
as a government standard we would have to develop an object identifier for use
in HL7 messaging, and I think that about covers the conditions and gaps. But
these were noted as conditions and gaps that were critical, that we could not
start using the standard until they were filled. Since these do require some
resource allocations from EPA, EPA is not going to start filling these gaps
until there is some specific recommendation that resources be assigned and
negotiations occur to find where these resources should come from.

There were some non-critical gaps, the first one is one that EPA itself has
identified and is working on it concerning synonyms and how they’re used in the
SRS, and also the introduction of a common exchange file format. Presently the
list is available for download as a comma or tab delaminate file of EPA defined
structure. There are known chemical file structures that have been defined,
I’ve listed two of them, the MDL Mole(?) Files or the Chemical XML structure,
both of which are widely used, established, and EPA has made an internal
commitment to investigate and to use these structures so we think progress is
being made here.

And those conclude the chemical recommendations, I’m open to questions.

DR. COHN: Jeff?

MR. BLAIR: Steve, could you explain what you mean by an object identifier
that you’d have to create?

DR. STEINDEL: An object identifier is used by HL7, it’s an ISO standard
identifier that uniquely identifies where the terminology comes from. So if we
did use the EPA SRS table it would have to be assigned a unique object
identifier so that whenever we gave it in messaging it would have this long
number and all these people who memorize these object identifiers would just
take a look at the long number and say oh, that’s the EPA SRS.

One reason it’s actually listed there is because I’ve had discussions with
EPA, there’s two ways an object identifier can be assigned, an external body
can assign it or EPA can assign one internally if they decide to establish an
object identifier structure. And CDC has decided to do that and that’s the way
we assign our object identifiers, and I’ve talked with EPA and told them that
this would probably be a good route for them to go. So before one is assigned
we just have to work that out internally.

DR. COHN: Stan, why don’t you go and then I’ll —

DR. HUFF: A couple questions, one, did you actually try and negotiate with
the CAS guys or did you just —


DR. HUFF: So you explained to them that we’d like to use their number and
if they wouldn’t let us use it for free we would do something else and they
said go ahead basically?

DR. STEINDEL: Yes, I have a letter from CAS.

DR. HUFF: Second question —

DR. STEINDEL: Stan, just to elaborate on that, actually the National
Library of Medicine went through a similar exercise a few years ago with the
same response.

DR. HUFF: That was my second question is what’s the coverage of these kind
of chemicals in either MeSH or the metathesaurus?

DR. STEINDEL: MeSH and the metathesaurus, the coverage in those areas is
roughly the same as SNOMED and the coverage in it is complete from a reactive
sense meaning that if a report appears in the literature MeSH will pick up the

DR. COHN: Steve, I think I have a similar question to Stan’s first one but
related to RTEC, did a similar discussion occur with them in terms of —

DR. STEINDEL: The actual discussion occurred when NIOSH made the changeover
to RTEC.

DR. COHN: I guess it really does point out that the government ought to try
to coordinate their activity and centralize their databases as opposed to
having significant redundancies —

DR. STEINDEL: I actually think if there was something such as CHI going on
two or three years ago when NIOSH made this decision internally, since NIOSH is
part of CDC, we probably would have recognized the problem of doing this in the
future and we would have kept it.

DR. COHN: Jeff?

MR. BLAIR: I understand that the scope of this workgroup for chemicals is
external to drugs and medications. However, is there a possibility of any
difficulties if the coding structure for these chemicals is different then the
coding structure that the FDA is putting forth for ingredients in drugs and it
might be the same chemical? Supposedly we’re trying to say that these are going
to be considered separately but what thoughts are there about inconsistencies?

DR. STEINDEL: The FDA and EPA have already started discussion on
eliminating any inconsistencies that might appear. We do note that there
probably is very limited overlap between the two lists, if any overlap, just
because the environmental chemicals are generally not drugs, so we don’t know
what the extent of the overlap is but we think it’s very, very limited. But I
think as you might recall that there was an EPA representative and an FDA
representative on the workgroup and both of them without any real prompting
noted the synergy between the two lists of chemicals maintained and there is
discussion to harmonize those two lists.

MR. HOUSTON: Wouldn’t there be chemicals such as used with animals and
otherwise in essence be the same compound, I’m sorry, I was just saying that I
think in agriculture there would be a fair number of chemicals that might
overlap because they would be used both with animals as well as in humans.

DR. STEINDEL: I think what we have here is we have two types of
agricultural chemicals and those, the agricultural chemicals used for the
production of food products, be they fertilizers or pesticides. A lot of those
are already, are regulated by EPA and are on the EPA list from that point of
view. And then there’s the other set of chemicals that are used to augment
animal growth, like for antibiotics and stuff like that, and those are
generally considered to be drugs and FDA usually has those in the list. We
don’t have any veterinarians present but I think there are very few veterinary
medicine that would be just existent in the veterinary world, and they probably
are for reptiles or something like that that might have different types of
metabolism then mammals.

DR. COHN: Bob?

MR. HUNGATE: Another question related to the personal health record part of
it. A lot of alternative medicine that’s going around, and I’ll bet that a lot
of the things listed in these lists are in alternative medicines.

MR. BLAIR: Do you want to speak into the microphone?

MR. HUNGATE: I was trying to but I guess I wasn’t close enough. So I don’t
know whether the reporting mechanism you’ve talked about here is history and
physical, but I think it might also be personal health record if this
information gets translated through products that its in in ways that
individuals understand it. And I don’t know how that gets done or how it fits
but it seems to me like it’s a piece of it.

DR. STEINDEL: I think we had some discussion regarding alternative medicine
when we spoke about the list for drugs and I think there is still a lot of flux
going on within the FDA structure about how to handle the whole area of
alternative medicine when they start thinking about changes to the NDC codes,
where there are now non, a lot of NDC codes for these types of products that
are not considered to be in the domain of the FDA, and I think we’re going to
see some codification in that area. Now that’s one answer. A second answer is I
think your observation is quite correct and I think a lot of these alternative
medicines were covered in the RTEC list but are not covered in the EPA list and
we do note that the RTEC list needs to, at least a large portion of it, appear
in the EPA list but will not do so unless resources are allocated to do that.

MR. HUNGATE: Well, my suspicion is that people are going to put stuff in
their mouth and in their body without FDA’s control of that process, but
medically it’s going to be there and there ought to be a good way of keeping
track and knowing what it is.

DR. COHN: Carol?

DR. BICKFORD: Carol Bickford, American Nurses Association. When you’re
talking about chemicals that are not related to medicine how did you crosswalk
that to laboratory toxicology studies, for example, carbon monoxide?

DR. STEINDEL: That actually would be within the domain of this group.

DR. BICKFORD: But was there an actual crosswalk —

DR. STEINDEL: Not as a specific exercise because most of the people who
were involved with the workgroup were familiar with it, like the person from
NIOSH, his expertise is toxicology, I’m a clinical chemist for instance and
have done that crosswalk mentally many times.

DR. COHN: Steve, final question about the SRS, is there, I mean in many of
these terminologies, some of them have no structure, others have structure, is
this a structure terminology or how does it —

DR. STEINDEL: Yes, it’s a very —

DR. COHN: It’s a well structured —

DR. STEINDEL: It’s a well structured terminology within the domain that
they’re working.

DR. COHN: That’s what I mean, you can identify siblings and, I mean unique
identifiers and you can identify closely related other substances that are
similar and all that, as opposed to a flat file.


DR. COHN: Okay, good. Other comments, questions? I don’t think we’ve solved
everything, clearly this is an area that’s going to require mapping to
everything else and I guess would be incorporated into the metathesaurus?

DR. STEINDEL: It is our intent that eventually it will be incorporated into
the metathesaurus.

DR. COHN: Okay, so that would ensure mapping with SNOMED, with other, the
various drugs and everything else.

DR. STEINDEL: There is a commitment from the National Library to make sure
that all the CHI recommendations are in the metathesaurus. Putting on my
workgroup chair hat what I would like from NCVHS if they do concur with this
recommendation is that in the letter we do make an explicit statement about the
need for resources for EPA to fulfill the use of this, we’ll word it

DR. COHN: Okay, comments? — but also I presume that the NLM has funds to
make sure this is in —

DR. STEINDEL: We’re not sure where the funds would, I don’t think it’s our,
the NCVHS’s domain to decide where the, we just note that —

DR. COHN: Funds are needed.

DR. STEINDEL: It’s my understanding that EPA might be able to provide its
own funds for this from a reallocation point of view if they were told it was a
mission but they’re not going to do it unless they’re told it’s a mission. I
think the actual funds that are required to add the new toxicological
terminologies the way it was described to me is they have a consulting chemist
that validates that there’s no duplication, etc., with existing structures in
the tables and it would be basically contract work with him.

DR. COHN: It seems like there’s two pieces, one is the expansion of the
terminology, the other is the integration into the UMLS, but of course that
second one is true of everything we’ve been describing so far, all the

Well, I think we are basically supportive of that, is there any, we’re
obviously concurring I think with the recommendation that resources are going
to be needed, we’re probably making a sort of a reminder that applies to all of
these and I guess we’ve, are we doing 15 or 14 domains this time, that
obviously to help this all happen there needs to be adequate resources to
support the integration and mapping.

Anything else? Do we have a motion then?

DR. HUFF: I move we concur with this recommendation.

DR. COHN: With the additional comments.

MR. BLAIR: Appropriate resources. And I second it.

DR. COHN: Further comments, discussion? All in favor?


DR. COHN: Opposed? Abstentions? Okay, that’s passed.

Now I will tell you it’s 12:25 and I think everyone has a well deserved
time for some lunch. Why don’t we take an hour now, when you come back my
understanding is is that we have three presenters, testifiers relating to
security. I guess the hope would be is assuming they’re all here by 1:30 that
maybe we can do a single panel rather then having two separate panels on the
discussion, and maybe at the end of that if it’s okay with everyone what we’ll
do is to take a look at the letter as it is now. I guess there are a couple of
questions that were, reflecting on what we passed back in December, what we’re
looking at now, I think there were a couple of outstanding questions, I don’t
know if Alicia is going to be around or maybe she can supply any answers to
Steve so as we sort of look at them, how we need to revise certain parts of the
letter but just make sure that we’re comfortable with it for taking it to the
full committee on Thursday.

DR. STEINDEL: Simon, in the draft of the letter that I have I have only one
outstanding question that we asked to be revisited, and that concerned the
licensure terms for the recommendations in genes and proteins.

MS. BRADFORD: And that has been clarified and it is free, the human genome
nomenclature is free and the website has been updated to reflect that.

DR. COHN: Okay, well good, so we can resolve that one issue.

DR. STEINDEL: So I can just take that out.

DR. COHN: Any other issues, comments, concerns at this point? Okay, so we
will break then until 1:30 and thank you all.

[Whereupon at 12:20 p.m. the meeting was recessed, to reconvene at 1:30
p.m., the same afternoon, January 27, 2004.]

N S E S S I O N [1:40

DR. COHN: Okay, we’re going to get started here in just a second if
everyone would please be seated. As I commented during the morning’s
introduction obviously the security issue is, security rule is one of the more
important issues that obviously we will be tracking. This is the first session
knowing that we’re getting close to a year into the implementation for us to
sort of talk to key players in the industry to see where we are and see what
issues may be ongoing here. But I think the reality is is that this will be an
issue that we’ll be hearing from you and others as we go along and the actual
implementation adoption date gets a little closer.

Now I want to thank John Paul Houston again for helping put this together,
and I was actually going to ask if you would like to make a couple of
introductory comments, sort of give you the gavel to sort of facilitate this

MR. HOUSTON: Certainly, I’d be more then happy to do that. I think as Simon
indicated we’re almost a year through the compliance period for the security
rule and we really hadn’t, I guess because of the other HIPAA rules hadn’t
really spent much time focusing on security rule and I think probably most
people in the industry hadn’t either. I think privacy was a great time sync and
I think then the transaction standards themselves really took a lot of effort
and I think what ended up is people I think both mentally as well as
financially sort of deferred the security rule. And now I think we’re at the
point now where we have to start to worry about it. And we haven’t really heard
much yet from the industry as to what are the problems with the security rule
and I’m sure there are problems, but we weren’t sure, we hadn’t heard anything,
it really isn’t, if you go out and read today about HIPAA you’re going to see a
lot about privacy, a lot about transaction standards, and I don’t think, I
don’t read really nearly as much about issues with the security rule.

And for that reason we really thought it was important to maybe get some
testimony, get some feedback now, as to where, if there are potential problems,
maybe there aren’t, but if there are what are they and try to formulate some
recommendations if there are issues so that there is some time to respond prior
to the compliance deadline. Again, sort of like what happened with privacy. So
again, today was really intended in my mind, and I think Simon’s, too, to be
sort of an open ended what do you think, what are your general thoughts, sort
of pulse taking as to what, if there are issues with the security rule or what
can be improved upon or maybe it’s all glowing comments about security although
I doubt that having read the testimony. So that really was the intent.

With that said how did you want to —

DR. COHN: Well, why don’t we ask each of our presenters to introduce
themselves and then we’ll start off with John since he obviously is the first
one on the agenda, but John would you like to start off with just an

MR. TRAVIS: My name is John Travis, I’m with Cerner Corporation, Kansas
City, with Cerner I oversee our development efforts in the area of what we
might call information, security, and privacy. I’ve worked with our client base
in trying to prepare for both the privacy and security rules and spend half my
time serving in consultive roles as much as development roles towards that end.

DR. COHN: Well, thank you, we obviously realize it’s not the easiest thing
today getting in so we appreciate your participation.

MS. SCHULMAN: I’m Roslyne Schulman with the American Hospital Association,
I’m a senior associate director for policy development and HIPAA security among
a variety of other things is on my plate.

DR. COHN: Are you from Chicago or here?

MS. SCHULMAN: No, I’m from the D.C. office.

DR. COHN: Oh, good, I know that wasn’t easy either but thank you. Tom?

MR. WILDER: My name is Tom Wilder, I’m with AAHP/HIAA, I’m vice president
for private market regulation and I’m responsible for helping our members deal
with federal regulatory issues including HIPAA implementation.

DR. COHN: Tom, thanks for joining us. John, would you like to start out?

Agenda Item: Security Rule Implementation Issues – Mr.

MR. TRAVIS: First of all I think we may represent a little bit of a unique
perspective because we come from the particular aspect of being a health care
information system supplier, vendor to the industry, to the provider side of
the industry, so our interaction is as one who experiences trying to help a lot
of organizations work through compliance issues and trying to take a read of
the market basket. So my remarks are going to be kind of from that perspective.

Cerner has around 1,000 provider clients in the U.S., also quite a few in
international markets, so we get to see on the balance how does HIPAA stack up
against other jurisdictions, especially the European Community in the Pacific
Rim. I want to start off a little bit by talking about what we see as the
current state, which is really a fact of life for a lot of our clients. Most
provider organizations right now are making do with a significant inventory of
legacy systems and that really is their starting point. And they’re also trying
to take a more strategic or enterprise view of security as something to deal
with across their organization, I think a lot of the tone of what I’ll speak to
hits upon the tension that comes between becoming compliant and making
improvement toward that end.

So there’s several observations I would make. First, each system vendor in
clinical IT has tended to solve security in their own way, so they’re self
contained, they historically have not had to worry about anybody but
themselves, they develop their own security architectures and they wind up
especially in a best of breed scenario being structured that way. And so a few
vendors have prepared their systems to really support dealing with security at
an enterprise level, so you don’t see a lot of collaboration or a lot of
specialization in health care around enterprise security.

And then there has been a lack of security standards development, maybe
more so guidance and adoption of standards in health care to govern really
trying to take an enterprise focus, sharing information between systems about
security policies and standardizing health care roles and I’ll speak to a
number of those.

And then I think even a very few provider organizations have really maybe
because of the lack of capability or the lack of focus looked at security as an
enterprise problem to be solved. So they start out their compliance programs
really with an extensive legacy system inventory, non-standard security
implementations, and then trying to assess and see where they are and where
they can make progress.

So when they come to making decisions they have really two main choices,
they can try to work with existing systems and put their faith in vendors
getting up to snuff, or, and it’s probably not a pure or, it’s an and/or, they
can try to improve their capabilities by investing in enterprise wide
technologies or administrative solutions that can reduce their costs. If
they’re taking that latter course they may have to plan for a long project plan
horizon, not just strictly their compliance plan but probably more looking at
the quality improvement for getting individual vendor solutions replaced over
time, for getting other solutions upgraded, and then trying to deal with the
mandatory requirements of the security rule in the short run, so they can’t
ignore that but I think a lot of them are struggling right now trying to figure
out which way do we go with this so that we’re not revisiting the security
issues three, four years down the line. Is the right opportunity because we
have a compliance imperative that could help drive our organization.

And I think administratively speaking providers are often for the first
time perhaps defining formal security policies, they went through the
experience of the privacy rule with minimum necessary guidelines and privacy
practices, and this is a similar exercise for them with security policies
around need to know and relating need to know to job rules. So there’s a number
of challenges for implementation and compliance and I’d really characterize the
first one as being that matter of policy definition, that they have clear
definition of policies and procedures that guide health security then can be
set up in their systems.

I think that having well defined roles will help them in their assessment
process, help them in defining what clinicians and staff can see and do in
systems, because that’s really where the rub of it is. Unfortunately for most
organizations defining roles and systems was probably done by department system
managers, line management at mid and low levels in the organization as they
implemented systems that in some cases could be ten to 20 years old, so the
changes or the guarantee that a role in one system has any validity for a role
in another system would be almost by accident. And in fairness there’s only
recently been standards based work proposed to try to define job roles for
health care that could guide information systems policy management around

I think the good news on the front is that most providers because they
spent the time during the privacy rule compliance efforts for policy
development did spend the time to look at need to know policies, and so most of
that is probably done, most of their assessment work is probably done, so
they’re not in bad shape from that standpoint but I think that there is still a
remaining test to make sure the systems support those policies in some degree
of consistency, even if it’s trying to reconcile different definitions,
different architectures.

Kind of speaking a little more to the point of improvement, we see a lot of
providers desiring to pursue single sign on and what we might call single point
of administration types of projects. And so if they see the security rule
compliance effort as a chance to also reduce administrative costs and make real
improvements these are areas of real focus. With single sign on the idea there
is that a user may be able to sign on once and have that identity or that sign
on information shared throughout all the systems that run on that provider
organization’s network. The administrative point is to have information shared
between systems about who users are, what roles they may play, what memberships
they may hold, credentials they may present, and have all systems be able to
support sharing of that information so that each system is not compelling
providers to maintain that information separately and uniquely system by system
by system. That’s the reality historically, most vendors have not thought in
terms of gee, I might share information from a network source or with other
systems, I’m going to require you to define it through my tools and my system
manually and you’ll have to do that for as many times as you have different
vendor applications.

So that is a major opportunity for improvement and I think that’s where a
lot of the administrative costs for security management could be reduced if
vendors were to make improvements to integrate with those types of enterprise
technologies. Those technologies are available, they’re in use in other
industries, they’re in use in health care but probably to a more limited degree
then most anybody would like. And the main issue is the matter of limitations
to be able to share that information.

I think the second point around that is that this is a matter for standards
work as well to be able to share security attributes, to be able to share
personnel attributes between systems, and be able to do so avoiding
non-standard types of information sharing. Standards work has been underway
within groups like HL7 for a number of years to try to push ahead with this and
I think that that will eventually make the process much easier but we aren’t
real far down the path for adoption.

So I think with single sign on and centralizing or standardizing security
policy they may not be literal compliance requirements but they are things that
organizations are trying to debate spending time and money on doing now since
they’ve got, they may have some corporate focus on those types of issues.

Another area that’s very much related is electronic signature, because I
think while people are looking at the security issue they still, while the
signature requirement may have been scoped out of the final security rule
they’re still looking for a way to have a secure and reliable electronic
signature methodology in place to share information, and I’ll speak to
community sharing a little bit later. But at a recent meeting of HL7 the
committee chair of one of the groups I participate in for medical information
made the comment that a lack of standard driven or regulatory requirement
driving electronic signature standard or requirement at a federal level is
going to serve the dampen the use of the web for sharing patient data. I think
we are entering a time where we are seeing some regulatory requirement in other
ways for sharing of patient data via the web, I cite by example the
e-prescribing initiatives that will come under the recently passed Medicare
Reform Bill, so this isn’t an issue that’s gotten a lot of historical push
because systems have traditionally shared information only within an
organization, within a closed network, and not with other organizations through
the web. But I think we need to see more ability to have trust in that
information sharing, a lot of that’s going to come back to the reliability of
the electronic signature. So we’d encourage the committee and the Secretary to
consider moving ahead with proposed rulemaking and standards, or backing of
standards, for electronic signature.

Probably the most challenging and costly aspect of security rule compliance
is one near and dear to me because I’m an auditor by background and started my
career in that end, and that is for accountability in audit systems in health
care. Probably no other issue will cause system replacement or upgrade like
this one and I think there’s three factors that contribute to that. First, many
existing systems just simply do not provide an adequate level of auditing in
the manner that the security rule contemplates. It’s particularly true if the
patient information is only inquired or printed but not actually modified or
changed or created. Many systems offer auditing for those types of operations
but enabling audit of inquiry or printing types of events is a major system
enhancement for most of them. The availability of audit data is going to be
especially problematic for older systems that are still in use that may not
have been designed with any knowledge in mind of how to identify just a simple
inquiry that didn’t actually change data.

Most vendors I think are addressing this with newer versions of systems,
ourselves certainly included. So that is why in a lot of cases there are going
to be system upgrades or replacements often simply because of trying to deal
with the auditing requirement. Second, and also of issue, good security
practice requires audit information to be reposited separate from the patient
record keeping system. That just is a plain separation of duty requirement that
most are reading as part of the requirement for the audit systems. So for
patient care systems that do provide availability or capability to audit how
patient information is used many of them do not provide separate and secure
audit logs for actual control of that data. As a result a security auditor may
well have to traverse enumerable logs at a network level, at application level,
in order to get a fairly complete picture of what end users see and do within
patient records.

There really needs to be a focus on trying to have organization level audit
logs, enterprise level types of audit logs, that can draw from each patient
care system and present one whole audit trail. That’s not the current state of
the market but it’s our opinion that we need to move to that.

The third area in auditing, or the third issue with auditing is that only
draft standards are available for health care providers to try to share audit
data between patient care systems and an audit system. HL7, ASTM, and DICOM
have come together and agreed to propose a common audit standard that should
help solve that problem but it’s still a ways from adoption. Some vendors have
designed auditing around this standard on a prospective basis to anticipate
that that will become the standard, but mostly for their newer versions of
systems. So providers are still left with incomplete ways to get audit data for
whatever they can find. Audit data is probably going to be a tedious task
that’s going to require knowledge of the data architecture of systems to be
able to get at the data, and custom programming in order to harvest it. So
there’s no guarantees that are a very complete picture of accountability
emerges in that kind of a state.

I’ve highlighted the importance of standards in guidance to the health care
information systems industry in a number of areas, and so I kind of take a
moment to underscore that. We’ve talked about auditing personnel or user
management and some other areas but our main point is that health care IT has
suffered from either a lack or a lateness of standards adoption or availability
relative to security. I think unlike HIPAA EDI where standards were very
strongly supported by regulation and industry consensus and long study, that’s
not been the case quite for security under HIPAA. There is a lot of standards
work available but it just simply has not been analyzed for adoption or with
the speed for adoption that it probably needs to be. So the more that can be
done to promote the adoption of standards within health care IT relative to
security we think the better.

That also speaks to treating security as an enterprise organization level
problem to be solved, and we feel that providers need to be thinking that way
and vendors should back that, especially through pushing for standards that
ensure consistent definition of security policies at the enterprise level and
provide support for using those security tools that can reduce costs of
administration and provide user convenience for accessing systems.

We see good examples in the provider community or organizations attempting
to do this. The VA within this very department has taken a leadership, I should
way within the DOD, is taking a leadership role to standardize user roles and
they’re pushing that as a proposed model for health care information systems
generally. Many organizations are implementing the kinds of security tools that
I discussed earlier to ease the burden of administration, and we need to see
auditing treated as a problem to be solved once for an organization, but that
does lag behind other areas.

I don’t know that it’s the government’s interest directly to encourage
particular tools or techniques but we do think it advisable for best practice
develop to be encouraged. So interpreting and providing working examples of
what organizations have done successfully, such as what was done with WEDI SNIP
for HIPAA EDI needs to be encouraged.

Another area that concerns us is what we see with what’s going on of
balancing information access with privacy. Now that the privacy rule has been
in effect for nine months the industry has had ample opportunity to take a lot
of the measure of its impact and we think a lot of our clients have taken
advantage of our systems to improve protection of the security and privacy of
patient information without necessarily having us to make a lot of major coding
changes, and we do see that as our clients implement systems one thing has
changed and that is security and privacy has become a major part of any new
implementation effort, so they are considering it. However, we are finding an
interesting situation that’s beginning to emerge, it does seem to us many
organizations are treating compliance as primarily a legal problem and not an
operational one. Many long standing practices have had to change about how
patient information is handled and disclosed. Probably my favorite, we’ve had
many clients ask our advice about whether or not faxing should even be used,
and many represent to us as a matter of fact that it’s outright banned under
HIPAA as a practice.

Some provider organizations have behaved as if protecting privacy is a
primary role of their health care IT without due consideration given to the
role of information systems to really automate their business processes. So
this poses a challenge and we think perhaps a threat to proper patient record
access and use. We encourage the committee to consider recommending to the
Secretary that guidance and reasonable perspective be given on the security
rule just as the Office of Civil Rights did a very good job with the privacy

Currently there’s a lot of speculation on what a compliant system is and
much is left in the eye of the beholder. For example the limited amount of
standards based guidance on health care roles leaves providers to determine
this for themselves at a time when they are trying to reconcile roles across
systems that have been very inconsistently defined over time.

And finally there is a matter of enabling true community information
sharing, the issue is whether or not the security rule works well with other
regulations from a proper sharing of electronic health information between
health care providers. It does seem desirable for the government to wish remote
examples of appropriate information sharing between community members and a
good example for this is what I mentioned earlier with e-prescribing under the
recently passed Medicare prescription drug legislation.

As we observed in the privacy rule amendment process and in the guidance
given by the OCR for things like eligibility practices and processing of
prescriptions, sometimes you see literal interpretation of regulation that goes
too far and retards the very thing it was to assure happened properly. We see
many provider organizations make a determination or remain very closed, and
only disclose information when there’s absolute written proof of patient
permission even for permissible disclosures related to care. We also see a lot
of desire on many parts of the provider organizations to share properly with
each other and promote such sharing within a community to better the care
delivered to patients they all share in common. This is retarded by the fact
that some organizations interpret the privacy and security regulations as
making a presumption that electronic health care information seems only to be
held only within provider organizations and somehow should not be at a
community level, or that community sharing is only possible with very
burdensome administrative and technical conditions applied.

We encourage the committee to consider taking a position on proper
information sharing practices that can encourage enabling electronic community
level health records. We believe that the government has a strong interest in
the promotion of electronic health records standards that include appropriate
information sharing as an important goal. Personal and portable electronic
health record is an important future objective for many health care information
systems and it really is a vehicle by which real patient rights toward their
records can be realized.

We believe the U.S. health care system has an interest in promoting good
model frameworks for how to reconcile the security and privacy requirements for
the health record with the community level information sharing objectives in
mind that are important to such a health information structure.

So to summarize our recommendations, we believe the following are important
to consider, first, the promotion of the use of standards in health care
information systems security, we’ve identified several key areas of emphasis.
Number one, or I should say A, health care roles for users, audit, exchange of
security information between systems to reduce administrative costs, and then
the use of electronic if not digital signatures. Standards work is available or
nearly available in most every significant area. We do not necessarily suggest
a formal DSMO process for their adoption but we do recommend that their
adoption be given a strong backing by the committee.

Number two, the development of guidance or best practices around what
constitutes proper and appropriate information sharing practices, especially at
a community level so as to promote an effective balance of privacy and
availability of patient data.

Three, consideration for some kind of best practice sharing forms, such as
WEDI SNIP for security practice and privacy practice.

In conclusion, the security rule compliance period catches health care
information systems, vendors, and providers using their systems between an era
when it was okay for vendor solutions to worry only about their own systems and
an era when health care is rapidly moving towards enterprise solutions for
security. There still is quite a bit of existing system inventory in place that
serves to hinder the pace of that progress. Providers do not have the budget in
many cases to both remediate their systems and move to adopt enterprise

The last comment I would leave you with is that much consideration should
also be given to the good faith efforts of providers and their vendors to
enable compliance in the design of the enforcement regime for the security
rule. I’m certain that many providers are going to be in the process of
implementing their plans come April 2005 because of the choices they have to
make between remediation and improvement.

On behalf of Cerner I would like to thank the committee for the opportunity
to present our observations and recommendations on this matter.

DR. COHN: John, thank you very much and we’ll have questions and
discussions after you all have testified. Roslyne, I believe you’re next.

Agenda Item: Security Rule Implementation Issues –
Ms. Schulman

MS. SCHULMAN: Good afternoon. I’m pleased to be here today to talk to you
about the AHA’s perspective on how the nation’s hospitals are implementing the
HIPAA security regulations. Today I’m going to be going over some challenges
that hospitals face regarding security as well as some preliminary data we have
with regard to where hospitals are in the process of implementing and becoming
compliant with security.

I would echo John’s comments on the late start on security, I think both
our hospitals and AHA has gotten sort of a late start on security. The greatest
challenge for hospitals remains ensuring that they are able to submit HIPAA
compliant claims and receive payment in a timely fashion. We’re still in the
contingency phase with regard to transactions and code sets, and our primary
concern right now is ensuring that TCS is not interfering with payment.

There’s also the ongoing issue of HIPAA burnout. The energy focused on
implementing the privacy regulation and the ongoing challenges of implementing
the transactions standards has been exhausting for the nation’s hospitals and
HIPAA momentum is fading. As a result providers may be behind on implementing

There’s also some confusion regarding the differences between the
requirements of privacy and security at the executive level, that is when
security implementation is raised as an issue the question arises haven’t we
already addressed this in privacy. It’s hard to disentangle these requirements
and it’s hard to explain.

This raises a resource question because the cost to comply with security
could be more then initially perceived by our nation’s hospitals. It really
depends on what the organization’s normal security efforts are to date. There
are some privacy components that are dependent on the final security
regulations, a covered entity needs to have safeguards in place in order to
comply with privacy. For instance, mapping the minimum necessary policies to
access controlled requirements. On the other hand, due to the overlap in
privacy, some of the groundwork for security has been implemented in some
hospitals. Also some organizations may have begun implementing provisions of
the security rule when it was still a proposed rule, and some may be ahead of
the curve for that reason.

We are pleased to have heard CMS continue to emphasize the fundamental
principles of flexibility and scalability in the security regulations. It’s
critical that CMS’s enforcement activities stay close to these principles. It
would not be helpful to second guess the risk calculus and decisions that
hospitals make and CMS needs to respect these decisions. Further, it’s
important that CMS understand that because of this flexibility and scalability
a security breach does not automatically mean that there has been a violation
of the rules. There are some threats, uses, and disclosures that cannot be
reasonably anticipated.

Also due to the overlap between privacy and security it’s not clear when a
violation goes from being a violation of privacy to a security violation and
vice versa. CMS’s Office of HIPAA Standards and the Office of Civil Rights are
working together because of this overlap, and we’ve head from CMS that a
complaint may be initially identified as a privacy violation but may also
contain a security breach. There doesn’t appear to be a bright line between
these and so therefore consistency in enforcement between privacy and security
is critical. Also consistency in interpretation is key. We’ve talked to CMS
about the consistency between central office and regional office
interpretations of privacy and the same goes for security. We need consistency
between the approaches and actions taken by the regional and central CMS

Also providers are worried about the resources that compliance will
consume. As with the other components of HIPAA the security rule will result in
technology purchases in the nation’s hospitals. Among other things hospitals
are concerned that for IT folks this may seem like Christmas. Long repressed
technology wish lists will now come to the foreground whether or not they are
necessary for compliance. Also as occurred in previous components of HIPAA
we’re concerned that there may be incorrect information and scare tactics used
by consultants and vendors that are designed to encourage hospitals to do and
purchase unnecessary things.

Also it’s important to realize that technology alone will not lead to
compliance with the security rules but over promises from vendors regarding the
results of their technology in totally addressing security is a problem. On the
other hand technology is ever changing as are the scope of the threats that are
facing hospitals and therefore compliance with the security regulations must be
an ongoing process. The need to dedicate resources to ensuring that the
appropriate safeguards are in place over time will be a challenge for

Like I said before, while the AHA like its members are really only now
beginning to take a comprehensive look at how hospitals are implementing the
security rules last week we did have an initial conference call with our
members regarding security rule implementation. We had a number of
presentations from experts from CMS, from Ernst & Young, from Hogan &
Hartson, from AHA staff as well as from a hospital system. And the thing we’re
going to talk about now is that in order to register for the call individuals
were asked to complete an online series of questions and I’m going to be going
over the responses we got from approximately 475 organizations. This is not a
random sample, that’s a caveat, the providers who responded I think are more
likely to be on the ball about security and perhaps a bit ahead of the curve.
But on the other hand it gives us a taste of where hospitals are.

The first questions we asked were with regard to HIPAA security regulation,
implementation and compliance. And we were pleased to see that they really have
gotten started, only 1.4 percent said they have not yet started, 43 percent
said they were doing initial research or trying to understand HIPAA security
requirements. About 47 percent were in the planning stage, 43 percent were
performing risk assessment and evaluation, about 26 percent were in the
implementation stage, and 9.3 percent claimed that they were compliant with the
HIPAA security regulations. This adds to way more then a 100 because they were
able to select more then one so you’ll see that in a couple of these questions.

The next pertinent question we asked, we were trying to get an idea of what
they considered to be obstacles to implementing the security regulation so we
asked them whether their focus on HIPAA privacy regulations has been an
obstacles. And we were pleased to see that about 70 percent said that no,
privacy had not been an obstacles. About 28 percent said that it had been.

We also asked them whether the transaction and code set requirements had
been an obstacle to their focus on implementing security. And very similar
results, about 65 percent said that no, transactions had not been an obstacle,
and 33 percent had said yes, that it was.

We then asked what other obstacles, had there been any other obstacles in
security compliance, and 63.5 percent said that yes, they had other, there had
been other obstacles in compliance, and the next slide goes over some of their
list of what they consider to be obstacles, sort of the obvious things, lack of
budget, lack of resources, timing issues, having multiple priorities, other
competing IS projects, misinformation or unclear guidance, IT security
education and training, the sheer scope of the project, that is a good answer,
finding good security policies, the complexity of the organization, IT IS staff
turnover, outsourcing, and a lack of agreement on the scope and depth of
required security regulation implementation. So it’s a variety of obstacles
they’re seeing ahead.

We also asked whether the organization has budgeted for security rule
implementation and 55 percent, the majority said that they had, and 34.5
percent had said no, they had not budgeted. The other ten percent said
something other, I’m not sure what that means except maybe they hadn’t budgeted

And then finally we asked them whether they were able to rely solely on
internal resources for HIPAA security implementation and compliance and what we
found is 62 percent of them told us that they were actually using a combination
of internal and external resources. About five percent were using only external
resources and 25 percent said they were using internal resources only. And
seven percent said other, again, not sure what that means.

Among the resources that AHA has established to help the nation’s health
care providers with the security requirements are several. We have a website
that’s dedicated to HIPAA, go to www.aha.org
and click on HIPAA under key issues. There’s a few things there already
including an advisory and a couple articles we’ve done. We will be adding
additional advisory sort of drilling down into security over time, we’ll also
be, we are considering doing a survey of the hospitals, a bigger survey of our
hospitals to see where they are in implementation.

As I mentioned a moment ago we do audio conferences for our members on
HIPAA issues and we more then likely will be doing additional audio conferences
on security. Also the AHA has selected Ernst & Young as its strategic
advisor for HIPAA security services and we’ve endorsed their HIPAA security
services including risk analysis, gap assessment, and all security
implementation services.

We will continue to develop advisories and checklists and briefings and
other documents for AHA members, and then finally as we progress through the
April, to the April 2005 deadline we will be vigilantly tracking the journey of
our members towards compliance, ensuring that bumps in the road get smoothed

And I’d be happy to answer any questions at the end.

DR. COHN: Roslyne, thank you. Tom Wilder.

Agenda Item: Security Rule Implementation Issues – Mr.

MR. WILDER: Thank you and good afternoon. I also want to thank you for the
opportunity to be here with you today. AAHP/HIAA represents approximately 1300
health plans and insurers, and our members provide a variety of health
coverages to over 200 million Americans.

As I mentioned I’m responsible for working with our members as they deal
with federal regulatory issues, including HIPAA implementation and I want to
speak to you today about what our members have been doing to implement the
HIPAA security rule. A number of the points that I’m going to make have already
been mentioned in the prior testimony.

In talking to our members, although we’ve not done any kind of in depth
survey, what we’re finding is they’re actually pretty far along the road in
terms of implementing the requirements of the security rule. And I think in
large part that’s due because their work on getting ready for the privacy rule
laid a lot of very important groundwork because in many respects what you need
to do for the privacy rule helps you in terms of the security rule because they
both deal with uses and disclosures of information and protecting against the
misuse or unauthorized access to that information.

In visiting with our members there are some challenges, I think Roslyne in
her survey gave you some very good, an excellent outline of what some of those
are but some additional things that our members have mentioned is for example
taking off the shelf products such as software, hardware, fire walls, or taking
the security aspects of a software program and adapting that for your own
particular business needs. Setting up the infrastructure and the systems to
track uses and disclosures, and to monitor who has access to a particular level
of information. Dealing with business associates, how much do you want to
monitor their activity. Setting up policies and procedures and training
programs. Again, these are not insurmountable but these are the kinds of issues
that the health plans and insurers are dealing with as they get ready to
implement the rule.

There are some additional issues that I just want to raise with you. First
of all we were very pleased that this rule is scalable and flexible, and the
idea of course is that you take a look at the rule and look at it through what
is your own particular business needs and operations and how you adapt the
rule, and we think that’s very critical given the diversity of covered entities
that are covered by this rule. Obviously what’s needed for a very small
practice group is vastly different from what’s needed to address the security
needs of a multi-line insurance carrier that has global operations.

I know there’s been concerns raised, including concerns by members, that
this scalability leads to uncertainty, there is a certain amount of comfort
from a compliance standpoint of knowing that you have to do A and B and C and
you only have to do D if you have 50 or more employees. But again, the
practical reality is that given the diversity of business operations of covered
entities that if you’re going to take that approach the security rule is going
to probably be the size of several phone books stacked together. So we support
the approach that in the rule of having a scalable and flexible set of
standards that covered entities have to follow.

We also support the enforcement philosophy outlined so far by CMS that
they’re going to be compliance driven rather then punitive in terms of helping
people get ready for the rule. Obviously that makes the most sense. Because of
its scalability and flexibility to a certain degree the rule is fuzzy around
its edges and so people are trying to assess what best meets their needs within
the boundaries of the rule. For many covered entities, particularly I think for
a lot of the smaller providers and to some extent, to the extent that employers
are covered by this rule, it’s a new world for them, so covered entities really
need assistance in coming into compliance rather then being fined if they don’t
meet these standards, and I think the best way to help a covered entity get
from point A to point B is to help them along the path and not hit them with a
stick if they stray too far. There obviously are enforcement processes and
penalties built into the rule and those can be assessed where appropriate but I
think again for most covered entities they need help with compliance.

And finally I think CMS quite frankly needs to be a little bit more engaged
in the process in terms of outreach and education for covered entities, again
particularly for a lot of providers or for employer groups that are not as
familiar with the rule as they probably ought to be. I think for a lot of the
larger providers and for a lot of health plans and insurers they have
sophisticated IT and compliance systems and so while they have some challenges
and they have things they need to do to get ready they have the tools available
to them to get where they need to go. I know CMS has been very involved
obviously in helping people get ready for the transactions and code set
requirements but I think it’s very critical that they turn their attention now
to security compliance. For example, I think they need to develop some
checklists, some very simple checklists that people can use in order to assess
how far along they are with their compliance activities. They need to do a lot
more in terms of developing educational materials and guidance on their
website. They need to ramp up their activities to put on seminars and
educational activities. Obviously our association as well as the American
Hospitals Association and others are involved in this process but I think the
more communication that can go on by not only the associations but by CMS the
better in terms of helping people get ready for compliance.

And I think they ought to sit down and have a serious conversation with the
Office for Civil Rights. I think OCR did a very good job to the extent they had
the resources available to help people get ready for the privacy rule. They had
seminars and educational sessions across the country, they’ve got a very good
website where they post some guidance, they’ve been very responsive as
questions have come up, they’re developed some education materials and
checklists for people and do they’ve got a good guide for what’s working. And
again, as I mentioned, the privacy and security rules have a lot of
similarities in terms of what you need to get ready.

And finally they should obviously partner with the industry. I know we’re
ready to work with CMS to help get our members ready, I know American Hospitals
Association, AMA and others are ready as well, so we are ready to work with the
government to help our folks get where they need to be.

Our member companies obviously use and share health information everyday,
it’s a very basic core function of what we’re all about, the same can be said
for health care providers. We all have a strong vested interest in seeing that
the security rule is implemented and that the security and health information
is protected and that uses and disclosures are appropriate. And this really
goes beyond the fact that you have this rule out there that you have to comply
with. It’s really just a central part of our business operations and
philosophy. We believe that the security rule is an important benchmark for the
health care community and again we’re ready to work with this committee and CMS
and others to make that a reality.

DR. COHN: Great, thank you all for some very enlightening testimony, that’s
very useful. Comments, questions? Maria.

MS. FRIEDMAN: This is Maria Friedman speaking with my CMS hat on, and I’d
like to thank everybody for their ideas and suggestions, and just to follow up
on what Tom has said, we are actively underway developing our outreach
materials very similar to the transactions and code set materials that we have
up on our website. We’re doing a similar set of papers and checklists and all
of that that will be going up. And we will be continuing partnering with the
Department of Labor and others for their seminars and outreach, looking at
roundtables. We still haven’t got our budget yet so we’re still trying to
figure out what we can do with what we’re going to get. But we’re going to
continue on with the model that we’ve used and we appreciate the opportunity to
partner with anyone and everyone.

DR. COHN: Thank you. John Paul, do you have comments?

MR. HOUSTON: Not a one. Actually I have a great deal and I don’t want to
monopolize the conversation, so I’ll take a stab at a couple.

DR. COHN: Okay, and then I see Stan has some questions, too.

MR. HOUSTON: I guess I’m going to start with John, from your perspective,
knowing you’re just one IT vendor, I guess I have a question, are the IT
vendors prepared, are they able to deliver HIPAA compliant, HIPAA security
compliant information systems at this point in time that even can be
implemented? You talked about people wanting to move to new information systems
to become HIPAA compliant but is the state of the industry such in your mind
that there are solutions readily available to speak to the issues that I think
everybody spoke to.

MR. TRAVIS: I think that many vendors have probably started out and I’ll
speak by metaphor our own experience, trying to enable an appropriate level of
especially access control capability. We all, and I’ve shared a lot of
information at least through industry forums non-competitively where we can
kind of talk openly with each other, that we all tried to assure that if at
least there were capability to have appropriate role based security models in
place, I think you’ll find most vendor solutions, especially those that are in
use now or newer versions of existing products, would address that pretty
adequately. I don’t think that’s where the greatest fear would be. I think the
auditing area is probably the one that is the most challenging. I think most
vendors have focused on that being a matter of new solution version or upgrade
capability, may not have taken that back to all versions of prior legacy
system. I will say that I think most have tried to make that clear with their
clients about what versions would enable those. The barrier does remain though
that given the reality of the environment in health care IT and providers that
auditing has not been a problem solved at an enterprise level. I think that
there’s going to be challenges in making a security auditor’s job horrible
quite frankly in trying to be able to traverse those audit logs to have a good
system of accountability that can alert and really enable real time
intervention for possible issues of abuse.

MR. HOUSTON: Sort of a follow-up question, I know from my organization, I
think trying to have somebody, one, who has a relationship with the employee to
know what the employee should be accessing, ensuring you don’t have an overly
restrictive set of rules to restrict access to information while still being
able to then effectively audit seems to be a real dilemma.

MR. TRAVIS: Yeah, I think you’re right, you have the balance between do I
implement access controls that are very restrictive and therefore I can
probably not focus on those areas that I know are appropriate accesses because
I’ve locked down controls very tightly versus putting a higher level of trust
in my staff in trying to establish some pattern of auditing that really does do
a good representative sample of review across those and identifies patterns of
abuse when they happen. You mention employees, I think one particular
challenging case we’ve seen repetitively from clients is employees accessing
their own health records or accessing records of other staff, and being able to
detect those patterns. I think that can be challenging in some instances the
way some systems are architected to know this user is an employee engaging in
an access to another employees record. That is an area where there’s been a
wide variety of efforts to recognize those circumstances. And that’s a fairly
common area of maybe not malignant abuse but it’s been an area of abuse

DR. COHN: Can I ask sort of a follow-up question on that because I
certainly agree with you that you don’t want as a security issue and privacy
issue you don’t want to have someone check someone else’s staff record or
whatever, maybe you can explain to me a little more about the security or
privacy issues about a person checking their own record, I mean that’s —

MR. TRAVIS: it is perhaps more of a policy issue for organizations. A lot
of our clients have policies of access to the subjects record that require
formal requests in writing, that require an organizational response because
there could be third party data in the record that shouldn’t be released to the
individual, that there just shouldn’t be the same level of access right to you
as a patient as you may possess as a provider’s staff member, a physician, a
clinician of other kinds, for the lack of the opportunity to the organization
to vet your request and to properly respond to it as the privacy rule would
suggest there should be due process to do. One of the things that you’re not
going to find health care IT in a real good state to support right now is the
idea of a consumer or a citizen portal to get into their own record so that
there is this idea of a safe sharable record that’s been published that the
patient could come and get any time they want. One of the issues about that is
that most health care systems are provider based record systems, they are not
necessarily designed to support the role of a personal health record, which is
really a little bit different animal and so employees attempting to use a
provider based record as their own personal health record so to speak may fly
in the face of a lot of the policies of certain organizations to have some
control over that release.

DR. COHN: Sure, and thank you, I’m actually well aware that most
organizations have policies about all that, I just didn’t really think it was
precluded by the security rule.

MR. TRAVIS: I think the problem is that it’s actually not precluded by the
security rule adequately so that you can tell the difference.

MR. HOUSTON: But there are I know, at least in Pennsylvania, there are
state laws that would, though they allow patients access to the record
interestingly enough there are certain types of test results, such as HIV, HIV
test results you’re required to have, the physician is required to provide
counseling regardless of whether it’s a positive or a negative so you can’t
just go online and look up your own HIV test results, it’s intended you should
have to go to the physician and the physician is supposed to deliver it to you.
So there might be certain cases where patient access to the record, which is
very convenient for employees, may fly in the face of treatment relationship as
well as certain limited state laws.

DR. COHN: Stan, did you have a couple questions?

DR. HUFF: I’d just ask Roslyne for a clarification, I didn’t understand
exactly what you meant by there shouldn’t be second guessing of risk calculus

MS. SCHULMAN: Well, as part of the requirements of the security regulation
you’re supposed to identify the risks, possible uses and disclosures, and then
prioritize those and apply solutions to what you consider to be the most
important of those risks. And the concern is that if there is a breach, a
security breach, that CMS might come back and sort of second guess that whole
process as opposed to considering whether there really has been a violation or
not, just second guessing the decisions the entity made in good faith.

DR. COHN: Actually, John Paul why don’t you go and then I have a couple
questions also.

MR. HOUSTON: I have a bunch of questions, vested interest here. I sort of
heard two sort of countervailing positions on the level of specific guidance
regarding how detailed the security rule should be. I think John your position
was that there should be more, there wasn’t a lot of support for specific
measures that should be taken on the security side if I’m not mistaken.
Roslyne’s was sort of to the opposite of there’s a scalability issue of it’s
nice that it’s scalable I think and I can find the words if need be but I’m
interested in sort of —

MR. TRAVIS: My perspective and admittedly keeping in mind where we come
from, our basis of making that statement is that we do work with medium to
large health care organizations, the scalability is in a sense, they’re at the
upper end of the scale so they are fairly technology dependent on solving
security issues. And I think from their standpoint development of best practice
sharing and the promotion of standards is going to be an enabling factor for
them. Scalability is going to be probably limited a bit by what technology
choices you made prior to ever entering into the client’s effort so I think it
works to be good working examples of how do I make progress.

MR. HOUSTON: But do you want specific, are you looking for specific
guidance as to exactly what should be implemented based upon —

MR. TRAVIS: I’m probably looking more for the type of forms or structure to
give best practice sharing, to promote that the industry provide more guidance
to itself if you will. I think the examples of the WEDI SNIP group sets up very
well, they spoke a lot to best practices for bringing systems and procedures
into place, to try to see HIPAA EDI as an opportunity for operational
improvement, and I think that our, at least our type of client is going to be
very interested in being able to have that similar kind of a forum. I think the
other kinds of guidance may go more towards procedural matters or interpreting
scalability based on the kind of organization you are but that’s not really
what I was —

MR. HOUSTON: Are people specifically looking for guidance as to I’m this
size or I have this complexity of IT systems, this is what I should be doing,
these are the types of controls I should have in place or the type of
technologies I should be employing? I guess that’s as much —

MR. TRAVIS: I defer to Tom on what he may have intended by the remark, I
think for us it’s probably a little less define the set of requirements that’s
appropriate for me, I think people are looking a little bit more for I’d really
like to be able to standardize, how do I go about doing that. But is there a
good model, for example I mentioned the VA in their health care roles, I’ve got
the security policy, I developed job roles in my HR system, I know what kind of
profile people have but now I’ve got 50 information systems that I need a
benchmark or a baseline of what’s appropriate.

DR. MCDONALD: If I could interpret for the industry, I think that, I work
in a hospital and I see patients, I think by and large this looks like
someone’s invented something that no one knows how to build in the universe, it
might not be buildable, we don’t really know what it is, leave it light and let
us figure out is kind of what I think I’m hearing because we’re trying to find
a way and I don’t need someone knocking it down and making it be this, this,
and this.

MR. HOUSTON: That would be my preference, too, I sort of thought I heard
sort of two different perspectives on give me guidance or let me figure it out
for myself and I wasn’t sure, I just wanted to sort of get a sense.

MS. SCHULMAN: Flexibility and scalability is a two edged sword, on the one
hand it’s nice to have that ability to scale your compliance to your own
specifics of your organization. On the other hand there’s sort of an anxiety
out there about am I doing this right, am I going to be cited. So to the extent
that CMS enforcement is consistent with that philosophy we would continue I
think to support the open endedness of the flexibility and scalability.

MR. TRAVIS: I take as my measure that it’s an issue to be dealt with by how
many times they get asked is your system HIPAA compliant, and I hear it frankly
a whole lot more in security then I do with EDI, and I was involved in both
efforts for Cerner. And it’s an interesting question because I can’t, I’ll tell
them it’s relative, are you speaking of a patient care system that’s accessed
by 20 different classes of users, are you speaking of a lab system that’s only
accessible by med techs? Are you worried about accesses by med techs in a lab
system as something you would audit versus a patient care system accessible by
thousands of residents in an academic situation? So it’s really that point, I
think that there are very relative as to what the scalability and flexibility
are going to mean for somebody.

MR. WILDER: If I could follow-up, I think again, as I probably mentioned to
this group before I’m a lawyer by training and experience and so I tend to look
at these things from a lawyer compliance standpoint. Letting us figure out what
we need to do is good, giving us some guidance is good, figuring out what best
industry practice is is good. Don’t tell us if we don’t do this that we’re in
trouble, because coming up with what the roles are at a medium sized hospital
doesn’t apply to everybody, coming up with what those roles are may be good for
that medium sized hospital today but it may not be good for them a year from
now. So we need from a compliance regulatory standpoint giving us more
certainty is good but don’t give us a whole set of rules and standards and
requirements that just really don’t fit what we’re trying to do.

DR. COHN: John Paul, I think they like it the way it is, ambiguous.

MR. HOUSTON: I just want to make sure I understood that, I like to be more
open ended myself, I like that concept of me figuring out what I need to so but
absent a lot of guidance right yet I think everybody’s sort of questioning,
Roslyne, I think you sort of said it, I believe you said it sort of we want to
make sure we’re at least going in the right direction and we’re not way off
base come compliance time and find out there’s a huge variance between what the
expectation is, maybe it was Tom that said it, and what we’ve done.

DR. COHN: Actually, why don’t we let Kepa, do you want to introduce

DR. ZUBELDIA: Sure, I’m Kepa Zubeldia, member of the subcommittee and I was
late today.

DR. COHN: Welcome. And tomorrow.

DR. ZUBELDIA: And tomorrow. And I apologize for being late but I have a
question that may have been addressed in testimony and the thing that Mr.
Travis kind of referred to it, you’ve been asked many times are you compliant,
would it be beneficial to have a reference place or a process by which you can
submit whatever you’re doing and have it deemed compliant? Or is that getting
into the boundary of things that you’d rather not do?

MR. TRAVIS: I would probably defer to those who represent covered entity
associations here because Cerner doesn’t technically fall under that. I think
what our client base is after is guidance and I’m not trying to redo the point
of standard, it really is very close to the same thing that at the end of the
day it’s implementation guidance so I don’t know if that kind of process gets
you in trouble where you may be literally asking for a safe harbor for
something you’re doing. But I do think a matter of more structure to best
practice sharing, the industry needs to solve that to a large measure for
itself but there was a lot of encouragement given I thought. One of the best
documents I read in the last number of years was what the OCR wrote on the
privacy rule when things got out of hand and people were thinking chicken and
the egg, I can’t verify your eligibility because you haven’t given me
permission to share your information to verify your eligibility. So we get into
certain situations when we take things too literally. But I think at least to,
it may be more of that mode where there’s questions of I’m contemplating doing
this, I have this business problem, this is what I’m thinking of doing. It may
not fall under the matter of a safe harbor provision or a letter, compliance
letter, but it would fall under the matter of general guidance given to the
industry to debunk the myths that are going to be floating out there and are.

MS. SCHULMAN: For the AHA I don’t really know but it sounds like a good
survey question, something to ask our members. I just don’t know how you would
do it, I mean it’s, compliance is so dependent on the specifics of that
particular facility I don’t know how you could ensure that you were, to sort of
certify your compliance, I don’t know how that would be done, but it’s worth
thinking about.

MR. WILDER: We’ve not addressed this issue specifically on certification by
the security rule, how we’ve looked at it in terms of other things like the
privacy rule, number one, I think it would be very difficult to come up with a
program that would work for everybody. I don’t know that CMS would be
acceptable to that and if you give me, Claredi for example gives me a
certification and CMS says I’ve still broken the law, am I going to come after

DR. ZUBELDIA: We won’t do it, just to make sure, we don’t want any parts —

MR. WILDER: And I apologize, I didn’t mean to point fingers at you but
again, give us, help us get where we need to go, don’t give us another set of
hoops we’ve got to jump through to get a piece of paper that may not do us any

DR. ZUBELDIA: What I have in mind is people like NCQA and the Joint
Commission that are getting into this kind of situation right now, they have
certification programs for HIPAA security compliance. Is that helpful? Is that
something that the government should support or not?

MR. WILDER: Again, I want to be very careful how I characterize this on
behalf of our members, the NCQA process has been helpful to some extent but
we’ve also found that NCQA for example has gotten into areas where they’re not
really, where they don’t really know what they’re doing. And they’ve
established some internal certification requirements that we actually had to go
back for example and walk them through what the privacy rule actually meant and
how their certification requirements differed from the privacy rule. And they
eventually got there but we had some struggles with them as well to educate
them about what the privacy rule meant.

DR. COHN: Tom, I think you handled that one well. And certainly I think as
Kepa is commenting there are certainly likely to be a number of players getting
into some aspects of certification or otherwise. Many of these groups will be,
they’ll be part of, they’ll be one item out of 30 pages of things that they
look for when they accredit a hospital or otherwise. And of course given the
flexibility of the rule exactly what they will be looking for will be hard to
know, so that’s part of the issue.

MR. TRAVIS: One of the things that was very good in the final rule that
they went away from that I think was spoken by one of the panelists, I can’t
remember which one of you made the comment, that there was a degree of, we
liked the rule because there was a degree of flexibility, the original rule
implied or at least I think a lot of consultant dollars were spent in this area
on matters of very formal risk assessments, very formal certification
processes, almost based on the Department of Defense NIST series taken very
literally and that’s where a lot of security consultants were making tremendous
amounts of money about three years ago when we thought we would have a security
rule imminent in the summer of 2000. But I think that organizations are not
going to have the capabilities to do that level of formal assessment, it’s
going to be much more informal, but still they want assurance that they’re
covering the right things, that there’s a good basic set of things we should be
evaluating and looking for that I think all of us to some degree are reflecting
on. So I view it more from the standpoint of we get the outcome of that
assessment process and clients coming to us saying what do we do, and I’m not
sure we’re best positioned to serve in that role for our clients because we
still have a vested self interest, which is trying to offer commercial software
solution acceptable to all of the market and we struggle getting into a lot of
different implementations if we try to go down that path.

DR. COHN: I think Michael had his hand up and I think Stan you also had a

DR. HUFF: It’s just a questioning face is all, I didn’t raise my hand or

DR. FITZMAURICE: When we drive an automobile they all have similar kinds of
tires and engines, a lot of things are interoperable but we all get to drive at
the speed we want and we get to turn when we want. As John was talking and then
I heard more —

MR. HOUSTON: There are speed limits.

DR. FITZMAURICE: But there aren’t governors on most cars and so —

MR. HOUSTON: Didn’t you ever listen to Bob Newhart’s driving instructors,
30, 40 years ago, you can turn but next time wait until the street?

DR. FITZMAURICE: So anyway, as Tom and John were talking I got to see that
you can spend an awful lot of money on security if you wanted to, and then if
there were some uniformity like we have in tires for cars and engine parts,
that if some things were interoperable that you could save a lot of money
because as one company buys out another or as you have different components and
you work together, building for the enterprise seems to be less expensive in
the long run then building for each particular system. So I guess my question
is are the appropriate forums, are there sufficient forums to discuss this, do
you know where to go to talk about it with your hospitals, with your health
plans, with your other vendors on developing or listing functions that are
needed from health information management systems and from the vendors of those
systems first of all?

And secondly do you have a place to go to to talk about developing
standards for these supporting functions, such as role based access, and how
you would do it across components of an enterprise, maybe even between
enterprises? And do you have a place to go to to talk about encouraging or
specifying the uniformity and interoperability among systems for security
functions? Because right now we spend a lot of time on interoperability and
uniformity of data, having uniform comparable data, but I’m not aware of the
same sorts of things for how you do the security functions so that mine would
fit with yours so that we can start getting role based access, I define the
role the same way that you define the role so that when we get our security
systems talking it’s going to talk as well as we hope our data systems will
talk. Is there a place to go to, do you have places like that where you go to
talk about it and to work for those ends?

MR. TRAVIS: I’ll take it from our perspective, to a degree, I don’t think,
it’s been one of the slower areas for the industry to really build momentum to
even talk about. HL7 is a major forum if the concern is how do I share
information without judging the technologies that are sending and receiving
that information. ASTM, ISO, other organizations are focused around this issue
frankly because in other international jurisdictions, especially for ISO, it’s
of much greater concern and you also have national health economies like the
NHS in the UK, at the state level in Australia, where they are trying to get to
standards, or at leas the public health sector that really give impetus to

I think the issue we face in the U.S. is it’s still very much up to
individual participants to take and adopt those things. And I’m not suggesting
that that aspect of it shouldn’t change, I think more promotion, more
visibility to the availability of these sorts of things because a lot of work
has been done, this isn’t as if we need to investigate and discover ground work
for the first time, it’s probably more for evaluating things that are

As a framework ISO 17799 gives you a very good framework of what you need
to do, NIST has done tremendous amounts of work and laid out the common
criteria available as a common point of reference. It’s just simply I don’t
hear a lot of discussion or progress for organizations to want to take a look
at adopting them. And the major issue over time is going to be when you get to
I want to share information at a community level, I want a pass security
attributes with that information so that the receiver has the right to the
information I intend to convey, or as they take that information into their
system they can set up the appropriate right that’s intended to be conveyed.

We’re going to run into issues with information sharing as long as we have
a very decentralized non-standard way of sharing information that doesn’t
address the security attributes of that information. So that’s where it gets
concerning is making progress on building confidence that you can share
information, have a true community record, enable some other things a lot of
people would like to see happen, including the government.

DR. FITZMAURICE: Do you have places to go to talk about it in hospitals and
health plans or is this something that you prefer not to spend any money on
because you’ve got a bunch of other stuff on your plate? But interoperability
is going to hold down costs in the future I believe.

MS. SCHULMAN: I think a lot of this is still developing, I know that some
of the committees that John mentioned, there’s not a lot of hospital
representation, they just don’t know what’s going on there, it takes a real
commitment of folks to go to these meetings. I think this is all still under
development, it would be helpful I think, I think WEDI is doing some good work
that hospitals can turn to.

MR. WILDER: I would agree, although John and Simon might have a better look
at how they’ve been approaching this issue on behalf of their plans. But I
think we’re not as far along in terms of discussing some of these security
issues and particularly in terms of interoperability as some of the other IT
and patient record issues may be in terms of places to go to talk about things,
to share information. Obviously WEDI, NIST, some of the other groups are
starting to address this but it’s not as robust I think as some of the
discussion of the other issues.

DR. FITZMAURICE: What I’m struck with a sense here is earlier, maybe within
the past two or three weeks, AHIMA wrote a letter to the Secretary and one of
the arguments they made was if we do something sooner rather then later all the
new systems that are developing and being brought on board will be able to
incorporate it rather then having to retool those which has a larger expense. I
see that applicable here that we’re not going great guns on security, we’ve got
an awful lot to do on privacy and a lot to do on transaction and code sets, but
if there’s some thinking that starts off this and everybody starts to begin to
fit into a framework, then it’s going to be cheaper in the long run down the
road. That’s what prompted my question.

MR. TRAVIS: One of the, probably the best example I’ve seen, and we adopted
it very vigorously in our own right, HL7 has proposed an audit message standard
that really is a good data set and a good standard for sharing of audit data
for security or patient record access types of auditing. And that is, though
it’s not going to be in a standard until a new generation of HL7 is really an
industry adoption they did do work to get consensus with two other standards
groups, ASTM and DICOM, I think it’s what enables enterprise wide auditing in a
common basis. I think that it is a scalability issue, how much do you audit,
what do you audit, but if you want to move to saying I’ve got 20, 30 patient
care, financial, administrative, 20, 30 systems that hold personal health
information and I want a common audit view so that, you know I only have two
security officers in my institution and it’s a 2,000 physician staff, I’m going
to have a very difficult time having those two individuals traverse 30 systems
and have anything approaching a credible system of accountability. So open
standards towards that, even that alone would be very significant to see
progress in.

I think that we’re going to 15, 18 months down the line, we’re going to see
that one really rear its ugly head when people realize, the first test cases
have proved to me that that individual wasn’t in, we had two cases occur in our
client base in this that I’ll cite without certainly citing the institutions.
One where an individual was selling face(?) sheets in the admitting office to a
workmen’s comp consultancy that worked with ambulance chasers, and the other
where a staff member in a lab department knew a 16 year old girl had been in
for pregnancy tests, that patient had expressly said she was a competent minor
in the state where she was, that individual had said do not call my family or
my home about my pregnancy. This kind staff member called the parents and said
your daughter’s pregnant, congratulations, I don’t think it quite went that way
but both egregious violations, one probably the death penalty under the HIPAA
privacy rule, the other inadvertent disclosure, well not inadvertent but not
meaning harm but grossly overstepping bounds of propriety.

Both examples of things that systems of audit, no one’s going to know
enough to intervene in real time but they are places you would build the audit
trail that could to that individual, be possibly admissible in a couple of law
or a civil proceeding. These types of things, it’s not going to take many of
those occurrences to cause a lot of provider organizations to say this is a
matter of corporate risk and liability for us, health care IT department what
are you doing about it, so I encourage it in this area.

MR. HOUSTON: It sounds to me like, I was going to ask the question what is
the biggest issue with the security rule, it sounds like collectively that the
whole issue of accounting and coordination of auditing and things of that sort
sound like they’re really, that’s at the fore as being the big issues, how do
you manage it, how do you practically do it. Is that the big issue or is there
something else out there that really is, that really trumps that as being
probably one of the dicey security issues?

MR. TRAVIS: I think so, I’d say three things, one is it’s probably the one
most open to interpretation because the security rule just simply says you will
have a system of accountability. It is for electronic health data, we have to
remember the security rule is about electronic data, not about paper based
data, so there’s no denying that you have to have some manner of electronic
system of accountability towards how patient information is used or disclosed.
It’s probably also the area, I think most systems do well with the access
control and technical and physical types of requirements, auditing, these
systems were not designed in their inception to have these kinds of audit
trails, they focused on audit trails for history and data integrity of the
clinical record but not for —

MR. HOUSTON: But even if you could amass all the audit information for the
purpose of review it sounds like that’s still a huge issue of who’s going to do
it, how are you going to practically do it. I think Tom you’d sort of, I
believe you were concerned about monitoring access and disclosures, too,

MR. WILDER: Yeah, I would agree, I think building the infrastructure and
the system and the policies and procedures and the rules track where all the
information goes and figure out who ought to have access to it, and who ought
to have what level of access is probably the biggest challenge that health
plans are faced with. And you all probably know this better then I is number
one, that information is spread out in a lot of different places. I’ve had a
lot of privacy officers tell me that they had no clue where all information
went and the various kinds of uses and disclosures until they actually sat down
and did a gap analysis, so dealing with that, dealing with the proliferation of
the ways that you can now access information, the development of hand helds for
physicians I’m sure is a whole other complex area of issues that you’ve got to
think about. So the access and the accounting and the tracking is probably the
number one.

MR. HOUSTON: — any need for a way to be practically achieved within, by
April 2005? Or is that —

DR. COHN: Well, achieve what?

MR. HOUSTON: I hate to say it, when I think about what John describes is
you have to take all these disparate systems, you have to some way consolidate
the information in a way that can then be distilled down so that people can
review access, because it really is —

DR. COHN: Let me just jump in here a little bit because I think you’re
going, this is not the world of black and white, the security rule is a world
where you do risk assessment and then based on that risk assessment you put an
action plan into place, at least as I understand it. And I think there’s, I
think John is obviously talking about the perfect solution I think for an
enterprise but obviously there’s lots of policies and procedures that can help
keep you afloat while you’re seeking that perfect solution. Am I off on that
one, John?

MR. TRAVIS: I would agree that reality is organizations are going to have
to make choices about what are the most critical systems to have these kinds of
audit systems in place, or what level of capability, it’s certainly going to
start with what level of capability is there, and then I think it is a plan in
progress to answer John’s question, I don’t think it’s going to be a reality
that people will have these kinds of centralized audit systems in place with
the intelligence to traverse activity over many by the compliance date. I think
it’s something to aspire to, I think what is going to be a bit challenging is
that risk assessment process that, that’s where I’m going to have to trust the
access control systems, do I audit where I have an access control system that’s
pretty robust or lock down and pretty tight. They’re going to have to have some
good judgment about how they implement, how they establish the risk calculus
for why didn’t you turn on auditing in your lab system while you were auditing
your reg systems. And unfortunately though I think there is going to be an
aspect of this that’s going to depend on their experience and their sense of
their own historic risk that’s going to drive a lot of that decision.

DR. COHN: I know Stan has a question, too, but one would observe that the
things that you were obviously describing as egregious issues may not have even
been picked up on an audit log because they may have been authorized users, in
fact most of these things are done by authorized users.

MR. TRAVIS: In those cases admittedly a prospective or a real time
intervention was probably not possible. A retrospective review to try to prove
conduct still was something that may have been detectable. It’s arguable but
certainly absent those capabilities there’s not an opportunity to detect those
types of activities. No data was changed, no intervention was happened, they
were simply print events or inquiry events in all those cases and I think
that’s the state of readiness of systems to determine, you know I could go into
a clinical record and see a history of who did something to the record actively
online, most systems will give you that even though it may not be terribly easy
or retrievable for the kind of purpose we’re speaking of, it’s still there but
I just was in there inquiring, I just was in there printing and keeping a
record of that also for the disclosure requirements under the privacy rule that
I think are most challenging, the generation of systems most providers are

DR. COHN: Well, Stan, I know you raised your hand up a while ago.

DR. HUFF: I had a comment and then a question. I guess my comment is just
to second what’s going on in terms of the discussion, I mean we’re fully,
clearly fully auditing in our clinical systems and the volume of data we get
quickly escapes any manual sort of prospective analysis to see things and so
we’ve used it retrospectively on specific individuals to prove culpability. I
keep looking for a graduate student who would take a decision, a knowledge
driven rule based approach to analyzing this kind of data and I think that’s
where you’ve got to go before you can get to any kind of prospective sort of
catching the stuff. I think it would be fairly sophisticated and be very
interesting research. But that’s just a comment.

So my question is on the one hand we like the fact, we recognize I guess
the diversity and complexity of the areas where we’re trying to implement this
and that leads to us liking the ability to flexible and to individualize it.
But on the other end, I mean my intuition says yeah, but if you went out and
looked at some places you would say oh, but that’s passed what I’d call
flexible into not best practice or maybe non-compliance, though I hate to use
that word, and I wonder if there’s a middle ground, it was spurred by Kepa’s
thought, but I mean is there some middle ground where, it seems like just
sharing best practices may not be enough and at the same time with the
diversity and complexity you don’t want to go out ticketing a lot of people who
are in good faith trying to do things but you’d like to over time create some
pressure for people to improve and not just sort of accept what they did as
being at face value adequate. And I wonder, so I mean, you wouldn’t necessarily
find them compliant but I can imagine that, I mean the only way that I ever
know how to do these things is look at lots of instances and say oh, you know
that one stands out as not really being appropriate, you can’t say that a
priory, I can say it only after I’ve seen 25 and then you go gee, that stands
out as not being appropriate. And I wonder if there’s some mechanism that we
ought to think about that could provide that sort of non-punitive but some at
least pressure to improve.

DR. COHN: Well, Stan, I guess I have a couple questions on this one, I’m
sure others will jump in. I mean one of them is obviously as you were
commenting is I think there are a lot of organizations that may wish to jump
into this fray and maybe a little more directive then you were describing, and
this may have to do with licensure. As we all know in many contracts between
employers and health plans there’s obviously always the clause about being in
compliance with state and federal laws, and we’ve seen that a lot with the
HIPAA rules, that that sort of shows up and it begins to sort of push all of
that happening.

Now I was reflecting, I’ve been in this area basically since the beginning
of HIPAA along with Clem and a couple of others and I think we maybe have sort
of a longer view on all this knowing that some of these rules have taken a long
time coming to fore. And the security rule was based, or not based but was
enlightened by it was the National Research Council document called For the
Record, as I remember, there were various players participating and made
recommendations. And I think the observation at that point, and this was as I
said a number of years ago was A, that there really weren’t many standards in
this area, B, the general level of security, and by that I mean policies and
procedures and physical technical safeguards, as opposed to the general
perception of security, I think most people felt they had a secure institution.
But the perception, the reality was that there was not a whole lot there in
most health care institutions. And so the rule that was developed really did
not reference standards very much, it really more referenced a lot of the
recommendations out of the NRC report which said hey, let’s at least start
auditing, let’s do a risk assessment, let’s deal with low hanging fruit. And
that was really what we see in this rule as it’s being implemented.

Now obviously a lot has happened over those years and I think we’re all
beginning to sort of mull, I mean John you mentioned the ISO standard, there’s
various other standards that are admittedly probably not perfect and we
probably need to investigate further applicability, but the question is is are
we moving into a world where maybe there is more out there that we could use
and I think the question, the thing that I wonder for the subcommittee and
others is do we need to be investigating some of the standards to see about the
applicability about all this as we go in. Are they at a right level of
abstraction that maybe they really do provide guidance to health plans and
large and small hospitals and all of this, maybe a little more that’s in the
regulation but maybe a little less then being told exactly what to do. Will
they be helpful in all of this? I mean is that something we should be looking
at? Clem?

DR. MCDONALD: Well, maybe not exactly to the point but hearing all this
discussion makes me worry a lot that we could find a way to pour the whole
national economy into this effort for no productive gain. When we’re talking we
don’t really have a way to tell if anybody’s looking at the records, well if
nobody can tell does it matter that much? If people are learning it and keeping
it a secret, that is is it just sort of an idea that someone might know but if
there’s no sentient signal to anyone in the universe that anyone else knows is
it that important? I mean I think about this in terms, we’ve got 27,000 people
a year in car accidents, well, hell, we could fix those up like Indy cars and
no one would die, but we’re investing in that, we’re going to be investing in
an immense amount of effort —

MR. HOUSTON: I disagree that nobody knows —

DR. MCDONALD: Well, if there’s someone that knows, the way we detect, what
I was going to lead to is we have some very good teeth in this rule, and if
somebody does something that’s, they sell it or they use it they go to jail. I
mean in between that, if someone says, the daughter learned about it because
the father told her, well, we got a nice signal there. We go back and smash
him. The point is I don’t know that we have to be, we either have signals that
tell us what’s going on and we have good tools to deal with them, this
prospective and analytic, it reminds me of the Chinese in the 800’s or 1200’s,
they had this great theory of life and everybody studied it like crazy, the
courtyards, the courtiers, they all knew it. It didn’t do anybody any good, I
smell a little bit like the same thing going on here.

MR. HOUSTON: But here the issue is that is the case where often happens in
a hospital environment where an employee looks up a fellow employee’s records,
and we’re not quite sure which employee it was but it gets out that a certain
employee had some procedure done or there was some issue, and all of a sudden
there is an issue of, the issue arises and we have to figure out what employee
did what.

DR. MCDONALD: Those are actually very easy to track without fancy systems.

MR. HOUSTON: But the point is is that often, the only time it ever comes to
the fore is that something occurs and then we investigate it and then we find
it out, but there is a latent issue that under the surface that unfortunately
you don’t see, which is, I know within our health system our employees are
captive members of our health plan, which means they have to come to us for
services, and you hear stories about employees absolutely being afraid of
coming for services because they’re afraid that one of their co-workers is
going to go look at their record. And unless you have a good mechanism to
ensure that when somebody does try to look at a co-worker’s records that we
find out about it to ensure that it wasn’t inappropriate —

DR. MCDONALD: But is that documented, is the place emptying out, because I
mean you can tell whether they’re coming or not.

MR. HOUSTON: Unfortunately I’m using anecdotal evidence but again, I’ve
seen it, we’ve investigated it, we’ve discharged employees ourselves but it
does occur and I think that there is, when we decided to go to a captive health
plan, our own health plan so you can only go to one place for your health
insurance, that means you have to come to our system then to get services,
there was a substantial outcry from the employees saying I’m concerned, I don’t
want my fellow employee looking at my record, I’m afraid that’s going to
happen. And the only way to ultimately get to the point where you have a high
level of employee confidence and frankly consumer confidence is when you get to
an environment where the auditing is such that it does trigger an inquiry when
something seems, you went to one hospital for services but somebody at another
hospital where that employee works is actually looking at —

MR. TRAVIS: We face kind of an interesting challenge because we do see, we
see both ends of the spectrum, we have some clients who will more or less go
status quo and bet that nothing bad is going to happen, and they might only do
reactive investigation to things. Then you have the sadder but wiser, the
privacy officer of the first client I mentioned who frankly now has gone way to
the other extreme, wants to turn on, in our system we enabled audit ability in
most anything an end user can do. And it is, it’s an overwhelming audit trail
yet this privacy officer wants to turn it all on, keep it online for 180 days,
keep it near line for 18 months, living in fear that something could happen
again and they’re facing a multimillion dollar civil litigation right now
beyond what the individual employees are facing criminally who were involved
with this.

So I guess it is the perspective of has it happened to you or not as to
what your opinion is going to be about the importance of the audit trail, as a
system designer there’s our spectrum. So we went to great expense to develop a
capability that was neutral to that that you could bury yourself in data or you
could be laissez faire and choose some more moderate, perhaps even not to use
it at all, type of perspective.

So this is where you do get to kind of the use case as a best practice or a
reasonable practice. We have this mandatory requirement in the security rule to
have a system of accountability, what did you mean by that, it really is the
most undefined open to interpretation sort of a definition and I would say
that’s an area the industry, right now that’s what we’re left with, we have
some who say it’s a procedural answer, I’m going to educate my staff, I’m going
to assure that I monitor them through observation and things like that and
trust that they won’t abuse things, and then you have the privacy officer who
has a multimillion dollar civil lawsuit pending, and my metaphor is when you
get a corporate integrity agreement on the fraud and abuse provisions of CMS
you’re going to be told what your audit program is going to be and it isn’t
going to be laissez faire. You’re going to have some very intrusive procedures
for the period of time that CIA is in effect, and that could be one possible
future scenario for bad issues of compliance violation.

DR. COHN: Bob?

MR. HUNGATE: John Houston used the term consumer confidence and I think
there’s a very important content issue there because the inter-linkage between
privacy and security is pretty strong and consumer confidence is not as good as
it once was in terms of whether they’re being well protected by the system. It
strikes me that the content is such that you almost need some of kind of a, in
the accounting profession has gotten some trouble in its own management, so
it’s not necessarily the perfect model, but for me to hear that a hospital says
we audit whether we do this or not doesn’t rebuild my confidence. If there’s
somebody outside the hospital that audits against some kind of set of rules and
I don’t know how prescriptive they should be then it could start to rebuild my
confidence. So I think somewhere in here there’s something that, there has to
be some, and maybe it’s the Joint Commission and the way they go about it, I
don’t know what it is, but I think there’s a content issue here, and I’m just
using the visibility of it, not necessarily the reality of it.

DR. COHN: Clem?

DR. MCDONALD: Well, I’d like to clarify, I was not arguing at all that we
shouldn’t keep track of all the access, we do that, I was just saying that the
prospective audits may be very difficult but there are signals that come back
and over time we should be able to correct any of the clearly big violations
fairly easily. But it’s still, getting back to the employee thing, I don’t care
what you do at the computer, if I’m walking down the hallway with my skivvy
thing half open in the back and there’s other employees there, I can’t protect
that with any amount of computer security, that is they’re going to see me and
my butt in that hospital. So they may have some concerns about being in a
hospital and the attendant of the computer controls that you can put over the
bodies walking around —

MR. HOUSTON: Let me just say this, with the evolution of an EHR here you
have a truly purely electronic medical records environment, you can’t simply
lock up the medical record inside the medical records department and know that
it’s safe. You have this concept of global availability and in fact in order to
efficiently deliver health care and meet the needs of the consumers that record
needs to be readily available from a variety of places and having a
multi-hospital system, a very large one, we want it to get to the point where
no matter where you happen to present that record is going to be available in
its entirety so that we can deliver the highest quality care possible. But in
that type of environment it’s very easy for somebody in a very secretive way,
almost anonymous, I shouldn’t say anonymously, but without calling suspicion,
raising suspicion, to go to look through a record. And you want to make sure
you provide the appropriate access so the clinicians absolutely have the
capability to deliver, get the information they need to deliver care, sometimes
though that provides a level of access that unless there’s an effective way to
audit and log you may be opening up that record to a level of access, again, on
a fairly, somebody could sit in an office and they can pour through, here they
can look through a record, it’s not like that have to go to the medical records
department and check the chart out, that would raise that suspicion
immediately. It does sort of change the paradigm though and that’s I think what
the issue is here.

DR. ZUBELDIA: All of these security provisions that you are going to be
putting into your hospital system, you don’t do that because of HIPAA, you do
that because it makes sense. And I think that there has to be a distinction
between what has to be done as HIPAA compliance, and what has to be done
because it just makes sense to do it.

MR. HOUSTON: But I disagree we do it just because, in one sense we, there’s
a lot of things we should do that the economics sometimes don’t allow us to do
what we would like to. I agree that if we had all the resources that we could
possibly have available we would do it, HIPAA acts as a catalyst I think often
to do things that maybe we’d like to do that now we’re saying we should, we
have to put more money into, in other words because it’s a compliance issue now
it gives us another justification or basis for doing it. Health care people are
good people, I mean we’re not evil, they’re not evil people, but still, at the
end of the day HIPAA does raise the bar, it sets a standard, it sets a standard
for which expectations with regards to security and privacy and I think it does
change what we need to do and the level at which we have to do it.

DR. COHN: Steve?

DR. STEINDEL: John, I have a question for you. Kepa raised the point that
you do it because you should do it, and not necessarily because of HIPAA. If
the person that John Travis was talking about loses the multimillion dollar
privacy suit what impact would that have on your security provisions, and
especially with respect to HIPAA?

MR. HOUSTON: I think that clearly loss history, when you hear these types
of events it does cause you to go back and reassess your position, absolutely,
I’m not saying it doesn’t. Certain things speak volumes and in that particular
case, yeah, you hear about it and boy, you don’t want to be the next occurrence
at the University of Washington where 50 records were stolen and that sort of
sent a chill down a lot of people’s spines about how to protect their
electronic health records environment. So absolutely, you want to do the right

Again, I welcome, personally welcome the security rule, I think the
security rule helps me accomplish some things that may have not been as high a
priority, or I’ve been able to reprioritize so that it comes compliant now. We
have a priority order in IT at least in my organization and at a high priority
in my organization is compliance. So if something is labeled as a compliance
initiative it gets a higher priority then a variety of other things. Now
obviously patient care comes first, regulatory compliance may come second,
system upgrades that will continue to allow us to operate systems and allow us
to get vendor support also falls in there, too, but then a lot of stuff falls
below it. So I’m saying, you make a lot of balancing decisions as to what you
implement and what you do based upon funds available and other requirements.

DR. COHN: I’m not sure where to go other then to observe that to be the
case. Kepa, you had an issue or question about electronic signature that you
wanted to —

DR. ZUBELDIA: Yes, and I missed the testimony presentation from John Travis
but I was glancing through it on paper and you discuss a topic on digital
signatures, and this is a topic on which I have very special interest. And I
sometimes wonder the question what would be best. About four years ago, three
years ago, there was a lot of activity on PKI, and there’s still some activity
on PKI, not dead, but there has never been a lot of activity on signatures. And
the special signature requirements in health care, for instance, archival
retention, counter signatures, double signatures, multiple party signing the
same document, signing encoded documents, what does it mean to sign an HL7 in
the limited format, can the signer understand what they’re signing, and all of
that. And sometimes I wonder would it be better for the government to create an
electronic signature standard, no necessarily CMS but perhaps NIST or somebody
to create an electronic signature standard, rather then waiting for the
industry to develop one that could be adopted by the Secretary.

MR. TRAVIS: I think that in particular because CMS is one of the parties to
a lot of health care transactions that I think we viewed it running something
like this, that when you got to having the claims attachment standard out, now
you’re going to enhance the probability that you would have electronically
signed documents being transmitted associated to claims, that might lead to a
vested interest to promote electronic signature standards to ensure the
integrity and reliability of those signatures, that it may come through that
kind of a process or with e-prescribing and exchanging medication history
between pharmacists and providers and health plans or pharmacy benefit plans.
That those both present you with very strong use cases for doing exactly that
and I think there is a regulatory interest in both that would be interesting to
see the government push.

I am familiar with a lot of the work the HL7, I’m on the Medical
Information Committee so I view it from that perspective of managing the
signature chain of trust if you will and how you keep association and the
integrity of the signature to what you’re signing. From a workflow standpoint
our position is you do have to back up and look at how the origination and the
signing and the management of the signature process plays in source system
because you can’t simply adopt this standard in space if you will between
organizations, between systems, it has to be something that sending and
receiving systems do both abide by in order to have it implemented

So we do have some organizations pushing ahead believing that state laws
are requiring them to adopt this. This is an area that is very confused, we had
as you said, the PKI initiative, some states were trying to press for very
strong electronic signature requirements that implied digital techniques, then
you had the National E-Sign Law that supposedly preempted any states because it
was a matter of interstate commerce. We didn’t see a lot of good use cases
emerging in health care to say I outright need electronic signature to be
digital for this because of this and I think that guidance still really suffers
from being clear. But I think, I’m afraid we’re going to wake up here not too
long and suddenly have the requirement and not be real prepared.

DR. ZUBELDIA: The requirement is here, I mean with the e-prescribing the
docs are going to need signatures. And the question that I have is the industry
waiting for the government to adopt an electronic signature? Because I think
the government is waiting for the industry to develop an electronic signature.
So is the perception that the government has to adopt something before the
industry, or the government has to define the standard before the industry will
implement it?

MR. TRAVIS: I think that’s very possibly the case both because of it being
in the early security rule, and anticipating that it might come out as its own
rule as a matter of requirement for claims attachments or e-prescribing. I
think unfortunately there is a little bit of that, they’re going to promulgate
something, we’ll react to it when we see it. It’s not completely disregarding
development of standards on the part of the industry, those efforts are
continuing, but they really need a kick in the pants I think to get across the
line and be adopted. And put into use. And a lot of workflow management around
clinical documents in systems is going to have to understand to appreciate that
standard so that’s a serious investment and I think that may also play into why
there’s a little bit of a wait and see, let’s see what emerges so we know for
example what kinds of authentication, re- authentication and verification
techniques we really need to support, are there going to be encryption
methodologies and definitions of value defined the signed dataset that emerge.

DR. COHN: Kepa, you missed the early morning presentation from CHI where
they were talking about NIST having responsibility under the eGov to try to
come up with something though it still sounded like it was draft. And of course
the question is is when will it stop being draft, which is a very reasonable
question given the length of time they seem to have been working on it.

DR. ZUBELDIA: The work that I’ve seen from NIST centers on authentication
and PKI, and I haven’t seen anybody putting out any work that centers on how
you actually sign a document, which is the standard that needs to be adopted,
something for electronic signature. And how do you sign an HL7 document, how do
you apply two signatures to a document?

MR. HOUSTON: I agree with what John is saying simply that most of the
industry is out there waiting for somebody to dictate a standard, and that’s I
think, that is the issue right now, I hear it all the time.

DR. ZUBELDIA: And I don’t think, from what I’ve seen, I don’t think that
there is anybody out there trying to create a standard for health care, it’s
more like waiting for the health care industry to develop a health care
signature standard.

MR. HOUSTON: Then it’s sort of the —

MR. TRAVIS: I think that’s accurate and it’s, most health care systems
probably have some fairly weak authentication method used for re-verification
like something that’s password based, there’s a lot of work that goes into both
the management of the signature path, which gets into your routing of the
documents for all the appropriate signatures, ensuring that the right
precedence of signatures is established. But then there’s also issues about,
and it gets towards HL7’s need or dilemma, how do I identify what I’ve actually
signed and managed versioning and the dataset that’s actually subject to
encryption or subject to reference to that particular signature event. And I
think that it’s not a small development to ask for any of the health IT vendors
so it is probably something that they’re waiting for clear guidance on. HL7 has
done some work but I think you read it correctly, it’s the hesitancy both ways.

DR. COHN: Jeff?

MR. BLAIR: Help me with this and I don’t know whether this is going to be
John or Kepa, but there was an attempt, I remember ASTM created these digital
signature standards which seemed to at least meet a number of the requirements
for non-repudiation and authentication but I thought that it wasn’t adopted for
the most part because it was just very complex and you had to wind up having
the certificates and you needed a whole infrastructure for the certificates,
which there was some entities that were starting up to try to do that but I
just haven’t heard anything in this last year or so. Did that fade away? In
short, why have digital signatures died? Is it too, I’ve mentioned a couple of
things, the complexity, the other thing is the certificates, was there more
then that as a reason or did it even not need all the requirements?

MR. TRAVIS: I think part of the reason it may have died was that the focus
did swing very much towards authentication and that authentication did not
literally have to have a digital technique applied, it just simply had to be
two factor, most vendors and probably most providers only invested in what they
needed for their purpose at hand. And absent a requirement to use certificates
or digital techniques for authentication it died because there was no real
impetus for digital signature as a mode of electronic signature of documents to
then be supported or pushed. So authentication was where people’s heads were at
three years ago, four years ago, when it looked like we might have that kind of
requirement possibly emerge in the security rule. But absent that I think it
has withered. It’s going to wind up getting impetus again through if nothing
else e-prescribing, other required modes of information sharing electronically,
so it’s not going to remain dead, I think it will get revived.

MR. BLAIR: Your answer surprised me a little bit because I thought it died
because of technical difficulties in implementing it.

MR. TRAVIS: It did die of some cost issues and technical difficulties at
the time, I think those technologies have come a fair way in the last several
years and continue to come a fair way. It really was a cost factor at the time
that helped kill it as well.

MR. BLAIR: I thought what I heard you saying in your reply was with
e-prescribing and some type of a government incentive I thought I heard you
saying it still is a viable approach, is that correct?

MR. TRAVIS: I think that there is going to continue to be a requirement for
a trusted reliable signature method applied to electronic data shared between
organizations and that does get you into the questions of what is a trustworthy
signature, what are the requirements for it. Most people will go to conclude
it’s something that measures pretty close to what we saw in the definitions of
a digital signature. Now if that literally is the requirement, the only path,
or if it’s conveyed by some kind of secure token or secure certificate by other
means, I mean predominantly from the authentication standpoint you either could
present smart card that would have your certificate on it, you could present
tokens that are pluggable tokens, things like that, so there’s a variety of
methods that could achieve a secure signature. I think the costs of those have
gone down and that may make it more viable now.

MR. HOUSTON: I think it all goes back to what we were talking about before
with security which is people will then spend the money once there’s a
compelling, a requirement to do so. I think it is going to be a fairly
expensive undertaking nonetheless.

DR. ZUBELDIA: And it’s an area where perhaps since the industry is clearly
waiting for the government do so something, and the government is not, I don’t
think is ready to do anything about it yet, perhaps this is an area where the
best that can be done at this point is to have a designation of compliance
given to certain technologies or certain processes, like the global e-sign act,
although it requires that you write your name at the bottom of an email, and
something like that and that’s enough. And perhaps for prescriptions for
filling drugs there should be an indication from the department that says there
has to be more authentication then just somebody —

MR. HOUSTON: It’s not just authentication, it’s repudiation and everything,
repudiation and other things, I think it’s very tricky also —

DR. ZUBELDIA: And it all is contingent upon what are the attributes
desirable from a signature, because today when you sign on a prescription pad
there are no attributes to that, nothing is preventing that prescription from
being changed or from the signature being forged or from anybody validating the
signature anyway because when it gets to the pharmacy they don’t know what your
signature looks like. So I think that we’re jumping from the low technology
level where we are today to an infinitely secure signature that has certain
attributes that are maybe not even necessary but because the technology is such
it’s in the hands of perfectionist propeller(?) hands like myself that like to
have the best signature possible, but we may never get there.

MR. TRAVIS: The suggestion of guidance or standard reminded me of some, it
does need to go back to what are the attributes of a valid strongly trustworthy
signature, it’s not a method, I don’t think we would ever suggest you
specifically specify methods but you do define attributes that those methods
have to measure up to.

DR. ZUBELDIA: I’m even questioning the strongly trustworthy signature,
because that’s not an attribute required today.

DR. COHN: I think the DEA might disagree with you.

MR. HOUSTON: Can I make a statement? I think the issue is it comes back to
the issue of electronic information versus paper and the global accessibility
of an e-signature and the thought that if somebody presented a script from a
physician to a pharmacy that the pharmacy maybe didn’t recognize the
physician’s name or hadn’t, or something of that sort, would they question it
today, and what is the ability of somebody to gain the system, I understand it
definitely occurs, but does it become a much more global issue by all of a
sudden having it in an electronic form that can, I don’t know the answer to
that, I’m just questioning whether that’s part of the case, too.

DR. ZUBELDIA: We’re just still feeling the taste in our mouths with the
HIPAA transaction requirements, where there are additional data requirements
that were not there before and are causing all kinds of problems because the
industry wasn’t ready for that. And perhaps as a stepping stone towards that
goal of perfect signature perhaps there should be some less then perfect
workable, I’m not saying just write your name at the bottom of the
prescription, I think it has to be a little bit better then that, but some
workable mechanism that would enable e-prescribing for instance.

DR. COHN: Clem?

DR. MCDONALD: Well, actually to be a little disrespectful about how intense
this prescription issue, in some countries you just go to the drugstore and you
get what you want, people are allowed to do that and they aren’t all dead, so
it’s not the worse thing. The second thing is much of the prescription kind of
intensity comes from worry about if we God’s sake would ever give a narcotic to
somebody who didn’t need it or who might like it, of course this at the same
time we go to this thing where you’ve got to write down how much pain they have
and why you’re not giving narcotics by almost by regulation, so I would support
your position that we don’t, at the same time it’s coming across in truck
loads, we worry about these milligram amounts that leak through the medical
system in boats, big shipping cranes of narcotics, so I think that we sometimes
get out of whack so I would support your position of some more modest steps to
get something done.

MR. HOUSTON: The signature depends on the level of narcotic, a narcotic of
a certain class would require a certain —

DR. MCDONALD: Well, I mean there’s sort of an intent or a goal that we
would all have to do or electronic prescribing to get a narcotic, a class II
narcotic. My point is it will have no measurable effect on the total narcotic
use in this country. They’re measured in tons not in milligrams because of the
other mechanisms for getting narcotics.

DR. COHN: I’m going to change the subject just slightly if that’s okay, is
that okay? Well, I was actually going to ask both Roslyne and Tom because
they’ve been sort of quiet and listening to this techno talk for the last
while. One of the questions I had coming into this particular session was
really, we have the privacy rule and I think Roslyne you commented, and Tom
also, that we’ve gotten a lot of the way towards security because of the
privacy rule, and I was trying in my own to decide is what’s left of security
rule that isn’t in privacy, is that something that’s so hopelessly technical
that it really needs to be handled by the security subcommittee, by the HIPAA
standards crowd, as opposed to the Office of Civil Rights and the NCVHS Privacy
Subcommittee. Now I probably have answered my question just listening to the
last hours worth of conversation, it probably does deserve to be over here but
I’m curious about what your thoughts are in terms of implementation and what
makes sense in all of this. I think there’s been long debates about whether
security is really a standard or whether it’s a, something more along the other
lines. In terms of assuring a reasonable implementation here who should take
the lead, how should this best go? Tom, do you want to —

MR. WILDER: I guess we’re waiting for the other to take the lead here. I
think it’s appropriate to keep the discussion in a whole bunch of different
forums because there’s a whole bunch of different aspects to it. There’s some
pretty highly technical IT standards that need to be addressed by various
groups. There are some legal enforcement issues that need to be handled through
probably OCR and through other places within HHS that deal with more the legal
enforcement side. There’s just some issues of developing best practices that
need to be handled by those groups that talk about best practices, so I don’t
think there’s any one central place to talk about security.

MS. SCHULMAN: And I think, if you just look at the rule itself there are
three aspects of the administration, the physical and the technical, you’re not
going to find one home for all these and it’s appropriate for you folks to be
trying to sort some of that out.

DR. COHN: Obviously I was just sort of observing the breadth and the fact
that this security rule seems to live in different places depending on your
perspective on all of this.

Now I heard somebody, I think John Paul already left thinking we were
getting ready for a break. I do think it probably is time for a break so why
don’t we take about a ten minute break and we’ll wrap this up, talk about other
things that need to be handled by the committee, and if we’re lucky maybe we’ll
actually get out of here before the ice gets too thick outside. So let’s take a
ten minute break.

[Brief break.]

DR. COHN: Okay, why don’t we get started for the last session. I don’t
think we’re completely done, we probably didn’t really complete this session.
Maybe John Paul, would you like to, I think we really just sort of need to wrap
this up and figure out sort of where we are and next steps. From my view,
obviously we’ve heard a lot of things and have sort have gone off in a number
of different directions. I was actually hoping that John Paul might be able to
put it together a little bit in terms of thoughts about what we heard and sort
of next steps.

MR. HOUSTON: In talking to Simon briefly at the break, it sounded like, if
you ask me I think the dominant issue in all of this again relates to logging
and auditing and that particular aspect of the rule and that really seems to be
from what I can tell the one big thing that stands out there I think we
probably need to think about and comment on maybe come up with some
alternatives or at least some recommendations. Nothing stood out to me
personally that, and again I think there was a lot of good discussion, but it
sounded like a lot of what was going on was manageable with regards to the rule
and I think that auditing was a big thing. I think e-signature, though I think
it’s a concern, is really going to be consumed within —

DR. COHN: I think it’s likely to hit head on with e-prescribing.

MR. HOUSTON: — e-prescribing, so we’re probably best off to let that one
go to the point where we really deal with that directly. And I think the other
potential topic we may want to ensure we comment on relates to guidance as well
as enforcement or how is CMS/OCR going to deal with the issue of the
privacy/security complaint, which nobody’s quite sure what it is or if one
morphs to the other, and how are we going to deal with guidance that maybe
overlaps between security and privacy because I think there is an overlap
there. So I think that might be the other topical area that I see personally, I
mean I would, I’m going to go back and read through each of the testimony again
just to make sure I haven’t missed something but are there things otherwise
that really are way at the fore that we need to consider?

DR. ZUBELDIA: J.P. I think I heard very clear at least from Tom and Roslyne
the agreement that flexibility is good and that the flexibility in the
regulation should be preserved, that that is a good thing.

MR. HOUSTON: That’s a good point. I would add that to the, even though I
think to some degree John was sort of thinking, I think I can draft it in a way
that meets everybody’s sort of comments with regards to flexibility as well as
other sources of guidance.

MR. TRAVIS: I would agree the auditing thing sticks out as the one
mandatory requirement if you will that just lends itself to the need for
definition and guidance, and is the one area where the state of the art if you
will in health care IT is probably not where it needs to be as a starting point
and that starting point is kind of a two year comment because it takes a while,
I think newer generations of systems are there but they still are
decentralized, I mean they still are probably logging relatively to their own
audit logs, the security of those audit logs is probably debatable, and there’s
not a real great way to share that data or harvest that data to a central type

I think one thing I didn’t mention, when we got into our own development
effort we got approached by every technology under the sun from ERE vendors to
data mark technologies to deep dark IP, intellectual property rights protection
type technologies, and they all offered to solve the problem so I can imagine
what it’s like for the security administrator at a large health system or at a
health plan and who’s pitching to them in terms of who can solve this problem.

DR. COHN: Other comments?

MR. WILDER: I think from our standpoint those are kind of the high point,
in terms of putting together some comments or recommendations for the

DR. COHN: I mean my sense is that everything that I’m hearing leads me to
believe that we’re still sort of in the early phases and that we really have
not, I mean I think the comments Roslyne that you were sort of making about the
fact that everybody’s been sort of preoccupied with all of the other things
coming in is I think, obviously caused people to sort of only now be focusing
more on the security rule, so I suspect that we’ll be sort of following this up
with conversations as the year goes on. And I suspect that they’ll be more
things to identify and comment on and certainly we’ll look to CMS and the
Office of HIPAA Standards to, I think we’re all learning how best to support
these sort of massive industry implementations and hopefully we can take the
learning’s from the previous and apply it to this one. Yes, Carol?

DR. BICKFORD: Carol Bickford, American Nurses Association. What I’m hearing
is that we are automating our current business practices and I’m inviting us to
think of new ways of doing business and actually making sure that what we’re
trying to do is the appropriate action. Are we truly looking at our business
practices in a different way, are we looking at our decision making as being
the accountability piece or are we just accounting for tasks? So I’m just sort
of tossing out something that Clem was talking about sort of, which was are we
really looking at the important things in the great scheme of life? Are we
locking down things that shouldn’t be, that we shouldn’t even be recording, or
recording and setting up new business rules? Sort of looking at the enterprise,
so I’m just tossing that into the pot for a think about.

And if we are looking at improving our health care system who should be
doing that? Is that an NCVHS initiative as we have an opportunity to do some
really innovative things as we move forward with our electronic health record

DR. COHN: Does anyone have comments? Thank you for the thought. Okay, well
I think with this I think we’ll I think complete this session so Tom and
Roslyne we sort of made you sit up there just to finish things off but we
wanted to make sure that we were sort of all together here.

Agenda Item: Draft CHI Recommendation Letter – Dr. Cohn

DR. COHN: Now you can feel free to sit there for the next session, we’re
really going to be talking about the CHI letter at this point, or if it is
easier you obviously see the screen hopefully sitting back there. Steve, are
you going to be sort of running through the letter for us?

DR. STEINDEL: Yeah, I think what I’ll do is project —

I’ll start with just where we left off with after the last session, which
is I think the last three or four bullets starting with encounters, and then we
can return to the rest of the letter. Now please realize that to the full
committee we will be distributing the draft letter plus all the CHI
documentation which follows this letter, and some of which has modification and
some of which is just plain, so the actual letter that we will be distributing
on Thursday will be a little bit thick.

The first that we talked about this morning was clinical encounters, what
now reads you can read on the screen but I’ll read it to you, concurs with the
recommendation for clinical encounters as modified to include the explicit
notation of the CHI noted gaps. It is our understanding that CHI intends for
the definition of an encounter to refer broadly to all types of practitioners
interacting with patients.

MR. BLAIR: Could you change the word our to it is the NCVHS’s
understanding? Or it is the understanding of the NCVHS?

DR. FITZMAURICE: Or NCVHS understands?

MR. BLAIR: Yeah, something like that.

DR. STEINDEL: NCVHS understands that CHI intends for the definition of an
encounter to refer broadly to all types of practitioners interacting with
patients. While we feel the definition encounter encompasses all encounters
between practitioners and patients some explicit clarification may be order. We
finally note the CHI workgroup scope was narrowly defined and many encounters
observed in health care, such as from patient provided data as might exist in a
personal health record or as might be enumerated in an electronic health
record, occur outside this scope. Wordsmithing comments.

DR. ZUBELDIA: I would remove the word finally.

DR. STEINDEL: We note.

DR. COHN: Marjorie?

MS. GREENBERG: I don’t really think you can refer to patient provided data
as necessarily being an encounter, I suggest the following for the last
paragraph rather then, this last sentence rather then what you have here. We
finally note the CHI workgroup scope was narrowly defined, an electronic health
record would include many other sources of information such as those from
ancillary services or a personal health record, which are outside of this

DR. STEINDEL: But I don’t think it’s totally appropriate.

MS. GREENBERG: Well, what we have currently doesn’t really make sense to
say alright, we all agree with this first phrase, we finally note the CHI
workgroup scope was narrowly defined. But then it says and many encounters
observed in health care, such as from patient provided data, I don’t think
that’s an encounter observed in health care, patient provided data.

DR. STEINDEL: Patient provided data could refer to encounter type
situations that do not strictly meet the scope of the clinical encounter as
defined as a practitioner/patient relationship.

MS. GREENBERG: How about many encounters observed in health care that might
be enumerated in an electronic health record as well as patient provided data
occur outside the scope? I don’t know, I just have a problem —

DR. COHN: Well, I agree with you, I have a little problem with this, too,
but I guess the question I have is that I think we’re describing basically the
patient, the act of the patient providing the data as actually another
encounter isn’t it, I mean the patient interaction with the record, I mean
that’s the part to me that’s confusing here, and I think it’s part of the

MS. GREENBERG: This is somewhat unique, I don’t know that there’s much —

DR. COHN: Is that an encounter or not?

MS. GREENBERG: — a lot of acceptance of that as being described as an

DR. STEINDEL: The problem that I’m hearing is that we have a problem with
the question of patient provided data, may I suggest we break the thought and
we note the CHI workgroup scope was narrowly defined and many encounters
observed in health care as might be enumerated in the electronic health record
occur outside the scope. Then add another thought concerning the patient.

DR. COHN: Very good, okay.

DR. FITZMAURICE: Simon, could I raise a question? Does this conflict with
HIPAA’s use of the 837 for clinical, I’m sorry, for encounters?

MS. GREENBERG: It’s contradictory with that sort of.

DR. FITZMAURICE: HIPAA encounters versus clinical encounters? If there’s
overlap in the data definitions do we go with the HIPAA definitions? That’s the
thing I’m raising.

DR. COHN: Well, we brought that up, were you here earlier for that
conversation? I don’t know that we really ever resolved it —

DR. FITZMAURICE: Maybe my confusion just stems from the fact that we didn’t
resolve that.

MS. GREENBERG: Bill Braithewaite(?) made an interesting comment to me, he
said he really felt that encounter was a billing concept, it wasn’t a clinical
concept, so it was almost like an oxymoron to talk about clinical encounters,
that I think episodes was more a clinical concept.

DR. COHN: Well, I did, we did certainly all reflect earlier that most of us
think of an encounter as a billing encounter, I mean that’s how our systems are
set up, the type of data we get, whether or not we’re involved in the actual
act of billing or not. Hadn’t we in this one also talk about the
reconciliation, is this the one we had the reconciliation between billing
encounters and, didn’t we actually have that as a thought here that had gotten

DR. STEINDEL: We actually discussed that and we also discussed a lot of
similar types of thoughts and I just encompassed it with the statement that
these are the type of things that might be enumerated in an electronic health

DR. COHN: Well, but that I think is a different, I agree with what you said
there but I’m just wondering if this is an additional concept or an additional
recommendation, because I think we said, I mean we said there are lots of
things out of scope but I think we also said that there are, I mean finally, I
think that there’s, once again I apologize, I’m sort of stuttering here, it was
sort of this sense of maybe some reconciliation between this concept of
clinical encounter versus the concept of billable service, I don’t know. I mean
that was sort of, that sort of does bring up that issue again.

MS. GREENBERG: That’s why I had mentioned, specifically mentioned in my
rewrite about ancillary services, that seems to be a big area where that would
definitely generate, as a service it would generate an encounter form but it
doesn’t seem to meet this definition of clinical encounter.

DR. STEINDEL: Simon I was trying to wordsmith during the time we were
having that discussion and I think that there is a separation between a
clinical encounter and a billing encounter. The fact that the two of them are
the same a lot of the time is I think more coincidental.

MR. BLAIR: What if you included at the beginning of this phrase a
distinction and point out clinical (not billable), (not necessarily billable),
so you point out right at the beginning of this letter paragraph here of our
observations that we’re distinguishing between clinical encounters and billable

DR. STEINDEL: The CHI document actually lists billing encounters as being
out of scope, so they explicit state that, if you would like it repeated I can.

MR. BLAIR: I’m just saying from the standpoint —

MS. GREENBERG: For this domain.

DR. STEINDEL: Yeah, for this domain.

DR. ZUBELDIA: I think that there is a distinction here between a billable
encounter and the billing for an encounter, and the billing for an encounter is
out of the scope, but the encounter is an encounter, it’s the same thing, but
the billing for it is different from the clinical reporting of it.

DR. COHN: Unfortunately that’s not where they came to, though.

MS. GREENBERG: The ASTM definition will exclude clinical services that are
ancillary in nature and don’t involve —

DR. COHN: Kepa, I think we were talking around this whole point as you were
describing, which is that we were trying to figure out what the business case
is for this particular concept, or the use case or whatever you want to
describe it and I think we sort of keep struggling with that one. I’m beginning
to wonder if there’s something really that’s wrong here that we need to say but
Mike, do you have a comment?

DR. FITZMAURICE: I guess if we could show that it has a different use,
different use case to use Stan’s term, then the encounter that’s envisioned in
HIPAA, I think what’s envisioned in HIPAA is here’s a record of the encounter,
such as for an HMO that doesn’t bill by the encounter, but it contains the same
kind of information anyway so you could do a pseudo aggregation of charges to
see how much to pay the HMO, you could aggregate to do HEDIS measures and other
things. That’s what I sense that HIPAA is to be used for. If this has a
different meaning, that it’s more detailed clinical information and is used by
different people then I think it’s fine, but I don’t want to try to invent the
same thing that already exists for the same purpose.

DR. COHN: Clem?

DR. MCDONALD: If you read over the CHI thing it really was defined as
looking at vocabulary that it needed in the context of encounter, and I think
the difference, there is a difference, it’s the object that you have to have if
you’re billing a clinical record to know who did the service, to follow through
to the results and the findings and the other parts of the other objects, it’s
an important link that’s both an aggregator and provides the other things you
needed to know about the roles and who’s doing what to what. So we don’t know
what kind, so you got a lab test down there, you don’t know if it’s a hospital
based one unless its got an encounter attached to it which you can group it by
and that says those kind of things. So I thought if you look at the CHI
recommendations it wasn’t, it didn’t really conjure the kind of concerns you’re
describing in this thing because it’s not a message, not talking about a
message —

MS. GREENBERG: Yeah, talking about vocabulary.

DR. MCDONALD: Talking about the vocabulary that goes along with the fields
that you find in an encounter as you would see it in a database is how I view
it, and use a couple different heuristics to find those, including looking at
the ASTM definition which then didn’t have any vocabulary specifics in it.

DR. FITZMAURICE: — adopting HL7 for the standard for this and we’ve
adopted X-37 as the standard for the HIPAA encounter, do we have a conflict in
vocabulary for the same thing?

DR. ZUBELDIA: No, the 837 has been adopted as the standard for reporting
the encounter for billing purposes.

DR. FITZMAURICE: But it can also be used for the encounter not for billing
purposes, it’s one of the categories.

DR. ZUBELDIA: Sure, but it’s still reporting between a provider and a payer
of an encounter. The encounter is going to have a lot more information then
what is reported, and not all encounters have reportable for billing purposes
or for payment purposes.

MR. BLAIR: Why can’t we reconcile this in that sentence where you wound up
indicating that this has a narrow, what was it narrow definition, narrow scope,
that phrase, and then you said the and after that, you know where I’m talking
about, Steven? Like your last sentence I think?

DR. STEINDEL: Yes, we note the CHI workgroup was narrowly defined in many
encounters —

MR. BLAIR: Narrowly defined, I’d do a period there, okay, and then for the
rest of that phrase I’d just simply make the statement NCVHS understands that
the following is out of scope, and that includes billable encounters, that
includes —

MS. GREENBERG: Well part of the billable encounters are in scope, that’s
the problem.

MR. BLAIR: Maybe it’s Kepa’s phrase, what was your phrase, you didn’t say
billable encounters you said information for billing or something like that?

DR. ZUBELDIA: The reporting of the encounter for billing purposes.

MR. BLAIR: Reporting of the encounter for billing purposes, that’s a more
accurate statement.

DR. FITZMAURICE: But under HIPAA there’s an encounter data that’s not for
billing purposes, and I’m only saying is if you have the same variable in both
are they defined the same, and if you use HL7 vocabulary for one and 837
vocabulary for the other there may be a conflict if somebody goes through and
makes that comparison.

MR. BLAIR: But even if that’s true, Michael, this is just talking about
CHI, the way they’ve defined it, and the way they’ve defined it that would be
out of scope for this definition.

DR. FITZMAURICE: But it may conflict with the definition of an encounter
and the variable that was used for an encounter —

MR. BLAIR: Maybe it does conflict, but that’s a different point.

DR. FITZMAURICE: So that gets back to who is using the encounter and who is
using the HIPAA encounter, who’s using the clinical encounter versus who’s
using the HIPAA encounter, and since we haven’t gotten to the users, that is
the use case, I don’t know the answer.

MR. BLAIR: I was just simply trying to nail down the scope, that last
sentence, to get it clear and full.

DR. FITZMAURICE: And I’m just trying not to avoid having the same encounter
definition and the same variable, that they don’t match.

DR. COHN: Well, Michael, I actually sort of agree with what you’re saying,
I’m just trying to think if we, isn’t that sort of what we need to say?

MR. BLAIR: Maybe the phase is that we find that the codes used for clinical
encounters is not mutually exclusive with the code for HIPAA encounters.

DR. COHN: Marjorie?

MS. GREENBERG: Maybe Steve who is the source of all knowledge here, when
the subcommittee and then the full committee commented on the billing domain —

DR. STEINDEL: That’s what I’m looking up right now.

MS. GREENBERG: — say something about the need for harmonization?

DR. STEINDEL: I believe they did and I’m in the process —

DR. FITZMAURICE: That I think is the way out of it is to make a
recommendation of the fact that they harmonize their definitions of the same
variables they have in common with the HIPAA encounter so that there’s not a

MS. GREENBERG: It’s not just the variable, it’s overall kind of gestalt.

DR. COHN: Well, it’s the definition of encounter.

MS. GREENBERG: — the definition of what constitutes an encounter more work
needs to be done on harmonizing these.

MS. GREENBERG: It seems to me it was the national committee that said
something about it.

DR. MCDONALD: Let me clarify what they actually say in the CHI, and this is
really the focus was on ADT answer messages, these are not going to be direct
overlaps —

MS. GREENBERG: Not going to be what?

DR. MCDONALD: The same stuff is not going to be in both messages, they’ll
be some overlap I’m guessing, I didn’t list them. Concluded that 17 data fields
that hold identifiers do not require standardization because they’re really
just, they’re not vocabulary issues because they’re dates or numbers, seven
should use the national provider system identifiers once they’re available, and
it goes on and it says there’s 16 fields that have elements for about admission
information, transfer patient moving information, discharge information,
provider information, accident information, death and autopsy information,
these are the kinds of data elements they’re talking about.

DR. COHN: Well, Clem, I actually don’t think our question has to do with
the ADT/HL7 transaction, I think what we’re sort of hung up on is actually the
ASTM Definition of clinical encounter and what exactly that means in all of
this, which is on the first page, and how it really applies and it seems to
almost create more confusion then it does clarity, sort of like how does it
relate to the rest of the world is I think what we’re sort of —

MS. GREENBERG: Except I think Clem was getting at what Gregg was saying,
Gregg Seppala, if they tried to extend this HL7 message, well, vocabulary, the
thing that’s a little unclear to me is an HL7 message does include vocabulary,
but anyway. If you try to extend what they’ve adopted for their definition of
clinical encounter to these other types of services it’s difficult because you
don’t really know always who did them and the roles and at least who’s
responsible and everything isn’t necessarily clear always with these services.

DR. STEINDEL: I’ve tried to craft something and may I ask the opinion of
the committee, it’s the last part of this paragraph, I’m not sure if
structurally it belongs there or not. I said NCVHS knows that a similar concept
of an encounter exists within the HIPAA process and harmonization should occur
between the two.

DR. FITZMAURICE: It points out the problem.

DR. STEINDEL: What I’ve heard from the discussion is that that is what
seems to be the essence of the problem and our job is not to solve the problem
in this letter.

DR. COHN: We’ve already tried.

DR. STEINDEL: Now we can attack wordsmithing and position if we’d like.

MS. GREENBERG: I would say the scope was somewhat narrowly defined, I don’t
think it’s that narrow, it’s all the interactions between patients and
practitioners, I mean that’s a lot, by saying narrowly defined it sounds like
it’s really a small piece but it isn’t, not the full Monty.

DR. ZUBELDIA: Well defined.

DR. COHN: No, actually it was not well defined, we actually thought it was
narrowly defined.

DR. STEINDEL: I think narrowly encompasses the sense of the —

DR. COHN: I actually thought that there were a lot of things we pointed out
that were sort of not included in all of this —

MR. BLAIR: Maybe now that you’ve added that sentence about the need for
harmonization maybe we don’t even need that sentence anymore about the scope,
scope is already in the document, we understand what the scope is, and the
issue is the need for harmonization with the billing.

MS. GREENBERG: We could just say that we note the CHI workgroup scope does
not include many encounters observed in health care as might be enumerated in
an electronic health record. But then you only have to refer to scope once as
opposed to saying it’s narrowly defined and these things are out of scope, you
can just say that we note that it doesn’t, that the scope did not include, just
kind of making that —

DR. COHN: That’s actually okay, so the scope does not include many
encounters —

MS. GREENBERG: — encounters observed in health care as might be enumerated
in an electronic health record. I think that makes it a clearer sentence.

DR. STEINDEL: Repeat that Marjorie.

MS. GREENBERG: We note the CHI workgroup scope, and just get rid of was
narrowly defined, does not include, then the rest of your phase, does not
include many encounters observed in health care as might be enumerated in an
electronic health record, period. I think fewer words and says the same thing.

DR. HUFF: Up on the second sentence I think we can clean that up a little
more and just say NCVHS understands that the CHI definition of an encounter
refers broadly to all types of practitioner interaction.

MS. GREENBERG: See I have a little wonder about that, it doesn’t include
pathologists interacting with patient specimens —

DR. MCDONALD: No, but if they went and did a biopsy it would.

DR. HUFF: I was just trying to fix the grammar, I wasn’t trying to do
anything with the content.

MS. GREENBERG: Maybe you should say NCVHS understands that the CHI
definition of an encounter refers broadly to all types of practitioners
interacting with patients: however this may require some explicit clarification
may be needed. Because otherwise it gets pretty repetitive.

DR. HUFF: So if you want to improve the content, the real issue that we
brought up in regards to that is that we shouldn’t interpret the ASTM
definition to mean that only a physician could exercise independent judgment
about the patient, diagnosis or treatment.

MS. GREENBERG: Well, I wouldn’t have interpreted it that way but I do
question whether, it’s a little unclear to me whether the ASTM definition
includes a health care practitioner who is functioning under the supervision,
the direct supervision of another practitioner. So certainly if a nurse is
providing some services within the context of a visit which the principle
practitioner is the physician, then those nurse services don’t represent a
separate encounter, they’re part of that encounter is my understanding. I think
it’s a little unclear myself.

MR. BLAIR: Steve, why don’t you read what you have?

DR. STEINDEL: I was going to suggest since we’ve made numerous changes why
don’t I reread the paragraph as it exists right now, and we can comment on
wordsmithing on what I have. Concurs with the recommendation for the clinical
encounters domain as modified to include the explicit notation of the CHI noted
gaps. NCVHS understands that the CHI definition of an electronic, of an
encounter refers broadly to all types of practitioners interacting with
patients, however some explicit clarification may be in order. We note the CHI
workgroup scope does not include many encounters observed in health care as
might be enumerated in an electronic health record. Additionally, patient
provided data as might exist in a personal health record is outside the CHI
scope. NCVHS notes that a similar concept of an encounter exists within the
HIPAA process and harmonization should occur between the two.

MS. GREENBERG: I think that sounds good myself.

DR. COHN: I think the only question I have, and I have to ask Bob Hungate
on this one, I’m now looking at this, I’m fine with everything, I’m just
wondering the relevance of the personal health record data as this has evolved.
Do you still feel it’s relevant or does it seem a little bit out?

MR. HUNGATE: Well, I asked about the personal health record in order to
lessen my own misunderstanding. I’m not sure I’ve made progress in listening,
because I’m not sure that I understand what this is now, because I can, the
result is that the personal health record is not part of CHI, okay, maybe
that’s right —

DR. MCDONALD: Well, to clarify, this isn’t defining the whole scope, this
is all aimed at defining vocabularies —

MR. HUNGATE: That’s not what that says, it says it’s outside the CHI scope.

MS. GREENBERG: The CHI definition of a clinical encounter.

DR. MCDONALD: All these scopes had to do with vocabularies, that doesn’t
mean that they’re not going to do anything else.

MR. HUNGATE: I understand. I don’t understand is also part of what I’m
saying, that I don’t understand the interactions of all the definitions and the
vocabularies and what’s in there and I was trying to for my own edification ask
questions of how is the personal health record dealt with because I thought it
might be important. So that says it’s not in this domain so therefore I would
conclude it must be in another domain or it’s not in the whole thing.

MS. GREENBERG: Well, it could be like in that history and physical domain
which hasn’t been addressed yet.

MR. HUNGATE: So that’s what I was trying to get at, was the content
question, where does the content appear and how does it get in.

MR. BLAIR: So the bottom line is that you’re not suggesting that we refine
the wording on this any further.

DR. COHN: Well, actually Steve is doing a good job for this one, the
question though, we should look at this one and probably see if this makes more
sense. The pregnant question is is there a bullet at the end that says we
recommend that work be done to identify terminologies for patient interaction
with the personal record in the next stage of a CHI activity, I mean that would
be —

MR. HUNGATE: That might be the answer. The other comment that I had was
that in the domain/sub-domain in scope and out of scope, we could just put
another item at the bottom of it that said personal health record. In the table
it was on the earlier page and it wouldn’t need reference here because in the
discussion of the attachment where within clinical encounters it says yes to
admission, transfer, discharge, provider, accident, death, and autopsy, and it
says no to allergy, demographics, etc., so a no would also be to personal
health record.

DR. COHN: So basically you’re saying enumerated in electronic health record
or personal health record, is that what you’re saying?

MR. HUNGATE: That in the domain/sub-domain inclusions and exclusions, on
the first page of the attachment.

DR. STEINDEL: I’m actually more comfortable with what Bob is suggesting
right now then the sentence appearing here, and we can just change the first
sentence to note that the modifications that we’re recommending include the
exclusion of the personal health record in their document.

MS. GREENBERG: As being in scope.

DR. STEINDEL: Yeah, we’ll just modify the document as Bob just suggested
and make a note of it.

MR. HUNGATE: That doesn’t take care of my other question, how does the
patient reported information get in and that’s another —

DR. STEINDEL: That’s what, it’s starting to concern me more and more about
this sentence existing here because it raises a lot of other questions that
really the clinical encounters domain workgroup and CHI as a whole may not, has
not addressed.

DR. COHN: So is there a way for us to take that question and put it in as a
we recommend in a next phase of CHI work that the issue of patient reported
data be considered?

MS. GREENBERG: If we want to make that recommendation it would be timely.

DR. COHN: That’s right, exactly, and works well in the letter.

MR. HUNGATE: The reason, one of the reasons I think it is important is that
the patient data may not get into the database, experience that don’t get into
the database of medical information, like adverse effects that don’t get
reported, where the personal health record will be a good avenue for some of
those things, so it’s the way we have to do the enrichment of information.

DR. COHN: And we absolutely agree with you, we’re just trying to figure out
where this fits in with this letter.

MR. HUNGATE: I understand that. But it may not be a domain specific comment
is all I was wondering, if whether it’s a generic overall comment as opposed to
a domain specific.

DR. COHN: I bet we’ll see this being addressed in some way as a domain sort
of in the same way that multimedia is considered to be a domain or history and
physical is considered to be a domain because these are pretty generic, I mean
really they’re taking slices of this, if you think about it that applies in
many settings, so I think it actually would be appropriate for them to take it.

MS. GREENBERG: Sort of like legislation, this is the opportunity to say it.
You’re right, it’s broader then this particular domain.

DR. COHN: So in our letter can we at the very end sort of say something
about the recommendation for another stage, the next stage of work?

DR. STEINDEL: No, because it changes the format of our style letter. Yes,
we can.

MR. HUNGATE: This is a little out of sequence but it’s germane to the same
thing. In the disability section it would be natural to think also about health
status reporting, which comes back from patient reports, the SF36 kind of thing
that people might do on an annual basis, and that section talks about not
making a recommendation at this point, but I wanted to raise a question about
philosophically saying whether we expect to get a single standard on things
like patient status and stability and whether there’s a broader topic there.

DR. COHN: You’re asking a really good question which we sort of, we
deliberated on quite extensively, let me see how I can best describe this one.
There were two issues that were brought forward by the disability workgroup in
their recommendations. One of them had to do with the, actually there was one
but we observed that there were two, the one issue that they really brought
forward ad to do with the issue of questionnaires, a la SF36s and all the
questionnaires and how did they codify them, and we were having a hard time
with existing terminologies and we were sort of recommending that they needed
to explore more of a question and answer terminology a la the LOINC style or
something like that to basically be able to represent that.

But then there was also the other question which they really didn’t talk
about, which was representing the concepts of disability, which were sort of
left unstated. But clearly the part that they were really having conundrums
with were around this issue of these sort of question and answer, select one
through five of severity and all of this stuff. So I think we had recommended
that they needed to do more work on it with the hope that maybe that would be
in the next phase of activity also.

I don’t know if that quite answered your question, I can only say that they
I think were questioning the same issue you were, we tried to advise them of
what we thought were reasonable solutions, and we don’t have a solution today
for them, nor do they have for us.

DR. STEINDEL: I wasn’t following but I would suggest that we return to like
the past discussions when we get finished with the next three.

DR. COHN: Okay.

DR. STEINDEL: I was working on the —

MR. HUNGATE: It was related to the personal health record and that’s why —

DR. STEINDEL: What I’ve done is added a paragraph just before our standard
closing paragraph, it’s a one sentence paragraph and wordsmithing is always
appropriate. During our deliberations on the scope of the CHI work we have
observed that the personal health record has not been explicitly discussed and
we encourage investigation during future CHI investigations.

DR. COHN: Okay, that’s great.

MS. GREENBERG: The vocabulary for the personal health record has no been
explicitly discussed. Well, messages or vocabulary I guess.

DR. STEINDEL: I would just say in general they haven’t discussed anything
about —

MS. GREENBERG: You’re right. And we encourage this investigation in the

DR. COHN: Future CHI deliberations.

MS. GREENBERG: By CHI in the future.

DR. STEINDEL: Investigation by CHI? I like that.

DR. COHN: Okay.

DR. STEINDEL: I didn’t know if I should say phase two because I don’t know
how formal that is, I mean it’s been colloquially referred to but —

DR. COHN: Sounds good.

MS. GREENBERG: In the future.

MR. HUNGATE: That serves the clarification I needed when I asked the
question originally.

DR. COHN: Okay.

DR. STEINDEL: And then the paragraph that introduces this section has been
introduced now with concurs with the recommendation for the clinical encounters
domain as modified to include the explicit notation of the CHI noted gaps and
the inclusion of the personal health record as out of scope. And then we have
eliminated the sentence that’s in the paragraph concerning the personal health
record. Can we move on to the next one?

DR. COHN: Yes.

DR. STEINDEL: Okay, concurs with the recommendation for the text based
report domain as presented. The committee will further be studying both the HL7
clinical document architecture and the Continuity of Care Record as part of
ongoing work. We further note the need for e-signature is an important
component that has been investigated by the committee in the past and will be
exploring further as part of our investigation into standards for e-prescribing
over the next year.

MS. GREENBERG: I think that would be explored further.

DR. STEINDEL: And will be explored further. I’m not sure what, and will be
explored, thank you, I was not hearing well. Any other comments?

DR. COHN: No, I think we’re okay.

DR. STEINDEL: The next one is concurs with the recommendation of the
population health domain as presented.

DR. COHN: Okay.

DR. STEINDEL: Concurs with the recommendation of the chemical domain as
presented. We note and support the explicit need for additional resources at
the Environmental Protection Agency.

MS. GREENBERG: There I had changed it, because originally it just sounded
like we were advocating for their budget.

DR. STEINDEL: Yeah, I actually noticed that, too.

MS. GREENBERG: — the explicit need for resources at the Environmental
Protection Agency to accomplish the additional work required.

DR. FITZMAURICE: Yeah, we ought to be more specific about what’s required
on that.

MS. GREENBERG: Take out the first additional.

DR. COHN: Okay.

DR. STEINDEL: Now we should return to the areas above in case there’s been
some changes over the last N months.

MS. GREENBERG: Just in the first paragraph, just wordsmithing —

DR. STEINDEL: The first paragraph is standard, that’s fixed.

MS. GREENBERG: It says consequently NCVHS is now working, I mean we have
been for quite a while so I don’t think you really needed now.

DR. COHN: Okay, delete now.

MS. GREENBERG: It sounds like it’s a new development. And then that last
sentence, recommendations as part of the CHI Council acceptance process, the
the got into the wrong place. You could put a the before CHI or you don’t even
have to.

DR. COHN: Okay.

DR. STEINDEL: Okay, I think the first one is on anatomy and physiology —

DR. BLAIR: Rather then read each of them through if you just mention them
and ask if anybody has a question.

DR. STEINDEL: That’s what I was thinking of doing, was the first one is on
anatomy and physiology, any questions? Comments? The next one is on billing,
questions, comments? The next one is on medical devices and supplies.
Questions, comments? Then the nursing domain, questions, comments? History and
physical questions, comments? The next one is disability, questions, comments?


DR. COHN: Do you want to read that one over?

MR. BLAIR: Actually the very last sentence there’s one word I’d like to
have us consider altering, if you just read the last sentence.

DR. STEINDEL: We further recommend that future activities consider the
different needs and perspectives of all domain stakeholders.

MR. BLAIR: When you say all domain stakeholders it blurs the point I was
trying to make, the different needs of the different disabilities, different
disability, disabilities represented or disabilities to be considered.

MR. GREENBERG: I think this actually captures that as part of it.

DR. STEINDEL: Yes, and I also think the domain stakeholders are not just
the disabled.

MR. BLAIR: Could you read it again?

DR. STEINDEL: We further recommend that future activities consider the
different needs and perspectives of all domain stakeholders.

MR. BLAIR: Maybe it’s the different disability needs then. The thought I’m
really trying to get in here is that a one size fits all for disabilities is
something that I am concerned about.

MR. HUNGATE: And I would echo that, I think trying to get a one size fits
all will not be successful in meeting the needs of the —

DR. COHN: Well, I guess maybe I’m, I just have questions about that because
I think if we, I mean just in the same way you’re a surgeon your terminology is
different then being an OB-GYN then being different then an emergency
physician, I think what we’ve tried to do is to say yes, there are different
ways of expressing your key concepts but you ought to use the same terminology.
And I think what we’re trying to say here is is that clearly the important
issues for each disability are different but if we’re going to come up with the
right terminology it should be expressive enough that every disability should
be able to express their key issues in that terminology. And so I guess I’m, I
worry if we start trying, I mean we obviously want to have input and
involvement by all of the stakeholders and I would agree with that, but we
don’t one terminology for people that are deaf, another terminology for people
that are amputees, I mean we’ve got to have the same terminology so it all fits
together, at least I would, that would be my sense going forward. Jeff,

MR. BLAIR: Well, what I’m speaking now is reflecting a concern, and Simon,
I do understand your point and actually I agree with your point, I just don’t
want there to be an execution of this task, which isn’t exploring directly from
the different disabled communities where somebody is not just —

DR. COHN: And I agree with what you’re saying absolutely —

DR. STEINDEL: Could we modify it to say we further recommend that future
activities consider the different needs and perspectives and involve, and
something like and involve all domain stakeholders? I think your question is
more participation then actually dictating a result.

MR. BLAIR: Okay, the different needs and perspectives of the different
disabilities and related stakeholders.

MS. GREENBERG: Yeah, there are other stakeholders, too, like WHO is a

MR. BLAIR: Different disabilities and related stakeholders.

DR. COHN: And other domain stakeholders?

MS. GREENBERG: Different needs and perspectives of all domain stakeholders,
including those —

MR. BLAIR: See when you say all domain you lose the point that I’m trying
to make.

MR. HUNGATE: The domains and populations are two different things it seems
to me, domains are what we’re referring to in other things, we’re referring to
something differently here and we ought to make sure that there’s a distinction

MS. GREENBERG: These are stakeholders in the disability domain.

DR. ZUBELDIA: Then say that, or disability domain stakeholders. If they’re
not stakeholders in the disability domain they don’t need to be considered, but
if they are —

PARTICIPANT: Well by definition aren’t stakeholders —

DR. STEINDEL: May I suggest the following? I’ve just typed it in. We
further recommend that future activities consider the different needs and
perspectives of the disabled population and other domain stakeholders.

MR. BLAIR: See, it still is lumping everything together as if you could
look at all disabilities as one entity, and what I’m trying to say is that
there’s very different needs and perspectives among the different disability
groups. Yes, you could fold that into one terminology but I’m trying to say
that it has to consider the different disability groups.

MS. GREENBERG: You could say consider the different needs and perspectives
within the disability community.

MR. BLAIR: Among the disability communities.

MS. GREENBERG: The thing is disability —

PARTICIPANT: [Comment off microphone.]

MS. GREENBERG: Can I say something here?

MR. BLAIR: Thank you, that would work.

MS. GREENBERG: This is maybe getting a little nitpicky but this domain
about disability is relevant to people beyond what would be termed the disabled
population. If you think about the disabled population you tend to think about
a narrower population then people for whom they’re functioning and who have
temporary disabilities, generally I mean somebody who injures him or herself
and needed rehabilitation, this domain is relevant to those people but you
would not consider them being in the disabled population. So I think that —

PARTICIPANT: Aren’t they represented in the other domain stakeholders,
isn’t that our wording —

MR. BLAIR: We weren’t eliminating that, all I was doing was adding of the
different disability groups and all domain stakeholders.

DR. COHN: I still don’t think we have what we need up there but I’m not —

MS. FRIEDMAN: Why don’t you say the unique needs and perspectives of the
different disability groups and other domain stakeholders?

MR. BLAIR: Yeah, that does it.

MS. GREENBERG: I like that terminology a little better.

MR. BLAIR: Thank you.

MS. GREENBERG: I mean ideally, I agree with Simon, ideally you would have a
vocabulary that was sufficiently robust that it would be responsive to unique
needs of all these groups —

MR. BLAIR: It could be one vocabulary —

DR. STEINDEL: We don’t dictate the result with this sentence.

MS. GREENBERG: But you don’t know, it may not be possible.

DR. STEINDEL: What we’re asking for is the process that’s inclusive, and
we’re not dictating what the end result would be, which is I think what the
objective of the subcommittee was.

MS. GREENBERG: Do you want to say and all other domain stakeholders?

MR. BLAIR: It’s fine.

DR. STEINDEL: No, I just want to say and other domain stakeholders because
then we have to sit down and define all. That could be a very big all.

Okay, does anyone want me to read any more of this? The whole thing? Okay.
The next one is genes and proteins, the original draft had a sentence in bold
that asked for clarification on the cost and we did get that clarification so
it was removed. The diagnosis and problem list domain is next —

DR. COHN: Read to me the second sentence and explain to me what it means.

DR. STEINDEL: We further recommend the addition of ICPC to the list of
terminologies for early mapping efforts.

DR. COHN: Oh, no, no, no, I’m talking about under genes and proteins.

DR. STEINDEL: We recommend that an explicit comment on the lack of
terminology for the remaining sub-domains be added. Basically genes and
proteins came in with a recommendation for just the human genome and did not
note in their report that there was no terminologies for the other sub-domains
that they recognized.

DR. COHN: This is wordsmithing and I’m not sure we want to take time now
but it would be nice if that sentence stood on its own so we want to say that,
you might want to say recommend that explicit —

DR. STEINDEL: For the remaining sub-domains and then list the sub-domains.

PARTICIPANT: [Comment off microphone.]

DR. STEINDEL: I don’t think there were many.

DR. COHN: Yeah, you’re right, somehow we need to, they only came up with
one recommendation.

MS. FREIDMAN: NCVHS notes the lack of terminology for the remaining domains
and recommends that some should be added, or something like that. Is that a
phase two thing, too, that you want to add it in phase two for ongoing

DR. STEINDEL: I don’t know because the workgroup did not make any explicit
statement concerning —

MS. GREENBERG: Maybe he’s talking about up in Pennsylvania, Gene Lengerich
just sent an email to Vicki Mays saying since the forecast is for four to 12
inches of snow on top of the ice we currently have, okay maybe he’s talking
about up in Pennsylvania, I’m sorry, I thought he meant down here, most likely
will be using the call-in number.

DR. STEINDEL: This is probably where he is in Philadelphia.

DR. COHN: I think is Dr. Lumpkin is having similar concerns and problems

DR. STEINDEL: Simon, I can’t find it right now.

DR. COHN: Well, I don’t think we need to handle it right now, I think it’s
just something, it’s a wordsmithing issue where it just doesn’t stand on its
own very well. So let’s continue on and we can just sort of fix that.

DR. STEINDEL: That was just, okay, concurs with the recommendation, the
diagnosis and problem list domain is next, that’s the one we just, and then
finally non-laboratory interventions and procedures is the last one. So we just
need to clean up that one sentence on genes and proteins.

DR. COHN: Is there a motion for acceptance of this document with the
modifications, wordsmithing that Steve is going to do to that one bullet?

MR. BLAIR: I’d be happy to move to accept this.

DR. COHN: Is there a second?


DR. COHN: Any further discussion? I’m sure you’ll have a chance to look at
it tomorrow with any further modifications.

DR. STEINDEL: And do we hand it to the new members when they walk in for
the orientation session at 4:00?

DR. COHN: I think we’ll wait until the next day.

DR. STEINDEL: Wait until after the initiation ceremony.

DR. COHN: But I do think we all ourselves ought to have copies of this with
the attachments if we could tomorrow.

DR. STEINDEL: Yeah, I will probably give this to Marietta tomorrow morning
for her to produce for both us and the full committee.

DR. COHN: Exactly. There will be times where if we have to be comment I
will be looking to everybody on the subcommittee for exactly what did we mean
by X, so we’ll need all of your help in terms of that presentation.

DR. STEINDEL: And so Simon can practice reading it.

DR. COHN: Having said that, so basically we have a, it’s been moved and
seconded, any further discussion? All in favor?


DR. COHN: Opposed? Abstentions? Okay.

Well, with that —

DR. STEINDEL: We closed CHI phase one.

DR. COHN: Almost. Now we are going to adjourn until 8:30 tomorrow morning,
I’m trying to remember why we did that but it’s too late to change. One of the
things that I want the subcommittee members to think about a little bit is
obviously we have a relatively full agenda, actually a very large agenda for
the remainder of the year and I’m going to need some guidance from the
subcommittee members about whether we’re going to need to schedule more
sessions or whether we start going into three day sessions, so we don’t need to
talk about that or decide upon that right now but I’m happy to do either. But
I’m just sort of seeing this coming as I look at the to do list, the number of
items, and obviously the new requirements of the Medicare Reform. So think
about it, we’ll probably discuss that a little bit tomorrow. Thank you. The
meeting is adjourned.

[Whereupon the meeting was recessed at 5:20 p.m. to reconvene the following
day, January 28, 2004, at 8:30 a.m.]