[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

Full Committee Meeting — Plenary Session

June 20, 2007

National Institutes of Health
Natcher Center
Bethesda, Maryland

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091

TABLE OF CONTENTS


P R O C E E D I N G S (9:00 a.m.)

Agenda Item: Call to Order, Welcome and Introductions, Review of Agenda

DR. COHN: I want to call this meeting to order. This is the first day of
two days of meetings of the National Committee on Vital and Health Statistics.
The National Committee is a statutory public advisory committee to the U.S.
Department of Health and Human Services on national health information policy.
I am Simon Cohn. I am Associate Executive Director for Health Information
Policy for Kaiser Permanente and Chair of the committee.

I want to welcome committee members, HHS staff and others here in person
for our second meeting of 2007. I also welcome those listening in on the
Internet.

I do want to remind everyone, because we are using a different microphone
system this time, you need to bend over and get close to the microphone.
Otherwise, people are not going to be able to hear you.

I want to thank the National Institutes of Health for hosting us at the
Natcher Center for this meeting. It is a very nice room and very nice table for
us to have discussions at for today, tomorrow, and for the other subcommittee
meeting on Friday morning.

Let’s have introductions around the table and then around the room. For
those on the National Committee, I would ask if there are any conflicts of
interest to any issues coming before us today, would you so publicly indicate
during your introduction. I want to begin by observing that I have no conflict
of interest.

MS. JACKSON: National Center for Health Statistics, Debbie Jackson,
committee staff.

DR. FRANCIS: Leslie Francis. I am professor of philosophy and law at the
University of Utah. I am a member of the committee and I have no conflicts.

DR. STEINWACHS: Don Steinwachs, Johns Hopkins University, member of the
committee, no conflicts.

DR. GREEN: Barry Green, University of Colorado, no conflicts.

DR. OVERHAGE: Mark Overhage, Regenstrief Institute and Indiana University,
a member of the committee, and I have no conflicts.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention,
liaison to the full committee.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina,
member of the committee and no conflicts.

DR. WARREN: Judy Warren, University of Kansas School of Nursing, member of
the committee, no conflicts.

MR. HOUSTON:John Houston, University of Pittsburgh Medical Center. I am a
member of the committee and I have no conflicts.

MR. LAND: Daryl Land, Executive Director of NASIS, member of the committee,
no conflicts.

MR. SCANLON: Bill Scanlon from Health Policy R&D, member of the
committee, no conflicts.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the committee,
no conflicts.

MS. TRUDEL: Karen Trudel, Centers for Medicare and Medicaid Services,
liaison to the committee.

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the
committee, no conflicts.

MS. MC ANDREW: Susan McAndrew, Office for Civil Rights, privacy liaison to
the committee.

MS. BEALE: Alison Beale, American Health Information Management
Association.

MS. BITFORD: Carol Bitford, American Nurses Association.

DR. FRIEDMAN: Hayley Friedman, American Academy of Pediatrics.

MS. RIAZ: I am Fatima Riaz from Booz Allen Hamilton. We are supporting the
AHED Quality Work Group.

DR. CONNELL: Mike Connell, American Dental Association.

MS. KANAAN: Susan Kanaan, writer for the committee.

MS. FRIEDMAN: Maria Friedman, RxHub.

DR. COHN: Welcome, everyone. Before we move into the agenda review, let me
make a couple of opening comments. First of all, I want to congratulate Don
Steinwachs on his new role as interim provost and academic vice president of
Johns Hopkins University. We are very pleased to have you join us in your new
role. So congratulations.

DR. STEINWACHS: Thank you very much. I have decided the interim job is
really the best job. They don’t expect too much, and you might actually do some
good, who knows?

DR. STEINDEL: Simon, if you are going to congratulate people, I’d like to
congratulate Judy Warren, who got an endowed chair at the University of Kansas.
I think she has a picture of it for anyone who wants to see it.

DR. COHN: Steven, thank you. You stole my thunder, because that was my next
comment. Judy, congratulations. I just wanted to congratulate you in public. If
any of the others of you get endowed chairs or become presidents of
universities between now and the next meeting, we will make similar
announcements.

We have a very full meeting today and tomorrow. The activities of the
committee continue at a fast and I would observe, accelerating pace, reflecting
the increased importance of federal attention being placed on health
information technology, and of course the role it can play to improve the
quality and cost of health care, as well as the health of all Americans.

Within HHS, Secretary Leavitt continues to consider promotion of
interoperable HIT, one of his key issues. His leadership in this area has
really been phenomenal. And of course, in all of this, we the NCVHS continue to
play an important role advising the Secretary and the Department directly, as
well as providing expertise and liaisons to other HHS initiatives moving the
vision of the NHII forward, including our liaison activities with a number of
the AHIC work groups.

I should also mention that recent work products of the NCVHS are now being
increasingly actively utilized within HHS. Specifically, the excellent report
on privacy and the Nationwide Health Information Network, as well as our report
on functional requirements for the initial definition of a Nationwide Health
Information Network are now part of the recent Office of the National
Coordinator RFPs that have just come out, and I think will be due sometime in
mid-July.

Also since our last meeting, we have formed a new ad hoc work group on
secondary uses of health information. Specifically, we have been asked by HHS
and the Office of the National Coordinator to develop an overall conceptual and
policy foreign worker that addresses secondary uses of health information,
including a taxonomy as well as definition of terms.

We have also been asked to develop recommendations to HHS on needs for
additional policy guidance, regulation and/or public education related to
expanded uses of health data in the context of this evolving and developing
Nationwide Health Information Network. This of course is with an emphasis in
the areas of quality measurement, reporting and quality improvement.

I will be leading that work group, but I really want to thank Harry
Reynolds and Justine Carr for so graciously being willing to be co-vice chair
of this effort. I will be depending on them significantly, as will the
functioning of that work group. I also want to thank the members who have
volunteered and been drafted at this point to be members of the work group.
That includes Paul Tang, Bill Scanlon, Mark Overhage, Kevin Vigilante. I also
want to thank the many of you who responded to my e-mail a couple of weeks ago
asking for either fuller involvement or being in the reviewer status for the
duration of this. I think most everyone has responded that they are at least
willing to be a reviewer, so I want to thank all of you for this participation.

I should also mention the various liaisons that will be represented on this
— be functioning with this ad hoc work group. Kelly Cronin from ONC, Mary Beth
Tarquar from AHRQ, John White from AHRQ, Mike Fitzmaurice, who I can mention
his name since he is not here, from AHRQ, Steve Steindel, here today, Karen
Trudel. I think we also are petitioning another CMS representative to be
involved in that?

MS. TRUDEL: Actually I won’t be representing this, but there will be two
other CMS representatives won’t will be able to a attend this meeting, but will
be on board for the next session.

DR. COHN: Great. We can’t do this stuff without staff, and I want to
particularly thank them, Jim and Marjorie, and I want to thank Debbie Jackson
for serving as the lead staff. I really appreciate your work on this, and
Kathryn Jones, Maria Squire.

We also have Margaret A., who is the lead consultant on the project, and I
want to thank Booz Allen Hamilton and Fatima Riaz, as well as Christine
Anderson and Erin Grant. One of them will be calling in tomorrow, the other one
is on vacation this week, who have been also assisting the work on all of this.

So anyway, we have got a lot going on. This is going to be in some ways
like the NHIN ad work group in terms of being very fast paced. We expect to be
having draft recommendations and report for everyone to review in September, so
we will be spending a fair amount of time tomorrow, and I will talk about the
changes to the agenda that will occur for tomorrow. We will spend a fair amount
of our time on briefing and discussion, providing background in this whole area
so both the background group as well as the full committee has a broader
context for the conversation and understanding of what we are going to be
doing.

MR. HOUSTON:You said that one of the things that is within the purview of
this ad hoc work group is suggestions or recommendations for regulatory change.
Can you expand on that and what the scope of that is?

DR. COHN: I think I will bypass that one for the moment. We will talk about
that tomorrow. I don’t believe that our initial intent is to be involved with
legislation for this. The question is whether or not we need to be recommending
to the Secretary further guidance or whether there needs to be something — and
the issue of further guidance on regulation versus modifications to regulation
is a fine line.

So did I sidestep that one appropriately?

MR. HOUSTON:No, that was a fair answer.

DR. COHN: I think we will know more as we get into it exactly what the
landscape looks like in this area. As I said, we will be talking about this
more tomorrow, and the ad hoc group will be meeting at the end of the day
tomorrow and into Friday morning.

I did also want to comment briefly on the May executive subcommittee
meeting and some changes to meeting structure that had been recommended by the
executive subcommittee.

While the main focus of the executive subcommittee was on reviewing what we
did last year, plans for the remainder of this fiscal year and next, we did
spend some time reviewing committee function. As mentioned, the committee is
getting busier and the agendas are becoming much fuller. We will be meeting
until 3 o’clock tomorrow as a full committee.

The issues we are dealing with are also becoming increasingly complex and
interrelated. We have all seen the need for increased cross fertilization
across subcommittees and work groups.

Good morning, Marjorie.

MS. GREENBERG: Good morning. Don’t ask.

DR. COHN: Yes. An important first step which we initiated as a result of
our last full committee strategic retreat has been to expand the discussion of
issues that are being discussed at the subcommittee and work group level to
come before the full committee early on, so we can provide input and guidance.

We have also established time limited ad hoc work groups on specific issues
that typically include members with a wide variety of perspectives and skill
sets. We were just talking about the second one of those that we have
developed.

While we think that there is progress being made in this area, we believe
that more needs to be done. As an immediate next step, I have asked chairs to
be especially vigilant in identifying these areas of overlap and making sure
that we are getting consultation from the appropriate subcommittees and work
groups on the appropriate issues.

We are also moving subcommittee and work group reports to the beginning of
the committee meetings to enable early vetting and discussion of work underway
in our meetings, as opposed to something which we have historically done at the
very end as everybody is getting ready to leave. So hopefully we will spend at
least a couple of minutes talking about the work going on in the subcommittees
and work groups.

Additionally I will also be having conversations with a number of you about
your participation on subcommittees and work groups, not so much with the idea
of insuring greater participation, but more just exploring the idea of getting
some people, what I would describe as a little bit out of their comfort zone in
terms of their committee participation and involvement. I think many of us have
observed that all the standards people are in standards, all the populations
people are in populations, and it goes on and on, and we need to think about
maybe mixing this up a little bit.

I think Don is going back to being provost again. It may be easier.

Finally, to assure that we have time for important discussions as a full
committee, we have also decided at least on a trial basis to reduce the number
of routine reports from the Department that normally occur on the first
morning. Instead, we are going to be replacing them with written briefings, and
we will from time to time engage the various departments and agencies with more
substantive conversations. We will have a little more time to talk about the
issues coming before the various groups.

These changes are reflected in the agenda that we will look at today. Let
me just briefly go over the agenda and talk about the lay of the land today and
what happens for the rest after the adjournment.

As soon as I am done, I am asking Justine Carr to lead off with a
discussion of subcommittee and work group activities. I have asked Don
Steinwachs to give a brief review after that. Depending on how our time goes,
my intent was to have Harry Reynolds talk about standards and security, and
then Mark Rothstein. We will need to play with timing a little bit. We may ask
you to lead off that conversation before your letters as the day goes on, and
provide the discussion at that point, but we will play that by ear.

Following this is a presentation by Karen Trudel of CMS and Harry Reynolds,
one of our co-chairs for standards and security, providing an overview of the
first orientation of the 5010 transaction which you see up on your screen.
These are updates to the currently approved HIPAA transaction standards, and
hearings are going to be held by the standards subcommittee during the summer
on this, with recommendations coming back probably later this year or as
appropriate.

Then after you morning break, we take up two letters being brought forward
by Privacy and Confidentiality for our consideration. After lunch we have two
letters from Standards and Security. Finally, we have a letter being brought up
by the Populations Subcommittee on data linkages.

We will be adjourning as a full committee about 3:15, and have various
subcommittee and work group meetings happening this afternoon both in this room
and Room D, also followed by Quality later on.

Now, committee and staff dinner tonight is at Jaleo’s at 6:30, so it is a
little earlier than our usual dinner. This is the Bethesda Jaleo’s, not the
downtown one. I thought maybe we would take the opportunity at this point to
get a show of hands. We will let people think about dinner. We will grab
everybody right before lunch and see who is going to be coming for dinner.

With that, let’s begin our subcommittee work group update and discussion.
Justine, would you like to lead off?

Agenda Item: Subcommittee and Work Group Activity
Scan

DR. CARR: Thanks, Simon. We held a hearing yesterday. This came about from
a conference call that many of you participated in in February and also
followed up on in a conversation we had with Carolyn Clancy.

There is a lot going on in quality, and we don’t want to duplicate what is
going on. The role of the hearing yesterday was to identify how is quality
being served by the information resources available today. So we had an array
of superb speakers, absolutely superb, talking about the transition from paper
to hybrid and to some electronic elements.

I just had a couple of bullet points that we learned from this hearing
yesterday that will inform what we do going forward. Clinical outcomes are
getting better. Transparency is increasing. The public is becoming engaged.
Metrics are becoming refined by blending administrative data with clinical
elements. We heard some very elegant science related to that yesterday.
Physicians and other clinicians as well as senior leadership are getting
involved, collaboration is increasing. Public reporting in and of itself is
improving participation as well as outcomes.

Then we also heard about the administrative burden, which is large and
growing, as we are navigating both electronic and chart abstraction. The
financial commitment is large and growing, both for FTEs to do the abstraction
as well as for taking the step into the world of the electronic health record.

This afternoon, the Quality Work Group will review what we heard yesterday,
and think about the themes that we want to emphasize. We are also going to take
a look back at some of the reports that have been done, going back to May of
’04, where we had some 20 candidate recommendations, and take a look at where
we are with those and rank some of the work that we have done over the last
couple of years to inform what we do going forward.

Questions?

DR. COHN: Thank you for the early view of activity. Very good hearing
yesterday. Don?

DR. STEINWACHS: Let me just bring you up to date on where we are. Simon did
let me go to Alaska for two weeks to study the populations, but it turned out
these weren’t very human populations. There seems to be a lack of humans in
much of Alaska, but I wanted to add that report to my further inquiries into
health in America.

We have two major areas that we are pursuing. One is on data linkages,
looking for how to enhance the opportunity to link data sets that can tell us
more about the health and well-being of populations. Some of these linkages as
you well know link surveys to administrative data such as Medicare or Medicaid
data sets, to things like the health interview survey or other surveys, so they
provide a level of detail and a level of potential.

Out of the hearings that we had, we have a letter that we are bringing
forward today to try and improve some of the access to linked data sets. The
other issue that we are hoping to address in the near future, be talking about
in our committee meeting today, is ways to facilitate how quickly you can put
linked data sets together or get access to them within government agencies, as
well as the outside. Much of the letter discusses more outside arrangements.

Linkage also raises privacy concerns. One of the things that I am hoping we
will discuss today is whether or not we ought to be talking more in the Privacy
Committee, Confidentiality, about having something that may be a joint effort
to try and look at some of the regulations, laws, other things that make it
more difficult to put data sets together. Immediately when you create linked
data sets, almost always you have a privacy problem, because now you know much
more detail about someone, either geographic or otherwise.

The second area is on surge capacity. We had a one-day set of hearings. I
am going to ask Bill if he can say a couple of things about next steps, because
we have a working group on the next steps.

MR. SCANLON: It was a very good hearing back in January. I think it
illustrated the fact that this surge capacity issue is rather broad. You can
think about it starting with the issue of hospital capacity and hospitals’
ability to deal with a surge in cases of various types, but it goes beyond
that. It goes into the emergency medical systems and response of systems within
communities to the work force, to the availability of supplies that you can
bring into communities, et cetera. Then there are multiple types of problems in
the sense of how do you do with a Katrina type case, where the capacity that
you might have been relying upon is now gone completely, versus another type of
situation where you have got a catastrophe and you can take advantage of the
capacity that you have been building over the years.

While that was all interesting, the issue that we face is that we are a
data committee, we are not a catastrophe policy committee. So therefore, we did
hear some testimony about the data collection related to surge capacity. That
is the area that we are pursuing now. What we are doing is, we are going back
to some of the participants in the hearing to talk with them more about which
avenues would be potentially most productive for us to pursue, and we will put
together another hearing for the late fall or early next year on the basis of
the advice that we get from these individual participants.

DR. STEINWACHS: Two other things quickly. One is that Bill has been serving
as our link to the Board of Scientific Counselors for the National Center for
Health Statistics. There are discussions there trying to build stronger
collaborative activities. Data linkages is one of those areas.

There are other issues too that come up for discussion. Funding has been
one of the concerns that the National Center for Health Statistics has and was
talked about at the executive subcommittee meeting. So some of these areas are
shared.

We did seek at the last meeting of the Board of Scientific Counselors their
input on the draft letter that we are bringing forward today, the idea that
those areas that are mutual concern, we ought to be getting the input and
participation to the extent that members of the Board of Scientific Counselors
have an interest and have time to do so.

So I think that is making some progress. Again, it is a series of many
steps as we march along, because they are very busy with their own agenda, but
yet looking for ways to draw that together.

The last is that we still have on our plate for discussion, and I am hoping
today we will have a chance to talk about next steps, is the idea that the
committee would move ahead to look at in my view the updating of the report
that we did over five years ago on health statistics for the 21st century.

Part of that updating it seems to me in looking at it again brings in
electronic health records, brings in other issues that were not as central, and
maybe some things that were not as concrete. So that is a great conceptual
foreign worker and part of what would help the subcommittee and I would hope
the whole committee to take some steps to make some of those things more
concrete, and to keep the life and vitality in this. I think unless we keep
coming back to it at periodic points, it will disappear into the shelves. It
seems to me it is a very useful foreign worker as we move ahead.

So that is what is on the agenda right now.

DR. COHN: Questions, comments for Don? Harry, I think I had you on next.

MR. REYNOLDS: As you can see, we brought two letters forward today. We will
be talking about the 5010 in a little bit to give you a sense of the next set
of standards that are going to be coming out and what impact that is.

After that, there may be some other standards that could be appearing soon.
One will be claims attachments, which we have discussed in here briefly before.
ICD-10 obviously is still in everybody’s horizon. That would be one — we are
talking about primers today, that would be one that we would probably have a
couple of primers to get everybody completely aware of what that was as a full
committee before we would take action on that.

We need to continue to monitor the NPI implementation. As you know, that
has been moved to May of ’08 for implementation. We do have a responsibility as
we have all along, every time we have a hearing, to continue to at least keep
an eye on that and the status, and make any further recommendations on how
things are going.

Then we are going to talk this afternoon in our breakout group about how we
want to continue to stay involved in any recommendations on how to continue to
make the progress better. You will see our streamlining letter today, but also
as we have seen with HIPAA, we wrote a lessons learned from HIPAA, and now we
are seeing some of those lessons that got learned in NPI, some that maybe we
haven’t all learned completely well yet. So we need to continue to stay
diligent as a group in trying to help the industry get better, because we are
going to have these rolling out continually. It is something we need to
continually take a look at and see what benefit we can offer to that process.

So that would be where we are headed as it is right now. I’ll take any
questions. Thank you.

DR. COHN: Mark.

MR. ROTHSTEIN: Good morning. Later this morning we are going to consider
two letters from the Privacy and Confidentiality Subcommittee, the first
dealing with the relationship between FERPA and the HIPAA privacy rule, and the
second dealing with the currently non-covered entities. I will defer until then
a discussion of that.

I just want to bring you up to date on what our current activity is and our
plans for bringing that activity to completion and back to the full committee.

There is a provision in our June 2006 letter on privacy in the NHIN, in
which we say HHS should assess the desirability and feasibility of allowing
individuals to control access to the specific content of their health records
by the NHIN, and if so, by what appropriate means. We also say that if
individuals are given the right to control access to the specific content of
their health records by the NHIN, the rights should be limited, such as by
being based on the age of the information, the nature of the condition or
treatment, or the type of provider.

That is an important statement, but it is pretty general. What we have
attempted to do over the last couple of months is to add some level of detail
to that recommendation for the benefit of the Secretary and others working on
this NHIN initiative.

We held a hearing in April, in which we sought the input from many of the
people who would be affected by any recommendation we would develop, such as
physicians from specialty practice areas, the American College of Obstetricians
and Gynecologists, the American Psychiatric Association, and an addiction
center. We also heard from more primary care docs, from the American College of
Emergency Physicians, the American Academy of Family Physicians, and the
American College of Physicians, and others as well.

We held a meeting yesterday, a substantially all-day meeting, of the
subcommittee in which we by the end of the day reached agreement in principle
on directions to go in this. If you think about this, this is really the
fundamental privacy in the NHIN, what degree of control of the information,
even within clinical settings, should the patient have. It is a very difficult
question, because you are balancing quality of care with privacy and public
health and all sorts of things.

At any rate, our plan is the following. We are going to have a draft letter
circulated to the subcommittee members in mid-July. We are going to schedule a
series of conference calls of the subcommittee members. The goal is to have a
letter to the full committee for our September meeting.

Because of the importance of this, I would like to follow a practice that
we started with our NHIN letter a year ago, that is, make the conference calls
available to all the committee members, not just the subcommittee members, and
distribute drafts of our letter to you and invite you to participate. Obviously
you are not required, but you may have some input that would be very valuable
to the subcommittee. So that is our plan over the next few months.

DR. STEINWACHS: Mark, has there been any communication between your
subcommittee and what is going on in HITSP, in the security and privacy
technical committee? They are really exploring in depth the questions
concerning how to encapsulate the privacy issues with the present security IT
infrastructure. They have produced a list of standards that might be
considered, and that was put out for comment about three weeks to a month ago.
They are now working on their second set, and meeting vigorously right now in
San Diego.

MR. ROTHSTEIN: I have had no dealings with them. I certainly think it would
be appropriate at some point. I’m not sure the degree to which their new
standards are attempting to incorporate these kinds of global privacy issues.
Are they?

DR. STEINWACHS: I think that is why I brought it up. Initially, the first
meetings of the technical committee involved the discussions of whether to
confine it just to the HIPAA area. There was very vigorous discussion and a
general consensus that it needs to be expanded beyond that. They are
considering the NCVHS privacy letter as a guiding force.

MR. ROTHSTEIN: But the letter, as wonderful as it is, does not provide
sufficient detail for someone to develop standards.

DR. STEINWACHS: That is what they are providing. They are using it as a
guiding principle type document and asking the questions of what type of
standards exist that can implement some of these features; do they exist, do
they not exist, what is needed, how far should the standards go in today’s
world to allow the free convey of information that is needed for certain
aspects of the NHIN, and how much of it should be restricted. One of their main
discussion points is the level of control and how do we have control mechanisms
attached to the data.

MR. HOUSTON:I’m interested, is HITSP’s focus primarily, on the privacy
implications on the security standards? Or how far are they — I don’t know how
to say this. What is the balance between privacy and security on this
particular activity?

MR. ROTHSTEIN: is part of their discussion. Obviously what they are charged
to do, because they are HITSP, is to make recommendations to the Secretary with
regard to what standards should exist in this area. But I think we are all very
well aware that — and as pointed out in our privacy letter, the articulation
of standards to use cannot happen within a vacuum. There has to be policy
behind it.

So they are drifting into areas where they discuss where the policy is
weak. I think just this week, I believe, if not the latter part of last week,
Dr. Kolodner announced that there will be something coming out of the Office of
the National Coordinator with regard to health care privacy within the next few
months.

MR. HOUSTON:My concern is, it is a lot easier to develop security standards
because they can be more concretely drafted. I understand why they want to
encompass privacy. So I am just trying to figure out where things start and
stop.

But also, to your point about what Kolodner is advocating doing, it really
does demonstration there is an amount of disjoint here in terms of who is doing
what and how everything works together, and the timing. I think these are just
examples of that. We have talked before, but I think it is meaningful to try to
get everybody on the same page and decide what everybody’s roles are and what
everybody is going to be working on, so we don’t all end up either doing things
that are out of sequence or become moot because of the timing of whatever
someone else has done.

DR. STEINWACHS: John, I think that was really the essence of my main point.
I just wanted to make the privacy subcommittee aware of these discussions, and
perhaps they might want to consider reaching out and finding out exactly what
is going on with them.

MR. ROTHSTEIN: I think that is a very good suggestion. I would have an even
broader suggestion. I think it would be very helpful if we could have a
meeting, and around the same table have the OMC people, the HITSP people, the
NCHS people and so forth, and everyone say what it is they are working on and
what their plans are. We are on the same team here, and we should coordinate
that.

But I don’t think it is our role to make that happen, because we are all
advising the Secretary. I think it probably ought to be ONC that coordinates
that. I can’t tell them what to do. Maybe Simon, in your mysterious ways, you
could make this happen.

But I think we would all be well served by having a discussion of where
everybody is, so we are not stepping on each other’s toes or leaving gaps in
this area.

DR. COHN: Well, let me say that I am worried less about stepping on toes
than I am about leaving gaps. I think that is the bigger danger. This is an
area I would rather see more than too little. I do think it is one of our roles
as advisors to help bring people to the table.

I think we will be seeing some of these groups potentially testifying as we
talk about secondary uses. Maybe there is a way to find out a little more about
what else they are doing in this area. If you think about it, some of the
secondary use conversations do begin to insinuate into the privacy
conversations, so we can certainly begin to get into some of that.

Now, as Chair I am happy to continue to engage in conversations with the
various groups that you are describing about how everything works. But there is
also a role for the Privacy and Confidentiality Subcommittee to invite in open
session the various groups that we were just talking about, so that everybody
can hear what everybody is doing, and if there are data gaps or any issues that
we are hearing. So I would certainly invite Privacy and Confidentiality to
consider this at a time of their choosing as a topic for our next hearing.

MR. HOUSTON:You also need to involve the Standards and Security people. I
think it is right up their alley as well, at least as it relates to what HITSP
is doing.

DR. COHN: That’s true.

MS. GREENBERG: I’m just trying to sort out all the groups and which ones we
are represented on and which ones we aren’t. Obviously we have our own
subcommittee, and then AHIC has a privacy — is anyone around the table
participating? You are participating in that. I would think they would be
pretty closely aligned with the HITSP, but that hasn’t come up there?

MR. HOUSTON:I don’t want to say they are aligned. I don’t see that, let’s
put it that way. I believe there has been some discussion about it, but I don’t
think anybody is doing things with the level of coordination we are expressing.

MS. GREENBERG: It is my understanding that the HITSP is driven by these use
cases which are given to it by AHIC. They had decided they would form a work
group to look at the privacy implications of all these different use cases, and
I guess the security implications. That has evolved now into an actual
technical committee, am I correct about that, Steve?

DR. STEINWACHS: To a certain extent, yes. I think the technical committee

MS. GREENBERG: Hetty Kahn on my staff has been participating in that and
following that. So we have got the AHIC group, we have got the NCVHS group, we
have got the HITSP group. Was there a fourth one?

MR. HOUSTON: I think it’s ONC.

MS. GREENBERG: Well, ONC, they are also obviously playing in this area.
Karen Bell is going to be here from ONC tomorrow morning, so maybe we can
continue to pursue that with her.

DR. COHN: That is true, though it is not her area.

MS. GREENBERG: But she is like the deputy, isn’t she?

DR. STEINWACHS: Marjorie, I think we have already left off one other person
who is very involved in this. She is sitting right next to Simon, the Office
for Civil Rights.

MS. GREENBERG: That is true, it goes without saying. But they are not like
a committee. They are a real place. That is why I didn’t include departmental
organizations.

DR. COHN: Maybe these departmental updates, taking them off are not such a
good idea here.

MS. GREENBERG: I’m sorry that I was caught up in some kind of traffic
situation here on campus and I was a little late, but did we go over the
changes tomorrow morning?

DR. COHN: No, I figured I would do it at the end of the day today, based on
progress made by the committee on all the other issues.

MS. GREENBERG: As to exactly when we start tomorrow morning, it is a little
open. But I did think we should explain the change in agenda tomorrow,
particularly even people listening on the Internet and the audience or
whatever, so they know how we are going to schedule things tomorrow.

DR. COHN: Let’s finish off the previous conversation and then we can move
to that. I don’t think we are settled on the privacy issue, but I would think
this needs to be a discussion that we have in terms of — that may impact when
Privacy and Confidentiality has the next hearing. It is also an issue of, John
Houston brought up very appropriately that Standards and Security we know is
having a hearing later on this summer, and whether or not this all fits into
that as a panel or a conversation on the security issue.

I think we do once again observe that there are at times close
relationships between privacy and security, and sometime the boundaries are not
always clear. So we have chosen at this point to keep security and standards
and privacy and confidentiality on the other side. But it just speaks once
again of that issue of integration and interrelationship, which is what I
talked about earlier in the day.

So we will talk about that one without coming up with an answer.

MS. GREENBERG: Just one other thing. I know sometimes we do this. I am
wondering, if the Privacy and Confidentiality Subcommittee is planning to bring
forward a letter the end of September on this really critical issue of patient
control of their data, if it wouldn’t be a good idea to just send a paragraph
letter to the Secretary with a CC to ONC saying that. Some things are going to
be going on this summer that could elicit a variety of reactions: we are
already taking care of that, or could we meet or various things. But I just
wonder if there shouldn’t be some official alert that we are going to do that.

MR. HOUSTON:I think the letter was intended to be a summary letter in
September with the intent to follow up with more detail. I don’t mean to speak
for you, Mark, but isn’t the letter really intended to be the notification that
we believe there is an issue, and we intend to delve into it more fully?

MR. ROTHSTEIN: No, I think it is supposed to be where we set out our
framework. In subsequent hearings and letters, we are going to drill down in
some of the specifics.

This is an incredibly complicated area when you get into trying to design
rules. There are lots of important policy questions. But we felt that it is
important to get in front of the Secretary and all the interested groups the
framework in which we think this discussion should be taking place, and if
people agree with it, then we can march forward on all these specific areas.

DR. GREEN: I appreciate this conversation. I would like to ask that we not
leave it without a clear definition of our path forward. As I read the reports
since 2002 through 2003, four, five, six about this, and as I recall our
hearings yesterday, the real problem here is our stutter steps and inability to
forcefully move effectively into a high performance health care system enabled
by an information technology standard with the appropriate data and data
standards.

This conversation suggests a great deal of activity, but it is not clear to
me that we have got our act together about how we create forward motion amongst
all these groups. In a devil’s advocate sort of way, why doesn’t the NCVHS call
for a summit of these folks that are working on these different privacy issues?
I think we have agreed until the privacy thing is attended to, many other
things must wait. I don’t have any sense from our subcommittees or the
discussions I have heard here that this committee feels like things should not
be pushed forward as expeditiously as possible.

DR. COHN: Larry, thank you. I am reminded of our conversation and my
comments about committee members going into other areas.

Without trying to answer your question for the moment, I know Paul had his
hand up, then I’ll ask Mark to comment on what you were just saying.

DR. TANG: It may be a pickup of what Larry said, but it also goes back to
Mark’s request that there basically be an in-person kind of congregation so we
can sort these issues out. It would be nice if there was coordination in work,
explaining each other’s role ahead of time, so that the panel of folks
involved, HITSP confidentiality, our confidentiality and privacy, our standards
and security, AHIC’s CPS and ONC’s individual effort that is Kolodner is
leading. So it would be nice to have a panel of public disclosure and how we
are coordinated, but I think that will take some pre-work that helps figure out
how we are coordinated or how we can get coordinated.

DR. COHN: Mark, how would you like to proceed? I tend to call these things
less summits and more hearings, or they could be roundtables or whatever. But
what are your thoughts about how Privacy and Confidentiality should move
forward?

MR. ROTHSTEIN: The end result is as Larry described. That is what I would
like to see. How to make that happen, I’m not sure of the best course
politically.

I would like to get some other input into that, and maybe take that up
later in the day or tomorrow or something, because I don’t want to undermine
our efforts. The role of a federal advisory committee such as this which is
open and so on, is not exactly the same as a departmental role, which is not
subject to open process and the like, so I don’t know. I want the end result,
but I don’t want to be in the position of trying to corner the Department into
doing something they don’t want to do. It might be easier if we invited them to
do what we want them to do, unofficially. I don’t know.

DR. COHN: I have a comment, but I couldn’t tell whether Paul has his hand
up or not.

DR. TANG: Maybe I can offer an observation in terms of what I think is
going on with these various groups. AHIC’s activities are focused around their
breakthroughs and their use cases. Where issues come up, they try to find a way
to address those issues.

So for example, the consumer empowerment work group created a
recommendation that the AHIC adopted that says we should have floor privacy and
security policies imposed on operators of PHRs. So they charged the consumer
empowerment work group to work with the CPS group to come up with those things
that would then get passed on to HITSP.

MR. ROTHSTEIN: But one point of clarification. It is specific to PHRs,
though. That is a big clarification.

DR. TANG: That’s correct. That is what I am trying to point out, that it is
a focused activity. I think it produced a useful output that is going to go
forward once it gets to full work groups and then gets passed on to HITSP. That
seems like a very clear road map.

What NCVHS is focused on is the broader NHIN context in privacy and
security and the role that that plays in that broader context. HITSP also has a
group looking at the broader context. So it seems like NCVHS would come up with
the principles for the policies, and that HITSP is a receiver that would try to
implement the standards necessary to implement those policies.

So in my perhaps simplistic mind, there is a way to carve out a road map, a
path and a converging path on the appropriate policies and the appropriate
standards and procedures that need to be created, so the NHIN and PHRs can
operate in a safe way. It would be nice if that were actually true, and that
the folks involved, who probably haven’t talked as much to each other and
figured out that this was in fact everybody’s game plan and that we were really
truly working on something that was not conflicting and was converging on a
path.

MR. ROTHSTEIN: Paul, what you recommend is certainly reasonable and
logical, but it is not reality now. I’m not sure what reality is, that is the
problem.

I serve on yet another panel that hasn’t even been mentioned. AHIC has a
working group on personalized health care, which is in parens genetic
information. There is a sub work group of the work group on privacy and
confidentiality, which I am on. When we were considering certain issues
relative to this, I thought they had a somewhat narrow focus, and I wanted to
expand the kinds of global policies that we would need to have with genetic
information, and was told, no, somebody else is dealing with that. I don’t know
who somebody else is. I think that is the problem.

There may be other groups out there who have the same jurisdictional
assignment. What I would like to suggest is that we come back to this issue. I
want to have some private conversations with some folks during a break and come
up with a plan.

DR. COHN: Mark, I don’t think anybody is intending to put you on the spot
of what you absolutely need to do. I think we are having a conversation, and we
will finish it up here pretty rapidly, and then we will later on talk about
additional next steps. Harry, Leslie, and I think Mark had a comment, and then
we will wrap up this part of the conversation. This of course is exactly why we
want to get issues out early.

MR. REYNOLDS: I think Larry made a great point. We talked about some of it
yesterday as far as our path. One of my assignments out of the session
yesterday was to get with Jeff.

I thought I understood clearly that the RFP that just came out for the
health information exchanges in public health clearly stated that two of the
three main requirements were to follow what NHIN did on the functional
requirements, and NCVHS’s letter on privacy.

So I think we are in the midst of a glide path right now. If we stay
focused on NHIN and we stay focused on as Paul and Mark have said continuing to
stay a little bit ahead of the overall picture, chasing the use case is a hard
game for us with the way we are set up, but driving the real vision and the
real thinking and standards and privacy and other things that would really move
the NHIN forward, I think we have a glide path going on.

I think we felt the urgency yesterday in privacy to continue that, and to
come forward with — that is why the intensity and the speed of the letter and
the intensity of the discussion yesterday ratcheted up as far as what that next
level of structure would be.

So I think we are positioned well. That is why it is exciting to see it
actually starting to be used as a collateral for these RFIs, which are people
spending a lot of money. So I think if we continue to stay where we are and
continue to make sure we don’t lose sight of that glide path, I think we are
going to make a big difference.

DR. FRANCIS: My own way of viewing what we were doing yesterday was, we
were trying to get as clear as we possibly could on the goals of both good care
and privacy, and then how we would essentially try to put those together in
realizable recommendations. So I just think it is absolutely essential that the
discussions get interlinked, because I think we will be at a level that is not
implemental in certain respects unless they are linked, and they will be
headless, or goal-less, or something like that.

DR. OVERHAGE: Maybe Harry proposed the answer, but I think this is a
broader issue than just the privacy and security. I am very worried about the
cacophony of voices that the Secretary is hearing.

In our role as an advisory group and all of these others, it is not clear
to me where the synthesis happens. I certainly don’t have the time and energy
to really understand what each of the different groups is doing and where the
conflicts and issues arise.

So what is already happening is, we are seeing conflicting and incoherent
— not incoherent in terms of un-understandable, but incoherent in terms of not
nicely fit together. So for example, as HITSP is going down the road with
security standards, they are charged with finding some standard somewhere which
does something that needs to be done. So you end up with this mish-mash of
things that I don’t think necessarily is the best way for the country to move
forward.

If we can be far enough out front — but and I don’t know how we reflect
this, but what I worry about as a committee, our advice to the Secretary may
not be very effective, because these are tough complicated issues. Just to read
the material, synthesize it, and say here is what HITSP has got and here is
what our privacy letter says, and here is what is going on elsewhere and make
any sense out of it, is a month-long job. I don’t know who is doing that job. I
really think that we run a risk of ending up with a set of recommendations and
moving forward with some of these efforts and setting ourselves up for failure.

MR. HOUSTON:After hearing Harry and everybody else and remembering what
Marjorie said about trying to get some statement out there, maybe one of the
things we can of value is — and to Harry’s point about staying out in front of
this trajectory, but if we put out a statement of where we intend to go and a
schedule in which we try to accomplish that in, maybe that will be helpful to
allow other groups and the Secretary and Kolodner to understand exactly what we
are planning on doing with enough detail and concreteness that they either come
back and say, we need this sooner or yes, this makes sense, or maybe it causes
them to back off some of the plans that maybe they would otherwise have because
they know we are working on it.

Is that something we could reasonably do?

DR. COHN: I think we have heard a variety of comments. I want to thank you
for getting the conversation going. I thought this might be dull for awhile
there.

The committee performs a number of functions. It doesn’t do the same thing
for every topic area, and it doesn’t necessarily always do the same thing
consistently. But we are an advisory committee. One of the things that we do
very well is bring the many players to the table to talk about common names,
which of course for all of us is a healthy America, improved health care system
and all of that.

This is an area where you are talking about various aspects of privacy, but
I come away continuing to be convinced that Privacy and Confidentiality is
doing the right thing. We are taking a leadership role, looking at the forests
rather than the trees, looking out to the larger dimensions, looking at an
integrated health care system as opposed to specific use cases. I think we have
been doing a very good job on that.

Now, having said that, I do think it is very timely to ask key other
participants in this area to come for a roundtable, hearing, whatever you want
to call it, to sit down and find out what everybody is doing. The fact that
some of our conversation is, we don’t know what is happening with X, Y and Z, I
think it makes sense for everybody to be hearing everybody.

Traditionally, the good things about our hearings is that everybody else
gets to hear what everybody else is doing. That helps with alignment and
coordination. We can from that identify if there are issues, we can advise the
Secretary on that. That might be a very helpful piece in privacy and
confidentiality. I think what we are hearing is that it is the right time to
begin to put together a hearing on that.

Mark, I’m sure you probably don’t disagree with that as a reasonable piece.
That is not the same as trying to solve all the problems of the moment, and we
should talk about when there is a good time for that. Those are certainly
conversations we can have with the various players, including HITSP, ONC,
various others, knowing that around the table there is a fair amount of
representation in all of that.

But I think that is a reasonable next step, and then we can figure out
where we go from there. Does that make sense to everybody? And we always need
to remember that that is what we agreed to.

Now, Harry, we are unfortunately running a little late. What I am going to
suggest is, Marjorie had asked — and this is something I was holding off until
the end of the day to surprise everybody with how different tomorrow is really
going to look. But Marjorie I think is right that we need to at least run by a
little bit of what the agenda is going to be like tomorrow. I am going to
suggest we take a couple of minutes to do that. Knowing that we are running a
little late, why don’t we take a break then and then we can take up 5010 right
after the break.

MR. REYNOLDS: We will remember over the break what we were supposed to say.

DR. COHN: Okay. Let me try to explain to you how tomorrow is going to be
different than what you thought. One of the questions that we will not answer
until the end of the day is whether or not we are starting at 8:30 or not. The
difference has to do with exactly how many outstanding action items we have,
which is why I was not going to get into it quite at that point.

What we are going to do is, we are going to start out either at 8:30 or
9:00 with the action items that are unresolved from today. Some of the letters
we will probably need to come back, others we will look at, and they will be
good enough for us to pass either as is or with minor wordsmithing, or
referring to the executive committee for additional wordsmithing, as we choose.

Anyway, after that we will continue to have Jim Scanlon talking a little
bit about the Data Council and a little bit of Department update. We are having
Karen Bell coming from the Office of the National Coordinator to give us an
update. We probably should listen very carefully and ask her about what is
going on with privacy based ont this conversation.

From about 10:30 to 12:00, and this is what is different on this agenda, we
are going to be having a series of briefings. This will be led off by Fatima
Riaz and Kristin Martin Anderson. This is about secondary uses of data, and
briefing context setting, talking a little bit about the quality work group
from AHIC and their vision and work, then moving to the discussion led by John
Lunsk that has to do with the NHIN core services, and then finishing up the
conversation about the quality use case and how it applies in all of this
context around secondary uses, presentations, conversations as background and
context for all of these secondary uses work that we are going to be doing this
summer.

Probably around noon we will take lunch, once again different than on this
agenda. After lunch we are having Betsy Humphreys talking about the
international terminology standards development organization formation and
activities. I do need to disclose that I am a U.S. alternate on the governing
board. No pay, but I just wanted to disclose that I am part of this new
activity.

Then we will follow with Marjorie Greenberg and Steve Steindel following
the conversation that we started two meetings ago around international
activities around coding and classification and standards, their perspectives
and next steps.

At 2 o’clock we then connect with John White from AHRQ, who is going to be
talking a little bit about the data stewardship RFP that has been produced by
AHRQ. Once again, it is one of those issues that we will need to be talking
about as we talk about secondary uses.

With whatever time we have left at the end of that day, we will probably
talk a little bit more about secondary uses, finish up the agenda. Everyone
needs to remember, at 3:30 we convene the ad hoc work group which will continue
to the end of Thursday and then from 9:00 to 12:00 on Friday.

So we will be able to tell everyone a little better about when the meeting
starts, but these are the broad outlines of how tomorrow is going to look. So
look at the 21st, realize that it doesn’t look anything like you would have
expected it to be, but I think it should be a lot more interesting and a lot
more fun. So that is the good news. I am an emergency room doctor. I am used to
controlled chaos, I guess is the best way to describe this one.

With that, why don’t we give everybody about a 15-minute break. Then we
will come back for 5010. Think about whether you want to join us for dinner,
and maybe we will take a hand count right after you come back from the break.

(Brief recess.)

DR. COHN: Like I said, we are running a little bit late, but not terribly
so. Our next item is Harry Reynolds and Karen Trudel talking about 5010.

Agenda Item: 5010 Overview

MR. REYNOLDS: Karen is going to kick it off.

MS. TRUDEL: I am going to start by providing just a little bit of
background. We will start with, what is 5010.

5010 is a new version of the suite of administrative transactions that
affect the non-retail pharmacy sector. So we are talking about transactions
that affect physicians, hospitals and other institutions and health plans that
they communicate with, as well as the vendors and clearinghouses that serve
that sector of the NHIN.

The 5010 transactions, which is the way of naming a version, were developed
by the standards developing organization X12N. This is the first time that
these transactions have been updated for HIPAA purposes at least, or that we
have even anticipated updating them. So the version in play right now is the
original set of transactions that were adopted by HIPAA 4010 and the 4010-A
modification to them. These have been in place since about May of 2000, so you
can see it is about time for an update. There are a lot of new business
functions in these transactions.

What we will be doing, the end result of this process, is a modification to
the HIPAA standards. This would be done by notice and comment rulemaking. Then
these standards would replace the 4010 standards and all HIPAA covered entities
would be required to adopt them.

The reason that this process is in place for NCVHS to review these
potential standards is that while the standards developing organization
meetings are open to the public, there is concern that participation generally
consists of a limited group of very technically savvy industry representatives.
So the point to this process is to broaden the potential for input to get a
sense of what the impact, any concerns that the general public have about these
transactions, are these good to go, are they not, and NCVHS is the venue for
receiving and distilling that input, with the final result being
recommendations to the Secretary.

MR. REYNOLDS: We just put together a few slides. This is the first of the
committee efforts that you will all be going through as different committees,
trying to get the full committee to at least understand the subject before we
come roaring in with a letter and say, read sentence three and you get it. So
this is written at that level. We want to make it perfectly clear this is a
primer. We are going to have industry experts come in and talk to us and tell
us the impacts and so on. So we are not here testifying what 5010 is going to
do to the world. However, on the other hand we do want to give you a general
picture of the overall impact that it is going to be.

As you have heard us talk a number of times, it is a prerequisite for
ICD-10. The current versions of the transactions will not in fact handle
ICD-10.

These are the nine transactions. We won’t go through the buzz words, but
basically what we are saying to you is that it affects enrollments in health
plans, premium payments, eligibility and inquiry responses, authorizations, the
actual claim itself, claim inquiry and the payment remittance. So all the
transactions listed here. We won’t geek you with the numbers, but it pretty
much affects everything we did in HIPAA, and is pretty much end to end on the
information that flows back and forth between the entities related to HIPAA.

You have heard a number of times in here, we have implementation guides.
There are industry implementation guides that explain the regulations and the
transactions and what do the fields mean and so on. Each one ranges between two
and 600 pages. Most pages contain changes of 5010, so let’s do a little quick
math.

Every entity has to look at between 1800 and 5400 pages that may have a
change on it, and then decide what it actually means to them as an entity. We
will talk a little bit about that. You see the changes; some of them are logic,
some are just wording, so you are not saying the world is changing dramatically
on every page, and you are not saying that the world isn’t changing
dramatically on every page, or you are changing what you are doing as a
business or anything else. You are just making it clear that there are changes
in pretty much every page of these things, in one way or the other, so the
industry has got to go take a look and make sure that it sees what is going on.

The other thing is, what we will hear in our hearings, and we had tried to
get that earlier, but we are not going to be able to get it to our hearings, is
what is the real business impact to this. I think what has gone on in the
standards organizations right now is, these are the changes to the data, to the
formats, to the other things, but we need to hear, and it is part of our
responsibility to hear what it does to the overall industry and what those
impacts might be, and that may or may not affect what recommendations we would
or wouldn’t have to the Secretary as we go forward.

Each entity in the health care industry, whether it be a clearinghouse or a
payor or a provider or anybody else that is involved, CMS, the Medicaids and so
on, after they review the implementation guides and decide their impact, change
their systems and processes again, and then test those systems and processes
internally, and then do it with all the trading partners that they are involved
with. So if a clearinghouse is doing it for a lot of providers, once they get
ready, they would work with the payors that would receive that. It is the same
kind of testing that originally went on, not nearly to that extent because you
are changing, not building. So everybody has built their testing in thinking
about HIPAA, so now you are just changing all that, you are not rebuilding it.
So as some people said, it is not HIPAA 2. It might be HIPAA on steroids, but
it is not HIPAA 2, it is not a re-do of HIPAA.

Then you have got to work with your business partners to implement, then
you are going to have the same kind of thing, when is it effective and how do
we track it as to how it is being affected. You heard us all talk from
Standards and Security on NPI, what is the due date, how is everybody doing, is
everybody coming together at the right point, and are we going to make it, and
what kind of contingency plans are in place and what kind of dual processing,
and all the other things that normally go on.

So we are going to begin hearings on the 5010. Our first one is July 30 and
31, where we are going to have the industry come in. WITI will also be coming
in, and hopefully giving us a survey that they have done of the industry on
what some of the impacts would be to the business. We will be hearing from all
the same constituents that we pretty much heard from, or a good many of those
that related to HIPAA initially. We have got to hear from everybody as to what
they think and see.

We are looking, since it is a prerequisite to ICD-10, since there is a flow
that is going to be coming along, trying to put together something for the full
committee in the September time frame, stating what it looks like and mean, so
that can be input to the Secretary and CMS and others as they look at putting
out a proposed rule and other things accordingly.

Yes, Justine.

DR. CARR: Will this work with ICD-11 also?

MR. REYNOLDS: I’m not good enough at 10 to go one past there. Marjorie has
got her hand in, so we will let Marjorie jump in. Remember, this is a primer.
You are getting serious on us here.

MS. GREENBERG: We can talk about this a little bit more tomorrow, but the
idea is that ICD-11 would be the same alphanumeric structure as ICD-10. So as I
have said many times, ICD-10 is a pathway to ICD-11, but ICD-9 is not.

DR. COHN: Harry, I guess this is an industry question, and perhaps you have
a better sense. Do you anticipate that this summer people will understand the
impacts of 5010, in terms of the business aspects? How do you anticipate
eliciting that sort of thoughtful input?

MR. REYNOLDS: I’ll speak as a member of the industry for a moment.
Everybody knows it is coming. People have begun working on it. The quality of
the testimony will tell us where it is. But I think the key point is, the thing
that we would want to recommend to the Secretary as this committee is, get into
some idea of sizing it, get into the idea of — what we have asked WITI to do
is take what are the cosmetic changes, what are the changes that actually
correct the things that were not where they should have been on 4010, and then
what are the real business changes.

You are going to have those three categories, so when we get to the third
category, I think that is where it is going to be, does the 5010 really change
the business processes amongst players. It may change somebody internally, but
does it also change what is going on amongst players, which will be where — if
I would say that it would be a lesser quality of input, it might be at that
level, because people have looked at it themselves in a lot of cases, but I’m
not sure a lot of businesses have looked at it amongst themselves, who they do
business with.

Again, this is a primer. We are going to have the right people come and
talk. WITI has agreed to take that responsibility and is working on breaking
that down that way with their industry input. But we wanted to make sure the
committee at least understood the premise of what was going on. We are going to
have the right people at the table now. We will find out then, and that will
help everybody that is looking at putting the NPRM out. That will help us to
decide whether or not, if we have something for September, we may need to have
something else for the full committee for the next meeting after that to add
further, based on the fact that the industry all of a sudden realizes that
there are other changes or implications in whether or not we want to have
those.

If we really hit a train wreck on what we hear, then maybe we don’t have
something for September. We are trying to set a path, not necessarily a mandate
that we have to do it. So unless we get a major surprise, I think we could have
something for September, but the testimony will tell us a whole lot as to how
we position what we say or don’t say.

Are there any other questions from the committee? The other thing that I
think would be good is, since we are the first, any input to Simon or anybody
else as to whether this is the level that you are looking for in these primers,
because we are the first one out of the chute. You are going to hear it on a
number of other things. We are going to be doing some similar things on the
secondary uses possibly and some other things, you are going to hear a lot more
tomorrow from other people on that, but trying to put this together and figure
out how to say it is the question.

DR. GREEN: I think someone who can put into three PowerPoint slides with
that size font something that is subject to 5400 pages should be commended.

MR. REYNOLDS: Thanks goes to Karen also.

MS. GREENBERG: I might mention, one of the things in addition to ICD-10
that is accommodated by the 5010 was prominently mentioned by every speaker
yesterday, and that is the present on admission qualifier. That just came out
in every presentation as being very critical.

DR. TANG: Just a minor comment. To answer your question, I think the primer
is very, very helpful. I think that is a good way for us to continue to keep
the committee informed and elevate the level of understanding as we go along.

The other thing is, I don’t see how anybody can take summer vacation or how
we can accomplish all we have scheduled for September based on what I have
heard this morning.

MS. GREENBERG: I heard on the ride here that nobody is taking a summer
vacation. So we are in good company.

MR. REYNOLDS: Simon, that completes our presentation.

DR. COHN: Thank you very much. Our next set of actions, Mark, have to do
with letters coming forward from Privacy and Confidentiality.

Agenda Item: Subcommittee on Privacy and
Confidentiality Action – Action June 21

MR. ROTHSTEIN: Thank you. Each of you should have at your place a copy of
the revised letters that Maya circulated this morning during the break. They
are slightly updated versions of what appears in Tab 3 and Tab 4, so you can
follow along.

The first letter I want to take up is the FERPA letter. Of the two letters,
you can identify it by the fact that there is no big block quote on the first
paragraph, that says R-12. Same date and same introduction. There is a block
quote with the R-12 recommendation, but that is the second letter.

I assume, Simon, that we want to go paragraph by paragraph, so let me go
over the first two paragraphs for the benefit of those on the Internet.

Dear Secretary Leavitt. On June 17, 2004 the National Committee on Vital
and Health Statistics, NCVHS, sent a letter to your predecessor, Secretary
Tommy G. Thompson, making recommendations on the disclosure of health records
by health care providers to schools for both treatment and public health
purposes.

The NCVHS revisited the issue of sharing health information with schools,
and also heard testimony on the disclosure of health care information by
schools during a series of hearings in September 2006 and January 2007, as part
of our effort to monitor health privacy protections by entities currently not
covered by the Health Insurance Portability and Accountability Act of 1996,
HIPAA.

Most schools fall into this category, because the education records of
schools that receive funds from the U.S. Department of Education are subject to
the Family Educational Rights in Privacy Act, FERPA, and are specifically
excluded from coverage under the HIPAA privacy rule. Even the medical records
that schools create, for example, through the school nurse or athletic
programs, are considered education records subject to FERPA, and explicitly
excluded. This letter is intended to bring to your attention a broader set of
concerns about the protection of health information in the school setting.

Any comments or suggestions on those two paragraphs? Hearing none,
paragraph three.

At the time of the 2004 hearings, we were concerned with the ability of
schools to obtain information about students’ prior immunizations, both to
facilitate registration for school and to avoid duplicate immunizations.
Providers may not disclose immunization information to schools for a purpose
other than treatment without a HIPAA compliant authorization, because schools
are generally not considered public health authorities and therefore do not
fall into the HIPAA exception for public health disclosures.

We recommended that HHS deem such disclosures to be public health
disclosures under HIPAA. We also reported that there was confusion about the
need for authorizations for the purpose of treatment, because HIPAA does not
require authorization to share records for the purpose of treatment, but FERPA
does. HIPAA compliant authorizations, which are required to share records other
than for treatment, were difficult to obtain to confirm that a student had
already been immunized. Even where there were HIPAA compliant authorizations,
some health care providers refused to disclose records to schools in response
to valid authorizations, delaying registration in school or causing students to
undergo duplicate immunizations.

That is a long sentence. Any concerns, comments? I’ll let you ponder that
for a second.

DR. COHN: I would suggest we just note wordsmithing issues as opposed to
fixing them on the fly.

MR. ROTHSTEIN: So noted. The comment was that we need to break up that long
sentence to one with semicolons. It probably would be easy to just chop it into
three sentences. But we don’t need to do that now. Any other comments? Next
paragraph.

The interaction of HIPAA and FERPA has consequences in three areas. One,
release of health information from educational institutions, two, privacy and
security of health information held by educational institutions and three,
differentiating health information of students covered by FERPA and health
information of employees of an educational institution covered by HIPAA.

MS. GREENBERG: What about release of health information to educational
institutions? Is it only from?

DR. FRANCIS: That was the subject of the previous letter.

MR. ROTHSTEIN: This is the new information. The first letter, we were
concerned about stuff getting to schools. In this we are concerned about
information getting out of schools to for example public health authorities.

MS. GREENBERG: But if you say the interaction of HIPAA and FERPA have
consequences in three areas, that is clearly one of the areas.

MR. ROTHSTEIN: Maybe we should qualify that. The interaction of HIPAA and
FERPA in the following three areas need to be —

(Simultaneous discussion.)

MR. ROTHSTEIN: So this letter addresses the interaction of HIPAA and FERPA
in the following three areas? Okay, thank you. Other comments?

Release of information. In our more recent hearings on the subject, we
heard from the American School Health Association, the American College Health
Association and the National Athletic Trainers Association about a problem
related to release of information. These witnesses told us that absent an
emergency, FERPA requires parental authorization prior to disclosing a
student’s medical information to public health officials or even to a student’s
personal physician. Parental authorization is not required for a health care
provider to share records for the purpose of treatment under the HIPAA privacy
rule.

The requirement for parental authorization under FERPA limits immunization
reporting, mandatory communicable disease reporting and surveillance, hearing
testing, autism screening and other health information collected in school
settings that might be disclosed to public health officials or health care
providers for surveillance and followup treatment.

Comments?

Privacy and security. Sorry.

DR. GREEN: On the limits hearing testing, I think the issue is more of a
coordination of hearing testing. What is going on is, these intervention
programs that the schools are running, the public health departments have the
hearing programs, so they are not able to get the information back from the
schools to know if a child needs to be tested or not. So I’m not sure if it is
listing hearing testing as more of a matter of determining if there is a need
for hearing testing.

DR. FRANCIS: Is it reporting of the test results?

DR. GREEN: That is what their health departments are wanting, is the
reporting of tests and results, yes.

MR. ROTHSTEIN: How about this suggestion? In the sentence that begins, the
requirement, really what we are saying is the requirement for parental
authorization under FERPA limits the effectiveness of immunization reporting,
mandatory communicable diseases, et cetera. Is that the point that you want to
make?

DR. BERNSTEIN: It can’t move out of the school system to the public health
authority because FERPA did not contemplate public health disclosures.

MR. ROTHSTEIN: No, I understand that, but what I am trying to get, which I
think was Garland’s point, is that the problem is that these programs are not
as effective as they could be because of this limitation. That is how I am
trying to fix that.

MR. SCANLON: Since the subject is parental authorization, maybe that
parental authorization is an obstacle to reporting.

DR. BERNSTEIN: Well, we specifically do not want to say that, if I can
characterize the committee’s discussion, because it characterizes a privacy law
as an obstacle rather than something that promotes privacy. The point is, the
effect of it is to reduce as Mark was saying the effectiveness of the public
health issue, rather than to call it an obstacle.

DR. FRANCIS: The awkwardness of the sentence was that what it is supposed
to say is that it limits reporting in all of those cases. So maybe it just
might say, the requirement for parental authorization under FERPA limits
reporting of, and then put a colon. That way it doesn’t look like reporting is
linked just to immunization.

DR. BERNSTEIN: Say that again?

DR. FRANCIS: You put a colon after reporting of, and then you just say
immunization, mandatory communicable disease surveillance, hearing test
results, autism screening and other health information. That way it is clear
that the reporting is about all of those results, and that is what it is meant
to say.

MS. GREENBERG: So the mandatory communicable disease and surveillance
doesn’t exactly go well.

MR. SCANLON: Reporting of communicable diseases.

MS. GREENBERG: You would have to take out communicable diseases. I think
you would have to take out surveillance, too.

MR. ROTHSTEIN: Is everybody comfortable with that fix?

DR. WARREN: I don’t know how much grammar you want, but I have a knee jerk
putting a colon after the word of. It should be of the following, and then the
colon.

MR. ROTHSTEIN: Thank you, Miss Warren.

DR. BERNSTEIN: I’m happy to take her edits.

MR. HOUSTON: I think if you want to stick with the word limits, I think
maybe it should be has limited. It doesn’t necessarily — the requirement for
parental authorization doesn’t necessarily limit reporting. What it says is, if
you get the authorization you can then report. The problem that you have
encountered is that you don’t always get the authorization. So it is
experience. Probably what you heard is that it has resulted in people not
getting the authorization, and therefore we have not had all the reporting we
would like.

MR. ROTHSTEIN: Yes, because it doesn’t technically limit. It has had the
effect of limiting. Thank you.

Privacy and security. Representatives of two school health associations
testified that they and other school organizations would generally prefer that
health information be protected in schools the way it is in health settings.
Furthermore, both acknowledged that having more robust guidance on security
would be helpful, since school environments generally lack the security
protection required by HIPAA. Nevertheless, there may be other individuals or
groups that would prefer to continue to have school health records only covered
by FERPA, which has fewer disclosure exceptions than HIPAA, and we do not hear
from them.

Consequently, although we do not have a specific recommendation now, we
want to alert you to the problems in this area and advise you that the issue
warrants further action.

Before we get to the question of the wording, let me explain what we are
trying to say here, maybe not as artfully as we could.

It is kind of outside of our purview to say that Congress — we tried to
skate around the issue of whether Congress should take jurisdiction away from
the Department of Education that is has under FERPA and stick it under the
department, under HIPAA or anything else. So that is the explanation for why we
said what we did.

MR. LAND: I guess I am not sure what we are really recommending then. If
the Department can’t do anything about FERPA, if there has to be a change in
the law to activate some of these issues and results of these issues, then what
are we asking the Department to do?

MR. ROTHSTEIN: We are asking at the end, the recommendation that is on page
three in the first full paragraph, therefore NCVHS reiterates our
recommendation that HHS work with the Department of Education to improve the
interaction of FERPA and the privacy rule with respect to health records in
school settings, and to resolve the issues noted above. The effort should
clarify the circumstances under which each law applies, et cetera.

So that is the recommendation. The two Secretaries could get together and
decide that it is not really solvable and they want to go to Congress and do
something.

MR. LAND: This implies that it is just a matter of interpretation of the
law and different rules could be promulgated to resolve it. It is my
understanding that Department of Education and the schools are saying that is
the way the law is, and we can’t do anything about it. So having the two
Secretaries get together isn’t going to help.

DR. BERNSTEIN: Sure, the Secretaries could get together and recommend
legislation jointly. They could propose a legislative change. Of course, it
would have to be cleared in the normal way, but the Administration does that
all the time. They make legislative proposals where they see fit.

MR. LAND: I guess I would like to see something like that in the letter,
that if in their consultations they feel the legislation needed to be changed,
that they make those recommendations to Congress.

MR. SCANLON: There seems to be a leap here in this paragraph. The paragraph
is, we got some information, we didn’t get information from others. It seems
like the next step would be, maybe we should get information from the others.
So the action that is implied in my mind is the idea that this issue needs to
be investigated further before anybody does anything as concrete as proposing
legislation.

So the question would be whether further action should be modified to say,
warrants further exploration, so that people can understand that you think
there is another viewpoint out there. The paragraph also in some respects
implies that; you didn’t hear it, but you think it may be out there.

MR. ROTHSTEIN: Right. If we were to pursue it, theoretically what we would
have had to do is have another hearing and invite for example the parental
rights people or the pro-FERPA people, whoever they might be, to come in and
make their case why they think that FERPA should continue as it is. That seemed
to be a little bit out there in terms of our charge, investigating the
jurisdiction of FERPA. So that is why we just wanted to leave it like this.

Would it satisfy your concerns, Bill, if we just changed the word action to
explored? So the very last word, warrants further exploration?

MR. SCANLON: Yes.

MR. ROTHSTEIN: Garland, tell me where you are.

MR. LAND: I just know that this is a major issue for public health. It
seems like we need to be giving some real impetus to — I don’t know for sure,
but I presume that this is going to require the law to be changed, is that
correct?

DR. BERNSTEIN: I haven’t explored enough to know, but it is my sense that
that is probably right. FERPA is pretty specific.

MR. LAND: But we don’t mention anything in here that that is our
understanding, that it is going to require a lot of change. We are kind of
leaving the implication that two good people can get together and resolve this,
and I’m not sure that that is really —

MR. ROTHSTEIN: Perhaps this is not the place to — if I can ask you to hold
on to that thought, when we get to the recommendation paragraph on page three,
maybe we can add that on there. Other comments on the privacy and security
paragraph?

Student employees of educational institutions. Another problem identified
by the American College Health Association at our 2006 hearing was the
overlapping coverage of HIPAA and FERPA in the very common instance where an
individual is both a student and an employee of a college or university.

As a student, all of the individual’s education records including health
records, are covered by FERPA. As an employee, an individual may be enrolled in
a group health plan where the individual’s health records are subject to HIPAA.
In either role, the individual may become a patient of the associated
university health center or hospital where both FERPA and HIPAA records are
under the roof in the same institution. Consequently, ambiguity and confusion
arise as to whether the individual’s medical records are covered by FERPA and
thereby excluded from coverage under HIPAA.

Another example is the case of the athletic trainer who treats a student
covered by the university’s health insurance plan so that it is not clear
whether the trainer is creating records covered by FERPA or HIPAA.

I’ll let you think about that for a minute. We have conveyed the degree of
confusion. Here is the paragraph that we may need to touch up a little bit in
terms of recommendations.

As we highlighted in 2004, FERPA was enacted at a time before students with
significant physical, developmental, behavioral and mental health conditions
regularly attended school, and before schools became providers of a wide
variety of physical and mental health services. NCVHS recognizes that over 30
years ago, at the time of the passage of FERPA, the role of schools as health
care providers and as partners with public health officials was not as
prominent as it is today.

Therefore, NCVHS reiterates our recommendation that HHS work with the U.S.
Department of Education to improve the interaction of FERPA and the privacy
rule with respect to health records in school settings and to resolve the
issues noted above. The effort should clarify the circumstances under which
each law applies to insure that disclosures to and from schools for public
health purposes work smoothly in appropriate circumstances.

Garland, if we want to add that, I think this would be the appropriate
place. Can you suggest some language that you would like to —

DR. BERNSTEIN: If I could just point out, I think the reason that this
sentence, therefore NCVHS reiterates, that is language that comes from our
previous letter, so we knew that it had already been blessed by the committee.
Nevertheless, the committee is free to change its wording now.

MR. ROTHSTEIN: And we can supplement it, too. We can take that sentence and
add something after the word above.

MS. GREENBERG: At the end of the paragraph you could say something about,
further the need for any changes in current legislation or regulations should
be explored, or something like that.

DR. GREEN: What would you think about, instead of restricting it for public
health purposes, inserting the phrase for public health or personal health
care? It is a bidirectional issue. These kids, these trainers, these athletes’
personal health care depends upon changing this information in the other
direction just as much.

MR. ROTHSTEIN: We have got that up there now. Would that do it for you, and
insure that disclosure to and from schools for public health for personal
health care purposes?

MS. GREENBERG: I don’t know if you need the word personal. You need just
public health or health care purposes.

MR. ROTHSTEIN: Okay. What about the last sentence that was added in that
paragraph, further the need for any changes in legislation should be explored.

DR. BERNSTEIN: Other than the passive voice.

MR. ROTHSTEIN: So the next revision of that final sentence is, further, the
Department should explore the need for any changes in legislation or
regulation. Is that okay? Okay, good, we have got a sale.

DR. COHN: We seem to be having problems here. I know how hard it is, this
is a new system, but we will keep reminding, because people on the Internet are
having a little trouble. I don’t think we are able to record it if it is not
lit. Garland, it is not you. We are all having trouble with this.

MR. ROTHSTEIN: So could you restate that question?

MR. LAND: Do we know what happened to your first letter, in terms of what
action the Department took?

MR. ROTHSTEIN: I would ask Sue McAndrew to comment on that.

MS. MC ANDREW: The first set of recommendations are under consideration in
the Secretary’s office. Particularly the recommendation about student
immunization and its treatment and public health has been the subject of
discussion about whether or not a regulatory change to the HIPAA privacy rule
should be done to accommodate that route.

I would also add just for the committee’s information that I believe it was
last week, the Secretary together with the Secretary of Education and the
Attorney General released a report to the White House which contained a number
of recommendations that would be encouraging information sharing from
educational systems. This was largely in reaction to the Virginia Tech
incident.

So there is going to be ongoing cooperation between the two Departments to
ascertain how FERPA and HIPAA can be — what guidance is necessary, and
potentially further actions may be necessary in order to insure that
appropriate information sharing is done, and that those privacy rules do
accommodate important sharing activities.

DR. BERNSTEIN: If I am not mistaken, that report is available on the
website. Also, on the White House website, it is the report that the Attorney
General and the two Secretaries did in response to the Virginia Tech tragedy. I
can’t remember the exact title, but that is the nature of it. If anyone wants
it, we will be glad to provide you a link.

MR. HOUSTON:You said the NCVHS’ website?

DR. BERNSTEIN: No, the HHS website, our Department’s website.

MS. MC ANDREW: The Department website. This is a copy of it.

DR. BERNSTEIN: What is it called, Sue?

MS. MC ANDREW: The Report to the President on Issues Raised by the Virginia
Tech Tragedy. It is dated June 13.

DR. BERNSTEIN: So if anyone wants to see that, we can send you the link.

MR. LAND: The way we have it now, the last sentence for me about looking
into changes in legislation and regulation just hangs there. We have embedded
in the sentence before that a broader purpose than looking into the issues
noted above, assuring that disclosures to and from schools for public health,
et cetera, that that is the ultimate thing we want. We want the issues we have
noted above dealt with, but we really want — if there are other questions that
are interfering with these transmissions, we want those addressed as well.

I would move that purpose into the prior — instead of ending, the issues
noted above, say, to resolve the issues noted above and to insure that
disclosures to and from schools for public health, et cetera. So we have set
that up and we have two specific tasks for them to do in this effort. One is to
clarify the circumstances under which each law applies, and then secondly to
explore the legislation and regulatory changes.

DR. BERNSTEIN: That is going to make this sentence really long, but —

MR. ROTHSTEIN: John, do you want to comment?

MR. HOUSTON:I just was looking up what Sue had just indicated;
www.hhs.gov/secretary/violence.html.

MR. ROTHSTEIN: Let me for the benefit of those on the Internet read what I
think it says. Therefore, NCVHS reiterates our recommendation that HHS work
with the U.S. Department of Education to improve the interaction of FERPA and
the privacy rule with respect to health care records in school settings and to
resolve the issues noted above.

MS. GREENBERG: I think you can just skip that now, to resolve the issues
noted above, because the main thing will be to assure.

MR. ROTHSTEIN: Correct, so let’s try that again. With the U.S. Department
of Education to improve the interaction of FERPA and the privacy rule with
respect to health records in school settings, to assure that disclosures to and
from schools for public health or health care purposes work smoothly in
appropriate circumstances. The effort should clarify the circumstances under
which each law applies and explore the need for any changes in legislation or
regulation to accomplish these goals.

Bill, Garland, are you okay with that? Anyone else?

DR. TANG: I just think the word is insure rather than assure.

MR. ROTHSTEIN: I agree, I think it should be insure. The last paragraph.

We also recommend the Department strengthen its outreach in education
program to eliminate the unintended confusion that has arisen in recent years
with respect to the protection of health records in schools. We appreciate the
opportunity to share with you our additional thoughts and recommendations on
the issue of school health records.

Any comments on those paragraphs? Any overall comments about the letter?
Simon, do you think it is appropriate to vote now, or do you want to vote
tomorrow?

DR. COHN: I would ask the view of the committee. I think it is an excellent
letter, which was even further improved by the work we just did. Does anyone
feel that we need to think about it over the evening, or would you rather just
move forward as an action?

DR. WARREN: I just had one question. One of the things that I was looking
at as I was reading through this is some of the questions we have had in
Standards and Security. If I am an executive reading through this letter, I
have to really dig to find the recommendations. I am wondering if we should
enumerate those at the end of the letter so that they can easily be found.

DR. COHN: As in bolding them?

MR. ROTHSTEIN: Can we pull them out and bullet them or bold them or number
them?

DR. WARREN: Yes, a bullet I think would be better, because then you could
skim the letter.

DR. COHN: I would take that along the lines of wordsmithing. You’re right,
these are hidden in the body of the text.

DR. BERNSTEIN: I still need to break up this previous one we were going to
break up into two sentences.

DR. COHN: I think that is formatting and bolding.

DR. CARR: I would concur. The more we can have the format of our letters
look the same and the recommendations easy t find. I would also encourage that
we might have a headline of what the letters are about, because as evidenced by
today, it is very hard to figure out which letter we are on, other than the
visual appearance.

MR. ROTHSTEIN: I think that is a very good suggestion as well.

MS. GREENBERG: Yes. In fact, I wouldn’t necessarily want to make this the
guinea pig, but I think the headline like we sometimes do on an agenda is very
good. This is what we are about here.

But also, it is this idea of starting with the end in mind. Even maybe
something right in the beginning of the letter that says that, sending the
recommendations to you in this letter follows up on that or something, and
specifically recommends further efforts by the Department and the Department of
Education to bring clarity to these problems.

That is really what these recommendations are about. Then you can go
through the whole — build the case and the specific recommendations. We did
this with the latter last time, just bring the essence of the recommendations
up to the first paragraph.

MR. ROTHSTEIN: So you are suggesting adding a last sentence onto the first
paragraph.

MS. GREENBERG: Yes.

MR. ROTHSTEIN: Which basically summarizes what we are trying to do here?

MS. GREENBERG: Yes.

DR. TANG: Or summarizes the issue. If you just say this letter addresses
the confusion that has arisen between FERPA’s interaction with HIPAA, that sets
the context and describes the problem.

MS. GREENBERG: And recommends approaches to address it, or something like
that. But it is wordsmithing, what are we about here. You have certainly made
the case well that this is very confusing, but we could lose the reader before
it ever got to our recommendations if we haven’t told them right up front.

We will work on that. I think we agreed to work on it with Susan Kanaan, on
trying to get a more standard set of template or guidelines for all these
letters.

DR. FRANCIS: What you have there is just another paragraph, though. So what
you really should do is, before it is Dear Secretary Leavitt, it should be
almost like the way you would have in a memo, re.

MS. GREENBERG: We will do that too.

DR. FRANCIS: But I think the recommendations should be up there, too. It
should be interaction of FERPA and HIPAA, recommendations one, two, three, and
then have the letter.

MS. GREENBERG: That would be more radical, but we will take that under —

DR. FRANCIS: You can really see it then.

MS. GREENBERG: I don’t think we should do that with this letter, but that
will be under advisement as we consider a template.

MR. HOUSTON: It is not that long of a letter, either. I could see if we had
long letters and we decided to make recommendations in order to clarify, but
this is two pages.

DR. COHN: I guess we will move into this, but I do think bolding RE’s are
very useful. I think what you are describing is an executive summary. I don’t
think a letter this long needs that. But you’re right, it does need clearly an
RE, which we will talk about.

Now, with all of that, how are we with the letter? Are we talking about
formatting, bolding? Are we okay? I am seeing people feeling that we can move
forward with a vote on this. No?

DR. BERNSTEIN: I just want to make sure that I understand what it is that
we are clearing. I need to have a subject. It would be good if the letter were,
with the exception of minor editorial fixes, exactly what you want to say.

MR. ROTHSTEIN: I think we’re fine. We have to split that one sentence into
three sentences, and I think that is about it.

DR. BERNSTEIN: So you people are happy with the sentence I just wrote on
the fly? The reason I didn’t put FERPA and HIPAA in there is because I would
have to explain what both of those laws are before saying that, and it would be
hard to do. It took us a whole paragraph to figure out how HIPAA worked.

MS. GREENBERG: That’s okay.

MR. HOUSTON: Even though I am a member of the subcommittee, can I make a
proposal that we approve the letter, subject to any wordsmithing that Mark
would need to do just to clarify these last two points?

DR. COHN: Sure.

MR. LAND: Second.

DR. COHN: Any discussion? Without discussion, all in favor?

(Chorus of Ayes.)

DR. COHN: Opposed? Abstentions? The letter passes. Mark, on to your second
letter.

MR. ROTHSTEIN: Thank you. The second letter was originally in Tab 4. It is
the one that deals with non-covered entities. I’ll give you a second to pull
out the revised draft that Maya distributed. There weren’t that many changes,
and they appear primarily on page two. So let me begin by reading the first two
paragraphs, because the first paragraph is not controversial.

Dear Secretary Leavitt. On June 22, 2006, the National Committee on Vital
and Health Statistics, NCVHS, sent you a letter report, Privacy and
Confidentiality in the Nationwide Health Information Network. Among the 26
recommendations was the following. R-12, HHS should work with other federal
agencies and Congress to insure that privacy and confidentiality rules apply to
all individuals and entities that create, compile, store, transmit or use
personal health information in any form and in any setting, including
employers, insurers, financial institutions, commercial data providers,
application service providers and schools.

The NCVHS held a series of three hearings in 2006-2007 to learn more about
the health privacy practices of entities that make significant use of health
information in their day to day operations, but are not covered by the Health
Insurance Portability and Accountability Act, HIPAA.

At the first two hearings we heard from representatives of life insurers,
insurance regulators, human resource professionals, occupational health
physicians, financial institutions, primary and secondary schools and colleges.
The third hearing focused on health care providers and other entities in the
health industry that are not covered by the HIPAA privacy rule.

We inquired about the degree to which they are regulated by other federal
or state laws, and the possible effects that federal health privacy coverage
would have on their operations. What we learned from the testimony strongly
reinforces our conviction that all entities that deal with personally
identifiable health information should be covered by some federal privacy law.

The NCVHS would like to share with you some additional observations in
support of our earlier recommendation with respect to this last group of
non-covered entities, those operating in the health care arena.

Okay? Next paragraph.

A significant concern is that many of the new entities essential to the
operation of the Nationwide Health Information Network fall outside HIPAA’s
statutory definition of covered entity. Health information exchanges, medical
record banks, regional health information organizations and other new entities
established to manage health records have proliferated in recent years.

While some of these entities may be business associates under the privacy
rule and thus obligated by contractual agreements with covered entities to
maintain similar standards, it is the view of the NCVHS that business associate
arrangements are not sufficiently robust to protect the privacy and security of
all individually identifiable health records. Business associates are subject
only to contract claims brought by the covered entity, and not through
enforcement actions by HHS or the Department of Justice.

Furthermore, the majority of participants proposed as service providers of
the NHIN, e.g., health information exchanges, regional health information
organizations, record locator services, community access services, system
integrator, medical record banks, are not covered entities or business
associates.

The health information technology community is moving quickly in response
to the Department’s efforts on NHIN, but our hearings have revealed that even
today, numerous individually identifiable health records are not subject to
federal privacy and security protections. This remarkable fact underscores our
view that all individually identifiable health information created, collected,
stored or transmitted should enjoy the protection of a federal privacy
standard.

DR. OVERHAGE: My ignorance here. So does this imply for example state and
local public health departments should be covered by a federal privacy
standard?

MR. ROTHSTEIN: Well, at some point they are. If they are covered entities
under HIPAA they might be.

DR. OVERHAGE: No, they are not, I believe. I could be wrong, but I think
they are carved out. They are not covered entities. We have gone around and
around with this with health departments, who have said we are not covered
entities, we cannot sign a business associate agreement, because we are not,
and we don’t want to be.

MR. ROTHSTEIN: I’ll let Sue clarify this, but they can be a hybrid entity
or they could be a covered entity at their election, depending on what services
they provide, correct?

MS. MC ANDREW: By and large, the public health departments within states
would not be considered covered entities. That is not to say that some of them
have not in fact, because of their definition of what legal entity they are a
part of, and/or they may be a direct provider of health services and may bill
electronically. They may be — part of them maybe a covered entity. Most of
them we have encouraged to get into a hybrid situation so that their public
health functions are not part of the HIPAA compliant component.

MR. ROTHSTEIN: So in answer to your question, we had originally said in
R-12, we sidestepped the issue of whether it should be federal or state law,
and we also avoided the question of whether, it federal law, whether HIPAA or
some other law. So that is why it reads, to insure that privacy and
confidentiality apply to all individuals. We didn’t say that here, we are
saying federal.

So there is an argument that could be made that we should just take the
word federal out, I suppose.

DR. OVERHAGE: I don’t have a position. I just want to make sure we knew
what we were recommending.

DR. FRANCIS: It is of course possible that a federal standard would defer
to states in certain areas. So I actually don’t think that language takes a
position on the point you raised.

DR. OVERHAGE: I guess maybe somebody can explain that to me. So a state
health department for example, which is a particular example that is not a
direct deliverer of care — again, I am just ignorant about these things —
this says that entity because they have personally identifiable health
information, should be covered by federal privacy law.

MR. ROTHSTEIN: But federal privacy law could say that all information in
the custody, under the control of a state agency has to comply with federal law
or a comparable state law, if there is one. What that law would say would be,
you can’t have information that is maintained by a state health department
unless there was a state law that protected it, or then it would be subject to
the federal law.

DR. FRANCIS: It doesn’t for example include the word uniform, which would
be — I think your worry would be a real worry if it included the word uniform.

MR. ROTHSTEIN: Or pre-emptive.

DR. BERNSTEIN: You could say a minimum set of standards plus whatever the
state wants to do, but we didn’t say that. It could look like lots of different
things. HIPAA for example says that state law that is more stringent in certain
places continues to apply.

MR. ROTHSTEIN: Would it be better if instead of the word standard we put,
enjoy the protections of a federal privacy law? Would that imply more
flexibility or less flexibility? No? Or should enjoy federal privacy
protections?

MS. GREENBERG: You already said, enjoy the protections of a federal —

MR. ROTHSTEIN: Well, take that away, or transmitted should be subject to
federal law. I am just trying to accommodate the concern.

MR. SCANLON: I think the federal privacy standard may be fine. There is a
precedent here in the other portion of HIPAA that deals with insurance reform,
and sets a standard that there has to be guaranteed issue for certain people.
That was something that was left, because insurance regulation is a state
function, left to the states unless they fail to do so, and then there was a
federal fallback.

So I think we have got a precedent here. Standard is a vague enough but
specific enough term at the same time that I think it will accomplish what you
intend.

MR. ROTHSTEIN: Any other comments? Are you okay with that, Mark?

DR. OVERHAGE: I didn’t have a position, but only that I thought we wanted
to make sure that we knew what we were saying in that specific instance,
because they are a little bit different than a lot of the organizations that we
think about.

MR. ROTHSTEIN: We sometimes know what we are saying.

DR. COHN: I won’t tell you that I spent a lot of time wordsmithing this
paragraph. As many of you know, you have seen iterations of things getting
crossed out.

I had almost a question of fact that I just want to clarify and make sure
that we are right on here. I am looking at a particular sentence that says,
furthermore, the majority of participants proposed service providers of the
NHIN, e.g., health information exchanges, regional health information
organizations, record locator services, community access services, system
integrator, which may or may not be the right group to be included as medical
record banks, are not covered entities or business associates.

Is that a true statement, I guess is my question? I can believe many. I
just wonder if we have evidence to support the fact that the majority of them
are not covered entities or business associates? Mark, do you have information?
Either Mark.

DR. OVERHAGE: I don’t have any data other than personal knowledge of those
organizations. I don’t know of any that are not business associates.

DR. BERNSTEIN: But they are not required it be, right? They choose to do
that as a matter of their business. They decide that that is a good business
practice. But I’m not aware that they are required to do that.

DR. OVERHAGE: Well, I guess it depends on your perspective. If you are the
holder of the health information, if you are a covered entity, you are required
to have a business associate agreement with the people you contract with that
are going to manage protected health information. If one of these organizations
is going to manage protected health information, they would be required by the
covered entity to be their business associate.

DR. BERNSTEIN: Sue, is that a precise statement? I don’t mean to pick, but
I just want to make sure. I think it is right to ask about this.

MS. MC ANDREW: I think in the world today, most data managers, I would
hazard a guess, all data managers are business associates of the covered entity
that they service. We are presuming that some form of that relationship will
carry over into a RIO setting. It becomes difficult to decide whether or not
they fit the business associate model, simply because you have the central
player that is connected to a whole array of different providers, and also may
have some relationships and obligations to yet other networks independent of
the providers.

It is not clear yet where the data will reside and what their range of
functions will be. Some of them may actually be engaging in functions that
would be independent of a business. They are not things that come out of a
covered entity and get passed on to this entity as a business associate. They
may be business functions independent.

So they wouldn’t be doing everything on behalf of the covered entity or
even multiple entities. So conceptually as we get further down the RIO road and
the networks road, it does become challenging to figure out if the business
associate model truly functions and functions effectively in that environment.

DR. OVERHAGE: I am looking at examples like the Memphis project and ours.
Everyone I know of, we all have many business associate agreements.

DR. BERNSTEIN: My question was, are they required either by the law or by
the rule to be business associates, or is it just a good business practice to
do that. Those are different things.

MR. ROTHSTEIN: Let me recognize Paul, and then Harry wanted to comment, and
then Marjorie.

DR. TANG: Maybe I would like to try to resolve this discussion by taking
out the or business associate phrase from that sentence. We spent most of the
paragraph setting up the claim that business associate is such a weak
instrument that it is a bit moot.

It is true that none of these folks are covered entities, and it is that
principle, not that they become covered entities, but that the data the store,
access, touch have the same protection as if they were covered entities. I
think that is our point. So if we take away the business associate phrase, —

MR. ROTHSTEIN: But let me ask you, Paul, if we did that, then what about
the majority? Should we just take that away, furthermore the participants
proposed as?

DR. TANG: None of them are covered entities.

MR. ROTHSTEIN: So it would now be, furthermore the participants proposed as
service providers of the NHIN, skip the parenthetical, are not covered
entities, period. Is that what you are proposing? Harry was next in line.

MR. REYNOLDS: Let’s keep in mind that more and more of this business of
NHIN and other things is going to be done over the Internet. There are going to
be silent partners in many ways, as data flows back and forth between entities
that you don’t know, you don’t see, and you don’t have jurisdiction over. So
that is where a lot of this business is going to be going.

So I think the point is, everybody that is doing business now that knows of
someone who is helping them do that business may be bringing them into the
fold. But the model that we are looking at for the future doesn’t necessarily
let you know everybody that sees or touches or gets anywhere near the data. So
I want to keep that as an overview thought, too. Everybody can defend that I
have got the right business associates, and we do the same thing. But when you
shoot it out into the highway now, you’re not sure who all is getting it and
what they are doing with it and who is who.

MR. ROTHSTEIN: Thanks, Harry.

MS. GREENBERG: I think Paul covered my point.

MR. HOUSTON:As I look at it, I think if we are going to remove business
associates, then rather than furthermore at the beginning of the sentence, I
would almost be inclined to say something like, additionally, other
participants proposed as service providers of the NHIN are not covered
entities.

We have talked about business associates above in this paragraph. We also
talked about the group that are — there is an assumption that some could be
covered entities, but there is this others category that would not be either of
those. You have to make that linkage somewhere in this sentence.

MR. ROTHSTEIN: Reading the paragraph as a whole, the change Paul suggested
makes the paragraph illogical now. We start out talking about — it just
doesn’t follow. It starts out talking about covered entities, a significant
concern is that these people are outside the covered entities, and then we say
that some of them might be business associates, but there is a problem with
business associates, then we go back and say that they are not covered
entities.

What we would have to do to make it fit together is move the new sentence
the way Paul rewrote it up into the first part and then talk about business
associates as the second part, to make that logical.

DR. FRANCIS: Another problem here is that what you might have is a network
sharing be a business associate of one entity and then a business associate of
another entity and there are issues about the consistency of those
arrangements, too. That is a problem if what you are dealing with is
enforcement only through contract claims.

I was playing with the idea of business associates with each other. That is
one way to think about it. Another way to think about it is just to weaken that
and say, may not be business associates rather than are not business
associates.

Basically we are pointing to the fact that there is a patchwork of
protections maybe afforded by the business associate model. We certainly don’t
have the protections afforded by the covered entity model. It is hard to know
exactly, but if we just changed are not to may not.

MR. ROTHSTEIN: Another way of doing it is not to undo what Paul just said,
that we like, but just to make the change, to think about the original language
which you have in front of you on the hard copy, and take the word majority
out, and just say, furthermore many of the participants proposed as service
providers are not covered entities or business associates. I think that is a
statement of fact that nobody would disagree with, and many of them aren’t,
either.

So then logically we would say, some are covered entities, some are covered
as business associates, but that is not too not anyhow, and many aren’t,
either.

DR. COHN: I think I like the way you are wordsmithing this. My own question
at this point is where it fits in the paragraph.

MR. ROTHSTEIN: If you go back to the hard copy and don’t look at the
screen, in the fourth line down, where it says furthermore, at the end of the
line, strike out the majority of and substitute many of the.

DR. BERNSTEIN: Do I have it on the screen the way you are talking about,
Mark?

MR. ROTHSTEIN: Yes.

DR. COHN: I just have a question of clarification. The way the sentence is
going, I found myself looking at this and trying to figure out how this point
is different than the first and second sentences of that paragraph. Maybe we
are making a distinction between entities essential to the operation versus
service providers. Is that the distinction we are making here?

MR. ROTHSTEIN: A significant concern is that many of the entities are not
covered entities. They have proliferated in recent years. Some may be business
associates, but there are problems with that.

DR. BERNSTEIN: And many are neither one.

MR. ROTHSTEIN: Many are neither.

MS. MC ANDREW: Those are different ways in which business associate
arrangements are not sufficiently robust.

MR. ROTHSTEIN: I sense that we have an agreement on what we are trying to
say with the paragraph, but it may not read with sufficient clarity for
everyone’s comfort. Is that pretty much true? In other words, we need to meet
privately, the subcommittee, redraft this paragraph and bring it back tomorrow,
do you think, or not?

DR. OVERHAGE: I was going to say the same thing Simon did. I think you
should strike this sentence and the whole thing would be clearer.

MR. ROTHSTEIN: Strike which sentence?

DR. OVERHAGE: The one we are discussing about, furthermore the majority of
participants proposed as service providers.

DR. COHN: That is what I was trying to say. I just wasn’t sure whether
there was anything new that we were adding.

DR. OVERHAGE: If it adds something, it is not clear to me.

MR. ROTHSTEIN: One of the things that I didn’t want to lose that maybe we
can salvage from that is, could we move that list that is in the parenthetical
into the second sentence of the paragraph, just to give a flavor of the
varieties of these organizations? Would that be okay?

DR. OVERHAGE: Yes.

DR. BERNSTEIN: If you strike the sentence, then you lose the — the
previous sentence talks about that you might have business associates and the
arrangements are not very robust. But I think it was trying to drive the point
that some of them aren’t even business associates, so there is nothing
protecting them. That point is not made if you lose that sentence.

DR. OVERHAGE: I’m not sure why you lose that point. You say in the third
sentence, while some of these entities may be business associates, —

DR. BERNSTEIN: The argument is, we are not covered entities, but it is okay
because we are business associates. From the discussion, without trying to put
words in the subcommittee’s mouth, the idea was, we don’t want them to be able
to say for business associates that is good enough, because we don’t think it
is really good enough. We think that is not very robust.

Then the point is, even though it is not very robust, it is better than the
fact that some of them are not covered at all. And they are not business
associates, and there might be some state law that applies, but probably not.
These are new kinds of business models.

DR. FRANCIS: Suppose what we did was, we take the sentence that starts,
while some of these entities may be business associates under the privacy rule
and thus obligated to maintain similar standards, others may not be business
associates, period. Moreover, it is the view of the NCVHS that business
associate arrangements are not sufficiently robust. That way, both points get
made.

MR. ROTHSTEIN: I’m okay with that. Maya, do you want to give that a shot?

DR. BERNSTEIN: I’ll do that. Then do you want to put this list somewhere?
That would mean we would kick out this part right here.

DR. FRANCIS: I believe we have that list already. We have most of that list
already in the second sentence, and we should make sure that the list in the
second sentence is complete.

MR. HOUSTON:I think what Leslie said works. If you take the parenthetical
out of that sentence that started originally with furthermore, it is a lot
easier to read. I think we can use Leslie’s approach, too. I think the
parenthetical makes it difficult to navigate, which might have caused some of
the confusion. Either way I’m okay.

MR. REYNOLDS: I am in total support of Leslie’s position on the business
associates also.

MR. ROTHSTEIN: Thank you. Other comments on that paragraph? Let me give it
a try. Are you ready for me to try to read that now, Maya?

DR. BERNSTEIN: How’s that?

MR. ROTHSTEIN: Here we go. A significant concern is that many of the new
entities essential to the operation of the NHIN fall outside the HIPAA
statutory definition of covered entity. Health information exchanges, regional
health information organizations, record locator services, community access
services, system integrators, medical record banks and other new entities
established to manage health records have proliferated in recent years. While
some of these entities may be business associates under the privacy rule and
thus obligated by contractual agreements with covered entities to maintain
similar standards, others may not be business associates. Moreover, it is the
view of the NCVHS that business associate arrangements are not sufficiently
robust to protect the privacy and security of all individually identifiable
health records. I think there is no change in the rest of that paragraph.

DR. BERNSTEIN: That second deletion. So it goes, business associates are
subject only to contract claims brought by the covered entity, —

MR. ROTHSTEIN: And not to enforcement actions by HHS or the Department of
Justice.

DR. BERNSTEIN: And is followed by the health information technology
community as moving quickly, that sentence.

MS. GREENBERG: Then you pick up again here?

MR. ROTHSTEIN: Right. So is everybody okay with that? Hearing no moans, —

DR. COHN: I don’t mean to take all the fun out of this paragraph. I just
wonder about the word remarkable.

MS. GREENBERG: I like it.

MR. ROTHSTEIN: I think an early version was astonishing. Next paragraph.

In addition to new entities that manage health records, mentioned above,
NCVHS also heard from representatives of non-covered health care providers, the
National Athletic Trainers Association, International Medical Spa Association,
a large employer participating in a multi-employer personal health records
system, a health record bank organization, and a home testing laboratory. We
also heard from legal experts who addressed various issues associated with
those entities, such as the status of concierges, medical practices and the
disposition of the health records of entities that enter into bankruptcy.

DR. OVERHAGE: Two comments. One is that I wasn’t sure why concierge medical
practice — to me that means something that covers — it is just a medica
practice that happens to operate in a different way, and I wasn’t sure why that
became a different —

MR. ROTHSTEIN: Because there are basically two types of concierge medical
practices, one of which is cash only, no billing, and therefore not covered.

DR. OVERHAGE: I guess that is my trouble, that using that word might imply
a broader group of practices, and what you really mean is people who charge
cash for their services. We have used a word that describes something
different, which is how care is delivered.

MR. ROTHSTEIN: This sentence, keep in mind this is a description of who we
heard from. We heard from a legal expert whose practice is representing
concierge medical practices of both kinds. In the next paragraph, we talk about
— we don’t use the term concierge medical in the next paragraph; we say among
the health care providers not covered by HIPAA, entities are directly paid by
their customers or another party, blah, blah, blah.

DR. OVERHAGE: My question would be, I fear it might engender some confusion
by convoluting the two things, and we might be better off saying something
like, the status of medical practices to operate on a cash-only basis or
something, and then you are going to go on and explain that further.

MR. ROTHSTEIN: This is narrowly, precisely who we heard from. But I
understand your point. So let’s make that change.

DR. OVERHAGE: Then the other is a similar vein at the end.

DR. BERNSTEIN: Mark, before you go on, can you tell me what the language
was that you wanted?

DR. OVERHAGE: I was just going to include cash only or something like that.
You could wordsmith that.

MR. ROTHSTEIN: And your other change?

DR. OVERHAGE: In the last sentence you talk about entities that enter into
bankruptcy, and I wonder if we want to say cease to exist for various reasons,
including bankruptcy or something. Again, this is in a similar vein. You heard
about bankruptcy.

MR. ROTHSTEIN: This is exactly who we heard from. We heard from an expert
on bankruptcy law, who commented on the issue of whether any promises to
safeguard privacy extend to entities that enter into bankruptcy.

DR. BERNSTEIN: Right, and also because the medical records may have value
in the market, whether they are required to sell them

DR. OVERHAGE: I understand the issue. My worry is that — and I appreciate
your point about, this is who you heard from. The question though I had was,
obviously entities cease to exist for a whole variety of reasons, one of which
is bankruptcy. The same set of issues apply when the organization ceases to
exist. A simple example is, a physician shutters his doors.

DR. BERNSTEIN: No, the same issues do not obtain if the practice just goes
out — sorry, Mark.

MR. ROTHSTEIN: Actually, the issues are different under the Federal
Bankruptcy Act. That is what we wanted to explore, the intersection of the
Federal Bankruptcy Act protections and the privacy.

Any other comments on that paragraph? The next one.

Based on the testimony we heard, we now understand that a significant
number of everyday providers of health care and health related services are not
covered by the HIPAA privacy and security rules.

These entities fall into two categories. The first category do not submit
payment in electronic form. These entities are not covered because the
definition of a covered provider is connected to the original purpose of HIPAA,
administrative simplification of the processing of claims. Since these entities
do not submit claims or bill health plans, they fall outside the definition and
are not covered.

Among the health care providers not covered by HIPAA are entities that are
directly paid by their customers or another party such as some providers of
cosmetic medicine services, occupational health clinics, fitness clubs, home
testing laboratories, massage therapists, nutritional counselors, alternative
medicine practitioners and urgent care facilities.

Simon, you have a quizzical look on your face.

DR. COHN: I see some at the beginning, and I couldn’t decide whether some
in the last sentence applies to all of these or just to cosmetic medical
services. I just couldn’t tell. Is some applying to every single one of them?

MR. ROTHSTEIN: Maybe we should put, such as some of the following?

MS. GREENBERG: Providers.

MR. ROTHSTEIN: Some of the following providers?

DR. COHN: Sure, that would help.

MS. GREENBERG: I don’t want to create a problem when we correct a problem,
but a fitness club is not a provider.

MR. ROTHSTEIN: Oh, right.

MS. GREENBERG: I don’t think you would consider that a provider. That is
just some wordsmithing.

DR. BERNSTEIN: If an athletic trainer works there, sure. Why shouldn’t they
be a provider?

MS. GREENBERG: But the issue I was going to raise is, you said two slightly
different things here. In the first category, entities that do not submit
claims for payment in electronic form. Then a little bit later you say, since
these entities do not submit claims or bill health plans. They could submit
claims or bill health plans in paper form, right? Then they wouldn’t be
covered?

DR. BERNSTEIN: Yes, you can be an all paper practice.

MS. GREENBERG: So you need an electronically in both places.

MR. ROTHSTEIN: I think we have fixed that now. Thank you for that point.
Other comments on that paragraph?

DR. BERNSTEIN: Mark, if the committee wants to add, as Marjorie points out,
those who are just paper practices are also not covered. We didn’t include them
in the list.

MR. ROTHSTEIN: We could add that. That is certainly a true statement. But
at the hearing we didn’t hear from any paper only people. They don’t travel on
airplanes to give testimony.

In the second category are providers that create records covered by the
Family Educational Rights and Privacy Act, which are explicitly excluded from
the definition, protected health information, in the HIPAA privacy rule. FERPA,
which is overseen by the Department of Education, protects records of students
in schools that receive Department of Education funds. Thus, most health
records created and maintained by school clinics fall under FERPA rather than
HIPAA.

However, some schools are not covered by either law. Some providers, such
as athletic trainers working in scholastic athletic programs or college student
health services that submit electronic insurance claims, have reported
confusion as to whether they are subject to HIPAA or to FERPA. Today under
separate cover we are also sending a letter addressing this matter.

MS. GREENBERG: I don’t remember your mentioning in the FERPA letter that
there are some schools that aren’t covered. Why would a school not be covered
by FERPA?

MR. ROTHSTEIN: Because they don’t receive funds from the Department of
Education.

DR. BERNSTEIN: There are a few that do not take any funds, and none of
their students have federally sponsored financial aid.

MS. GREENBERG: But you didn’t mention that in the FERPA letter, because
that wasn’t in the FERPA letter.

MR. ROTHSTEIN: Right. Other comments? Hearing none, moving along.

The HIPAA privacy and research rules were designed to set minimum uniform
protections for identifiable health information across the nation. Providers of
health care and related services not subject to HIPAA may also not be subject
to any other state or federal privacy law. This means they may be free to
engage in a wide range of practices otherwise not permitted under HIPAA. For
example, non-covered entities are not required to provide notices to
individuals about their privacy practices, train their staffs about privacy and
confidentiality, institute physical controls on the storage or use of health
records, protect electronic transmission of health records, maintain an
accounting of disclosures or require an authorization before re=disclosing
health information to other non-covered entities. These entities may even sell
personal health information without authorization for the purposes of marketing
or other purposes that consumers may find objectionable.

DR. OVERHAGE: Is the word may there saying that they are allowed to do that
under current law, or that they do it?

MR. ROTHSTEIN: Maybe we need the word might. Would changing may to might
help you?

DR. BERNSTEIN: In which sentence?

MR. ROTHSTEIN: In the last sentence. These entities might even sell.

DR. OVERHAGE: I guess I don’t understand whether we are saying that they
are actually allowed to, and there is a loophole, or if we are saying that in
fact they do.

MR. ROTHSTEIN: What we are saying is that there is nothing prohibiting
them, but there is a possibility that they could even —

DR. OVERHAGE: I think that is a good word. To me that says there is nothing
blocking them from doing it, therefore they may and sometimes will, is the
implication. Have been known to.

MR. ROTHSTEIN: And just for your amusement value, one version of this,
instead of doing things consumers may find objectionable, it read, for other
nefarious purposes.

DR. BERNSTEIN: I have got to have some fun somehow.

MR. ROTHSTEIN: Any other comments?

DR. BERNSTEIN: It tends to bring the subcommittee’s attention to what I’ve
written just so they will look at it.

MR. ROTHSTEIN: Right. Next paragraph.

In the context of the NHIN, it will be easier to design health information
products and services with knowledge of privacy requirements than to retrofit
them to new privacy policies. Therefore, it is urgent that HHS and the Congress
establish from the outset laws and regulations that will assure the public that
the NHIN and all its components are deserving of their trust.

As you continue deliberations on the best way to develop the NHIN, we hope
that this information gathered through our recent hearings is helpful to HHS in
acting on our earlier recommendation that all entities that deal with
personally identifiable health information should be covered by some federal
privacy law.

We appreciate the opportunity, blah, blah, blah.

DR. BERNSTEIN: From the outset? Does that help us? What do we exactly mean?
From the outset of what? Don’t we want them to establish laws right away?

MR. ROTHSTEIN: The offset is in reference to the prior sentence where they
talk about retrofitting them to new privacy policies. All we are trying to do
is say that we need to be prospective or proactive in developing them.

DR. BERNSTEIN: So if we were to follow the format of the recommendation, is
there a recommendation here?

MR. ROTHSTEIN: This is an unusual letter, in the following sense. We have
the recommendation that is quoted at the beginning, R-12. What we are saying
now is that we have followed up on our original recommendation. We have had
more hearings. We have generated more information that further supports our
earlier recommendation, and we think you should be aware of this additional
information that we have collected.

But the recommendation which we made in 2006, R-12, we still believe in,
and we don’t believe it needs to be changed. So that is what makes this a
little unusual. We don’t have a new recommendation, we have new support for an
old recommendation.

DR. CARR: So what we are saying is, there is a time issue. Not only is this
important, but it is important to do sooner rather than later.

MR. ROTHSTEIN: So do you think that is a recommendation?

DR. CARR: The way it is written?

MR. ROTHSTEIN: No. Are you suggesting that using the time element, we ought
to isolate and make a new recommendation that time is of the essence?

DR. CARR: Yes. First we told you this, now all these things have happened,
and we are back to tell you there is now a time urgency to this because we will
have a lot of rework if we don’t get this straightened out in the beginning. So
I think it is a — I’m trying to get the punch line. It is a great letter, but
it ends up with — it doesn’t punch it out as much.

DR. GREEN: I wish to speak in support of what Justine just said. I am
wondering why we don’t get rid of this from the outset. From the outset is
ambiguous. We have only been trying to do this for about 20 years already, so
it is a little late. Why not just say, Congress establish now? Or just say
established? I like the sense of now.

DR. BERNSTEIN: Now? Where?

MR. ROTHSTEIN: How about as soon as possible?

DR. GREEN: How about now?

MR. ROTHSTEIN: Then it reads like a cartoon. I want to take up the issue
that Justine raised and whether we should spin off from this paragraph a new
recommendation that goes to the need for this to be done now, before the NHIN
is set in stone.

DR. COHN: I think it is right. This paragraph says it. That sentence where
it says time is of the essence, it almost goes at the beginning of that
paragraph there. I was going to say at the very beginning. That would be fine,
too. Some formatting or bolding of that, or maybe even boxing of this. I’ll
stop there.

DR. TANG: I’d like to speak in favor of what Justine suggested, then
piggybacking on what we did with the earlier letter, put the re up in front and
label it something like, update to privacy law is required to accommodate NHIN
data sharing practices. In other words, it really punches it and says, why
should you read this letter in the first place? We said this a year and a half
ago. Now look where the country is moving in an appropriate direction. We need
to update our privacy laws and regulations in order to accommodate that now.

DR. BERNSTEIN: Paul, tell me where you want to put that.

DR. TANG: It is an endorsement of the recommendation.

MR. ROTHSTEIN: In the re line.

DR. TANG: In the re line it says, update the privacy laws and regulations
required in order to accommodate NHIN data sharing practices.

MR. ROTHSTEIN: Privacy laws and regulations. Update to privacy laws and
regulations. What was the rest of that?

DR. TANG: To accommodate NHIN data sharing practices.

MR. ROTHSTEIN: Needed to accommodate.

DR. TANG: Required to accommodate NHIN data sharing practices.

MR. ROTHSTEIN: And we are going to see that in the Washington Post, in a
headline?

DR. TANG: We will see that in the Washington Post.

DR. CARR: Just thinking again about the closing paragraph, I wonder if it
is worth saying something like, we reiterate the initial recommendation and we
add a timeliness element or something like that.

MR. ROTHSTEIN: Are you saying that in the first paragraph or the last?

DR. CARR: The last. So we reiterate our support of the initial
recommendation, but we now add an urgency, timeliness or something like that to
close it up with some strength.

DR. TANG: In the past year we have been informed of the NHIN activities
going on. That is what has caused some of these new requirements. It is not
just adding urgency to what we said. We have new requirements that have
unfolded in the past even year.

MR. ROTHSTEIN: That further support the urgency of, whatever.

MS. GREENBERG: Although I believe in now and immediately, have you ever
seen HHS and Congress establish laws and regulations immediately? It is not
even within the realm of possibility that one could do that. It is part of the
political process; I’m not saying it should be within the realm of possibility.
So I would say as soon as possible as you said, or as soon as feasible or
something would be more appropriate. Otherwise it sounds like we are smoking
something.

DR. BERNSTEIN: See how good I am at grabbing your attention? I’m not sure
this is the recommendation you want, but it might look something like this.

DR. FRANCIS: Could we change establish as soon as feasible to, should move
urgently to establish?

MS. GREENBERG: Well, we can’t tell HHS to meet with Congress.

DR. BERNSTEIN: Move urgently to establish.

MR. ROTHSTEIN: It is urgent that we move, but we can’t move urgently.

DR. GREEN: Expeditiously?

DR. COHN: I would get rid of as soon as feasible also.

MR. ROTHSTEIN: Yes, I don’t like with urgency. I think expeditiously. I
just want to ask if there are any more comments to this?

MS. GREENBERG: If you are going to make this into a recommendation, then I
think the last paragraph, not the appreciate, but second to last, is kind of
anticlimactic. I would incorporate that into the recommendation. Say, to
establish laws and regulations that will assure the public that the NHIN and
all its components are deserving of their trust.

MR. ROTHSTEIN: We might want to just put —

MS. GREENBERG: I’m not saying to get rid of it.

DR. GREEN: I thought the recommendation is to define the covered entities
sufficiently. This suddenly talking about trust makes no sense to me. The
recommendation is, get the covered entities defined so that the design can
proceed to move the information around where it needs to go. It is not about
trust, it is about defining —

MS. GREENBERG: Well, ultimately it is about trust, but I think you are
right, should move expeditiously to establish laws and regulations that will
assure that all entities that deal with personally identifiable health
information are covered by some federal privacy law. This is needed to — or,
this is necessary to assure the public that the NHIN and all its components are
deserving of their trust.

DR. TANG: It is back to insure.

MR. ROTHSTEIN: No, actually it is assure. We are going to assure the
public.

MR. HOUSTON: I have a concern over the phrase some federal privacy law. Do
we want to maybe refine that a little bit to say a uniform federal or
comprehensive federal privacy law?

DR. BERNSTEIN: Comprehensive is not the same as uniform. It means broad
coverage.

MR. HOUSTON: I’m saying the word — I’m not saying comprehensive is right.

MS. GREENBERG: We’ll take that out.

MR. ROTHSTEIN: And we are going to delete the last paragraph now, correct?
The as you continue paragraph, because we got that idea in part of the
recommendation.

MS. GREENBERG: It’s a little too wishy-washy.

MR. ROTHSTEIN: Other comments on the letter?

DR. BERNSTEIN: Do we think this is okay, time is of the essence?

MS. GREENBERG: I still like that.

MR. ROTHSTEIN: Yes, I think time is of the essence. It is lunchtime, so
other comments?

DR. BERNSTEIN: Let me show you what this looks like.

MR. ROTHSTEIN: I will read it quickly for the benefit of those on the
Internet who are anxious to see what our final version sounds like.

In the context of the NHIN, it will be easier to design health information
products and services with knowledge of privacy requirements and to retrofit
them into new privacy policies. Therefore, time is of the essence.

Recommendation. HHS and the Congress should move expeditiously to establish
laws and regulations that will assure the public that all entities that deal
with personally identifiable health information are covered by a federal
privacy law. This is necessary to assure the public that the NHIN and all of
its components are deserving of their trust.

MS. GREENBERG: I don’t think you need the public both times. It is to
establish laws and regulations that will insure that all entities that deal
with personally identifiable health information are covered by a federal
privacy law. This is necessary to assure the public, and take the public out of
the first. After that, take the public out.

MR. ROTHSTEIN: And it is assure.

DR. BERNSTEIN: Does anyone have an issue with deal with? It seems a little
colloquial to me. Previously we said collect, store, transmit. We were more
specific, right?

MR. ROTHSTEIN: Correct. That is our language. But we had a whole bunch of
them, create, compile, store, transmit or use. If we are going to reiterate our
earlier recommendation, let’s just put that in. That will be better. That will
be more consistent. HHS and Congress should move expeditiously to establish
laws and regulations that will insure that all entities that create, compile,
store, transmit or use personally identifiable health information are covered
by a federal privacy law.

I’m not sure with all that, that we need the next sentence. We have
emphasized trust, trust, trust in the June 2006 letter, and it might water the
import of this down.

MS. GREENBERG: No, I think it is okay.

MR. ROTHSTEIN: You want to keep it? Okay. Any other comments on this
letter?

MS. GREENBERG: I don’t think these are just thoughts. I think this is a
more powerful letter now. We appreciate the opportunity to share with you our
findings and recommendations on this important issue, I would say. Not
thoughts.

MR. HOUSTON: Can I move that we vote on this letter?

DR. COHN: Sure. Is everybody comfortable at this point with the letter, and
I presume friendly amendment, if there is subtle wordsmithing.

MR. HOUSTON: Subject to Mark and the executive committee’s tweaking as
necessary.

MR. ROTHSTEIN: I’m not sure we need to do any more. We needed to do some in
the last one, but I don’t think so.

DR. COHN: If we are done with tweaking, let me just ask, is fitness clubs
really a provider?

DR. BERNSTEIN: Yes.

DR. COHN: Well, with that one question, any other discussion? I hear a
motion. Is there a second?

DR. TANG: Second.

DR. COHN: Any further discussion? All in favor?

(Chorus of Ayes.)

DR. COHN: Opposed? Abstentions? The letter passes.

MR. ROTHSTEIN: Thank you, Simon. I want to thank the members of the
subcommittee and Maya for working on this, and all of the committee members for
their helpful suggestions.

DR. COHN: With that, we will take a lunch break for one hour. We will
reconvene at 1:35.

(The meeting recessed for lunch at 12:35 p.m.)


A F T E R N O O N S E S S I O N (1:40 P.M.)

DR. COHN: We are actually running a couple of minutes behind schedule but
not doing too badly. The next set of action items have to deal with letters
coming forward from the Subcommittee on Standards and Security. We are
obviously sorry that Jeff Blair is not available to join us this time but I
think he has a day job – I am told. It is sometimes now getting in the way
of things.

With that, Harry, why don’t I turn it over to you

and let you walk us through the letters.

Agenda Item: Subcommittee on Standards and Security
Letters, Action June 21

MR. REYNOLDS: Our goal is to be finished with both of these letters by the
6:30 p.m. dinner so any assistance you can give us would be appropriate.

(Laughter.)

MR. REYNOLDS: Moving right along. We will go to the NPI letter first.
Denise has it up on the screen, too, and this was the one that was passed out
and not the one that was in your packet.

The National Committee on Vital and Health Statistics, NCVHS, is
responsible for assisting and advising the Department of Health and Human
Services, HHS, and adopting the administrative simplification provisions of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA). In that
role we have continued to monitor the healthcare industries progress towards
meeting the May 23, 2007 compliance date for implementation of the national
provider ID, NPI.

We last reported NPI status to you on February 15, 2007 and at that time
concluded that several key impediments remained to meeting the statutory
deadline. At that time we expressed our concern that the industry would not be
able to meet the target date for NPI compliance and made a number of
recommendations in this regard. They included –

MS. GREENBERG: Did you say “concern” or skepticism?

MR. REYNOLDS: We have changed it to “concern”. There was some
question about that so I am asking if we can put that back on the table.

MS. FRANCIS: But it should read concern that the industry should not be

MS. GREENBERG: If it is concern then you need the not.

MR. REYNOLDS: Yes, absolutely. So our recommendations back then were that
HHS should decide what information from the national plan/provider enumeration
systems, NPPES, would be made available to the industry.

Next bullet. Issue a date of dissemination notice. Next bullet; make the
data available at the earliest possible date.

Secondarily, that by May 23, 2007, covered entities should be required to
obtain their NPI’s. Second bullet; plans and clearinghouses must complete the
system changes needed to accept NPI’s on HIPAA transactions.

Thirdly, that HHS should publish contingency guidance to protect compliant
covered entities from enforcement actions if they develop and implement
contingency plans. This guidance was issued by CMS on April 2, 2007.

Any questions so far. John.

MR. HOUSTON: When I read through the letter I was a little concerned about
the way things were timed and it seemed liked – if I am getting it
correctly – there were certain things that were to happen on May
30th. There were things that – May 23rd – it
seemed like the letter the way it is structured, times have already passed and
you are sort of talking about –you are speaking of things in the current
tense and in the future tense – and it appears that the time has already
passed towards the compliance deadline.

MR. REYNOLDS: Let me address that two ways. First, remember that this is a
string of letters. Second, when this was originally done it was prior to May
23rd, as we have had the hearings and so on. We have been having
this for a while. So, do you think that we should not go back in the history or
what should we do?

MR. HOUSTON: I am almost thinking – personally when I read the letter
it seemed to be confusing and there are things that have already passed and
that is fine – I am just wondering whether you should simply look forward
to the things that still need to be done for which the deadline has not passed
yet? I guess there were a couple of cases, if I look through my notes, we can
get to it in a later paragraph but I guess the question I was left with in a
number of cases – okay, the deadline has passed – what has actually
happened. Is there a need for some of the things that you are talking about
wanting to do. A general comment.

MR. REYNOLDS: I think it is good because we actually only have one
recommendation. I like the idea earlier and we will change the format to maybe
do a “regarding” that we did on the other letter, what is the subject
and then we should make sure we bold the recommendations. We definitely need to
do that also.

DR. FRANCIS: I wasn’t confused, at least in the sense that what you have
here bulleted are your recommendations from February 15th. I think
as long as it is clear – maybe if you formatted it so these inserts were
labeled February 15th recommendations.

MR. REYNOLDS: For example, I think we could take the sentence off the last
bullet – back to your point, John, “this guidance was issued by CMS
on April 2, 2007” so we sent a letter in February, what did we say in
February, then what has happened in April, what has happened in May, and so on
and then our recommendation.

MR. HOUSTON: I guess maybe to my point, it seems like there is something
missing like there should be something said about what is actually happened
either since the guidance was issued or since the deadlines have passed that
cause you to make any further recommendation.

When I read the letter, and maybe I just missed it, but it sort of seemed
like that was missing.

MR. REYNOLDS: We will keep that in mind as we go through it and if it is
still missing –

DR. COHN: One other thing that may just help with understandability, I
think there needs to be a paragraph where it says; “we last
reported”. If you make that as a separate paragraph then all the bullets
and all of that sort of fall under that and that piece doesn’t get lost.

MR. REYNOLDS: So make a separate paragraph starting with “we
last”. Fine.

DR. TANG: Harry, so we don’t have to deal with this at the end you want to
go ahead and give us what the “re:” is going to say so that we can
set the context?

MR. REYNOLDS: I am going to let Judy work on the “re” while we
are doing this. I was accepting the fact that we need to do that on the fly. I
need to think about it exactly what we want to say.

Let us read through it and then we may need some help from the Committee on
that because the message – we will talk about that some more.

DR. TANG: I guess, maybe it is part of the same comment that others are
making, I don’t understand why we are tracing history yet.

MR. REYNOLDS: Partially we wrote the letter again, before some of the
things that occurred, occurred. I am not defending – I am making a factual
statement.

Now, playing off this morning and playing off of how we addressed this
morning, we may shorten this letter substantially. What I would like to do is
go through the substance, make sure you understand why we did what we did, and
then more to happy to consider pulling out some of the history and just going
straight to the bottom line since it is a subject of which this is a string of
letters. It is not like we are re-warming everybody up to this. This is a
subject that is in play. It is a subject that the whole industry is doing and
it is a subject that the Secretary is getting regular updates from in lots of
ways.

On May 30, 2007 the Department published in the federal register the NPPES
data dissemination notice, detailing the policy by which CMS will make certain
NPPES health care provider data available to cover these under the health
insurance portability and accountability act and two others.

The NCVHS commends the Department on their timely response to industry
requests.

If you remember that you got had in there that we felt that should be done
and then we got it. Then it came out so it is back to that same flow again.

On May 1, the Workgroup for Electronic Data Interchange provided an update
via testimony to the NCVHS Standards and Security Subcommittee that while
progress has been made there is a key outstanding issue that remains. This is
the plan by CMS to discontinue issuance of NPIN numbers after May 23, 2007 and
CMS’s plan to discontinue access to the UPN file by June 30, 2007.

That is the only new issues that we are dealing with. So that is the one
that we are making the recommendation on. Next, based on this expert testimony
at the Subcommittee hearings and our own public deliberations we have the
following observation and recommendation.

After hearing testimony, NCVHS is convinced that CMS should maintain
business as usual by continuing to issue and make available UPN numbers until
the end NPI contingency guidance period, May 23, 2008. Some health plans
currently use the UPN as a legacy number for claim adjudication and payment.
Providers who bill those plans but who will not migrate to business operation
use of their NPI’s until sometime after May 23, 2007 will need the ability to
acquire UPN for new service providers.

NCVHS also recommends that CMS make the subscription UPN database and UPN
online registry capability available through the full contingency period versus
the proposed June 30, 2007 cutoff date.

Taking some of the comments that we have had we could basically say, based
on the last letter we sent to you there were two outstanding items. You took
care of one of them by issuing the NPEZ dissemination notice and here is what
we heard on the second one and here is what we recommend.

MS. GREENBERG: There were two things that were taken care of. One was
issuing the dissemination notice and the other was publishing a contingency
guide.

MR. REYNOLDS: Yes, that is correct. I am sorry – you are right. The
floor is open for comments about that structure or questions about the actual
detail.

Yes, Steve.

DR. STEINDEL: Harry, I am going to let the questions about structure comes
from others. I think I am probably inclined to agree with them. I am left with
the question of why should we continue access to the UPN database? You never
specifically say why.

MR. REYNOLDS: We did say why. Health plans use it as a legacy number and
providers –

DR. STEINDEL: That says to me why they should continue but from what I
gather, access to the UPN number is important to develop and validate
cross-walks. I think something like that should be mentioned.

MR. REYNOLDS: Okay. Other comments?

DR. TANG: I support your follow up sort of restructuring because I think it
is actually not only it is not helpful I think it is confusing to go through
the history that everybody already knows so I would start with where we are and
go forward.

In terms of the “re”, I have some suggested wording for you

MR. REYNOLDS: I figured you would so I figured if I stalled long enough you
would jump right in there.

DR. TANG: It really focuses on your second recommendation which is the need
for UPN enumeration until NPI implementation is complete – so you are
broadcasting what your intentions are for the letter.

MS. BENNING: Paul, could you repeat that please?

DR. TANG: Actually Marjorie has the comments.

MS. GREENBERG: I am definitely not pointing a finger at anybody but given
that the implementation date was May 23, 2007, I am just wondering if it is a
little disingenuous to refer to the publication of the May 30, 2007 of the
dissemination notice as a timely response.

MR. REYNOLDS: It was a timely response to our previous letter. I could not
disagree with that but using the flow of our information to them it was one of
a more timely response.

How would that be? Let me say that politically correctly. That is a fact,
it was a very quick response to the last letter we wrote.

MS. GREENBERG: But you said industry request. I don’t know.

DR. COHN: First of all, could I take a look at the “re” up there
to what we actually have since we lost it?

First of all, it is really NPI implementation. Is it an expiration of the
NPI contingency plan?

MR. REYNOLDS: Yes, that is what it is.

DR. TANG: Or it is the full implementation because it is not implemented
yet.

MR. REYNOLDS: But we are in a contingency program. We are in a contingency
period right now. I think that is actually the proper term. Karen, do you agree
that is the proper term?

MS. BENNING: I’m sorry. What is the suggested language for NPI?

DR. TANG: How about need for continued UPN enumeration until NPI –

MS. GREENBERG: During contingency period.

DR. TANG: Or until NPI is fully implemented.

MR. REYNOLDS: How about throughout the contingency program period?

MS. GREENBERG: But it is not just the enumeration, you also want access to
the database.

MR. REYNOLDS. Yes. So we need the continued UPN enumeration and access
throughout the NPI contingency period.

I think that is a factual statement.

DR. COHN: The other comment I was going to make on this one – I think
we were loosely talking about some restructuring of this letter. I think we are
all in agreement with the recommendation but I am actually sort of thinking
that this is some pretty significant restructuring of this letter unless I am
mistaken. I am actually wondering whether we need these bullets in the middle
of the body as opposed to being in a more paragraphed structure integrating
things that have already happened – which I think you are sort of agreeing.

MR. REYNOLDS: No, I am totally agreeing.

DR. COHN: I guess we need to get other comments but it feels like something
that we need to take back to the subcommittee for clean up before we could
validate –

MR. REYNOLDS: I agree. Based on these comments, which I agree with, I want
to make sure that everybody agrees with the recommendation. When we come back
tomorrow it would be more “I don’t like your words” than “I
don’t like your recommendations or I am not comfortable with where you are
going with it”.

I am comfortable to take that back up but I want to make sure we adjudicate
those comments and issues and questions – that we do that before we would
take it back to the committee.

MR. LAND: Do we know why CMS is going to discontinue the numbers access to
UPN file. Is that relevant to understanding this recommendation why they are
proposing to do it? Is there some bureaucratic reason for it?

DR. TRUDEL: I can answer. There are several reasons. One is simply that
there is a financial cost to continuing to run the enumeration process and the
registry but more important, we felt that since there was the NPI was being
implemented and we were moving in that direction we did not want to send a
message that we were going to continue to issue UPN’s when effective May 23,
2007 everybody was suppose to have an NPI.

MS. GREENBERG: I think the piece of missing information was if the system
– the processing system could not accommodate the NPI then they had to use
the UPN. Everyone had to have an NPI but it was acknowledged which is the idea
of the contingency plan that not all trading partners would be able to exchange
NPI’s and they might have to exchange either NPI and the legacy number or only
the legacy number, until the contingency was lifted. If they are in the later
case where they can’t exchange the NPI and they have got some new provider,
then what are they going to do?

MR. REYNOLDS: I will make a comment. In looking at this further, I know
that for example, WEDI has been asked to submit considerations about this
further to CMS and others. This issue is still under advisement.

I think what we are saying here is what we heard and I think what we are
saying here is what we would recommend. They made a decision but it appears
that there have been requests for more information about that decision so I
think it is still open.

MS. GREENBERG: I was still just trying to get some clarification in
response to Garland’s question of if they did not continue – if they did
not agree with this recommendation – what is going to happen when you need
to enumerate a provider and your trading partners or whatever, can’t
accommodate the NPI?

MR. REYNOLDS: NPI is the only option. Fair statement – NPI is the only
option.

MS. GREENBERG: So you can’t invoke the contingency because –

MR. REYNOLDS: What do you mean – who can invoke it?

MS. GREENBERG: You have to use the NPI then?

MR. REYNOLDS: You are getting a new number or you get somebody to give you
a legacy number. You get a payer or somebody else to give you an older number.

MS. GREENBERG: Get a number from someone else. Okay.

MR. REYNOLDS: There can be a lot of discussion about this but there has
been a decision made and we are recommending what we heard and I know there is
further discussion. Those are the facts on the table but I think there is going
to be a lot of debate as to whether the intent was good, bad, or indifferent.
Those are the facts and kind of where we are.

Any other comments? Okay, the subcommittee will take this. We will come
back with an abbreviated and carefully constructed letter from a standpoint
– I think what we did this morning with “regarding” and some of
the other things I think is a good plus for all of letters going forward. We
will align to that and remove some of the history and bring it back to you in
the morning.

Next letter. Let me give you a little background before I just start diving
into the reading. We have in multiple hearings heard requests from the industry
as to a way to streamline this whole process of getting standards done.

If you remember in the Health IT Bill, that was out last time NCVHS was
mentioned, as a possible way to do that. Then when that bill did not move then
there were other discussions about how to have that happen so we heard further
testimony on that on that streamlining process.

As you listen to this one, there is a significant process that it goes
through to get these things passed and so we are talking about what the
proposal we heard was and we are trying to talk about how we can explain what
we do or don’t think about that streamlining process and whether or not the
public is going to have the appropriate input and so on. That is really how we
positioned this as you listen to it.

That is really the whole reason for the discussion is somewhat of a
streamlining of this process that was presented to us with NCVHS a key player
in that streamlining effort – different than some of the standard
processes that are there now. That is what we are trying to get to. We will
read the words and you can help us say it better but that is really the message
that we are trying to put forth based on the testimony that we had over a
couple of different hearings.

Paul will come with a “regarding” while I am reading this letter
and I appreciate him being part of our committee for today to do that for us.

The National Committee on Vital and Health Statistics, NCVHS, is
responsible for monitoring the implementation of standard transactions, code
sets and identifiers adopted pursuant to the Health Insurance Portability and
Accountability Act of 1996, HIPAA. Section 1174 of the Act permits the
Secretary to make modifications to any established HIPAA administrative and
financial transactions standard after the first year, but not more frequently
than once every 12 months.

The purpose is to allow updating of these important transactions standards.
During the past several years NCVHS has observed and the industry has testified
that the time required to update and receive federal approval of new revisions
of HIPAA transaction standards may take 4.5 or more years. The current process
includes the following steps.

One, development of new versions of healthcare information systems
standards by ANSI accredited standards development organizations. Estimated
time 1.5 to 2.5 years. And ANSI certification that the new version was
developed in accordance with ANSI consensus based process estimated three
quarters to a year. These two activities take place concurrently.

Two, review and approval of updates in open public forum such as NCVHS.
Estimated time one-half to 1.5 years.

Three, initiation of process of promulgation through federal government’s
Notice of Proposed Rulemaking, NPRM process, including publication in the
Federal Register with a 90 day window for written public comment and
publication of a final rule. Estimated time is 2.5 to 7 plus years.

Comments on that before we continue?

MR. HOUSTON: In number three, is there more than one step in that process
because it almost sounds like it is a notice and then a 90 day period for
comments. Where does the other 2.5 to 6.5 and some odd years –

MR. REYNOLDS: Publication of the final rule.

MR. HOUSTON: We should we then split that off into a separate number four
because it really –

MR. REYNOLDS: So you are saying take the 2.5 to 7 and break into what does
it take –

MR. HOUSTON: It sounds like the notice of the proposed rulemaking and the
90 day window for comments really is a fairly short process or a reasonable
process, it is the other piece that sounds like then the resulting stuff that
takes all the time. At least in the earlier version of the letter you talk
about –

MR. REYNOLDS: We talk about that later, yes.

MR. HOUSTON: So, I think it is out of this letter – do you want to
bifurcate that because there is a lot of testimony at least in the earlier
letter, about the fact that it takes 4.5 years to do the last part of it?

MR. REYNOLDS: No – let’s let Karen go first.

DR. TRUDEL: I would just like to respond to that and make one comment also.
It is not necessarily a 90 day window but it has to be 30 days, I believe, but
the Secretary can choose to have the comment period be 60 days or 90 days but
there is a certain comment there.

Actually the development of the proposed rule that is published as a Notice
of Proposed Rulemaking. The development and clearance of that process can also
be fairly long and that takes up part of that 2.5 to 7 years. It really does
almost all need to be together.

MR. HOUSTON: Okay. I got confused in the earlier version of the letter
where you talk about 4.5 years to get it finalized and I thought maybe that was
a big part of this process. I know that it is out of this version of the letter
but I still sort of thought it was part of this piece.

DR. TRUDEL: It is both the development and the clearance of the proposed
rule and the final rule.

MS. GREENBERG: Here in three, it is not 2.5 to 7 years for initiation of
the process. I think you just want to say promulgation through Federal
Government’s Notice of Proposed Rulemaking process – just take out
initiation of process.

MR. REYNOLDS: That is a good change.

MR. COHN: Yes, and actually might even call that the Federal Rulemaking
Process but we can wordsmith that one.

As I was listening to the presentation I was actually trying to remember if
there has actually ever been any modifications to any of the rules that have
gone through. I am struggling – and maybe Karen can help remind me of
– now we have had new rules coming out. Maybe we could talk about the
4010A but that was before the actual implementation date so that was a slightly
different piece. This is almost more hypothetical because I don’t know that we
have actually had a modification of a rule. Karen help me – maybe my
memory is faulty.

DR. TRUDEL: No, you are correct. That is why I said earlier this is the
first time we are doing this and we are actually proposing with 5010 to modify
the original HIPAA standards.

DR. COHN: Which one?

DR. TRUDEL: The modification that adopted 4010A did occur before the HIPAA
compliance date.

DR. COHN: Okay, then let me ask then – when we talk about the 4.5 and
7.5 years – I guess I am getting a little confused here. I think the big
news is that we have not been able to update the standards.

MR. REYNOLDS: I know it is not our standard protocol but let me jump you
forward and read just a couple of things. Go to the bullets. Go to the second
page.

DR. COHN: Which version?

MR. REYNOLDS: The one that you have in front of you at your desk. Go to the
second page and look at the two bullets. NPRM for claims attachment standards
for HIPAA was drafted in 1998 and finally published in late 2005.

DR. COHN: Of course that is a new standard.

MR. REYNOLDS: That is true.

DR. FRANCIS: One way to fix this might be to take this sentence that is the
next to last full sentence of the second paragraph where is say, “the time
required to update and receive federal approval of new versions of HIPAA
transaction standards may 4.5 or more years”. The verb “may
take” is what is confusing there because it suggests – first of all
it is confusing because it makes it sound like 4.5 is the long end of it and it
also makes it sound like we have some pretty good experience.

You might just change that to say, “is estimated to take 4.5 or more
years” or “is estimated to take a minimum of 4.5 years”.

MR. REYNOLDS: We don’t know that.

DR. FRANCIS: That is why “is estimated”. That is what we have
– we have estimates we do not have a track record.

MR. W. SCANLON: I guess I wonder if we have enough observations to make
good estimates or whether we need to talk about this. The history here is it
that it has sort of taken this long but I guess what is concerning me is
Simon’s point, which is that it is not sort of new versions – it is the
original version. That is all we have experience with.

What was resonating with me earlier with this letter was the idea if all we
are doing is making some changes kind of at the margin, why is it taking so
long. It is a very different point to say we are creating something new and it
took time to develop that.

There is still may be a lot of reasons why it shouldn’t have taken us so
long to develop something new but that is a different thing to address than the
update or the modification of an existing standard.

DR. COHN: If I could jump in – I guess I am sort of agreeing with you
and I think the point of this letter is not to talk about new standards but
really to talk about the process of updating the standards. We are sort of in
agreement with your initial view here.

MR. W. SCANLON: Right, but I think in terms of using evidence what we have
to say is we have been concerned by how long it took to create new standards.
We don’t want that experience repeated when we modify standards. We want the
process for modifying standards to be as efficient as possible.

MR. HOUSTON: Aren’t there other standards still to be – it is not like
that we never want to ever have any new standards either. Why don’t you make
the same statement about the fact that the entire process, whether it be new
standards or modification of standards, is proven to be very time consuming and
I think that is an important message to get across. I think you can infer that
from what is in the letter.

MR. REYNOLDS: These are good points.

MS. GREENBERG: I don’t think that the letter is recommending the
streamlining process for new standards. Is it?

MR. REYNOLDS: No it is not.

MS. GREENBERG: That is why you do have to differentiate.

MR. HOUSTON: The “but” to that is and I appreciate that but they
use an example though of a new standard.

MS. GREENBERG: I know. I had a problem with that.

The thing is even if it is an update as long as it has to go through a full
rulemaking process, as Karen said, you would not necessarily have to have a 90
day response but you would have to have at least 30 days. The whole rulemaking
process on top of the development of the update takes a certain amount of time
and I think experience with the rulemaking process, whether it was with updates
or with new ones, is still relevant because it is a process. You develop the
rule, you publish the rule, you get comments on the rule, you respond to the
comments, you publish the final rule.

MR. W. SCANLON: I have made this point before. The issue of the time is
partly a function of will.

MS. GRENBERG: True.

MR. W. SCANLON: — is going to demonstrate again this year that they can
develop and publish a proposed rule and a final rule all within a six to nine
month timeframe. They are going to do it with every one of the payment methods
for Medicare providers.

The question of 2.5 years or 5 years, this is way beyond what you could
think of as reasonable and certainly creditably beyond what you consider as
being necessary. It is a question of getting people to come to resolution and
pushing it through. That is what it is about.

I think that within the letter that is a point to be made. It is an
additional point. Which is it is not just the process in terms of steps you
create. The urgency here needs to be similar to kind of urgency we were
describing with respect to privacy. You have to commit yourself to wanting to
do this quickly or you are not going to get it done quickly.

MR. REYNOLDS: I am struggling with how to proceed to be quite honest with
you. Larry.

DR. GREEN: We will see, won’t we? If what I hear is that we have evidence
that on occasion the rulemaking process proceeds at a pace maybe in as little
as nine months. In other instances it appears to take seven or eight years.
That is your point, Bill, isn’t it?

We have a letter here where we are identifying a couple of locations in the
rulemaking process where we see opportunity to accelerate the development of
the National Health Information Infrastructure. Am I still tracking here?

MR. REYNOLDS: Yes, keep going.

DR. GREEN: One of those is about us. Maybe that is the way to proceed? Our
point is this is complicated, we need to move it along as quickly as we can, we
know that it can go quickly – it may be an issue of whatever. We can
identify two places where we see opportunity to accelerate. One of them is
about us and one is about some place else and we recommend that they be
considered. Is that what the letter says?

MR. REYNOLDS: Yes. Let me ask one clarifying thing. Karen, maybe you can
help me. The NPRM for issues in the pharmacy industry for billing of supplies
and professional pharmacy services – that would be an update to NCPDP or
is that a new rec?

MS. TRUDEL: That would be an update.

MR. REYNOLDS: That is what I thought. One of the things in there is related
to an update and that started in 2001. Remember, the thing we are dealing with
here is the industry is perceiving that things should move faster –
whether they do or don’t actually occur. One, some don’t occur – there is
not enough history of the ones that do occur. There have not been any actual
changes implemented but there is a process no matter what that if you add the
process up as it stands it could go as long as the 7.5 years. That is what we
are really saying.

Now what I think what we did was we all got somewhat mesmerized by the
testimony because it is complicated so we were following a thought process. I
think the questions today are excellent in the fact that it said time out, we
have not had any. Again, a lot of us that are in the space – you are
hearing what you hear and you put it in a context and you miss one of the key
points. I think you guys have done an excellent job pointing out maybe that
filter that we did not have up because we were listening in context. We were
listening to people who we have dealt with a lot in context and that didn’t
necessarily mean that we caught all the right things.

Yes, Bill.

MR. W. SCANLON: At the same I think that listening to them was valuable.
One is you are on the verge of potentially having updates. The 5010 this
morning, it was sort of an example of that and I am not sure that a reference
to that as one of the things that should be a factor in thinking about why this
is so important should not be in the letter.

We are now are on this verge of wanting to make up dates. Looking at
history, we know that we have not sort of been very good in terms of getting
out the original sort of rules. We don’t want to repeat that process and that
is a point that we want to make. Then further, the people not only came to you
with the complain that it took a long time but they came to you with ideas as
to how the process might be made more expeditious. You thought about those and
you say that these are worthy of consideration. All of those things I think
make for the letter – it is just a question of slightly recasting sort of what
the evidence is about. The evidence is about sort of this history that has
improved satisfactory for a slightly different but related sort of activity.

MR. REYNOLDS: Let me play this out. So what we basically said is HIPAA is
in place. There are changes and new regs under consideration. The process
appears cumbersome and we have some possible alternatives and recommendations.
We have that information here just probably spelling it out this way makes it a
little more viable from a standpoint that we are not just talking about hearsay
and we are actually stating that this is an industry that is continuing to move
both current changes – and the 5010 would be an example of a current
change – of a change that is being considered. Does that – with
taking everybody’s comments in place – is that the structure of what we
are talking about?

I think Simon, rather than take the Full Committee’s time, unless anybody
has anything else, it probably would be good for the subcommittee to take this
and restructure it and come back. Again, what I would like to do is I would
like to look at the last two paragraphs because that is really our
recommendation and what we are considering. I would like everybody to more or
less have a say on that. So if everybody agrees with the recommendation and
kind of where we are heading with it, as a Full Committee what they would be
willing to align to, then we could go back just like we did the other one
– we could go back. Paul.

DR. TANG: I was just going to give you your read.

MR. REYNOLDS: What would be the reading?

DR. TANG: Proposal to streamline updates to HIPAA Transaction Standards.

MR. REYNOLDS: Okay. You have another career when you choose to do it. We
could come up with blog boy.

Are you comfortable with that approach? Did you want Paul to restate the
“re” for you?

MS. BENNING: Yes.

DR. TANG: Proposal to streamline updates to HIPAA Transaction Standards.

MR. REYNOLDS: I want to go to the last two paragraphs. I want to state what
we heard and see if everybody is comfortable with how we positioned that and
then we will go to the last one which was really our recommendation.

On January 25, 2007 in response to subcommittee feedback, the three SDO’s
presented an updated proposal to streamline the HIPAA Transaction Standards
Updating Process. This proposal is enclosed with the letter. The updated
proposal retains many existing processes but offers a more efficient approach
to updating existing transaction standards. These standards encourage earlier
participation of all interested parties, including payers, providers, and
vendors, in the development of the modification of the standards by announcing
SDO meetings in the Federal Register, shortening the time for NCVHS review and
approval, and significantly shortening the time for the federal regulatory
process.

Step three. If accepted this streamline process could potentially cut three
years or more from the current standards adoption process. Opportunities for
input and participation are not eliminated but the proposal encourages
expansion of open public participation in the standards development process in
a manner that would enable modification of the NPRM process and thereby
minimize redundancy.

The proposal also helps to make the process more predictable. At the
January meeting, this subcommittee heard reactions from healthcare providers,
payers, vendors and clearinghouses representing entities covered by HIPAA and
those supporting these entities. None was opposed to the proposal, however
testimony from industry representatives expressed a desire that written
comments to HHS still be permitted within the new proposed framework. This
would ensure a predictable and timely process while at the same time preserving
opportunities for public/industry input.

Then I would like to go to a new paragraph because back to our idea of
clearly calling out the recommendation.

The NCVHS endorses the spirit and intent to streamline the HIPAA
administrative and financial transaction updating process and recommends that
the department investigate how the proposal could be integrated into the HIPAA
transactions updating process.

The NCVHS recommends that the department investigate all appropriate
options under the Administrative Procedure Act to shorten the time for this
regulatory process.

Comments? John.

MR. HOUSTON: To the final paragraph. You have a sentence that actually I
think on this version is the end of the second page where you say, “none
was opposed to this proposal however testimony from industry representatives
expressed the desire that written comments to HHS still be permitted with the
new proposal framework.”

Does that mean the framework for a new process to approve standards still
require –

MR. REYNOLDS: Still allow.

MR. HOUSTON: Okay. I wasn’t sure whether this referred to the process to
create a new process where they wanted input to the new process or related to
the resulting process. — the industry, though support of the idea of creating
an abbreviated process, wanted input onto how the process should be created or
were they saying that they wanted to have input into the resulting process that
was established.

MR. REYNOLDS: Once there is a change on the table they wanted to make sure
that even though you had public viewing with SCO’s and public viewing for
NCVHS, they still wanted a period of time that would allow you to make comments
to HHS.

MR. HOUSTON: So it is the later. Do you understand where I am at? Do we
want to clarify that to say – maybe it doesn’t need to be clarified?

MR. REYNOLDS: No, no, don’t back off it. Please.

MR. HOUSTON: All we really need to do is – it really it is not a
proposal framework but the new process for – what you are really saying is
that testimony from industry experts expressed the desire that written comments
to HHS still be permitted within the new process to establish or to modify
standards.

MR. REYNOLDS: I agree.

MR. HOUSTON: The proposal framework – I wasn’t sure what that referred
to.

DR. FRANCIS: I noticed that there is a shift from all interested parties
included payors, providers and vendors in the first of the two paragraphs over
to public industry input in the second paragraph. I just wanted to ask you
whether there is any role for other interested parties like patients or members
of the public in the rulemaking process. The suggestion at least in the first
of the two paragraphs, is that when you list the interested parties as
including payors, providers, and vendors.

MR. REYNOLDS: As the implementers of the standards.

DR. FRANCIS: Right. But I wondered whether there were any other parties who
would have interest in the implementation of the standards?

MR. REYNOLDS: There may be and one of the reasons that we felt it was
important to have everything published through the Federal Register – puts
it in the public domain – the fact that we would keep NCVHS involved and
the fact that there could be written comments to HHS after the process, I think
allows the same amount of input and the same points of input, as the previous
process did and actually adds some through the SDO process. The public is not
going to walk into a SDO meeting I doubt.

DR. FRANCIS: I am happy with that I was just a little concerned with the
suggestion that all interested parties might be limited to payors, providers
and vendors in that parentheses.

MR. REYNOLDS. Okay. Simon.

DR. COHN: Actually this is just a question that I actually need help both
from you and Judy and probably Justine. I guess I was looking at the very end
of the first paragraph that you read where it said, “none was opposed to
the proposal”. Then we go on to talk about the issue of a lot of people
wanted a written comment at the very end. I guess I am trying to remember in my
own mind whether or not none were opposed to the proposal per se, or really
that none were opposed to the intent to streamline the updating process. A lot
of people had little issues with various pieces relating to the actual proposal
including the later.

DR. CARR: I had the same question. I was just trying to go through and say
what was the idea, what was the proposal and what is the “this”. You
keep saying “this” but I am not sure when we are talking about the
idea of it and when we are talking about the specific proposal.

MR. REYNOLDS: I think your comments are exactly correct.

DR. COHN: Okay.

DR. WARREN: Simon, my memory is that even they were confusing all the
issues because the people who spoke out saying that they wanted the written
proposal also said that they supported the streamlining process in the
proposal. So there was 100 percent agreement that what was being proposed had
everybody’s endorsement but they also wanted a chance to still submit written
testimony but not for the 90-day or the huge long NPRM thing. I think it was
confusing at the end about where this written testimony was suppose to go.

It is kind of like we fully support the proposal but we also want the
ability to do this.

MR. REYNOLDS: There is a box to put it in. From the beginning of it to the
time that it is complete as a process – the proposal everybody agreed.
Others wanted to make sure that something that is in the current process, which
is the written comments to HHS, remains tagged on the end.

If you are looking at the process up to when it comes to HHS, everybody was
in agreement with that. Some people wanted to take off that discussion –
anymore public comment – because they felt there was plenty. Others said
leave it like it is. The proposal did not really go that far but as we
discussed it with people some said, no, we just like the proposal and that is
the total thing. The proposal is the total process. Others said, no, leave what
you already got at the end which is there can be written comments by other
people to HHS.

Where that line actually drew on what that proposal was or wasn’t is still
a little vague.

DR. WARREN: Harry said it much cleaner than what I did. If you look at the
proposal it does not allow for the public comment. There was a lot of
discussion and I think Karen was part of that. The way that we currently hear
things there is always a chance to write a letter to the Secretary that you are
upset and they still wanted that ability to do that. They like what was inside
the proposal. I guess the advice that we got is you really can’t stop people
from writing in comments.

DR. COHN: No, the advice you got – I was there – the advice you
got was people wanted a public comment period – I thought was the advice.
Not that people could willy nilly write in.

DR. WARREN: I agree.

MR. W. SCANLON: This relates to this discussion but it is goes more
fundamental than that. The idea of a public comment period implies that you
have to respond to those comments before you can act. That is very different
than sort of somebody just submitting information to the Secretary and the
Secretary can choose to ignore it and everything goes forward.

My bigger issue is about characterization of this proposal. In the sense of
whether it really will shorten sort of the process and whether it will make the
process more predictable. This is maybe my cynical side which is you can have
these things in place but given human nature they won’t necessarily be followed
through. The exception would be – this is not knowing their proposal
– but the exception would be if the proposal says, we are going to do A,
and if A is not done by X date, then B happens automatically, regardless,
doesn’t matter. The same thing would be if B isn’t finished by such and such a
date we are going to move on to C.

Anytime that B and C are contingent on completing A and B, that completion
is uncertain. That is the thing that we are dealing with now is that we have
got a process that involves a set of steps with no sort of force that makes
those steps be done in a particular timeframe. I think we need to potentially
reword this about the proposal’s aiming in this direction, aiming at
predictability, aiming at shortening the process, but it can’t guarantee it.

MR. REYNOLDS: Right, but I think what we heard was that the non-government
entities were willing to step up and take that responsibility. The SDO’s are
not government organizations and so what they are basically saying is we will
open doors further to the public. Let us announce that it is going to happen in
the Federal Register that we are going to start working on this. We are going
to work on it, we are going to move it, we are going to make it happen, we are
going to bring it to NCVHS.

So they were basically saying, give this to the industry. It is a little
bit like we have seen the kind of thing when we looked at the e-prescribing
efforts and some of the things that have been done with NCPDP and some of the
other things there that we have seen be very successful because that SDO really
drove it and then we used that as part of our testimony in everything we did
for NCVHS part of e-prescribing. You are allowed to adopt a current existing
standard and they worked out that they all agreed that that was a good thing to
move forward. If you remember, we used that quite dramatically in the whole
e-prescribing process as we moved along to the standard.

That is what we are saying. It is basically not that it is all going to be
driven through the government process – it is that the industry is going
to pick up that streamlining. Now, if the industry doesn’t streamline it –
shame on the industry because they asked for it.

Please, anybody on the committee that was there just as much as me, tell me
if that is not what you think you heard.

MR. W. SCANLON: I would have no problem believing them that they would do
that. I guess the issue is though on page one we have steps one, two and three.
The third being sort of the role making process. Then on page two, we are
talking about that we are going to significantly shorten the time for the
Federal Regulatory process – which I will read that as the rulemaking
process.

What I am asking is what are they going to do that actually builds in the
guarantee that you can shorten that rulemaking process? The steps leading to
that can be expedited because of a commitment by both NCVHS and sort of the
industry but where do we get the change in the rulemaking process that actually
makes it move forward faster.

MS. GREENBERG: There is really an abbreviated rulemaking process, right?
There is not a notice of proposed rulemaking, a comment period, and a final
rule. What is there a final rule with comment?

MR. REYNOLDS: Remember if you look at the recommendations we do not
specifically recommend anything other than the Secretary looking at it under
the – and we picked the words carefully – under the Administrative
Procedure Act.

In other words, we are looking at ways of how can this be streamlined? How
can the department help streamline this too? You are not asking for new
regulation – you are talking about how to fix the process. If you notice
most of the other things that we have come out in every letter that we have put
out – we recommend do this, we think you should do that. If you read the
NPI letter we recommend very specific things. This is that it be taken up by
the Department because obviously the other thing we run into is we are part of
that process. We are recommending hey, make it faster, and oh, by the way, we
should be part of the answer. So we also have a little bit of a position there.
We are playing off of what was on the HIT Bill’s before. We are playing off of
what the industry asked for and we are recommending to the Secretary that he
take a look at whether or not this allows under what his jurisdiction is under
that Act. Otherwise this has to go through some kind of significantly different
process to get the whole regulatory process.

MR. W. SCANLON: I am supportive of the recommendation. Particularly because
it is framed that way – which is the Secretary should look at this
proposal, look at how effective it might be in terms of achieving the
objective, and simultaneously considering what the constraints are that they
need to operate under the Administrative Procedure’s Act.

It is the prior to that. In some respects what we are saying the proposal
is promising, which I think is potentially overreaching in terms of making
these things a promise. I think it would also be helpful for the public that
picks up this letter – since it will be a public letter – to know
sort of what is being proposed in terms of a substitution. There are a variety
of mechanisms by which you can move a rule through. I don’t know all the terms
but as a substitute for Notice for Proposed Rulemaking, the comment period, and
then the final rule – there are some options in it.

What they are proposing is one of those options it would be good to be put
that language in here so that people who are familiar with rulemaking will know
exactly what is on the table. Right now, I am talking about this not knowing
what is in the proposal. It would be helpful for our readers to know sort of
what is in the proposal which could be accomplished by just naming the process
that they are proposing to be used as a substitute for what we do now with
Notice of Proposed Rulemaking.

DR. TANG: So I think that is helpful. I cannot figure out where the time
got struck out. Initially it looked like – if I just use the words here
– they were proposing to move more involved public comment during the
updated process. It was not clear from the letter that there was actually an
elimination of the NPRM process and instead just a secretarial update.

MR. REYNOLDS: Again, there is not an elimination of it –

DR. TANG: I could not figure out where you get the time because there is
some theoretical hope that if you invited a broader input in the Standards of
Element Process that you would shorten the public comment period during the
NPRM process but I don’t know that that is something that actually comes to
pass.

MR. REYNOLDS: As it says in the letter, we attached the proposal so the
Secretary would be clear –

DR. TANG: I know but we don’t have it.

MR. REYNOLDS: I know. I understand that. I am not disagreeing with that. So
that they could see specifically where these recommendations were, specifically
what is recommended, and specifically whether they can or can’t work within the
Administrative Procedures Act to make a difference. We did not define how they
would do that because we can’t.

DR. TANG: So that makes a little less clear my “re” statement
because I don’t find the proposal of how to shorten it clearly laid out in this
letter. I am having the same struggle that Bill did.

The other piece is and maybe I just missed this, when you invite other
non-member entities, including individuals, to the Standard Development Process
they are not allowed to either vote or submit comments that must be reconciled.
Am I correct in that?

MR. REYNOLDS: They are not allowed to vote but in the proposal they have
opened it so that those people can be more involved and they were considering
how they would handle it.

DR. TANG: So for example, in the SDO process every negative comment must be
reconciled. Would that apply to anybody who gets invited in addition to the SDO
members to this process? So they would also have a negative vote that must be
reconciled?

MR. REYNOLDS: I need to look at the proposal much clearer.

MS. GREENBERG: Does somebody have it?

DR. WARREN: I pulled up the minutes and I have the streamline process. It
does not talk about the negative votes although they did use the example that
HL7 had one open voting process when they were looking at the EHR standard
where all negatives were addressed whether or not people were members of HL7.
They were going to look at that.

What they talk about in their testimony is; “The proposal retains many
of the existing processes. It also offers more efficient approach to several of
the key areas where current problems exist. Opportunities for input and
participation are not eliminated but rather efficiency is achieved by
consolidating public participation and input at the appropriate time.
Additionally we propose adding steps that are critical to the process such as
the development of a benefit analysis report requested by OESS, Office of E
Health Standards and Services.”

When you look at this what they are proposing to do is to get the public
participation in much earlier. So during the SDO process instead of waiting
until all at the end for an NPRM to go out and gather public participation,
they want the Federal Register, the Health and Human Services ListServs and the
SDO processes to alert the industry and public about the fact that these are
changing and to encourage them to participate.

The most effective use of industry volunteer input is during the
development of the implementation specifications and not to wait until the end
when they have been developed and then hear all of that and go back over again.

DR. VIGILANTE: Would this be more easily represented with a visual timeline
graphic that shows at what step each thing is happening currently? I am having
a hard time understanding where the time is.

DR. TANG: Aside from the timeline is just the logistics of how people give
input into the process. In a SDO process it is multiple in-person meetings that
most people cannot either aren’t interested in or can’t afford to attend.
Inviting more people does not necessarily bring them in.

MR. REYNOLDS: Yes, we agree with that and we discussed that at length.

DR. TANG: If they do success in bringing more people in you could actually
get a longer process in getting the SDO timeline. Unless you do basically
eliminate the NPRM process – it doesn’t really I don’t think – there
is a chance that it doesn’t change anything about that process because all the
people who wanted in that method and with that lack of travel way of getting
there and being heard, I don’t know if it cuts down much on that.

MS. GREENBERG: There actual proposal I thought did eliminate the NPRM. It
does. I think we have to be explicit about that.

DR. TANG: So the question is is that the same input?

MS. GREENBERG: Excuse me, what?

MR. REYNOLDS: Paul, one of the reasons that the last thing in the next to
the last paragraph was put there is that we did hear that some people said if
you are going to eliminate it you still got to give us the right to make
comments to HHS.

In other words, if we don’t like how it goes in the SDO or if we don’t feel
we get our hearing in NCVHS we still are allowed to say something.

DR. VIGILANTE: Doesn’t that have a different status regulatory status than
having NPRM? You can make comments but there isn’t the same obligation to
respond to them.

MR. REYNOLDS: This whole proposal also puts a little more pressure on NCVHS
to truly be the public input. To truly make sure that we have a breadth of

DR. VIGILANTE: One last question. So these three things that we had in the
beginning of the letter – different time sequences – are those serial
and sequential or are there overlaps?

MR. REYNOLDS: As we mentioned, number one was – no, one is overlapped
and two is sequential and three is sequential.

DR. VIGILANTE: So three can’t happen until two is completed?

MR. REYNOLDS: Yes. You would not want it to.

DR. COHN: Bill and then I want to sort of figure out where we are.

MR. W. SCANLON: I would like to raise a point and then offer a suggestion.
At some point some government official has to sign off to make this thing
happen. What I am losing in this discussion is sort of exactly sort of when
that government official is going to do that in response to what. Right now it
is in response to a Notice to Proposed Rulemaking, a set of comments that comes
in, and then an agency that sort of addresses all of those comments and
decisions are made and that involves not only the department but it also
involves OMB.

We are talking about an expedited process that seems to try to eliminate
some of that but it is not clear what is going to be the input to the
government official that they are willing to put their signature on this to
make it the rule. As I get more confused I get more concerned about what we
have here.

My suggestion was is there a way that we could all have this proposal
– if it is brief enough because we are talking too much in the abstract. I
should say that some of us are talking too much from ignorance and that is not
helpful in terms of this discussion. If we could see the proposal then we would
be able to give a more informed response.

MR. REYNOLDS: Could I make a comment?

DR. COHN: Then you will be making my comment.

MR. REYNOLDS: I will save you as the Chair. We obviously have struggled
over this proposal. We had numerous conference calls. We heard it as testimony
a number of times. We struggled with it like each of you are. It is just
bringing back some of the things that we remembered that we went through.

Obviously since this was in the HIT Bill before it is going to come through
a different process and then when that did not happen then we became a process
to bring it through. I don’t have my co-chair here and obviously Simon is on
the committee too, and so are the others, I will give you a personal opinion on
this one.

We heard a lot of testimony, we heard a lot of discussion, and all of us
even had mixed emotions on how we would actually pull this off and we felt a
real responsibility to support the industry to bring something forward. On the
other hand, even though we heard the testimony, even though we have the
proposal and so on, I am not sure that it is a subject that doesn’t need a
letter. It is a subject that maybe we should withdraw as this discussion in the
Full Committee has brought forward. I am asking that as a question?

MR. HOUSTON: Don’t get us wrong. I think there is a great need to make a
statement about the fact that this process is too long and it needs to be
streamlined. I don’t think there is disagreement that –

MR. REYNOLDS: No, no, no. We have been through all this I wasn’t taking
anything that was submitted as a detriment to what we were thinking or saying.
I am saying that it continues to raise the same concerns that we have been
dealing with and the same issues that we have been dealing and basically the
reason in the end, if you go to the last sentence, the reason we ran up under
the Administrative Act – we sure did not have it – a clear direction
on how to pull this off.

Remember, we are basically handing this up to the Secretary anyhow. I guess
that is what I am at least challenging because if you give us the assignment to
fix it or you give us the assignment – and we will be happy to give you
all the information – but I guess what I want to put on the table as
co-chair of the committee, is in the end do we really have a strong stance and
do we really want to take a position and if we are going to use markers is this
one of the markers we want to use? That is a question because remember you are
going to hand this letter back to us so I want to have a real sense from this
Committee because if we bring it back again I want to know what we are bringing
it back to. That is what is key to me.

DR. COHN: I will let Marjorie briefly comment, Bill, and then I want to
wrap this piece up only because we actually have another letter – believe
it or not.

MS. GREENBERG: Putting that aside, I think it would be premature to make a
decision on that right now because I do think it is appropriate even though
once everyone sees it may continue to be ambiguous as to what actually would
happen because it is obviously somewhat ambiguous to those us who have reviewed
it in the past. But it is sort of like with our reports we have developed a
policy that if a report is going to be approved people have to be able to see
the appendices also, and the attachments because sometimes those have things in
them that have consequence.

I’d say too, even though we are not really endorsing the specific proposal
– you are not endorsing the specific proposal like “do this”,
the idea is to send it to be considered and we think it is worthy of being
considered. So I think for everybody around the table to sign off on the letter
they have got to see the proposal.

MR. REYNOLDS: I thought everybody had it. I did not realize that everybody
did not have it.

DR. COHN: I was trying to think whether it was sent for our last meeting.
That I actually don’t remember.

MR. REYNOLDS: It was not purposely excluded.

MS. GREENBERG: I realize that.

MR. REYNOLDS: I know but for the record. Nobody is trying to keep the
information back.

MR. W. SCANLON: I would just say I don’t think you should abandon this
effort unless – which I don’t think is consistent with what you have said
– that you think that it is not important enough. I think it is important
enough and I thought we were close. My sense would be that we probably should
have a discussion about the merits of the proposal itself that we may be more
qualified about what the Secretary should consider. That there are elements of
it that are maybe more clearly positive and others that they may need to take
under advisement.

The proposal has merit in the fact that it was in the IT bills that did get
a certain distance sort of within the Congress in the last Congress but there
is a big difference between our making a recommendation and the Congress
enacting a law. I used to argue that sometime you did not know what was right
until the Congress said this is what we are going to do and that became right.

We need to have other grounds for sort of knowing what is right. I think if
we look at the proposal, we think about the elements, that the last paragraph
might change sort of change modestly in the sense of we talked to you about the
fact that this proposal exists, that it has positive things to think about in
the context of the authority that you currently have and the goal that you have
in mind, which is to expedite this process. I think that is a very positive
thing for this Committee to do. It would be unfortunate if our discussion leads
to abandoning this.

MR. REYNOLDS: Again, please nobody on the Committee take that anything you
said was – that is exactly what we wanted to hear but I wanted to put that
on the table to make sure that we understood that if the Full Committee wants
to go forward we are pleased to do so. But I just wanted to make sure that the
discussion wasn’t leading anywhere else. I think that is good conversation.

DR. COHEN: I find myself agreeing with most of the people around the table
have said which is a, I don’t think this letter is ready for today or tomorrow
morning at 8:30 a.m. I think we need to take it back to the Subcommittee. I
think as we commented, we are all a little vague on exactly the fine points of
the proposal and we actually may need a way to as we review it, we may need a
short presentation on exactly what the proposal is when we bring it forward.

I think as a Committee we are very interested in anything that makes more
predictable, more streamlined, less cumbersome, the updating process. Knowing
that we actually have not been able to pull it off once yet except before the
actual role came forward. Having said that, I think we would like to get this
out as quickly as possible but in a sense the test of all of this will really
be as we begin to move forward with recommending sort of the next set of
transactions and what sort of process should be taken and all of that.

It would be nice to have this letter out three months or six months before
that so the CMS and the lawyers could review it but I think it becomes very
real when you start talking about recommending another – some updates to
the current standard. We probably just need to take it in that spirit. Whether
or not this letter comes out as a separate letter from the updates or somehow
merges together – I guess we will have to see.

MR. REYNOLDS: Can I make a couple of comments? First, part of the
e-prescribing we were able to recommend and if you remember, send forward the
next version of those standards that got put in as part of the process, if you
remember that. In one of our letters – we had the hearings and we moved it
forward.

So as NCVHS, we have in fact moved that one change forward with the
blessing of everyone, including CMS – so we actually have done that. We do
have one history of streamlining the process as it was in place. We get that
and I think that went very well.

Second, I would like to apologize to the Committee for the following
reason. Three of our experts were not here today and had I sensed that all
three would not be here, which was Steve, Mike and Jeff, I think we could have
done a much better job in presenting this to you in answering some of your
questions. I would offer that to the Committee as a personal apology.

DR. COHN: I don’t think apologies are necessary I think it has been a very
useful conversation for the Full Committee. I have been wanting to get Bill
Scanlon more enmeshed into this particular issue because he is an exception
expert on the overall process and I think for him to see this and understand
it, will actually cause him to read the appendix when he gets it.

MR. REYNOLDS: The apology was not submissive it was courteous.

DR. COHN: We appreciate your courtesy. Okay, so out of this conversation
Judy, do you have a final comment?

DR. WARREN: I was just going through the minutes that are posted online, no
where in our meeting do we have a copy of the proposal. It is the comments and
the presentation of the proposal that are posted on here so I am wondering if
we even have an electronic anywhere of the full proposal?

MS. BENNING: A copy of the full proposal was sent with the previous e mail
with the previous iteration of this letter. I don’t think it was sent
specifically for this meeting so that it perhaps where we fell short.

DR. WARREN: It wasn’t posted in our January minutes? We don’t post things
like that?

MS. GREENBERG: We post testimony.

DR. WARREN: It is not in the testimony.

MR. REYNOLDS: We will remedy it. Whatever occurred it will be remedied.

Thank you, Simon.

DR. COHN: Harry, thank you very much and we appreciate the work. Let’s do a
time check since we are pretty more significantly late. I do think it is
important for us to go through the letter. I guess I will ask for the
forbearance of the workgroup and the subcommittees that we will likely not be
adjourning at 3:15 p.m. I think we need to go through the letter and then we
will break up into our subcommittees and workgroups.

Agenda item: Subcommittee on Populations –
Action June 21 – Data Linkages

Dr. STEINWACHS: The letter is under tab 7. You should have it. We lack a
“re:” line so I am waiting for Paul to help me with this. I came up
with one quickly which he can improve upon. Which was expanding access and use
in linked health data. I think we have already painted somewhat the background
of this is that we had hearings that led us to appreciate some of the problems
in trying to use existing linked health data. The letter tries to bring those
examples forward to clarify what some types of linked health data that are
important for better understanding of the health of populations. These problems
arise both due to the process of getting approval for access, as well as
gaining physical access to the data sets and being able to get tabulations out
of it.

Let me start off unless there are questions at this point?

The National Committee on Vital and Health Statistics, NCVHS, is charged
with advising the Department on health data statistics and national health
information policy. The public investment for health information for statistics
and program management is substantial by both federal agencies and state
governments. To more fully realize the potential of existing survey of
administrative data sources for population health statistics and to inform
policy, link to data sets at the person level can be extremely beneficial.

However the linkage at the person level of two or more data sets can
increase risk to privacy and may face barriers due to varying regulatory
requirements for confidentiality protection by agency and data set.

Any comments or questions?

In September 2006, NCVHS held a workshop on data linkages to improve health
outcomes. The goal of this workshop was to stimulate interest and identify best
practices in using linkages among administrative and survey data to improve our
knowledge of health outcomes from our population over various subpopulations.

In addition, the workshop was intended to assist agencies within the US
Department of Health and Human Services, HHS, to better meet their
responsibilities for performance measurement under various laws such as the
Government Performance Results Act of 1993, by providing more comprehensive
information on the status of persons participating in government programs.

This letter describes our key findings and recommendations. A summary of
the workshop is posted on the NCHS website, ncvhs.roseliassociates.com.

I want you to know that by being a very good chair who knows how to
delegate – when this letter was at its most critical stages I left town
and Bill took it over and did a great job. I have only been able to find one
error in the letter and it took you, Simon, to find it for me.

Any comments on that paragraph? Questions?

HHS health agencies, other federal agencies outside of HHS that collect
information valuable in the interpretation of health statistics and by
researchers outside the government using linked data sets, presented a range of
examples that have proven useful to federal programs and policy making. An
important example is the recurrent finding that survey estimates of Medicaid
enrollment are well below administrative estimates. The Census Bureau’s
Medicaid undercount project is linking survey estimates of Medicaid enrollment
on the current population survey and the National Interview Survey with
administrative enrollment estimates, including data from some state records
systems, in order to evaluate the extent to which Medicaid enrollment is
undercounted on surveys and what improvements are possible.

The Office of the Assistant Secretary for Planning Evaluation, ASPE, The
National Center for Health Statistics, NCHS, The Robert Wood Johnson
Foundation, several states, and the State Health Access Data Center at the
University of Minnesota School of Public Health are collaborating on this
project.

Leslie?

DR. FRANCIS: There is a “by” in the wrong place in that third
paragraph.

MS. GREENBERG: Right before research.

DR. STEINWACH: Take it out? Make sure I got you.

Linking data sets, for example, health survey and Medicaid claims data
increases the detail person level information available and makes it more
likely that some survey respondents could be identified and privacy
compromised. This is a serious concern. As a result public use versions of
linked data sets may be limited or precluded and additional protection of
confidentiality are required to safeguard privacy.

The approach being used by both NCHS and the Census Bureau to provide
access while ensuring confidentiality is the operation of a data center where
external users may request tabulations of agency maintained data sets. NCHS
operates one data center in Hyattsville, Maryland, and recently negotiated an
agreement with the Census Bureau to make NCHS data available through Census’
nine data centers throughout the nation.

NCHS also has an automated remote access system whereby users can submit
their tabulation requests through an e mail based system and receive output has
been found not to present a confidentiality risk. NCHS is currently developing
an expanded remote access system with greater functionality in improved
protections. The increased number of data centers and improved remote access
will begin to address concerns expressed by users concerning financial and
geographic barriers to accessing data resulting from the requirement to be
present at the data center.

Questions or comments?

The NCVHS wishes to commend the NCHS for expanding access to its data. The
agreement with the Census and the development of remote access systems are both
recognized as positive steps to increase geographic access. The Committee
learned, however, that the approval process to use either the data center or
remote access can be very time consuming, sometimes requiring up to a year or
more. Such delays can seriously impede or prevent timely policy analyses using
linked data. Even federal employees needing to use these data for policy
analysis are affected by these delays. Participants in the workshop recommended
the project approval process be streamlined to minimize delays both for
analysts in government agencies and for outside users. IN addition, there was
significant support for developing other methods for sharing data besides using
a data center, either on site or remotely.

Therefore, NCVHS recommends that NCHS should streamline the project
approval process and add staff as needed to minimize access delays for data
center users.

NCVHS also recommends other agencies within the Department review their
data access policies and procedures to assure these data can be utilized
effectively. Agencies should take full advantage of new technologies allowing
secure remote use of data while protecting against the release of statistical
tabulations that allow any individuals to be identifiable.

Let me stop and get comments. You can see that Marjorie provided a comment
to the side.

MR. J. SCANLON: Not just NCHS, but AHRQ and CMS have research data centers,
and SAMHSA is moving in that direction. Maybe this recommendation should say
that other agencies within the Department that sponsor research data centers
should review their policies. I think the findings apply to not just NCHS
– and I would name them so they know who they are. AHRQ a would be the
other, CMS and SAMHSA.

DR. STEINWACHS: Okay, so other agencies within the Department that sponsor
data centers –

MR. J. SCANLON: Research data centers.

DR. STEINWACHS: — research data centers?

DR. COHN: I guess I don’t disagree with this recommendation, because it is
a nice recommendation, but in the first sentence – really I think sort of
lows I think with the previous paragraph. There is actually like two
recommendations here, one which has to do with data access policies and
procedures, and then the next one has to do with new technologies, which is
sort of a separate recommendation. I guess I was trying to see where the
antecedent – what is that recommendation? Where is the information that
relates to that recommendation? I am not disagreeing with it.

DR. STEINWACHS: I understand. The letter has gone through some changes, but
where now we talk about NCHS, in the second paragraph on the page, having
implemented systems by which you could remotely access data, is part of that.
But there was also some discussion, which we aren’t citing here, about
technology for transmitting and receiving data. So there were discussions that
related two levels of security. One is the security of the transmission, but we
did not pursue that. The other was this idea of trying to make more accessible
by using remote technologies. And may, just as you have said ro suggested
possibly it is somewhat separate and it would be just as well not to include
that at this point, because there isn’t that much background to help develop
that second part of that second recommendation.

MR. W. SCANLON: It is maybe not a sufficient reference, but in that second
paragraph, and I think this is kind of the antecedent for the new technologies,
is that NCHS is currently developing an expanded remote access system with
greater functionality and I think it was that – what we were keying off of
that that. Within the Department there are efforts to try and take advantage of
basically some better software and some of the better software that we heard
about are in non-health agencies. That may be just too cryptic a lead for the
recommendations.

DR. COHN: I almost see this as I would say it is quite editorial, but we
agree with the recommendation. It is more a question of putting n a couple of
sentences somewhere with these things you were just talking about so that it
flows and you can sort of figure it out. It really is a separate
recommendation.

DR. FRANCES: After the paragraph that is the first paragraph on the second
page, all of the discussion is about the data security issues posed by linked
data sets.

DR. STEINWACHS: Yes.

DR. FRANCES: I wonder whether you heard any testimony or raised any
questions about other ways that linked data sets could raise risks to
confidentiality? I have in mind things like with the power of linked data sets
you may be able to do work with smaller ns, where there might be questions
about confidentiality, or certain kinds of implications for groups. Those are
just two of the worries that, when you don’t have the linked data you don’t
have those worries, because you don’t have the linked data. That paragraph
leads you to think that there are going to be worries other than security of
the data sets.

DR. STEINWACHS: Maybe it doesn’t come through as clearly. As soon as you
link the data, the identifiability increases tremendously. So the reason those
data are retained within data centers, instead of public use tapes, which is
really mentioned earlier on, is because you no longer can trust them to public
use without someone being able to identify someone when you link the health
interview survey together, say, with Medicare claims data.

So the focus on the data centers is already a recognition that this is not
something that can be generally used, and may be that, if I am understanding
you correctly, maybe that point needs to come through more clearly.

Bill, were you going to say something? Harry?

MR. REYNOLDS: Your first sentence under the second recommendation – is
it just that it is used more effectively? Or do you want to expand the use of
it? Or both? The second part of it seems to say you want more people to have
access to it, which would expand the use.

DR. STEINWACHS: We want expanded use and I guess more effectively that
carries with it timely as well as expanded use means that there are purposes
for which these data are not used now. I think it would be good to have the
expanded in there.

MS. GREENBERG: Getting back to once we get down to these recommendations,
somewhere, after mentioning what NCHS is doing, then you also need to mention
that there are other components of HHS that also have these data centers.

DR. STEINWACHS: So Simon was suggesting, I think, a couple of introductory
sentences to set the stage – well, no, I guess – I see what you are
saying. That is a different thing.

MS. GREENBERG: That because the length of the approval process I am assuming
applies to all of the data centers, not just to the NCHS data center.

DR. STEINWAHCS: I am looking at Bill for my inspiration here. It was a
general complaint. It came across the board but I was trying to think did
people actually identify the others? They identified problems between
government agencies, I remember, that included outside of HHS.

MR. W. SCANLON: Delays in using the data centers applied only to NCHS, I
think, but remember this is ten months ago that we had this hearing. But there
was another issue, which we are going to come to, which is the whole issue of
within government even trying to link a data set and then use it by government
staff. There are very significant delays in doing that, getting access to link
a Census data set with an NCHS data set. So that was a different kind of delay
that was equally problematic. That one was discussed more broadly.

I think that data center access was more about the NCHS centers.

MS. GREENBERG: Did you hear from the other data centers – SAMHSA, CMS
and AHRQ?

MR. W. SCANLON: No we had representatives from CMS –

DR. STEINWACHS: And from Social Security and from Census.

MR. W. SCANLON: But not from SAMHSA and not from AHRQ.

DR. STEINWAHCS: So we heard about data centers that were outside of HHS
– but nor from AHRQ.

MR. J. SCANLON: They are all a little different. I think it is probably all
right. It was clearly the issue at NCHS. This sort of gets at that in terms of
the process itself and ease of use and more prompt analysis. But I think there
was reference to other data centers and I think in the second recommendation if
you – the way you were heading, which was basically you are acknowledging
that these other agencies – AHRQ and CMS and others – have data
centers or are moving in this direction and as they do you are asking them to
review their data access policies.

Technology is a different issue. This is not a security problem so much as
– I mean it is, but the bigger issue is confidentiality. And there are
ways to do this in a secure fashion, but that doesn’t necessarily assure
confidentiality. So I think you are heading in the right direction, and Bill,
your third point is about how long it takes just to link these, even when
everyone agrees they should be linked and protected. That looks like your next
paragraph.

DR. STEINWACHS: Yes, that’s the next paragraph.

Let me go on. Government analysts and outside researchers have frequently
identified potentially valuable applications from additional linking of data
sets. Workshop participants cited significant extensive barriers that must be
addressed before some of these linked data sets could be created and made
available to the policy and research communities. A multiplicity of laws,
including the Privacy Act, the Government Information Security Reform Act, the
Federal Information Security Management Act, the Confidential Information
Protection and Statistical Efficiency Act and the Freedom of Information Act
protect federal data. For example, Census data can only be used for the limited
purposes allowed by Title 13, mainly for purposes consistent with the Census
Bureau’s mission. Different data sets may require unique and different
requirements for access, making it much more difficult to create and share a
linked data set. Workshop participants recognized that changes in law may be
necessary to foster broader usage of linked data sets. The consideration of
such changes was beyond the scope of the workshop.

So it is really raising an issue, but not saying that we addressed it.

Even when there are no legal barriers to data linkages, workshop
participants estimated that it takes about 18 months, on average, to obtain
permission to transfer data from one federal agency to another, even within
DHHS. The standardization of interagency agreements was seen as having the
potential to substantially reduce the time currently required to link data
across agencies. The NCVHS recommends the following:

Standardized data linkage and sharing agreements should be developed to
facilitate efficient sharing of data among HHS agencies and, to the extent
possible, with other government agencies.

In summary – let me stop there. Any comments on that?

In summary, better integration and use of health data offers the promise of
improved health for millions of Americans. Information is a powerful tool in
the battle against disease, epidemics and inadequate preventive care. It is
also critical in achieving more efficient and productive health care systems.
Having made the initial investment in gathering data, either through the time
and effort involved in completing administrative records or the costs
associated with surveys, greater returns on these investments can be realized
by investing comparatively modest sums to make full use of those data. In
particular, connecting many health data sets to other useful information offers
considerable potential to understand and improve health conditions. These
recommendations are offered by the Committee to better realize the full
potential of health information for improving the public’s health. The
Committee will continue to work to identify ways to improve the utility and
benefit of health information.

Any comments? Simon, it looks like to me we ought to come back with those
changes for the Committee to look at, that really center around the bottom of
the second page, what we have done, and break out that separate recommendation.

DR. COHN: I think I am hearing – the general tone of this appears to be
people come up with recommendations and we are just looking for a little bit of
reorganization and potentially a couple of sentences that support the
recommendations so it all sort of comes together. Otherwise, certainly from my
view, it is a pretty good letter. I think I see Larry behind you with a
question or comment.

DR. GREEN: This is for Paul. I wondered what his headline was going to be?

DR. TANG: It is not earth-shattering, although the work is. Expanding and
improving access to aggregate health data for research and policy making?

DR. GREEN: You have to say something about linked data.

DR. TANG: I was a little allergic to that because of the headline nature. I
mean, basically we want to get good data out there because we want to make
better decisions, but just linking is a trigger.

DR. STEINWACHS: Paul, would you say that agains for those of us who don’t
copy fast?

DR. TANG: Expanding and improving access to aggregate health data for
research and policy making.

DR. LAND: I think the word “aggregate” may be misleading, because
we wouldn’t have the confidentiality problems if we were aggregating.

DR. TANG: But in a sense – I thought about this – because you want
to use the word “expanding,” which was, by the way, your word –

DR. LAND: It was my word.

DR. TANG: I thought one of the strengths of this proposal is that you
maintain access to personally-identifiable information within the realm of the
federal government only truly de-identified aggregate data gives out. That just
seems like a safe way of describing it. All we are looking for is a way of
describing it. If it were to make headlines, as you actually would like it to
make, it would not evoke undue thought because it has been carefully thought
out, how to protect the privacy of the individual.

DR. STEINWACHS: So expanding and improving access to aggregate health data
for –

DR. TANG: Research and policy making or health improvement and policy
making?

DR. W. SCANLON: I have to say that I would interpret that in a very
different way because what I would assume is that I am not able to work with
the individual data. You are absolutely right that the way we are protecting
confidentiality is hat the data that are released from the data center have
been aggregated, but it is that ability to specify how I am going to tabulate
individual data that is the strength here.

DR. TANG: So the question is, how do you want the headlines to read?

DR. LAND: If you took out the word “aggregate” I would be fine
with it.

DR. STEINWACHS: Yes, just cross out aggregate and make it access to health
data.

DR. FRANCIS: But that takes away any reference to confidentiality. I’d
rather see both access and confidentiality.

DR. STEINWACHS: Confidential health data.

MS. GREENBERG: I don’t see how you can’t have data linkages – if you
are going to have a headline – when the whole workshop was about data
linkages and that is what everything is about. Now there are other data sets
that NCHS, and I am sure these other agencies, have that aren’t linked to
anything and still have to be accessed through the data center because they are
small sample sized or something like that. So the data center issues actually
go beyond linked data, but in fact this whole workshop was about data linkages.

DR. COHN: But it is also about confidentiality and security, so confidential
and secure – if we are going to get into that we ought to put all those
good words in. Steve Steindel, do you have a comment?

DR. STEINDEL: My memory is relay slipping today a lot, given what I have
been involved with. But what I would suggest doing is putting the concept of
aggregated data at the end – to produce aggregated data? Something like
the expanded use of federal data sets to better produce aggregated health data
– something like that. So we get the concept at the end.

I think our basic problem is that, while Paul had a very good headline, it
doesn’t fit what we are talking about.

MS. GREENBERG: Why don’t we say “data sets?” So it doesn’t sound
like we are talking about data about an individual person, although data sets
obviously include that.

DR. COHN: Data sets sounds better.

DR. FRANCES: How about increasing use of linked data sets while protecting
confidentiality and security?

NS. GREENBERG: Yes, that’s good.

DR. GREEN: I would like to chase that and nominate “linking data sets
while securing privacy to improve decision making.”

MS. GREENBERG: But it is not just about linking; it is about getting access.

DR. VIGILANTE: But decision making may or may not be involved in any
particular research agenda.

MS. GREENBERG: I think you have enough ideas.

DR. VIGILANTE: Let me ask one thing. My memory is not too good either, but
thinking back to the testimony, was there substantial conversation around the
challenges of using data centers, just for their geographic distribution and
the ability of researchers, usually not with deep pockets, trying to get to
these places and stay in hotels? There is just a fundamental problem there that
the data center, the structure doesn’t solve. I don’t know if we have a
solution, but does that rise to the level of comment in the letter?

DR. STEINWACHS: We do talk about NCHS has been making advances in remote
access to try and deal with – we have been referring to it in the letter
as “geographic access problems,” which maybe sounds nebulous. Maybe
there is a better word for that.

MS. GREENBERG: And then using the Census data centers.

DR. STEINWACHS: And what we were talking about is this one that comes after
the one to NCHS on other agencies – that was going to be split into two
recommendations with some introduction on the second part that would address
what you are taking about, Kevin, where we talk about agencies should take full
advantage of new technology to allow secure remote use of data. So I think we
could put in a little introductory thing.

DR. VIGILANTE: But the purpose of using the data center – there is the
security issue, but then there is the confidentiality issue. It just comes with
the ability to link stuff. And the question is, does the data center, by its
very nature, and I don’t know why it would, make you less able to link stuff
and breach confidentiality than a remote access site? I don’t recall hearing
testimony on that.

DR. STEINWACHS: What the data center does is it looks at the output to make
sure that the output does not – the tabulation – does not allow
identification. That is what Paul was thinking about the aggregated. If you use
remote access that still has to be looked at, so it still goes through, at this
point, a person. It could go through possibly other kinds of technology.

DR. VIGILANTE: It might be worth describing that a little bit, because it is
not completely transparent.

DR. WARREN: It seems to me that our whole notion of these re: lines is to
make them short. I know that Paul has an allergy against data linkages –

DR. TANG: No, just about talking about them.

DR. STEINWACHS: DO it but don’t talk about it.

DR. WARREN: I was just wondering, since you titled your workshop “Data
Linkages to Improve Health Outcomes,” that that might be the appropriate
re: because it expresses what you are after, or talking about creating
confidential data linkages to improve health outcomes. Something like that.

DR. COHN: I think I agree with Paul. I think what we are relay talking about
is improving the value of the federal data resources. And this is just one
aspect of it. We are actually talking about three or four in terms of the
workshop that you did. So once again, I think this one, rather than spending
another half an hour wordsmithing this one, this is work for the population
subcommittee, to see if they can come up with something useful. But I think it
is just a question of coming up with words that they want as a headline that
Paul would still be satisfied and pleased with.

So I hope you got what you need?

DR. STEINWACHS: Yes.

DR. COHN: We are not running too far behind. I guess we should talk for a
minute about what is going to happen both tonight and tomorrow, just to remind
everybody before we adjourn the full Committee today.

(Administrative discussion of subcommittee meeting schedule.)

(Whereupon, at 3:45, the meeting was adjourned.)