[This Transcript Is Unedited]



July 19, 2007

National Center for Health Statistics
3322 Toledo Road
Hyattsville , Maryland

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax , Virginia 22030



DR. COHN: Good morning. I want to call this meeting to order. This is the
third day of hearings of the Ad Hoc Work Group on Secondary Uses of Health
Information of the National Committee on Vital and Health Statistics. The
National Committee is a statutory public advisory committee to the U.S.
Department of Health and Human Services on national health information policy.
I am Simon Cohn. I am the Associate Executive Director for Kaiser Permanente
and chair of the committee.

I want to welcome committee members, HHS staff and others here in person,
and want to welcome those listening in on the Internet. I also want to remind
everyone, as we always do, to speak clearly and into the microphone so those on
the Internet can benefit from our deliberations and dissemination. I also want
to thank the National Center for Health Statistics for hosting us for this

Let’s now have an introduction around the table and around the room. For
those on the National Committee, I would ask if you have any conflicts of
interest related to any of the issues coming before us today, would you so
publicly indicate for your introduction. I want to begin by observing I have no
conflicts of interest.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina,
member of the committee and no conflicts.

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the
committee and no conflicts.

MS. AMATAYAKUL: Margaret Amatayakul, contractor to the work group.

MR. FITZMAURICE: Michael Fitzmaurice, Agency for Health Care Research and
Quality, liaison to the committee.

DR. DEERING: Mary Jo Deering, National Cancer Institute, staff to the NHII
work group.

DR. WHITE: John White from the Agency for Health Care Research and Quality
and testifier today.

MS. SPRENGER: Sharon Sprenger from the Joint Commission. I am a testifier.

MR. VIGILANTE: Kevin Vigilante, member of the committee, Booz Allen
Hamilton, no conflicts.

DR. SCANLON: Bill Scanlon, Health Policy R&D, member of the committee,
no conflicts.

MR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention,
staff to the ad hoc work group and liaison to the full committee.

MR. ROTHSTEIN: Mark Rothstein, University of Louisville School of Medicine,
member of the committee, no conflicts.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC,
committee staff.

MS. HAYES: Rebecca Hayes, America’s Health Insurance Plans.

MS. YOUNG: Alison Young, American Health Information Management

DR. COHN: I want to welcome everyone. I will be very brief in terms of my
introductory comments. We have a lot to do between our start this morning and
our 12 noon adjournment for this set of hearings. I do want to remind everyone
that we do have hearings coming up during the first three days of August, and
then we will have additional sessions late in August 23 and 24. This is meant
to be a fast-paced effort.

As I have indicated before, I want to thank members of the committee for
serving on this ad hoc work group and for donating their summer to this project
and effort.

Just to remind everyone, and also for information and context setting for
our initial presenters, we have been asked by the U.S. Department of Health and
Human Services and the Office of the National Coordinator to delve into the
issues of the secondary uses of data, especially in the context of this
evolving and development Nationwide Health Information Network. We have been
asked to develop an overall conceptual and policy framework that addresses
secondary uses of data, including taxonomy and as we saw yesterday, a very
significant need for definition of some terms, just because there is a lot of
terms out there that are maybe overloaded or as was described yesterday,
everybody uses the term to mean something different by them.

We have also been asked to develop recommendations to HHS on needs for
additional policy, guidance, regulation and/or public education related to
expanded uses of health data as you move into the Nationwide Health Information
Network. We are looking widely at this, but we also will be emphasizing the
issues relating to data for quality measurement, reporting, and I do want to
mention specifically improvement. Sometimes we get so involved with measurement
and reporting that we forget that the reason for all of this is to improve the
quality of care in the health care system, and we want to make sure that we are
supporting that at every juncture.

Finally, I would comment that in all of this work, we are looking for
frameworks, but we are also looking for approaches, tools and technologies that
may help minimize risk as we move forward. So that is also part of the
conversation. It isn’t just high level frameworks, not just policy, but other
practical things that can we recommended that might help minimize the risk as
we move into this new environment that may be mostly covered or completely
covered by HIPAA, but was probably not completely contemplated when HIPAA was

I want to thank Harry Reynolds and Justine Carr for being the co-vice
chairs of this activity. I will be turning it over to them to chair and
facilitate the rest of the sessions. But I do want to observe that we have two
main sessions this morning, one talking about work from the AQA and John White,
thank you for coming in and helping brief us on that, as well as the Hospital
Quality Alliance, and Sharon Sprenger, thank you for joining us for that
conversation. We also have somebody from Centers for Medicare and Medicaid
Services, Mike Rapp, who will join us in person or in the phone.

After our morning break, we will move into discussions around health record
banking. One of the questions we have is, what part, and is there even a part
for that activity in relationship to the work that we are discussing, where
does it fit in. I think it will be an interesting conversation. I am hoping at
the end, as we have been doing on a regular basis to spend some time talking
about learning issues, open issues and next steps. We are asking Margaret A. to
help us work through those discussions, recognizing that that serves to inform
the questions for future hearings as well as in some ways testifiers. So that
will be the morning, and we will adjourn at 12 noon.

Harry Reynolds, let me turn it to you.

MR. REYNOLDS: We will go in the order on the agenda if that is okay with
you. John.

Agenda Item: Organizations Directing and
Supporting Quality Improvement Activities

DR. WHITE: Thank you very much. Hello, everybody. Thank you for having me
here again. It is always a pleasure to be back.

Since we are in Washington, political speeches are common here. There are
four parts to any good political speech: Bond with the audience, raise the
alarm, point with pride and with hope. I don’t know if you have ever heard that
before, but in the interest of bonding with the audience, I have been paying
attention to the testimony over the past few days and as always, you all are
doing a fabulous job of addressing a very complex subject. It had nothing to do
with my involvement in taking a look at who was going to be testifying
beforehand. I am really pleased at the hard work that you all are doing, and
mean that honestly, joking aside.

My day job as you all know is Health IT Director at AHRQ. I am here today
to talk to you about an occupational pastime of mine, something that has been a
fairly serious endeavor over the past two and a half, coming up on three years
here, which is the AQA. It has been a significant force in the world of quality
and quality measurement, and has many activities underway that are fairly
directly relevant to the things that you all have been talking about for the
past few days. So I am really pleased to be here on behalf of the AQA to tell
you about what has been happening there.

To start at the beginning, in September of 2004, the four groups that you
see listed here, the American Academy of Family Physician, the American College
of Physicians, America’s Health Insurance Plan and the Agency for Health Care
Research and Quality, joined together to lead an effort for determining under
the most expedient time frame how to most effectively and efficiently improve
performance measurement data aggregation and public reporting in the ambulatory
care setting.

This initiative was initially known as the Ambulatory Care Quality
Alliance, but the coalition is now known as the AQA Alliance, because its
mission has broadened to incorporate all areas of physician practice. So an
important distinction if you were paying attention at the beginning, but have
shifted focus since then, and this is focused on all areas of physician

It has become a broad-based collaborative of physicians, consumers,
purchasers, health insurance plans and others, and we will talk a little bit
about who is involved later.

The mission of the AQA is to improve health care quality and patient safety
through a collaborative process in which key stakeholders agree on strategy for
measuring performance at the physician or group level, so strategy. The second
point is collecting and aggregating data in the least burdensome way. The third
point is to report meaningful information to consumers, physicians and other
stakeholders to inform choices and improve outcomes. So a lofty mission with
equally lofty goals.

Goals are to reach consensus as soon as possible on a set of measures for
physician performance that stakeholders can use in private health insurance
plan contracts and with government purchasers, a multi-year strategy to draw
additional measurement sets and implement measures into the marketplace, a
model including framework and governing structure for aggregating, sharing and
stewarding data and finally, critical steps needed for reporting useful
information to providers, consumers and purchasers. You will see those
different goals embodied in the work groups that have constituted the AQA up to
this point.

There will be a test later on the participants in the AQA. I put this list
up here not to overwhelm you unnecessarily, but more to impress upon you the
point that from its rather humble beginnings, it has grown to encompass a lot
of different organizations and a lot of national organizations. Although at
times the discussion has been contentious when you start getting close to what
people care about, it truly has been a broad and collaborative process. The
numbers of folks that are involved are broad. The A’s take up the entire first
column, and as you can see, it is most of the academies, the American Colleges
of, the American Boards of, American Societies of. You can see there is fairly
broad representation there.

Those are the participants. There is a smaller steering group that meets in
between the large AQA meetings and guides the discussion as it moves ahead.
AARP, AHRQ, the AAFP, American Academy of Family Physician, American College of
Surgeons notably involved, American Medical Association, AOA, Osteopathic
Association, America’s Health Insurance Plans, National Partnership for Women
and Families, Pacific Business Group on Health and the Society of Thoracic
Surgeons. A number of organizations support the AQA and have publicly committed
to supporting the processes that go on there, including the AFL-CIO, the
Association of American Medical Colleges, American Academy of Pediatrics,
Centers for Medicare and Medicaid Services, Medical Group Management
Association, National Committee for Quality Assurance and the National Quality

So you can see here that there is not just broad participation in the
collaborative, but significant participation in the collaborative. These are
some significant players in what we loosely term the quality enterprise.

From the outset, the AQA had three work groups that moved the discussion
forward and advanced the activities. There is the performance measurement work
group, the data sharing and aggregation work group and the reporting work

I am going to touch on these a little bit out of order. My involvement from
the start has been with the data sharing and aggregation work group, and that
is probably most relevant. The others aren’t irrelevant, but it is probably the
most relevant, so I am going to address that last, but we will touch on the
other two work groups first.

The performance measurement work group has undertaken the process of trying
to pick what we measure when we are talking about measuring physician
performance and measuring quality. I have a typo up here, I apologize. I said
April 2006. That should actually be April 2005. Starting in April 2005, the
performance measurement group set out a starter set of 26 measures for
ambulatory care that were broadly agreed upon as things that were ripe and
things that should be focused on.

I have the list of them here. I’m not going to go into all of them, but
these are things like the percentage of women who had a mammogram during the
measurement year or year prior to the measurement year, or colorectal cancer
screening or cervical cancer screening, influenza vaccination. For heart
disease, things like drug therapy for lowering LDL, cholesterol and beta
blocker treatment after a heart attack. Other topics that are touched on
include heart failure, diabetes, asthma, depression, prenatal care.

Additionally, there are two quality measures that we included that
addressed overuse or misuse of care, which included appropriate treatment of
children with upper respiratory infection and appropriate testing for children
with pharyngitis.

Now, were these necessarily the most earth shattering, biggest movers in
quality? Some of them are very significant; I can’t say all of them were. But
the point was, it was a starter set. It was a set of measures that were broadly
agreed upon by providers, by plans, by national associations and by accreditors
as saying yes, these are things we can all get behind, this is where we can
start our work. It was never intended to be the sine qua non, but it was a
great place to start, and has been broadly taken up and discussed throughout
the health care community, especially those that focus on quality.

In addition to the starter set, there have been sub work groups that have
focused on acute and chronic care, surgery and procedures and cost of care. As
you all can imagine, the discussions are very interesting. There is a number of
documents that support these work groups and describe the work that they have
undertaken that are all available on the AQA website, so I am not going to get
too much into them here. But just know that this is going on.

In addition, this work group has set out parameters for selecting measures
for physician performance. This is guidance to try to help people understand
what principles underlie this process and how folks get there.

I’ve got them here. I’m not going to read them to you verbatim, but I’ll
just pick a few for you. Measures should be reliable and valid based on sound
scientific evidence, mom and apple pie, but when you actually start looking at
the measures and saying what backs it up, that is something that you have got
to be able to stick to.

Measures should reflect processes of care that physicians can influence or
impact. Outcome measures should be appropriately risk adjusted and stratified.
The measures should include but not be limited to measures that are aligned
with IOM’s priority areas. Again, I’m not going to read it all to you today,
but there are some good sound measures here. They are publicly, broadly
discussed, widely vetted, and I think are fairly sound when you look at
principles for selecting these things.

As I mentioned, we started with a starter set. The group has expanded to
consider all areas of physician performance and have adopted a number of
measures. As a result, currently there is over 120 approved measures. These are
all available on the AQA website. These do start to expand to include things
like surgical procedures. Things are not necessarily just ambulatory care,
which is where it started.

So it has been a very exciting process to watch. It has been really
exciting to see the engagement by all the different stakeholders as they have
gone forward with this. As you all can probably well imagine, it can be a
fairly contentious issue when you start out.

In addition to the performance measurement work group there is a reporting
work group. It would be unfair to say that this has been a less active work
group. This has certainly been moving ahead, but I think the ferocity of
intensity of work has probably happened in the performance measurement and the
data aggregation work groups.

Nonetheless, this work group has put forward two fairly significant
documents, principles for public reports on health care and principles for
reporting to clinicians and hospitals. This is where you have to start this
conversation. You need to say what do we hold ourselves to when we start going
out and putting out reports.

Again, I won’t necessarily get into the depths of these, but the principles
for public reports include things like, the reports should focus on areas that
have the greatest opportunities of making care safe, timely, effective,
efficient, equitable and patient centered. Those of you who have somehow
interacted with the IOM in the past may have heard those words before. Also
focused on the general areas of portrayal of performance differences. Reports
should use fair and equitable methods to display performance differences that
enable users to make decisions based with meaningful, reliable information.

Transparent methods; that has been key. That has been a point that has been
brought up over and over again. As you go about reporting or measuring or
deciding what to measure, you can’t do this behind closed doors. This cannot be
a black box. This has to be publicly and richly discussed.

Report design and testing for usability as well as timely results. The same
thing is reflected in the principles document on reporting to clinicians and

I do want to call out that there is a difference that has been recognized
between what do you report out to the public and what do you report out to
providers. You need to report the same information, but you might be
representing it in different ways. For me as a doctor, I know things that I
would want to know that make a difference in how my office runs or how my group
runs. It is going to be very different from what I want to know as husband and
father of three children when I go to make decisions for care based on that

So that is the reporting work group. Finally we get to the data sharing and
aggregation work group. This is how you make the sausage, if you think about
it. This is, once you have agreed on what you are going to measure, where do
you go for it.

The discussions at the outset, given the folks who are around the table,
focused around the use of claims data, of what is called administrative data
but largely is data that is generated for the purpose of billing and claims.
Why? Because that is what we have electronically. You can go to chart review,
and frequently you do have to go to chart review, but we all know that is a
fairly labor intensive process, can be challenging to go through. Of course, my
charts are all perfectly organized and everything is in the right place at the
right time, but otherwise if you want to bring together large sets of data,
electronic is the way you go.

One of the interesting things about the AQA is that when you talk about
claims data, there is a significant player in this country who has a fair share
of claims data sitting two seats to my left. That organization is the Centers
for Medicare and Medicaid Services.

America’s Health Insurance Plans represents a number of health plans around
the country, and each one of those individually has made efforts to measure
quality based on the information that they have had. This effort came out of
the interest of trying to look across all payors and individual physicians’ or
groups’ performance.

You can imagine that the validity level goes up when you are talking not
just about the Aetnas or Uniteds or Kaisers, but when you start looking at Dr.
White’s performance on how he took care of diabetic patients, not just on my
Aetna patients or my United patients, but based on all the patients that I see,
or at least all the ones that have health information and have claims data
submitted for them. So that becomes significantly more powerful.

The discussion in the data sharing and aggregation work group has centered
around two streams. The first stream has been, how do we do this. The second
stream has been, what are the issues that get raised by doing this that we need
to consider and that we need to be deliberate about.

The how we do this has manifested itself in the establishment of what was
originally called the AQA pilots but subsequently has become the better quality
information initiative through CMS.

The concept was that we are not just going to talk about this, we are
actually going to do this. Starting in late 2005, so about a year after this
process got underway, the work group talked about standing up pilots that would
bring together all payor data for the purposes of quality measurement around
measures that had been agreed upon by the performance measurement work group.

There were certain principles and characteristics and key elements of these
pilots that were said at the beginning to be important. They are listed here.
The key elements would be that these pilots assess clinical quality, cost of
care and patient experience, that the folks who did these pilots would
demonstration understanding of structural capacity as a covariate to assess
physician performance, in other words, where does the data come from, what does
it look like when you get it, how does the data flow from place to place. The
pilot would collect and aggregate Medicare claims and private sector data from
multiple sources and where possible Medicaid data. The pilot would explore both
existing and new methods for collecting, submitting and sharing data from
physicians’ medical practices. These pilots would leverage the experience of
existing aggregation efforts, and they would subsequently disseminate
measurement information.

So a process was undertaken to say who is out there that can do this, and
requests for information was put out to organizations to see who could
potentially be involved, and responses received back.

The individual sites that came in and were agreed upon were the six that
you see listed here, the California Cooperative Health Care Reporting
Initiative, the Indiana Health Information Exchange, the Massachusetts Health
Quality Partners, the Minnesota Community Measurement Initiative, the Phoenix
Regional Health Care Value Measurement Initiative, and the Wisconsin
Collaborative for Health Care Quality.

These were designated as AQA pilots in early 2006, and subsequent to that
have transformed through initially a small amount of AHRQ funding but
subsequently a significant amount of CMS funding, into the BQI initiative,
Better Quality Information initiative.

Now, before I start going too far down this, Mike, are you going to talk a
little bit about this? I’m very grateful for that, because I don’t know as much
about that as I’m sure Mike does at this point. I did call and chastise Marc
Overhage in the cab on the way home yesterday. I was really hoping he would be
here to be able to participate in the discussion, so he is appropriately sorry
that he couldn’t be here. But these are really interesting, and I will leave it
to Mike to talk more about them.

As I said, the one stream of discussion in this work group has been how do
we do this, and the second stream has been what are the principles around it.
One of the issues that came up early is this issue of, you are getting
information and you are using it for purposes other than which it was
originally intended, which gets at why you have me here today.

This is the secondary use of health data. In this case, we are not
necessarily talking about clinical data, like a temperature or a culture. You
are talking about claims data. From fairly early on it was recognized that this
was something that was going to need to be thought about, and thought about

This started out as a discussion on data ownership, who owns the data. As
time went by, there was a recognition that once data is digital, once it is
electronic, as you have heard already from Charlie Saffron yesterday and from
others, if you have a copy of the data you own the data. So that principle of
ownership gets fuzzy. The principle of ownership is fuzzy to begin with;
something that is in the doctor’s chart, is that my data as a patient or is
that the doctor’s data because they generate it.

So we put aside the issue of data ownership and started talking about the
issue of data stewardship. You talked about overloaded terms earlier; it
absolutely can be overloaded. I am, as Winnie the Pooh said, a bear with very
little brain, and so I like to try to keep things simple. So when I say
stewardship, there is a very nice definition on Wikipedia that says,
stewardship is taking care of something that is not one’s own. Stewardship is
taking care of something that is not your own.

So putting aside the fuzzy issues of ownership, when you talk about health
data stewardship, you are talking about taking care of that data. That should
apply whether you own it or not, but when we say taking care of it, that is
different than waxing my car. This is making sure that you are doing things
with that data and you are keeping that data secure in such a way that you are
not betraying trust. Trust is a big issue here.

We have had very robust discussions about that over the past two and a half
years, and the work group has enumerated a number of data sharing aggregation
principles. I don’t want to go too much longer, but I do think it is worth
culling out a few of these.

The principles that we agreed on were transparency with respect to
framework process and rules, measurement of performance derived from
standardized metrics and data collection protocols that can be compared against
national and regional suitable benchmarks, useful data for physicians to
improve the quality and cost of care, public reporting to consumers of user
friendly actionable information, collection of data so a physician’s
performance can be assessed as comprehensively as possible, standardized and
uniform rules associated with measurement and data collection. Those submitting
data should be accountable for the accuracy and completeness of their data.
Compliance with privacy, confidentiality and other applicable rules while
insuring that providers, plans and other data contributors have necessary and
appropriate access to useful information, so there is balance there on that
one, and systems or process to share, collect, aggregate and report quality,
cost of care and patient experiences that should be designed to minimize cost
and burden, which is again why you get to the principle of doing this
electronically, because it significantly reduces your cost and burdens
associated with this.

So out of this discussion sprang the concept of a national health data
stewardship entity. Originally it applied to the concept of an entity, or a
group that would be responsible for insuring these principles and
characteristics were there. The characteristics of it were discussed.

Understand that the word entity came up in association with the AQA and the
processes of the AQA. So it was not necessarily meant to be an entity that
would cover the entire country. A lot of folks have heard this and said, so you
are setting up a database in the sky, one giant database to do all this. No,
that is not exactly what we are talking about when we talk about this.

As the discussion for the group progressed forward, we put these principles
out for the entire AQA to talk about. There is a characteristics document of
things we thought would be useful for that particular entity. It became clear
that number one, this concept applied to things other than what the AQA was
going and number two, that although we had several thoughtful folks around the
table that we might not be getting everything that we needed to have it be a
very solid concept or an organization with a solid foundation.

So to that end, the group agreed to issue a request for information, as
opposed to a request for a proposal that was originally thought of. I said, do
you have money for that? They said no, and I said, then it is a request for
information. So a request for information was published in the Federal Register
under AHRQ’s name, and it has been out there since early June, and responses
are due back in eight days on July 27.

We had a fair amount of interest. A number of organizations large and small
have said that they are going to be responding to it, some of whom have already
testified to you over the past couple of days.

Again, without getting too further into it, it discusses this concept as it
came up at the AQA. It lists about 25 different subject areas for comments. So
it is fairly comprehensive. It is a public request for comment. So we don’t
know what will come back, but we thought it was very important to have a
publicly available venue for comments, and comments that would be on the

The other thing that I would indicate to you about the RFI is, number one,
we have agreed that all responses are going to be made public. We plan on
scanning the responses and putting them up on the AHRQ website. Number two,
that we will put together a qualitative summary of the comments in case you
don’t want to read all the responses. I choose those words carefully. I don’t
want to say, four people said this and three people said that, so that is
right. This is not an election, this is a request for information, so it is
going to be qualitative, not quantitative, and it is going to be a

It will not provide further analysis at this point. It will not provide
recommendations for next steps. That was not necessary for the purpose of the
RFI. The purpose of the RFI is meant to enrich and inform the discussion as it
moves forward. So that is the purpose behind that.

So in summary, all talks should tell you what they are going to tell you
and then tell you what I told you. The AQA is a broad-based collaborative and
it is focused on physician performance measurement. The work groups involved
have been data sharing and aggregation, public and provider reporting in a
measure selection process. Mike is going to tell you about the projects. Out
there now is this data stewardship, RFI, that we are looking forward to having
a robust response to.

Thank you very much for your time.

MR. REYNOLDS: Thank you, John. I’d like to welcome a few other people. Mike
Rapp, thank you for joining us, and Kelly Cronin and Christine Anderson have
both joined us. Glad to have you with us today. Sharon, if you will please

Agenda Item: Hospital Quality Alliance

MS. SPRENGER: Thank you very much. It is a pleasure to be here. I am
checking with my colleagues, because we overlap in things that we do, so
neither of us wants to step on the other’s foot in terms of what we are going
to present.

My name is Sharon Sprenger. I work with the Joint Commission. But both the
Joint Commission and the Hospital Quality Alliance were asked to speak to you
today. I was lucky enough to win. I am here to speak on behalf of both
organizations. I will speak on behalf of both the Hospital Quality Alliance and
the Joint Commission.

Specifically we were asked to focus on sections five and six, so as I go
through my presentation, I will try to address some of the questions that you
asked us to address.

I think the first thing that is important to note here — this is a slide
that was prepared by the American Hospital Association — is that there are a
multitude of activities confronting hospitals. When you look at the activities
confronting them for national quality and patient safety efforts, most of these
collect data which result in the secondary use of the data. So this certainly
has been an important topic that we are pleased to be here to address today.

First of all, with respect to the Hospital Quality Alliance, the Hospital
Quality Alliance was created in December of 2002. It was led by the American
Hospital Association, the Federation of American Hospitals and the Association
of American Medical Colleges. It is a public-private partnership to improve the
quality of care provided by the nation’s hospitals by measuring and public
reporting on that care.

There are a number of partners that work with the Hospital Quality
Alliance. You can see on this list that it includes partners both from the
hospital arena, employers, consumers, purchasers, other providers such as the
American Medical Association, the government such as CMS and AHRQ, as well as
different quality groups.

The Hospital Quality Alliance identifies robust sets of standardized
measures that are easy to understand. They are all related to the hospital.
They are used by all stakeholders to improve the quality of care, and they are
used by consumers to make informed choices. The data on these measures is
posted on Hospital Compare, which was a website tool developed to publicly
report credible and user friendly information. This website debuted on April 1,
2005. I included the link to the website. I should note that thanks to CMS it
is their website that they offered to the HQA to use.

Currently on this website there are 22 process measures that are being
reported. These are measures that are common to the Joint Commission and CMS.
In June there are now two outcome measures that are being reported in Hospital
Compare. These two measures would be unique to CMS as they included mortality
measures that were reported on Medicare patients only.

To give you an idea, because this is a voluntary initiative, hospitals
voluntarily submit their quality information to be reported on Hospital
Compare. This gives you an idea right now of the number of hospitals. I think
it is quite impressive that as of January there were 4,215 hospitals that are
voluntarily reporting their data on Hospital Compare.

Now, in terms of some of the other work that HQA is doing, I think one of
the most important things is that the HQA has brought transparency to hospitals
and the reporting of their data. But they are working to consolidate the data
stream to reduce burden, to expand the capacity for measurement. They are
beginning to do some work in looking at the analysis of costs they might be
reporting, working on the identification of priorities for measurement and the
ongoing identification of additional measures that will be reported over time
on Hospital Compare.

The HQA also works closely with the AQA. In fact, there is a steering
committee between the two organizations, and we have a number of work groups
working on efficiency, harmonization of measures, pricing, transparency and
working on the BQI pilots, et cetera. The HQA has designed an infrastructure
for sustainability.

What I wanted to show today was that — as we talk about the secondary uses
of data, to think about the continuum of uses for performance measurement data
and how that has changed over time, going back to 1985, where we started using
data for internal quality improvement. We have moved to accountability, we have
moved to public reporting. We have moved to payment for hospitals. We are now
using performance measurement data for maintenance of physician certification,
and we are also moving to use data for payment to physicians. So I think over
time, the uses of performance measurement data have certainly morphed, and they
continue to grow in how this type of data is being used.

I am going to switch my hat for a moment and talk a little bit more about
the Joint Commission. The Joint Commission is the nation’s predominant standard
setting and accrediting body in health care. I have included our mission here
because I think it is important to note that our mission is to continuously
improve the safety and quality of care provided to the public through the
provision of health care accreditation and related services that support
performance improvement in health care organizations.

One of the questions that we were asked to address today is, right now what
are the sources of the data that we are using for quality performance
measurement. Right now we have two primary sources that we are using. One is
the medical records. The majority of the data is being done through a paper
medical record. We have some hospitals that utilize a electronic health record,
but that number is very small. Probably as most of you are seeing, there is
more movement in the electronic health record in the ambulatory setting, just
starting to happen in the inpatient setting. But this is something that we will
be exploring, is the use of the electronic health record and how that would
influence our data.

The other primary source is the use of administrative claims data, or using
the UB-92 or UB-04 for many of our data elements.

In terms of the data collection challenges that face us, one is the data
collection effort using a paper medical record. There are some limitations with
the use of ICD-9CM codes, which drive all of our process measures. That is, how
the population is identified is through the use of ICD-9CM codes. There is some
limitation in using this data from administrative claims data. In the past
there has been a limitation in the number of diagnoses and procedure codes that
can be submitted.

There is also a challenge with having staff that is well trained to collect
this data and to have the clinical knowledge to collect the data on these
measures. Then there is also use and claims data. There are limitations with
the clinical richness of administrative data.

You also asked us to address where we see in the future some of our primary
data sources may be. These are a few that I just wanted to address.

At the moment at the Joint Commission we are involved in testing a set of
NQS nursing sensitive peer measures. They use data from human resources and
payroll records. I think this is an interesting data source that we are looking
at. We will see more use of administrative data, but by that I mean patient
data. In this country there is a real desire for measures related to infection
care, and many of those measures use aggregate denominators based on patient

Also, the movement toward surveys both at the employee and the patient
level as a data source, more movement toward electronic registries, for
example, cardiac and cancer, and obviously the use of electronic health
records. The Joint Commission is hoping this fall that we will have a
roundtable to start looking at the electronic record with vendors, et cetera,
to identify how that would change our processes in terms of our current
measures that we are collecting, the data sources, et cetera, and how all of
that will work.

You also asked that we address a little bit about what do we do in terms of
data quality, and what do we think data quality is. Broadly, we believe that
data quality can be defined as the accuracy and completeness of the data.

Currently, the Joint Commission in collecting the data that we use uses an
intermediary which we call the performance measurement system or the vendor. We
have about 53 vendors that culled data from 2,300 hospitals that report to us
each quarter. One of the links between us and HQA in Hospital Compare is that
approximately 90 percent of the data that is posed on Hospital Compare comes
through our vendors and is posted on that site.

The other thing I want to mention too is in terms of how is this data
protected under privacy. When a patient goes to a hospital they would sign a
consent form under HIPAA. If that patient was to opt out of that consent form,
we would not receive the data on that patient for our measures. In turn, the
Joint Commission has a business associate agreement that we sign with each
hospital that covers us in terms of receiving the performance measurement and
accreditation data that we receive.

In the past, the Joint Commission in terms of the data we receive, we
received aggregate data, basically numerator and denominator. But this year we
will start receiving anonymous patient level data, but again, I emphasize,
anonymous patient level data.

In terms of some of the things that we do for data quality, first of all we
have a contract with all of our vendors. We do a lot of data quality education.
We do vendor education manuals. We obviously have a specifications manual with
all the details. We also have a manual for all of our vendors related to data
quality and what our expectations are.

Annually we do a conference with our vendors that CMS participates with us
in, in terms of what our expectations are in terms of their collecting this
data, et cetera. We also have a number of mechanisms in place to monitor the
data that we receive. We have a number of qualitative evaluations that we run
on the data that we receive. So for example, because hospitals have selected
the measures that they report based on the services, one of the evaluations
that we would run is that there are absolutely no cases reported. But we are
also looking at our statistical outliers, sudden changes in what is being
reported, et cetera.

The other thing that we do is, we audit our vendors. This year we are
stepping up our efforts in this area, and are recording through these
evaluations that we are doing in other tests. We will be assigning points to
our vendors, and based on the number of points that you will have, you will
either receive an e-mail from us, a conference call, a desk audit, or we will
come visit you so we can identify what the issue is either at the vendor level,
or if you are having some particular issues with the hospital that is
submitting their data.

You also asked us to tell you how were we using our data. The Joint
Commission in terms of the performance measurement data that we receive
currently has four major use of the data. One is using this data in our
priority focus process for accreditation, using it in performance measurement
reports, quality checks and an annual report we have. I will just quickly show
you what each of these is.

The priority focus process is how we identify when we make our
accreditation visits where we should focus. For a hospital we have a number of
internal and external data sources that we use to aggregate all the information
we have to determine when we got to a hospital where should we focus.

A couple of years ago, the Joint Commission introduced a new process called
the chaser methodology, where we identified some patients based on the data we
have that we are going to trace through the organization. The reason I share
this with you is that for the hospitals that we survey, approximately 40 to 50
percent of the data that is driving the PFP process comes from our core measure
data that we are receiving, in terms of the patients that we identify for the
tracer methodology.

We also create what we call an Oryx performance measure report. This is a
report that is available to our accredited organizations. It is posted four
times a year because we receive our data quarterly. It is posted on a secure
Externet site that the hospital has access to, and they will get a complete
summary of the measures that they are reporting on. Currently we have a
requirement that the hospitals have to collect three measures out of the five
that we have available. It has detail available for every single measure they
are collecting. Also if they are missing data, any data quality issues that we
have identified, et cetera.

How the hospitals see their data on this report is through the use of a
control chart that is posted for each measure that we receive data on over
time, and also they can have information on a comparison chart that shows how
they are doing in comparison to other hospitals unless it would be a risk
adjusted measure. Then it would show the hospital how they were doing based on
their risk adjusted rate.

We also post for our accredited hospitals data on a report that we call
quality check, that would give you the ability to look at the data overall
first, and then to drill down to each individual measure and to see how that
hospital is doing in comparison to the nation and the state that the hospital
resides in.

Then just this past March for the first time, the Joint Commission issued
what will now become an annual report called Improving America’s Hospitals, A
Report for Quality Safety. This report incudes information on the performance
measure data that we have as well as on national patient safety goals.

On behalf of the HQA and the Joint Commission, we realize there are a
number of uses of secondary use. Today we see five overarching uses of data.
One is through patient and consumer choice so that a consumer can choose where
to go with confidence. The data is being used for quality improvement, it is
being used for accountability.

It is being used — probably the most important — to improve public
health. I appreciated your comments at the beginning. I think sometimes we are
so busy collecting data, we forgot we are collecting it for a reason, and that
is to improve patient care, and it is also being used to drive market share. So
if data is put out there, it can be an advantage to a provider when you see
data on their patient care.

In terms of barriers and challenges to the secondary use of data, these are
some that we would like to highlight. Obviously there are a number of potential
privacy issues, for example, what is governed by HIPAA. There is an absence of
standardization of measures and data element definitions. The issue of data
quality, and also there needs to be a methodology associated with
de-identification consistent with HIPAA.

So we believe that rules are needed, and because of this increasing thirst
for performance measurement data, there are rules that are needed. There needs
to be standard rules to de-anonymization. This is an interesting discussion, to
anonymize or not to anonymize. If we totally de-anonymize data, then it will be
impossible to link it to the individual patient, which could be important.

There are rules needing respecting data quality, rules needed regarding
matching data sets if we want to merge databases, if we want to understand the
accuracy of those matches. As I often say when I am talking to my statistician,
how right do we want to be when we are doing this. We need to have rules
addressing who can get information from secondary data, perhaps some potential
privacy rules. We also need to have some rules with correct statistical
approaches to balance and differentiate outliers.

DR. COHN: Sharon, I just want to make sure, since we are talking about
overloaded and misunderstood terms, by de-anonymization, do you mean
reidentification or de-identification? Or what do you mean by that?

MS. SPRENGER: It is an interesting term, isn’t it? It is looking to say,
because you have anonymous data, how could you de-anonymize it down to a
certain level in order to do those linkages at the individual level.

DR. COHN: I want to try again here. De-identification, does this really
mean standard rules for anonymization? Or is it de-identification, or are you
looking for rules to relink the data with the individual?

MS. SPRENGER: I think there has to be standard rules to link the data, to
have that ability. This was out of our Washington office and I have to admit,
when I saw it too I said, that is a whole new term, even looking through the
literature related to the secondary use. But basically the question is, how
would you be able to link data from one patient to another.

So the challenges are great as are related to the secondary use of data.
There certainly is a need for a public-private entity to sort through this. We
are very interested in work that is going on right now with the RFI for
national health data stewardship entity. Hopefully that could provide
leadership in this area.

I also wanted to mention today too that we think there is another
interesting issue that is emerging, too, and that is the tertiary use of data.
We now have third parties creating new and different views of data such as
researchers and third party payors. So an organization with secondary use has
no control over the tertiary use.

So in some ways, I think the dominos continue to fall here in terms of how
data is being used. We are rather concerned that there could be some real
potential for unintended consequences. Part of it would be too that as we move
through this into tertiary use, for many of these users HIPAA no longer
applies. So I think this is the next frontier that we are going to have to take
a look at once we get our arms around the secondary uses of data.

So in summary, we believe that we need the right protection on data. We
have to be cognizant of unintended consequences as we use data. We have to
balance patient privacy with creative, unique elucidating uses of data
producing different pictures of health care and health status. The bottom line
is that health care data should improve the safety and quality of care provided
to the public.

Thank you very much for the opportunity to speak with you.

MR. REYNOLDS: Thank you very much.

DR. CARR: Thanks, great presentation. You mentioned in the beginning that
patients can opt out of submission of their data to the Joint Commission. Did I
hear you correctly?

MS. SPRENGER: Yes. Under HIPAA when a patient comes into a hospital, they
would sign a consent form for the use of their data. But if a patient does not
want to sign that consent, then the hospital would not send data on that
patient to us as part of their performance measurement data that they send us.

DR. CARR: So do you have any sense of what percentage of your data set is
missing based on patients opting out?

MS. SPRENGER: I do not have that information. From what I know, I do not
believe that that happens very often that patients opt out, but I don’t have
any actually data to give you the number when that happens.

MR. REYNOLDS: Bill, do you have a follow up question on that? Then I want
to get to Mike.

DR. SCANLON: Just a quick question. Do you know if that form that the
patient signs is explicit about the Joint Commission versus other uses? Or are
the patients just signing a form saying my data can be used?

MS. SPRENGER: To be honest I don’t know what the actual form looks like,
other than it is a pretty standard consent form that is used by most hospitals.
Some of the standards are quite short, but it talks about using data in a
general way, but it does meet the intention of HIPAA.

MR. REYNOLDS: Mark, you had one follow up. Paul is not here today, but you
guys are getting me worried.

MR. ROTHSTEIN: I’m close to his chair. Just for the record, I wanted to
clarify that patients do not sign consent forms when they enter health care
institutions. They are not required to do so by HIPAA. They are given a notice
of privacy practices and they are then presented with a form that is an
acknowledgement that they receive the notice of privacy practices. So there is
neither consent nor have they the opportunity to opt out of these disclosures.

So to answer Bill’s question, they don’t have probably any specific notice
in even the notice that they are given. Typically what it says is that your
information may be used for treatment, payment or health care operations, and
health care operations improve quality improvement, more or less.


Agenda Item: Centers for Medicare and Medicaid

MR. RAPP: Thank you. Thank you for the invitation to speak today. The
presentation I have is directed toward answering questions five and six, which
I think were the primary things we were asked to address. We were also asked to
talk about the better quality information for better care of beneficiaries
project, the BQI project, that was previously talked about briefly by John.

The first question is what are the primary sources of data used for quality
reporting and improvement. With respect to CMS, we are involved in numerous
payment settings, so we in those various settings which I am going to go
through use a variety of types of data. What Sharon was talking about for
Hospital Compare is chart abstracted data with one exception. She mentioned the
mortality measures; that is the only situation in Hospital Compare where it is
based upon claims data, so it is a single place where hospitals don’t have to
submit anything to us, so it presents an interesting difference.

It is limited to Medicare/Medicaid beneficiaries, as she pointed out. The
reason for it is because it is claims data as opposed to chart abstracted data.

Claims which I will go through is another source of data. We also have
assessment instruments in the post acute setting, nursing homes, home health
agencies. It is required for assessment instruments on patients to be
completed, so that is a source of data. Then finally, electronic health records
are a source, although a limited source at this point.

We use the data for all potential uses, quality improvement through the QIO
program principally, public reporting in our numerous compare sites, and
performance incentives, we don’t currently have the authority to provide
performance incentives based upon how you do on the measures, but we do have
our demonstration authority and that allows the waiver of payment rules and
therefore in those situations such as the premier hospital demo, for example,
we can use the data for performance incentives.

I am going to go through several of the settings with regard to the data
sets used and the current methods of data abstraction. What Sharon was talking
about with Hospital Compare is the source for the most part. Chart abstraction;
a validation takes place through a process where five charts per quarter are
verified to make sure that the chart abstraction was accurate.

Nursing home. We have nursing home compare as our primary use there of the
data for public reporting, that is used for other purposes as well for the MDS
assessment, but the MDS instrument is the data source there, through

What is interesting about the MDS instrument, that is considered equivalent
to the medical record. I like to look at data as primary source data or
secondary source data, so the medical record for all purposes is considered
primary source data. So if you get it out of the medical record, there is no
verification per se that one has to do. But nevertheless with regard to MDS,
even though we consider it equivalent to just another part of the medical
record, there was some verification done. It was basically looking at the
patients, in the same way you might verify a medical record to see did this
really happen with the patient. But normally once you get to the medical
record, if that is what it says, then that is the best evidence of what the
true situation was.

Home health, another assessment instrument, the Oasis assessment tool. We
use that on home health compare. Those are outcome measures at the present
time. As far as audit, there is submission algorithms which are used to verify

Dialysis facilities. We have dialysis facility compare. The source of that
data is claims. When you are dealing with claims data, I don’t know whether I
would classify it as primary or secondary data source, but I kind of thing it
is a secondary data source. It is not primary source in using my made-up
terminology here. Claims usually have program integrity oversight if things get
way out at one end or another. It is subject to review, but each and every
claim is not verified against the medical record, so validation of any claims
is the standard claims review process. I think it is in part what is wrong with
claims data when it is used for quality, because the accuracy of it is somewhat

Clinical performance measures nd the end stage renal disease area is
another source of data. It is used for quality improvement at this point. It is
not anything that is publicly reported. It comes from a chart abstraction
sample. There is data entry validation edits.

Next year it is anticipated that there will be another method of submitting
this data. It is called Crown Web. With that, one will have a more robust set
of data available with regard to ESRD, that that doesn’t just come from claims.

Physicians. We have initiated effective July 1, 2007, based upon authority
given to us by Congress last December, the physician quality reporting
initiative. This data source I refer to as augmented claims, because claims
data is those data elements that you as a normal course of business are
required to submit in order to get paid.

This however has additional data elements. We started off with G codes or
temporary HCPICS codes, but the AMA has developed what they call CPT-2 codes,
and those codes are specific quality codes.

So for example, if one of our measures is the percentage of patients that
had a hemoglobin AIC greater than nine, in other words, bad control, the
physician will as part of the normal claim submission process submit the ICD-9
code diabetes, will submit the CPT code indicating an office visit, but
normally would not say anything about hemoglobin A1C. If one is trying to
figure that out, one has to then go to the data source, which is the lab test
that the patients receive, which may or may not be readily available.

Here, we are asking the physician to indicate to us as part of the quality
reporting a CPT code which ties to each measure. So we have 74 of these
measures in the physician quality reporting initiative. I’ll talk a little bit
more about the robustness or lack thereof of claims-based measures for
physician quality measurement when I get to BQI, but this I think for the
future is an important source of potential quality measurement data for

The only thing missing is that since it is claims data, it is coming from
in this case Medicare claims, because Medicare is the only payor that has
implemented this so far. But insofar as the measures are implemented in the
future by the private payors, and private payors require physicians to report
these same measures, the potential exists for a much more robust set of

Actually, in the dialysis facility, we use G codes there, too. We ask the
dialysis facilities to report to us the hematocrit, for example, and the
effectiveness of the dialysis indicators. So it is possible to augment your
claims in this case by giving physicians a one and a half percent incentive
payment to do that.

The other major thing that we are doing for physicians, at least under my
purview, is the better quality information to improve care for Medicare
beneficiaries. This was mentioned by John. It is a QIO contract, and therefore
it is necessarily directed toward Medicare beneficiaries, and providing them
with more information. I’ll get to that in more detail and tell you what that
is about, but it is claims-based data. Medicare information is aggregated with
private payor data, and the validation is standard claims review.

Then finally we have Medicare Advantage plan finder. It uses HEDIS data.
This is I suppose the grandfather or quality measurement. It starts at the plan
level, easier to do populations as opposed to all the individual attribution
you have to do when you try to report on individual physicians. But we have
that so patients can compare Medicare Advantage plans.

Reuse of data. I probably could go into more detail here, but one use is
publicly reporting this information on Hospital Compare. Of course it doesn’t
have any patient identifiers and it is related to the hospitals.

We do have downloadable data files associated with this. Sharon was
mentioning tertiary use of data. Basically it comes down to this: With the data
that we post on Hospital Compare, any person in America would set up a pay for
performance program for hospitals. They just say, do better than you did last
year on Hospital Compare. We have got the data. CMS provides it publicly and so

So there is a lot of potential there either for public reporting and
analyzing. And there is quite a bit of research that is done, and they tell us
what is good and bad about our quality measures frequently in the medical

As far as consent and that sort of thing, the quality improvement
organizations have special statutory authority to deal with individual patient
data. They can’t however take it outside that arena. So they can work with it
inside for quality improvement and so forth, but they have very strict
limitations on what the quality improvement for an organization can do.

However, once the data comes to CMS, we have the ability to make it public.
That is what we do with Hospital Compare. So that information collected through
the quality improvement process, once we get it, we have the authority to then
make it public, which in some cases we do and some cases we don’t.

Future sources of data. I think we always have to keep in mind electronic
health records. As good as claims data may or may not be, it is not the best
source of information since claims are for a different purpose, really. Insofar
as we are looking to the future, we need to always bear in mind electronic
health records, and what we can do to try to help push that process along and
what we will be able to do when we have it. To the extent that we do have it,
will it make some of the things that we are doing now particularly with claims
data not so necessary. So I think that is always important to keep in mind.

There are such things as clinical data registries, which is another thing
that I think is a really important source of data. That would be a secondary
source, but for example the Society of Thoracic Surgeons has a database that
for the most part cardiac surgery is reported there, and they keep track of
outcomes. They do that over time.

One of the criticisms I think we frequently have of the quality measurement
process is the very short period of time that we are dealing with. We don’t
deal with things over time, but clinical data registries have the capability
that you actually learn something new with the quality measurement as presently
implemented. We can say they did this or they didn’t do that. They met a
criterion and they didn’t meet a criterion, but we don’t really learn anything

One of the negative aspects of quality measurements is, you freeze things
in time and you say this is what you should be doing. That might be that way
today when we do the quality measurement, it may be different tomorrow. The
more detail in quality measurements you get, the more they are subject to

For example, on Hospital Compare we have a choice of antibiotic for
prophylaxis to prevent surgical infections. When you talk about measuring some
party on the choice of antibiotics, you are going to face immediately the fact
that you have antibioitics that change very frequently, and you have bacteria
that don’t pay too much attention to this either, and they change very

So when you have both variables moving around, then you try to lock it down
for quality measurement, and especially as we move to value based purchasing,
which we are going to hopefully have the authority to do, then you have to lock
down things for several years, because you have to compare the one year with
the previous year. Then you have to give notice of the measures of the previous

So if you have a measure that is subject to change, that then is going to
have a limited utility, which leads me to the conclusion, valid or not, that
process measures have some fundamental deficiencies. To the extent that we can
move to outcome measures, we will be better off because we will be able to
cover things over time, and we will be less dependent on the vagaries of
different processes of care, and we will have less impact. It is always good
not to die from a medical treatment, but it may not be good that you had a
certain process of care.

As far as health data exchanges, we get our information directly through
the methods that I mentioned. As far as using for other purposes, the quality
improvement organizations have the statutory authority to collect and use
patient level data for quality improvement. Then we publicly report the
de-identified quality process and outcomes.

Let me get, as I promised to do, to the better quality information to
improve care for Medicare beneficiaries project. This is as I mentioned a QIO
contract, so the scope of work is limited to those things that will be of
benefit to Medicare beneficiaries. However, we take advantage of work done in
the private sector that John mentioned, in terms of looking for ways to
aggregate data.

What we are doing in this project specifically is with respect to six
localities. We are having the contractors take Medicare data, Parts A, B and D,
and aggregate it with the private payor data that they will get in these local
communities, and Medicaid claims data when it is available. Once that data is
aggregated, then to calculate performance measures using a subset of the AQA
starter set of measures which John was also talking about.

Once we get that, and we should get at least at the physician practice
level some of those performance results soon, we will have the capability of
publicly reporting that on a CMS website, which we don’t intend to do with an
interactive tool such as Hospital Compare, but merely to publicly publish the
data. Once that is done, then it will be available to the organizations at the
local level, that they could publicly display it in a web format. As I
mentioned, once we publicly send it out there, it is free for the world to use,
but in this case definitely available for the local organizations to do.

We are starting off with the first set of deliverables with five measures,
and then next year it will be 12 of the 26 measure AQA starter set. There are a
number of measures in the AQA starter set that don’t relate at all to Medicare
beneficiaries, such as cervical cancer screening for patients up to age 64. So
it is hard to say that that is a real pertinent measure for Medicare
beneficiaries. So we don’t use that one, for example.

Other measures. I think this is an important thing. Getting back to claims
measures in general, they present a lot of problems. In working through this,
the first thing the contractors had to do was just get used to working with the
data. So they had to get the Medicare data and the private data and so forth
and play with that for awhile.

There are limitations related to how you can measure quality using claims
data. For example, colorectal cancer screening with look-back periods of ten
years, that sort of thing, bringing together the lab data, bringing together
the pharmacy data, where are you going to get that, which payors have this. So
the ability to get all that data together and find measures that you can
actually calculate is tough in and of itself. When you are dealing at the plan
level it is a lot easier.

Most of these measures in the AQA starter set are HEDIS measures, so they
were originally designed for plans. They weren’t originally designed for
physicians. So ultimately to be able to use them for physicians, you have to be
able to attribute them to physicians. So when you do that you have to make some
policy decisions; which doctor of the dozen that the patient saw in the last
year is responsible for her not getting a mammogram, for example. So we would
know whether the patient got the mammogram or didn’t get the mammogram, we know
all the doctors they saw, but what are the rules that make one doctor
responsible from the standpoint of pay for performance or publicly reporting
and which aren’t.

So that is the sort of issue, and that is a primary issue that we are
working through with the BQI project. I would say the output of it, we are
going to have a certain number of measures available to be published for a
certain number of sites, but the main thing that we are going to get out of it
is a methodology. We are going to take our six pilots and beat their heads
together, not literally of course, but we are going to encourage them strongly
to come to an agreement on a form of methodology that we can then use in other
situations, because if you don’t have that, if you have every different payor
using a different methodology, and every time you use claims data, for this
purpose it is 30 percent of the claims for an office visit, was this doctor
okay. Another methodology might be one visit. You can’t have that if you are
going to have some kind of uniformity.

One of the things from the federal standpoint, the Secretary of HHS
frequently says that health care is local, which I am certainly not going to
argue with. But from a federal standpoint, he also says that we need some kind
of a system that — our job is to try to encourage some uniform standards as to
how you do things.

I think what you are working on here is standards for use of data itself,
but from this standpoint we are looking from the standpoint of uniformity and
measurement, at least the use of claims data here.

So those are some of the primary struggles that we are having. But as I
mentioned, another fundamental struggle we have to do is to what extent can you
measure quality using claims. I think we can go a lot farther than we have so
far without question. There is opportunities potentially in the hospital arena
to use claims data more than we have so far.

We are dealing with the chart abstracted data, but the main thing, getting
back to John’s presentation, that claims data doesn’t provide is all payor or
all patient information. Physicians will tell you, I don’t want to be measured
by what I did with a Blue Cross patient or an Aetna patient or a Medicare
patient; I want to be measured overall, just like the hospitals are. So that
means that insofar as we use claims data, we have to have a methodology like
BQI is exploring for physicians of aggregating that data and getting it to the
point that it will represent the overall quality of a given provider.

The way the BQI project is working, we are taking raw data, aggregating it
and calculating performance results. That I think is what most people think in
terms of as far as aggregating data.

Obviously that presents a lot of potential privacy and other issues if you
try to take that outside the protected environment. Other options which would
be potential would be getting to how you make things anonymous and still
effectively use the data, would be potentially to calculate the results at the
payor level and then aggregate the performance results based on numerators and

So that is another thing that we are not really exploring through this.
This is using the raw data. Insofar as the different challenges that exist for
aggregating Medicare and other data can be overcome, then this will provide a
model for that

Thank you for the opportunity to present. I hope I addressed some of the
questions that you had.

MR. REYNOLDS: Thanks to all of you, excellent.

MR. STEINDEL: Thank you very much for this interesting talk. We have heard
a lot of very interesting topics. I am going to ask my questions based on talks
that we heard yesterday.

The first one is addressed directly to you, Sharon. This concerns your use
of the term anonymous patient data. I am particularly asking this question with
respect to your introduction of the new term, de-anonymized data. What do you
mean by anonymous patient data? We have been hearing that the meaning of this a
lot of times is in the eye of the beholder.

MS. SPRENGER: Yes, we have a workshop on all the different terms. We have
no identifiers on that patient. We have stripped off the birth dates, all those
type of data elements. So we don’t have anything that would identify that
patient to trace them back to who they are.

MR. STEINDEL: But do you have some of the dreaded HIPAA 18 creeping in?

MS. SPRENGER: No. But we really don’t know.

MR. REYNOLDS: So would you say it is de-identified plus?

MS. SPRENGER: If you like to use that word. We use the word anonymous, but
we don’t have any of those identifiers.

MR. STEINDEL: Well, if they don’t have any of the dreaded 18, then it would
be de-identified as defined by HIPAA. ow, what that means, we have been


MR. STEINDEL: I had another question, one of Mike. Mike, are you familiar
with the proposed rule just released by CMS on the changes in the payment
process, that seems to expand and formalize the use of data registries for

MR. RAPP: You are talking about addressing clinical data registries for the
BQI program?


MR. RAPP: Yes, I am.

MR. STEINDEL: I just wanted to get it on the record. I just got e-mails
from all the groups, and it seems to have come out this week, and comments are
due on the 31st.

One thing that seems to be significant about it, it is about 100 pages
shorter than the HIPAA reg, which puts it at 924 pages. But there are ten pages
that discuss an expanded role for quality registries, clinical registries for
quality and the PQRI process.

DR. SCANLON: Could I follow up on that though, since Steve put it on the
record? Isn’t it though that it is in the rule that CMS in 2008 is going to try
five different approaches using the registry? And there is not a settlement in
any of them in terms of what is going to be the rule of registries.

MR. STEINDEL: I just looked at it very quickly, Bill, and that is what
appears to be the focus of this proposed rule. I was just pointing out that
there is the start of a mechanism within CMS to formalize the clinical
registries. We have had some discussion based on the testimony we heard
yesterday from clinical registries about their role in the formalization.

MR. RAPP: What the tax relief and health care act of 2006 said was, it gave
us authority to implement the physician quality reporting initiative that I
mentioned, that is augmented claims. So there are a number of quality data
registries, in particular the Society for Thoracic Surgeons, which is
referenced in the statute.

The statute requires CMS to address data registries for 2008. The way we
propose to address it in the rule is to test the submission of quality data
from registries.

The rationale here is that under PQRI, we are asking physicians to submit
some additional quality information that potentially they are also submitting
to a data registry. If we were to say, that is great that you are doing that
for the data registry, but to get our one and a half percent you have to also
send it to us, we could potentially undercut the development of data registries
such as this.

I mentioned some of the advantages of them. So I think that is the
underlying rationale for why that is in the statute, and how we propose to
address it is to test various mechanisms of the registry submitting data to us.
We were seeking comments as to which testing we should do or not do.

DR. COHN: First of all, I want to thank our testifiers. It has been very
useful. We will be following up with you.

Sharon, I especially want to thank you for adding the term tertiary uses of
data to our vocabulary. We have been heretofore talking about repurposing of
data as it gets into secondary sources, but I think you are helping us refine
our thinking on this.

Michael, I have a question for you. Sharon, I think we will want to hear
testimony on some tertiary users and repurposers of secondary data. I think it
is as much a question as anything. In your BQI pilots, the question I would
have is, are the contracts and rules by which they are using the data, is that
publicly available? Is this stuff that we can review? And is there any sense of
— given the amount of data that they are going to have, all of which is
individually identifiable as I understand it at this point, if indeed it does
become de-identified, what tertiary purposes could all those data be used for?
Is this being contemplated in the BQI pilot discussions?

MR. RAPP: The primary uses of the data would be for potentially — first of
all for quality improvement. So there is feedback given to the physicians as to
what their rates are. Even that is somewhat complicated by the restrictions on
the use of data even within the QIO program, but in addition, public reporting
at the group level and individual level.

One of the cautions people have in these local collaboratives, the idea of
the localities being involved in that, is to work through the sensitivities of
measuring physician quality at the individual level. The one area we don’t have
a compare site is for physicians, so there needs to be some work done if we are
to get to such a point, first of all to make sure that these methods are those
that meet acceptance in the physician community.

In the hospitals, Sharon didn’t mention, but there is a preview period for
hospitals to review all the data. So we have to work through some of those. But
definitely for quality improvement but potentially for public reporting, as to
the availability of the methodologies. Yes, we are working on this with AHRQ.
They have sponsored learning efforts, so this will be part of that.

Yes, there is no desire to keep this secret. It is designed to share this,
and hopefully have the people interested in physician performance measurement
broadly benefit from this, and ideally use it.

DR. SCANLON: I want to thank you. I think what you have done is identified
one of the most important secondary uses of data, and talked about what you
might characterize as the pioneering effort.

John, you started off with where are data that we can use. The polite term
might be that they are highly unsatisfactory, but they are there. So that is
our reality.

I think what our work group is about is where are we going to be in five
years to ten years. We need to make recommendations that move us most quickly
to a much better situation.

So I wanted to ask you, given all the pioneering work you have done, and
you have been so preoccupied fighting all the battles to get to where you are,
the question is, there is a hope for the future that the electronic health
record is going to make this a whole lot easier. But the electronic health
record has to be of a certain format in order to make that true.

I think Sharon, you said you were going to start some time this fall
looking at that question. I am wondering if today you have anything you can
help us with in terms of how we should go about thinking about what that
electronic health record should be like to facilitate exactly this kind of a
use. This to me is where we have the potential to break down.

Right now, in terms of these quality initiatives, in other contexts I hear
people talking about, I have got electronic health records and I am having to
hire abstractors in order to submit information for the hospital case, or
physicians if they are in the same situation. This is not where we want to be
down the road.

MS. CRONIN: Can I add a little bit of context to that question, too? There
are other people exploring that particular question. I think in a lot of
conversations we have had in the AHIC quality work group and elsewhere, we
recognize that it is not just the electronic health record in the new
electronic health care that are interconnected in our health care system. We
are actually going to be over the next many years relying on electronic
clinical data coming from a variety of sources, including the electronic health

We have some processes in place now through the standards panel and the
certification commission to try to get the EHR to where it needs to be over the
next five to ten years to more automatically export the very detailed amount of
clinical data that is going to be required. And also considering the realities
of work flow and clinical documentation and how hard it is going to be to now
get to standardized detailed granular clinical data that we need over time.

Those processes are somewhat being addressed, but the concept of how do you
take not only data from ambulatory care or inpatient care in an electronic
health record, combine it with what you might be getting from electronic lab
results from another network, medication data from another network, and in the
context of having network services available that will allow for the sharing of
that data and the aggregation of that data as needed. From that larger
perspective, not just the EHR, but all the network services around it and the
various different data sources that have been talked about probably over the
last couple of days, in that context I think your question is right on; what do
we need to be thinking about in terms of authorizations of procedures that need
to be in place.

MR. WHITE: Just a few quick follow-ons to that. Thank you for calling all
that out. That is exactly right, Kelly. Erin and Christine and I and many other
people have been spending a lot of time recently thinking about just exactly

One of the specifics things about that is, we had a meeting convened by the
National Quality Forum called the health IT expert panel. Many of your previous
testifiers have been in that. Paul Tang is a part of that. That is a process
that will continue to move forward to look at that issue.

We are actually getting ready to award a number of grants. Back a year and
a half ago, we realized that this was going to be an important issue. We are
getting ready to award a number of grants for two-year projects that look at
how health IT enables quality measurement.

Not to divulge the gory details, but for example there is one project that
is in a very well known, highly digitized environment, ambulatory environment,
that is going to look at the 26 AQA measures, and compare data that is derived
completely from the medical record, versus a hybrid claims chart review method
versus a claims only method. That is one example.

In five years, my hope is that we will be a lot closer. We will have some
answers from some research and other activities that have gone on and are
underway. I also know that a number of the BQI projects, while they are looking
at claims data, a number of them are IT enabled. Indiana is very much so,
Massachusetts is very much so. I think you will get some good answers from

I guess the final point that I would make is just to emphasize something
Kelly said. I am one of the CCHIT commissioners. On Monday we will be in
Chicago. We have meetings every month, and this is something I know that group
is definitely focused on that we are going to richly discuss over the coming
months and years.

MR. RAPP: I just wanted to follow up. In the EHR part and the rule that has
been published, for 2008 we do make reference in the registry section of
potentially allowing for submission of PQI measures that overlap with the doc
IT project. So it potentially may be an available avenue.

So just like with the registries, the desire would be not to undercut
registries by saying even though you submit to a registry, you have to also do
it by claims.

Insofar as this might be feasible and practical, it would mean that
physicians who had EHRs could submit their PQI data that way. They wouldn’t
have to also do it by claims just to get their one and a half percent. So we
are trying to allow for that flexibility and look to the future and not just be
fixated on the current opportunities.

MR. REYNOLDS: Mike, last question, then we will take a break.

MR. FITZMAURICE: I too want to express my appreciation for the fine
testimony. From you we hear about what are the legitimate, that is, the
accepted uses of health data to improve care, and you all are doing a great

I have four questions for John.

MR. REYNOLDS: Did you say four questions?

MR. FITZMAURICE: One question in four parts. You have to wonder about an
organization that is the ambulatory care question alliance. But I’ll get over
it because I got over CMS.

The first question is, the performance measurement work group, of the 120
AQA approved measures approved by AQA for use in quality measurement, quality
improvement and pay for performance, or are they just approved for testing and
further discussions?

MR. WHITE: They are accepted by the AQA. So as the AQA themselves go out
and do quality measurement and pay for performance? No, they do not. However,
their individual members and a number of other processes have looked at AQA and
the AQA acceptance of these measures as a form of endorsement, not dissimilar
from NQF endorsement. So to that extent, it confers some broad acceptability
upon those measures.

MR. FITZMAURICE: Fair enough. The reporting work group; you talked about
principles. Is there any principle in that reporting work group about physician
specific reporting? The N is so small for a lot of physician measures.

MR. WHITE: It does talk about that specifically. I would share those with
you. I think it would probably be worth sitting down looking at those, because
there are a couple of those principles that address that issue. It should be
fair and equitable.

It may not be directly addressing the issue of when the N is too small in
power, but I think those ideas are incorporated in there, yes.

MR. FITZMAURICE: In one of the slides you talked about the BQI pilot and
structural capacity. Does that refer to a physician who says, I would have done
this, I would have ordered an MRI or would have given a flu vaccine, but we
don’t have an MRI in the area, or there is a vaccine shortage and I couldn’t
give it to the patient. So don’t ding me in the numerator for the measure.

MR. WHITE: You are talking about exceptions now, which I think is probably
different than structural capacity. I think you are talking about where the
data comes from and how you can get it. So that is different.

MR. FITZMAURICE: So the structural capacity refers to the capacity to


MR. FITZMAURICE: Finally, out of AQA, are there any suggestions coming out
for priorities and adding clinical data to the claims data to improve the
validity and accuracy of quality measures? You have got a whole bunch of stuff
based on claims data, then they say, if you just added hemoglobin A1C to this,
you would have a better quality measure, or if you just added this.

MR. WHITE: There has been some work at our agency on that recently.
Specifically, Anna Licksheiser and Michael Pine and a number of other folks
have recently published an article in JAMA that talked about adding small
nuggets to claims data to administrative and how that gets us closer.

AQA, I’m not so sure. Yes, Mike?

MR. RAPP: Just to clarify a little bit the relationship between AQA and
NQF, NQF is an endorsement body that is capable of producing voluntary
consensus standards which the government is required to use in preference to
government standards.

The AQA is more a selection body. It selects among NQF endorsed measures,
or those that they anticipate to be NQF endorsed. It doesn’t develop measures.
It doesn’t go through the rigorous type of technical evaluation panel that NQF

So as far as however many measures that you indicated they had, they
started off with the 26 measure starter set of HEDIS type measures. Then
basically adopted most of the measures that are in the PQRI. So as John
indicates, it does represent a broad acceptability. But as far as the details
that you are talking about, I think we would look for NQF to make those

MR. FITZMAURICE: So if I’m a doc, I would say, I don’t want to be bothered
with this measure unless the AQA says it is acceptable. Further, I don’t want
to be bothered with it or judged by it unless a larger consensus body said yes,
it is okay. Then CMS might grab it after that and apply it to me. I would be
okay with that, roughly.

MR. RAPP: That is the process that we are using.

MR. REYNOLDS: Simon has a comment, then Kelly has a comment, then we are
taking a break.

DR. COHN: I’ll be very brief. For better or for worse, eight years ago,
about nine years ago, I chaired a work group that established CPT category two
codes. They were meant to be at that point temporary to be moved into the world
of clinical terminologies and codes. They were a little less temporary than I
think we had assumed.

But having said that, as you move into these category two or the G codes
that Michael had described, you really begin to get into a blended clinical
environment, and it is no longer a diagnosis of dialysis, it was, was the
hemoglobin A1C above or below one-seven, above or below nine. It begins to make
the edges a little funny about what is clinical versus what is administrative.

I just wanted to point that out. It is an interesting blend of environment
we are moving into.

Kelly, I think you have the last comment.

MS. CRONIN: Yes. I was wondering, Mike, if you could comment on how CMS has
looked at the use of the clinical data warehouse in Iowa in terms of receiving
data under Part A for quality measurement. You articulated how it is different
once CMS receives it and you can publicly report it.

Has HHS interpreted the use of the data in the clinical data warehouse to
be under the QIO authorities explicitly? Or has anyone interpreted it to be
clearly allowable as part of health care operations under HIPAA?

MR. RAPP: I think we looked at that as part of the QOI program at this

MS. CRONIN: And has OGC ever looked at it under HIPAA?

MR. RAPP: I’m not sure.

MS. CRONIN: You’re not sure, okay. It might be something that we might want
to look at at some point in time, about is there any precedence for what is
considered health care operations.

MR. REYNOLDS: We had a lot of discussion on that yesterday.

MS. CRONIN: I just wanted to make note of the fact, and hopefully we can
talk about it later, that Senator Kennedy introduced a bill that has a lot of
provisions related to what we are all interested in around disclosures and

I can review a high level summary of what I just read about this morning. I
think this just happened in the last day or so. But it is very interesting, and
some of the specific provisions probably pertain to much of what we are going
to be interested in in the next couple of months.

MR. STEINDEL: I just wanted to mention in my quick read of the reg, it does
make a reference to the CMS data warehouse as a repository for information from
the registries. So there seems to be a lot of thought going on in this area,
and we should consider exploring it.

MR. REYNOLDS: We will be back at 10:35. So you’ve got eight minutes.

(Brief recess.)

Agenda Item: Health Record Banking

MR. REYNOLDS: We are going to talk about health record banking. We have
Bill Yasnoff and Jonathan Gold. Jonathan, are you going first? For this panel
we have a hard stop at 11:45, so they have agreed to hold it to 20 minutes
apiece, and then we are going to have some time for questions. Jonathan, please

DR. GOLD: I am Jonathan Gold. In my background I am a pediatrician. I have
worked in the hospital for about 15 years. I also in a previous life was a
medical quality assurance director for a region of a rather large HMO.

About three years ago, I was a postdoctoral fellow at Johns Hopkins
University in medical informatics. What I will be presenting today comes out of
the research that I was doing there specifically about the health banking

Presently I am employed by McKesson. I do want to give a disclaimer. This
is my research, and this is my opinion. I don’t have any financial interest in
what is going on with the banking system.

What I would like to do is, I would like to go through three sections. One
would be an overview of what the health record banking system is about.
Secondly I will talk a little bit about the research that was done,
specifically parts that are related to the secondary use of health data, and
then just to summarize the presentation, I will talk about a few questions
which I think this work group needs to consider, analogies and resources, if
you have not considered them yet.

So health banking 101. In your handouts I have skipped a number of slides.
I felt like I was rushing through an open door. I don’t need to convince you
that there are reasons for having secondary use. One thing that I did put in
the handouts though is, I did a quick and dirty study of the New England
Journal of Medicine to find out in the year 2006 how many research articles
they had and what were the study populations for those. You can see that it
comes out to about 326. Of those, two-thirds had study populations of fewer
than 150 and four-fifths had study populations of fewer than 500. I think if we
are looking for reasons for investigating secondary use of health data, that is
a very important number to keep in mind, where we are today.

If we talk about what we have today, what is our information flow, this
would be how we go about doing things. You can use the term patient or
consumer. I tend to use the term consumer. I go to doctor A, within the upper
left-hand screen, and I will tell this doctor about my medical needs, and this
doctor will typically — if they are one of the 75 to 80 percent of doctors who
don’t have an electronic medical record, they will simply scribble something
down, put it away. If they do have something, they will typically put it in
their computer on board in their office.

Then if I go to the next doctor, the same thing will happen. There is no
connection really between these two doctors except the scribble, or through the
consumer who tends to be the person who caries the information.

If I remember, I feel fairly well versed as a physician in my medical
history. Yet, I know that I will forget something. I will be asked, what were
the surgeries you have had, and I have not had many surgeries, and I’m sure I
will forget some important detail that maybe later I will recall. If I were 20
years older and had substantially greater amount of information, I may very
well forget that little green pill that I am taking that is keeping me alive.

There are other entities, hospitals, labs, et cetera. This slide is simply
to say that the linchpin here is the consumer, and the consumer may or may not
remember all that is going on with them.

We were trying to think of an analogy. I worked with Marian Bell on this,
and we were trying to think of an analogy between what we want with medical
records and what happens in the real world. We said, let’s look at banking.

Now, in banking you have got all sorts of different account holders. You
have all sorts of different ways of handling accounts, so in the banking world
you might have a small accounts holder, a medium sized holder like a small
business, or a large enterprise like corporations. What would the analogy be in
the health record banking system?

A small account holder would be like an individual or a joint family
personal health record. I would be able to talk about my children. We would
share a record. When I go to doctor A or doctor B, the child doesn’t have to
present that. Or with my elderly mother, I would also be able to access or help
her in presenting her record.

If you talk about medium sized accounts, you might talk about something
like a solo physician practice or a group practice or pharmacies. These would
be the different types of bank accounts available of account holders, and large
enterprises would be HMOs and hospitals.

I am using this as background material, because when I go in to show you
the actual setup, you will understand why you need this background.

If we talked about types of accounts right now, if you go to the bank you
may have a savings account, a checking account or whatever. There are different
bank types and different sources of revenue. In medical records, there are
really two different types of records. We are talking about electronic records.
It is either text or it is an imaging file. Even things like monitoring are
ultimately imaging tied into a temporal aspect, but are two basically different
types of files. But for quality’s sake, you might have a text health record,
which is what the doctor scribbles. You may have imaging, which is your
radiology images. You may have your lab data which also is text, and you may
have genomic data, which I imagine in the next ten or 20 years we will all have
that in our files.

There are different types of banks we have. We store things at the savings
or the credit union. Here, there might be different types of health record
banks. There might be a full service bank that deals both with the physician’s
records and the patient’s records, or it might be a specialty bank like the
genomics specialty bank for storing that type of information. There might be
physician’s services banks, et cetera.

I think probably one of the important parts about the banking model is,
when we talk about RIOs, or we talk about other things that we are becoming
familiar with, at a certain point those entities need to become independent.
They need to become financially independent and if they are not, they will
fail. This is how this country works. We need to take into account that the
federal budget will not always be there to prop up things that we think are
important, including the health records.

So the health record bank would have a means of being self sufficient, if
not immediately, over time. That might include member services. I may pay a fee
to put my records in. I may put my records in and receive a dividend as a
consumer, like when I go to a savings account and I put my $200, I receive one
dollar a year in return as interest, or maybe I can lease out de-identified
data. It is not de-anonymized data, but my de-identified data, and receive an
interest that organizations would go and ask to review data which has been
stored without knowing who it is. When you have studies that appear in New
England Journal of Medicine, four-fifths of them wouldn’t have only 500 people
that they had researched. You would be able to grow over time and have tens of
thousands if not hundreds of thousands of people as you develop, and have banks
that have tens of millions of people.

Other things would be selling disaster recovery plans to hospitals and
HMOs. It could be a personal disaster recovery plan. Health record curation is,
as we go from the paper record to the digital record, we will need probably an
intermediary who will help guide organizations and individuals through those
steps; what are those immediate records that need to be digitized, what are
those secondary records and how do we link things. So that would be a service
that would probably be a source of revenue.

Let me get back to — I showed you an as-is slide. Let me get back to more
explicit slides of what the health record banking system would be.

Rather than having the consumer as someone who may come and give
information or may not but would serve as a courier, here we have the consumer
who is controlling who has access to his or her record. Basically, I would go
to a physician, I will say, you are my physician, here is my code, you have
access to all of my records or these parts of my records for a certain time
period. You can use this PIN to get into it.

The moment that I decide that I have moved from Milwaukee to New Orleans, I
can turn that code off. That means that the physician will have had the ability
to enter stuff up until the moment I turned it off. I will show you in the next
slide, the physician will retain the right to always review those things that
the physician has written or received related to that patient, which they have
authored or they have received.

Here I am just working in general. Allied health care professionals; it
could be the nurse who comes and does hospice care. Medical services, there
would be different types of relationships. One might have a read-only ability,
one might have a write-only ability such as my heart monitor only needs to
write, it doesn’t need to access my records for more information. Public
agencies may be able to look at certain parts of the data. There might be
personal actions. It might include the acupuncturist who would not be part of
my HMO but who I would go to, who might have information that would be
important to enter into my record. There might be additional information

If I look at my role as a provider, what am I doing? I receive a key from
the consumer to open up that record. I know that this is the record. I will of
course ask many questions, but I know that I have access to everything that has
been digitized and put there so that I can review it. But it allows me not to
hear four different versions and get different names for what that green pill
is that my mother is taking. I will know that this is what is called the legal
complete record of that patient.

I open the file, I examine the patient, and then I will send back an exact
copy of what I am taking as my notes to that patient’s file. Anything that has
that patient’s name or information on it goes back to the consumer.

In addition, I will keep a copy of this for myself. I can either do it
through a different health record bank account. Remember, I said the solo
physician or the physician practice might have it. Or I can store it locally.
To me, storing it locally is like putting my money under the bed and the house
burns down and I have lost the money. I think it makes a lot more sense to have
a bank account that I know is constantly followed up and backed up. We each
manage our records our own way.

Incidentally, if I haven’t pointed out, the name of the article — this has
been published, this was in the IBM Systems Journal at the beginning of this
year, so you will be able to read it a little bit more if you are interested,
with a bit more coherence. You will see the references.

What happens with that data? I’ve got it in the account. Here, the health
record then has to somehow store it. If I wish to have it without my data, it
has to somehow de-identify a component of that record, and then it needs to go
to some sort of data exchange.

This is like once upon a time when I was living in Baltimore, and I went to
the local Wachovia Bank in Baltimore, and they would take my money and they
would of course deal with the main Wachovia Bank in Maryland and throughout the
United States, and they would be able to leverage the money that they have to
lend it back to me or to larger institutions.

So we would have a number of small health record banks that would be part
— if you look at the left-hand screen, you can’t read it, but it says health
record banks, and they are part of a larger banking association.

What is this good for? Well, third parties are very interested in this type
of data if it is de-identified and if it is controlled by the consumer. So the
consumer can say, I do not want to sell any of my data, or I am willing to sell
all data not related to my psychiatric history, or I am willing to sell
absolutely everything as long as it is de-identified. Then other entities might
be interested. Pharmaceutical R&D might be interested, medical supplies.
The moment I have got a query, that I can say, show me how many people in your
database smoke, drink alcohol, take Lipitor and show me what their blood
cholesterols are, I suddenly have — out of the ten million, I will come up
with a million hits. What I do with that is something else, and who has access
to request that secondary use of data needs to be discussed, and I will talk
about that shortly. But there are many groups that would be interested,
including the academicians and the government.

Now I would like to turn to a second part. I wrote a white paper as of
December 2005. I distributed it in January 2006, and I sent it out to a number
of people, actually a few people who sit on this committee. Marc Overhage, I
spoke with Paul Tang, and I also spoke with Charlie Saffron specifically about
this, Bill Yasnoff, who is not a member of this committee, and I have spoken
about this as well. I sent the white paper and I interviewed them about a
number of critical issues that are raised in the paper that you can see from
the Systems Journal.

Four of the issues which I want to discuss are information security,
patient identification, legal, ethical implications, and I will show you the
fourth in a second.

Information security. We need to realize that in a system like this,
confidentiality and security are paramount. There is nothing that will sink the
system faster than if we cannot insure the stakeholders that what they are
putting in is going to stay in and will not be misused.

Here we have a different question. Is this a covered entity under HIPAA?
Right now banks are non-covered entities. We need to figure out how HIPAA will
latch onto this and will be associated with this. We need to talk about how
HIPAA can enforce what goes on.

Secondly, I’d like to talk about what are security limits. We need to have
it secure enough that stakeholders can use, but we need to also understand it
comes with a price tag. In fact, one of the people with whom I spoke said that
between 20 and 40 percent of the developing costs for a health record bank
would be spent specifically on security, and that is what you will have to
realize, that this would not be an inexpensive undertaking.

As far as patient identification and de-identified, I’m not going to do any
of this anonymization stuff, de-identified records and record matching, what is
the definition of de-identified information? If it is completely de-identified
it is completely useless. I don’t need to know the name and I don’t need to
know the social security number, but if I have no idea what the age or the sex
or the background of that person is, or if I have no idea of the temporal
aspects, did they receive drug A and five days later reaction B occurred, that
means something. If I say drug A and reaction B on the same patient, that is of
much less value.

If I am splitting up records, and once again this is a security issue, we
need to know how we can link file A and file B, how can I link my text file
with my radiology file, how can I link my record to my children’s records, and
how do we prevent fractionated accounts.

There are many people who might go to two different doctors. How do I
insure that my record is not split up? Part of that actually has to do with
people who don’t want their records to be known to all of the entities who
might have access to this. I don’t necessarily want my employer or my insurance
company to have access to my record, but what can I block from that record, or
what if I don’t want someone to see my psychiatric or gynecological history,
how do I block it or control that?

So the patient may grant limited or full permission or just opt out of this
whole idea, but also opt out of parts of sharing with their doctor. Then what
does this do with what the physician will know? How do we identify the
consumer, the provider or the institution? What IDs do we give to them that we
can de-identify them and then re-identify if we need to?

Do we sell answers to queries? In other words, I’ve got this pool in the
record banks, and I will allow you to query how many people take insulin, have
cough and have had a certain reaction? Or do I actually give them access to
de-identified data? It is a real question, because on the one hand it is much
easier to have secure files. On the other hand, the data is much richer and I
might be able to do data mining and receive a lot more information than I even
thought I would receive at the very beginning.

MR. REYNOLDS: You’re down to five minutes.

DR. GOLD: Okay, I will go through this very quickly. One thing I did want
— I wanted to address one question that you asked. When we are talking about
the electronic health record, it might very well make sense on a health record
to have a keyword index, so any time a doctor has ever entered the term
myocardial infarction, that will appear at the top of the record. If it is
mentioned 15 times, it doesn’t have to say it 15 times, but it might be
something that we can scan through and just hit those records that have those
bits of information there.

I am going to go through these a little bit faster obviously, with five
minutes. What are the legal and ethical implications? Right now patients are
not granted free access to all of their information, even if they request it
from their physician, they will receive a summary of certain parts of that
record. They will not receive everything.

Who owns or controls access to our records and who should own and control
access? The consumer should be empowered. On the other hand, the physician
continues to need access to those parts that the physician has authored or
received information


We do need national registration. It is imperative to resolve a lot of the
legal issues, not only a national registration; it needs to be in contact with
the state registration so they do not provide.

Stakeholder acceptance is really imperative here. Stakeholder includes not
only the consumer, but also the physician and the HMO and the hospital. We need
to engage in public dialogue. I am going to skip through this because I think
that I want to get to the questions and analogies and resources that I have for
the committee. I think these are three important slides.

The definition of secondary use of health data. Primary use is obviously
for patient care. Secondary use has multiple identifications. When I was
involved in QA, I would say that I was using data to gather information about
the diabetic patients in my HMO. I was aggregating them to know how in general
were we doing, how were the individual physicians doing, and then I would feed
it back to the physicians and I would say, these people have hemoglobin 1AC
over eight.

Is that secondary use? Yes, the first part definitely is, but there is also
a primary use component to that.

What are acceptable secondary uses for health data? I have fewer problems
sharing data with CDC. I have much greater problems leasing out data to the
tobacco industry. If they go to the health record banks and they say, lease us
this data, who controls that?

In my opinion, it is the consumer who controls it and says I am willing to
opt in or opt out at this level. You may share or not share with government
agencies, you may share or not share with research institutes, you may share or
not share with private corporations.

What are the acceptable means for sharing? What are the incentives that the
consumers are going to receive, or the stakeholders, which might be a physician
or a pharmacy, to share their data? What are the guarantees that we have for
confidentiality and security? I know that you discussed this the first couple
of days as well. And how can we engage the public in discussion.

The analogies. I want you to quickly remember, ATMs took ten years before
there was buy-in. What do you mean, take a card and you will give me money out
of a wall? I don’t trust it. You are going to eat up my card and destroy my
bank account. Online banking, where I can move much larger sums of money and
there is a virtual bank, I don’t even know where that is. How long did it take
for the adoption, and do we trust virtual banks? Today, I have to say that is
how we bank in our home.

The Internet also. You start at point A, you don’t know where point B or
point X will end up. We will start with the health record bank when this is up
and running. I’m not sure that any of us here in this room understand the
ramifications of that, the complete ramifications, and for better or for worse
we need to consider many aspects of that.

The Human Genome Project, I only mention it here because they very well
understand about engaging the public. Five percent of — I forgot which part of
their budget, is spent on the ethical, legal and legislative part, which is
involved with getting stakeholders on board.

Resources for consideration. We need representatives of those who might be
harmed by the secondary use of data, by sharing health data. I think that it is
clear you need to speak with groups like AARP or support organizations for
syndromes and for diseases, like the American Diabetes Association and the CF
Foundation, citizens’ rights advocacy groups and minority groups and the
uninsurable; how will these people deal with this type of bank.

Secondly, we need to engage those agencies with experience with medical
ethical issues and citizens’ rights organizations. Third, who is likely to
benefit from them. We need to engage them and ask them, how would you be using
this, what would be the limitations, how would you control that.

Fourth, once again, John White was asking at what point is this — who owns
this data, and John stated the person who has it on their computer or has the
file. I’m not sure I agree with that, but we do have experience in certain
industries with copyrighting such as the publishing and media, how did they
find what goes out on You-Tube.

With that, I’ll wrap up.

MR. REYNOLDS: Thank you, excellent. Bill.

DR. YASNOFF: Thank you. It is a pleasure to be here again. Many of you on
the work group know me. For those of you who don’t, very briefly, I am a
physician. My PhD is in computer science. I was elected as a Fellow of the
College of Medical Informatics in 1989. I built the immunization registry in
the state of Oregon in the ’90s, spent five years at CDC developing the field
of public health informatics, including co-editing the textbook in the field,
and subsequently and most recently spent three years at HHS initiating and
developing the National Health Information Infrastructure project in response
to the 2001 report from the NCVHS work group that led to the creation of the
Office of the National Coordinator. In 2005 I left and formed my own consulting
firm that primarily works on helping communities to implement successful health
information infrastructure.

I want to spend just a few minutes with you today talking about how health
record banks can enable secondary data use with privacy protection. I am
speaking on behalf of the Health Record Banking Alliance, which is an
organization which I founded last year, first met in September of last year.
The purpose of that group is to promote the concept of health record banks
which are as Jonathan has described in detail consumer controlled, independent
repositories of health records.

The Health Record Banking Alliance has brought participation, but as of yet
no formal membership. HIT vendors, health record bank organizations,
consultants of various types, privacy advocates are all participating. We have
over 100 people on the mailing list. We meet monthly. We have put together a
set of draft principles for health record banks which have been posted on our
website, and I would be happy to provide those to the work group if you are

I want to address the first four questions that you had asked. First of
all, policies needed to achieve the effective secondary data use. I wanted to
reinforce that there is very strong public support of secondary data use in a
2005 survey; 81 percent of those asked supported use of electronic health
records for research.

But the public also wants to control their information. In a 2006 survey,
64 percent of adults said they would like to have an electronic medical record,
but 62 percent agree with the statement that, quote, electronic medical record
use makes it more difficult to insure patient privacy. So the public
understands that as we make records more available for good and laudable
purposes, both direct patient care and secondary use, that privacy protections
have to be increased.

The policies that I believe are needed are, first, we need to put into
statute the individual right to medical privacy. We have to make it clear that
an individual may own and control a complete copy of all their medical records.
By this, I do not mean that consumers should be able to control the medical
records of providers. That is not what we are talking about. What we are
talking about is, the consumer should have the right to assemble a complete
copy of their own records and control that copy.

In that sense, the individual should be able to control all use of their
medical information, and consent should be required for whatever use that
information is put to. That consent may be provided in advance, may be granted
for a person, an organization, a specific study, and it should be for a
specific purpose only.

The second question that was addressed was the adequacy of privacy
protection under current law. HIPAA regulations in this regard are completely

This is a somewhat confusing issue. The treatment, payment and operations
exceptions in HIPAA that allow data to be exchanged without consent seem
completely reasonable. I don’t think in principle anybody objects to health
care information being used for treatment, payment and operations. The key I
believe to understanding this is, who decides what is treatment, payment and
operations, who decides, and who monitors the decisions.

Today, it is the organization that has the data that decides, and there is
no oversight or monitoring in any meaningful way. So if I am a health care
organization and I have data and I use it for a specific purpose and I
determine that it is health care operations, I am fine. I don’t have to report
that to anybody, nobody asks me, and there is essentially no one to challenge
that decision. The people who are the subjects of the data have no way of
finding out what I am doing with that information.

This is completely inconsistent with fair information practices which were
defined in an HHS study in 1973 and codified in the Federal Privacy Act of
1974. Unfortunately, the Federal Privacy Act only covers data held by the
federal government.

One of the reasons that is always given for this need to move information
around without consent is that it is too difficult to get consent. It is too
time consuming and it is an administrative burden. That is no longer the case.
We have the technical means to get consent, to record it.

Again, I am not suggesting that every time every piece of information about
a patient is used we have to go back to the patient and get consent. But the
patient can consent to broad uses. For example, the patient can consent to full
complete access any time to all their data by their providers. So there is no
need then to ask the patient another question every time there is a visit.

The third question was, what are the uses of health data with insufficient
protection. Based on what I just said, it won’t surprise you that I am going to
assert that all uses of health data today have insufficient protection, because
HIPAA is basically about disclosure, it is not about privacy protection. There
is no disclosure of specific uses. Individuals cannot opt out. Individuals
cannot find out what their information is being used for, and individuals
perhaps most importantly cannot prevent their own information from being used
against themselves.

De-identification which has been discussed is virtually never absolute,
hence the term re-identification. Typically any data that is de-identified can
be re-identified, and therefore the idea that everything is protected if you
de-identify is not technically correct. There has been wonderful research in
the computer science community about this. You can actually calculate
quantitatively the probability of re-identification of data. I would refer you
to Latania Sweeney if you would like to get some testimony on that. I suspect
she would be willing to do that.

This whole scheme really violates the Hippocratic Oath. The Hippocratic
Oath essentially says that the physician shall keep confidences secret. The
reason for the Hippocratic Oath, which is thousands of years old, is that if
the patient is not confident that their physician is going to maintain the
secrecy of the confidences shared, the patient will not share the information
and therefore you cannot provide care.

So I submit to you there is not a choice here between whether we are going
to have complete information shared without consent or whether we are going to
have complete information shared with consent. The choice is, if we share
information without consent, people are not going to provide the information.
We know from consumer surveys. There have been two recent surveys, one said 13
percent, the other said 17 percent of consumers admit to information hiding
behavior, going to another physician so that their regular physician doesn’t
know about it, not getting a test. I suggest that if that many people admit to
it, probably twice that number are actually doing it.

So the fact is that if we do not provide privacy, we will not get the
information that we need. So the choice is to have incomplete information for
care because we are not protecting privacy, or to protect privacy, do
everything with consent and have the maximum information for the maximum

I want to spend just a few minutes talking about this fourth item, other
NHIN related health information use issues. I am going to talk about the
requirements for community health information infrastructure, a little bit
about the health record banking model, and some secondary use implications, and
summarize my policy recommendations.

If you think about a community health information infrastructure, I believe
you need four things to make it successful. First, we need the complete
electronic patient information. This is the pot of gold at the end of the
rainbow. But in order to have that, you need three things to support it. First,
you need stakeholder cooperation. All the stakeholders have to play. Second,
you need financial sustainability, because without that you may build a system
and it will then go away. Third and perhaps most importantly, you need public
trust. The public is not going to allow these systems to be built and to be
operated if they do not trust that the information is being used properly, and
in particular is not being used against them.

So let me talk about these things one at a time. First, the compete
electronic patient information. The good news here is, most of the information
is already electronic, labs, medications, images, many hospital records. The
big problem we have are the outpatient records. A very small percentage of
physicians have adopted electronic records. The reason is that the business
case for outpatient EHRs is weak.

Now, there is policy argument about benefit. Some studies have shown an
above zero net present value to EHRs in a physician’s office. I would argue,
that doesn’t matter. Physicians do not believe that there is a business case.
They do not believe that if they invest money in an EHR that it will pay for
itself or better. As long as they do not believe that, they are not going to
invest the money. I think the fact is that the adoption rate remains slow,
although thankfully it seems to be increasing.

So I would argue that in order to make all the information electronic, and
there is a simple premise here, it is very difficult to exchange electronically
information that is not electronic; pretty basic. In order to make the
information electronic, we need financial incentives to insure the docs get
EHRs. So that is your first requirement. You have to have financial incentives.

Second, we have to have a single electronic access point where you can get
information. You have two choices. There are two ends of the spectrum. One is
to leave the data where it is and gather it up where it is needed, what I call
the scattered model. The advantages of this are, the data stays in the current
location and there is no duplication of storage.

But there are some very serious disadvantages. This means that every
system, every electronic system that has records in the world, certainly in the
community and the country, has to be available for query 24/7/365. The query
responses have to be in real time.

This means that each system incurs additional cost. You have to have
additional cost for hardware, for software and for telecommunications
constantly, particularly in physicians’ offices where you already have a
problem with the business case, having these extra costs added on is not going
to be helpful.

The response time is going to be slow, because you can easily be querying
for dozens if not hundreds of systems to gather up one patient’s record, and of
course your response time is going to be dependent on the slowest system. You
cannot search in a system like this. Why not? If I have a model like this and I
want to find all the people who have cholesterols over 300, I don’t have
anyplace to look. I have to basically say, gather up all the information for
patient number one and then look through it and see if anybody’s cholesterol is
over 300. Gather up all the information for the second patient and look and see
if anybody’s cholesterol is over 300. That is a sequential search.

In computer science, we do not do sequential searches, because we like our
searches to finish before we die. Any search you do with any application is
always going to be indexed. Think of it this way. If you wanted to find a word
in a book, you can go to the index and look for the word and then go to the
page, which is what you would do, or you could start on page one and look at
every word and so on. Even though computers are fast, they do not start on page
one and look through the book. They go to the index that is previously created
and they go to the page and find the information. So you cannot search.

This model does not support effective secondary use of data. You have a
huge interoperability challenge because everybody has got to be interoperable
in real time. Furthermore, if any of the systems where a patient’s information
is located happened to be down at the time you do the query, the record is
going to be incomplete.

So your other option is a health record bank, a central repository. You
take all the information for a given patient, put it in one place. You have
fast response time. You don’t have to interoperate between communities because
for a given patient, you go to one health record bank and get the complete
record. So there is none of this connection between communities. You can search
easily. The reliability depends on a single system. You can control security in
one location.

You may want to get testimony from folks in DoD that set up secure systems.
There is a set of guidelines called the DoD Orange Book. Guideline number one
is, when you set up a classified system, all the data has to sit in one place,
first thing. The completeness of the record can be assured, and it is very

The problems with this, and the reason this was rejected by HHS by me
actually when I was there is because who do you trust in the community, who do
you trust in Washington, D.C. to electronically hold every person’s complete
medical record? Who would you trust?

So this is a problem which I will address. Also, you have to duplicate
storage, but it turns out that is really not much of an issue. But I am going
to leave this as a requirement, and I’ll explain public trust in a minute.

Stakeholder cooperation. If you think the stakeholders are going to come
together and cooperate voluntarily, see me afterwards, there is this land in
Florida I’d like to show you. It is a little bit moist. You might be interested
in buying it.

You can of course pay the stakeholders to cooperate, but where are you
going to find the money for that? So I would argue that you have to mandate
stakeholder cooperation. There are two ways to do that. One, you can go up to
Capitol Hill or you can go to your state legislature and try to get a new
mandate for cooperation on health IT. Good luck. That is a long and difficult

But there is an existing mandate. This is where HIPAA helps us, because
HIPAA requires that when patients request information it has to be provided. It
is true, they can charge for it, it can be on paper and so on, but that is
enough of a lever to get the stakeholders to realize they are all going to have
to cooperate in a community, and this actually works. But you have to have a
system where the patients request their own information.

Financial sustainability. This is a really difficult problem. Your funding
options start with the government. I don’t think I have to explain to you that
the federal government is not going to pay for this. No one in the
Administration feels that this is a federal responsibility. No one in Congress
feels this is a federal responsibility. So unless you think the Supreme Court
is going to order it, it is not going to happen.

The states for similar reasons are not going to pay for it, although there
will be startup funds. There are federal startup funds, there are state startup
funds, which are helpful.

The health care stakeholders in many communities actually are paying for
this, typically the hospitals. But in general, the health care stakeholders are
paying for giving care, and this coordination is not really part of their
mission. It is kind of like going to McDonald’s and saying, I’d like a
hamburger and they say that will be a dollar, and you say no, I am hungry and I
just need a hamburger. They say no, unless you pay the dollar. We are not here
to solve world hunger, we are here to provide food in exchange for money.

The payors and the purchasers, the insurers and employers, ought to pay for
this. They are the ones that primarily benefit, but they are very skeptical,
rightly so, about the benefits. Also, there are these free rider and first
mover effects that they are concerned about. They don’t want to pay for someone
else’s benefit.

So that leaves you with the consumer. Interestingly, 72 percent of
consumers support electronic records. In two separate national surveys, a slim
majority of consumers have indicated their willingness to pay. One survey
specifically mentioned five dollars a month. So my suggested requirement is
that the solution has to appeal to consumers so they will pay.

Now let me talk about public trust, and then I’ll conclude. The key to
public trust in my view is that the patients have to control the information.
Essentially what you have to have is an electronic safe deposit box for the
records for consumers.

Just like a physical safe deposit box, when you go to a bank and you rent a
safe deposit box, the bank is providing you with an infrastructure to protect
your papers or jewels or whatever that you put in the safe deposit box. But the
bank does not have an ownership right to what is in the safe deposit box. So
for example, if the bank goes out of business, they can’t just pop open all the
safe deposit boxes and auction all the stuff off to pay their bills. So you
maintain the ownership, they provide the infrastructure. That is what we really

First, the patients have to control all access. Second, you have to have a
trusted institution. You think of trusted institutions, the first thing you
think of are banks. Why do we trust banks? It is not because they often have
Trust in their name. We trust banks because they are regulated by the state and
federal government, and the federal government in its wisdom provides all of us
with a no cost, no copay, no deductible insurance policy on all our deposits up
to an amount more than most people can deposit. So sure, we trust banks.

I used to say it was impractical to have health record banks regulated, and
now I have question marks by that because as I am sure you know, in the last
Congress legislation was introduced to create a regulatory framework for health
record banks. The House has introduced a bill just last week, I believe, with
30-plus bipartisan cosponsors. There will soon be an accompanying Senate bill.
So it is conceivable that there could be a regulatory framework which would
help with trust.

Today there is no regulation. Today the way I believe you can do this is,
you have it regulated via a community owned nonprofit that has all the
stakeholders in the community and provides independent privacy oversight, and
essentially supervises the contract, the operation of the health record bank.
So via those contract provisions, you can insure that the contractor is
following the right practices in terms of the use of that information.

Finally, my favorite topic which I will spend virtually no time on is, you
need a trustworthy technical architecture. There are many ways to do this. You
have to prevent large scale information loss and you have to prevent
inappropriate access to individual records. I suggest the two server solution.
You have one server that you use for searchers that you lock up and you have no
phone lines or Internet connectivity, and you put it in a vault and you lock
information in and out.

The system that provides access to individual records is an especially
constructed secure server. I call it a cubbyhole server, where each person gets
a block on the disk for their records, and the system is constructed in such a
way that no user of the system can see more than one block.

So the health record banking model, as Jonathan has described, all the
information for a patient is stored in one account. The patient controls all
access. The way I see it, each health record bank would have three interfaces
at least, a withdrawal window, a deposit window and a search window.

Whenever new care is received, wherever you receive new care in the world,
the records of that care are sent to your health record bank for deposit, and
therefore your records are always complete and available. Everyone has to
contribute because of HIPAA.

So how does this work? You have a health record bank with secure files, and
at a clinical encounter the clinician would inquire, and the patient has to
give permission. If the patient does not give permission, no data is sent. Then
you are going to have a very interesting conversation with the patient, but
I’ll leave that. Most patients overwhelmingly want their clinicians to have
their data, and hopefully the data would be recorded in an EHR and then all
that data would be added to the health record bank, and optionally the health
record bank since it is very inexpensive to operate, you can set up a business
model that will provide payments to the docs for those deposits from their
electronic health record and those will pay for the record.

I have two minutes. The secondary use implications. Privacy is protected
through consumer control. Each consumer customizes their own privacy policy. I
submit to you the only way we are all going to agree on how to handle the
privacy is if everybody gets to set their own privacy policy. I don’t think we
are ever going to come to consensus.

Health record banks facilitate secondary use because you can search easily
over populations. It is not necessary to release the data. You can provide
counts of matches with demographics rather than releasing data, and that
eliminates the issue of de-identification if you ever release any data. You can
combine searches over multiple banks through as Jonathan mentioned a health
banking association.

Banks could also notify individuals without the knowledge of the people
searching. So for example if you are recruiting for a clinical trial you say, I
am looking for people with these characteristics, send them this message. Then
you report back, we found 3,483 people who matched, we sent them all the
message, and maybe you will hear from them. So therefore, the person recruiting
does the recruiting and the people receiving the information are anonymous
until they decide to contact the researcher. The banks can collect fees for
these searching services, and they can share those fees with consumers.

Policy recommendations. The consumer has complete legal ownership and
control of their health record bank information. No exceptions are needed
because this is just a copy, so if anybody wants this for subpoena, for law
enforcement, they can go elsewhere.

The information needs to be protected from change in ownership, failure of
customer payment, bankruptcy. Consent is always for a single purpose access,
and there should be no coerced consent. The consumer should not be forced to
consent. All holders of electronic medical information should be required to
provide it to the bank within 24 hours of creation at no charge, assuming the
patient requests that.

Health record banks should be covered entities under HIPAA, although of
course what I am recommending goes far beyond HIPAA. And independent privacy
and confidentiality audits should be required, and of course you have to have
security procedures sufficient to enforce whatever privacy and confidentiality

Thanks very much.

MR. REYNOLDS: I would really like to thank both the gentlemen. You covered
a lot of data in the right amount of time, and we appreciate that very much. I
would like to open it for questioning. I know Justine wants to ask a question.

DR. CARR: Thanks, great presentations and very intriguing ideas. A question
I have just in terms of the logistics. We heard yesterday from Northern New
England Cardiovascular Registry for cardiac surgery. How would data that goes
there or to SCS or to any of these registries, how would because data delivery
interface with the data bank?

DR. YASNOFF: I would argue that if you have health record banks you do not
need to have registries, that the health record bank is the universal registry
and has all the information. I have had experience in the cardiovascular data
area, looking at outcomes and so on. The reason you have that data is so you
can query it. So you could do those queries through the health record bank and
you would not have to actually have the data.

Now, I will say that one of the additional aspects of this that is
important to recognize is that the surgical data includes outcomes. If you have
a surgical procedure and your outcome is very good, the record of that good
outcome is not likely to get into your medical record, either your paper record
or your electronic record, because few people will make an appointment with
their surgeon five years later just to have them put in the record that they
are doing fine.

So you have to engage an additional activity in order to collect outcomes,
and when you do that, you would want to then deposit that data into the health
record bank and then use that for ongoing queries.

Now, lest I be quoted tomorrow as saying I advocate the destruction of all
registries immediately, I want to clarify that obviously there is a transition
process. Until the health record banks can provide the capabilities that will
substitute for registries, which obviously will take some time, we are going to
continue to need registries, in which case during the transition patients can
give their permission for the data to be sent to registries for a specific
purpose, provided it is not for the release.

Did that address your question?

DR. CARR: Thank you.

DR. COHN: First of all, I wanted to thank both of you for coming to
testify. What I am observing, and I think Bill knows when I talked to him about
this awhile ago, the question was, what part does this play into our
conversations. The question I have for both of you is, and maybe it is an
observation as much as a question, it appears to me that a lot of models seem
to be merging. We are getting health information exchanges that are becoming
holders of data. We are getting health databanks that appear to be offering ASP
services, which is what I was beginning to read between the lines. We are
getting ASP services beginning to offer personal health record applications. Is
what we are beginning to see is that a lot of models are beginning to converge

DR. GOLD: I think what you are saying is absolutely true. I think we are
all searching for what answer we can use to serve the consumer, to empower the
consumer, and we are becoming aware that we have a lot of information out there
that has to be stored somehow. So I think it is true.

Bill and I spoke two years ago about the different models. There is another
gentleman in Israel by the name of Amon Schvoh who feels that this should be a
federal entity, the health record bank. I have seen over the past couple of
years that Bill and I are beginning to sound more and more alike, even though
we don’t work together at all, in our thinking of how do we deal with using
this data for good purposes, which would be the secondary use of data, and how
do you make this a financially stable institution.

DR. YASNOFF: I think there is some degree of convergence. I think it is
interesting to note that every single community that has some kind of
operational health information infrastructure today, and there are about half a
dozen, all have central repositories. No one has succeeded in operationalizing
a scattered model. So I think just that fact alone tells you that the technical
and political operational difficulties of setting up a scattered model are not
easily dealt with.

In Santa Barbara, they were able to actually build the technical capability
for sharing, but they weren’t able to get people to agree to share. One of the
big advantages of this approach is that because it is the patient requesting
the data, everybody has to provide it, so no one has the option not to share.
That is a very important component.

As you know very well, this issue of building a health information
infrastructure in communities requires you to solve all the problems that I
mentioned all at the same time. You can’t neglect one.

So I think more and more folks are recognizing that the health record bank
approach makes sense. The state of Washington has come out with a report
supporting health record bank, and they have some funding to pursue pilots now
from the legislature. Louisville, Kentucky is on the path to health record
banking, and recently the state of Texas in the governor’s office decided that
that was the approach that they wanted to take, because they see that this
approach can solve the difficult problems and allow us to have both the patient
care benefits of having complete information and the secondary use benefits
while having financial sustainability and protecting privacy.

MR. REYNOLDS: We have a question from the floor. Sir, if you would
introduce yourself and then ask your question, please.

MR. CRONER: My name is Chuck Croner. I work with Geographic Information
Systems here at CDC. I would like to take the conversation into that dimension
if I could, Bill. I can see a tremendous benefit. We all know the importance of
place and location on health, and especially I can envision down the road where
the understanding of chronic disease especially, where we can track exposures
from place to place and from location to location and get a tremendous insight
into the etiology of cancers and a variety of types of chronic diseases. But
also many other benefits in terms of relation of the outcomes to SES
characteristics of place, et cetera, as Nancy Krieger of Harvard University has
very strongly argued.

So if you would entertain that subject, as to how we capture that kind of
identification to bring a more robust record to the health care system.

DR. YASNOFF: As you might expect, having spent as much time as I did at
CDC, I am very sympathetic to the public health needs and public health uses of
this data. I think that having location coordinates for each patient will be
very helpful in terms of generating important results for queries.

I think that more research needs to be done in terms of how to do queries
of large location enabled systems and produce results that do not inadvertently
identify people. So that is a challenge. But I think that certainly these
health record banks ought to be GIS enabled.

I also would say that I put the public health uses of health record banks
into two categories. One is querying the system, either to follow chronic
disease, to do research or in a public health emergency to find things that you
need to know right away. But the other is that if you have health record banks,
it provides you with a single point in the community where you can generate
public health reporting.

So if every piece of health information, medical care information, is
deposited in a health record bank, at the deposit window you can screen it to
see if it is public health reportable and immediately send a copy to public
health. That is required of the providers by law. The way I envision is, the
provider would delegate that task to the health record bank. The health record
bank would provide it as a service, and then public health in each locality
would have — depending on how many health record banks there were, just a few
feeds that would provide real time information about all reportable diseases.

So I think that potentially the health record bank not only can provide the
kinds of insights that you mentioned with respect to chronic disease and
location and so on, but also can provide wonderful improvements in terms of
completeness and timeliness of public health reporting.

DR. GOLD: I’d just like to add to that. I am going rather than refer to GIS
right now, what you are saying raises certain questions about the anonymity or
the de-identification process. It is important to have that information.

If you think about phenotypic data, where we are suddenly looking at the
genomic information, would we be able to de-identify that in the same way that
we can de-identify the locale of the person. I think that needs to be
considered as well.

So even though the question is specifically about GIS, I think that we need
to also consider those other aspects and how we might re-identify and how we
keep that information secure.

MR. REYNOLDS: Kevin, you have the last question. We need a hard stop at

MR. VIGILANTE: Thanks for great presentations. We were bemoaning a little
bit before that a lot of people were agreeing with each other about their lack
of problems with secondary data in some ways or that could be handled by HIPAA.
So it is always refreshing to get a contrarian point of view. That is very

Just so I can get my head around this a little bit, is there a case in
which somebody can be in both systems simultaneously, and does that present a
problem? In other words, could you go to one provider who is paper based and
apply a HIPAA notice of privacy which would give that provider — say they
abstracted their records manually — the ability to use that data for quality
assurance and then potentially sell it? Then also, another provider with an
electronic health record goes in the bank and then your data could end up in
the same person buying or not buying the data from different sources.

DR. GOLD: That transition phase will be a very difficult phase. I think
that we are very aware that there will be a transition phase. This won’t be a
panacea, but will solve things within the next five years. But as the record
bank comes in, I think it has a lot of chance of bringing people in. At a
certain point people will say it doesn’t make sense for my stuff to be filed in
someone’s cabinet elsewhere.

So I do think that people will shift, and I think that physicians are
shifting now, as Bill stated before.

DR. YASNOFF: I think that I agree that there has to be a transition. I
think what I suggest with respect to health record banks is that the issue of
patient ownership and control of their data is initially only for the data in
the health record bank and that we just leave the rest of the system alone. The
health care system is difficult enough as it is, and the idea is, you create
these health record banks that provide patients for the first time with a place
they can have their complete records under their control.

I think that over time, we will see that having records under patient
control satisfies every use case, every primary use case and every secondary
use case. As that becomes clear and as more and more data is there, then I
think it will be time to change the HIPAA regulation back to what it was when
it was originally proposed, which was all uses require consent. Then once you
have all uses require consent, then the health record banks will help manage
that consent and make sure the information is available.

Let me again be clear though, the records that are generated by a provider
belong to the provider.

MR. VIGILANTE: Even the banking system?

DR. YASNOFF: Right. The records that are generated by the provider belong
to the provider for the purpose for which the patient has consented, which is
for their care.

In my personal view, whether it is legal under HIPAA or not, it is wrong
for providers to use that information for other purposes without patient
consent and notification. That is not what the patients agreed to.

I certainly am not interested in trying to take away the provider’s records
that they generate. They have to have those records – that is part of their
business. Also, if you are seeing a patient, any records that you see from the
health record bank, you have to be able to have those too and hold them or at
least have a permanent reference to them, because you have to be able to
justify your decision making.

That is not what we are talking about here. What we are saying is that
patients should be allowed to control where their information goes, what it
should be used for, and they should know about it. We have the technology to do

MR. VIGILANTE: With the exception of required public health reportable
events, right?

DR. YASNOFF: The way I look at public health, I put that into the category
of patient consent in the following sense. There is individual consent, where I
go to you as the physician and you treat me and I give you consent.

I put public health in what I call community consent, where the community
as a whole has said in order to protect the community this is what we have to
do. Obviously that has to continue. In a health record banking system, it may
be prudent to increase the number of reportable diseases because the marginal
costs would be low and it might have public health benefits and so on.

MR. REYNOLDS: Kelly, I know you have a question, but it is their hard stop
so if they get up and leave, I wouldn’t take it personally.

MS. CRONIN: I just want to make a really brief comment first, and then I
have a question.

I think none of us have a crystal ball to know what it is going to look
like in five to ten years in terms of combination of the hybrid approach. Many
people would agree peer to peer or your scattered approach is going to be very
technically challenging, for all the reasons you described, but the hybrid
approach and the many health information exchanges or the several that are
operational may be trying to reach that. So they are not going to have
completely a model to the extent that you are describing that would be either
in consumer trust or the health record bank.

I think we also need to keep in mind that we know so little at this point
in terms of what really will lead to a viable business model. Clearly if
consumers — hopefully if some of that survey data plays out, if they are
willing to play it will happen in either the state of Washington or Kentucky,
and we will have some real empirical evidence to work from, but we don’t now.
So I will just caveat that.

The other thing that was really intriguing about what you said is that it
caused them to customize privacy policies. If you have any thoughts about how
that might be operationalized through automated consent processes for different
types of uses or whatever you contemplated, it would be helpful to understand.

DR. YASNOFF: Let me respond very briefly. Thank you for bringing up your
first point about the hybrid models. I am not a purist about this. I do not
think there is value in putting peoples’ complete hospital record in a health
record bank. I think discharge summaries are plenty. Once you are discharged,
nobody cares what the nurses wrote at four in the morning on your third day of
hospitalization. It is just not relevant.

Second, I don’t think there is any reason to put digital images into a
health record bank. First of all, the reason for putting the information in one
place is so you can search it, and we can’t really search on images. Second,
images are large and take up a lot of space and third, you can through a
pointer system or a peer to peer system hook up to all the imaging centers in a
community, and there are usually not very many, and then you can count of them
to be available 24/7.

So I’m not a purist about this. I am trying to describe this at a high

With respect to consent management, I would suggest looking at the system
developed by Richard Dick at You Take Control. I don’t know if you are familiar
with that system. I’m sure Richard would be willing to testify. They have a
consent management system developed. It is an independent third party consent
management system that allows consents down to the data item level to be
maintained by an outside organization and managed very efficiently. I’m sure he
would be happy to describe that to you in detail, either in hearings or

DR. GOLD: Just two words to add to that. Before when I was referring to the
terms used at the top of a patient’s electronic health record are the keywords
that a system could access. If you look at the article in the IBM Systems
Journal, it talks about categories of the EHR, and there is a section within
that which would include permissions, automatic permissions and non-automatic
permissions, as well as legal counsel and things like that.

I use the analogy of, if you can imagine a letter being sent to you, you
have got an envelope and you have got a letter itself. The envelope would
include certain types of consistent information, family members, demographics,
et cetera, that would also have a stamp as it were of keywords and consent and
other things. The inside information would be the actual medical record. MR.
REYNOLDS: Thank you. We really appreciate an excellent job. We started out very
compellingly. We have had great testimony on this one at that level again.
Thank you very much.

DR. GOLD: Thank you.

Agenda Item: Work Group Discussion

DR. COHN: Now we are going to do about 45 minutes of work in the next nine
and a half minutes here.

I think the priority for the moment is to give people at opportunity to
debrief. The reality is that our next full set of hearings is in ten days, so
if there is time you can comment on what you are seeing on that agenda, but I
think that we are not going to want to — given how far we are on that, it is
really not terribly useful for us to be taking extensive time reviewing at a
detailed level that information. Though I would say, if you look at it and see
there are things that were missing that you want to see discussed, e-mails to
Margaret, e-mails to me, e-mails to Harry and Justine would be very much

Now, having said that, let’s open it up for a little bit of debriefing,
thoughts, epiphanies that may have occurred today as well as next steps.

Kevin, I think I will start with you and go around.

MR. VIGILANTE: Some random thoughts, I guess. I think this notion of
tertiary uses of data is an interesting thing to keep in mind. I think when we
think about the HIPAA notice of privacy that enables health care organizations
and covered entities to use data collected in the care of the patient in

ways seems like something we have already addressed at some level.

Where it gets sort of sticky is, once you have that data as a covered
entity or a non-covered entity in some cases, it is the tertiary uses or the
quaternary uses. As you release it to somebody else either for sale or for
other purposes, that really starts to get sticky and concerning, if you were to
try to present that to a patient up front and feel confident that the patient
would say yes, that is fine with me, even if you say it is going to be
de-identified. So it is those tertiary-quaternary levels that I think are the
more vexing ones. So that is item number one.

Number two, I think the issue of stewardship and ownership clearly very
important, but who is the steward you trust. It is interesting that in the
health record bank model that stewardship and ownership are convergent. It is
the same entity, the individual, and it addresses that in an intriguing way.

Thirdly, I think the issue of trust that we have talked about, and we
talked about some models of trust, but I think that trust is important. We
talked about uncertainty yesterday, what is going to happen with my data later,
in the future, with unknown people. I think trust becomes increasingly
important as uncertainty increases.

If I have greater trust around — understanding and transparency and hence
trust in how it is going to be used and who is going to use it, then I am more
likely to — uncertainty is addressed at a certain level and I am more likely
to consent to it.

I’ll just stop there.

DR. COHN: Very well done.

DR. SCANLON: I am in a very similar situation to where I was last night,
and I recapped last night, so there is not much to add.

Today’s two presentations for me were — not two presentations, but two
sessions, two panels, were very interesting in some respects, in contrasting
where we are versus something about where we might want to be. I think the
whole issue of secondary uses is kind of a no-brainer. There are so many good
secondary uses that the question is how do we maximize what we can do.

But we are operating now in a very suboptimal world, and for me in my
earlier question, I wanted to know how I can most quickly get to a better
world. Our last panel was playing out something that was intriguing in terms of
one model of a better world, a very difficult one though to think about in
terms of what the pathway is going to be.

I would like us to always keep the future focus in our discussion, and
identify the elements that are key to that future focus in terms of the
facilitators and the barriers. The future focus may not have a particular model
in mind. I think we have to leave open the option that the model has yet to be
specified, but it has got to have — there are certain barriers and certain
facilitators we can maybe identify that are going to have more universal
applicability or more widespread applicability to facilitate improving on the
current situation.

DR. CARR: It really has been very educational as we have progressed through
this. I think there are a couple of areas that I feel that there is a lot of
confusion about, starting with HIPAA. I think we have heard it at the JHCO
level, in terms of understanding, are people being notified or are people
giving consent. We have heard it at the clinician level in terms of when
consent might be needed. We have also heard an enormous amount of work, ongoing
work, being done about further understanding HIPAA or the common rule and
refining the details. So I am struck by this disconnect that there is so much
work on it, and yet in the playing out of it at a high administrative level as
well as a local implementation level, we don’t all see it the same way.

Then within that, one of the things that has come up is when does quality
become — when is it TPO and when does it become research, and do we have
definition around that.

Then the other is the whole concept of identifiable is a challenge with
quality, because we will not be able to do a lot of the great work that we
heard if we draw the lines tightly and require de-identification and
anonymization so that you can’t figure out who is who.

Then finally, the issue about tertiary and quaternary. I think that is a
helpful concept to think about. I think that is where we are getting stuck, and
so how we understand the management of those tertiary uses I think is

What struck me today as we have all been struggling with all these decision
points and where these definitions are and who owns them and who implements
them and who does them, the parsimony of what we heard today was very

I’ll stop there.

DR. COHN: I know we started asking members to debrief first, but we will
also ask the key staff. Harry, I want to thank you again for facilitating the

MR. REYNOLDS: You’re welcome. We started our discussion with testifiers
that said HIPAA was fine. Then we went all the way to databanks today.

I heard consistently ambiguity. I don’t care whether it is how people
understand HIPAA or how people identify the data, TPO, which is in the eye of
the beholder and some of these other things. I also would like to play off of
Bill’s statement how we get from where we are to a future state which have had
both exciting and upsides and downsides, as we have heard it today.

But one of our focuses is quality. So I think if we can clear up some of
the ambiguity, help the transition by structuring it a little bit like we have
done with the NHIN requirements, a little bit like we did with e-prescribing, a
little bit like we do with our other things, but at the same time, regardless
of how other things have or haven’t occurred or will or won’t occur as we go
through this transition and get better technologically and other ways, to allow
things like quality and other things to continue under something that makes
some sense, that is the picture that I am starting to draw as far as how we can
do it.

We can’t fix it all and we can’t go to the databank if we wanted to
tomorrow morning. People right now don’t understand HIPAA, that is clear. We
have heard that over and over again.

So I am pretty energized about the fact that we may be able to help this,
and especially as we look at it longitudinally, but then we drop down to
quality, I think we may be able to come out with something that is going to
make a difference, with the help of the other testifiers and the people we
still need to hear from, and everybody around the table.

But from HIPAA to the databank, how we get the ambiguity cleaned up on the
way, if we can help the ambiguity we might help people move faster.

DR. COHN: Harry, that is very well said. I think we are certainly hearing a
lot of people agreeing at the high level with the principles. It is the
specifics that either are tripping people up or they are being confused about,
or that were just not contemplated.

MR. STEINDEL: Thank you, Simon. It has been a fascinating three days of
testimony, I have to say that, in an area that I thought I knew a lot about. I
found out I didn’t.

But there were a couple of things that I think a lot of people have touched
on. A theme that ran through on the successful uses of secondary use of data,
one thing that we did hear a lot of, is that regardless of what the perceived
or known or whatever environment that exists under HIPAA, people are doing
secondary use, correctly, incorrectly, properly or improperly. I think we have
to look at that more carefully. But it is being done, it is being done well,
and it is being done we have heard for a lot of good things.

We have heard a lot about successful stories of where the is has been
implemented in relatively clear fashion, but they seem to have common themes.
They seem to have a theme of trust. That trust theme seems to revolve around
the issue of transparency of the use of the data through all the parties, down
to the patient level and the final people that are using it. I think that
transparency theme is very important.

Sometimes that transparency theme involves consent and sometimes it doesn’t
involve consent. I think this is an issue that we have to touch. We haven’t
actually heard testifiers on this. I think we are going to hear some in the
near future, but people have touched on it, and this is concerning the sale of
data and how this impacts on secondary use. I think we have to explore that

I think one thing that we have heard is, people have very clear stories
which indicates to me they have a very good idea of why they are collecting the
data and what they are going to use it for, and how they are going to tell
people how they are using it. They were a lot more successful from the
testifying point of view in getting the message across to us than people who
have had more disconnected stories.

I was fascinated by today. I thought there was a little bit of a yin and
yang in today’s presentation. In the morning presentation we heard these very
good ideas coming forward of how we are going to use this proposed present EHR
system and moving it into data registries and this sort of thing that a lot of
us conceive of the data flow, and how that is going to go forward and do good
things. Then we heard this interesting future presentation of a new way to
handle data from the health databank point of view. So that was an interesting
contrast that we have to think of and figure out how we are going to handle it.

Simon, from a quick point of view, that is really —

DR. COHN: Very good, thank you.

MS. JACKSON: Going back to Dr. Cubby’s beginning with the end in mind,
keeping us focused on what we are trying to get out of it. There is so much
information that was covered in terms of a time span from where we are now to
where we are going. My whole thing is just making sure we drill down to what we
can cover based on what was presented before. The background documents in the
committee just continue to come up, the NHIN, privacy and of course
understanding the concepts, the lack of clarity. So wherever the committee can
drill into making that point would be great.

MR. FITZMAURICE: I learned a lot more than I thought I was going to learn,
even though I missed the first day of hearings.

Maybe my most important thing that I synthesized out of it was that the
risk assessment framework is needed to guide people in uses of health data,
particularly for revenue generating uses. It might include things like learning
what is public opinion regarding the secondary uses of data and generating
revenue, where does it seem to be acceptable and not seem to be acceptable in
the United States.

Then a little bit on what are the legal barriers and what are the data
quality barriers. In other words, this use might be acceptable but not being
used because the data is not useful for the purpose. So the marginal
improvement of the data quality could make a marginal improvement in revenue
generation, which can translate into benefit or value to society.

Also, what is needed to implement good acceptable patient authorization to
these uses. Do you announce it in the newspaper and nobody complains, so you
use it? Do you have each individual patient sign off on each individual use? I
don’t know if it is acceptable yet for these uses, but it runs the gamut of
these secondary uses.

The second point would be on quality measures. How good is the science, how
good are the data for quality measurement, how effective are the applications
of quality measurement and improving patient outcomes. That is probably the
most important secondary use that we heard testimony this time, yet for many of
those questions we don’t have the answers in front of us.

A third thing would be, even today, and I agree with Harry strongly, the
application of the HIPAA privacy rule is not well understood. In the discussion
of tertiary uses of protected health information by non-covered entities about
patient authorization, how did they get that data in the first place? It is
hard to get it out of public entities and into these uses without violating the
HIPAA privacy rule. That wasn’t addressed, and maybe it points up — Mark might
say we need more investigation. If the public isn’t complaining about it, there
has got to be a balance somewhere.

Then finally, the New England’s use of registry data to test the Apache
system. Their accountability was, we told ourselves. It seemed to work. I
wouldn’t object to that use, but what the heck, is that good enough? It is for
that purpose. Maybe for other purposes it is not good enough. Maybe that is
still another point.

I would seriously consider that we use the AMIA taxonomy rather than trying
to invent one of our own, and we look through the AMIA stuff to see whatever
else we can endorse rather than invent.

DR. COHN: I think for the next hearing we will be digging into the tertiary
issues more.

DR. DEERING: I suspect that I began these three days with much more
humility than perhaps anybody else in the room. To quote Don Rumsfeld, I knew
what I didn’t know, and I knew that what I didn’t know I didn’t know was rather
large. Also, not surprisingly, I think I will make my comments more in the
consumer than communications point of view.

Having agreed with almost everything that has been said there, I’ll pick up
on this thread of evolution toward the future state and being mindful that what
we do enables the future state and doesn’t preclude it.

One aspect of that transition that I want to speak to is the potential
evolution from what is today still a provider centric disease centric state to
a clearly person centered, health centered state. While that is seen most
clearly in the juxtaposition toward perhaps health record banks, I think it
follows many other ways.

Just as one small point, I think that the more I heard, the more I would
cast my vote against in the future the use of primary and secondary. By
definition the word primary conveys a provider centric view. That data exists
primarily for the doctor to use. That is the definition. I do think that the
future state may not necessarily be quite so limited.

Our first morning pointed to this and to the ways in which all of this
information needs to flow together to improve the system broadly and also the
individual’s ability to manage also.

I would just hope that as we write what we write and point to this future
state, that we are conscious of whether or not we are merely trying to
strengthen the health care system or whether we are trying to strengthen

MS. CRONIN: I don’t have the benefit of having heard everything over the
last three days, although John Loonsk tells me you had two really good first
days, and from all the other comments it sounds like it was time worthwhile,
and all the efforts that went into organizing the three day period were
appreciated and well worth it.

But I think a couple of things I have been contemplating just this morning
are building off of what Harry already mentioned. I think it would be very
helpful if we could just come up with a consistent interpretation of current
law, not just federal law, but state law.

You all heard from RTI and Steve Posnack about some of the preliminary
findings coming from the states from the HISPC project. But I think we could
probably dig a little deeper there, because there are more than a half a dozen
states that are taking on a uniform consent process. I think that we could be
looking at some of those individual reports, or perhaps getting more testimony
from states that have thought through how they might implement that, and try to
be aware of what is happening at a state legislation level, because they are
quite active right now. There are over 140 bills that have been either
introduced or passed across states.

So we may want to think about getting a better handle on that as we move
forward, so that we know what is being enabled or perhaps what barriers are
being introduced. I think New Hampshire and perhaps some other states are even
contemplating putting a halt to secondary uses.

So just having a consistent interpretation, and getting to those issues of
the boundaries of research versus operations and how might that be defined with
some additional inputs so we have it right, I think that could be extremely

I think we will also be learning a lot more over the next couple of months
around what are the parameters and scope of stewardship, whether it is a
federally authorized data steward that would have a national level of
responsibility for overseeing how health information would be used for the
purposes of quality measurement. That is clearly what AQA was calling for close
to two years ago. I think the RFI is meant to inform what exactly is an
appropriate scope there. And for somebody federally authorized it would take
legislation. But I think there is real keen interest in that, to make sure that
there is clear authority for such an entity.

So I think that that will evolve over time, but that is not the only kind
of data stewardship we are talking about. As recommendations are developed or
contemplated for the use of health information for quality measurement and
reporting, that is directly relevant. But we have mentioned before that there
is probably a lot of other levels of data stewardship, whether it is at the
level of a health record bank or it is a health information exchange or it is
governance of the NHIN, which could be done subsequently through a successor to
the American health information community, which would be a whole series of
activities and responsibilities that are yet to be defined, but we are trying
to define them now, or we will be over the next few months.

I think we need to keep all that in mind, the larger context or the larger
conceptual framework that you want to also be trying to develop, and building
off of what AMIA has already done.

So there are several layers of data stewardship, I think is my message. I
think that when it comes to quality there is a whole host of challenges. The
way that we use the data to have a reliable numerator and denominator for
measures in particular is very important. We heard this morning about
challenges around getting data quality consistent enough to make sure that
whether it is Indiana or Boston or any of the BQI projects that are actually
using electronic clinical data. There is a lot of mapping that needs to happen.
There is a lot of complexity to make sure that if you are taking data from
these disparate data sources that you can actually make sense of it and use it

So there is a lot of technical and statistical challenges to getting
precision in your measurements. I think data stewardship could perhaps
encompass even those kinds of rules, whereas data stewardship over the NHIN or
governance over the NHIN is likely going to be at a different level and may
have more to do with exactly how data is being shared across networks, but not
necessarily used for very specific purposes such as quality measurement and

I guess my basic point there is that there will be more to learn about in
the next couple of months pertaining to governance at a national level for both
health information exchange globally and for use when it comes to quality

DR. COHN: You’re right, much more to be done. We may ask you for your help
in terms of the state pieces. I didn’t think the presentations were quite as
targeted as you may think that they were from previous days, so that we may
come up with the right questions.

MS. CRONIN: In fact, I have just been seeing more and more things coming in
this week on that. On the 31st of July we will be hearing from four different
states, some of them pertaining to this concept of consent.

DR. COHN: I do apologize. We are going to speed up here a little bit. I
think we can finish up in the next four minutes or so. Erin, would you like to

MS. GRANT: I was kind of over the last three days listening with two
different hats on. One is, what other speakers do we need to identify and how
to get them.

To Harry’s point, looking at the ambiguity issue in terms of the future
state and where we want to be, I drew a little diagram here in terms of looking
at the different types of data, whether it be anonymized or de-identified,
pseudo anonymized, identified, and what are all the uses for that type of data
and what are the risks and benefits to having that type of data, and are there
regulations that govern each use.

I think if we did that analysis it would help us figure out where do we
want to go, what other testimonies do we need, what regulations may we need, in
terms of mapping out some of the future sets. I think we need to pull it all
together and understand where things lay. It also helped me figure out who we
may want to think about having in the next two weeks and also at the end of

DR. COHN: I think I would also describe some of those — when you talk
about tools and approaches, these are some of them that we reference.

MS. ANDERSON: I just have a short comment, although one that is really
perplexing. Even though we have agreement in any group that we want to move
from the focus on medical care to the focus on health, and we want to move from
a provider centric individual site of care view to a person centric
longitudinal view, there is a fundamental business case problem here which is
the reason why we are struck with this issue around monetization of the data,
because it is considered to be one of the ways to fund some of the other public
good movements.

So I think it is going to be hard to deal with this issue of
commercialization independent of the individual axes of data use without
thinking about why is that business model emerging, why does it show up in the
NHIN, why does it show up in these quality groups, why do organizations that
aggregate data for quality, and then there is a demand on the pharmaceutical
side to mine that data.

Part of the way they are able to have affordable products is because they
have some ability to monetize some of their costs. So it will be hard to
separate out commercial and look at quality and look at research all
independently and try to come up with an end point.

DR. COHN: I’m glad that you are joining us on this journey, because I think
that is an important perspective. Margaret A, you have been taking notes
diligently. We have got a lot of next steps.

MS. AMATAYAKUL: I certainly don’t want to reiterate what everybody has
said. The one theme, and it is interesting that Christine mentioned it, is that
it seems to me that if we are focused to the narrow piece of this in addition
to the broader, that allowable uses for quality, if we are looking at a fee for
data environment, still seems to be focusing the fees on the provider or the
patient as opposed to other beneficiaries. It strikes me that for the last many
years, we have talked about who should pay for all this, and if often isn’t
those who benefit most.

But anyway, my viewpoint is mostly the task at hand. So I guess thanks to
the challenges, I took this on because I do get tired of doing the same old
thing. So it is definitely a challenge.

It seems to me that we have identified the need for a taxonomy of terms. We
are accumulating a set of terms. We are getting good resources for what these
terms mean, or at least the variation in them that we could point out.

It seems to me that we are understanding data flows better, and it seems to
me that some of the issues and potential solutions are emerging even if we
don’t know what we might recommend specifically.

I guess where I am still a little bit concerned, is there truly an
overarching framework of what do we need to include in that framework. So while
all the other things are probably more important than the framework itself, I
still think there still needs to be an overarching framework to guide future
action just beyond quality or other uses.

DR. COHN: Based on that comment, I’m glad this isn’t our last set of
hearings and it is just our first.

I do realize we are running late, and I am not going to engage any
conversation around all this stuff. Our next hearings start August 1. We are
going to be implementing about an hour and a half each day for discussion.
Trying to do it in the 15 minutes of the day, trying to squeeze into the last
20 minutes of the session on the last day isn’t going to get us where we need
to go.

I know Margaret and Justine and Harry and I and Karen and Erin and
Christine and on and on are going to be working on fine tuning the agenda for
the next session. Those of you who I have not mentioned, please take a hard
look at it and see what you think needs to be added. For myself, I am trying to
make sure that we do balance this issue of tools, approaches, technologies,
just so that as we talk about the issues we begin to learn more about
approaches that may help minimize risk in all of this. So we hope that we have
things that we can recommend that have substance and reality to them.

I do want to thank everyone. A variety of you helped make this session a
success. I think it has been very interesting, I think we have learned a lot,
and it just reminds us of how much we have to go.

Thank you very much, and the meeting is adjourned.

(Whereupon, the meeting was adjourned at 12:22 p.m.)