[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

Subcommittee on Privacy, Confidentiality and Security

June 16, 2010

Sheraton Crystal City Hotel
1800 Jefferson Davis Highway
Crystal City, Virginia

Proceedings By:
CASET Associates, Ltd.
Fairfax, Virginia 22030
(703) 266 8402

P R O C E E D I N G S (3:14 p.m.)

DR. FRANCIS: Our goal is to be in a position to have a draft of the letter.

MR. HOUSTON: By September.

DR. FRANCIS: By September.

MR. HOUSTON: Well, actually, we shouldn’t even say it that way. Our goal is actually to have a letter that we believe we feel comfortable bringing before the committee for a vote in September.

DR. FRANCIS: That’s right. But before we do that, we need to officially call this meeting to order, and we need to introduce ourselves.

I am Leslie Francis, one of the co-chairs. I am a member of the committee, and I don’t have any conflicts.

MR. HOUSTON: You’re a chair of the subcommittee, right?

DR. FRANCIS: And co-chair of the subcommittee.

MR. HOUSTON: I am John Houston. I am a member of NCVHS. I am with the University of Pittsburgh Medical Center. I am also a co-chair of this subcommittee, and I have no conflicts.

DR. SUAREZ: I am Walter Suarez with Kaiser Permanente. I am a member of the committee and of this subcommittee, and I don’t have any conflicts.

MS. MILAM: Sallie Milam with the West Virginia Health Care Authority, member of this subcommittee, no conflicts.

MS. HORLICK: Gail Horlick. I am staff to this subcommittee.

MS. KHAN: Hetty Khan, staff to the subcommittee.

MR. HOUSTON: Great. I think the purpose of our meeting this afternoon, again before we got on the record, just to reiterate, is that we want to talk about the hearings yesterday on sensitive information. We have been doing a lot of work, sort of putting together preliminary thoughts about what needs to be in a letter, and we want to try to mature our thoughts this afternoon, with the intent then that we will work by email and conference call, hopefully over the next couple of months, with the goal that in September, at the September meeting, we will be able to bring a letter to the full committee that we can pass regarding sensitive information.

That I think is sort of background data that Leslie has done a great job at.

DR. FRANCIS: If there were a way for me to put this up on the screen, it might be cool. Is there a way to just take my laptop sitting here and project it?

MR. HOUSTON: You need to get the cord. If the cord is long enough, we can do that.

(Housekeeping discussion.)

DR. FRANCIS: Just by way of background, I knocked together a few thoughts this morning, emailed it around to everybody, and then both Walter and John made comments on it, and Sallie and John and I hung out for a while integrating all those thoughts and kind of shifting things around a bit ourselves. Basically, the idea is to, hopefully, use this as the basis for a draft.

Now, let’s just talk a little bit — I could project this up — why don’t I email it to Maya?

(Housekeeping discussion)

MR. HOUSTON: While Leslie is doing that, one of the things that we talked about regarding this letter is something that I guess I feel pretty strongly about. Since we want to try to get this on the record in September for a vote, we need to be fairly — I don’t want to say “narrow,” that’s the wrong word — we need to make sure that we are not too expansive in what this letter tries to accomplish.

The purpose of the hearings was to identify different classes of sensitive information and how they need to be managed, or if they are the type of information that is going to need to be in some way potentially sequestered, but I think really the purpose of this letter, I would like to try, I believe, to focus on trying to understand what those different data types are, or classes of sensitive information, and whether there are subclasses or what does really constitute that particular classification, and not get too deeply into the actual sequestration of the information, because I think that we’re going to find that on a state-by-state basis there is going to be a fair amount of variance as to what ultimately they decide to sequester.

My thought is that we just need to make sure we keep our focus fairly narrow on this particular letter so that we can get it done in September.

DR. FRANCIS: Again, we will see that the focus is on saying that these are the categories that need to be defined for purposes of architecture — anyway, you will see that — rather than necessarily saying, oh, that in this particular category, this ought to be provided to A, B, and C or whatever.

So let me make sure that everything that I am going to pass on got saved.

MS. BERNSTEIN: I just say that I am here, for the record. I am Maya Bernstein. I am lead staff to the subcommittee, I am the privacy advocate of the Department, and I work in the Office of the Assistant Secretary for Planning and Evaluation.

MR. HOUSTON: Is there anybody else who needs to be announced? Did you announce yourself, Marjorie?

MS. GREENBERG: I am Marjorie Greenberg from the National Center for Health Statistics and executive secretary to the committee.

Did anyone else see this email from Sarah Wattenberg asking if she could call in to this session?

DR. FRANCIS: I did not see that, no. We can call her, can’t we?

MS. GREENBERG: Is there a number that she can call in? If you will give it to me, I will email it to her.

MS. BERNSTEIN: What am I looking for?

DR. FRANCIS: I think what you’re looking for is “sensitive information draft.”

MR. HOUSTON: Go back, I think it was on that last page.


DR. FRANCIS: Yes. What we did was it went from me around to everybody this morning and then Walter sent detailed comments, John sent comments, we integrated and started with the Walter draft.

MS. BERNSTEIN: All right. So this is what we should have?

DR. FRANCIS: Yes, that’s what you should have, and you should make it lots bigger so we can all see it.

(Housekeeping discussion)

DR. SUAREZ: Marjorie, maybe some historic perspective. How would the committee or how did the committee work back in the years when we didn’t have computers and we couldn’t do this in almost real time? I mean it’s amazing how —

MS. GREENBERG: It probably was a plus and a minus.

MR. HOUSTON: They had a big stone slab, and they would have the chisel up front. Once you put something on the stone, it was etched in stone and you couldn’t change it. They got done with letters really fast.

MS. GREENBERG: After we had those 500 emails regarding the person who wanted to testify by phone, I was wishing we didn’t have email anymore.

MS. BERNSTEIN: Yes, so was I.

DR. FRANCIS: The first thing that we tried to do, and this is not necessarily the order that all of this will appear in, but the first thing that we tried to do was just outline the values that we think should be guiding and have a reasonable working statement of them.

The initial one is that both patients and providers need to be able to have trust in the information exchanges and that protecting privacy is essential to patient and provider trust, basically C being that value that without an appropriate privacy architecture and government structures to make sure that that privacy architecture actually gets followed, you are not going to have people willing to have their data be in exchanges.

MS. BERNSTEIN: Is this now where we’re going to start from whatever this document has on it now?


MS. BERNSTEIN: Can I accept all the changes that you made so far and start from scratch?

MR. HOUSTON: The only reason why I wouldn’t maybe — is this one with Walter’s changes in it as well?

DR. FRANCIS: I wouldn’t, because this will tell you where different things came from, and I think we would like to — what you could do is, as we go through it, accept it, just to tell us that this is not the prettiest prose, we’re not trying to worry about prose, we’re just trying to worry about getting ideas out.

MS. BERNSTEIN: All right.

DR. FRANCIS: The second value idea was that we think it is really important to have clear and workable rules and definitions about sensitive categories of information because that is really needed in order to facilitate — we don’t see this as blocking adoption of interoperable HIE; rather we see this as important to facilitating it. And the industry needs clarity. So that is the second important consideration in this.

The third is that we think that there are a wide variety of reasons to have complete and accurate patient data in health information exchanges. These include patient safety, they include physicians and other providers providing appropriate medical care, they include quality assurance, public health, all kinds of reasons why we want complete and accurate patient data.

MR. HOUSTON: I think part of this concept, as well, is that if there is appropriate trust and patients buy into this, then what you will end up with is a more complete record. People will be more comfortable allowing their information to be exchanged. So that conceptually speaks to having more availability and completeness.

DR. FRANCIS: I guess one thing that I originally had that came out as Sallie and John and I were talking that I am not sure should be out — but we are trying to do this in as efficient a way as we can to actually get a letter out — was the whole question of the importance of patient choice. We did not include that. The reason we did not include that was we thought it would be a red flag to some people, that it would look like we were actually committed to patients exercising certain choices and we didn’t want to say that. So I just wanted to say that we folded that into patient-provider trust.

MR. HOUSTON: Let me say this. The whole idea — patient choice really is not the focus of this letter. This letter is really intended to describe sensitive information categories. So if you run down the rabbit hole of talking about patient choice and opt-in versus opt-out, that really is not the purpose of this. So I think we really needed to stay away from that.

DR. SUAREZ: But could you qualify choice with patient privacy choices or patient — because I mean patient choice could be read in many different ways, of course. So you might want to modify it into patient confidentiality, patient privacy —

MR. HOUSTON: I don’t think that is really the focus of the letter. At the end of the day, there is probably going to be a decision and a lot of people talking about whether there should be an opt-in versus an opt-out and how — I think once you start, I just think it gets us off the track, and I am a little afraid that it begs more questions than it answers.


MS. GREENBERG: Tell me again what the purpose of the letter is.

DR. FRANCIS: The purpose of the letter is going to actually be to recommend sensitive categories of information for an architecture. You will see more —

MS. BERNSTEIN: Is that the only purpose? Is that the only thing you want to do in this letter, is to nail down the categories?

DR. FRANCIS: You will see how far we can get on that. You will see more.

MS. HORLICK: Are you going to reference the letter where you said —


MS. HORLICK: Okay, then that might —

MS. GREENBERG: That letter already had a statement about choice. We certainly heard some pushback on that approach yesterday, I thought.

MR. HOUSTON: I don’t think it is really — if we start to talk about patient choice, we are going to end up in December or the following year still fighting about this letter. What I thought was really important and what we are really being asked for here is people are saying, We need to understand what are the categories of sensitive information. What is really considered sensitive?

We heard a lot of dialogue by example about psychiatric information. Just because it is labeled as psychiatric information may not mean that it really should have that sensitivity applied to it. There are certain types of psychiatric information that really is sensitive, but there is a lot of other information that is gathered in the psychiatric context that really does not need to or might be harmful to consider to be sensitive. By example, medication lists, things like that.

So I think the purpose of this letter is to try to articulate this so that other people who are trying to put together architectures, whether it be at the state level or HIEs or otherwise, can say, Okay, I can take this information, and as I build my architecture, I can use it to understand what categories of information are sensitive and how I need to treat them as I build my architecture up.

MS. GREENBERG: Can I ask something about that third — can you go back to those values?

DR. FRANCIS: Yes. Back to those values, Maya.

MS. GREENBERG: Patient and provider trust, protecting privacy, clear and workable rules and definitions. By trying to bring more clarity to this issue of categories, definitions of sensitive data, you are really addressing that middle one.


MS. GREENBERG: But I would say the subtext of that patient and provider trust and protecting privacy is that there may be some choice here, patient choice — I understand what you’re saying — but then it’s almost like if you are going to identify sensitive areas — and the only reason to identify and be clear about what are sensitive data is that you might then want them to be treated differently, or people who have a heightened sensibility for consent or sequestering or for some choice of treating it differently than all other data, and then you’re just going to have to accept that you won’t have complete and accurate patient data in all cases if you allow that. Of course, we don’t now anyway.

DR. FRANCIS: But there’s a difference between whether you have the data in the exchange and whether it is available or sequestered. So let’s look at the next little bit and see if it captures what you’re saying.

MR. HOUSTON: And by the way, I would almost prefer, based upon Marjorie’s reaction to this, which I think is important, I would almost prefer to take some of this out to make the letter clearer. If it is less clear because we are trying to say too much, maybe we simply do reference an earlier letter that does describe this. Maybe that is what we are better served doing, because I think, again, we don’t want to dilute the letter, and I think we want to stay focused on what we try to accomplish.

DR. FRANCIS: What we tried to say — let’s take that language, the goal of this letter — this is what our idea is — the goal of this letter is to give guidance in identifying categories of sensitive information for the purposes of building a privacy and security architecture, so that segmentation capacity can be developed that allows for the possibility of sequestration, the possibility of special consents, and so on, in interoperable EHRs or HIEs and so on.

It is not to say that we are recommending that that capacity be used in any particular case; it is to say that these are the categories that need to be on the table for the purposes of building the architecture, and it is crucial that this be done now as record systems and HIEs are being put into place.

Now, one idea would be to say that that whole goal stuff should come at the very beginning before anything about values — that is to clarify your point, Marjorie — and I think that is the way we see this, but this was just kind of how — this is not the right order, this is not wordsmithed, but this is the idea, and that when we’ve done that, that we would also say that the reason why we are attempting to achieve this goal at this point is we are building on our prior sensitive health information letter.

Does that work for you?

MS. GREENBERG: Yes, except that I think you can build this capacity into the architecture without having defined what is sensitive data, because I would be very concerned that you built the capacity in a way that it only meets certain definitions of certain data, because things can change. Frankly, what is sensitive to one person is not necessarily sensitive to the other.

So I actually do not see these — I think your basic principle that was articulated in the previous letter, that the architecture needs to have the capacity to treat sensitive data in maybe a different way, or to allow it to be sequestered or to allow all these different things, then that drives what needs to be done from the point of view of the capacity of the records.

Then the policies — if you are not going to let every individual person define what is sensitive to him but you want some kind of generic policies — then you need these definitions of what are most reasonable to be considered as sensitive information. But there is no point even identifying or defining sensitive information if you don’t have the underlying assumption that the capacity is there to treat it differently. I really don’t think you would want to hard-code that capacity.

MR. HOUSTON: I disagree, and I will tell you why. I think right now there is zero capacity. First of all, people are asking very clearly what is considered sensitive information; what are the types of information that we are going to consider sensitive? There is an enormous difference, if you look on a system-by-system basis, on an HIE-by-HIE basis, as to how they treat it. Some treat it not at all, others have the ability to select any type of information as having some sensitivity assigned to it, and then others will define it by category, like what we are talking about.

I think the issue that I see right now is that without some type of attempt to overlay some type of logic that can then be used for a regional as well as a national exchange, there is no way to then impart that logic later on in the process, to be able to say, Oh, that was psychiatric information that got passed from A to B, or that it was genetic information that got passed from C to D.

If you cannot define these categories in some way, shape, or form, there is no way then to impart the logic into the different HIE capacities.

DR. FRANCIS: Yes, and just a comment, going back to the prior sensitive letter, we made it very clear that there needed to be defined categories. So to say you are just going to have a kind of free-for-all as different people —

MS. GREENBERG: No, it’s a two-part thing, I think.

MS. MILAM: I just wanted to jump in. What is sensitive at the first level is a matter of law. So you have to look at federal and state law, and those categories are already defined. So that is how we are grappling with how to make those real.

But then above that, what you are referring to, Marjorie, is the opportunity within HIPAA that allows a patient to request special restrictions, but providers don’t have to meet them under current law. Now they will in a narrow category where people pay in cash and it is very narrow, but a lot of the sensitivity really is not a matter of personal preference.

DR. SUAREZ: Marjorie, I think, in my mind, there is a clear reality in our country right now, which is there are laws that require segmentation. There is no question about them. So we have to — number one, they are laws. Number two, there is confusion and there is a variety of perspectives about what the definition is of those. Number three, as John pointed out, there is a lack of system capabilities to address — I mean some systems have some ability to produce that, but there is a clear lack, because of the lack of good understanding and good definitions, there is a clear lack of functional capabilities in systems to categorize, segment, and then, more importantly, carry forward that segmentation into operational aspects.

MS. GREENBERG: I don’t disagree with anything you are saying, but would you agree that if that functionality is built into a record, it could be activated for something other than one of these categories? That is all I am saying.

MR. HOUSTON: Absolutely. That leads to something that we talked about outside before this meeting, Leslie and Sallie and I. This is my phrase, I called it “situational sensitivity.” That comes down to, the best example I can think of in the context of all our discussions was if there was abuse. The fact that somebody had been spousally abused, their address in this situation —

MS. GREENBERG: That is exactly what I was thinking.

MR. HOUSTON: But that is one of the recommendations of this letter, which is that in addition to defining classes of sensitive information —

MS. GREENBERG: There are sensitive categories of people — adolescents, maybe, abused —

MR. HOUSTON: In the case of things like adolescents, as to what Walter said, there are statutory — you get some guidance from statutes as to what we need to be concerned with.

When it comes to things like spousal abuse, again, there could be a whole variety of things, including something as simple as an address, and that is why the situational sensitivity is something — there still might need to be a catch-all flag, but that is compatible with this notion that we should still have categories that are specifically considered sensitive, because they will always be sensitive no matter what the situation is.

MS. GREENBERG: Like the celebrity thing, too, that we heard about at the end. I mean the person has an ingrown toenail. You don’t want anything about them maybe.

DR. FRANCIS: Yes. Maybe we could look at what some of the findings — maybe if we look at this as a whole, we will get a better sense of what we were talking about. If Maya can go back up and — because I don’t think we are disagreeing with you, Marjorie.

MS. GREENBERG: No, I understand.

MS. BERNSTEIN: I’ve got your comments on one side, and I don’t want to mess with the letter too much with that, so I am just going to put them in the document.

DR. FRANCIS: Let’s just go through the whole thing and then come back, just to keep going.

MS. BERNSTEIN: Instead of putting all your comments in the file, I am going to put them in a separate place.

DR. FRANCIS: That’s fine.

MS. BERNSTEIN: This is the document.

DR. FRANCIS: Let’s just zing on down and see what — here are some candidate findings and some candidate recommendations, and then we can come back.

MR. HOUSTON: Hey, Maya, when you get to that gray bar, put your cursor on it and click it. See if you can click the bar itself. If you can click on that, I think it will take away the — yes, there you go.

DR. FRANCIS: So here are some of the findings that we were talking about: that segmentation is a reality need, should be a foundational principle guiding — all this kind of stuff — architecture development — and that’s a reference to our earlier letter. We can take out some of this, we can decide, whatever — that HIEs need the capacity, consumer control, custodian tools — these are just various things we were throwing in — education, policy and technical consistency — keep on going down.

I am not sure at all about these. What I think is more important is when we get down to — you can see we were just throwing stuff in — get down to findings, I mean get down to recommendations, because I think they are the crucial things.

Some of them are more general and some of them are less general. One of the general ones is that state HIEs and the process of developing an NHIN must have a plan about the identification of sensitive data categories, even if it is to say they are not going to do it at all, and that needs to be public and people need to know what it is. Sallie added there that consumers need to have input into it. So a requirement as a state HIE is rolling out is that they need to address this issue.

MS. BERNSTEIN: Can I just ask a vocabulary matter?


MS. BERNSTEIN: All these words, segmentation, sequestration, masking —

DR. FRANCIS: We need to fix that. Pick one.

MS. BERNSTEIN: The last time around we picked sequestration, I think, in the few last letters.

DR. FRANCIS: Yes, and I think we want to back up and say identification without necessarily saying — identification that gives the capacity for segmentation and sequestration.

MS. MILAM: Capacity for special handling, and there are a variety of ways to accomplish that, through sequestration, consent, flagging, that we talked about.

MR. HOUSTON: I agree. I think that is a good way. Again, we don’t want to make recommendations actually on what they do but rather this is guidance on again the categories that they might consider for it.

DR. FRANCIS: Then the next one is the issue that you were raising, Marjorie, which is that HIEs need to have the capacity to indicate that a whole record or a part of a record needs to be situationally flagged.


DR. SUAREZ: I don’t disagree with that. I think what I read is it was too much focus on HIEs. HIEs don’t exist yet. I shouldn’t say that. The HIEs, of course, are going to be evolving and some of them exist and all that. But the key element is really not so much the HIE part; it is the EHR capability.

The point that Marjorie was saying is in our EHR, in the EHR of the care providers around the country, there must be the functional capability, just like the EHR now is required to have a functional capability of decision-support tools, the EHR must have now the functional capability of segmentation and carrying forward that segmentation, and then within the exchange of an HIE, that functional capability can be extrapolated into some other policy —

MS. BERNSTEIN: So, Walter, are you suggesting that this should be changed to EHR instead of HIE?

MR. HOUSTON: I understand Walter’s point. I think we have to be more expansive. I am not sure how we state it, but I think, rather than the ability to sequester, it all goes back to being able to identify sensitive information so that it can be operated upon both internally to the system as well as that logic being able to be exchanged. Do you see what I am saying?

DR. SUAREZ: The critical part is really being able to identify it so that that identification can be operated upon, whether it is segmentation, sequestration, internally.

MR. HOUSTON: I agree with you, but my point is that is not just internally but that logic also needs to be able to be passed forward. That is a big problem, is that the logic — and I think some of your discussion about standards for security and privacy, the issue is that a lot of the standard transactions, as soon as the data is passed by some standard transaction, all that logic that might allow you to say, “Oh, that’s sensitive,” falls by the wayside. I think that is a huge issue, that you need to be able to carry the logic forward.

DR. SUAREZ: Yes, carry the — when you say logic — carry the mark, the identification.

MR. HOUSTON: Sensitivity, yes, exactly.

MS. GREENBERG: Your earlier letter, several letters, was about the NHIN.

MR. HOUSTON: Yes, it was NHIN specifically, or it was discussed.


MR. HOUSTON: I believe so, yes.

MS. GREENBERG: I think so. So then it wasn’t really about the electronic health record or the health record in the context of exchange of information.

MR. HOUSTON: However, I think — I don’t think you can get even to talk about NHIN unless you start where Walter is at.


MR. HOUSTON: So I think what we are trying to do is simply say, Okay, here are the sensitive information categories, and at all levels then it is going to roll up.

I guess, to your point, we are just trying to lay this foundational understanding of sensitive information and allow people to go take that forward in whatever context it is. So that is sort of to Walter’s point, which is it could be an EHR, it could be an HIE, it could be NHIN, it could be a lot of different contexts.

MS. GREENBERG: I think the hearing yesterday was not just limited to NHIN.

MR. HOUSTON: I think, even further than that, I think it was really intended to be a discussion about sensitive data categories without any context.

DR. SUAREZ: That is why, in a couple of the panels, I specifically asked that question: Do you believe that electronic health records should have the functional capability of protecting that data that you are saying needs to be segmented? And they all said yes.

Furthermore, CCHIT, of course, and its various members — by disclosure, I am a member of CCHIT’s privacy work group which defined the certification and standards for the electronic health record with respect to privacy. This is something we need to get to.

MS. GREENBERG: Right, and my question is, is the committee actually on record regarding this for the electronic health record, or is it only in the context of the NHIN?

MR. HOUSTON: I think the focus was the NHIN. But it sort of punted the issue in a way that I think that it really begs for what we are talking about here —

MS. BERNSTEIN: You can’t tag this at the time that you’re going to share it. It has to be tagged at the time it’s in the record. Whether or not you use it in your practice inside a hospital or inside a particular doctor’s office in the clinical record is neither here nor there. But it has to be tagged if you’re going to share it so that at the time of the sharing, the tags are already there. Then you can a policy —

MS. GREENBERG: Yes, but pointing back to previous recommendations, you have to make sure that they are the right recommendations.

MS. BERNSTEIN: But for a variety of reasons, as I remember, there were some hesitations about talking about the electronic health record just in the context of a closed clinical system. We limited ourselves to talking about sharing over NHIN. But at this time the committee may be, after further thought or it’s a couple of years later now, willing to go further, then that is something you should talk about.

MS. GREENBERG: I am fine with that. I am just saying let’s not say the committee said something that it didn’t say.

MR. HOUSTON: I understand.

MS. BERNSTEIN: But we can go look that up another time. I think we are in basic agreement —

MS. GREENBERG: Yes, we don’t have to worry about it right now, just —

MS. BERNSTEIN: We are in basic agreement, and we have limited time today.

MR. HOUSTON: Let me say this, though. I think, though, that what we’re talking about doing is very compatible with the earlier letter and what the earlier letter sort of teed up to say needs to be done. It is just intended to have applicability not just to NHIN but outside, sort of as a foundational element.

I know, Walter, you wanted to say something?

DR. SUAREZ: I was just going to say we should point back to the appropriate context we made references to before, but we should not be limited or in some way constrained by this.

MS. GREENBERG: You are not constrained by it. I just want to make sure we don’t refer to something that is not what we said.

MR. HOUSTON: Right, and I think we can even say in this letter that it is consistent with our earlier recommendations specific to the NHIN. We provide this recommendation more generally to describe the sensitive information categories and considerations for their use in sequestration, et cetera.

DR. FRANCIS: Yes, because since we are not taking a position about every electronic medical record ought to sequester, we are not taking that kind of position; we are just saying, Look, you cannot have the architecture in an NHIN or in an exchange if you don’t have a way of identifying it before it goes in.


DR. FRANCIS: Okay. Let’s go back to — can you go back up?

MS. BERNSTEIN: These are your recommendation lists.

DR. FRANCIS: Yes, so then the recommendation list that we just went over was that we want to have something on the recommendation list about the capacity to flag, to have a situational flag, and that was the abuse point.

MR. HOUSTON: But the thought is it is more general than it is abuse. It could be applied to almost anything for which there is some situational significance, whether it be a VIP record.

DR. FRANCIS: Exactly.

DR. SUAREZ: But one point about the HIE again because I think when we say — I don’t know if that’s where we are in that statement — are we in the HIEs must have the capacity to segment and sequester? Wherever we say HIEs must have the capacity to, we are making a technical assumption that the HIE will have data that they will be responsible for in a database. They will be responsible for sequestering that, and that is not, in my mind, an appropriate assumption in the sense that many HIEs are not going to have that kind of data.

MR. HOUSTON: Let’s try to reword this to get HIE and EHRs out of the actual statements, and I think maybe putting it in a passive voice or something. I agree with you. I think we don’t want to be overly restrictive in these recommendations. So if we can figure out a way to state it so that it doesn’t make reference to HIEs or EHRs, I think it will help us out, because then it will be more broadly applicable.

DR. FRANCIS: So the next point there was that there are some legally defined categories, that there needs to be some identification — I am just going to call it roughly identification capacity to ally what we were just doing.

DR. SUAREZ: Which paragraph are we in?

DR. FRANCIS: The next one. That there are some legal categories that need to be there in whatever identification capacity we are talking about. The legally defined categories that we know of at the federal level are GINA, SAMHSA, psychotherapy notes, anything from — and some of these may require a little more looking at — anything from VAWA, the Violence against Women Act, and we also understand that different states may have different views about whether particular categories require special treatment.

So what we are saying there is that whatever this architectural capacity is and for what, it has to address the GINA definition of genetic information, the SAMHSA idea about treatment in a substance abuse facility, the idea about psychotherapy notes in HIPAA, and the idea about VAWA.

MS. BERNSTEIN: And also the pay-cash business, right?

DR. FRANCIS: Okay, yes, and the pay-cash business in HITECH. Those are the ones we could think of federally, and we wanted to point out that it may be complicated at the state level because different states may have different views.

Now, one thing I want to point out a little bit before we actually talk about some of this is that we also have a bullet about how, given the consent/confidentiality issues with adolescents, it may be especially important to have segmentation identification capacity in adolescent records, or they are just going to be left out of the whole HIE business.

MS. BERNSTEIN: Do you want to make that as a separate point?

DR. FRANCIS: I just wanted to call to people’s attention that there is a separate point about that.

MR. HOUSTON: By the way, I am thinking there might be one other federal law that has applicability.

MS. HORLICK: By SAMHSA do you mean part 2?


MR. HOUSTON: There might be some FERPA implications. I am not sure. We should probably go back and make sure.

MS. HORLICK: I was also wondering about the ADA, but that might just say about the physicals, it might not address actually the confidentiality.

DR. FRANCIS: No, it doesn’t have a definition.

MS. BERNSTEIN: Sorry, John, you said something about FERPA?

MR. HOUSTON: Let’s look to make sure FERPA doesn’t have some applicability here that would potentially limit it.

MS. BERNSTEIN: But specifically excluded from HIPAA?

MR. HOUSTON: We are not talking about HIPAA. We are talking about laws that might create some type of or have some sensitive information implications. I just want to make sure we don’t — I don’t remember FERPA well enough to know whether that is the case or not, so I think I just want to keep it teed up here in case there is something.

MS. BERNSTEIN: Are you talking about school nurse records? We are talking about medical records, right?

MR. HOUSTON: I am talking about medical records. All I want to do is put a placeholder here saying let’s check FERPA to make sure that this doesn’t trigger some other category. That’s all I want to do here.

MS. BERNSTEIN: FERPA only applies to school records, is my point.

MR. HOUSTON: I understand that, but if school records become part of an exchange and there are FERPA — I don’t know if there could be FERPA implications or not. All I want to do is leave it on as a placeholder so that I can check to make sure we don’t have an issue.

MS. BERNSTEIN: It would have to be in a federally funded school.

MR. HOUSTON: Well, yes. We are talking about an exchange which is potentially going to handle all sorts of information, including potentially records that come from schools or immunization records or things like that, and I want to make sure that if there is some sensitivity associated with FERPA that we keep it on the list so that we don’t forget about it.

DR. FRANCIS: And if anyone knows of any other federal things we ought to be thinking about, put them on the table right now, that are legal — because a strategy here is to say, as a recommendation, that the architectural capacity needs to be in place to handle these legal categories.

DR. SUAREZ: The other one is CLIA as it relates to laboratory health information and the ability to disclose or to exchange that data. It is protected, actually. So if we are listing federal laws that provide special protections to certain health information, CLIA is one of them.

MR. HOUSTON: Yes, and there is an interesting twist to CLIA because it has a timing component.

MS. BERNSTEIN: What does CLIA stand for again?

DR. FRANCIS: Clinical Laboratory Improvements Act.

MR. HOUSTON: It was actually an amendment.

DR. FRANCIS: Yes, sorry.

MS. BERNSTEIN: And we might want to include the Public Health Service Act or 301(d) or 308(d) for the certificates and assurances of confidentiality.

MS. HORLICK: Those are for research, right?

MS. BERNSTEIN: Well, assurances or research and surveillance.

MR. HOUSTON: That actually triggers, even though it is probably not a whopper, again the idea of sequestering research information as part of a record.

DR. SUAREZ: That is FDA.

MS. HORLICK: But it is not all research. It is only — the certificates and assurances both apply to research. The assurances also apply to surveillance, but they do not apply to all research.

MR. HOUSTON: My point is —

MS. HORLICK: Just to make it broader?

MR. HOUSTON: Yes. There might be things that in certain research contexts you can prevent the patient from seeing the research information. So, again, that might not relate necessarily to the exchange between providers, but since we are teeing things up, we probably should make sure we get this.

MS. HORLICK: Like in 45 CFR, the Human Subjects —

DR. SUAREZ: The human subjects protection law, right. I think that is it.

MR. HOUSTON: I think somebody talked about that yesterday.

DR. SUAREZ: I added it as a category of clinical research.

MS. BERNSTEIN: I am confused about what we’re trying to do, because now expanding the definition, I mean expanding the kinds of information in the scope of what we’re talking about very, very significantly. We were just talking about medical records being shared. Now we are talking about research records, student records, all kinds of records.

DR. SUAREZ: We are trying to list federal laws that provide special protections to certain health information. So CLIA provides special protections to certain health information, called laboratory data. FERPA provides special protection of certain health information called school records. FDA human subject protection laws provide special protection to health information related to clinical research. That is what we are trying to do is list —

MS. BERNSTEIN: Do you want to add the Federal Privacy Act which protects health records that the federal government has? There are federal records that are medical records. I mean how broad are we trying to get here?

MR. HOUSTON: I think what we are trying to accomplish here is when we look at a record and we look at subcategories of information within the record, those subcategories, do they have some law that says we need to treat that data specially, as sensitive information? If there is, then we need to make sure we include them. If not, we throw it back off the list.

MS. BERNSTEIN: All right. So let me just back up for a second. On the whole, in privacy laws, the protections for privacy laws do not follow the record except in very unusual circumstances like the substance abuse law. They follow the custodian of the record. So Privacy Act records are covered if they are in a federal agency.

If you move that record to a state, it is not covered by the federal law anymore, it is covered by state law. It might be covered by HIPAA. HIPAA depends on who the custodian is. The custodian has to be a provider, a payer, or a clearinghouse.

An HIE is not covered by any of these things because it is not an entity that is a custodian that is currently regulated like that.

So when you say school records are protected if they are in the school that gets federal funds, once they are properly disclosed outside of that arena, they no longer get protections.

Substance abuse records are unusual in that the protections follow around the record. But that is an extremely unusual case.

So when we talk about these laws that apply to everything, it is not clear to me that just because it has protections where it started out, it is going to have those protections if it gets shared in an HIE. If it gets moved to another covered entity, then it will get whatever protections are appropriate for that entity. If it is a state, then state law; if it is HIPAA-covered entity, then HIPAA. Do you see what I am saying?

DR. FRANCIS: Yes, I see what you are saying, Maya, but I think — here would be the way I would put that point. I think for each of these we need to think about whether it is a definition that follows the data rather than the custodian.

MR. HOUSTON: Exactly.

DR. SUAREZ: A specific type of data.

DR. FRANCIS: Right. All we are saying at this point, without necessarily having — what we are going to have to draft up is if we are committed to the general principle that an architecture should be developed that allows for identification of categories that are defined in certain federal and state statutes, we would like to have a list of those categories, categories where the protection follows the data type. Does that make sense?

I am inclined to think that the research data is actually different than, let’s say, FERPA, because I think with FERPA it is who holds it, but I think — and I really have to think about this — but I think that with data in a research study, it is not who holds it but it is research data. But I am not sure about that.

MS. BERNSTEIN: Usually the constraints of the research are you can’t give it out in that form to anyone else. So it is not moving to anyone else besides the custodian who collected it in that form. It is only getting disclosed once it has been aggregated and scrubbed.

DR. SUAREZ: No, no. And any of the participating clinical research centers, which incidentally could be in any other state, and incidentally are subject to the same law protection. So it is disclosed from one clinical research center to another in two different states, but the data protection of that clinical research data set is protected under the federal FDA law.

MS. BERNSTEIN: Because it is also going to another entity that is also covered. It is not moving outside that entity.

DR. SUAREZ: No, no, it is not the same entity, it is different entities.

MS. BERNSTEIN: Another entity that is also covered by the same law. But during the time that it is in transit, it is not covered in the same way. You have to assure the security of that data, but there is nothing that is regulating an HIE at the moment. That is my point.

If it flows from the University of Michigan to Ohio State University, then if both universities are covered by human subjects research and so forth —

DR. SUAREZ: Well, who says the HIE is the way that the data is communicated? It is not.

MS. BERNSTEIN: Okay, then what are we talking about? I am losing the —

DR. SUAREZ: We are talking about exchanges, not HIEs.

MR. HOUSTON: Let’s be a little bit more basic than this. Whether we have a federal mandate or not, we are trying to identify categories and information for which some sensitivity attaches, or should attach. We are trying to make recommendations.

We may decide in the case of FERPA that there is a compelling reason to make information that is typically subject to FERPA sensitive in the context of whatever, and that we may decide not to, but that we are putting it on the list because we think we need to further examine it because we think it is of potential interest.

MS. BERNSTEIN: Do you think financial data is of potential interest or not?

MR. HOUSTON: Whether we have an obligation or not is something that we think we need — it doesn’t mean we shouldn’t explore it.

MS. MILAM: I am wondering, given the time — it’s about 10 of 4 — when I go back to the letter, perhaps it would be useful for us to identify the different areas of sensitive information, what we heard from the hearings, the different types of special handling, whether we can marry them up or not, and then develop a parking lot for additional work and put FERPA into it, because it is really not a category of sensitive information, but it definitely is a privacy law that would put additional requirements on people who possibly handle that data or receive that data. We don’t know at this point.

MR. HOUSTON: It is something to consider. I think this is a parking lot, and it is only intended to make sure that we don’t miss something. The last thing I want to see with this letter is we publish this letter and somebody says, “Didn’t you realize you still have this obligation under FERPA?” or whatever it might be. And we look stupid because we didn’t think about.

I agree that our primary focus is those things we discussed yesterday, but I think all we were talking about trying to do here, it sounds like, was ensure that we are complete in our evaluation, and if there are other regulations that might trigger us to do something or at least it triggers us to consider them, we should.

DR. FRANCIS: Some kind of a special handling flag, whether it is segmentation or not. These issues came up in the discussion, so what we were trying to do here was brainstorm about what are all the things we ought to be thinking about, which is not necessarily to say they are going to go in the letter.

Do you have an objection to that that you need to talk about?

MS. BERNSTEIN: I just don’t want us to get so broad that we are trying to put every privacy law that might apply to some record, because we can imagine one day that they might hook up to a network. There is health data in banks and there is health data in schools and there is health data — but I don’t think we can make our scope that broad because we are never going to do what John’s goal is, which is to capture everything if we do that. We are going to miss something that way.

MR. HOUSTON: No, no. My goal here today is only to make sure that we have listed those things that we might think are applicable and then ensure that we are not missing something so that when we do this letter, there isn’t some glaring hole. If we can go back to FERPA and look at FERPA or we look at CLIA and say, “You know something? It really doesn’t apply to our discussion here,” we take it back off the list.

All I want to do is the question that was asked, people, what are some of the things we need to make sure we are not missing?

MS. BERNSTEIN: We can always write another letter if we miss something. We can confine ourselves to something manageable, something that we can — I don’t want us to bite off something more than we can chew for a letter which your original goal is you want to be able to get it quickly through the committee in September and you want to bite off a piece that you don’t think will be too controversial.

I think if we try to include everything, it is going to be challenging to do that. We can always go back and expand our —

MS. GREENBERG: Do you see this almost more of a primer on the subject?


MS. GREENBERG: You don’t?

MR. HOUSTON: No, I don’t. Again, all I am trying to do here is as a parking list, as Sallie said, was make sure we’re not missing something so that we don’t come back and we bring it before the committee and they say, What about FERPA or what about this? I want to make sure that we have thoughtfully deliberated those things that we think potentially are in, and we can take them off the table as we are going through this over the next couple of months when we say, “You know something, they don’t apply.”

DR. FRANCIS: Just so everybody is on the same page about this, one of the things we want to try to do is have the recommendation that there should be architectural capacity where there are important special legal definitions. We were trying to make a list of what may be way too many of those in our parking which fall in that. But the general point right now is we want to make a recommendation about architectural capacity for legally defined categories.

MR. HOUSTON: By the way, in thinking about this, and let’s just take FERPA for a second, here is a possibility that a school may become part of an exchange for some reason, to exchange data between schools. I don’t know where this might all go. But if there is an obligation, if two schools decide to exchange FERPA-protected information for some purpose — which I don’t know, maybe it does, maybe it doesn’t happen — maybe it is applicable. I don’t know.

MS. HORLICK: The main issue with FERPA has been that it requires consent, not that they can never disclose the information. So if they decide to obtain consent, they can send it wherever they want, to public health or to their schools.

MR. HOUSTON: Right. But there may be areas where FERPA allows the exchange without consent. I don’t know. I want to make sure we are not missing something and we don’t miss some use case that is reasonable in the context of an HIE, and I keep looking at Sallie because you know more about HIEs than I do. I don’t know who the particular participants may be in an HIE.

MS. MILAM: Schools certainly could potentially very easily be a participant. I know we’ve had discussions in West Virginia with school health, and some of what they wanted to do could easily be done by an HIE. I am not aware of people doing it, but you know, a lot of schools have primary care clinics within the schools as well. So a lot of health care is delivered to the student at the schools, and a lot of schools are looking for an electronic way to capture the data in something that looks more like an electronic health record than the kinds of systems they have been using. So I think it is all evolving.

DR. FRANCIS: The next thing is we listed the categories we heard. What I thought for the last part of the time we have to devote to this now, what I would like to make sure we do is we look at this list, we see if there are subcategories that need to be given special treatment under any of these categories, and if there is anything else that I missed hearing yesterday.

So here is the list. Again, we are not saying that all of these are going to stay on the list. This may be more than we want on the list. But these are the categories we heard about yesterday.

One category we heard about yesterday was domestic violence and abuse. We heard about that as a separate category because there was the worry that the abuser might be upset about the abuse having been reported, or the person who was the victim of the abuse might feel stigmatized or be stigmatized by having been a victim.

So domestic violence — there is no category that is legally defined there. These are all segmentation, possible categories for definition that we don’t have an ex ante legal definition of in the same way we do of genetic information in GINA.

One category, it’s a suggested category in our prior letter, and it’s a category we want to say needs to be defined and an identification capacity created for the potential of segmentation.

MS. GREENBERG: I guess when you asked that question and they expanded on it, reproductive history —

DR. FRANCIS: Different category.

MS. GREENBERG: Oh, I thought you had already gone to reproductive history. I am sorry. So it is not only the fact of the domestic violence and abuse but also the —

DR. FRANCIS: No, no.

MS. BERNSTEIN: Do you want to put that here?

DR. FRANCIS: No. What we wanted to say —

MS. BERNSTEIN: The fact of treatment for domestic violence in the content of the medical record.

DR. FRANCIS: The fact of domestic violence is a category.

MS. GREENBERG: Of information?

DR. FRANCIS: Of information, that might either stigmatize the victim or incite an abuser. That was discussed as a separate category in our hearing yesterday from the ability to flag a record as having a sensitive context.

MR. HOUSTON: Yes, situational —

DR. FRANCIS: So situational flagging. So you might want to situationally flag a record —

MR. HOUSTON: The entire record.

DR. FRANCIS: The entire record, because although an address is not sensitive, you might want to be able to flag the record so people cannot get the address. But you might also want to have the architectural capacity to separate out the abuse victimization because of — people said that as a separate point.

MS. BERNSTEIN: Yes, right, but it didn’t occur to me that you would need to separate the entire record for that, just the parts of the record that — I mean if the woman comes in for something that is not the result of abuse, if she comes in for her annual Pap smear or something, then it’s no big deal. But if she comes in and says she was beat up on such-and-such a date —

DR. SUAREZ: That was the clarification I was asking, because it was clearly the importance of protecting access to information within the record that had nothing to do with the domestic violence. Again, certain people that will try to access it, so the entire record has to be protected.

MR. HOUSTON: The easiest example is the address. The address in and of itself has no significance other than if somebody is trying to hunt somebody down, they are going to go look for the address, and so, out of an abundance of caution, you say there is a point where you say you have to flag the entire record.

MS. BERNSTEIN: Are you saying that instead of just hiding the address as a separate sensitive piece of information, you are going to close the whole record? You are going to hide the whole record?

DR. SUAREZ: No, no.

MS. BERNSTEIN: Instead of hiding the part that indicates that a woman was beat up on such-and-such a date, you are going to hide the whole record?

MR. HOUSTON: You are going to hide the whole record because it might not even be that the woman has been seen — let’s assume that the woman has not even been seen for spousal abuse, that there is no evidence on the medical record that she has actually been abused. But she has a violent ex-boyfriend who is trying to figure out where the heck she is because he’s going to go beat her up, or he’s homicidal, and so therefore, there is a concern that she could be abused or harmed, and therefore the whole record is flagged.

A great example of where this gets triggered, having done PFAs on a pro bono basis — protection-from-abuse orders — I can tell you that often women will come in because of serious threats from boyfriends or from ex-husbands or from husbands, and she may say, “I don’t want him to know where I’m at, I’ve moved out, I’ve moved” — they want to be left alone.

In that particular case, if the boyfriend works in a healthcare environment, in an exchange, he can very well look up the record, and the existence of the record might give him enough information such that he could find out where she lives. I think that that is an example where something very benign, and in fact there is even no evidence of abuse, but a record might be sufficient.

MS. BERNSTEIN: Yes, that is fine.

DR. SUAREZ: I think there is an important distinction that we should make. There is a difference between flagging and segmenting. One thing is to flag from a perspective of an electronic health record system that has a design support tool that flags as soon as I want to try to access the record, entire record or whatever. It will tell me that there are some important things that I should consider when I am trying to access that record, whether I am the registration person at the front desk or whether I am the doctor.

Then there is the segmentation per se, which is an exclusion of access of certain data within the record. So I think it is important to make that distinction from a functional perspective.

DR. FRANCIS: That is right, and that is why we tried to have a recommendation about the situational flagging capacity and a separate recommendation about domestic violence as a category.

MR. HOUSTON: Right. They are both relevant.

MS. GREENBERG: Just like alcohol abuse is a category.

DR. FRANCIS: But as a category for what? What is a category defined as sensitive, for identification as sensitive? There is a difference between having a record be situationally flagged, or part of a record be situationally flagged, and having a separate sensitive information category.

The domestic abuse people —

MS. HORLICK: Are in both categories.


DR. FRANCIS: They are in both.

DR. SUAREZ: Can I comment on the second one? The second is reproductive history including STIs or STDs and HIV tests.

MS. BERNSTEIN: What is an STI?

DR. FRANCIS: Sexually transmitted infections.

DR. SUAREZ: It is really diseases, STDs.

But the comment I wanted to make is there are two parts of this. There is the STD- and HIV-type information, which is sensitive to everyone, and then there is the reproductive history and contraception, as well as the STD and HIV, reproductive history, contraception which is sensitive in the case of adolescents and children.

MS. GREENBERG: No, any woman.

MS. BERNSTEIN: Any woman might have — if you’re Catholic, you might or might not want anyone to know that you are using contraception, or if you’re an Orthodox Jew, for example, particularly your spouse.

DR. SUAREZ: Then if people consider that that’s sensitive across the board — I heard it during the hearing in the context of adolescent health. I didn’t hear it in the context of every —

MS. HORLICK: There is also the example of, if I went to the ophthalmologist, do they need to know whether I had an abortion X many years ago? So it could be any woman’s reproductive history.

DR. SUAREZ: Yes, but what about I go to the OB-GYN and they look at my ophthalmology record. I am just trying to compare certain —

MS. HORLICK: I know, but I am just trying to make a point that I think we are considering reproductive history to be a sensitive category not only for adolescents.

DR. SUAREZ: Right.

MS. BERNSTEIN: It includes things like infertility treatment, abortion. I think for any person who is of an age where their sexual health is an issue, then I think lots of these things are sensitive.

MR. HOUSTON: However, I think the issue of adolescents and sexual health, even though it is the same issue, it actually has different — there are different considerations of why it is sensitive. I mean they are both sensitive on the face in my mind, but with the expansion of the use of personal health records and parents having rights to access information related to an adolescent, certain classes of information should simply not be made available to them.

DR. SUAREZ: Oh, yes.

MR. HOUSTON: That is the reason not only adolescents but I think as an adult, everybody is —

DR. FRANCIS: Could I just add in that part of how we structured these hearings was on the basis of the earlier hearings that we had had. So we have considerable testimony in the record about reproductive history and adults, and what we did not have was testimony about the reproductive history and adolescents.

So when we finally write this, one of the things we are going to do is go back to some of the earlier testimony, to the extent that it is also relevant.

DR. SUAREZ: I think that will be important.

DR. FRANCIS: Yes, that is crucial.

The second category is the reproductive history category.

MS. BERNSTEIN: I just listed some things here in bullets, that’s all.

DR. FRANCIS: Vasectomy and sterilization should be — I mean it is not just men who get sterilized.

MS. GREENBERG: Do you want to call that reproductive and sexual history?

DR. SUAREZ: Sexual and reproductive.

MS. GREENBERG: Because STDs and HIV tests really don’t have to do with reproduction.

MR. HOUSTON: They may or may not.

MS. GREENBERG: I mean there is no reproduction, but still —

MR. HOUSTON: Actually, HIV probably could be separate because you don’t have to necessarily have sexual contact.

MS. GREENBERG: That is true.

MR. HOUSTON: Transfusions. Same thing with hepatitis.

MS. BERNSTEIN: If you want to have a separate category for infectious diseases that are sensitive, we can do that too, hepatitis and HIV and — or other kinds of, even —

MR. HOUSTON: For clarity we should probably say infectious diseases.

DR. SUAREZ: I think the general category in clinical is sexual and reproductive history.

MS. BERNSTEIN: There you go.

DR. SUAREZ: That includes STDs, it includes HIV, it includes contraception, includes sterilization, includes gender change, for example, and other medical and surgical procedures.

MS. GREENBERG: Wouldn’t that artificial insemination, whatever, wouldn’t that belong under there?

MS. BERNSTEIN: That’s two below, down here.

DR. SUAREZ: Contraception, sterilization, artificial insemination, reproductive —

MS. BERNSTEIN: That’s infertility treatment, or fertility treatment if you like it better.

DR. SUAREZ: Gender change, for example, is a very specific —

DR. FRANCIS: Actually, I think I have that later.

DR. SUAREZ: I have a separate category myself.

DR. FRANCIS: Yes, I think we have that later.

DR. SUAREZ: I didn’t see it.

DR. FRANCIS: I think it is down — yes, you may be right, we didn’t have it in there.

DR. SUAREZ: I think sexual orientation is what you had.

DR. FRANCIS: Yes, sexual orientation is an issue.

MS. BERNSTEIN: That’s a different — do you want to put that in here?

DR. SUAREZ: But not gender change. Sexual orientation is different, at least within the context —

MS. BERNSTEIN: It is different than sex-change operation.

MR. HOUSTON: We can look at ways to try to refine this and categorize it in a way that is meaningful. I think we all sort of have a general sense of what we’re talking about here.

We do need to get to the presentation at some point.

DR. FRANCIS: Let’s just look at this list and see if there is anything else that ought to be on the list.

DR. SUAREZ: Certain surgical procedures should be identified as sensitive — cosmetic surgeries, gender-change surgeries, even transplant-type procedures. If we are getting into categorizing certain data of record, I think that would be an element.

MR. HOUSTON: Why transplant?

DR. SUAREZ: Transplants of different types, from cardiac to —

MR. HOUSTON: Why is that a sensitive data type?

DR. SUAREZ: Well, it would be sensitive to those that receive the transplant in many cases.

MR. HOUSTON: I think the clinical relevance is so incredibly strong, whatever their context.

DR. SUAREZ: I am not talking about sensitivity in the sense of limiting access from provider to provider for treatment. I am talking about sensitivity of disclosing information from others and for other purposes.

MR. HOUSTON: We are talking about — this is related to treatment, though. I think we are trying to focus this letter on treatment-related —

DR. SUAREZ: I didn’t get that restriction though.

MS. GREENBERG: No. If you’re dealing with like parents’ access or spouse access or whatever, they are not involved in the treatment.

MR. HOUSTON: The parent is.

MS. GREENBERG: They may be or they may not.

DR. SUAREZ: In my sense the most critical part was there is some need to look at segmentation for treatment disclosures, but more importantly, there is the segmentation for non-treatment disclosures, everything else.

MR. HOUSTON: It should require an authorization.

DR. SUAREZ: Not necessarily. Payment on healthcare operations doesn’t in many cases. In fact if I’m going to bill for mental health services, I’m going to have to bill for mental health services, unless they paid in cash.

Anyway, surgical is another one that I think is important to identify, at least.

DR. FRANCIS: We don’t have any testimony in our record at all about surgical, and we didn’t get anybody about cosmetic surgery.

MS. GREENBERG: Why not? Other than Dan at the end.

DR. SUAREZ: We got about anonymity, I mean in that context, I suppose, but it could be a stretch, I guess, an extension.

MS. BERNSTEIN: Or sex change.

DR. FRANCIS: We did have some comment now —

MS. BERNSTEIN: We have John’s knowledge, which he brought up in the last meeting, which is at his hospital or whatever the common reason for wanting anonymity is cosmetic surgery. Also, we had an offer from the kind representative from AHIMA that he could survey his folks and find out for us, which we might consider taking him up on. Let the record show he is nodding in the background.

MR. HOUSTON: By next week, by July 4.

MS. BERNSTEIN: I am sure that we could consult him and find out what would be a reasonable scope of such a study and what would be a reasonable deadline and whether it would be possible to do that so that we could work it into our September letter.

He is nodding more quietly in the background.

DR. FRANCIS: So the other possible categories, again we had the testimony about mental health information, where we had — I just made a quick list of the distinctions that we had there. We had additional — I wasn’t worrying about — actually, Maya, if this ever gets written, I hate bullets. Take them all out.

MS. BERNSTEIN: I just want to be able to see them now. This is an outline. I am putting it in outline.

DR. FRANCIS: Yes, that makes sense.

MS. BERNSTEIN: It is hard to read from over there, I think.

DR. FRANCIS: We had some distinctions in the testimony between medications, problem lists, danger to self or others, treatment notes, and descriptions of traumatic events. I just want to point that out to people. We have those distinctions.

DR. SUAREZ: We should add also laboratory in that list, because it is not just medications. It is laboratories related to mental health.


MS. BERNSTEIN: The most interesting thing that I think I heard about was that Dr. Ackerman was making a distinction between mental health treatment where a person comes in for mental health treatment and mental health effects of other treatments. So I got dementia as a result of something, like some other medication, or I was delusional — whatever the correct medical term is — I was on steroids and it caused me to have mental health effects, which is not per se mental health treatment, it is just — I don’t want to call it side effect — an effect of treatment — that there should be a distinction. He basically said those things should not be considered sensitive or mental health, right?

MR. HOUSTON: I think his point was that you could have the same set of symptoms that are due to — one might be a mental health condition, others might not be. An example was effects of anesthesia might have symptoms that are identical to certain mental health illnesses, but they are anesthesia-related, and so therefore they are not a mental health issue. Dementia I think is one of those.

DR. SUAREZ: Yes, there are many examples. I think the other part is the difference, I guess, between a mental health record and mental health information within a health record, in the following sense: There are full sets of mental health records, patients who have gone to psychologists, psychiatrists, for years or months, and they have a mental health record. Then there is the consultation done one time at an acute care of any hospitalization, for a psychologist during the hospitalization to see if there was any problem, and there are notes on that. So notes within that full acute-care-record setting are mental health notes on an acute-care record. One thing is segmenting a full mental health record, which is a lot different than segmenting selected mental health information within a comprehensive record.

DR. FRANCIS: And then there were a few more issues that came up in the adolescent discussion that I believe we are going to be getting more information about, including information about adolescent sexual orientation and educational testing, which was not clear that it could come within the idea of mental health information. We weren’t sure about educational tests and so on, things like identification of a learning disability or whatever. Again there I just put in we are not sure whether — people might regard that as mental health information, people might not, but that needs to be clarified.

MS. BERNSTEIN: Do we talk about children and adolescents anywhere here just generally?

DR. FRANCIS: Yes, right there.

MS. BERNSTEIN: This is at the end.

DR. FRANCIS: No, go back up, Maya. Okay, go to recommendations. There, segmentation is particularly important in the case of adolescent medicine where parents and children may have different entitlements to see different parts of the record. In the absence of such segregation, EMRs and interchange are likely to prove particularly challenging for providers of health care to this population. Then we were also observing that there is a labyrinth of statements there.

MS. BERNSTEIN: Are we not going to get more specific about children in this letter? Do you want to, or are you prepared to?

DR. SUAREZ: I have a number of other recommendations down below, so why don’t we maybe finish those?

DR. FRANCIS: Yes. There are some more up below and then there are some more below.

MS. BERNSTEIN: Just the recommendations. Okay, we will go through this now.

DR. FRANCIS: These are additional recommendations, and some of them are redundant, but we might want to look at them.

That there needs to be HHS guidance on clarification. I think that the next one is something that probably goes up, that we have already — it’s a rewording, maybe a better rewording, of what we’ve already said. Best practices —

DR. SUAREZ: Down at the second bullet, I think it should be a standalone bullet that deals with EHRs and functional capability and certification. I think there should be a separate bullet perhaps next to this, and when we reorder this in a final letter, it should be a statement and EHR functional capabilities and then a separate statement about HIE functional capabilities.

DR. FRANCIS: Yes, that makes sense. Then working with industry. I also think we need to have a bullet about education of providers and patients somewhere in there.

DR. SUAREZ: I had it in E, the findings.

DR. FRANCIS: I think you had it down there.

DR. SUAREZ: Well in the findings, but I don’t think I put it in there.

DR. FRANCIS: Yes, you had it in the findings. And then the remaining ones are the categories that we’ve already talked about.

MS. BERNSTEIN: Oh, I see. Okay.

DR. FRANCIS: Whether it’s a separate letter or not, but it is clear that the EOB issue is huge.

DR. SUAREZ: Yes, that is a major, major issue.


I didn’t mention yesterday I got a call about 2 weeks ago from a woman who managed to find me on the Internet, a member of the public, who was basically in tears because her EOBs were going to her ex-husband. They had separated, he was living at another address, but she was still covered under his insurance, and he was receiving all her EOBs and she was not receiving them, and Blue Cross would refuse to change the address or refuse to send hers to a separate address, and so forth, I presume on the theory that he is responsible for payment; he needs some minimum amount of information to see whether the treatment payment or whatever is correct. But she was really, really upset about it.

DR. SUAREZ: You know, Maya, that is even an additional statement because that bullet that is written there about the EOBs is applicable only to — basically, the concept of kids and adolescents and now as young adults after 26. But I think there is that important element of beyond that —

MR. HOUSTON: Any people who used to share a household and who no longer do, for whatever reason, whether they are children and parents or spouses or other family members who were living with you and no longer do.

DR. SUAREZ: And when you combine that issue with the domestic abuse issue, it is a major problem because, yes, the patient who goes to an emergency room because of domestic abuse, well, the bill will come back.

MS. BERNSTEIN: Yes. Do you have something on EOBs somewhere in here?

DR. SUAREZ: EOB is in that bullet that is right above there before the recommendation, that one.

DR. FRANCIS: We need to segregate that out, I think, as a separate bullet, not as a sub-bullet, but something about EOBs.

MS. BERNSTEIN: This says “in most cases,” but we don’t really mean that. It could be ex-spouses, which is quite common, I think. So I am going to make this more general.

DR. FRANCIS: I am going to recommend that we ask Maya to send this around and that people have at it and just send any further thoughts, and then Maya and John and I will try to knock this into a sensible draft and send it around.

Now we need to go to the slides.

MR. HOUSTON: We will take about a half-hour or 45 minutes on this, and Sallie is going to lead the discussion. No? Just kidding.

MS. MILAM: I haven’t even seen the slides.

MR. HOUSTON: Okay. Then Leslie and I will do it.

DR. FRANCIS: We hope we didn’t screw up with these.

MR. HOUSTON: When you leave it to the prerogatives of the chairs, you never know what you might get.

MS. BERNSTEIN: Are we done with this part, this letter?

DR. FRANCIS: Yes. Obviously, anonymity is the same point as the situational flagging. We’ve handled victims of abuse and domestic violence in the two different things, so we can get rid of that last —

MS. BERNSTEIN: Let me make sure exactly what my assignment is before we move to the next thing. You want me to clean this up? Do you just want me to send this to you as is or do you want me to take it out and clean it up?

DR. FRANCIS: Take out that last thing, recommendations regarding other sensitive information.

MS. BERNSTEIN: The whole section?


MS. BERNSTEIN: Because we already did it?

DR. FRANCIS: Right. And accept all the changes and send it around to all of us.

MS. BERNSTEIN: I got it.

DR. FRANCIS: We all know that this is an outline, and it has also got all kinds of comments in it and warts and good stuff like that.

On to the slides.

MR. HOUSTON: Where are the slides? They are on the computer.

MS. BERNSTEIN: I don’t know what we’re talking about when you say slides, but okay.

MR. HOUSTON: The 60th Anniversary slides.

DR. FRANCIS: For tomorrow.

DR. SUAREZ: I have to say since Judith is here that the expediency of our Privacy Subcommittee in drafting recommendations the day after the hearing is going to be challenging for us to meet, when we have our own hearings on health ID. We just had the hearing yesterday and we are already finishing up the draft letter.

MR. HOUSTON: We are fast.

DR. SUAREZ: So that is almost real-time drafting. Trying to meet that is going to be challenging for us.

DR. FRANCIS: Just have a little insomnia.

(Housekeeping discussion regarding finding and showing slides)

MR. HOUSTON: The first couple of slides are simply background, since the Standards and Security Subcommittee and the Privacy — the security component of the Standards and Security Subcommittee were moved over to the Privacy and Confidentiality Subcommittee. What we actually did was we made reference to both subcommittees so that we could at least acknowledge the fact that the Standards and Security Subcommittee had the security component up until 2008.

MS. BERNSTEIN: I was just going to suggest you put the privacy part first so people won’t get that confusion, and then you could understand those people and acknowledge all that.

MS. GREENBERG: Wait. If you go back to that, when did John Lumpkin —

DR. FRANCIS: This is what was given to us by Marietta, I think.

MS. BERNSTEIN: You sent an email when we asked for the names of the last, I don’t know, 5 years of the lead staff and the chairs of the —

MS. GREENBERG: John Lumpkin chaired the Standards and Security Subcommittee after Simon became the chair of the full committee.

MR. HOUSTON: No, no, it would have been before.

MS. BERNSTEIN: Lumpkin was the chair before Simon.

DR. FRANCIS: So this is the full committee.

MS. GREENBERG: Yes, I know, but —


MS. GREENBERG: I think he was if you’re doing the whole decade.

(Conversation off microphone)

MS. GREENBERG: He certainly was on the committee in 2000.

MS. BERNSTEIN: He was before Simon, then he became chair and then Simon became chair.

DR. FRANCIS: But was he chair of the subcommittee or the full committee?

MS. GREENBERG: No. John chaired the Standards Subcommittee before he was the chair of the full committee.

DR. FRANCIS: But the question was whether that was in 2000 or whether that was before 2000.

MR. HOUSTON: It would have been after 2000. I guess we should say “till present,” which is 2010.

MS. GREENBERG: That’s true. Don Detmer left in 1999, so then John would have moved on to chair of the full committee. So I am sorry, okay.

MR. HOUSTON: That is correct.

DR. FRANCIS: And we should do it to 2008 because that subcommittee got folded in, so that should not be till 2010.


MR. HOUSTON: Then the next one — Privacy is still till 2010 then.

MS. BERNSTEIN: Was John Fanning actually ever lead staff?


MS. BERNSTEIN: Was John Fanning, my predecessor at HHS, ever lead staff of the subcommittee?

MS. GREENBERG: Yes, he was.

MS. BERNSTEIN: Well, he told me that he managed to avoid this assignment. Was he ever the lead —

MR. HOUSTON: He was obviously very influential. Out of respect, I think we can leave him on.

MS. BERNSTEIN: Yes. That’s fine.

MS. GREENBERG: I was trying to think of Stephanie’s last name today. Thank you. Kaminsky.

MS. HORLICK: Since the time I have been here, John Fanning was not lead staff, since the time I have been here, in the late 1990s.

MS. GREENBERG: He was right after the first round, around 1990. You could put him there, though. When did he retire?

MS. HORLICK: I don’t know.

MS. BERNSTEIN: He retired in 2005.

MR. HOUSTON: 2007, 2006.

MS. BERNSTEIN: I am sorry, July of 2004, and I started at the Department in February 2005.

MR. HOUSTON: Then for the next three slides, just so you know what we did was we simply listed in chronological order the different recommendations and letters that we put forth.

MS. BERNSTEIN: Let’s go back to that privacy advocate letter?

MR. HOUSTON: I think we have some of these things flipped. We have these two slides flipped. Hold on one second. They should be like that, all right.

MS. GREENBERG: They are busy beavers.

MR. HOUSTON: Yes. I don’t think — this is just a simple listing.

The next one is really a statement as to — this actually comes from the document that is contained within the pamphlet for the 60th, whatever you want to call that document that we put together. We really tried to take one of the key privacy statements out of that document and put it into this slide.

MS. GREENBERG: The other thing with the slides, those previous three slides, you obviously are not going to read those.

MR. HOUSTON: No, but I think we just want to bring —

MS. GREENBERG: Which one of you is presenting, by the way?

DR. FRANCIS: John is going to do the first half and I am going to do the second half.

MS. GREENBERG: Oh, okay.

MR. HOUSTON: I can flip through these slides in like a minute.

MS. GREENBERG: Because each of the other subcommittees, just one person is presenting, but it’s all right.

MR. HOUSTON: Leslie and I can decide.

MS. GREENBERG: It’s okay. If you want to split it up, it’s okay. But I mean here you are not going to obviously read all of those.

MR. HOUSTON: No. All I am going to do is to say that there is rich history of recommendations and letters, just simply literally page through them like this, let people understand the fact that this is sort of the history of the subcommittee without reading them specifically. No, we are not going to do that.

MS. GREENBERG: Are you going to mention any key topics or whatever?

MS. BERNSTEIN: It is hard to absorb those paragraphs when they’re on a slide like that. It looks like a big bunch of words that’s hard to read.

MR. HOUSTON: I think all we’re trying to do here is demonstrate that this subcommittee has accomplished a lot in terms of letters, and I don’t think we’re trying to —

MS. GREENBERG: You just might want to say we’ve addressed a whole variety of issues including marketing, fundraising, whatever, just to give a flavor of it.

MR. HOUSTON: That’s fine. We can do that.

Again, this is taken right from that document we put together, really tries to describe some of the new issues with privacy and security, especially due to the rising interoperability of electronic health records and global access to data and emerging new uses of data and stuff like that. So we wanted to sort of set the stage on why privacy is really fundamentally changing.

MS. BERNSTEIN: They can absorb that.

MR. HOUSTON: And then really coming up with three separate sort of overarching challenges. I think some of these are expressed in terms of the healthcare reform, like cost containment, need to balance individual rights and need —

MS. GREENBERG: Do you want to remove “and” there, the proper balance between what, individual rights?

MR. HOUSTON: Individual rights and the need —

MS. GREENBERG: Do you need an “and” there?

DR. FRANCIS: It should be between individual rights and the needs of society.

MR. HOUSTON: No, between an individual’s — oh.

MS. GREENBERG: It would either have to be “an individual’s” or —

MR. HOUSTON: You’re right. Or you could say “an individual’s rights.”

DR. FRANCIS: And there’s a mistake because it shouldn’t be capitalized.

MR. HOUSTON: All right. Establishing an appropriate privacy and confidentiality security framework. Again, this is done in the context of the prior slide.

MS. BERNSTEIN: Make that a comma instead of a slash because they are not equivalent. And you have a run-on sentence.

DR. FRANCIS: Privacy, comma, confidentiality, comma, and security framework.

MS. BERNSTEIN: Thank you.

MR. HOUSTON: And ensuring that privacy laws do not inappropriately impede efficient and effective delivery of health care. So it is the different balances we see.

MS. GREENBERG: Do you want to say anything — I mean you’ve got balance. Do you want to say anything about trust? That seems to be something that has gone through all of your discussion, or was that in a previous slide?

DR. FRANCIS: Why don’t you say “appropriate privacy” — go back to that — “appropriate privacy security protections are essential for trust.”

MR. HOUSTON: Where, right here? I am sorry, I am missing —

DR. FRANCIS: Instead of saying “appropriate,” say “privacy, confidentiality, and security protections essential for trust.”

MR. HOUSTON: But then we have all these other concepts here.


MS. BERNSTEIN: That is very difficult to absorb no matter what it says. Two big paragraphs like that, you cannot really absorb what it says.

MS. HORLICK: I would actually like either the following slide to go first or perhaps say “challenges for the next decade.” Maybe instead of “how do we balance,” because we all know what we’re balancing, but maybe “colon, balancing privacy and” I don’t know, some other word, “data sharing” or something.

DR. FRANCIS: Why don’t we just say “challenges for the next decade”?

MR. HOUSTON: Actually, I think the only reason why we put that that way was if you look at subsequent slides, there are certain cases where we add another footer(?) below “what are the challenges of the next decade?” Some of them we do, some of them we don’t.

DR. FRANCIS: Call that, how about “an overview”?

MS. BERNSTEIN: So that’s the challenge’s overview? We have to consider all these things, and then you have the —

MR. HOUSTON: You mean like this?

MS. BERNSTEIN: Yes. I think that’s better.

MR. HOUSTON: Yes, Leslie, is that what you want? Okay.

MR. HOUSTON: I think, then, to Marjorie’s point —

MS. GREENBERG: I am just trying to think of some of the key things you’ve talked about over the years.

DR. FRANCIS: If you go to the next one —

MS. GREENBERG: “Establishing the proper balance between” —

DR. FRANCIS: “Confidentiality and security framework,” just put after that “essential for assuring trust.”

MR. HOUSTON: For establishing trust? Actually establishing a privacy — essential for — actually we could do this.

MS. BERNSTEIN: Can I make a suggestion about the first bullet?

MS. GREENBERG: I think the third one is certainly true there, but I don’t know — well, I haven’t seen the next slide, but it is the whole area of secondary uses or research, population health, whatever —

DR. FRANCIS: Let’s go on and see —

MS. GREENBERG: Let’s see what it says next.

MS. BERNSTEIN: Can I make a comment on this bullet before we go on? May I do that?

DR. FRANCIS: So you’ve got new data types, new data flows — new data types, new structures of data, and new data flows. Then we’ve got — and here was where trust came in.

MS. GREENBERG: Well, now there you have it.


MS. GREENBERG: So you can take it out of the other one.

DR. FRANCIS: Then we did “values in tension, trust, individual rights and choices, improving health care, cost effectiveness, public health and biosurveillance, research.” That shouldn’t have a capital C.

MR. HOUSTON: By the way, the reason for the last bullet, this is an issue of tension and there is again a great —

MS. GREENBERG: What are you saying about access to data for commercial benefit?

MR. HOUSTON: This is the tension. These three are in tension.

DR. FRANCIS: These are tension. People want it.

MR. HOUSTON: We are not advocating the use of data for commercial benefit but that the desire to use data for commercial benefit is clearly out there, and we are just identifying the fact that it exists.

MS. GREENBERG: It is just that you’ve made sort of normative statements in the first two, “appropriate security,” da, da, da, “protections to maintain trust, protect rights” —

DR. FRANCIS: I am happy to take it out. Just dump it.


MS. GREENBERG: Otherwise you would have to say something about it, I think. It hasn’t been a major — well, it is, at some points it has been a major focus, actually.

MS. BERNSTEIN: I am still concerned with the first bullet and how it relates to the next slide. I have not been yet recognized.

DR. FRANCIS: I am sorry. I didn’t understand what your problem was.

MS. BERNSTEIN: I have an issue with the first bullet I would like to express. We haven’t gotten there, on this slide.

DR. FRANCIS: On which slide?

MS. BERNSTEIN: The one that John just left, that one, where it says “proper balance.” I really don’t like the concept of proper balance because it implies that as we get more individual rights, we somehow get less of whatever else there is, or as we get more societal needs, we get fewer individual rights.

I would rather think of the world as like a rising tide lifting all boats, that when you get more privacy, we want you at the same time to get all these other things and find a way to do both.

DR. FRANCIS: How about “protecting an individual’s rights” or I would say “protecting individual rights,” that’s what I would say, “protecting individual rights,” because it is more than just an individual. So “protecting individual rights” —


DR. FRANCIS: No, not “while.” I was going to say “protecting individual rights,” period, end.

MS. GREENBERG: That gets into the whole issue of the extent to which people have a right to privacy.

DR. FRANCIS: Yes. We are not going to say that. We are just going to say “protecting individual rights” and then new bullet, “respecting the needs of society.” Those are all challenges.

MS. GREENBERG: I will say, too, that whatever you present tomorrow, you can always modify it or clean it up or whatever before we put it on the Web.

MS. BERNSTEIN: I think you have a similar issue with the next slide that you were also working on that has the same kind of message. It’s the idea that these things are in tension. It is a challenge to get all of them at once, but they are not competing with each other necessarily. I think we think of them that way, but the idea — we think about having privacy as meaning we get less good health care. But it is not true. People don’t come in for health care if they don’t understand that their privacy is protected. People avoid care.

So I want to get the sense that we have these challenges, but not that they are necessarily in competition with each other but that —

MS. GREENBERG: Then why not say “values”?

DR. FRANCIS: Why not say “respecting many values”?

MS. BERNSTEIN: There you go.

MS. GREENBERG: Wasn’t there a previous one about balance, though?

MS. BERNSTEIN: We just fixed that one.

MS. HORLICK: I hear what you’re saying, Maya, but I know in public health it has always been the balance. These changes are happening, data is moving, and so how do we do this and do it right so that we balance what we need to protect the public’s health, to do research, to get good quality health care and still protect the rights of individuals? So I understand —

MS. BERNSTEIN: I just don’t like the word “balance.” I agree with what you’re saying, because the word “balance” to me implies that as you get more of one, you get less of another, where we can get more of both at the same time.

DR. FRANCIS: Let’s just say “respecting many values,” okay?

Now let’s go on to the next one, “identifying issues,” and here we had a list of some of the issues that were treated in our symposium at Utah, and then indicating what — so if you just make that look — it is not the top of the slide — if you make it look like what we can see, you will see —

MS. GREENBERG: I am glad you have a slide from the conference.

MS. BERNSTEIN: It does occur to me that we can elevate all the bullets one level, because we only have one top bullet.

DR. FRANCIS: If you do too much, you’re going to be in trouble —

MS. GREENBERG: What you could do is just say the conference sponsored by NCVHS identified many high-priority issues for privacy, and then —

DR. FRANCIS: Yes, just take it out, because now you’ve got it too big.

MR. HOUSTON: I was going to change it, make it smaller.

MS. GREENBERG: Are you asking, is that the top of that slide right now? Do you want to say “current work” or something?

MS. BERNSTEIN: That’s a question about the title? That’s what we’re doing now, what we’re working on next or in the coming year?

MR. HOUSTON: How about that, “current priorities,” “current activities”? Give me a word.

MS. BERNSTEIN: Maybe instead of our priorities — our priorities are not the hearings. The hearings are a steppingstone to what — our priorities are making recommendations? The priorities are giving the Secretary advice. The hearings are a tool. You can say we had hearings.

MS. HORLICK: Maybe the first bullet might be the recommendations on that, and then the second one might be hearings on governance.

MS. GREENBERG: When you present this, you can say in fact we had a hearing on this subject two days ago or something.

MR. HOUSTON: Should we say “recommendations regarding the categories and treatment of sensitive health information”?

DR. FRANCIS: Just say “categories of sensitive health information,” and we can elaborate in the discussion.

MR. HOUSTON: All right. Is that it? That is the last slide. I can send this in.

MS. GREENBERG: Thank you.

DR. FRANCIS: Are we adjourned?

MS. BERNSTEIN: You’re the chair.

DR. FRANCIS: We are adjourned.

(Whereupon, at 5:10 p.m., the meeting was adjourned.)