[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

Full Committee

June 21, 2006

Hubert H. Humphrey Building
Room 505A
200 Independence Avenue, S.W.
Washington, D.C. 20001

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, suite 180
Fairfax, Virginia 22030
(703) 352-0091


  • Jeff S. Blair, MBA
  • Harry Reynolds
  • Mark A. Rothstein, JD
  • Donald M. Steinwachs, PhD
  • Simon Cohn, MD
  • John P. Houston, JD
  • Stan M. Huff, MD
  • Robert W. Hungate
  • C. Eugene Steuerle, PhD
  • Paul C. Tang, MD
  • Kevin C. Vigilante, MD, MPH
  • Judith Warren, PhD, RN
  • James Scanlon, ASPE
  • Marjorie Greenberg, NCHS
  • Ima T. Elo, PHD
  • J. Michael Fitzmaurice, PhD
  • Justine M. Carr, MD
  • A. Russell Localio, Esq., MA, MPH, MS
  • William J. Scanlon, PhD
  • Carol. J. McCall
  • Steve Steindel, PhD
  • Karen Trudel


  • Call to Order – Simon Cohn, MD, MPH
  • Welcome and Introductions
  • Review of agenda
  • Update from the Department – James Scanlon, ASPE
  • Data Council
    Responses to NCVHS reports and recommendations
  • HHS implementation of PL 104-191
  • Health Insurance Portability and Accountability Act of 1996 – Karen Trudel, CMS
    • Data Standards, Including Clinical Data Standards
    • Adoption, E-Prescribing, Final Rule
    • Privacy Rule Compliance Update – Susan McAndrew, OCR
  • Update on the Office of the National Coordinator for Health Information Technology – Contracts, AHIC coordination efforts, NHIN – Dr. John Loonsk
  • Subcommittee on Standards and Security – Letters, Action June 22 – Mr. Blair and Mr. Reynolds
    a) HIPAA Recommendations
    b) Matching Patients to their Records
    c) CHI-multimedia Federal Health Architecture
  • Certification Commission for Health Information Technology–Briefing http://www.cchit.ora/ – Dr. Mark Leavitt
  • Subcommittee on Privacy and Confidentiality — Letter Action June 22 NHIN Report and Recommendations – Mr. Rothstein
  • Draft of NPI Letter – Harry Reynolds

P R O C E E D I N G S 9:10 AM

Agenda Item: Call to Order

DR. COHN: Good morning. I want to call this meeting to order. This is the first day of 2 days of meetings of the National Committee on Vital and Health Statistics. The National Committee is the Public Advisory Committee to the US Department of Health and Human Services on Health Information Policy.

I am Simon Cohn. I am Associate Executive Director for Health Information Policy for Kaiser Permanente and Chair of the Committee.

I want to welcome Committee members, staff and others here in person as well as those listening in the Internet and remind everyone to speak clearly and into the microphone.

Agenda Item: Welcome and Introductions

Let us now have introductions around the table and then around the room. As for those on the National Committee I would ask if during your introductions if you have any conflicts of interest related to any issues coming before us today would you so please publicly indicate during your introduction.

I want to begin by observing that I have no conflicts of interest.


DR. SCANLON: Good morning. This is Jim Scanlon. I am the Executive Staff Director for the full Committee and I am with the Office of the Assistant Secretary for Planning and Evaluation at HHS.

MR. BLAIR: Jeff Blair, member of the Committee. I am Director of Health Informatics at Lovelace Clinic Foundation and I am not aware of any conflicts of interest.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention liaison to the Committee.

DR. HUFF: Stan Huff with Intermountain Health Care and the University of Utah in Salt Lake City. I am a member of the Committee.

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, Boston, member of the conflict, no conflicts.

MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health, member of the Committee, no conflicts.

DR. SCANLON: Bill Scanlon, member of the Committee, Health Policy R&D, no conflicts.

DR. STEUERLE: Gene Steuerle, from the Urban Institute, member of the Committee, no conflicts that I know of.

MS. MC ANDREW: Sue McAndrew, Office for Civil Rights, privacy liaison to the Committee.

MS.TRUDEL: Karen Trudel, Centers for Medicare and Medicaid Services, liaison to the Committee.

DR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member of the Committee.

MR. LOCALIO: Russell Localio, University of Pennsylvania School of Medicine, member of the Committee.

DR.VIGILANTE: Kevin Vigilante, Booz-Allen & Hamilton, no conflicts I am aware of. I am a member of the Committee.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the Committee, no conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield, North Carolina, member of the Committee,no conflicts.

DR. WARREN: Judith Warren, University of Kansas, School of Nursing, member of the Committee, no conflicts.

DR.ROTHSTEIN: Mark Rothstein, University of Louisville, School of Medicine, member of the Committee, no conflicts.

DR. STEINWACHS: John Steinwachs, Johns Hopkins, member of the School of Public Health, member of the Committee, no conflicts.

MS. GREENBERG: Marjorie Greenberg, National Center for Health Statistics, CDC and Executive Secretary to the Committee.

MS. SIDNEY: Cynthia Sidney, staff to the Committee.

MR. OLFANO: Bill Olfano, Blue Cross Blue Shield Association.

MS. JONES: Catherine Jones, CDC, National Center for Health Statistics.

MS. CANAR: Susan Canar, writer for the Committee.

MS. GOVANTINECAS: Wanda Govantinecas, National Center for Health Statistics.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC Committee staff.

MS. BEBEE: Suzie Bebee, Office of the Assistant Secretary for Planning and Evaluation, staff to the Subcommittee for Standards and Security.

MS. BEDFORD: Carol Bedford, American Nurses Association.

MS.FRIEDMAN: Gloria Friedman, CMS, lead staff to the Subcommittee on Standards and Security.

MS. JOHNSON: Maurie Johnson, AMA.

DR. COHN: I want to welcome everyone. I think I want to start out and have a couple of introductory remarks before we move into the agenda. I wanted to announce the meetings for the full Committee for 2007, and I was just checking to make sure everybody had been asked about their availability but for 2007, the meeting dates will be February 13 and 14, June 20 and 21. I am sorry, February 13 and 14, 2007, June 20 and 21, September 25 and 26, and then November 27 and 28, after Thanksgiving again. Those are all 2007 dates. We will make copies of this and distribute it around. As I said I was just checking and making sure that everybody had been asked and it seems like these dates generally seemed to work for everyone, at least at the time that you were polled.

Agenda Item: Review of Agenda

Okay, now as we move into agenda review let me start by observing that this is going to be a very full Committee meeting and indeed this is as I have been looking at things a very busy time for the full Committee.

We have a total of five letters and reports coming before us today and for action at this meeting on a wide variety of issues.

I want to specifically compliment the Privacy Subcommittee as well as the Subcommittee on Standards and Security for what I think are some very good reports coming forward for discussion in the body of the meeting today.

Additionally we will follow this meeting with a strategic planning retreat for the full Committee to discuss priorities for the NCVHS over the next 12 to 18 months, on other words timing to include this coming federal fiscal year.

Unless anyone thinks that this is the end of work for the summer, next week will be the first nationwide health information network forum sponsored by the Office of the National Coordinator.

This forum is supported by a number of organizations and entities, actually including the NCVHS. The purpose of this forum is to identify and to catalog an initial list of functional requirements that will help frame the development of the National Health Information Network.

The NCVHS has been asked by ONC too assist in the process to synthesize and refine this initial set of requirements. To do this we have established an ad hoc group on the NHIN which I will chair. Jeff Blair and Harry Reynolds will be Vice Chairs and members will include John Paul Houston, Paul Tang, Kevin Vigilante, Judy Warren and Justine Carr. Mary Jo will be lead staff for this activity and other staff includes Steve Steindel and others will be I think facilitating that as additional staff support. I am looking for people around the table, Mike Fitzmaurice and as I said, and others. We are pleased to have Margaret Amdiochen as a consultant for this effort.

This ad hoc work group will hold hearings on the second day of this forum next week to take reports from the breakout sessions and also elicit public comments. This work will continue over the summer with hearings scheduled for July 26 and 27, and additional meetings and calls as necessary. The recommendations will be brought back to the full Committee at our September meeting for action at which point assuming that there is no further work on this issue we intend to design the work which is why we are describing it as an ad hoc work group.

In addition let me not forget to mention that standards and security will be holding hearings this summer. An executive subcommittee is going to be leading to talk about plans for the 2007 fiscal year. I, also, made a Subcommittee on Populations. We will hear reports from them and quality. Obviously tomorrow we will be talking about planning hearings for this fall and the quality work group of course has a very active agenda now that involves agency health care policy and research on a number of key issues.

If this sounds to you like we are accelerating activities and we are going to have a busy year, that is certainly my analysis of the situation. The pace of events relating to national health information policy has markedly accelerated. It is certainly an exciting, fast moving time and I will acknowledge all of you for your commitment and work to help move health care into the information age.

We have often seen this acceleration in HHS and in particular in the Office of the National Coordinator and of course there is AHEC and its breakthrough work groups and I want to thank and acknowledge both Mike Walstein and John Paul Houston for serving as liaisons and members of the work groups.

I do want to take a moment and acknowledge Dr. David Braylor who resigned recently from his position as National Coordinator. Obviously he has been instrumental in this HHS acceleration and literally took the vision we foresaw when we began to talk about the national health information infrastructure and has begun to make it a reality.

Of course, in all this Secretary Leavitt’s leadership has also been phenomenal. I think we really have to acknowledge him for his leadership in terms of leading us all forward.

Congress is, also, considering how to move things forward and a number of HIT bills are under consideration which I know Jim Scanlon will be talking about later on.

In all of this I would note that NCVHS is being asked for its expert advice and guidance and I would refer you to Tab 8 which is my testimony before the House Ways and Means Health Subcommittee on issues relating to health information technology and moving things forward.

Of course, in the midst of all of this if an e- prescribing continues I know Karen Trudel will be talking about that a little later on and work continues in terms of enforcement of the privacy rule.

In sum much is happening and my introduction is probably tiring you all out even before we start the meeting, but as I looked at this one I sort of said, “Gee, a busy summer and a very busy remainder of the year for the Committee,” and I want to thank you for your help and commitment and all of that.

Now, taking a breath, with that let us talk about the agenda today. Now, to get a little lighter, this morning we being with a department update. Jim Scanlon will be leading off followed by Karen Trudel and Sue McAndrew.

After the morning break we are pleased to have John Loonsk joining us for an update on many of the new ONC initiatives and contracts underway. This will be followed by a discussion relating to those coming forward from the Subcommittee on Standards and Security.

We will, of course, if any of them are ready for balloting, we will ballot them, if we think they are ready. Otherwise they will be referred back for further word smithing and work by the Subcommittee on Standards and Security.

After lunch we are pleased to have Mark Leavitt, Director of the Certifying Commission on Health Information Technology provide us with a briefing on the work underway with that Commission.

As you know that is one of the infrastructure contracts that has been awarded by ONC. Following that Mark Rothstein will be discussing the report coming forward from the Subcommittee on Privacy and Confidentiality related to privacy in the National Health Information Network.

I guess I would hope at this point that everyone has had a chance to review it. I would also ask if you have word smithing or other issues that you would like to see in the letter that you might talk to Mark before we start discussing it publicly just so that he can capture any additional changes as we begin to go through the document.

Certainly it is a 17-page document. I don’t anticipate that Mark is going to be reading this paragraph by paragraph during our session but we will obviously talk about it section by section.So, if there are specific word smithing issues please get them to Mark in advance.

After adjournment of the Plenary Session we have breakouts for Populations and Standards and Security. I do want to remind everybody that tomorrow morning we actually start at eight-thirty and we will talk about that at the end of the session today.

Agenda Item: Update from the Department – James Scanlon, ASPE Data Council

With that let us begin our department update and, Jim, let me hand it off to you.

DR. SCANLON: Thank you, Simon, and good morning, everyone. I thought what I would do this morning, since we met in February a number of things have happened but I thought I would probably focus on some bigger picture developments including legislation, budget and some secretarial and departmental priorities kind of as a preface to our discussion as well.

First of all as Simon indicated there is a lot of interest in Congress on health IT, moving forward on health IT and really the two Houses are taking somewhat different approaches but there are several bills particularly in the House that would, in essence would amount to new versions of HIPAA transaction and code set standards and streamline the process of modifications to those standards and it would give the NCVHS a, I guess it is not exactly a new role but it is an additional; role in that process.

The main aim of those streamlining provisions seem to be to try to speed up the process from the point where the industry has agreed upon or is about to ballot some new standards to the point where it would be adopted and used to try to speed up that process. Normally that would require, as a regulatory change, would require proposed rules and so on and what the bills propose to do in a different manner, they propose to use the industry SDO public review process, the consensus process, the comment process and so on and sort of tie it into the department and the NCVHS.

The NCVHS would ultimately be having a hearing on those proposed standards that made it through that process and make recommendations to the Secretary. The Secretary would then have to react to those recommendations but there are all sorts of variations and permutations but basically for those provisions it is a streamlining of the process that is intended generally along those directions and the NCVHS would be asked to play the role of public participation, public protection as previously.

So, it is a nice recognition of the credibility an the process that NCVHS operates.

Other parts of the bills, there are various other parts. Some of them would add new programs. The House doesn’t seem to be all that much interested but there are various other processes. They would also codify the Office of the National Coordinator in statute and create a number of other provisions which we can make available to you but it looks like the two House versions still need to be reconciled within the House itself.

Let me turn to budget for a minute. The congressional deliberation is underway on the 2007 budget and you will recall that the budget included about 179 million, and I think I am fading out again.

DR. COHN: Jim, do you want to use my microphone?

DR. SCANLON: Is that better? The President’s Fiscal Year 2007 budget which will begin next October is now under discussion within the Congress and remember that that budget included the President’s budget requesting almost 170 million for health IT. It was an increase of about 58 million over the previous hear. You remember that ONC would get about 160 million. AHRQ was continuing its $50 million program in health activities to support patient safety and quality and my own office, ASPE was included in the President’s budget for about 4 million which is basically evaluation and policy research and economic analysis. So, again we don’t know how this will actually come out in 2007. It is obviously a very tight budget year for non-defense domestic spending. It is really a very tight budget along with overall budget policy. So, we will see how it comes out but it does reflect there is clearly an interest in priority and moving along these areas.

In terms of population health in the 2007 budget most of the major HHS statistical systems are being funded at straight line levels which was actually a good accomplishment. We are beginning work in all of the other agencies on the 2008 budget. That would be the budget year beginning next October, not 2006 but 2007. So, it is really not that far away. I think similarly that the budget policy will be not much growth in non-defense domestic discretionary spending except possibly for the preparedness area and bioterrorism area.

The Data Council has again been asked to look over in connection with the 2008 budget to take a cross-cutting look at the data collection statistical investments that are being proposed by various agencies and to be sure that we are operating as efficiently as we can and that we are addressing priority policy and data needs.

It is unlikely that there would be any large new initiatives in the data collection area that would come up in that process.

Let me mention one other project the Data Council is undertaking and then I want to turn attention to the, I believe you have the handout on nine health policy priority areas and I want to take a couple of minutes to go over that.

The Data Council is initiating a project on secondary uses of electronic health record data largely for survey for statistical purposes. So, again, we are looking at this. This will be a joint project with our various agencies in HHS including AHRQ and NCHS and here it will probably involve a workshop where the Committee would be involved, but this would be to look at the potential of electronic health records and other technology to be able to serve as a resource for some of our provider-based surveys.

We have a family of health care surveys and HHS as you know this would be looking forward to see what potential when electronic health records are largely available, standardized high-quality electronic health record data, what sort of a role and what sort of a resource could that be for our surveys and statistical activities. So, we will be starting that. We are just about to start that now in partnership with AHRQ and with NCHS.

So, let me turn now to this list of HHS health policy priorities that you have before you. The Secretary you will recall had the Department develop a 500-day plan and the plan focused on priority areas that the Secretary thought he would be willing and HHS leadership would be willing to spend a fair amount of time on.

He made it clear that all of the other things that HHS does are important but he was willing to have the leadership deal with those.

His personal time he was willing to put in on some of these items. In the 500-day plan he wanted to see some progress there. He views these as the big picture efforts that would actually by focusing at the larger level force a lot of other things to work. I think he uses the analogy of the clock and the many gears and if you could get that big gear to work, it sort of moves all the other gears.

So, he views these as change, possibilities for change in moving a lot of other smaller change and most recently he updated those priorities with the nine priorities that you have before you and I think we certainly on the Data Council are trying to see to what extent our data systems and our plans support some of these priorities and provide some background information and let me just really go through these briefly because I think they particularly in terms of where the Committee might want to look ahead and certainly for the discussion on our retreat these at least form a backdrop.

These are not the only things going on in the health policy world as you know but these are some of the areas that HHS has formally indicated are priorities. The first one and I will try to deal with these fairly quickly really concerns the idea of can the health industry be more transparent and clear about cost and quality information so that those who pay for care and those who treat care and consumers and employers and so on will have a better way of looking at what the costs are and what the quality of the care delivery is and I think these priorities are stated here in kind of the future, a world in which these things are occurring. So, it sort of states the ideal case.

Secondly, no surprise is health information technology and this would be the point where interoperable standardized health information technology is supporting health care. It is supporting consumers. It is supporting public health and you will see how it is phrased there.

Obviously Medicare prescription drug program, there was a great deal of effort expended since it was enacted to get this working and efforts will continue along those lines. Included would be a focus on pay for performance to increase health care quality, a modernization of Medicaid. There is a lot of work underway on this area working with the states.

Secondly, not Medicaid but a more focused kind of priority deals with the aftermath of Hurricane Katrina. Basically the hurricane and the flooding removed most of the infrastructure health care infrastructure in New Orleans; in the city itself there are still two hospitals I think that have not come back but there is now an interest in rebuilding the health care infrastructure in New Orleans as well as the area broadly, but it would focus on a more, is it an opportunity I guess is the question for a more primary care oriented approach to the health care system in a metropolitan area so that there is a fair amount of work going on there.

Another priority is a theme that deals with bringing to medicine and treatment and prevention and drugs bringing the fruits of technology and the fruits of research that foresees an area where prevention is emphasized and where health care can be personalized. It can be preempted in the sense that it is preventive and it is basically using smart medicine and other technologies to bring these to bear in everyday health care and prevention.

Prevention has always been a focus of HHS, public health efforts and particularly there will be some efforts on obesity prevention and the Department has already had a couple of public town halls and summits on this as well.

Two other areas, pandemic preparedness, HHS was asked to play an even more pronounced role in pandemic preparedness.

I think though there is an administration-wide effort to have strategies and plans in place for the federal role, HHS has a particularly central role in all of that. The Secretary has actually been spending a fair amount of time visiting any state that was interested in having pandemic planning summits in the state, so, a fair amount of time should the worst occur there.

Finally, no surprise as a result of Katrina and related efforts and sort of looks at what did we learn from all of this and how could we do emergency preparedness and response better there is a whole transformational effort underway in HHS that would try to improve the way we prepare for and respond to the aftermath and the recovery of emergency response capabilities.

Along with that is a renewal and a transformation of the Public Health Service Commission Corps which would include some focus on a mobile deployment force in the event that this was needed for future response efforts.

So, let me stop there and see if there are any questions.

DR. HOUSTON: Is this a priority order? I mean is this listed in priority or is this —

DR. SCANLON: No, I think they are more or less equal.

DR. FITZMAURICE: With regard to the House IT bills it seems the CPO yesterday released studies showing that it costs more than people believed, that some of the things in terms of allowing charitable deductions for gifts of computers to physicians by hospitals and other things increased the cost beyond what Congress thought it was.

Do you think that makes it dead on arrival or that there can be some working around it either to increase the budget deficit or to find some offsetting gains that it still is live?

DR. SCANLON: No one will make a living predicting what Congress will do. I don’t know, but I think you are right, Mike. These refer to the Starke, somewhat loosening of the Starke and the anti-kickback referral provisions that are current law so that it would make it possible for hospitals and other health care entities to provide some health information technology to others and I think as the discussion went along when the economists and actuaries began looking at this it looked like it could depending on how it was crafted and how wide open it was it could really increase costs. So, I think that will have to be factored into discussions but I don’t think any of us know how that will come out.

I think the focus on the standards though in those health IT bills remains, ICD, ICD-10, the new versions of the X12 standards and NCPDP standards.

MR. REYNOLDS: Jim, I didn’t see e-prescribing actually spelled out in any of these. Is it hidden in there somewhere?

DR. SCANLON: I think it is part of the Medicare. It is part of health. It is part of several, the health IT as well as the Medicare prescription drug program.

So, it is in several of them and ultimately it will affect Medicaid as well and actually there are several others as you could imagine and the discussion on the New Orleans health system by the way is not limited to just health care, primary care and how you construct the system but it includes the potential of health information technology. How would you actually build that as part of the plan?

DR. COHN: Thank you very much. We will have additional conversations about these priorities over the next several meetings.

Agenda Item: Responses to NCVHS reports and recommendations HHS implementation of PL 104-191 Health Insurance Portability and Accountability Act of 1996 – Karen Trudel, CMS

MS. TRUDEL: Thank you. I have a number of things to report as well and I will start with e-prescribing. You may remember that in the final e-prescribing rule really included a provision that would permit voluntary adoption of later versions of the prescription standard after a fairly nimble process of discussion as long as the standard turned out to be backwards compatible.

There were some discussions before this Committee I believe last winter about script standard version 8.1 and there was a description about whether it was backwards compatible. The Committee recommended to the Secretary that we move forward with the process of providing for voluntary adoption and in fact an interim final rule that would do just that will be published this Friday.

So, we will permit the voluntary use of script standard version 8.1 which incidentally includes the medication history. So, we are basically giving people the ability to begin to voluntarily use this additional functionality in addition to the new script.

As far as the e-prescribing pilots that were provided for under MMA we have got two quarters under our belts for the five pilots. They have been spending most of their time doing physician recruitment, finalizing their baseline criteria, doing programming activities such as getting their network together, finding technology partners, etc.

We are anticipating that data will begin to flow in very shortly and there should be a fairly significant uptake in the e-prescribing activities and the data collection will occur in the third and fourth quarters of this year.

AHRQ is in the process of awarding the evaluation contract and again because of the tight time frames we have to be finished by the end of this calendar year and have a report to Congress by next April.

The evaluation will run concurrently with the pilot and it is going to be kind of a three-legged race at the finish, but that is the plan and my staff will be doing a site visit later this summer.

Let me move on to HIPAA. I won’t go through a lot of statistics with respect to enforcement. Suffice it to say there haven’t been any significant uptakes in the number of complaints we have been receiving for transactions and code sets or security. We are still getting a lot of transactions and code set complaints having to do with training partner status and continuing to handle complaints as they come in.

With respect to the national provider identifier our latest statistic showed that we have enumerated almost 700,000 health care providers. We are moving along very nicely. We did have a push on in May that was sort of a “Get your MPI month” and actually in the last 2 months we have enumerated about 200,000 providers.

So, I think we are seeing something of a speed up there and that is probably also in part due to the fact that the Medicare provider enrollment application for new providers now requires you to have an MPI when you come to enroll in the Medicare program.

The electronic file interchange or what we were calling bulk enumeration option went operational on May 1. Organizations can submit files to enumerate groups of providers and at this point we have used that process to enumerate about 7000 providers.

In terms of Medicare implementation of HIPAA the compliance rate at this point for the 835 remittance advice transaction is at 99 percent and while I don’t have a specific announcement, I would say that there will be an announcement coming out very shortly about how we plan to end the contingency plan for the remittance advice since the provider compliance rate is so high.

Let me talk for a moment about personal health records. CMS has been working for probably the last year to get industry input on what our role should be in PHRs and we have developed an action plan and the first step of that plan is that we will be awarding probably within the next few weeks one, possibly more contracts to evaluate the use of Medicare claims data for populating an existing PHR for Medicare beneficiaries and that is really a proof of concept. It is not even a real pilot in that we are just doing a feasibility test to find out whether the data can be moved, how to move it, what pieces of the PHR our data would fit into, you know, how we link into the pieces of the jigsaw puzzle and so we won’t actually be going live in providing PHRs to beneficiaries. I want to stress that but this feasibility test really is the first step to evaluate some of the issues that have to do with data exchanges between our systems and PHR tools and to see how the data that we can bring to the table fits in with generally accepted PHR functionality of the data content and we will be looking at privacy and security and usability as well and when we have the results for this back we will then be moving into additional phases of pilots and implementations definitely in collaboration with the AHEC recommendations and work groups. So, we are very excited about taking that first very concrete step down the road.

I think that is all I have to report. I would be glad to take questions.

DR. COHN: I want to congratulate you. Your MPI work is a great idea.

Paul and then Harry.

DR. TANG: Thanks, Karen. One quick question and then I have another question. On the MPI you said that 700,00 providers already, out of a denominator of about how many? I know that probably includes more than —

MS. TRUDEL: It is hard to know the denominator. That is a really good question because we are talking about not just individual providers but it is hard to know for instance with institutional providers how many subparts they are going to want to enumerate.

So, I would guess we are maybe one-half of the way there.

DR.TANG: And the other question is the recent question about HIPAA privacy compliance and the lack of prosecution that is occurring in the media and I wonder if you want to render a response?


MS. TRUDEL: I believe I will under these circumstances defer to my esteemed colleague.

DR. TANG; She just got a phone call.


MR. REYNOLDS: Thanks, Karen. You guys are working on exciting things. Weedy and others have voiced some concerns on the speed of the MPI adoption. How do you see that process playing out as far as dealing with these? I know they have asked to possibly submit that letter through our Standards and Security Committee but how do you see this playing out as far as where it is?

MS. TRUDEL: That is a little bit difficult for me to answer. It would always be nice to have made more progress by now than we have in terms of the number of providers that are enumerated. We are doing as much outreach as we can manage.

MR. REYNOLDS; So is everyone.

MS. TRUDEL; Yes, we are working with Weedy and we are happy to partner with anybody who has ways to get to providers. What we found in the original HIPAA implementation was that there is no really good reliable way to get to solo practitioners, that that is rather difficult and so, I guess all I can say is to ask for anyone with an opportunity to collaborate with us on outreach to reach out and do that because we are happy to do that.

DR. STEINWACHS: On the PHR feasibility is that going to include medical Part D data? I understand there are restrictions about how to use that data. I was wondering is that part of the feasibility in trying to populate a PHR?

MS. TRUDEL; Not in this round, no. We are still in the process of doing the collection of the Part D data. That part has only just begun. So, we don’t really even have a lot of the Part D data right now. So, we are looking at traditional Medicare fee for service, A, B, D, but it is very clear from the AHEC recommendations and from what we have seen in these nine priorities that medication history is absolutely key. We know that that has to be done and it is clearly something that is critical.

DR. FITZMAURICE: Very shortly down the road a new technology is going to be upon us and I wondered if CMS is looking at this, contemplating any pilots on the use of the Internet, the use of XMO tech variables, how that would be coded perhaps in SNOMED reference terminology, standardizing the names for medical variables of things that haven’t been done yet in the country but yet as insurance companies are moving toward the use of the Internet these become very important, being the dominant layer in the insurance game. I was just wondering if CMS is also looking into this.

MS. TRUDEL: I am not so sure about the XML and the use of SNOMED, etc. We are doing some internal work right now on expanding our presence on the Internet and that is something that is of considerable interest right now.

DR. FITZMAURICE: I would note that FDA is using an HL7 standard to move its structure product labeling information. They have tagged XML variables and they are included in the SNOMED reference terminology. There is still much more work to be done but it is a start.

MS. TRUDEL: Thank you.

DR. SCANLON: This is a follow on about the institutions being able to designate subcomponents. Is there going to be an ability to bring them together so that you know what a total institution is doing in terms of linking the independent IDs that they have for their components?

MS. TRUDEL: I don’t know. I can’t answer that question. I am sorry.

DR. TANG: This is a follow-up to Don’s question on the Part D information on medications which is a very important part of the PHR. Someone mentioned this week that CMS actually doesn’t own the data and as a consequence wouldn’t be able to share that. Am I interpreting this incorrectly?

MS. TRUDEL: I will try to stay at the 40,000 foot view of this issue because it gets very complex but my limited understanding of it is that there are some constraints inherent in one particular provision of the statute in terms of what we can and cannot do with Part D data.

There are other provisions in the statute that essentially permit us to do what we need to do to manage our programs and we are in the process of trying to figure out what we have to do to bring those two conflicting views together

DR. COHN: Jeff, I will give you the last question on this one and then we will move on to Sue.

MR. BLAIR: Thanks. The question I have is about standards harmonization and I noticed on the agenda we did have someone scheduled from ONC to speak next. Is that correct?

DR. COHN: Yes, we will have that.

MR. BLAIR: Then I will save this.

Agenda Item: Data Standards, Including Clinical Data Standards Adoption, E-Prescribing, Final Rule Privacy Rule Compliance Update — Susan McAndrew, OCR

DR. COHN: Okay, why don’t we move on. Karen, thank you very much.

MS. MC ANDREW: Good morning. Just briefly on compliance statistics we have as of the end of May received over 20,000 complaints, exactly 20,124 and we continue to be keeping up with the closure rate so that we seem to be steadily having an open caseload of about 5000 open complaints in any given month.

Unlike Karen’s report we are noticing a continued uptake in the number of complaints in the first two quarters of this year. The complaints received in those quarters were the highest that we have experienced since the program began in April 2003.

We remain hopeful that at some point our complaint caseload will begin to at least level off but unfortunately I would expect that events that have made the headlines in recent weeks are not likely to result in any decrease in the number of complaints. I think in fact we are expecting that as more and more of these large computer system breaches become known through press reports as well as the notification requirements that entities are sending out in some cases to millions and millions of people unfortunately adversely affected or potentially adversely affected by these computer breaches that it can only mean more complaints are likely to come in from the public with respect to these incidents.

I would note that because these are computer breaches many of these cases will be handled jointly with my esteemed colleague.


MS. MC ANDREW: So, watch for that as well as Paul’s question of the CMP authority is on both the security breaches as well as the privacy rule violations and so, the spotlight is likely to be on both sides of the house before long into where are those bans in the CMPs. We have not to date imposed any CMPs. We did the press report that Paul referred to. We did work with that reporter and Winston Wilkinson was interviewed as part of that press report and the best I can say is that reporters don’t write the headlines and while we did gulp a bit to see it there above the fold on the front page actually when you got into the article it was fairly balanced I thought and reflected what we had communicated to the reporter with respect to the activities that OCR had been engaged in in terms of working with —

MR. BLAIR; Could you be more specific? What article was this?


MR. BLAIR: What publication are you referring to?

MS. MC ANDREW: It was a Washington Post article by Rob Fein about 2 weeks ago now and I can’t remember the exact headline but it was something like thousands of complaints net no fines and then something about lax enforcement critics allege. I don’t know, Paul, are you pulling it up? But it was a report that reported on an interview he had done with Winston, the Director of OCR about OCR’s enforcement activities. There were also reports or comments from various advocacy groups and other interest groups saying that they are very concerned about the absence of fines 3 years down the road and that they felt that this again reflected on whether or not OCR was serious about enforcement.

There were also various supportive comments from both the provider and the health plan communities in terms of that they felt that OCR’s enforcement tactics and techniques were very appropriate and had resulted in a lot of helpful technical assistance and improved their ability to provide.

OCR did try to stress in our conversations in this report with this reporter that we really don’t see the imposition of fines as being any kind of measure of the effectiveness of our enforcement capacity and in fact we would actually see it as a positive sign that we are able to achieve corrective action without having to resort to the fiscal whip to get people to understand what their responsibilities are under the program and to correct any mistakes for policies and to come into voluntary compliance.

So, we close at least 1000 cases a year based on corrective action that has been taken by entities to improve their performance. Often in these cases we are able to get remedies for individuals in terms of indicating their rights to either get access to their records or to get their notice or to get their records amended, whatever it is that they have been denied by the covered entity.

And we feel that voluntary compliance at least to date is working and that is not to say that down the road if we are unable to obtain necessary corrective action from an entity that we will not impose fines. The fines are there and we are prepared to use them.

The enforcement rule which governs how we will go about proceeding in a CMP action was issued final in March of this year and those are joint regulations that affect both us and CMS. So, we are prepared and feel that no CMP is good news both for us, the covered entities and individual consumers.

With that said, I would just note a few other areas in which we have been active in OCR in terms of the HIPAA privacy rule. Clearly from the Secretary’s list of priorities we have been very active with the AHIC and the various work groups in terms of ensuring the consideration of the HIPAA privacy rule in the design and architecture of these breakout activities and we are expecting to play a role as this new subgroup comes online that will specifically focus on the privacy and security issues that are crosscutting from the four breakout groups and they are working mostly with OMC to help form that route and make sure that these issues, that this group gets up and the issues get addressed as promptly as possible.

The other area that we have been quite active in in the past couple of months is with the emergency preparedness. Again we participated in a work group that the Secretary’s transformation action team, the preparedness, again, one of the work groups involved in data management systems and their accessibility and there were privacy implications with regard to that. We have also been working with the Office on Disability on an emergency preparedness and HIPAA tool to help planners understand what information may be available to them for emergency preparedness planning purposes and how they can comply with HIPAA if they need to obtain that information from a covered entity.

So, we are hoping to have that tool ready for a conference that is being held next week with emergency preparedness planners from across the country..

DR. COHN: Thank you.


MR. BLAIR: Hi, Susan. Sorry about those headlines.

MS. MC ANDREW: As they say no news is bad news.

MR. BLAIR: Two questions. What has OCR done to educate the public on how HIPAA privacy rule protects their health care information and the second question which is related to that is that if you have been doing some public education what have you been doing to track with surveys or other techniques the degree to which the public feels that their health care information is protected to see if we are making progress?

MS. MC ANDREW: Last year we developed a number of fact sheets or brochures if you would that were consumer oriented to try to boil down the HIPAA rights and what the HIPAA protections are for consumers and we have been distributing those fact sheets, those brochures at a number of events. We also have them translated in to a variety of languages and in particular we are distributing them in a number of Spanish-speaking forums that I can’t remember who exactly the sponsor was but it was in coordination with the civil rights side of OCR.

MR. BLAIR: Could copies be sent to those of us on NCVHS? I would love to see it.

MS. MC ANDREW: Certainly and we also this year did another consumer-oriented flyer which addresses both sides of OCR’s responsibilities. It combines HIPAA with the civil rights protections that the office affords and so we have a joint civil rights and HIPAA brochure for consumers and all of those are up on our web but we, also, take every opportunity when we are out speaking or when our regional folks are out speaking to make sure that they take these and pass them out if the audience is a public one.

MR. BLAIR: And the second part of my question?

MS. MC ANDREW: In terms of tracking we don’t really have the capacity to do surveys. We do pay attention to the surveys that are done fairly frequently by others including the California Health Care Foundation.

HIMA(?) does some surveying although it is not at the consumer level but there are a number of commercial surveys and we can always talk to ASPE about more public surveys but it is not something that OCR in fact does.

DR. COHN: I just wanted to break in for a second just to talk about how we are changing a little bit. Obviously it is important that this conversation go on. We will continue with that and break after his presentation just to update everyone.


DR. SCANLON: Just to elaborate we actually discussed in ASPE, my office is planning and evaluation and we actually were in the process of thinking about a project to actually work with Sue’s office and others to look at the metrics. How would you even measure and you would use all sorts of data not just surveys but I think first is how would you measure this. Then you look at what the tools are. So, I just was not able to get funding this year but I think towards the end of this fiscal year we will be working with Sue’s office to see if we can move things along there.

DR. COHN: Okay, Mark? We will do our best to accommodate everybody.

DR. ROTHSTEIN: Very briefly I would like to put on the table another possible type of maybe smaller study that could be done and that is to do a study of the complainants who have filed complaints alleging that there were violations of one sort or another, chopping out that there is no jurisdiction; there is no, it is not covered by the privacy rule, etc., a subset of people who have filed complaints that are within the jurisdiction of OCR that are non-frivolous. I would be curious to know whether these individuals thought that the ultimate relief that was obtained by OCR was valuable to them. I mean were they satisfied with the process? Did they think there were ways in which the process could be improved? So, it would have a sort of procedural component as well as a substantive component and I think that would be very important information to learn as we go forward.

I mean has the system that you administer, the conciliation model satisfied the complainants?

MS. MC ANDREW: That is a possibility. I will say that I mean in many cases as you know I mean there is no private right of action. There is no monetary remedy that we can provide to the individual and to the extent, I think we do know that many of them are seeking a much more personalized remedy that we cannot offer. It is certainly in terms of their satisfaction with the way the office handled their complaints, we can certainly look into that.

DR. COHN: Gene?

DR. STEUERLE: It is just a comment to Jim. When you go to the metrics I really hope and I have said this before that you have some way of actually addressing costs and not just benefits, you know what is the cost of these various privacy or HIPAA provisions and not just some of these more narrow questions about what is working. You don’t really need to respond.

DR. SCANLON: Forcing people to look at how would you measure excess is probably the first step before we start collecting data and the surveys, believe me I am big fan of surveys but they don’t always shed any insight. They are often, you have to do them very carefully and you have to know what you want to measure to begin with.

We, also, have the capability to do focus groups. They have to be done carefully. That is qualitative information not quantitative but that could be another way of refining the measures.

DR. COHN: Russ?

MR. LOCALIO; Actually my question has to do with the converse of what Mark asked. Do you have any information on the number of complaints that you receive that are against non-covered entities that you cannot handle? In other words, what is the level of perceived complaining do you see in the public because of breaches of patient privacy that you have no authority to entertain the complaint? Is it never, sometimes, all the time, thousands, hundreds?

MS. MC ANDREW: It is a little hard to say but I would say it would clearly be in the thousands.

MR. LOCALIO; Thank you.

MS. MC ANDREW: I would also say it is probably for a variety of reasons. I think there are a number of complaints against providers who are in fact not covered by the rule because they don’t do the transactions. There are also a lot of employment place concerns which do not derive from the employer’s health plan scenario but just involve workers and just an uncovered employers who are concerned about gossiping about their health information.

DR. TANG: We talked a little bit about educating the public and I think your main folks in the trenches are really the providers who end up gathering a lot of data and clearly we talked about what is it that we do to protect information and I found it always useful to talk about well, if they are not happy then there is backup and the original interpretation was that there was individual accountability with the DOJ kinds of ruling about no individual accountability. I think that diffuses some of that that I thought was an important part of the argument in terms of protecting the confidentiality of individual information.

Do you see that as a weak thing in the procedural protection referring to individuals and I am not talking about private right of actions just the ability of government to be able to hold individuals accountable?

MS. MC ANDREW: I don’t know. I mean it seems to me that in the same way I guess that we would look at the business associate although even a little stronger is that we would look to the entity through its own processes and sanctions to be the one that holds the individual workers accountable for keeping private and confidential the information and the rule does require that all covered entities have a sanctioned policy and it is one thing that we would look at when we go in with a complaint as to whether or not in the appropriate case that that sanction policy is in place and wasn’t applied. So, it is not that the rule does not have that kind of individual accountability. It is just not a direct governmental, we don’t hold them accountable but we expect the covered entity to hold them accountable and can hold the covered entity accountable for that.

DR. COHN: John Paul, I will let you ask the last question and then we will move on to John Loonsk.

DR. HOUSTON: I have a comment and a question. The first comment is that having gone through numerous OCR complaints as part of a very large entity I think that the process that is in place actually I think is very good. It is an extremely complex rule. It is difficult even for the best intentioned organizations and individuals to try to understand it and then to try to communicate it to the work force, the work force tries to implement it and to take it seriously but still there is just a lot of opportunities where no matter how hard you try you get it wrong or there is lapse and so I think the whole process is very informative and very good and I think I know our organization really tries to learn each time something comes to our attention and a lot of times there is no breach but still nonetheless I think the process, I think it works based upon the fact that it is an extremely complex rule.

My question comes to the fact of has OCR looked at how to address some of the issues related to the state privacy laws that seem to be being passed in large numbers? I know Pennsylvania now has a new privacy law, a notification law related to is somebody’s credit information has been breached and I think the reason why I asked that question is it is becoming more and more complex for covered entities to comply with the myriad of laws that they have to comply with.

In our case we have a law that is somewhat conflicting upon what HIPAA or it aligns with what HIPAA requires us to do and there has been a number of legal opinions that I have read where it is at variance with what we are supposed to do. So, I am just wondering whether OCR has been active in trying to address on some uniform basis some of these different laws that the states seem to be passing.

MS. MC ANDREW: We are taking a close look at what is going on in the states in terms of these notification laws. We have just completed a survey of those state laws to compile and make sure we understand who has them and what they require and how they may impact a covered entity that may have one of these computer breaches and so we are looking to see where there may be intersections with HIPAA requirements and also we are expecting and have seen in some legislation attempts to bring that notification requirement into the health bill or the computer systems and you know there definitely are pros and cons and I think there is some, certainly there is a cost factor as well as an information factor.

DR. HOUSTON: Let me give you one example how the Pennsylvania law in particular is really causing problems. I have read three separate legal opinions where they said that because HIPAA has an accounting for disclosures requirement and the Pennsylvania law defers to federal law where there is some other type of reporting requirement they interpreted the HIPAA accounting of disclosures requirement to actually fulfill the requirement for reporting under the Pennsylvania state law and when I read the rule, frankly I don’t necessarily see that but yet I continue to see that position raised in a variety of legal opinions from law firms and I really think for me and I think for other people who are involved in privacy it leaves me somewhat questioning okay, what is the proper position to take and again, if I am a small company reading these types of things I am going to take it just through, these firms’ opinions as fact.

MS. MC ANDREW: We have seen that in a couple of laws and are also scratching our heads. Again, good news, bad news in that but we are looking at that and we may, you know if you want to send me some information I can think about whether we need a frequently asked question in that area.

DR. HOUSTON; I will send you something.

DR. COHN: Okay, we are going to wrap up this part. I have actually been trying to constrain this first section to just 45 minutes, and it is impossible and we just need to make sure in future meetings that we give ourselves the time we need for these conversations because I think they are valuable and hopefully give some information to the Privacy Subcommittee and others for work that yet needs to be done or focused on.

So, we thank you, John Paul and Sue. Thank you.

Agenda Item: Update on the Office of the National Coordinator for Health Information Technology – Contracts, AHIC coordination efforts, NHIN — Dr. John Loonsk

With that we will turn to our next sort of update and we are pleased to have John Loonsk who is now one of the permanent directors of the Office of the National Coordinator and we are pleased that you could find time in a busy schedule and we know your office is a little understaffed at this point.

So, thank you for joining us.

DR. LOONSK: There are some key positions that aren’t completely full. Thank you for the opportunity to come and talk to the Committee.

I have been asked to give a brief update on some of the activities of the Office of the National Coordinator and I have a small presentation that is being handed out.

The first series of activities I wanted to update you on relate to the recent presentation of recommendations to the American Health Information Community around the working groups that that Committee has had working on very specific areas of activity that I think you are aware of.

The recommendations were brought to not the last but the previous meeting of the community and they fell into several broad areas. The first is there was a heavy reliance on an identification of the importance of the health information technology standards panel product which is due as a deliverable in September.

This is implementation level guidance to work on the standards identified to help implement the so-called “breakthrough activities” and the use cases that support them.

A number of the recommendations pointed to the importance of these standards in moving forward in these areas and some of the follow-on activities I will mention are geared to having those standards, that level of implementation guidance available for those activities to proceed.

A second set of issues related to next steps around regulatory issues particularly some of the issues emanating from the breakthroughs around lab result reporting and how that relates to CLIA, some of the issues around the provision of care electronically, remote provision of care electronically and how that may impact licensure issues and there were suggestions as to follow-up steps that needed to be pursued in the context of health and human services pursuing resolution of some of the issues in regard to these issues.

The next series of recommendations involved suggestions for actions that the Federal Government take to begin to implement itself the work that is being done around these breakthroughs and a lot of that focus was on Federal Government systems and federal health contracts beginning to pay attention to the health information technology standards panel products in the context of their activities, the systems implementing them, the contracts identifying them in the context of helping to support those activities and carry out the activities of the Federal Government and as it relates to the private sector in the use of those standards.

A number of next steps were identified from the standpoint of this representing, these recommendations representing a certain period in time. Thereafter the focus of the working groups of the community is broadening and moving on to next step activities. These recommendations represented a series of work done on the immediate breakthrough activities and the working groups are now beginning to focus on the broader breakthrough activities.

So, by example one of the working groups is on electronic health records. The broad activity is electronic health records. The specific activity was lab results reporting and how that could be advanced. These recommendations focused on the specific activity lab result reporting in the context of that breakthrough. The working group is now being asked to look at the broader activities of the electronic health record and among other things to develop a road map for their attention in the context of that activity and what activities they will be pursuing and prioritizing in terms of next steps.

We view those activities as relating to the next steps in identifying subsequent use cases that would be pushed through the overall process leading to standardization through the health information technology standards panel, consideration by next steps of the nationwide health information network process, consideration by the Certification Commission, etc.

So, the working groups have come to a pivot point. They have delivered recommendations related to their specific charges and now they are being asked to move on to their next charges.

There was also the identification of a new working group that needed to be pursued around data specifically for biosurveillance. There was in the working group a lot of discussion about what are the appropriate data for clinical care to provide to public health entities in the context of pursuing the biosurveillance mission and there was a recognized need to have an ongoing group look at those data, be representative of the various participants in public health as well as clinical care, have consumer interests represented in the context of what the minimal set of data is that needs to serve those functions but also to move to make sure that evaluation and appropriate evaluation of those data is done over time to see that they are the right set and they are advanced in that context.

There was also a recommendation to move forward with a working group on crosscutting breakthrough really confidentiality and security issues and the context for this is for this working group to focus on some of the very specific things that need to be done in the context of implementing a breakthrough in the context of identifying what subsequent needs may be for standardization in those contexts, etc., really focused concretely on producing recommendations in that area that would focus on breakthrough implementation.

The next slide talks about some other AHIC activities that have been in process as well. The Certification Commission on Health Information Technology advanced the initial set of ambulatory care electronic health record criteria to the AHIC and to the Secretary. The Certification Commission has also received its first applicants for certification process. It is in the process of providing the, actually doing certification on this first group of ambulatory care EHRs with the plan of having notice in July of those ambulatory EHRs in this initial set that are certified. That represents very significant progress.

There is also in the context of the community presentation on clinical decision support a road map moving forward. This was a joint project sponsored by the Office of National Coordinator and the American Medical Informatics Association.

It inspired significant discussion at the community around the complexities and around I think desires to put that in the right context relative to other activities and trying to prioritize their current state of clinical decision support and what next step activities should be.

Finally in the AHIC column there was the presentation of a document which has been developed by the Office of the National Coordinator as a furtherance of the strategic framework that was previously developed and this document has some suggested objectives and strategies that lay out against the goals of that strategic framework. This was put on the agenda of the community as an initial presentation and discussion is to follow. The concept here is to try to drill down into greater specificity for actions that need to be taken in accordance with moving forward with the national health IT agenda and to have the community and other groups have input into what those objectives and strategies are.

The final item that I would like to update you on I think you have had a little bit of presentation on before and I would be happy to answer questions on it. I wanted to thank NCVHS and Simon in particular for this new engagement where we are going to be working together around functional requirements in the upcoming NHIN forum.

It is a significant challenge ahead of us that we face in terms of moving forward with this. Functional requirements are a tool. They are a tool that we look forward to helping develop greater specificity as we progress down the road of the nationwide health information network.

We view the forum as an opportunity for public discussion, for input from a variety of sources into those requirements and then I think as you know a special working group of NCVHS is going to further process and refine those requirements moving toward a deliverable this fall that will be helpful to us in a variety of different ways. We view it as a necessary and important step in moving into the second step of the nationwide health information network activities starting to develop clarity on what are common requirements, what are the architectural differences that are being discussed in this context as well as feeding other processes like the health information technology standards panel which is seeking context for the specific standards work that they are doing, drilling down further into the harmonization of standards as applied to very specific activities and understanding the NHIN context for that. Also, we view these functional requirements as very informative for the certification commission in the context of both its consideration of networking certification criteria in its third year and in its consideration of updates to the ambulatory EHR criteria this year and the development of inpatient criteria this year. So, it is going to impact a variety of different activities. There are clear needs just to coordinate these as we move forward and try to make sure that we are showing value across a variety of different activities as well as moving forward with some of the standardization that needs to occur to make that value present and we think this is an important step and are pleased with the partnership of the office and NCVHS in moving forward.

So, those are the broad items I wanted to put in front of you and I would be happy to answer questions.

DR. COHN: And, John speaking for NCVHS we are obviously very pleased to have the partnership working together on these functional requirements issues, and obviously we will be looking forward to ongoing conversations as we progress on that topic.

Now, Jeff, I know you had asked a question earlier. Did you want to be the first up for questions?

MR.BLAIR: Thank you, John. There is a lot on all of our plates, isn’t there? Things are moving really quickly and I am sort of asking for clarification mainly because frankly I haven’t been able to keep up with all the activities and so each one of them every time I look at them appears to be a good idea and good initiatives.

So, my question gets at how some of them are being coordinated or interfaced and I think you recall the consolidated health informatics initiative which I thought was really doing a lot of outstanding work in trying to pull together especially the terminologies, clinically specific terminologies as much as possible to sort of lay the foundation for moving forward and one of the major efforts in that in terms of harmonization was work done by the National Library of Medicine with unified medical language systems and the mappings between the terminologies and so I was sort of focused on that piece. So, then the breakthrough areas identified by AHIC also seemed to be very constructive and then there was the standards harmonization RFP with that work, and since I haven’t been able to follow each of those as closely as I once was able to follow the CHI pieces sometimes I wonder; sometimes I worry is that foundation that was built by the consolidated health informatics initiative especially with the NLM and the unified medical language system and the mappings between the terminologies, is the standards harmonization work and the breakthrough work building on that foundation and extending it in breakthrough areas or are there some disconnects and if there are disconnects you know is that something else that needs to be addressed?

DR. LOONSK: Thanks, Jeff. We have I think made a special effort to try to see that what we think is very high quality work of the consolidated health informatics effort is integrated into the work of the health information technology standards panel. We have orchestrated the delivery of those materials to HITSP. We in the writing of the contract have described the importance of that work in the context of HITSP taking advantage of it and prioritizing its consideration.

It is important to recognize that HITSP is a public-private process and that the, while CHI was focused on the consideration of standards for federal systems by federal people and organizations that the buy in of the private sector into moving forward is an important next step and does that mean that at times there may be some standards that are different in the context of their consideration? I think that that is a distinct possibility. We have been looking to try to make sure that HITSP considers the CHI standards and the work that was done. I think the overwhelming response by those participating in HITSP has been that they have been very impressed by the work that has been done by the thoughtfulness of it and by it applicability.

In the context of the work around terminology mappings and such one of the activities that we are actively pursuing is to try to make sure in conjunction with the National Institute of Standards and Technologies that an appropriate infrastructure is available to actually test against those standards and this can be a very complicated activity. It is one that can involve a multitude of permutations of a message for example where you have an incredible complexity of possible terms that are used in different combinations that may break an implementation guidance.

So, it is non-trivial but it is critical that if we are as we move towards truly incorporating standards into a variety of different activities both federal and private the ability to educate people to what those specific terminologies are, to be able to allow them to self-test their messages, their queries, their system interfaces against them and then to actually have third party testing of them so that they can be certified as complying with those standards is a huge effort.

It is a critically important effort. We have been working on this as I indicated with NIST. We have also engaged the National Library of Medicine in this activity and the intent is as we move forward and Betsy Humphries has been supportive of the concept of the thesaurus and the vocabulary work of the NLM as playing a critical role in reporting the data sets that are used in these implementation guides and in the standards selection. So, it is a multi-body activity here. It really is going to involve certification, HITSP, NIST, the NLM and others no doubt to try to get to the point where there is a broad capability for testing and the kind of supportive infrastructure necessary to manage the vocabularies and terminologies in that regard but I have been very pleased by the response that NLM and others have had in moving forward with that.

DR. COHN: Thank you.

Mark, you are up next.

DR. ROTHSTEIN: Yes, I just had a question. Would you review the process and timetable for the four architecture consortia projects?

DR. LOONSK: Sure. This year is a prototyping year for the NHIN consortia. We have really two processes going on in parallel and it is important to distinguish them.

One process is working on architecture. The other process is working on the prototype, the actual software prototypes that are intended to validate those architectures. We have initiated both those processes. They both are responding to the use cases that were put forward that relate to the breakthroughs but then they have had to take parallel courses important to represent the fact that the prototypes that are going to be available and demonstrated in what looks like a December-January time frame will not necessarily implement all of the common architectural work and all of the harmonized standards from the health information technology standards panel and all of the other work that is done in the architecture track. Those prototypes will not implement those necessarily this year but the intent is to continue to integrate these two in subsequent rounds of this activity.

So, simply stated this year is around working on architecture. We think these public fora are important in the context of having public input into those architecture discussions. The role of NCVHS will be very helpful in that regard as well. We anticipate coming out of this year not with one architecture but with at least an architecture with variations, and there are major considerations that as an example some markets, some areas, some regions that have regional repositories, some that don’t. We would have to say right now that both are viable options. Both need to be considered in an architectural construct at least from the standpoint of where the country now stands in that regard.

Moving forward with the discussion, having tangible products that represent the prototypes, using live data in the December to January time frame can help advance the discussion and then in the next year’s activities moving further down the line of incorporating the common requirements coming to incorporate the standards that have been identified for the implementation and to drive closer to implementation level systems in the next year.

MR. HUNGATE: A question from an individual and consumer viewpoint, I have been a great supporter of decision support tools as helping to get me a better care system in the future. As I look at the entities that are listed in the functional requirement pattern I don’t see an entity for clinical decision support development.

Yet it seems to me that one of the limitations of these systems has been they have been very expensive. The return on investment in clinical decision support has not proven as individual things to be very high. So, I would think there might be an opportunity here to highlight that pattern and maybe it is someplace else and I just don’t see it.

DR. LOONSK: We recognize very much that the requirements that are now on the table are not complete. We are saying that wherever we can. We recognize the fact that there is tremendous value for example in coming forward with use cases that have specificity, focusing a number of these different initiatives on the same target so that they can support each other in moving forward but on the other hand it is not across the waterfront. We don’t have that specificity in many places and I think it is important to recognize that.

At the end of this year, at the end of the NCVHS activities we will not have complete requirements for the nationwide health information network activity. These are initial requirements. These are initial efforts.

Some of the activities you are talking about obviously are complex in the context of value. To whom is the value shown? How do you bring along the private sector in terms of implementing capabilities and their products? I think many of us see the value in some of these at a high level, at an abstract level to society and to the consumer. We anticipate that a lot of the next steps for example from the consumer empowerment working group will be to identify some of these things that will then get into the next round of prioritization.

So, we are trying to have the AHIC and its work groups guide the prioritization of next step activities and we think that we can get some of these things on the agenda through that process.

MR. HUNGATE: That is very helpful. Thank you very much and I applaud the effort on functional requirements.

DR. COHN: Okay, Mike, you have the last question and then we will wrap up and give everybody a well-deserved break.

DR. FITZMAURICE: I must applaud the ONC for its ability to respond to all the policy questions that come through it with pretty good answers.

I have two questions. One of them is when we talk about certification, the word out on the street,people who have talked to me at conferences say that the cost is pretty high It is $25,000, $28,000 to get certified to send an application in for certification to CCHIT.

Is the cost of this out of HHS’ control? It may be because we want this activity to be self-sustaining and if that is what it takes, that may be what it takes, and the second question I hear is will anybody be certified soon. They are concerned about somebody getting certified and then being the market leader and this will squeeze out all of the small VHR vendors. I am sure you are aware of this. This is not anything new.

DR. LOONSK: Yes, those issues have been presented in many different settings. I think there are flip sides t each of those issues that are also relevant and if we have hundreds of VHR vendors that have products that are widely divergent, clearly we are not in a place where we can make the fraud agenda move forward.

Relative to the cost issue I think the certification commission has done excellent work in trying to identify their costs for carrying out that process. This is an initial pass.

If you look at the potential revenues in this area they are significant for EHR vendors. That is perhaps comforting in the context of those costs and the value of the certification seal if you will I think could easily be described as carrying more value than those costs represent.

It is a complex issue. The certification process is still to some extent in its infancy and hopefully can refine the formula but I don’t think that there is a lot of fat in that cost. I think these are real costs that they face in moving this forward and as you well know we are under the tasking to really try to make each of these processes become so supporting in the context of carrying out their missions.

DR. FITZMAURICE: Secondly and lastly, this whole process that is going on is identifying sets of HIT functions, HIT standards and HIT elements. These are being identified and my question is who will certify or adopt these standards as suitable for use in federal health systems? Is that going to be the Secretary of HHS, maybe in conjunction with the Secretary of the VA and the Secretary of DOD? Is this certification by the Secretary necessary if they are to be tied in or become part of the baseline of the federal health architecture? I know OMB is looking at this. They use it to evaluate agency plans. They use the CHI standards for this and now since we are moving to a new process they are going to want to tie into something and the agency will want to know if we invest in it, it is going to have everybody’s approval, and aa I think you know there has been, we reoriented the federal health architecture efforts and the CHI efforts to fit into this overall process. I agree with you very much that the federal agencies are eager to look at what the target is for them. The two targets that are most prominent for their consideration are clearly certification criteria as they apply to their particular activities and also the HITSP standards as they are being advanced at this implementation guidance level and there is a lot of discussion going on now as to how that gets mapped out against federal priorities in moving forward in coming months and years. It is a very active area of discussion. I think that those are the two key points. I think the other one to throw on the table for which there has been some discussion and a lot of interest is how do the federal agencies coordinate with the NHIN architecture as it moves forward to make sure that federal systems can be supportive of that and the VA, the DOD in particular have expressed great interest in moving forward in that direction and I think we hope that in the next round of the NHIN activities we can express some clearer paths for how those things can support each other.

DR. COHN: Okay, well, John, i really want to thank you. I would actually pick a couple of things from the session. One is I think this fall either September or November we will have to have a conversation with HITSP. It sounds like they are ready to sort of come forward to talk a little more at this point.

I think the other piece is the clinical decision support which is probably a bookmark for the ad hoc work group recognizing that we are also looking at gaps and other things.

So, John, I want to thank you. Obviously we look forward to working with you this summer. Results from that ad hoc work group activity will be coming back in September to this group for discussion and hopefully final approval and again we will just keep the conversation going.

I want to thank everybody. We are obviously running a little late and what we will do is give everybody a 15-minute break and come back at eleven-ten.

(Brief recess.)

Agenda Item: Subcommittee Standards and Security – Letters, Action June 22 – Mr. Jeffrey Blair and Mr.Harry Reynolds

DR. COHN: Okay, this is our second morning session. Would everyone please be seated. Now, in this session we begin to move into letters and review of letters.

Now, I think some of them are, I mean we will obviously see letter by letter which ones need further work, which ones need overnight thought, which ones potentially are ready for action at this point, and I think it probably will vary by the letter.

I am going to hand things over to Harry Reynolds who I think will lead us through the letters and then as I said, we can make determinations of whether they are action for tomorrow, action for today or back to the subcommittee.

So, Harry?

MR. REYNOLDS: Just so there is no misconception we do realize that the number of letters does not relate to how well we are doing as a Committee.

These are three issues we had to bring forward to you. I would like to do the letters in the order of first if you would turn to Tab 5 which is the CHI letter.

I would like to go through it first. John just mentioned the CHI in his discussion. As all of you are aware it is a series of standards that have been brought forth for use by the Federal Government and this is just one more addition to that.

So, I will read this entire letter and then ask if there are any changes or questions on this particular one. We won’t stop partway through.

So, “Dear Secretary Leavitt:

“The National Committee on Vital and Health Statistics appreciates your continued support for the Consolidated Health Informatics Initiative, (CHI) as evidenced by the inclusion of standards recommended by CHI in many Federal solicitations. This letter continues the role that NCVHS has played in the CHI standards acceptance process. In this role, NCVHS provides an open forum for review of the CHI standards recommendations and provides an independent assessment of these recommendations.

“The NCVHS has the following comment on the attached CHI domain area recommendations

“The NCVHS concurs with the CHI recommendations for the Multimedia domain. When NCVHS originally reviewed the CHI report recommending Multimedia standards on December 9, 2003, several questions arose. These questions have been adequately addressed in this report. The NCVHS recommends approval of this CHI Standard by the Secretary and formal government adoption.

” Modification of Prior CHI Reports

“We note that CHI documents are meant for daily use and time may change some of the administration conditions, so these types of changes need to be reflected in minor version updates of the documents to remain current. NCVHS was asked by CHI to provide our input on the modified versions of the past reports that acknowledge the contributions of the Agency for Healthcare Research and Quality (AHRQ) toward the enhancement of many CHI Standards, and the role played by the Food and Drug Administration and the National; Cancer Institute (NCI) and FDA’s role in the Medical Device Domain. NCVHS is pleased to recognize the important contributions of these agencies and supports these modifications. NCVHS feels that public input on minor version updates is not necessary; therefore we recommend that CHI simply keep us informed of these updates as they occur.

“The review process that has been established by CHI and NCVHS has worked very well to further the adoption and use of health care information standards within the federal government. We are pleased to continue our role in this valuable process.”

I would like to also acknowledge Steve Steindel as our resident expert who helped us prepare this letter and Maria for her continuing positive staff work on that. So, with that I will open it for any comments or questions that the full Committee may have.


DR. HOUSTON: I have no disagreement with the recommendations. I just was stylistically since there is only one recommendation and a bullet I don’t know why you have that bullet there and just simply you don’t go directly into the —

MR. REYNOLDS: Steve has an answer for that.

DR. STEINDEL: As the topic expert on this actually this was a style we developed with previous letters and we used the style even when there was one bullet.

DR. COHN: Without trying to prevent this thing from being passed probably a colon at the end of recommendations and then it probably would be a reasonable way to describe it. We don’t want to be word smithing at this level today, but go forward.

MR. HOUSTON: Then I just think that there is one topic which is modification of prior CHI reports. It is just when I look at those two together in such a short letter I just think if it was cleaned up a little bit I think it would read a little bit better.

MR. REYNOLDS: We will take that into consideration.

DR. CARR: Just stylistically the NCVHS feels, maybe NCVHS believes. I don’t know what the NCVHS convention is on feeling but the last sentence in the second to last paragraph.

DR. COHN: Okay, my question on this one is do people, I mean we can certainly take it back to the subcommittee for minor word smithing. Do people want to see this letter again or do people agree with the spirit of it and want to act on it at this point?

MR. HUNGATE: The latter, I think.

DR. COHN: The latter, okay, is there a motion then?


MR. HUNGATE: Second.

DR. COHN: Any discussion?

All in favor?

(There was a chorus of ayes.)

DR. COHN: Opposed?

(No opposed.)

DR. COHN: The letter is passed and we will let the subcommittee word smith it a little further but I think we are okay on that.

MR. REYNOLDS: We may just slip it in with the privacy letter.


MR. REYNOLDS: Okay, let us move on to Tab 4 or Tab 3, excuse me, yes, Tab 3. We are going to do the HIPAA recommendations and in reading this one I am just going to go straight to the, I am going to read each observation and recommendation and then open the floor for discussion. For time we won’t go through the first two paragraphs but we will take comments on those as we open it.

DR. COHN: Do you want to get closer to the microphone?

MR. REYNOLDS: Okay, observation one, and let me give you a quick background. This is HIPAA lessons learned as we have had numerous hearings on you know what has occurred on the HIPAA transactions and code sets and other things up until now. We held some hearings to understand what are the lessons learned that we can forward to HHS through the Secretary to make sure that they are considered as we do other things like this and continue to build off of it. So, that is the purpose of this.

Okay, observation one, implementations. HIPAA implementation has taken longer than expected. The causes for this are numerous and include the fact that actual publication of the rules has taken much longer than anticipated as well as the fact that while payers were required to implement all standards adoption by providers was not required.

The original view was that because standardized EDI implementation would save providers time and money providers would gravitate to their use to reap the benefits of the administrative simplification.

There have, however, been unanticipated impediments. These include the reluctance by vendors to build a range of necessary software for the non-revenue related HIPAA transactions such as the eligibility transactions 270-271 and the claims notification 276-277.

Additionally there has been reluctance by some payers to robustly implement the HIPAA non-revenue transactions. For example, payers in many cases included only minimum information in the eligibility transactions which resulted in providers not being able to gain full benefit.

In addition there are still health care organizations that are not yet compliant with HIPAA standards and many of these organizations continue to use contingency plans which further delays the transition to HIPAA standards.

Recommendation 1.1. HHS should undertake a comprehensive evaluation of HIPAA implementation in order to identify areas through timely, efficient and effective implementation as well as area for future improvements.

NCVHS stands ready to advise HHS in the design and conduct of such an assessment. Once these impediments and areas of improvement are identified NCVHS pledges too work closely with the Department and the industry to identify ways to best address them.

Such findings would be useful for other HIPAA implementations in the future.

Questions or comments?

DR. COHN: Harry, I actually would only add one maybe minor word smithing. I think this last sentence that just says that findings will be used for other HIPAA implementations, i think maybe also and federal standards initiatives in the future and that would be the only, and that is I think just subtle word smithing.

Other comments?

DR. CARR: I know I participated in this but as I read it again now it would help me reading this for a more concise description of what was expected from HIPAA, what is the actual and then what are the contributions to the gap between the actual and the expected.

I will leave it at that.

MR. REYNOLDS: Help me one more time on that.

DR. CARR: Where did we expect to be today? You begin with HIPAA implementation has taken longer than expected and we have two contributors. One is the delay in the publication of the rules and the other is that the payers were required to adopt all standards but providers were not required.

Where did we expect to be today? This is saying where we are, but was there a clear statement of what was expected to be and what we are trying to say is there is a gap between where we thought we would be and where we are. So, I am just trying to get a little more clarity on what was the information that said where we would be today.

MR. REYNOLDS: I think what we could add was that obviously the rule was effective as of a specific time and the original intent was that everyone would meet at that endpoint.

DR. CARR: Right. I think that would be helpful to know that.


DR. COHN: I am struggling with this one and I guess I am trying to give even how to frame it. Obviously this may be our defect by not reading the first two paragraphs. You do realize that HIPAA was passed in 1996, and I think the original intent of the legislation was that everything would be implemented at least by legislative language by 2000. So, that is by legislative language. Now, are we going to reference legislative language or certainly we can’t implement things where rules are not developed. So, you know, if you are referencing rules, rules have only just recently actually been finalized.

DR. CARR: I think that is helpful in understanding what is going on, that when it was passed and you say legislatively this would have been implemented by 2000. Rules were not available until whenever and then this is where we are today, and this is the gap of where we might be and where we ought to be.

DR. FITZMAURICE: I think even beyond that there were contingency plans that were developed because the industry wasn’t able to adopt it as quickly as we anticipated and so for a lot of things the taking longer than expected, there were a lot of factors in there. To list those factors is going to take another page or so.

DR. CARR: Okay, I guess I am just looking for a bench mark so that we are saying we are off but we are off compared to what is the question that I have.

DR. COHN: Marjorie and Karen?

MS. GREENBERG: I think what Justine is saying is that this assumes a lot of knowledge that may be around the table and of course people really working on HIPAA in the industry know what the issues or what the problems are, what the expectations were to a greater or lesser extent but if this is kind of going to stand on its own maybe it would benefit from just a little more background information.

DR. COHN: Is that your sense?

DR. CARR: Yes.

DR. COHN: Karen?

MS. TRUDEL: Yes, I think there is a huge list of contributing factors if you go all the way back to the legislation. I think what the hearings were attempting to uncover though was once you hit the point at which the implementation clock began to tick what went wrong then that caused our expectations to be different. So, I would suggest perhaps removing the part about the rules taking longer than anticipated and focusing on the point in time where we thought implementation was going to occur and why it didn’t and where we are now and how did the gaps contribute and if that is agreeable to people I can work with Maria on coming up with that language.

MR. REYNOLDS: I am not comfortable removing that.

DR. COHN: Steve and then Jeff?

DR. STEINDEL: Actually I have no problem with the way it is worded here. I mean we might want to add just one proviso. HIPAA implementation has taken longer than expected. Actually HIPAA implementation was very clearly defined in the law and that is what we are referring to and that is our bench mark and the next sentence says that the causes for this are numerous and included the fact, blah, blah, blah.

Well, I don’t think we need to expand beyond that. If we want to, we may want to reference our annual reports to Congress which enumerate through the years the reasons why things have been delayed and that would be the only changes that I suggest and I don’t believe those changes are even needed.

DR. COHN: Jeff?

MR. BLAIR: I didn’t realize Steve would be saying what he said but it was right on the mark as far as I was concerned because this is one of those letters where sometimes we intentionally don’t say certain things. We made it very simple. We said that it was delayed and it was delayed for a lot of reasons and I don’t think it is possible to start going into the reasons without spending a lot of time recanting history that went over years where a lot of different entities for a lot of different reasons contributed in one way or another to the delay and I don’t think we want to put that in a letter. So, the reason that it was as simple as it is is because we are avoiding saying those things.

The other piece is that we felt it was essential to wind up saying that it was longer than expected because that is the whole reason we are asking for the changes is to begin to address the problem without recanting how complex it was.

DR. CARR: I find Steve’s suggestion helpful.

DR. STEINDEL: Which is?

DR. CARR: The language that he just recommended not to you know add a lot but to just have compared to what.

DR. STEINDEL: To paraphrase because we would have to work this out in the language my two suggestions were in the first sentence just add “As expected by the HIPAA legislation,” and in the second sentence just instead of enumerating just reference by footnote our annual reports to Congress.

DR. COHN: Justine, are you okay with that?

DR. CARR; Yes, that is great.

MR. REYNOLDS: Observation two, the process for changing versions or updating versions of HIPAA standards is slow and cumbersome. While the HIPAA final rule does not permit voluntary adoption of new versions in contrast this is permitted under the electronic prescribing final rule.

In addition the administrative requirements under the Administrative Procedures Act, APA necessitate notice and comment rule making. The rule-making process takes several years from issuance of the notice of proposed rule making, NPRM, to implementation.

This severely hampers the ability of the public and private sectors to keep pace with emerging needs, especially in the rapid acceleration toward the adoption of electronic health record EHR systems. In addition, the HIPAA process requires that changes to standards be vetted through various standard-setting organizations. The STO processes include an extensive comment period in which all parties can participate. However, the fact that the standards are on different approval cycles makes it problematic to synchronize changes or updates.

These differences in schedules plus the unpredictability of the time it takes to complete all the steps in the federal rule-making process create an uncertain environment in which it is difficult for providers, payers and vendors to influence or anticipate upcoming changes and develop business products and processes to accommodate them.

Backward compatibility where feasible and voluntary adoption of backward compatible standards with the named HIPAA standard could provide flexibility in version updating.

Recommendation 2.1. The Department should immediately explore ways to facilitate quicker updates and implementations of HIPAA transaction standards in a manner that can reduce or eliminate areas of redundancy in the process including the possibility of not requiring HHS notice and comment rule making for a version update of already existing HIPAA transaction standards.

This recommendation does not apply to HIPAA privacy and security regulations. The exploration should include an in-depth review of the statutory and regulatory requirements such as those under APA, the comprehensive explanation of permissible options and a determination as to whether legislative changes should be initiated, consideration of regulatory changes to permit the voluntary adoption of backward compatible updates to named HIPAA standards. Three, consideration of how to include public comment on business process issues as well as functional and technical standards issues in the review process.

Recommendation 2.2. The Department should expedite issuance of the NPRM on current HIPAA modifications. This regulation includes many needed changes identified since the original HIPAA regulations were issued in 2000 including a timely modifications process.

Recommendation 2.3. The Department should determine what would be necessary to facilitate synchronization of the timing of implementation of changes to HIPAA code sets including medical and non-medical data code sets. To minimize the scope and quantity of changes experienced by the providers, payers, clearinghouses and vendors, alignment of changes and updates to the code sets would allow the industry to coordinate, test and implement on a more orderly schedule and reduce rejected claims.

One quick sidelight is if you remember Karen’s update talked about backward compatibility. So, a lot of what we are putting in this letter and have had in our open forums is already moving forward and then there was another discussion by I think it was Jim earlier talking about some of the things that are coming through Congress, talking about speeding up the process which is exactly related to these things that we have been talking about in the hearings and some of that has actually come out from people that have been in the hearings.

DR. COHN: John Paul?

DR. HOUSTON: In the first paragraph, observation two, third line you discussed voluntary adoption of new versions. It says that the HIPAA final rule does not permit voluntary adoption of new versions. What do you mean by that? The reason why I ask is I thought what HIPAA says is you weren’t allowed to vary the transaction standards and is there another part of the HIPAA rule related to the voluntary adoption of new versions?

MS. TRUDEL; I think what that was referring to is the fact that even if a standards developing organization balloted and approved a new version a covered entity is not permitted to implement it under any circumstances without regulations.

DR. HOUSTON: Because of the fact that HIPAA says that you must adhere to —


DR. HOUSTON: Okay, I think you might want to, I thought that was the case. You might want to clarify this a little bit to state that what the HIPAA rule says is that you are not allowed to vary the standard and what that then does is that precludes then the voluntary adoption of new versions that have been otherwise approved by standards organizations, if that is what you were trying to say, I don’t know.

MS. TRUDEL: That really speaks to separate issues. There is a requirement that you cannot alter the standard that is adopted which is for instance 4010.

The second part of that is that you cannot adopt any other standard for instance 5010. So, there are two aspects of the same concept.

DR. HOUSTON: I don’t think it is really clear that HIPAA says that you aren’t allowed to — it is not a matter of voluntarily adopting. It says that you can’t vary the standard and as a result you can voluntarily adopt their version I guess was my point.

MR. REYNOLDS: We will take that this afternoon and come back with it.

DR. STEINDEL: Just as a quick comment I think Karen has noted some of the complexities and actually you have noted in putting that recommendation into play which is one reason part of this recommendation is to take a look at the legislation because if that does prove to be a big barrier we may —

DR. HOUSTON: I just wanted to make sure we were factually accurate with what we said in the letter and I thought there were some variances. Again, it is just a comment.

DR. COHN: I guess I actually had trouble figuring out where you were referencing. Harry as long as you know what they are referencing and can make the changes —

MR. REYNOLDS: John, why don’t you point to the line and that will make sure that —

DR. HOUSTON: I am looking at the version in the book. It is on observation 2, the very beginning of the third line of the observation, voluntary. It is that sentence I guess while the HIPAA final rule does not permit voluntary adoption of new versions. I was keyed on those words, voluntary adoption of new versions. That is where I was at.

DR. COHN: Okay, so what you want is basically to say that in addition to permit voluntary adoption of new versions or changes to currently implemented versions.

DR.HOUSTON: No,my point is that under the rule my understanding is that you are not allowed to, you must implement the standards as —

DR. COHN: The standard and the version.

DR. HOUSTON: Right, within the rule. So, it is not a matter of not being able to voluntarily — it says, “HIPAA does not permit the voluntary adoption of new versions.” No, that is not what HIPAA says. HIPAA says that you are required to adopt the versions and stay with those versions.

What that does is it prevents them from voluntarily adopting new versions. I just want to make sure we are factually correct.

DR. COHN: Okay, so, this is something that can be put in between two commas basically.

Karen, are you okay? Okay, I just want to make sure we are sort of capturing things as we go along.


DR. SCANLON: This is a comment not knowing all the details that the Subcommittee obviously knows but it relates to the statement that the rule-making process takes several years from issuance of a notice of proposed rule making to implementation and having seen rule makings take incredibly variable amounts of time, sort of from almost overnight, an exaggeration, to perhaps more than a decade there is a full range and so there is a question now about how much is really sort of a necessary sort of condition in terms of real rule making.

What comes away from that when you come away from that sentence is a very negative sense of rule making and so when you are looking for how do we make this better we are looking for a substitute as opposed to improving sort of the rule-making process in these particular applications and I am kind of concerned that we want them to think about both. We want them to think about what has been wrong with rule making that has been delayed. Does it need a different mechanism or does it need a will to make things more quicker because in many cases it is not process. It is will that is the key in terms of how we get the things done.

MR. REYNOLDS: If you look at the second and third, well, actually the three bullets under Recommendation 2.1 it is where we felt first that there needs to be a discussion because with e-prescribing it is different than what it was. Second, voluntary adoption which Karen referenced earlier in the e-prescribing which we were able to use, they were able to use there for NCPDP 8.1 and then one thing we feel still needs to be considered is this whole idea of public comment or business process issues as well as the other things that need to remain in it because sometimes as we heard discussion trying to speed this up could cut out the public, could cut out private enterprise from discussing it and so on.

So, we tried to put a framework without being prescriptive on exactly how it should change and I don’t know if that answers your question.

DR. SCANLON: I think it partly addresses it. I think though in the observation what also might address it would be to take the sentence that the rule-making process takes several years which seems like it is an absolute to has taken several years. It is a problem which we have identified and it doesn’t necessarily have to take several years. That is something that could be modified in thinking about it.

DR. COHN: So, you want to ease up on the observation and so rather than taking or basically has taken several years.

DR. SCANLON: I am thinking that you are setting up a problem to deal with in that sentence.

MR. STEINDEL: Bill, actually this is factual statement. The rule-making process takes several years from the issuance of a notification of proposed implementation, rule making to implementation, actually HIPAA requires a 2-year process after the rule goes into effect until it is really implemented. So, there is sort of something in the law itself that requires years.

DR. COHN: Karen has a comment on that.

MS. TRUDEL: That was correct for the initial standards but it is not correct for subsequent standards. the Secretary can adopt any implementation period that he wants for subsequent standards.

DR. SCANLON: Thank you, Karen.

MS. TRUDEL: And not to be less than 180 days, I believe.

MR. STEINDEL: I am factually corrected. Then we do need to deal with Bill’s point.

DR. SCANLON: I think Bill’s point was that the rule-making process in general doesn’t have to take, that we have done some of these that don’t take long at all. So, maybe we need to say either it can take several years or that for the HIPAA rule-making process it has taken —

DR. COHN: I just want to make sure we understand what we are doing. So, we are saying that the HIPAA rule-making process has taken several —

DR. SCANLON: I think they should discuss it.

DR. COHN: Okay. Other comments on this one?

MR. REYNOLDS: Okay, observation three, return on investment. The testifiers who were using only the HIPAA health claims transactions indicated that they were not yet able to show a positive ROI. It is important that we improve the ROI for HIPAA transactions and code sets so that they will serve as a driver for further adoption of health information technology and standards in the health care field. The following actions could significantly increase the return on investment from the use of HIPAA transactions and codes. Recommendation 3.1. HHS should take immediate steps to increase the adoption and use by providers and payers of all those HIPAA transaction standards beyond the health claims transactions such as eligibility, 270-271, claims status, 276-277 payment and remittance, 835 and referrals 278.

These transactions when incorporated into daily processes can reduce staff, parenthesis, FTEs and increase efficiency. While we commend the ongoing work in this area by the Centers for Medicare and Medicaid Services, CMS, we believe these activities should be accelerated.

Recommendation 3.2, HHS should actively work with payers to facilitate the inclusion of enough information in their responses, eligibility standards 271 and claims standard 277 to allow providers to use the information to actually improve their processes.

Continuing participation by CMS is needed in the work by the Council on Affordable Quality Health, CAQH, a voluntary group representing payers, providers and associations on standardization of the data in an eligibility transaction.

This is an excellent example of voluntary cooperation to improve the HIPAA process.

Recommendation 3.3. HHS should actively work with vendors to encourage their inclusion of the aforementioned non-claim transactions in practice management software used in provider offices.

Vendors are key to the success of pilots on these topics and more importantly for the success of final implementation by the industry. As a result their inclusion from the planning to the execution of such studies will yield more informed and usable results.

Recommendation 3.4. HHS must continue to support ongoing work by the industry and SDOs to reduce unnecessary variability of business rules as currently documented in companion guides.

Several actions are necessary. The first is to support processes to identify common business practices that are included in the different payers’ companion guides. Second, harmonization of the business practices that are not common must be promoted to the extent possible.

In addition some independent initiatives are underway to further evaluate those differences in business rules. Continued support of these efforts by HHS would advance the original intent of standardization.

Recommendation 3.5. HHS must facilitate and encourage the adoption of one of the currently non-mandated acknowledgement transactions, e.g., 997 or 999 to standardize the acknowledgement process between providers, payers, clearinghouses and vendors. This will achieve standardized process flows among the parties involved thus reducing the effort necessary to achieve expected results.

Recommendation 3.6. HHS should continue the use of pilot testing in HIPAA transactions, new HIPAA standards such as a pilot conducted with a proposed claims attachment standard to obtain a real look at the actual benefits, issues, business impact on system changes surrounding the proposed standard.

Even small-scale pilots can yield valuable information that can help speed the implementation. We look forward to advising the Department on issues related to HIPAA transactions and code sets and health information technology in 2006.

DR. COHN: Comments?


DR. CARR; Question, the shoulds and the musts, some are things that HHS should do and some are that they must do and is that intentional?

MR. REYNOLDS: It was intentional when we wrote the letter. We need to look at it again to see if it remains intentional.

I am not trying to be funny. These particular ones have taken a lot of work.

DR. COHN: Actually I think I see two musts and —

DR. CARR: Yes, 3.4 and 3.5.

DR. COHN: I think that probably should is a friendly thing. I am not seeing any other musts. Justine, do you see any?


DR. COHN: Harry, what do you think?

MR. REYNOLDS: Should is fine. We feel that our recommendations, whether it is should or must go forward and hopefully will make a difference. Thank you for your continued input.

DR. COHN: Let me ask, I think what I am seeing is a couple of things. I am seeing a word smithing change in observation 1, referencing the HIPAA implementation and footnoting that the causes are numerous with a footnote related to the previous annual reports.

I am seeing a change in observation 2 which says basically rather than the observation that the rule-making process takes, rather it has taken several years which I think is the wording and we are saying actually the HIPAA rule making process.

I am seeing changes from should to must, I am sorry, must to should. I guess I am also going to suggest that where we have reduced staff FTEs we probably don’t need to put parentheses around FTEs because it is actually really staff full-time equivalents and my question is is there anything else or is that really the changes that we are recommending making and if those are the cases should we do it now or should we make those changes and bring them back to you for final review tomorrow?


DR. FITZMAURICE: On recommendation 3.2 I am wondering it says that HHS should actively work with payers to facilitate inclusion of enough information on their responses, eligibility standards and claims standards to allow providers to use the information to actually improve their processes. I am not sure what the context of work with there but I assume that it is jargon. Does it make sense to add to that and also show this by example in the Medicare program? I am not sure if that makes sense for eligibility because eligibility is determined by other things than just have you paid your premium and so I may defer to Karen on whether that would be a helpful addition or not. It would actively work with payers to facilitate inclusion of enough information and look we do this in the Medicare program. That would even be stronger I think.

DR. COHN: Karen, I am sorry but Mike is looking at you on this one.

DR. FITZMAURICE: I don’t want to put CMS under the gun on this, maybe on other things, but not so much on this but I want to, you know, and we do it by example. We expect other payers to do the same thing to help other providers.

MR. REYNOLDS: Mike, if you look at this sentence that starts with continuing participation by CMS, we are asking CMS to continue their work with the industry on this on a particular initiative.

DR. FITZMAURICE: Yes, but I am saying do they do it themselves and are we willing to say that we are doing it ourselves and we call upon you to do what we are already doing?

MS. TRUDEL; Yes, that is correct.

MR. REYNOLDS: And, Simon one thing for the record I guess as I said I had no conflicts which I still don’t think I do but I should make it clear that I am the Chair of the CAQH initiative to do this.

DR. COHN: I guess you should have referenced that at the beginning this morning.

MR. REYNOLDS: I actually forgot it was in the letter.

DR. STEUERLE: I did have one additional comment that maybe could be easily accommodated but the only place you mention the possibility of legislative change seems to be in the first bullet, recommendation 2.1 and this is not an area in which I am an expert but I have been involved in a number of legislative efforts and I know the way legislation is often drafted. It is basically something that Jim Brady whom you may remember who was President Reagan’s first Press Secretary called bog set method. That is a bunch of guys sitting around a table which means that legislation is not always finely crafted and the result of a rule-making process to implement legislation is sometimes hindered by the fact that the legislation itself is inadequately worded. I was just wondering if that type of sentence on legislative considerations also doesn’t carry forward into this third area where you are saying that people are not finding an adequate return on investment and I don’t know that the only solutions are only things like for instance new HIPAA standards. I mean maybe there are some old ones that should be abandoned.

I am just wondering if the consideration of legislative changes ought to be carried forward a little bit further beyond just recommendation 2.1.

Again, this is not my field but is this a matter that we believe the legislation is the best thing since sliced bread and it is just a matter of we don’t know how to implement it or some of these problems of implementation and are 10 years to get rules implemented sometimes because there have been inevitable dilemmas posed by the way that the law is drafted that are not going to be resolved and the regulatory process is becoming quite expensive ?

DR. COHN: I see Karen raising her hand and I will reference that one also, but, Karen?

MS. TRUDEL: I would say in a lot of the studies that I have read when the standards are implemented for instance these eligibility and claimed status standards are implemented robustly and on a consistent basis and I, again, also, think that what the CAQH is doing is very valuable in that respect, that people do derive a return on investment. So, I am not sure it is so much that the standards are broken and legislation may be needed as much as the doing of it needs to be fine tuned and where people have to do it. I mean a lot of people aren’t finding a return on investment because they are not bothering to implement the standards. Since providers don’t have to do it they tend to for instance stick with phone communication.

DR. COHN: I am not sure I can go much further than what Karen was saying. I think we have obviously been following this for the last 10 years and I think that the view at least of the subcommittee is that there is value to be derived from the implementation and I don’t think any of us were intending to open this up to a total review of whether or not the whole effort ought to be abandoned which is I think sort of where I was hearing you going that this should be abandoned at this point.

DR. STEUERLE: You do say legislative changes and as I say in recommendation 2.1 it doesn’t carry through the rest of the document. Maybe that is deliberate.

DR. COHN: Yes, I guess that nobody thought of these other areas. Karen may have some view about that. I didn’t think that there was need for additional legislation in these other areas that were regulatory or people working together.


MS. TRUDEL: Yes, the remaining recommendations are ones that we are pretty sure we can carry out under our existing authority and our ability to partner with industry whereas there are some perceived procedural barriers to the modification and update process that may actually need legislation to address.

DR. SCANLON: I share Gene’s lack of in-depth expertise in this area. The reference to the statutory change there actually makes reference to the APA as opposed to changing HIPAA which in some respects is even more sweeping to think about changing the Administrative Procedures Act than it would be to change HIPAA.

DR. COHN: I guess I am not sure. Help me with this one. You are looking at recommendation 2.1 under the HIPAA. I am not sure that I, actually the APA. I am not sure that I saw this as a suggestion to change the APA but more changes that may be specific to I mean I may be a little out of my league on this one but I thought this was changes to the process relating to these particular transactions as opposed to an attempt to overhaul APA and if you are interpreting it as an overhaul of APA I worry that we have misdrafted this particular sentence.

DR. SCANLON: This is then a cold reader comment. I mean we have got here an in-depth review of statutory and regulatory requirements such as those under the APA and you conclude in a determination as to whether legislative changes should be initiated. Somebody coming in without a lot of knowledge is —

DR. COHN: Should we say, “HIPAA legislative changes should be initiated?” Would that help?

DR. SCANLON: But the point Gene is making is this is the only place where we are talking about legislative changes and did you mean only HIPAA or did you mean APA or should you be making sort of reference elsewhere to the HIPAA legislative changes?

DR. COHN: What do people think? I am actually thinking that we really mean, I mean it sounds like we have to take this back and word smith it some more but I am thinking we really did not intend to open up the entire realm of APA. I think we are looking really at HIPAA legislative changes.

Okay, I think I am becoming convinced by all these questions that we will bring back up a marked-up version tracking changes on it so people can see the changes and so we can look specifically at those changes in the morning for action. Is that acceptable to everyone?

Are there other issues?


MR. HUNGATE; Miine was a question more of process. The letter I commend in its content. As a long-time advocate of getting these things moving I think the observations are great.

The thing I am wondering about is that you know it took several months to get the letter together once all the data was taken in and so we are talking about a jawboning process where we are recommending HHS to do certain things, some of which is basically maybe taking this letter and making it available to all the vendors and providers.

PARTICIPANT: It was posted on the web site.

MR. HUNGATE: There is a difference between posting and encouraging viewing I guess and what I am wondering is what is the process of taking the content? Do we just turn it over to HHS or do we encourage other action along with that? In other words we are saying that the providers and vendors are the sticking point.

MR. REYNOLDS: No, I think we are saying that everybody is in in one way or another. Could I make a comment, Simon?

DR. COHN: Yes.

MR. REYNOLDS: Throughout these hearings that we have had and as you said we saw 17 hearings and 200 testifiers; so, we have been going at this a while, plus I think if we had read this letter to you before Karen spoke, before John Loonsk spoke and you had really understood that some of these things are getting picked up already, plus you have got all the SDOs that are picking it up; so some of these things that may be if you took the eligibility transaction where it listed the minimum standard making sure that that is maybe a little higher so that it is a useful amount of data rather than just minimum standard we which is the Work Group on Electronic Data Interchange which is pretty much the whole industry; it is a little bit like the NCPDP focus of e-prescribing; so, everybody that is working on this is aware of these issues. Everybody that is working on this is already working on them.

The benefit of this letter to the actual industry is probably already on the street being worked would be my feeling. Now, as far as the legislative process and actually making it happen and there are some bills in Congress right now and there are some other things going on and that is a separate thing but those are also being at least attacked. So, I am not sure there is any brand new stuff in here and I am not sure that this letter on the street to vendors and others changes it.

I think it does help the Secretary in looking at how we move forward. That is a personal input.

Simon, you are nodding, but I am not sure if you agreeing with me.

DR. COHN: I think we are an advisory committee. We are not a public relations activity or a private advocacy group. So, obviously our recommendations are really meant for the Secretary and the Department.

I think that the letters that we have traditionally written are very helpful to the Secretary and the Department by providing focus and prioritization as well as suggesting actionable steps that HHS can do to sort of help reach worthy goals and so I think rather than you know what I mean, yes, it is read by others but I think that the strength that it has is its focus and its actionable recommendations and the recommendations generally which we hope make sense and people can nod their heads.

So, I guess I would say that yes, this is put on the web site. Yes, it is sent to the Secretary. There obviously may be occasions for us to speak about it to the industry, some of which is obviously in the room and will be here tomorrow and that I think begins to move the process forward as well as help sharpen the focus.

MR.HUNGATE: I am fully comfortable with that and I just suspect that the hearings process itself was a lot of that communication and so that is helpful to me in understanding that in a good way and I am proud of our participation in getting that done.

DR. COHN: Okay. Now, I, personally, think this is an important letter as well as time sensitive. So, I think the subcommittee needs to make changes to it and we need to take a hard look at it tomorrow morning, redlined and hopefully it will have moved to a position where with the changes we have described and modifications that hopefully it will be acceptable to everyone.

MR. REYNOLDS: I would remind the Committee this is the second time this letter has actually come to the Committee. The first time we were a little more prescriptive in our recommendations and other things and have stepped back from it to make sure that what we are bringing forward is a little more actionable and a little more, in other words where a lot of work needs to go forward to figure out some things we recommended the studies. Where we felt that there were clear and specific examples we used those as recommendations. So, this is the second time we have essentially worked it in front of the whole Committee.

DR. COHN: And we will have a chance again tomorrow morning it sounds like, also.

Now, let me just talk about the agenda for the rest of the day for a moment and I guess I want you all to think about this one a little bit.

We are obviously somewhat behind where we thought we were going to be by this time which is not necessarily approval of letters but at least consideration of letters. We have a letter on matching patients that needs to also be discussed today. I do think that at this point it makes sense to give everybody a lunch break which I am all in favor of as opposed to trying to work through lunch.

John Paul disagrees but —

DR. HOUSTON: We should suspend lunch until it is done.

DR. COHN: That is right, exactly, all the letters not just that one, but at 1 o’clock we have Mark Leavitt talking. I still think it is important that we go ahead at 2 o’clock and talk about the privacy letter. I think what I am deducing from all of this is that subcommittees are likely not going to be starting at 4 o’clock. They are going to be starting somewhat later.

Now, the good news is we don’t have a planned dinner tonight.

John Paul?

DR.HOUSTON; Could I make a suggestion about the third letter that Harry has?

DR. COHN: Yes.

DR. HOUSTON: I guess if we all read it if we have comments about it why couldn’t we go to the Standards Subcommittee meeting at 4 o’clock to discuss those concerns and maybe that letter can be dispatched without having to try to find a place for it on today’s agenda.

DR. COHN: This is its first public reading. So, I think we do need to at least get everybody. Populations is going to be meeting at the same time. I just want to bring this up and we are not going to meet until 9 o’clock tonight or anything like that but it is just that we obviously have a number of things that need to get handled this afternoon.

Now, with that we are already at 12:05 p.m, and I am just suggesting that everybody take a 55-minute lunch break, reflect on the work ahead for this afternoon. I said it was going to be a busy meeting. It is definitely going to be a busy summer and fall and we will see if we can sort of move through the work this afternoon.

With that we will adjourn until 1 o’clock.

(Thereupon, at 12;10 p.m., a recess was taken until 1:07 p.m., the same day.)


Agenda Item: Certification Commission for Health Information Technology — Briefing http://www.cchit.ora/ — Dr. Mark Leavitt

DR. COHN: Will you please be seated and we can get started momentarily. I want to first start by thanking Mark Leavitt for joining us. Mark is the Chair of the Certifying Commission on Health and Information Technology and obviously we are very pleased to have you joining us and giving us a briefing and an update on activities.

We are also delighted this fits so well in with Senate hearings between where you have to be at this afternoon also.

Just for everybody’s edification Mark is going to leave right around 2 o’clock if not a couple of minutes before to prepare for those hearings.

So, we are obviously delighted you could join us.

DR. LEAVITT: Thank you. I am glad to be here. I hope to get you back on your schedule by finishing either right on time or a little early. I will save plenty of time for questions because I think that is the most valuable part.

I suspect many of you have seen the first part of the presentation. So, I will keep the background material brief.

I will give you a little bit of background on CCHIT. Actually let me quickly ask how many here have not heard anything about CCHIT? Anybody?

Right. Everyone has heard about it. Unless you want to check to make sure my story is consistent we will keep that brief and talk a little bit about our process as it has been evolving and then spend some time on the criteria, what they look like and our inspection process. That is what is very new is the inspection process because we have actually launched a certification program and then we will talk about what lies ahead for 2007 and take your questions.

Just to briefly cover the background I think you know that we are here to help accelerate the adoption of health IT and we use robust interoperable health IT as the adjective for that and we really came about following the strategic framework that was issued in 2004 by Dr. Brailer and as you know there are parallel efforts by other contractors, the standards harmonization contractor, the national health information network that does scale with our efforts and we cannot succeed without those other efforts and we think we are important to their success, too, and I will talk a little more later about how those fit together because I think it is very important to understand the whole strategy.

To briefly review our origin we were founded by three health IT organizations, AHIMA, HIMSS and the Alliance. They formed a partnership to fund and launch CCHIT. We broadened our funding support about a year later with eight additional organizations and in September of last year we were awarded the HHS contract of $7.5 million over 3 years to develop compliance criteria and inspection process for EHRs and the networks through they interoperate.

I have already hinted at our mission statement which is pretty straightforward. There are four goals in other words four ways that certification can accelerate the adoption of health IT. Probably the most straightforward and easy to understand is the reduction of risk for providers to invest in health IT. There are plenty of horror stories and also some pretty good studies that show that the results of investing in HIT are rather variable and may range from tremendous success with verifiable improvements in quality and benefit and those sort of things all the way through horror stories where they unplugged it and gave up or another form of horror story where they implemented it and someone did a study and said it is introducing errors rather than eliminating them and those risks are as you can see very hazardous. We want to try to reduce those risks.

I would say of the four goals that is probably the one that is most directly achievable.

The second though is very important. We want to make sure that as this HIT adoption accelerates we don’t create digital islands of information that were previously paper islands of information.

We want to make sure that the products that are being adopted operate through this emerging network whether we call it a national health information network or RIOs connected by a national network. We want to make sure that those products are compatible and the information does not become isolated but becomes portable and comparable.

The third goal that we have is to make available new incentives for adoption of HIT. As you know there have good studies published showing that the benefits of HIT adoption often flow to entities other than the ones who invested in it. The purchasers and payers of health care realize the cost benefits at least physicians and hospitals that invest. Often their revenues are actually reduced when you reduce inefficiencies or duplications. So, we need to connect the dots by feeding back some of those savings and that is what you call an HIT adoption incentive.

We want to make those more available because you can imagine a payer considering that would not want to have to develop their own system for evaluating the EHR products and determining whether they had potential benefits. We would have a few hundred health plans evaluating 200 EHRs, basically 40,000 evaluations going on.

Second in that point is the relief of regulatory barriers. I think you are aware that HHS has proposed regulatory changes related to the start and kickback statutes that might provide some safe harbor when hospitals help physicians with IT and certification can provide a very precise gateway for follow-up of patients with those products and finally, we need to be part of a very important effort to make sure that we don’t compromise privacy of personal health information as we make this transition.

This is probably besides financial barriers and cultural barriers if the American consumer becomes convinced that digital health information is a greater risk to their privacy than paper-based health information we can end up stopped cold. We want to make sure that during the transition privacy is enhanced and not reduced and I believe it can be enhanced.

We have a broad array of stakeholders and they involve both the private sector and the public sector. The first three I have listed providers, vendors and payers form a bit of a trilogy that we have to keep in balance for our natural tensions between those and we are always careful to make sure that we are talking to all three of those groups when we make important decisions.

We are, also, very indebted to standards development organizations. It is those standards that we certify compliance with and those working with incentive programs, quality improvement organizations. We understand research is important, public health. That is over in the public sector, right, and consumers. On the public health side as I mentioned, public health has safety net providers, all our fellow contractors and a number of federal agencies.

Just to give you an example the National institute of Standards and Technologies, NIST actually worked with us developing a means for monitoring our juror reliability and I will talk later about how we used jurors to evaluate products.

So, we worked in collaboration with a really wide variety of stakeholders and this is just a few principles. I mentioned privacy. We also feel a sense of urgency. We think that it is very important for the private sector to move forward with this now because we don’t think a legislative solution getting down into the details of what should be in an electronic health record is probably effective. So, we need to act now. We potentially could weigh the fortunes of vendors in the marketplace when we certify or don’t certify products. We have to be meticulous in our credibility, openness, transparency and the way that we work collaboratively and I will talk a little more about that and the inspection process itself has to be just as fair and reliable and repeatable as we can make it and cost effective, too.

This slide here talks a little bit about how we fit in with the other contractors. Now, you will notice our box is in the center. Everyone always makes a slide with themselves in the center and it is only bigger because we have a longer name but we work in parallel but there is a bit of a flow through here. This harmonization contractor, NC HITSP really validates which are the appropriate standards and fills the gap if there is an implementation guide missing or a standard is not sufficiently defined.

So, they are really a source of standards to us and eventually actually fairly soon, this year the national health information network prototype contractors will be a source of information for us as to what are the architectures of these networks and a little later the privacy and security solutions contractor will be the first of what are the policies we expect these systems to implement that will be uniform and useful.

We are the interface between those policies and standards and the rough and tumble marketplace of people buying EHRs, products, development, ratios, salespeople, purchase orders, you know the private sector marketplace. We coupled those two. We want to deliver the best of what comes to us and make sure that the marketplace adopts it.

By the way this has been an issue in the past. When people say that the reason we are struggling with health IT is there are no standards, that is really an incorrect statement. There are standards. The problem is the standards are not implemented in a way that makes things plug and play and interoperable and we are trying to be the missing link that makes sure that when someone says they comply with a standard we make sure that means the consumer gets the benefit. I can get a lab result without having to bring in an interface engineer and spending 20 or 50 thousand dollars in my office and likewise down the road and down the road.

Okay, a little bit about how we are organized. We have a board of commissioners. They are all volunteers. There are currently 19 plus myself. We have a modest staff of about a dozen people. Our Executive Director, Alisa Ray is here. She joined me today and she is sitting or she was here a minute ago.


DR. LEAVITT: And we have a certification development director, our certification delivery director and then we have our work groups. There are actually five, one that develops criteria and one that works on the certification program itself and they are volunteer staff and we have bumped them up from 10 each now to 14 to 16 each because of the increased work load and they all have a staff coordinator.

When you look at the organization there are about 10 or 12 staff but there are over 100 volunteers who work very hard, oftentimes meeting more than once a week, oftentimes meeting for more than 2 hours and taking home a lot of homework. We are really indebted to them and clearly all of our success owes to the work of the volunteers.

We take a lot of steps to ensure openness and transparency. We are in the private sector but we try to adhere to the more stringent guidelines that you are familiar with here of public sector activities in terms of openness.

We invite participants to be commissioners to an open call. We invite work group members through an open call. We have a defined composition on the commission making sure we don’t leave out people in the groups. In the work groups we use two co-chairs not one to separate power. We try not to have both co-chairs from the same stakeholder group, again, weight and concentration of power.

We have a pretty rigorous conflict of interest disclosure policy for all the volunteers, publish all the meetings, the minutes of our meetings, both the work groups and the commission and we publish our work product and I will show you how we do that in a minute, multiple times during the course of development and we respond to the comments and then of course we have town halls in person. We just had one here in Washington about 2 weeks ago. We had something called the HIMS(?) summit. I think we had 500 people there or more, maybe 700 in the room and we have town calls for those who can’t travel to the town halls and we will be having some of those in the next month and then we go out to specific groups. There are some groups that just don’t know about us and don’t come to the town halls and calls. Consumers are actually an example. We go out to them, find the right people and say, “Could we have a teleconference with you and tell you about our work and get your input?”

Under the contract the scope of work is to develop and begin certifying ambulatory electronic health records in the first contract year, inpatient electronic health record products in the second year and the networks through which these EHRs interoperate in the third year.

To provide some more details of that this slide here shows the time line and I would point out that even though it appears here that we work on ambulatory EHR the first year and inpatient the second, in the second year we also update and refine the ambulatory criteria. So, each of these areas that we initiate we need to refine annually.

DR. HOUSTON: Is there any desire to look at EHRs.

DR. COHN: You need to get to a microphone.

DR. HOUSTON; Is there any thought of getting into looking into EHRs?

DR. LEAVITT: It is not a formal part of our contract but we have heard informally from various stakeholders that they are interested in it and that EHRs might need certification especially as their buyers are perhaps even less sophisticated than the health care professionals are and that we need some certification or maybe we just need certification of the interoperability to make sure they can send and receive data. So, we are not officially doing it but we are certainly listening in case groups come forward and say, “We would like to see you do this. We would be willing to sponsor it.” We could offer this kind of support, but given the government contract these are the three domains that it covers and then within each of the phases we have multiple cycles of public comment.

For example, in this new phase we are starting in inpatient criteria we will have public comment twice before we publish the proposed final criteria. We will also publish the inspection process and then there is a third round of comments on the criteria after we have done the pilot work.

I will give you some more details on that actually. We begin with an environmental scan, what standards are out there, what are the priorities for each of these elements of the standard among the various stakeholders. For example, is there a standard for transmitting lab data from a lab to an EHR? How important is that physicians; how important to patients; how important is that to payers and next we say, “Is that available; is it technically feasible; is it now being delivered routinely; is it close to being delivered; is it years away; is it something that has to be developed; and can you test it?” Even if it is important perhaps it is something that you can’t actually test in a meaningful way. The group looks at all of those and creates a an environmental scan, and we publish that for public comment and again looking for extra input.

In the next phase they actually begin to draft the criteria based on those standards and we have a road map and this has proven to be a very powerful tool. We published the criteria that we will be using for the upcoming year but we also forecast the criteria 1 and 2 years in the future. We call those the road map columns.

By doing that we sort of signal the marketplace and we have extra time to vet and refine more difficult new areas that are a little bit in the future. After that is commented on we develop the inspection process and put that out for public comment and then we do the pilot test. The pilot test this year involves six vendors selected randomly from about 30 that applied. We are really not testing the vendor products. We are testing our own criteria and test process and based on that we refine the criteria, refine the test process for one more round of public comment, each of these about 30 days and at some point you stop and you say that you are done and you start certifying, and we recently did that.

On May 1, we published the final criteria for ambulatory EHRs and took applications from May 3 to May 14, and we are actually now in the testing process.

So, that brings us to the criteria. I would like to talk a little bit about our criteria for ambulatory EHRs. This is for 2006, and we go in certification years that run from May 1 to April 30. So, starting May 1, these are the criteria through the last of April 2007,

I am not going to go through the details. There are 250 criteria in functionality alone about half of which are applicable in 2006. I just want to tell you how we get them and talk about the form of them.

They are all online at our web site, www.cchit.org. If you go under CCHIT’s work and go to the criteria on inspection process you can see the documents and they were all published and they are all available for download.

They look like this. In the left columns you have the major category. This is a functionality criteria spreadsheet. The major category in this case identify and maintain a patient record, the specific criteria, system shall create a single record for each patient, shall be able to store more than one identifier for each record, should provide more than one means of looking up a patient and so on, you can see the data from the environmental scan, the priorities among providers, vendors, payers, public health, patient, the availability of the marketplace, again high,medium or low and then finally where it says, “Compliance,” that is your road map.

So, if there is an X in the 2006 column we are requiring it this year and I will talk more about this later. We actually require 100 percent compliance. The product has to meet every criteria not 97 percent of the criteria, and we will talk about that in a bit.

Now, in a few cases we had criteria that were just at the cutting edge and you know about half of our stakeholders said that we want this, and others said that we don’t think it is ready for prime time. It might not have been validated in the pilot test. We got fuzzy results. So, we made any criterion that didn’t pass our own testing provisional and that is analogous to the tests on your college boards. You know when you take it it says that some questions will appear on the boards and they don’t participate in your score. We are refining them for future use. Well, we are doing that and they are highlighted in yellow. Everybody knows they are provisional but we are validating it just by practice testing it for this year and then we will feel very solid about it and have refined it for next year.

The interoperability criteria, that is a separate document. We couldn’t do much for 2006. ANSI-HITSP didn’t exist. All of the conflicts and gaps existed and so all we could really do is create the road map for 2007 and 2008 and in 2007 have the real interoperability criteria for ambulatory, at least a handful of the most important ones.

The third area that we certify is security and reliability. An interesting area which purchasers other than large organizations like Dr. King’s, if you take a small organization, a small office they often don’t have the first clue about what questions to ask about the security or reliability of the product.

So, we are kind of breaking new ground and we found to some extent one of the challenges is while a security specialist will say that to be secure you have to have to protect the data in the software, in the hardware, in the network, in the transmission over the Internet but the vendors only build the EHR software and they say, “We don’t do the other part.” We make them tell us how the other pars are taken care of .

So, it is kind of a new and rigorous challenge for them and it has been a bit of a struggle but the security experts, the criteria said that you need to at least have them show you that they know what you are talking about and they specify this is handled by the browser, by secure sockets. This is handled by a standard network security method and this is something we do ourselves.

Those are called assignable criteria. They say assigned and the say that it is external to my product but I will tell you how I make sure the end user gets the benefit.

Everything I say here in a sentence or two was probably 100 hours of argument and discussion in the work group going around and around.

Now, to talk a little bit about the certification program itself against those criteria, this is a very open process. The vendors who wish to apply get to see everything,no secrets, all the documents we are going to work from,not just the criteria but the test scripts and the test methods and we used a test method that we found to be the right compromise between pure theory where you might take a product and put it in a testing lab, lock the doors and test rigorously and then say that it passed or didn’t in a very I will call it simple method where you ask the vendor does it do this and this and they say, “Yes, yes, yes,” you passed. Okay, those are the two extremes.

I can tell you we had stakeholders that wanted each of those extremes as you might imagine but we found something in the middle and what it is is a scripted demonstration of the product and let me show you that. It is a scripted demonstration of the product before an expert jury.

So, the vendor has the script. It is a clinical scenario. It is not that different from going and doing a demonstration for prospective customers when they say, “Show us how it would to take care of this patient,” but we have three independent jurors. We have a proctor who makes sure things are done in an appropriate way and the jurors vote independently on whether it complies with each of the items, and we felt that was the best compromise. Because it is done over the web there is no flying. That kept the costs down considerably.

The vendor has installed the product at their own facility and their own personnel operate it. That was a huge issue. How can you have a lab operate it when there is no lab tech; there is no EHR? So, that is what we came up with. So, basically the vendors can download all of that material and we have quarterly certification cycles. Because we don’t want our announcements to be dribbling out every 2 days or week we have asked them once a quarter and say, “Here are the new certified products.” So, the vendors apply in a window at the start of the quarter. We run all the tests and we announce the results. We announce results of the first batch July 18, and if we haven’t got them all tested because the first batch was somewhat unpredictable as to size and how hard it would be to test and how many jurors we could get, we have a few overflow that we will announce a few weeks later. After that we expect to be able to do it straightforward, apply it at the beginning of the quarter and announce it at the end of the quarter or the start of the following quarter.

Then once a year we update the criteria. We will run through April and then in May 2007, take applications and certify against the new criteria.

Now, this is our certification process and I don’t want to take you through all the details. Suffice it to say they apply. They have to get in their application, their fee, their at a station materials before they get to pick a date for that observed test and there are three different tests. We test functionality with an observed demo. We will test interoperability but there is no criteria yet. We test security with an observed demo and then there is a third test which is an inspection of the documentation they submitted. That is the self-attestation.

I already described how the functionality demo takes place. The test scripts look like this. It reads very much like a clinical scenario on the left and we basically tell them what to do and the jurors are told what is the expected result and you mark it pass or fail, compliant or non-compliant and when in doubt read the criteria. The point is really not the script. The point is does it meet the criteria. So, if there is any doubt reread the criteria and judge what met the criteria.

During the security inspection instead of using three jurors we use one and that is because security we found experts agree to a greater extent than they do in the functionality of EHRs. So, if the cost of having three different jurors didn’t seem appropriate we will evaluate how that goes and I will explain in a minute that there are still safety mechanisms and then that same IT security expert is the one that reviews the self-attestation materials and the test scripts were, security looked like this and they have those assignable steps. Now, let us talk about fail-safe mechanisms. One of the I would say most contentious topics was this 100 percent compliance required and I will give you the two sides of the argument. The vendors rightfully said that there are 250, actually there are about 120 functionality criteria in the first year. There are 120 criteria. If we miss just one because a juror had a bad day or something is a little off you are not going to let us pass. That seems really stringent.

So, how about if you get to miss five? In most testing 95 is a great grade. Then we said to providers, “What do you think of that?” and they said, “What if those five features are the ones only critical to the success of my office or the safety of my patient? Are you going to tell us which ones they missed?” Well, no, we can’t do that because then we create a political football about which ones they missed. It doesn’t work.

So, instead of introducing slop we said, “Let us make sure that the result on each item has a higher reliability.” So, we introduced fail-safe mechanisms. So, besides using three jurors if the product misses, is non-compliant on any items that same day when they finish their scenario you basically tell the vendor that these let us say three items were not compliant. Here is why. They actually have comments and the jurors go through the again and see if you can convince us. So, there is a same day retest. That gets around a juror inattention or a vendor didn’t understand what was needed issue. If they passed that second time they passed. If they don’t and again there are three jurors. So, two out of three or three out of three have to say, “No,” for it to be non-compliant. It is a simple independent majority vote. If they still aren’t compliant on one or more items they can request and they always will request a different jury, separate day retest of those items. You bring in three completely different jurors and go through the items that were non-compliant and see if they can be satisfied. Again, you need two out of three or three out of three of those to say, “No.” Now, you are driving down that error probability and finally if it is non-compliant on the second test they can appeal to the commission and there is a committee that will review a recording of the second day retest and the vendor can come and make their case.

So, we think what we have done is made the testing item by item accurate enough that we don’t have to introduce that sort of stuff of whether you can miss five of these and it seems to have satisfied most people although I assure you everyone is watching very closely what is happening right now.

Now, let me just look ahead at what we are doing and then I will be happy to take your questions. For 2007 now we have two parallel tracks, refining ambulatory and developing inpatient. So, the ambulatory functionality work group has to take what was on the road map for 2007 and decide what is real and are these ready for prime time. They are going to look at those provisional criteria that they gathered additional data on. They also have to support the breakthrough use cases from the American health information community and those are not purely interoperable. There is always some functionality involved to support the interoperability and we also asked them to address the issue of specialty-specific needs. During the first year we heard from specialists saying for example, specialty vendors who said, “I make a product for homology or behavioral health and your criteria don’t exactly apply,” or we heard from providers saying, “I am a neurosurgeon and I need some extra things,” or “I am a cardiac surgeon. I need extra data beyond what you have certified.” We are going to try to figure out how to deal with that.

It won’t necessarily mean we are going to create 12 different certifications. It may mean we work with specialty organizations so that they can define the six or the eight extra criteria they recommend beyond our basic criteria. We can still save them a lot of work and help create a lot more consistency.

The inpatient functionality work group is new. It has to decide how to certify inpatient EHRs. We have already got pretty strong feelings. It is too complex to try to certify a comprehensive large medical center electronic health record and have that ready in May 2007.

So, we said, “Where should you go first if you are going to go at it incrementally?” and they are settling pretty well on what they call the medication administration loop. It stars with computerized provider order entry, clinical decision support, the pharmacy system and the medication administration system.

It is just sort of where can you have the biggest benefit? Where is adoption low? Where is there confusion in the marketplace, and this is one of the areas? Now, in a separate thread is you can’t just drop those systems in. There are four fundamental systems that need to be there for these safety systems to operate, identifying patients, a repository of clinical data; so, they may also have a certification for the sort of basic foundation ready for the quality and safety improvement systems and finally, they are working on what functionality they need to support interoperability. So, it is still very much in flux and if you are interested I encouraged you to look at the work during this first public comment period. They also have to support the breakthrough use cases.

The interoperability work group is pretty self-explanatory. They have got to develop the criteria for both ambulatory and inpatient while supporting the use cases and the security work group really pretty similar .

We have a fifth group which is different and instead of the criteria they actually are watchdogs on our certification program. The application process, they are looking at how we monitor juror performance and reliability, how we allow vendors to use the certification seal. We are going to be doing the certification impact study under the contract on what is the impact on adoption of our certification activities.

So, to just wrap up a few points CCHIT has been around almost 2 years now and we, using a consensus-based development process engaging a broad array of stakeholders have developed the first compliance criteria for ambulatory EHRs. We have launched our certification program. The first results will be out July 18, followed by quarterly certification cycles and the annual updates. We have started development of the inpatient EHR domain and it will not be a comprehensive EHR the first year. There will probably be some modules in some foundations and we are tasked to expand to the network domain the following year. We will start looking at the network domain in September when the prototype contractors have their results ready and really our success is the result of tremendous support we have received from the founding organizations, the funding support and all of our stakeholders and especially everyone who has volunteered and put time into this.

So, thanks very much and I look forward to your questions.

DR. COHN: Kevin?

DR. VIGILANTE: Thanks very much for your presentation. We have sort of been looking at with the folks as ASPE some of the factors, microeconomic factors at a practice level which either impede or impel adoption and it is clear that after reviewing the literature, doing site visits to practices that the issue of uncertainty is a major impediment and at multiple levels, the level of uncertainty about benefits, uncertainty about functionality, uncertainly about vendor selection and so this effort I think is very important in helping to reduce the level of uncertainty so that any investment has the perceived risk when any investment becomes lower. So, I think it will be very interesting to see how this affects the marketplace by next year.

Just in terms of it was hard for me to read the small print in the reproduction here, in terms of the future road map do quality reporting and issues or standards relevant to biosurveillance, do those figure into the future in a prominent way and in what sequence would that occur?

DR. LEAVITT: Good question. Quality reporting was actually a topic that went on the road map and we struggled with whether we could require a specific report output now. It turns out even though there are organizations saying, “Here are the new standards,” there are multiple organizations saying,”Here are the new standards.” So, we couldn’t quite push and say, “Here is the single gold standard for quality report.”

So, what is required this year is that the system is able to collect structure data that is needed for quality reporting. If the quality organizations come together and whether ANSI-HITSP helps that or they do it themselves under new umbrella organizations, then it is going to go in there because we know that is one of the more important things tied to pay for performance and helping with those financial incentives.

So, we have started the data collection as a requirement and we would add those as soon as they are ready. You mentioned another. You mentioned biosurveillance. That wasn’t in the first year. It didn’t really pop up until the community came together.

So, I believe we will see that come in but it is probably good to point out that a new functionality that is not now in products, it is one thing if the functionality is there and the standards are wobbly; you can adjust but a functionality is not there, you know, most office systems are not designed to monitor for pandemic flu and send it to CDC.

When it is new they need a little more lead time. So, even though we might try it is unlikely we would be able to put that in as a rigorous criteria in 2007. It could be on the road map for 2008 which is a very useful thing to do or maybe an incremental step saying that we need to collect the chief complaint or something like that and be ready later and then a year later you put it in with the standard for communicating.

DR. STEINDEL: If I can comment from wearing two hats, you know, first is one CDC hat and the other hat being part of the ambulatory work group that developed these criteria we did obviously discuss the inclusion of biosurveillance during the development of the criteria . There is functionality in the 2006 that provides some of the pieces that will be needed for the system and there are some other pieces that are road map but actually the express biosurveillance criteria as being enunciated by AHEC as Mark said was not there and I think they can be added relatively quickly because a lot of the building blocks are there.

DR. COHN: Paul, you are next and then Harry and then Mike.

DR. TANG: Thanks, Mark for your very informative presentation and it sounds like a very robust process for getting this off the ground.

I just have one simple question. I am assuming vendors must put through a released product that is installed somewhere. Am I correct in that?

DR. LEAVITT: Yes. Here is how we handle the issue of is it real; is it out there. They must state whether this is full certification or a premarket conditional certification.

If it is a full product certification they have to supply one site name. We contact and verify that that version number is running.

Now, vendors rightfully said,”You know, if you become powerful enough, we won’t be able to sell that first one until you have certified it.” We said, “Okay, we would love that of course.” So, you go for a premarket conditional certification. So, we test and certify it and we don’t get the sticker until you can then tell your customers we are premarket conditionally certified, get the first customer installed. Give us the site. We verify it and then it becomes a full certification. Try to prevent a chicken and egg kind of deadlock, but the providers came out pretty strongly on this topic and there is a safety mechanism. This is the one case where we will actually accept consumer complaints.

If end users come forward with evidence having tried to work it out with the vendor first that the product being sold as certified is not the product we tested and substantially different we have a recourse mechanism. I am hoping we never have to use that but there is a safety valve.

DR. COHN: Harry, Mike and then Jim.

MR. REYNOLDS: Hi, Mark, nice job. I think you are going to really help people out there that are trying to pick the right system. The question I have for some of us that really couldn’t read the details and I am older than Kevin; so I know I couldn’t read it but I think the question is help me with the difference between an ambulatory EHR and a practice management system and how similar and how different.

DR. LEAVITT: The group struggled with that, too. There are things that are clearly in the two different arenas. The system that generates the bills, the claims and the bills is clearly part of the practice management system and the system that does drug interaction checking and records your progress notes and imports the labs, that is the, what we call the EHR.

Admittedly there are gray areas. You know you order a test and it checks to see if that drug is on formulary. I don’t think the criteria include formulary checking. It includes the drug interaction checking. So, the line zigs and zags between the two. We try to follow the natural line of the marketplace because people do market them as separate products but there are gray areas and we did the best we could.

One of the things we wanted to have was a standard for the interface between a practice management system and an EHR and there was none out there ready to use. So,we weren’t able to do that.

If we could get that from for example, ANSI-HITSP and require it we would reduce the risk of integrating your EHR with your billing system and that is one of the problem areas. That has been one of the issues.

MR. REYNOLDS: A second question and you kind of gave an answer a second ago, when somebody does a vendor or does a demo are they certifying to you that that demo that they gave is a system that is publicly available not a beta not a let’s pretend version?

DR. LEAVITT: Yes, if they applied for full certification in their statements that this is on the marketplace, this is a version that people can buy then we verify it by going to a site and looking at the version number and we have the safety mechanism. Yes, that is one of the issues. If it is a beta they can come in and premarket conditionally certify and we have to verify.

You brought up another topic which I will touch on briefly. What happens is they change their product and upgrade it. As they update it they are allowed to attest to us that the new version meets all the same criteria and we just add the version. They are supposed to come and retest it. They do a major re-architecting of the product and again you have the safety belt to protect that. You really hope that the vendors would come every year and test against the newest criteria because I think that delivers the maximum benefit for the consumer but there are costs. We had to charge for certification. For those jurors, we pay the jurors. There is telecommunication. There is administration. So, we are not able to do it without charge and that might be a roadblock in some cases and we are going to be watching that issue very closely.

DR. COHN: Mike and then Jim?

DR. FITZMAURICE: Two questions, the first one is the cost for certification is about 25 to 28 thousand dollars. Should this activity be supported in part by the government because of the government’s role to make the market operate more efficiently or do you see it become self-sustaining over time and the government’s contribution diminishing down to zero?

DR. LEAVITT: Good question. The contract itself tasks us with developing a business plan to become self-sustaining after the contract ends. The contract is 3 years but there is a 1-year option for support for another year as we refine and in a simpleminded way I think of the government contract as covering that first year very expensive development and that the actual testing should be able to support itself.

It turns out there is some overlap. The first year’s testing there is still a lot of developmental work in understanding and refinement. So, it does cover that kind of development. The pilot test for example clearly that is test and development not official certification, but we have a goal to become self-sustaining and not indefinitely supported by the government. I think if there are new areas such as PHRs, personal health records that we get into we would though probably need funding. We probably wouldn’t start those on our own without some kind of development funding because that year of development when you are not testing products and there is no revenue and the volunteers and staff, it costs something.

DR. FITZMAURICE: Second question, and last one, at what point will CCHIT take its HITSPE recommended standards and NHI-recommended core functions as good enough to make them certification criteria or does AHEC have to bless them? Does ONC have to bless them? Does the Secretary of HHS or DOD or VA have to bless them or does HL7 have to incorporate them into a standard?

DR. LEAVITT: That is a tougher question. I don’t believe that the government needs to in the interim step between a well-known standard that the industry accepts and then formally approve it before we certify against it. If it is either a clear standard everyone agrees on or a controversial standard that ANSI-HITSP has resolved the controversy on we are going to move ahead with it and not necessarily require that that go through some kind of government process of approval but in general the government has set up the process and funded ANSI-HITSP. So, their hand is in it. It should be at a strategic level, I don’t think a tactical level of bits and bytes.

DR. SCANLON: Thanks, Mark. That was very informative. I have a question about sort of the overall

process and you have indicated that for the 2006 and 2007 cycles you are focusing on functionality and in a sense it is a pre-interoperability world. Assuming that the standards and interoperability capabilities are then factored into products how will the process catch up with those? Is it really a temporary certification, pre-interoperable kind of a certification that has to be renewed later when standards are available or is there some other way?

DR. LEAVITT: Good question. First let me just say that I actually believe the 2007 criteria for ambulatory I believe will have some interoperability. It is up to the work groups in a lot of cycles but I think that two of the three high priority ones are going to be in there.

DR. SCANLON: They require interoperability.

DR. LEAVITT: Yes. But the way that we drive things into the marketplace is just the market pressure, if physicians start saying, “I will only buy a certified product,” that puts pressure on the vendors to get certified each year which shortens the delay time. Technically they could certify in 2006 and market the product and not change it. They have a limited 3 years that they can use it and they pay an annual fee if they want to reuse it the second and third but I am hoping that market pressure will encourage them to meet the newer standards which will include interoperability.

So, I believe we will get some interoperability in the ambulatory area. We will have to see what we get in the inpatient area. We may get some there but I think in 2008 is when you will really see it blossom because HITSPE will come out with their first report in September. The architecture contractors will come out in September. So, we will really some remarkable progress I hope in 2008 or beyond.

DR. SCANLON: Would someone be certified for functionality and security and not, I mean do you have different categories?

DR. LEAVITT: Not in the ambulatory case but in inpatient we now understand we probably need to certify modules because people don’t necessarily buy it monolithically the way they buy their ambulatory EHRs. We would certify a provider order entry. We might certify certain interoperabilities as modules.

DR. VIGILANTE: I am curious how many vendors or products are in the pipeline for 2006 and then do they all apply for certification at the same time and if not how do you adjudicate between sort of the competitive advantage of the first cohort and the first quarter and that is sort of one question? The other one is does usability come into the picture here at all and if so how do you handle that?

DR. LEAVITT: Two good questions. I will make these the last questions then. First was what are the numbers. There are probably more than 200 vendors who say that they market an EHR in this marketplace but there may be of that 200 a number that have sold one or two or three and may or may not be interested in certification.

We open the certification in a window each quarter and as many as want to come come and then we ramp up our capacity to meet it. We had a little more than two dozen apply. I can’t give you exact numbers. We are only going to announce the certified ones. We are actually not going to announce non-compliant testing. We can come back and test later. It is too negative and potentially harmful but we had around two dozen apply and I expect that that may be the biggest quarter. I don’t think we will have that every quarter. It makes sense that the first quarter was the biggest. I wouldn’t expect that many each quarter.

I wouldn’t also, expect that all 200 come and apply or 300 or whatever the number is. I think they will self-select if they are not compliant and not apply for certification. So, basically we will take all comers every quarter and ramp up capacity to meet it.

Let me see now your second question?

DR. VIGILANTE: Usability.

DR. LEAVITT: Yes, good one. We are refraining from trying to test usability. It is difficult and challenging and subjective. So, we are not. The jurors are told, “Don’t judge whether you thought it was slick or clumsy. Was it able to do it?” but we have opened the door in the future that test method with a script and a jury and it is on the web and you could record it and you could actually technically time it, shutting off the stopwatch when people are gabbing and turning it on when the doctor is doing the thing and begin to test usability you know. In a rough way the vendors that get through the test in 4 hours and the vendors that may take 8 or 12 there may be a rough measurement there. It is too early to say whether that means anything or there are too many other confounding factors but farther into the future potentially that could become part of it. If it grossly seems to take more than three times as long as the average product maybe a flag comes up and we say they are going to have to do that again and get through it and —

DR. VIGILANTE; Because it is certainly in terms of uncertainty in the marketplace, that is certainly one of the larger hurdles and one could argue that at a certain level of threshold of usability below a certain threshold you actually affect the functionality.

DR. LEAVITT: Yes, right or use or function.

DR. VIGILANTE; And the ability to perform that function.

DR. LEAVITT: We are watching it and it is a good point to raise. It is too early to try to do that and it is quite subjective. When we do it we have to do it well, but the potential is there in the future.

Thank you very much for inviting me. It is always a pleasure.

DR. COHN: We will look forward to some more updates as you move forward and we are all very curious about how the inpatient module piece is going to work and reflecting what obviously is a very complex area partly because there is so much implementation. It is always a lot easier to go out and certify and develop criteria when you don’t have much of an installed base. So, in some ways I am sorry you aren’t working on the network next.

DR. LEAVITT: We have enough on our plates but thank you just the same.

DR. COHN: Good luck.

Agenda Item: Subcommittee on Privacy and Confidentiality – Letter Action June 22 NHIN Report and Recommendations – Mr. Mark Rothstein

Okay, I don’t see Mark Rothstein in the room. I am sure they are working on the letter. Let me first of all move to Tab 6, if you would which is one of the five letters that we have to deal with.

I don’t know whether we should read this letter. We will read this letter since the person this is to is actually in the room. It says, “Dear Dr. Friedman. Thank you for your exemplary role as lead staff to the Subcommittee on Standards and Security for the NCVHS. We appreciate your commitment to issues addressed by the National Committee and wanted to take the time to let you know how much your efforts have contributed to the Committee’s success and accomplishments.”

MR. BLAIR: Maybe not everybody understands why this letter was written. Do you want to express that?

DR. COHN: Why don’t I finish up the letter and I will comment afterwards?

MR. BLAIR: Okay.

DR. COHN: “The past several years have been a period of unprecedented development in health information technology and activity for the Committee. For example, Congress has directed the Committee to play a central consensus development and advisory role in data standards, initially HIPAA and subsequently the data standards needed to support the electronic prescribing provisions of the MMA. Your take-charge approach as lead staff for standards and security including your active participation as staff on the Executive Subcommittee was exactly what the Committee needed to tackle the ongoing issues of HIPAA implementation and CHR architecture matters. Your skillful mastery of the content area helped the Subcommittee handle the significant tasks associated with e-prescribing directives of MMA and the resultant whirlwind of hearings which successfully resulted in various sets of recommendations.

“The Committee could always rely on your strong clear explanation and analysis of rather complex and sometimes convoluted legislative and regulatory language. You never met a federal puzzle you couldn’t clarify and always with an engaging manner and the utmost charm and care.

“Whether participating as a lead staff or serving as acting CMS liaison your passion and respect for the work touched every project for which you were associated. Your efforts have been instrumental in proving both effectiveness and responsiveness of the Subcommittee and ultimately the National Committee.

“All of these efforts set the stage for an interoperable standards based health information system to deliver high-quality service safely, efficiently and effectively.

“On behalf of the Committee I would like to thank you for your personal and professional commitment and dedication to the work of the NCVHS.

“We will you well in your activities and hope that our paths will cross on future projects. You will be missed.”

I think you all note from the letter that this is actually Maria’s last meeting as a federal employee and as a staff support. We obviously congratulate her and wish her well in her decision to retire at least from the Federal Government.

Now, hopefully, that addressed your issue. This is obviously a letter we prepared from the full Committee. I am hoping that we can accept this by acclaim.

MR. BLAIR; Unanimous acclaim, yes.

DR. COHN: So Bob, I will consider that to be a move, second from Jeff.

All in favor?

(There was a chorus of ayes.)

DR. COHN: Opposed.

(No response.)

DR. COHN: Thank you.


DR. COHN: With that we actually now have Mark Rothstein in the room.

MS. GREENBERG: Also, we just have a memory book that Marietta is the holder of and it is coming around. So, you are invited to write private comments or messages to Maria in the book and then we will present it to her.

MS.FRIEDMAN: I would just like to take this opportunity to thank everybody. There is no crying in NCVHS. So, I am not going to do it. You all left out the parts about the cursing and the throwing of things, too. So, thank you for taking the high road. I just wanted to say that it has been my privilege to staff this group, and I am going to cry now.

MS. GREENBERG: I think Maria will be joining us for dinner tomorrow night and we can all cry.


DR. COHN: Now, we are going to move on to the privacy report. Do we have copies for the Committee? Okay, I do want to let everybody know that we realize that the afternoon session is sort of long and I think we will find the appropriate break and I am going to defer to you. Do you want to break now or do you want to break in the middle in the letter or what would be your preference on this?

MR. ROTHSTEIN: I would like to start now and reserve the right to break at any time I want.

DR. COHN: I will let Mark make some introductory comments and I think I am going to follow on some of his comments before we get into the actual body of the letter.


DR. ROTHSTEIN: Thank you. Just to bring you up to date on where we are at this very minute we made some additional changes this morning that reflected input from several additional Committee members. So, the letter that you received by e-mail is being changed and we will have by the time I am finished talking with my introductory remarks I hope a hard copy of a tracked change version of the new additions and corrections that we made this morning and Maya is also putting that version up on the screen so that we can follow along, in the unlikely event that someone actually wants to make some changes.

Let me just briefly make some introductory remarks about this process and our product. As you may know we began working on this issue, the privacy and confidentiality issues raised by the NHIN in late 2004.

We started having our hearings on the issue in early 2005 and in fact in 2005 we held four 2-day hearings, two here and one in Chicago and one in San Francisco.

In addition the Subcommittee met on several occasions in Washington for half-day or full-day-meetings in conjunction with regular NCVHS meetings and over the last 2 months we had five 2-hour conference calls in which we discussed various aspects of the report and on those conference calls as you will remember all the members of the NCVHS were invited to participate.

We also have had at least three presentations before the full Committee sort of gearing you up for this exciting day and also distributing early drafts at least of sections of that we have done. So, this should not be a new issue to any of us.

I want to thank before we get started Maya Bernstein for her outstanding work supporting us as lead staff as well as the other staff members to the Subcommittee and I also want to thank the NCVHS full Committee members who participated in our multiple conference calls especially Russell, Bob Hungate and Jeff Blair as well as of course the Subcommittee members themselves.

Now, one thing I should say about the report overall is that I think it is a little different than some of the kinds of letters that we have seen over the last couple of years in the sense that we are not recommending detailed technical solutions to problems or which information systems should be used or what coding system or what have you. We are dealing with obviously more abstract issues and also highly controversial and political issues as well and therefore even though I think that our recommendations are valuable and important and I don’t want to minimize that I think the greatest value of our report may well be in our ability to frame the issues for the Secretary and for the public as we go forward with the NHIN and to raise the kinds of things that will need to be worked out.

This is very much a consensus document. It reflects seemingly endless hours of deliberations and negotiation and as you go through the document if there are places where you notice that we don’t specifically recommend things where we just raise issues and say that the Secretary should decide, that is not by accident.

Those are areas in which the Subcommittee members basically could not reach an agreement and we suspected that the full Committee was also not likely to reach agreement and therefore we felt that we would be performing a valuable service to the Secretary by saying that you could do A or B and here are the advantages of A; here are the advantages of B where we were unable to reach decisions among ourselves.

Clearly there are many areas where there are good faith disagreements and we just worked through them the best we could.

I want to emphasize that I don’t think there is a single member of the Subcommittee who would say that this document represents my views from A to Z. It doesn’t represent my views. This would not be the letter that I would write. It is not the letter that Paul would write or Harry or John or Simon but it is a letter that we are all very much committed to. It is a compromise document. It reflects trade-offs. It reflects our very best efforts to accommodate the often disparate views of our colleagues on the Committee and now that we have got a document we strongly support it.

The process I want to go through, Simon wants to say a few words first, but I just want to say that we will go through this by sections although not word by word and I want to add my thoughts that it is absolutely essential that we if at all possible, that we reach agreement and approve a letter today or tomorrow.

We have been at this for a long time and it is not that we are trying to dodge work, and I specifically asked Dr. Loonsk this morning about this time issue because I want to really emphasize the fact that timing is important.

If NCVHS is to take a lead role, an important position in helping with the debate on privacy regarding NHIN the time is now to get this moving forward.

I would also ask you to consider and take the position that all of us on the Subcommittee did and that is reviewing the document as a whole and there may well be things that individuals wouldn’t say it that way or that is going in a direction that I wouldn’t go in. We all have had those feelings, and we just resolved it somehow as best we could and much of our focus I think is going to be on the recommendations and when we get there we are going to key on the recommendations in each section and work through them and I am not presenting this to you as a sort of no amendment, take it or leave it, because that is not the way we work but I am asking you to keep in mind the complexity of these subjects. I can think of a dozen issues that would take not only the 2 hours that we have this afternoon but all weekend to work through and we might not have any greater insights than we have now at this point.

So, if you want we can talk about anything you want but I just will add my plea to exercise some degree of restraint and, Simon?

DR. COHN: It sounds like a warning.

DR. ROTHSTEIN: Just a plea.

DR. COHN: I think Mark has said many of the things that I probably would also say. I think it is a very good document. I think we said that 3 months ago but I think there has been a lot of work that has gone on by the Subcommittee and as you know one of my joys even though I am Chair is that I get to participate in a number of subcommittees and I certainly know the hours of time the Subcommittee members have spent trying to work on this.

I think that the document is reflective of the fact that there was not single consensus at deep levels on every aspect of privacy and I think in the interests of creating a document that everyone could hopefully agree to and I am afraid almost to make it that strong but I think we recognize that there were some issues where there are honest differences of opinion and if they exist within the Subcommittee we are sure that they exist in the full Committee and so there are areas where you see location of various sides of an argument but the Committee not taking necessarily a side on this and yet there are things that we can all agree on, needs for education, public awareness, etc., as you will see in the document.

Now, this document is a little different than the letters that we have been dealing with recently. This is 17 pages long. When you are dealing with documents of this size or larger reports and many of you have dealt with larger reports that come to the full Committee and race and ethnicity recommendations was one such document, it is not the practice of the full Committee to read over every single word here and indeed what I have asked Mark to do primarily to focus on the recommendations and as I say that if you look through and you identify word smithing issues what I would suggest is that Mark Rothstein is probably open for business before and after this conversation.

However, this is probably not the time to start to reframe an entire section of the entire document and if that is the case then we will obviously wind up holding it to the September meeting.

So, I think we need to be careful with that. This is much more of an actual report along the lines of major reports that we have seen and I know we are terrific at word smithing but if we come up with special words and a new way to write a sentence where it sounds clearer I think we could consider that to be a friendly amendment but once again not something we should take our time during these 2 hours that we have to discuss this.

Does that make sense to everybody?

Okay, Mark?

DR. ROTHSTEIN: Just to save a little time any opposed?


MS. BERNSTEIN: I have the document here up on the screen so that those of you here in the room can all see it. It has the changes that were made since the draft that you have from Friday, just the ones that were made just today. I have it with red line and strikeout.

I would like to be able to see the whole page at one time if I can. Okay, I think I can do it that way. I was just going to ask if you like, if there is a consensus on whether you like balloons or it is okay to have red line strikeout? I just want to make it easier for people to see what the text is actually saying now. I could make the strikeouts go away to a balloon.

Okay, we are good.

DR. ROTHSTEIN: Okay, what I would like to begin with is to start at the beginning and ask if anyone has any comments or questions or concerns in the first two sections, A and B. There are no recommendations in Sections A and B. A is the definition section and B is the background about why privacy and confidentiality are important in EHRs and the NHIN.

MS. BERNSTEIN; The latter are the introductory remarks.


MR. BLAIR: You know my readers read these letters to me and this is the first time ever my reader and I after reading these first two paragraphs actually the first several pages that we just paused and we said seriously this was the most beautiful explanation that I have ever read about this complex subject of privacy and confidentiality. My reader was able to understand it and understand the complexities and it is really hard for me as being on the Subcommittee on Standards and Security to acknowledge that the Privacy Subcommittee has come up with such a beautifully written letter but really it is.

DR. ROTHSTEIN: Thank you, Jeff. I would like to defer that praise until the end.


DR. ROTHSTEIN: But I will take it wherever we can get it.

DR. COHN: Mark, do you want to just read the sentences where you put a couple of changes in?

DR. ROTHSTEIN: The fourth paragraph under B, the paragraph that begins one of the major, there was a change made in the second sentence. So, it now reads, “Ironically this fragmentation has the unintended consequence of preventing disclosure of health information.”

The other change is in B in the next to the last paragraph, the paragraph as the NCVHS recognizes the sentence that begins, “At the same time.” It is the fourth sentence. This was just to make it more readable. “At the same time individuals have a strong interest in giving health professionals the ability to access their health information.” It is not really a substantive change and while we are at it that next paragraph, that should be NHIN.

Any other questions or comments on A and B?

Okay,let us move on to C. I can’t imagine anyone having any questions on C. Maybe we can begin with the recommendation C1 and go through that and then we can discuss that language and if no one has any problem with it then we don’t need to go back to the text.

C1 is the method by which personal health information is stored by health care providers should be left to the health care providers.

Okay, that is probably the least controversial . Then C1 on Page 6 —

DR. FITZMAURICE: Excuse me I want to point out the method by which personal health information is stored is there some personal health information that shouldn’t be stored, that is should not be part of the medical record?

DR. HOUSTON: That is a different issue.

DR. FITZMAURICE: In other words is all personal health information open season to be put into the medical record by the health care provider?

I am not quarreling with it. I am just trying to get —

DR. HOUSTON: That is not part of the privacy discussion. That really is a discussion of HIN policy and what constitutes the official medical record of a facility.

DR. FITZMAURICE: Okay, so that is really content as opposed to where you start.


DR. ROTHSTEIN: Let me just point out that this recommendation comes from the paragraph immediately preceding it, the last paragraph under initial issues where the individuals have the right to continue having their personal health information maintained only on paper records and we took the position that the answer to that is no and that is the basis for C1.

DR. FITZMAURICE: I agree with the context.

DR. ROTHSTEIN: Very good. C2 on Page 6, individuals should have the right to decide whether they want to have their health records accessible via the NHIN.

C3 providers should not be able to condition treatment on an individual’s agreement to have his or her health records accessible via the NHIN and then I think those are not nearly as difficult to deal with as C4 and 5 which we spent a lot of time on.

HHS, this is C4, HHS should decide whether to adopt an opt in or opt out approach to individual participation in the NHIN or to allow local or regional networks to decide on their approach and C5 under either opt in or opt out HHS should require that individuals be provided with understandable and culturally sensitive information and education to ensure that they realize the implications of their decision.

DR. SCANLON: My reaction was until you explained it earlier that this was an uncharacteristic recommendation to essentially lay out the options and say, “Pick one,” and I think explaining that you couldn’t reach a consensus and maybe that where you come out of this meeting that the Committee can’t reach a consensus on this is something that should be stated explicitly and that the Secretary needs to gather sort of input to make this decision, not that this recommendation in some respects because our recommendations what we normally do they sort of prescribe something; they have eliminated other options, etc., this is saying this is an important area. It is an important decision but we are not prepared at this point to tell you what our recommendation is. We think you need to engage in a process that is going to gather information through other means to be able to reach this kind of conclusion.

DR. SCANLON: A friendly amendment along the same lines. I think it is as valuable for the Department to know where there was not agreement or consensus or a majority as it is to know where there is and I would not want to see forcing a consensus where there isn’t one because then it doesn’t help anyone but in terms of pointing that out, I think the recommendations could be stated in a way that you could either say in view of the different views on this issue HHS should through a public participatory process continue on for example with C4. So, again it is not HHS should by fiat, No. 1 and No. 2 there was disagreement and it is legitimate disagreement here just different ways to look at this.

I would suggest adding in that vein to C4 something like in view of the, well, it actually applies to all of these I think.

MS. BERNSTEIN: Would you add it to the text instead as opposed to the recommendation which is sort of the conclusion.

DR. SCANLON: You could say that the Committee emphasizes that there was disagreement or no consensus on some issues and we advanced these discussions to promote that.

DR. SCANLON: I would agree that it belongs in the text but I think that at the same time the recommendations should be distinguished between those upon which there was an agreement and it is concrete versus the way the wording of the recommendations read can’t reach agreement and I think it was clear that those are the ones you didn’t reach agreement on and you are telling them to engage in an additional information gathering process.

DR. ROTHSTEIN: Let me make a suggestion for the Scanlon suggestion. How about if we put in the text before the word “under” which is like five lines up from the bottom which is the end of the discussion of opt in, opt out a sentence that says, “NCVSH was unable to take a, doesn’t take a position on this issue or was unable to reach agreement on this issue” and then make the next line under either approach a separate paragraph because we want to talk about maybe that separately and then in C4 incorporate some of the language that you moved for earlier. Would that work for both of you?

Okay, Maya, are you —

DR. ROTHSTEIN: Oh, I am sorry.

MS. BERNSTEIN: Is that big enough for you guys to see? So, here I added, when Jim was talking did you mean to suggest that we should make not just for Section C or for this paragraph but a more general statement that on some things we couldn’t come to agreement; on some things we could and so overall the document reflects both of those kinds of recommendations or did you mean to — we could put it in the cover letter instead of dealing with it right here..

DR. SCANLON: It should reflect that the testimony, I mean first of all it was the testimony I think that you heard different views and then the Committee as well as unable to agree or was not able to —

DR. ROTHSTEIN: I would prefer that we include that language at each point in the letter where that is the case because I don’t want to give the impression that we just couldn’t agree on anything.


MR. HUNGATE: It seems to me that we are kind of being encouraged to accept the recommendation of the Subcommittee on this particular recommendation without going into full discussion of that recommendation at the full Committee and I am uncomfortable saying that we couldn’t agree unless we have had the discussion and I realize that you are not encouraging that very much, that we want to get this report finished and I agree with that but it seems to me that if there is substantial disagreement amongst the Committee that the two positions should be well developed and maybe there are alternative recommendations that are different which then have arguments with them for why one approach, we are an advisory body and it seems to me we should advise on the difference rather than just toss the ball. Do you follow my logic?

DR. ROTHSTEIN: You raise an interesting question and that is is it fair to say that the full NCVHS, the first question is it fair to say that the full NCVHS could not reach agreement without a discussion by the full NCVHS.

DR. FITZMAURICE: If NCVHS doesn’t object I would say that yes, they do agree and that the Committee should say, “I don’t agree with this part of it. Let us discuss it.”

MS. BERNSTEIN: I think the members of the Subcommittee would agree.

DR. ROTHSTEIN: The members of the Subcommittee agreed with the point that we couldn’t agree and if the members of the Subcommittee couldn’t agree that represents I mean how is the full Committee going to agree if the Subcommittee doesn’t agree?

MS. BERNSTEIN: It sounds like Bob wants an opportunity to persuade them.

DR. COHN: Bob, let me give a couple of options because I actually think that it would be fine for us to take a couple of minutes to discuss this area but C is an area that we spent probably most of the 30 or 40 hours that we discussed this document around. There is a couple of options. I mean normally the Committee works on the basis of consensus and agreement. Certainly if this is something where if there is a nine to one or a fifteen to one or twelve to three or whatever, we can certainly pass it and approve it. That would not be my preference. I thought it would be more if there are differences of opinion that are strong that there would be other supplemental information that other members can write in that we append to this representing other views and we could certainly make that available as an opportunity. So, I mean there is a variety of options in a group like this and we certainly do not want to stifle the fact that people have a wide variety of issues on this, but why don’t we take a minute to explore your concerns.

MR. HUNGATE: If it took 40 hours of Subcommittee time a minute is not enough for the full Committee. I appreciate the importance of the time but let me make a full argument for an alternative wording and promote discussion and I am a fairly rational person. I am usually willing to go along with the group but I am not willing to remain silent on those things that I think are important.

MS. BERNSTEIN: Bob, can you give me your alternative wording so we can be looking at it while we having the discussion?


MS. BERNSTEIN; Are you replacing this paragraph, adding it? Tell me what to do and I will do it.

MR. HUNGATE: I would give you a different C4. C4 as i would do it and that is all the change I would make should encourage an opt-in approach to individual participation in the NHIN while allowing regional networks to implement either opt in or opt out.

MS. BERNSTEIN: One more time.

MR. HUNGATE: HHS should encourage an opt-in approach to individual participation in the NHIN while allowing regional networks to implement either opt in or opt out.

My rationale is as follows. Lessons learned. The HIPAA implementation approached me as the conserver with pieces of paper when I showed up in the office to get care that were either three to five pages in length. Those were not consumer friendly documents. Those to me told me that the lawyers had protected the interests of my provider. They didn’t tell me much about my protection and so I think there is an unintended consequence of that that creates a resistance which shows up in the personal identifier area of discussion of the NHII where there is resistance to personal identifier. We have a population that has a wide variation in its understanding of this process and what is going on. I think by not favoring opt in in C4 that we are making a structural choice that affects the process of communication which will affect the outcome of this particular content.

Structurally we are setting it up so that if this doesn’t take a position and I think we should take a position that we would like to see the decision to opt in be a positive one. So, I am trying to set up a positive decision on the part of a person as opposed to an opt out which is a negative which is more what we did before. I think it is more consumer friendly, adapts to the profile of the population.

I think if you do that in C4, C5 follows more readily. I think it is more natural. I think the needs in G1 and G2 will be diminished. That is the main substance of the argument. It is the way in which the process will flow. I think that the sensitivity around personal identifiers as we go downstream will resolve from the personal health record side as people say, “I want not to be misidentified. I want to make sure that my identity is correct and well understood.” There is a plus to being identified correctly and I think if we set the conditions up for the education to work right we will be happier with the answer downstream. So, that is the rational I take for that position. Given the uncertainties and the resistance you will do better in the long run with an opt in and that we should argue in that direction.

DR. COHN: Okay, I have John and then Steve.

DR. HOUSTON I just want to comment because I think that we had great debates about opt in versus opt out and I think if you really were to take the debate to its extreme I think there were some of us on the Subcommittee who actually went as far as to have originally said. “I don’t think there should be an opt in or opt out. It should just simply occur, that you should be part of an NHIN by default and you shouldn’t have a choice because what we are trying to do is to improve quality and reduce error rates and things like that and frankly there is a good argument to be made that should simply be that there should be no choice.

Now, I think that is an extreme argument and I think that that led us to say that the — and the concern over opt in was that you would have a much larger set of individuals who would fail to opt in and therefore would not be able to avail themselves especially in emergencies to have their information available as necessary to provide appropriate care.

That is why I think we came to the balance and at the same time we could not get to the point where we could gain a consensus about opt out, still, nonetheless, and that is why we left this as an open argument.

I honestly believe personally that you are not going to achieve our objectives within HIN if we require, if we try to do an opt in and so again I am way at the other extreme personally.

DR. STEINDEL: I could say I just totally agree with John but because this is such an important issue I am going to actually restate what he said.

DR. HOUSTON: More eloquently.

DR. STEINDEL: No, I don’t think I can do it more eloquently but you know there are I think endless arguments and discussions for whether the policy should be opt in and opt out and I think it is not just the period of time that the Subcommittee has worked on this letter but it has ben discussions for years in NCVHS about opt in, opt out and there has been discussion in public health about opt in and opt out about many of our functions and there is no clear consensus on that and what I think is extremely significant about this recommendation, C4 and was very pleased to see it was the NCVHS is coming out very cleanly and says that there should be an opt policy. You know, whether it is opt in or opt out, which is what John just said, and that is a major step forward because there are a lot of people in this country who are arguing for the creation of an NHIN without any type of opt policy and I think at least stating that there should be one is a major step forward and let more focused debates on this occur which is what we are recommending and so the time that you want taken to explore these issues in more depth will occur outside and getting this letter on the street in a hurry will actually promote those debates much quicker than us trying to resolve the issue because we haven’t resolved that issue for years and I am totally happy to see just a recommendation for an opt policy.

DR. SCANLON: I would just sort of underline Steve’s comments. This is a major public policy issue. It is not a technical issue or an efficiency issue and I think what the Committee heard in the testimony and what you are hearing now and in the subcommittee discussion was again a public process I think and that is what we are proposing to add.

This is a public policy process. There is no right or wrong. It is not a technical issue. It is not an economic issue. This is something where society has to decide where it wants to go.


DR. STEUERLE: I guess I would like to amend your comment about it not being an economic issue.


DR. STEUERLE: There is a story about Milton Friedman. Once he was in a big debate with Jim Tobin and Friedman always no matter what the discussion was brought the issue back to the money supply. So, Jim Tobin said, “You know, Milton, you know everything reminds me of sex but sometimes I keep it out of the conversation.”


DR. STEUERLE: But to get to my point the draft right now as it is structured is fairly much of a legalistic argument about rights in the discussion so far, but it is not empirically grounded.

I think the people, and I guess I lean towards John’s view is that there is a literature not on this opt- in, opt-out policy because it doesn’t exist but there is a growing literature of participation rates in opt-in, opt-out policies. Right now it is driving the debate over pension policy and there is actually a tremendous movement toward having employers move toward opt-out policies for patients because basically after 40 years of subsidizing pension policy basically we have discovered that is a tremendous number of people mainly low-and-moderate-income people who do not participate in 401(k) and other plans which is the direction that pensions go.

I guess the bottom line is if you want to pass this today I guess there is not time to put in a paragraph on related literature on participation and the reason by the way the participation rates vary so much is because lethargy rules and so if you just simply have simple opt in, you get low participation rates. If you have simple opt out you get very high participation rates and by the way there are things in between. You could require people to at least check something and a lot of times you don’t even get a paper that requires you to check anything or you don’t have to check every year; you know, once you never opt in you never get asked again by say that doctor or that employer. So, there is a lot of empirical stuff that is not in here.

So, I would say at a minimum the draft should recommend that the findings should be based upon empirical examination of the advantages of opt in versus opt out and potential costs to society from the much, I would say much lower,but you say lower participation rates you are liable to get. I don’t think we —

DR. ROTHSTEIN: We didn’t hear any 401(k) —

DR. STEUERLE: You have to do it by analogy.

DR. FITZMAURICE: On C2 an individual should have the right to decide whether they want to have their health records accessible via the NHIN. I am not sure what that means because as I read it, accessible by whom, by their own doctor, by any covered entity for treatment of payment and health operations purposes, by him or herself and if it is via the NHIN to whom is it sent, who has it and are we talking claims? Are we talking electronic medical record data? Are we talking personal health record data? There is a difference. If you take away claims for example going to the NHIN you are taking away a lot of the economic value of NHIN and as you know people opt out. There is another economic argument as more and more people opt out the value of that becomes smaller and smaller and it may not support itself. So, if we think there are benefits beyond the costs and we don’t have really good measures of that, then we need to weigh that policy very carefully but to get back to C2 I am not sure what it refers to. Is my data out there floating somewhere and can someday lasso it with the NHIN whereas they can’t lasso it without and NHIN? I am not sure what C2 refers to.

DR. ROTHSTEIN: C2 refers to the ability of an individual to have their personal health records; this is not about claims data —

DR. FITZMAURICE: You mean their personal health , you mean their —

DR. ROTHSTEIN: Their medical records, their electronic health records, I am sorry, disclosed in the course of treatment or to other third parties on the basis of an authorization.

DR. FITZMAURICE: So, if I go to a doctor and it is a cardiologist and he says, “I would like to see your base-length(?) cardiogram,” and I say, “No, I am not going to let you get that.” You would have to get it digitally or over the NHIN. You can’t have it over the NHIN. So then can the provider say, “Well, I can’t give you the best care that I want to give and I choose not to give you care under less than ideal conditions”? So that works it into C3.


DR. FITZMAURICE: I wasn’t sure what C2 meant and then that has implications for C3. Can a provider give care when there is information there and he or she doesn’t have access to it and is it negligence not to try to get that information?

DR.HOUSTON: May I make a suggestion? Maybe we should say that individuals should have the right to decide whether and to what degree they want to have their records accessible by the NHIN or is that —

DR. FITZMAURICE: So, it is records that they own and posses, not their records in the doctor’s office?

DR.HOUSTON: No, their records in the doctor’s office.

DR. FITZMAURICE: They are records that would otherwise be available by the NHIN through a provider’s EHR.

DR. STEINDEL: I would like to comment on this. This actually goes along a little bit with Jeff’s earlier comment that I thought this was a very well written, well-constructed document and when I read these recommendations I kind of looked at C2 the same way as Mike just did and said, “What is it referring to?” But then I saw the construction of the recommendations in this area and I saw it as a building block and I saw C2 as just a simple statement that there should be an ability for a patient to decide whether or not to have their records available in the NHIN with no provisions attached to it and it is just a right that they can decide what to do with it in its environment and then C3 says that there will be no negative consequences if a patient decides not to do it in terms of the type of treatment that they would get.

Then C4 specified C2 a little bit better and in a sense it didn’t specify it a little bit better because we didn’t say opt in or opt out but it just basically said, “Okay, HHS now that we have said that patients should have the right to decide whether or not their records should be available in the NHIN we couldn’t reach a conclusion on whether it should be opt in or opt out.” So, I saw it as a logical progression going through those various thought processes.

DR. FITZMAURICE: I think that is a logical progression but that is only one arm. I can see should it be accessible outside of the NHIN.

DR. STEINDEL: That is not what this —

MS. BERNSTEIN; I think that you will find that both of your questions are actually dealt with in later sections of the report. Outsiders getting access is dealt with in a different section and also whether and to what extent is dealt with in a discussion about blocking, deleting and so forth.

DR. FITZMAURICE: So, the question is what difference does NHIN make if somebody else can get access or cannot get access, and you say it makes it easier and it makes it cheaper but punish the inappropriate access, punish the inappropriate use but don’t punish an efficient means.

MS. BERNSTEIN: I can try to clarify because I think Hugh has it right. We were trying to go from the general too the more specific. All C2 is saying is we have previously said that you don’t have the right to tell your provider whether to keep your records electronically or on paper, but you do have the right to say whether your record stays in your provider’s ambit or whether it is available to the system, whatever the system the NHIN turns out to be. That is all it says.

DR. FITZMAURICE: But the privacy rule lets the provider send records to another provider who is treating that particular patient, right?

MS. BERNSTEIN: That is correct but this is not —

DR. FITZMAURICE: What distinguishes between electronic means and paper means for that?

MS. BERNSTEIN: We are not confined by the privacy rule here necessarily. It is the current rule but the subcommittee is making recommendations that might have implications for what the privacy rule does.

DR. FITZMAURICE: I understand that. So, it qualifies the privacy rule to say that you can send it on paper but you can opt out of having it sent electronically.

DR. ROTHSTEIN: Harry was next and then let us have comments on, we are kind of getting off track a little bit because we started talking about C4 and 5 and now we are back to C2 and 3.

Let us see if we can finish up the C2 and 3C issue and then we will get back to the C4, C5 issue.

Okay, so, Harry?

MR. REYNOLDS: Mine is a quick general comment rather than that. Nobody knows what the NHIN is. So, part of our deliberation is we had exactly these same debates as each of us mentally defined it and each of us personally defined it and so the No. 1 structure here and the No. 1 thing as you read this and think about it, there is no such thing as the NHIN. There is a discussion about what it might be. There are no specifics. We are going to be handed some of those possible specifics for our next session with the NHIN Committee. So, as you hear this and as you think about this make sure that you keep that in mind. So, in a bit of a way we are talking about the over arching issues related to something we don’t exactly know what it is yet but we know what it might or might not do.

DR. COHN: Other comments on the C2, C3 issue?

Yes, Stan and then Justine?

DR. HUFF: I agree with C3 as its intent and one of the things that occurred to me in reading this was it specifically talks about providers and it would seem to me one of the inescapable consequences of opting out is that in fact it might as Mike has alluded to is it may be more costly in fact for me to care for people who opt out and I wonder if we shouldn’t address that specifically an say something about the fact that in fact people might depending on the choice you make it would be okay for people to actually discriminate in terms of what they charge to care for people who choose one option or the other.

PARTICIPANT: I think it is mentioned someplace in the document, isn’t it?

DR. ROTHSTEIN: I don’t know how we could say that given Medicare rules and since we don’t know what the NHIN is that is kind of a road that I wouldn’t like to go down.

DR. FITZMAURICE: But as a policy statement I mean we are advising on policy here and it is a policy statement as reasonable as many of the others.

DR. ROTHSTEIN: So, you are saying that if people want to exercise their privacy rights that we are saying that they have under C2 they may have to pay for doing that. I just want to understand what you are saying.

DR. COHN: Okay, I am going to have a list now. Justine was next and then was there someone on this side? So, it is Steve and then John.

DR. CARR: This is just on C2. Do we mean to add the word “electronic” to health record? Individuals should have the right to decide whether they want to have their electronic health records accessible?

DR. ROTHSTEIN: I think that is fine.

DR. CARR: To add that word?

DR. ROTHSTEIN: Making that clear. Michael, would that be okay with you if we said, “EHRs”?

DR. FITZMAURICE: It wouldn’t take care of my objection but it might make it clear about what data we are talking about, electronic health records held by the provider.

DR. STEINDEL: I would like to comment to Mike and Stan’s comment and this is building a little bit on Harry’s. We don’t know what the NHIN is going to look like. We don’t know what the electronic exchange network of health records in this country is going to look at and to bring back an old term which has been dropped and probably REOs will change with the new national coordinator because every national coordinator seems to have a new acronym for this, but let us look at local health information exchange and let us say that the future of electronic health interchange involves a national network and a local network and a person decides I am going to make my information available locally but I don’t want it accessible nationally because most of my health care is available locally. So, that addresses kind of the question that you are talking about, about well, we are at a disadvantage because t he information is not going to be transferred electronically to my provider. Well, it is going to be transferred electronically to 99 percent of your providers and if you decide you want to send it to Mayo Clinic and you live here you can choose to do it. So, it can still transfer electronically. It just depends on what the NHIN looks like. So, I don’t think we should preclude information being transferred electronically in the new world.

DR. FITZMAURICE: It is hard to comment recently on recommendations on something we don’t really know what it is.

DR. STEINDEL: That is why they are vague.

DR. FITZMAURICE: Why don’t we pick up on Stan’s comment and say that it is not necessarily that you have to pay to exercise your privacy right. Maybe I have to pay more because I want to use the HNIN to send my stuff digitally to somewhere else.

So, the payment could go on either side.

DR. VIGILANTE: Aren’t those the consequences you learn about when you decide to opt in or out? Then there is the downstream more deliberative issue that comes in as part of the opt in or out decision, not the principle that you should have control which is a different principle.

DR. ROTHSTEIN: Okay, so, we have got Paul and then John. Is there someone else waiting? Maya? Okay.

So, Paul?

DR. HOUSTON: My comment is on C4.

DR. ROTHSTEIN: Okay, thank you. We are on C2 and 3. John?

DR. HOUSTON: I want to just respond to Michael and try to put this to rest because if we go, I hate to say this to move even farther forward but if you go specifically to recommendations C6 and C7, let me read them to you. HHS should decide whether individuals should have the right to control access to specific content of their health records via the NHIN and if so the appropriate means and C7 says, “If individuals are given the right to control access to specific content of their health records via the NHIN the rights should be limited such as being based on the age of the information, age or condition or treatment or the type of provider.” I think this attempts to address those two attempt to address this concept of how much and are there going to be controls over what it is that is available.

DR. FITZMAURICE: I think what John suggests makes more sense if we take out the “via the NHIN.” Why not give those rights to individuals?

DR. HOUSTON: That is a provider issue and I will tell you right now when it is within a provider environment I can tell you there are very few providers who are going to want to say, “We are going to allow restrictions to be placed on the information that we use within our facilities in order to care for you because the liability and the quality, the liability goes straight up and quality goes down. Opportunity for errors goes up.” Information within the provider itself, the providers I think have to have the right to be able to give the information that they have in their records in order to treat somebody. It is when it gets outside the four walls of the institution is where this issue about the NHIN comes into play and if you look at most state laws today if one institution wants another institution’s information they have get a release from the patient anyway.

MS. BERNSTEIN: To defer to members of the Committee always, Jeff, why don’t you go ahead?

MR. BLAIR: Maybe this is just a mind set but it is a mind set that I had as I read through the letter. I looked at the recommendations from as narrow a viewpoint as I could and I don’t always do that but this was privacy and confidentiality related to national, the nationwide health information network and I am saying that only from the standpoint that if this narrow viewpoint is acceptable to the Committee it would preclude other valid considerations such as economics who pays; who shouldn’t pay; does it affect quality; does it not affect quality? Those are all valid issues, but I just sort of feel as if we expand the scope to issues of quality and safety and economics in this particular letter it will certainly not pass today and probably will need a lot of other more hearings and testimony to appropriately consider those.

So, at least that was the viewpoint that I had.

MS. BERNSTEIN: I was wondering if Jeff’s comment satisfies Stan. You had a comment about adding an economic discussion and Jeff just was responding to that. My comment was related to that. So, if he has satisfied your concern then I have nothing to say .

DR. HUFF: I think as I said I agree with C3. So, in a sense I was asking for something additional not to change anything that is there and so, it doesn’t answer my issue but I actually am fine because it doesn’t speak to my issue. So, I can make up whatever I want as I go along. I guess my final, you know I am not going to fall on my sword. I wouldn’t vote negative on this document if we don’t add a statement. I will put that up front but it seems to me that we are being somewhat inconsistent in that we are arguing in one sense the argument for having an opt out option is the assumption that there is value and in fact probably tremendous value in sharing of information and that we get efficiencies and better care by that and so I agree that people should have a choice. What I don’t believe is that everybody in the population should pay for bad choices equally.

So, if people choose to opt out and that costs the system, it costs more for health care I would rather the people who opted out and made that choice bear the consequence financially of their choice. You could state it in a more positive way and say, “Let us offer incentives then,” and instead of saying that they have to pay more just say, “Let us offer incentives to those who opt in for whom we can then apply more efficiencies and accrue better benefits to those individuals.”

DR. ROTHSTEIN: Stan, I think the way we tried to deal with your concern is through the educational process and the later section, in fact, the last section of the report goes into the importance of educating people about the benefits of the system and we made the statement that we need to suggest to people why it is in their interests to do that rather than hitting them over the head or charging them more or whatever. If the system works people should be banging on the door to get into it and that is what we want to have happen. At least that is the goal.

Is this on the C2, C3, Gene?

DR. STEUERLE: Right. I am just wondering if to meet Stan’s objection we could since we are not going to resolve it here, you could add a line to the effect that we are making these choices and this affects by the way C6 and 7 as well which I don’t like but in making these choices consideration should be given to the cost to society imposed by those people who do not participate and so that puts Stan’s concern in without saying that the —

MS. BERNSTEIN: Okay, so now my comment becomes relevant again.

DR. ROTHSTEIN: Do you want to raise that now or when we get to C6 and 7?

DR. STEUERLE: Stan raised with C2 but I am saying it actually comes up in two or three places. I am just saying that he is phrasing the issue about the people who are not in the system. It is actually whether it is opt in or opt out in C2 and 6 and 7. He is raising the issue that the people who aren’t in because they don’t opt in or because or they opt out are the way the system works or C2 that some consideration needs to be given to the cost that those people who don’t participate impose upon other members of society especially recognizing what is commonly called a free rider problem.

DR. ROTHSTEIN: Okay, we have got Maya and then Karen and then Russell.

MS. BERNSTEIN: I have no objection to the fact that there are possible increased costs with one kind of system or the other. We did hear for example, that it is less costly if you have one version or the other. We made a note of that and we also said over here in the paragraph above that it would be administratively burdensome one way. It would be less costly the other way and so forth but I think to take the position that you are advocating there seems to be an inherent assumption in the discussion and in both Gene and Stan’s comments that those cost should be borne by patients. It is possible that those costs as a policy matter could be borne by the system, by providers, by others who participate for one reason or another. I am not advocating it. I am saying there is a policy choice to be made there and whether or not we agree or disagree with it that would significantly enlarge this discussion and the possibilities that are in this document and I am not sure we are prepared to do that today but it is a policy, particular policy choice you are talking about advocating.

MS. TRUDEL: I just wanted to point out that people make poor health choices every day, a lot of them much more significant in terms of cost than this and I am not sure why we are singling this particular issue out.

DR.HUFF: That is exactly my point. In most other cases you do. They discriminate against you based on your driving record. Your insurance rates change based on your driving record and your insurance rates change based on whether you smoke or don’t smoke. That is all I am asking. I am not even saying which way the costs might be borne. It may be that it turns out it costs less to take care of people who opt out. I don’t know. It just seems like we are tying the hands to say two things. You can’t discriminate in the care provision. So, you have to allow the choice and right now it doesn’t say anything but if we were to add the second thing that you can’t discriminate in the costs of care based on how they choose then I think you are unduly tying the options of how you can equitably support people who make the choice but as I said initially I am fine leaving it the way it is.

DR. ROTHSTEIN: Let me just say before I call on Russell I want to go back to something that Jeff said earlier and I think it is a very good point and I think now you have seen why it took us 18 months to work on this because you pull out one little issue that you are concerned about and look what is dangling attached to that issue and so you very quickly get into all sorts of areas of health policy and information policy and civil rights and economics and you name it, and what we tried to do very carefully is to the extent possible keep this focused on the narrow charge that we have and that is privacy in the NHIN.


MR. LOCALIO: You covered my point. Thank you.

DR. ROTHSTEIN: Sorry, if I stole your point.


Great point, Russell.


MS. GREENBERG: And I agree with Russell. Just briefly I wanted to say first I really thank Bob for encouraging the Committee to engage in this discussion because although I, personally, feel it is very important that we either decide that there will be no letter in the foreseeable future from the Committee on this subject or that if there is going to be a letter that we move this along forward in some way because of just what else is going on in the external environment and I think we could come up with a letter that maybe people would be somewhat more comfortable with in a year but I don’t know that it would be relevant, but I think it is very important that people not feel that this letter was shoved down their throats. People of course did have the opportunity to participate in conversations on the phone but we all knew that nothing substitutes for this environment here and I think that it is really important that we are having this discussion but I think that it points out a few things that people have already said but I just kind of want to bring them together.

One is that they will really have a number of public policy issues here as several people have said.

I think that this Committee is not actually charged to probably be the arbiter on really major public policy issues. That is really more in the political process but it is certainly charged to give its best thinking to demonstrate the pros and cons and I think this was a very credible effort to do that and if part of its best thinking is we can’t, this is just not something that we can reach agreement and it is pretty obvious that we can’t, then I think that in itself is useful to tell people that these — some people may just have an easy answer to this and they don’t understand why people don’t agree with them. You have got a lot of really bright concerned sensible people around the room and it is obvious that even after a lot of discussion these issues cannot be easily decided one way or the other and I think you do a service that way.

I think I really support on this line what Jim has said to add to wherever either in a global statement or each one where a decision is not reached and in a sense we have punted; the Committee has punted back to HHS that the environment will suffer if there is no decision on this if we move forward and it needs to be resolved through a public participatory process.

I think those words are really important because it is not that your process wasn’t public. It was and to some degree it was participatory but not in the way that the department is able and obligated to do and so I think that it is very important language and I also think that just this talk about whether people should be charged, etc, really a lot of it has to do with one’s view of community and what it means really and maybe I am going too far here but what it means to sort of live in a community and whether the community supports the good and the bad choices of people because otherwise you might have chaos or sometimes it doesn’t but I mean what you said, Stan about you pay more for your health insurance if you smoke; well, you don’t in the Federal Government. I mean this is not a national policy that you pay more for your health insurance. If you are in group plans, you know, nobody is asking me what my bad habits are, thank God but I mean in certain environments because that community has decided and is able to make those decisions but I really like the fact that you have suggested that one option would be to allow local or regional networks to decide on their approach.

That may not be the right decision but it also shows the nuancing. Some of these things are really at a national level, you know maybe beyond ever reaching one agreement but we have set up RIOs and we do have this regional and local approach.

So, I think all of that is helpful and useful and even though it is disappointing in a way to have as many areas as agreement couldn’t be reached but there is good reason for it.

DR. ROTHSTEIN: Okay, next on the list is Simon.

DR. COHN: Marjorie, thank you. You actually said that very well. I was going to say that I think we have moved beyond two and three and on to four and five.

DR. ROTHSTEIN: I am not sure.

DR. COHN: Once again what I heard was that Stan raised an issue that he was concerned about and then has I think seen that the document doesn’t preclude or even enter into the conversation and I think as long as he felt that the issues were not being discussed forcibly one way or another he was probably at the end of the day fine with it. Am I mistaken about that, Stan?

DR. HUFF: That is exactly what I said.

DR. COHN: So, I think what that means is that we have resolved that issue and we are on to three and four.

DR. ROTHSTEIN: Okay, so, everyone is okay on two and three?

Okay before we open up the discussion on four and five I wanted to respond to Bob’s comment.

If I were king of health I would actually support an opt-in approach but I don’t think C4 really matters. I think the key is C5 and I will tell you why. I can envision an opt-in approach that is absolutely worthless where you sign in at your doc’s office and they give you another paper to sign. You know, can we bill your insurance company? Can we send your medical records? And you sign, and there is your opt in. You have signed and that is worthless. On the other hand I could imagine a wonderful opt-out approach where there is a very good educational program and materials and you have to take the initiative to go the next step if you decide you want to do that.

So, it is really not that so much for me at least that is the key even though that generates a lot of heat. I think the key is No. 5. If we are going to have a system where the individual has a choice about whether they are in or out under whatever framework it has to be an informed and intelligent choice and that is the essence of No. 5 and we weren’t able to reach agreement on exactly how to do that.

So, who is next?

Okay, Paul?

DR. TANG: This is originally a comment that I think John mentioned a lack of empiric evidence about it and also the cost proposition. So, if for example what you say is correct and I think it is very reasonable then maybe we should decide on the efficiency, the cost basis and the time also gave me time to look it up on the literature which is in the New England Journal. After HIPAA passed Minnesota passed a state law in January 1997, that said, “Regardless of HIPAA you will do an opt-in research.” So Mayo Clinic did go do that and at great expense got it and 96 and 97 percent agreed.

So, that is the empiric data that one, people, that is not directly this exact issue but that people will agree with it and so on the expense cost side wouldn’t it be easier to let the 4 percent opt out than go chase after the 96 percent? Anyway just providing some empiric data that does exist.

DR. STEINWACHS: I was going to say that I am more of the Jeff school of thought and I thought the document was well done even though I didn’t agree with everything and so I guess I was just expressing, want to express the view that I was really hoping that by 4 o’clock I guess Simon said we could go beyond that but by four that the Committee members could have gotten suggestions from everyone about each of the sections and so tomorrow they may have some suggestions back for change and there could be a chance to sort of vote this up or down or have a straw vote, something. I sort of get the feeling that we are going to be at this, it could be all night but which is fine if that is the way we go but I would like to see some way to get to the end of this and to a decision point no later than tomorrow.

DR. ROTHSTEIN: Okay, Bob and then Kevin?

MR. HUNGATE: The discussion that I hear leaves a lot of credibility to the inability to decide between the two. Yet half of the option we are giving HHS is to in fact decide between the two. We say, “Should decide whether to mandate an opt in or opt out or to allow local or regional.”

Now, that is suggesting that HHS has one option to try to do what we have been trying to do which is decide between the two and I don’t think that is really what we want to say. As Harry points out the NHIN is as yet somewhat of an unknown and so at this stage to force you it would be almost impossible to mandate it seems to me.

So, I think we should almost say that HHS should not decide to mandate one or the other because of the difficulty of the content but use the local, the other decision process. That is what I hear from the discussion which I think is different from the recommendation.

DR. FITZMAURICE: Bob, are you saying that you don’t think HHS has the scope of authority to mandate this stuff?


DR. FITZMAURICE: I would say that.

MR. HUNGATE: I don’t think it would be wise to try to mandate either an opt in or an opt out. Yet our recommendation gives them that choice as well as another choice. That is part of what troubles me but I will accept the Committee’s decision and withdraw my suggested alternative when we finish this discussion. I think that this is the only place that I have substantive disagreement with what I think is otherwise an excellent document.

DR. VIGILANTE: I actually want to share earlier perspectives that Don and Jeff expressed and I would personally approve this document as it stands even though i am not 100 percent with everything but there are no deal breakers in here for me.

However, if I were to just on the C4 issue if this helps arrive at consensus and if this is helpful fine; if it is not, you know if we are uncomfortable with waffling, if that is the issue for you, Bob and you want to not be right on the fence but a little on one side versus the other I think actually what I would recommend is very similar to what you said. I mean clearly the lack of consensus here is probably a microcosm of a broader lack of consensus which is partly based on lack of empirical evidence and we often talk about the laboratory of the states. Here it is really the laboratory of the networks and perhaps we should be maybe a little bit firmer about recommending because it has been so difficult to achieve consensus and we are dubious about more input provided at a high level producing more consensus maybe our experience tells us that what we are really encouraging is that this be a more locally decided policy decision and then as we learn from that then at the federal level we may decide based on evidence to go one way or the other and maybe that is less of a waffle and it may be in fact more in line with where we are at. I don’t know.

DR. ROTHSTEIN: Okay, Harry and then that comment seems to have elicited several replies. Gene, Bill, Simon and Marjorie.

MR. REYNOLDS: We mentioned local but the definition of RIOs and local are as unclear as the NHIN. In North Carolina we happen to have a RIO that is a coordinating group. They are not anyone that would have the authority or take the authority to recommend what people would or wouldn’t do locally in the health care setting. So, part of our concern is local is no more defined as to what the entity that drives local is nor is it nationally nor is NHIN nor is some of the other. So, nor is in my opinion the fact that it would be less costly to be in the NHIN. We just went through the HIPAA lessons learned. We aren’t there yet. So, just because we automated doesn’t mean it is going to be, yes, around the table individuals could explain how you could automate it to make it great but you have got to see it. You have got to touch it and if it is great then I can vote maybe different than I would normally.

So, I think that we don’t have a clear definition on a lot of this. So, we are trying to frame the discussion and really trying to frame the debate and then once those start showing up as real then I think the next level of debate allows you to really move in some substantive way to make your next set of recommendations.

DR. ROTHSTEIN: I want to ask for your permission, Gene to jump you in favor of Simon who wanted to get in and then Jim.

DR. SCANLON: I apologize. I was expressing to Mark that I am as you know fully prepared to go beyond 4 o’clock on this topic just to let you know that we don’t all bounce off to subcommittees at 4 o’clock if we need substantive progress here. I did want to however, suggest something that I think does need further word smithing but I have heard and I had actually previously thought about this concept and I think Bob maybe it goes along with you view that it may be premature at this point for HHS to make a final determination on this but then adding I think the other thought that HHS should, what was that, public initiate a public process to further evaluate and let me see whatever we have up here, I mean based on, we need to further evaluate this information. It should also be further informed by work of local slash RIO entities and work ongoing. I guess I haven’t quite got the right wording but is that sort of, I mean that is one straw man. That becomes a positive recommendation.

DR. ROTHSTEIN: I think it sort of says what C4 is saying. So, I don’t know if that is a friendly amendment or —

DR. SCANLON: Along the same lines I think I can see the Committee is sort of struggling with trying to lay out all the options here and I don’t think we are at the stage where we need to have all the options. This is kind of a principle and a direction and I think whether you include it, if HHS decided to initiate a public process or Congress did or someone else did we would look at all the options. So again I think your direction is that this is a difficult public policy issue and accordingly you are recommending that HHS should initiate or whatever we call it, an evaluation of the opt-in, opt-out approaches, other approaches. I think with some wording all of these, evaluation means looking at the consequences and the implications as well. I don’t think it is in the community’s best interests to try to make up options now when we are really in the pre-option stage. We are really in the policy stage and we would certainly in HHS interpret it that way. We wouldn’t rule something out because you didn’t mention this specifically.

DR. ROTHSTEIN: I think the value of the document is to frame issues, not necessarily to resolve them because we can’t and on behalf of my colleagues on the Subcommittee I want to thank the rest of the Committee for confirming our point that it is very difficult and cannot be easily dispensed with.

So, we are back to Gene.

DR. STEUERLE: It seems to me that most people as I hear most of the comments here they are actually agreeing with you that they are willing to waffle and some interpretations of the comments are going, “No, you don’t want to waffle. You want to state this.” I think the waffling is still of concern to some people and I will give you an example. I see in C3 and C4 a lot of issues having to do with what happens legally in terms of lawsuits and everything else depending on how you participate. Let us take C5 which is the easier one, requiring doctors to provide an educational process in this type of loose language could impose enormous costs on a system.

So, saying you are in favor of education may sound really easy to state but this is not to me stated in a way that it really guides me for what I should do which is one reason I stated earlier I would put in some language of basing things empirically on studies of costs and benefits or something and let that just, I don’t know where you

put that overriding sentence but stick that more in to guide these things and in C4 the one you have left out actually on an opt in, opt out which is the direction they are going with the private retirement plans is to let in that case the employer or the individual provider and you don’t even have that as an option. You say local or regional networks. What about the local doctor providing opt in or opt out and in that case the big question there is not whether they can do it. It is whether if they do opt out can they get sued; is there some safe harbor where if you provide opt out there is a safe harbor that can’t get sued for doing that and I am not saying you could examine this but you have already the way you have written this precluded it.

So, for instance I guess my two things were to put it there a little more strongly because you don’t have all the costs of things in the paragraph but it should be empirically based upon various estimates of the costs and benefits of different options and then C4 I would add the local and regional networks. I would also say individual practices.

MS. BERNSTEIN: How about if we said local or regional entities? I mean that gets to Harry’s point which is that networks we don’t know what they are, how local, how we draw a circle around them and entities could be providers, organizations, hospitals, whatever. Does that satisfy that part of your —

DR. STEUERLE: I suppose if by entities you are including individuals doctors, hospitals, then yes.


I am sorry, Marjorie?

MS. GREENBERG: I just wanted to try to capture the first part of what Gene was saying which I lost while I was trying to figure out the second part.

DR. SCANLON: I unfortunately don’t have wording changes but I guess maybe in reading the document originally I was blinded by the brilliance of it in terms of it was really a good balanced discussion of sort of these issues but the discussion here today has just created so many doubts about these recommendations in terms of like we don’t know what we are recommending about the thing we are making recommendations about, NHIN. We have got these local entities. I mean if I cross the border into Prince Georges County what are going to be the implications of this, I mean in terms of my jurisdiction lets me withhold my records and what happens in treatment there.

DR. ROTHSTEIN: We actually do have a section on that.

DR. SCANLON: But I think Marjorie raised the issue of how far do we stray into the policy question. We talk about rights. I mean if you substituted motorcycle helmets in the first sentence for your right to withhold your records from the NHIN what would be our reaction to that? I mean I guess I am concerned that we have got a very good discussion of the issues but the precision of the recommendations doesn’t sort of match up and I don’t think we can get to that level of precision. So, it is going to be a question of do we like the discussion of the issues so well that we are going to gulp and vote for this or do we move for something with many fewer recommendations, more deference to HHS and to the public participatory process and because if that is important in terms of the agenda at this moment then that is something we need to think about.

MS. GREENBERG: Like everyone else I think everybody, I had something I wanted to say about 20 minutes ago and then everybody who said things has triggered other thoughts but I am just going to go back to what I was going to say 20 minutes ago or whatever when I got on the list and that is again going back to Bob’s statement I think Bob raises a legitimate point about this being a temporal issue to some degree and then you talked about it being premature because if you were, C4 sounds like maybe HHS should decide soon. It does. I mean when you read it in my mind it was sort of eventually when all of these things get rolled out then HHS will have to make this decision based on whatever but so I think that this alternative language about either initiating an evaluation process or you know public participatory process but not just public and participatory I think the evaluation as well but which includes a lot of the costs stuff does need to go in here because otherwise it is not like other recommendations where we have made, all right we have made the recommendation to HHS and have we heard back from HHS and I mean we are not saying that. We are saying that when kind of all of this gets worked out that is going to be a decision that has to be made in the public policy arena and so I do think there is a problem with the way C4 reads now that could indicate that we are saying that this needs to be decided now.

DR. WARREN: I guess my response is back to a comment that Bill made about we don’t know what these recommendations are for. We don’t have any idea and I guess from the perspective of different projects that I have been on in the past many times none of this stuff is nailed down. I mean it is a building process that needs to go on concurrently. So, when I think of the fact that we are busy trying to outline what an NHIN is doing and we are starting that previously through ONC and we will be doing more of that next week and adding that as a project of this Committee I would hope that we would have some of the guidance from this document about the privacy issues at NHIN to help guide us with some of those discussions.

So, I guess I don’t have as much of a need as what I am hearing from other people to lock some of this stuff down. To me these are pretty good recommendations for where we currently are in the process of doing all this.

Now, that may be that if we come up with something new or NHIN goes in a direction none of us anticipates that next year we may need to come back and revisit and make new recommendations and I think that is kind of an okay thing, too. to have happen.

So, I guess I would just caution about trying to be too prescriptive at a point where there is not much to be prescriptive about and it is more important to get the issues laid down and out there than it is for us to sit here and worry about everything being in place.

That is all.

MR. REYNOLDS: I would to play off of Judy’s comments for this reason. I think this is a very key topic. Last night I had dinner with one of the companies that won one of the ONC bids because they happened to be working in our state. So, I did it as my other job last night. You will be seeing next week more specific sets of recommendations from real companies who have been paid real money to talk about what this thing is. We don’t know exactly what it is and every single issue that we are discussing right now will be very key to have on the table for ONC, for the Secretary and everyone else because when they come and talk about an architecture and they come in and talk about a recommendation it already discusses matching patients to records which is one of the things we, the other letter we have. It already talks about using existing standards and it absolutely talks about every single thing in this letter.

So, there is a reality out there that yes we don’t know the details but we know the philosophy of what is coming and I think if we don’t get this stuff on the street there will be things that will happen because they are going to demo systems that have already decided some of these things, philosophically, I mean really and so I think we have got a real tipping point here where we don’t know but I am where Judy is. I implement a lot of that. You don’t quite know it where you do the functional specs or the next specs but you have got to be willing to step out there to keep the conversation going the right way. So I think this is like paramount to keep moving because it is going to happen and it is happening and it is happening a little faster, soon than it is right now.

DR. ROTHSTEIN: Let me just ask a question. I know we have got Jeff and Paul and Kevin on the list.

MR. BLAIR; Before you do this may I ask a question? I think maybe my comments might be helpful before you make that summary comment. I have been on the Subcommittee on Standards and Security for what, like 8 years? Whenever we write a letter we have a mind set and the mind set is that the recommendation should be clear and actionable. They are the purpose of the letter. Everything else is a prerequisite to support the recommendations. That is the reason for the letter is the recommendations.

This is different. This is a different kind of letter. This has a different purpose and in this case the purpose is to frame the issues and I know I have to swallow my pride but seriously this letter just does a beautiful job of framing the issues and I would have to tell you and I am not going to tell you which of the recommendations I completely disagree with but there is a couple of them. I completely disagree with them but it doesn’t matter. The value of this letter is that it does a tremendous job of taking us a big step forward in framing the issues.

So, the perspective I have is to whether you want to say swallow, accept, ignore, whatever, compromise on the recommendations because I feel like the framing of the issues is so well done in this. The value is so high that I feel like I just want to make sure the letter gets passed during today and tomorrow.

DR. ROTHSTEIN: Thank you, Jeff. Here is the question that I have to raise for you. We have heard a lot of suggestions on what to do with C4. We can’t rewrite C4 here but we can rewrite C4 tonight and bring it back. So, the question is the people who are on the list and those who may want to get on the list would you be willing to defer the final up or down vote on C4 until we can come up with another version for you and then agree to move on to C6 and 7?

Thank you. Okay, so, —

MS. BERNSTEIN; I have a modest suggestion up there if people want to think about it overnight or send me an e-mail if you are available tonight or whatever.

DR. ROTHSTEIN: You can read it but no comments.

MS. BERNSTEIN: The wording isn’t exactly so but it says, “HHS should monitor the development of this policy issue at the local and regional level, collect evidence of the economic, social, public health … implications and continue to evaluate in a public participatory process whether national policy and opt in or opt out becomes appropriate.”

DR. ROTHSTEIN: Okay, let us now move to C6 and 7.

Oh, Kevin, sure?

DR. VIGILANTE: This will be very quick, just with permission of the Chair because I don’t know if it is appropriate but just a non-binding show of hands just to see in fact how many people actually favor opt in versus opt out. I am just curious off the top of your head where do you stand? Is that appropriate or not appropriate?

DR. COHN: I don’t think that is appropriate. I don’t think it matters.

DR. VIGILANTE; What about those who possibly don’t agree with either? I just want to see how much consensus we do or don’t have right now.

DR. ROTHSTEIN: Okay, C6 is on Page 9 and let us put this into context. We said earlier that we are giving people or that they should have the right to decide whether they want to release their records, their health information via the NHIN and now the question is in this section what methods should individuals have to control that and what should they be able to control from disclosure, C6. HHS should decide whether individuals should have the right to control access to specific content, other health records via the NHIN and if so the appropriate means and C7 if individuals are given the right to control access to specific content of their health records via the NHIN the rights should be limited such as by being based on the age of the information, the nature of the condition or treatment or the type of provider.

So, let me give you some context for the Subcommittee discussion. There was disagreement in the Subcommittee about whether people should have the ability to go down to a level of detail or whether they should be all in or all out, right? And C6 says, “Well, this is one of these things where HHS should decide whether we are going to allow people to make finer decisions about what they want to have go via the NHIN as opposed to we are in it or we are out,” and so we punted on that particular issue but then C7 says that if HHS makes the decision to allow individuals or to require whatever entities control this so that people should be able to limit in not an all-or-nothing fashion but limit certain information from disclosure our Subcommittee then agreed that they should not, individuals should not have the right to have an open-ended choice as to the kinds of information that they wanted to not have go out there. As described in the text that would maybe kill the whole confidence providers had in health records but the right should be limited but we don’t know exactly how yet and some ways could be based on the age of the information or the nature of the condition or the type of provider. So, that is an explanation of where we are. This is another one of these kind of easy ones. So, the floor is open for comments.

DR. SCANLON: I will add again my friendly amendment that C6 should have an introductory phrase that says based on a public participatory process.

DR. ROTHSTEIN: Thank you.

Okay, I can see general consensus on that. So, we will move to —


DR. COHN: Should we give people a brief break at this point?

DR. ROTHSTEIN: Okay, we are going to have a 10-minute break and we will resume at three-fifteen with Section D.

(Brief recess.)

DR. COHN: Okay, let me make it very clear, we are obviously going to be making changes tonight in the letter. We will be bringing it back. I do want to make sure there is enough time for at least a reading of the MPI letter before we break up into subcommittees.

What I think that will mean is that we are not going to be doing word smithing on it, but we will be asking for all of you to read it again tonight and try to come in eight-thirty in the morning with changes or word smithing on it, and we will try to get that quickly into a revised version for consideration tomorrow if that is okay.

Mark, would you like to —

DR. ROTHSTEIN: I would love to.


DR. ROTHSTEIN: We left off with Section D. D is the controlled disclosure of personal health information and in this section we proposed the use of role-based access criteria and contextual access criteria and the recommendations are as follows: D1, HHS should expressly require that role-based access criteria whereby custodians of health information limit disclosure to those persons and that data required to carry out an approved function apply to all EHRs including those available via the NHIN.

D2, HHS should investigate the feasibility of applying contextual access criteria to EHRs and the NHIN enabling health information disclosed beyond the health care setting on the basis of an authorization to be limited to the information reasonably necessary to achieve the purpose of the disclosure.

D3, HHS should support research and technology development. I am sorry, should support research and technology to develop contextual access criteria appropriate for application to EHRs and inclusion in the architecture of the NHIN, and D4, HHS should convene or support efforts to convene a diversity of interested parties to design, to fund and develop role-based access criteria and contextual access criteria appropriate for application to EHRs and the NHIN.

So, the floor is now open for comments, questions.


DR. COHN: Yes. I think just a word smithing issue which I don’t have the word smithing but I can’t figure out, I mean D1 I had issues with before and I think it is better. I just am not quite sure what whereby custodians of health information limit disclosures to those persons and that data required to carry out an approved function. I may not be smart enough to know what that means.

DR. ROTHSTEIN: Let me explain what D1 was intended to do. Does that help? Okay, D1 takes up the issue of whether individuals who work or let us just use the HIPAA term for covered entities in any capacity get access to the entire health record when they only need access to a certain part of it and in the text we use billing clerks or food service employees or whatever, and so this is a way of asking that HHS should expressly require that role-based access criteria be applied.

Now, Sue McAndrew mentioned on one of the telephone conference calls that we had that her maybe interpretation is too weak, her pronouncement is that under the privacy rule role-based access criteria already is a required standard of conduct but our recommendation is that without disputing that HHS should expressly make a statement that role-based access criteria will be required not just for EHRs but also for information that is accessible via the NHIN. So, that is the purpose of D1.

MR. BERNSTEIN: Simon, this is my formulation actually because we had to reword this, but it just basically was supposed to be a short, concise, parenthetical or a positive actually. It is supposed to be a short explanation of what role-based access criteria is which is that it requires custodians of data to disclose information only when the person is the right, you know only to people who need it and only the amount of data that is needed by that person.

That is the idea, that it is limited to who needs it and what they need to do, whatever the job is that they say that they are doing or that they are permitted to do.

DR. ROTHSTEIN: So, my question, Simon, would it make you more comfortable if we just took that whole phrase out, and it would then read HHS should expressly require that role-based access criteria apply to blah, blah, blah, blah, blah? It would use the text for the explanation of what it is.

DR. COHN: I think that would actually help a lot. I guess the only question then I would have is whether it is applied to or be implemented in, and I am also wondering if it is just EHRs or whether it is EHRs and any other sort of access to the NHIN, since I am not sure that the only access to the NHIN will be through EHRs which seems to be what —

DR. ROTHSTEIN: I concur with that.

DR. COHN: Right now it says, “Apply to only EHRs including those available via the NHINs,” and so I sort of going with you. Are we talking really data on vocational health? Are we talking about health information data available via the NHIN?

MS. BERNSTEIN: It means within a hospital setting for example.

MR. BLAIR: Simon’s point is that any patient health information might be available over the NHIN. Don’t limit it to EHR.

DR. COHN: Is there an assumption here that the only way you get to the NHIN is through an EHR.

MS. BERNSTEIN: No. Do you want to expand the word, I am sorry I thought you were talking about a different part. Do you want to say instead of should apply to EHR, you want to say that it should apply to personal health information.

MR. BLAIR; Do you want and instead of including?

DR. COHN: Yes, and would be helpful but I am just not sure what the EHRs and personal health information accessible over the NHIN and access to personal, and I am kind of making this up as I go along but I am just trying to —

MS. BERNSTEIN: What if it said, “It should apply to all personal health information including EHRs available via the NHIN”?

DR. COHN: Better. That is good.

DR. TANG: How about, “Should apply when access to personal health information via the NHIN”?

MS. BERNSTEIN: That is not what Simon was saying I don’t think.

MR. BLAIR: I think it may be what Simon was trying to get to and I think that is correct, it is all personal health information.

MS. BERNSTEIN: Just to point out, that would change the meaning of what this said which was that would change it to just information available over NHIN and not other information. For example, HIPAA right now —

DR. ROTHSTEIN: We want to ask that what already is in the privacy rule with respect to covered entities be expressly stated.

DR. TANG: I think this would help do that without tethering it to any technology or I mean it is basically, what you want to do is if we are going to create this interconnectivity you want to make sure that you have HIPAA-like protection when anybody touches that stuff. So, if we just say that you have role-based access criteria for accessing personal health information over this NHIN that I think would be universal and uniform.

DR. STEINDEL: Maya, since you said that this was your wording why did you use EHRs including those available by the NHIN for D1 and on all the other places you used EHIRs and the NHIN?

I think what I am hearing is people would be happy if the first encompassed the idea of EHRs and the NHIN, so, you know, the same construction throughout the whole thing

DR. ROTHSTEIN: It is not a substantive problem for us. Okay, so we have solved D1. Anybody on our list for D2, 3 or 4?

I can see everyone is anxious to move to E which is the section on regulatory issues and the first subpart of that deals with jurisdiction, scope and relationship with other laws and we have three recommendations from Section E1.

E1 recommendation, HHS should work with Congress to ensure the privacy and confidentiality rules apply to all individuals and to entities that create, compile, store, transmit or use personal health information in any form in any setting including employers, insurers, financial institutions, commercial data providers, application service providers and schools.

E2, HHS should explore ways to preserve some degree of state variation in the health privacy law without losing systemic interoperability and essential protections for privacy and confidentiality and E3, HHS should harmonize the rules governing the NHIN or the HIPAA privacy rule as well as other relevant regulations including those regulating substance abuse treatment records.

I will give you a few seconds to think about those.

Okay, Judy?

DR. WARREN: Just because we have run into this in standards and security, where does this work when we want to work with the DEA on sharing of health information especially in substance abuse? Are they being included in this in working with Congress or are we just talking to HHS.

DR. ROTHSTEIN: HHS of course controls the SAMHSA but not DOJ obviously. So, we did not specifically make a recommendation that the Secretary do anything with regard to other federal agencies. E3 only says —

DR. WARREN; I am just asking so I understand. It is okay that it is not mentioned in here. I am just asking so I understand the scope of the recommendations. I am not saying that we should add that here. I just want to be clear on that. I just want to know where we are going because we have heard testimony in Standards and Security that sometimes this puts up a barrier in sharing information.

DR. ROTHSTEIN: I am sorry, Steve?

DR. STEINDEL: Yes, Judy just brought up a very good point that is a little more troubling and it is not necessarily DOJ. It is DHS because they really want to get their hands on this data.

MS. BERNSTEIN: The HIPAA rule applies to covered entities but there are various exceptions there. They are worked into the privacy and confidentiality rules and generally you have exceptions for necessary uses that society finds you know and anti-terrorism, counter-terrorism, Homeland Security, law enforcement are those types of things that often come up.

DR. STEINDEL: I think Judy’s point was that what we were doing in E1 was restricting it to HHS which is really all that we could do and we might want to use the phraseology we used in some Standards and Security reports. HHS should work with other federal agencies and Congress you know just to indicate that we are cognizant of the fact that this may apply outside of HHS in other federal agencies.

DR. ROTHSTEIN: I have no problem with that. I mean they want to work with Department of Education or with FIRPA(?) rules or whatever.

Anything else in E, I mean E1, 2 and 3.

The second part of E deals with procedures and E4 says that HHS should incorporate their information practices into the architecture of the NHIN and E5, HHS should use an open transparent and public process for developing the rules applicable to the NHIN and it should solicit the active participation of affected individuals, groups and organizations including medically vulnerable and minority populations.

I just got a thumbs up from the Populations Subcommittee. Okay, so, Section E3 is enforcement and let me go to the recommendations on Page 14, E6 through 10. E6, HHS should develop a set of strong enforcement measures that produce high levels of compliance on the part of custodians of individually identifiable health information but does not impose an excessive level of complexity or cost.

E7, let me just comment that the change that was made, it originally said, “Cost that discourages investment,” but I think we are referring to cost in a broader sense than just that, and it would be cost for maintaining it and so forth.

E7, HHS should ensure the policies requiring a high level of compliance are built into the architecture of the NHIN.

E8, HHS should adopt a rule providing the continued participation in the NHIN by an organization that is contingent on compliance with the NHIN ‘s privacy confidentiality and security rules.

E9, HHS should impose severe penalties for egregious privacy, confidentiality or security violations committed by any individual or entity and E10, HHS should support a legislative or regulatory approach to provide individuals whose privacy, confidentiality or security is breached, I think that should be with reasonable compensation, right?

DR. FITZMAURICE: Who would pay it? Are you suggesting that the government might pay it?



MR. BLAIR: I am wondering whether to add an item here. One of the things that has frustrated me for a long time is I have felt that the HIPAA privacy regs, the greatest value of that was to reassure the public that their health care information would be protected in electronic form but the way that we administered it was we really put the emphasis on compliance of the health care industry. So they felt that this was a burden, and we have done very little to educate the public on something that really is a benefit to them.

So, I am wondering here as we get to the NHIN and we are talking about privacy maybe we should be explicit and add in this particular item that we should have a comprehensive public education program. Let the public know that these privacy protection and enforcement activities have been put in place.

DR. ROTHSTEIN: Jeff, that is Section G. I appreciate the comment and when we get to G if that is not satisfactory we will pick up your point.

Okay, we are still talking about E6 through 10.

Okay, we have got Justine.

DR. CARR: Just to follow up on what Michael was saying do these align with the purview of HHS? I mean is this within the scope of what HHS can do? He had mentioned the financial one but I am just —

DR. ROTHSTEIN: I think that is why certainly in E10 we say, “Should support a legislative or regulatory approach.” It may well be that there is going to be a requirement that Congress enacts enabling legislation to do that and not to give a flippant answer to your question, Michael, I mean who would pay, presumably the entity that did the breaching and caused the harm to the individual would have to pay but I don’t know the specifics of that.

DR. CARR: So, for example, should impose severe penalties for egregious privacy, I mean is that a function of the HHS or is there an arm that could do that or where would that responsibility be assigned?

DR. HOUSTON: First of all at least to the degree that the entity is a covered entity today and now I understand that there are other recommendations later on that discuss expanding the scope of some of this but today I guess what OCR can do is that there is the ability to impose several monetary penalties. So, as we spoke about it this morning, it is not something that has been done yet but I think you could take that and apply it this, I believe, I think because at least to the extent that it is a covered entity that has done something wrong within the NHIN environment because still you are dealing with a covered entity at that point in time. I am looking at Susan, but —

MS. MC ANDREW: I mean I would need probably a legislative, I mean what we could impose is if they did something that is a breach of the, if it was a HIPAA privacy violation you could impose —

DR. HOUSTON: That is what I mean, yes.

MS. MC ANDREW: — the CMP that is in the HIPAA statute to that activity. It may also be a breach of a policy for the NHIN.

DR. HOUSTON: I am just saying that right now I think you have at least partial authority as it relates to covered entities to fine them for things that would otherwise violate HIPAA privacy rules which would take you part of the way.

MS. MC ANDREW: But we couldn’t on our own authority say that we are now going to impose the HIPAA CMP structure on other entities for violation of other policies and procedures including the NHIN procedures.

MS. BERNSTEIN: I think maybe Justine was asking a more general question. So, criminal penalties are generally imposed by the Department of Justice. If we find that there may be a criminal penalty that needs to be investigated at any agency other than DOJ generally we will refer that for investigation to DOJ and some agencies have the ability to impose civil penalties. EPA, for example, has the ability to impose civil penalties on environmental violators and other ways of compensating people exist such as private rights of action and so forth. So, there is a variety and what Sue is responding to is our current authorities. If the authorities are not there to support this and the Secretary sees fit to seek expansion of the authorities the Secretary can seek that authority if he sees fit. He has to go to Congress in some cases if he doesn’t believe that he has the current authority.

DR. CARR: I guess I wasn’t even just limiting it to criminal but just is there a function within HHS that could be an affecter arm of all the things that we are recommending or is this just very, are some of these theoretical good ideas but would take a lot of work to —

MS. BERNSTEIN: Are you asking does the authority exist now to do this or are you asking if an agency could have such kinds of authority?

DR. COHN: I am sorry, I just want to short circuit this conversation only because I think the language in E10 that you underlined actually should probably be cut and pieced into a couple of other areas since it seems to solve the problem.

I actually don’t know that we need to decide whether it is going to be HHS alone or whether it is through some regulation or whether it needs legislation or whatever but I guess I am wondering whether that language that is underlined in red in E10 should apply to E9 and I guess the only other question I would have is potentially whether it would be E6. Some would be regulatory. Some would be legislative.

MS. BERNSTEIN: I think the language that is underlined is underlined to show you where additions were made.

DR. COHN: I am commenting because I think it does well as a —

MS. BERNSTEIN: Just let me finish my thought which is just that it was drafted relatively quickly to try to capture the idea that in some cases we don’t know whether we have the authority or not. If the Secretary needs the authority he should seek it and if he has the authority he should use it. We are not saying that the Secretary should certainly seek legislation. As I understand it I mean the Subcommittee wasn’t saying that, just that the Secretary should support this and however it is required to support that sort of a thing the Secretary should go ahead and do it. Is that a fair statement?

DR. ROTHSTEIN: I think what Simon is suggesting is to move that red language from E10 as the intro to E9.

MS. BERNSTEIN: Right, but it would mean that we already understood that we need legislative or regulatory, that this is the proper approach legislative or regulatory and we might need to tweak that.

DR. ROTHSTEIN: I don’t think that approach is needed for E6, 7 or 8.

MS. BERNSTEIN: Right, this is my point and in some cases it is not necessary and in some cases it might be but I think there is no problem with the general idea.

DR. COHN: So, I think we are saying that it would be appropriate for E9.

MS. BERNSTEIN: I don’t know how Sue would characterize the existing penalty structure that is available to OCR under HIPAA but it could be that those —

DR. ROTHSTEIN: But the jurisdiction isn’t broad enough. So, we might as well just add that.

MS. BERNSTEIN: Right but there are some cases where she had the authority and some places where it doesn’t exist.

MS. MC ANDREW: And I guess the other thing to keep in mind particularly and this goes I guess to E8 was how much of any of this NIH anticipation with regard to private entities was going to be a regulatory mandate from the government as opposed to voluntary market-driven participation. So, how some of these penalties get laid out may not be, the government regulation may not be the mechanism that would appeal to the driver.

MS. BERNSTEIN: Right, that is what I am saying. It is possible that that would be done by a private right of action. It is possible that private entities would self-regulate like they do in the securities area. There are possible other ways of doing this.

DR. ROTHSTEIN: May I make a suggestion? We have two items on our list for evening massages, C4, FD1 and now — Jim?

DR. SCANLON: In E10 are you suggesting specific types of compensation? In the text are you suggesting a right of individual actions?

DR. ROTHSTEIN: No. We are suggesting that if someone suffers a tangible loss as a result of this disclosure then they should receive compensation. We have —

DR. SCANLON: I see the text.

DR. ROTHSTEIN: Do you see the text?

DR. SCANLON: Against the perpetrator?

DR. ROTHSTEIN: Yes, but not private right of action in that tort context because we say that at the bottom of 13. Enforcement of principles are the following and we set that out and federal/private right of action should be avoided.

Any other comments on E6 through 10?


DR. STEINWACHS: For E6 just for clarification HHS should develop a set of strong enforcement measures that produce high levels of compliance and I am asking with what. So, then I go back to E5 and I see well, the rule is applicable to the NHIN. So, I recommend putting it high levels of compliance with the rules applicable to the NHIN after that so we know what the compliance with what is.

DR. ROTHSTEIN: I think that is fine unless anyone else has objections.

Thank you.

Anything else on E6 through 10?

Okay, we are now up to F, secondary uses and we don’t have too many. These recommendations actually are shorter than you may have remembered them last go round. They keep getting shorter all the time.

F1, HHS should support legislative or regulatory measures to eliminate or reduce as much as possible the potential discriminatory effects of health information disclosure. In this we are talking about discrimination in employment and life insurance.

DR. FITZMAURICE: Do you want to preface that by the potential harmful discriminatory effects because it may be more efficient to penalize people who smoke and have them pay higher health insurance premiums? That may be something that society decides to do.

DR. ROTHSTEIN: So, you want to add the word “harmful”?

DR. FITZMAURICE: Then we can quarrel over whether it is harmful or not. If it is harmful then we should penalize people who do it.

DR. STEUERLE: Do you feel that you have made adequate discussion in here particularly the secondary use is an area that is perhaps elsewhere on whether at times distinctions need to be made for research purposes? I am thinking particularly of a lot of issues I know where confidentiality and privacy issues have really dampened ability to do all sorts of things. IRS by the way has a national data set but there are huge sets of privacy rules with respect to whether that data could ever be disclosed and so there are all sorts of nuances. That is published, by the way in a national network. It has to be sent to the IRS. So, it is not just locally disclosed to a local IRS agent and IRS does on occasion release data files without identifiers.

So, for instance one way research issues are sometimes dealt with is you might develop an information network where identifiers are not available and the main purpose is to send to CDC or something some set of information and you could develop a separate survey but you might view this NHIN, develop a separate way and you haven’t thought of all the things you could research.

I just wonder if you don’t need some slight exception here that says that some of the previous discussions with respect to identifiable information do not necessarily without going into details, do not necessarily apply to the gathering of information often in NHIN network that might be used for research purposes. Don’s issue of all that it means I just, you could read some of the stuff as, and I have seen this happen again and again where research that had no threat of privacy or confidentiality harm really got dampened because the privacy and confidentiality rule that was developed from language like this basically made the lawyers say, “Hey, I am just going to interpret this as strictly as possible, no information available for research. You can’t even let people go into a department and look at records.”

MS. BERNSTEIN: Are we still talking about F1?

DR. STEUERLE: It is just secondary uses.

DR. ROTHSTEIN: Let me see if I can describe the context for this. First of all I agree with your comments about research. The long-term members on the Committee know that the Subcommittee on Privacy and Confidentiality has worked on research two or three times over the last 5 or 6 years and has sent a couple of letters to the Secretary on that issue and that is on our agenda to take up again, yet again because of a conflict between the HIPAA privacy rule and the common rule and the burdens it has on research.

That being said, the purpose of the secondary uses discussion in F1 is really to —

DR. STEUERLE: I am not talking about F1.

DR. ROTHSTEIN: In F, okay? Is really to deal with sort of the substantive side of our earlier discussion in D on contextual access criteria and let me see if I can explain how this comes up? If you have a third party who conditions a contract benefit employment, whatever on signing authorization we say in D that we think the disclosure of the information should be only that information that is relevant to the third party use. They shouldn’t get everything necessarily.

Well, that is not good enough because getting everything means getting it via the NHIN and you have a right to get your own information and what we want to sort of complete the circle is to say that you can’t ask for that information regardless of how you got it. You couldn’t ask the person who is applying for disability insurance or long-term care insurance or employment to get their own records and give you stuff that they couldn’t get through the NHIN because of the rules that we are putting in under D1 and so this is the need for substantive legislation and that is why we have in these things dealing with this to prevent discrimination.

On your point about whether we should specifically stick in the language you want on research why not do that for public health? I think you could make an argument that you don’t want to impede public health from getting access to the legitimate records and you could make arguments for all sorts of things that I would support in the abstract but I don’t know that this is the right vehicle for making those points.

DR. ELO: May I follow up on that a little bit because I think that the point that Gene made is a very important one. In fact, when I read E1 I thought —


DR. ELO: E1 where it just expressly requires access criteria, access to some of that information if it was relevant to that particular research but I misread it probably. Let me give you an example. Even within HHS it has sometimes been very important to have the ability to link CMS data to survey data. Ultimately it would be useful to be able to link the National Health Interview, these records to survey data. You could go and ask the individual’s permission presumably when you do that survey whether you could link the electronic records for them. Now, would that be preventive under the use recommendations?


DR. ELO: So, you don’t think it is necessary to say anything about it because HIPAA was creating a lot of problems for some of us.

DR. ROTHSTEIN: You would have that access because it is relevant to the lawful use of the information for the purpose for which it was intended. So, I don’t see that problem. I am at the head of the line in saying that we need to deal with the research issue and that is on our agenda for the fall assuming that we get through the NHIN report.

DR. TANG; I think if I am not mistaken we were considering having further hearings about the whole secondary data use topic as follow up for the privacy work group because this came up and actually in the testimony expanded even some of our scope of what we didn’t even think of before. I think this has come up. Perhaps a placeholder and even verbiage that says that we found this to be an important topic and we plan to have further hearings may be warranted.

DR. ROTHSTEIN: I have no problem with that. You may recall that last January, that is January 2005 we had the first of these when we had a full day hearing on employers’ access to health information and we heard from various employer groups and occupational physicians and the like and so it is a continuing interest of the Subcommittee. So, maybe we can work and see where —

DR. TANG: That would be fine.

DR. ROTHSTEIN: Okay, is there anybody else?

MS. BERNSTEIN: I am not sure whether I am supposed to put a placeholder in or what. Let us try to effectuate what you just decided.

DR. ROTHSTEIN: I think what we need to do is we will draft a sentence tonight to put in the introduction to Section F under secondary uses indicating some of the things that Paul said and that Gene said.

DR. WARREN: Based on the comments just expressed by Irma and Gene as we get ready to go into strategic planning tomorrow I think that these are areas that we really need to try to look at that are coming up and to address them there because they have more information than what we have because in standards and security we are also looking at secondary uses of data. There are a lot of issues that still need to be addressed just from the standards perspective not even from the privacy and confidentiality. So, I think that is probably a better venue for us addressing all of this other than the couple of sentences that you are recommending.

DR. ROTHSTEIN: Thank you. Now, have we done F2?


DR. ROTHSTEIN: We have not? Okay, this is the relationship to the HIPAA privacy.

MS. BERNSTEIN: We are not going to change the language of F1, the specific recommendation. We are going to add language into the text.



DR. ROTHSTEIN: F2 says that HHS should amend the HIPAA privacy rule to better control the privacy confidentiality and security practices of business associates.

DR. FITZMAURICE: Mark, anybody reading this wonders how should it be amended. What amendments should take place? It doesn’t say anything.

Read the last paragraph. Based on a chain of trust model that permits information appropriate among those involved in treatment; however, an interoperable information sharing environment, i.e., the NHIN for personally identifiable health information will increase the amount of information that can include priorities not originally contemplated by the privacy rule.

I don’t see how the privacy rule doesn’t cover that and that amendments to the privacy rule would cover it. I think the privacy rule does cover it.

DR. ROTHSTEIN: We say in the first paragraph if the privacy rule is not amended, this is sort of the middle of the paragraph, the new system of EHRs in the NHIN would permit domestic and overseas business associates to be able to obtain much more health information without any more oversight. Indeed in the case of overseas associateships which are increasing in the commercial marketplace understanding or controlling the use of information may be particularly difficult.

DR. FITZMAURICE: But a violation of the privacy rule is still a violation of the privacy rule. There are things you are talking about there even in that first paragraph that would be a violation of the privacy rule, right? You might want to step up enforcement or something but how would you amend the privacy rule?

DR. ROTHSTEIN: Russ, do you want to comment on this? This was your language.

MR. LOCALIO: The issue was that under the current privacy rule HHS is limited to taking action against covered entities. So, the issue was if there is expanded access to personal health information that would not be adequately protected by current rules that have that limitation. The possibility for many more non-covered entities to get access to personal health information —

DR. FITZMAURICE: Wouldn’t they still be violations of the privacy rule?

MR. LOCALIO: No, they are not covered entities. So, they are not violating.

DR. FITZMAURICE: How would they get it from covered entities?

MR. LOCALIO; They could get it from covered entities just the way they do now because they are business associates for example but they are not violating. They are not covered entities and they are not in violation of any privacy rule. They may be in violation of some contract. They may be in violation of some agreement but that is not a violation of the privacy rule and therefore none of the other restrictions or potential actions that people could have would be available.

DR. FITZMAURICE: The covered entity can still be penalized for the business associate’s violation. He has to do three things and they can avoid it.

MR. LOCALIO: That is possible, I am sure but that does not prevent, that may not deter the activities of the non-covered entities nor will it give any potential action for the individual. The individual has no relationship now to the entity that is not covered.

DR. FITZMAURICE: So, would you make business associates covered entities as the current covered entities are? Delegacy is actionable.

MR. LOCALIO: I understand but I think the purpose of previous recommendations if I can cite them for example —

MR. REYNOLDS; Go back to E. You are exactly right. Go back to E1. I think E1 kind of covers it.

MR. LOCALIO: E1 embraces this problem and it is now expanded to work with other federal agencies and Congress to, etc.

DR. FITZMAURICE: You would have everybody in the world be a personal health information trustee which I kind of agree with. I would agree with that. If I find it lying on the street and I spread it out to everybody I should be penalized for it. I don’t disagree with that. I agree with that.

MR. LOCALIO: I don’t want to answer your question. I just want to refer to E1 to say that somebody needs to consider this issue.

DR. FITZMAURICE: All right, but F2 is more specific and it looks like you just want to make them covered entities and that is fine with me, too.

DR. ROTHSTEIN: One of the things that might happen is under F2 that is not in E1 is we might face or HHS might decide to place greater burdens on covered entities now to regulate the practices of their business associates beyond the three things that are currently required.

DR. FITZMAURICE: Okay, well, I guess we have to go to Congress to get stronger penalties on covered entities to monitor their business associates.

DR. ROTHSTEIN: We have got a big shot in this Congress.


DR. STEINDEL: Yes, when I first read F2 I interpreted it kind of the way it has been broadly interpreted that we would amend the HIPAA privacy rule and as Mike put it essentially make everybody covered entities, however, it is effectively done, but when Mike was talking I saw that my comment was how can HHS amend the privacy rule to extend to entities that they don’t have any authority over and I think that was the big rub and then you pointed out that we actually covered that loop with E1 which we do and I think the solution to the problem is somehow see E1 when you are talking about F2 because otherwise anyone who is reading this is going to say that this is all well and good but the HIPAA privacy rule is going as far as it can in that area.

DR. ROTHSTEIN: One possibility would be to say in the event that E1 or until E1 comes to fruition that HHS should amend the privacy rule because suppose Congress says that for international relations or whatever we don’t want to deal with overseas, we don’t want to cover overseas companies. What HHS might do is to amend the privacy rule to put more of a burden on the current domestic covered entities to regulate their business partners.

DR. FITZMAURICE: They could just do that, Sue?

MS. MC ANDREW: I mean yes. It is in the formulation of the rule as to what duties we would require of covered entities with respect to their business associates and one could argue that after OIG regulations that a business associate would be the agent of the covered entity and the covered entity could be 100 percent liable for the bad acts of their agent. For a variety of reasons in terms of trying to reasonably balance the need for these third parties within the industry and our inability to regulate them directly and what kind of burden we should pass on to the covered entity with respect to the actions of these third parties we took a much more limited view of it and came up with the scheme that is in the rule now where the covered entity is required to pass on some contract restrictions but we have limited the liability of the covered entity for the bad acts of their business associates if they take the proper actions.

DR. FITZMAURICE: And so what is being recommended here is to put a stronger burden on the current covered entities for the improper practices of the business associates?

MS. MC ANDREW: Correct.

DR. FITZMAURICE: We should say it that way.

DR. ROTHSTEIN: Okay. Tomorrow we will see your wish is granted.


DR. COHN: I sometimes worry about what we support here but I guess we will take a look at it and see what it says.

DR. SCANLON: Another friendly amendment. You are assuming that amendment is needed and I wonder if you don’t want to back it up and HHS should examine or assess whether those —

DR. ROTHSTEIN: I think that is probably a wise amendment. Maya, you have that? Okay.

Anything else on F.

Jeff, we are on to G which is titled Establishing and Maintaining Public Trust.

MR. BLAIR; Oh, yes, thank you.

DR. ROTHSTEIN: And we have three recommendations here. The first one, G1, public and professional education should be at top priority for HHS and all other entities of the NHIN.

G2, meaningful numbers of consumers should be appointed to serve on all national, regional and local boards governing the NHIN.

G3, HHS should establish and support ongoing research to assess the effectiveness and public confidence in the privacy, confidentiality and security of EHRs and the NHIN.

MR. BLAIR; Thank you. A blessing on your head.

DR. ROTHSTEIN: Okay. We have got Mike and then Simon.

DR. FITZMAURICE: Just a question, suppose I am a private corporation and I am running the NHIN in a particular region. I have a board of directors. Would this rule require me, a private company, to put consumer representation on my board of directors?

DR. ROTHSTEIN: This one is not an HHS recommendation. This is one of these where we are just sort of making a hortatory statement.

DR. FITZMAURICE: Okay, and it says, “Recommendation.” I got confused by that. It is hard to tell.

DR. ROTHSTEIN: I understand. We have got Simon and then Bob.

DR. COHN: First of all congratulations on making it through the reading of the document. Secondly I was actually just going to suggest the naming of what this is and maybe what I am hoping is a friendly amendment. I was going to suggest this is privacy and confidentiality principles in the national health information network and maybe given where we have gone with this that it would include the word “principles.”

DR. ROTHSTEIN: I see some frowns, Simon, not me, just members are frowning.

DR. COHN: Who is frowning?

DR. ROTHSTEIN: Paul has a frown.

DR. TANG: I think it is a good idea to have created a principles document but I don’t that is what we set out to do or ended up with and that is the only objection I have. I think having a set of principles would have been a wonderful document.

MR. HUNGATE: I just wondered in J3 whether PHRs would be a part of that as well.

MR. BLAIR; I don’t know if PHR is going to be part of NHIN or not.

MR. HUNGATE: I don’t know either. It just occurred to me that there was a piece of work there. I thought I would ask the question.

DR. ROTHSTEIN: It may be that when they set this up they will want to broaden it. It is a little bit beyond —

DR. HOUSTON: There is a fundamental difference between PHRs and EHRs and it is the fact that the patient is in a position to contribute to the PHR and can make the decision what to and what not to put into the PHR based upon the privacy practices of the PHR. I think we wrote a letter about some of that, too, correct? So, I mean I think we have covered some of the issues related to that already if I am not mistaken.

MS. DEERING: With regard to that I think for those of us who are beginning to work already on the forum next week we know that as a matter of fact the consortia were directed as one of the use cases to include PHR. So, it is a foregone conclusion. No, I shouldn’t say that, but at least in the preliminary proposals EHRs really figure fairly prominently.

Now, what the outcome is is something different but they are explicitly included in use cases and called out as functional requirements within what is going to be presented next week. I am not making any statement about what that means for your letter though.

DR. STEINDEL: May I suggest in G3 we just say, “Privacy, confidentiality and security of the NHIN and its components”?

DR. ROTHSTEIN: I think that is very helpful.


DR. STEINDEL: Take out EHDs.

DR. ROTHSTEIN: Okay, thank you. Other comments to G?

Anything else on the letter at all? We have got four or five issues that, I am sorry, Mike?

DR. FITZMAURICE: How many consumers is meaningful?


DR. ROTHSTEIN: Okay, any other comments?

Thank you very much and we will revisit your favorite issues tomorrow.

MS. BERNSTEIN: Did we decide about is it you and me? Am I doing this? Are we going to convene the Subcommittee all together?


DR. COHN: Mark, congratulations and Maya thank you very much.

DR. CARR: It would be helpful to have all the recommendations listed now that we have gone through the whole document if we could just see them.

MS. BERNSTEIN; We can make it like an executive summary of the recommendations in the front or something.

DR. ROTHSTEIN: It might be easier to deal with assuming that everybody —

MR. BLAIR: I guess the real value or purpose or thrust of this letter is those recommendations. I really feel it is framing the issues. So, I mean I don’t care if you decide to do that but I almost feel like it is putting the emphasis not where the real value is.

DR. CARR; I am sorry, I didn’t mean for the Committee to have it in addition to, not instead of.

DR. COHN: Okay, Mark, again, congratulations, Maya, and I am sure they will be happy to take recommendations off line, also, if you discover anything else.

Agenda Item: Draft of NPI Letter – Harry Reynolds

Now, I do want to take just a couple of minutes and ask Harry to I guess give us a reading of the NPI letter since that is something we need to talk about, matching patients to their records. I think the expectation would be that there are substantive issues. I think we need to hear about it, word smithing and we would ask if that could be delivered to Harry or Judy.


DR. COHN: To Judy either at the end of the day or first thing tomorrow morning.

MR. REYNOLDS: Would you like the whole letter read?

DR. COHN: I think you had better read the whole letter.

MR. REYNOLDS: I agree. I just wanted to make sure. Okay, by popular demand even after privacy we are back.

“Dear Secretary Leavitt:

“The National Committee on Vital and Health Statistics (NCVHS) has responsibility for recommending standards for HIPAA and e-Prescribing transactions. In addition, the NCVHS has a responsibility to recommend to the Secretary health care information standards that will improve health care quality, patient safety and efficiency. This letter will identify and recommend methods and standards to improve the process of successfully matching patients to their records. Successful matching of patients to their records directly impact patient safety and efficiency.

“During the past year the Committee has held six hearings on the topic of matching patients to their records. The role of unique patient identifiers was identified in the testimony to ensure a complete discussion of the matching process. Successfully matching patients to their records is essential for HIPAA-related transactions and Medicare Part D transactions as well as for the functioning of electronic health records and Regional Health Information Organizations.

“According to testimony the health care industry has developed various approaches to uniquely identify patients and match them to their records for treatment, payment , operations, administration and research purposes. The Committee heard from a variety of testifiers on how patients could be appropriately identified and matched to their records. These testifiers represented care providers, researchers, vendors, e-prescribing switches such as RxHub, payers and government agencies including the Veterans Health Administration (VHA) Affairs, the Indian Health Service and the Social Security Administration (SSA). This letter summarizes testimony heard during the last year and provides the Committee’s recommendations based on that testimony. Additionally there are important privacy and security concerns associated with the development and use of unique patient identifiers that are outside the scope of this letter but will be addressed in future NCVHS recommendations.


“There are several ways to match patients to their records. They are described below.

“Unique Patient Identifier. The unique patient identifier is a data element that can be used to match patients to their records. Many entities assign a unique personal identifier to their members/patients, primarily for administrative purposes. For example, health plans routinely assign members a health plan identification number and/or case number. Medicare assigns beneficiaries a Medicare number upon enrollment. Care provider organizations assign identifiers for internal use. Coupled with demographic and other data the assigned identifier is a key element for matching patients to their records within individual enterprises, such as health plans. However, because the internal numbers assigned to individuals very among plans, providers, pharmacies and others, there is interoperability of such numbers across enterprises and sometimes even within enterprises such as those with multiple campuses or corporate names.

“The Social Security Number is a widely used patient identifier because it is consistent among organizations for the same patient. However, given issues of identity theft related to access to SSNs, many entities are moving away from using this number as an identifier and are assigning a unique organizational identity number. In addition the validity of the Social Security Number as a unique personal identifier has eroded in recent years because there are more frequent instances where several people used the same SSN.

In addition in rare circumstances the same SSN has been issued by the SSA to more than one individual and an individual may have more than one SSN.

“Many have called for a national unique patient identifier as required in the administrative simplification provisions of HIPAA in 1996. However, in response to Congressional directive the federal government has ceased its efforts to select and implement a national unique patient identifier. Several testifiers observed that the private sector is not similarly constrained. Further, the potential value of a national patient identifier to the efficiency of the health care system and specifically for matching patients to their records has not been thoroughly investigated.

“Methods for matching patients to their records. Most organizations have implemented master patient indexes (MPIs) or enterprise patient identifiers as defined above to meet the need for accurately matching records to patients within their domains of responsibility. These methods are often based on a core set of data.

“Many entities use a core set of demographic data to identify patients with a high degree of probability. These include first and last names, date of birth, gender and zip code.

“The core set may include a SSN and/or organizational identifier such as previously calculated or assigned health plan identification number.

“Using these and potential additional data one of two methods are commonly used to match patients to their records.

“In the first method, a deterministic matching determines if the direct one-to-one correspondence with a given number of variables exists between known patient data and data in the record.

“In the second method, a probabilistic matching algorithm assigns weights to the variables and calculates the probability that a match exists when there is not an exact correspondence between the known patient data and the data in the record.

“Testifiers indicated a high percentage of correct matches result when they use either method usually around 95 percent. When “unique” and accurately recorded patient identifiers are used the matching accuracy goes as high as 97 percent. When the probabilistic method indicates that the probability of match does not meet the organizations’ standard for acceptance the match is assigned to a human reviewer to adjudicate whether a match exists. Adjudication may incorporate additional demographic traits, such as Mother’s Maiden Name, Place of Birth, City and State. This is a labor-intensive and time-consuming process.

“There are a number of factors that prevent a perfect match regardless of the number and the perceived quality of variables used for matching or the intensity of human scrutiny of records review. For example, transposition of digits in key data (zip code SSN, date of birth, misspellings and variations of names and abbreviations and recording the wrong city of residence (Jackson, MS, instead of Jackson, MI) plus other kinds of clerical mistakes are common errors that prevent perfect matches. Other common problems include blending of records for similarly named people in the same family, blending or misalignment of records for different people with the same name or nearly the same name and appropriate age, lack of key data (such as date of birth, errors introduced by the patient (such as the use of a different birth year for different circumstances over time) an system issues such as duplicate entries for individuals, duplicate numbers and issues dealing with patient records from different sites in the system. Normal changes in life events (surname changes, address changes) also provide challenges in matching patients to their records.

“In addition there are variations among entities in their standards for a perfect match versus a near-perfect match. These standards depend on the entity and its purpose for the match. For example, the standard tolerance for error may be less stringent for certain kinds of research and administrative uses and more stringent for medication history, drug administration and other situations where clinical decisions are required to ensure patient care and safety. In addition, entities must weigh their tolerances for risk of false positive and false negative matches as well as for the administrative time and expense needed to adjudicate questionable matches or rejected non-matches. Some entities such as the Social Security Administration use the risk schema developed by the National Institute of Standards and Technology (NIST) which also forms the basis for evaluation risk issued by the federal Office of Management and Budget.

“Public Trust. The testimony from the care providers and the RHOs indicated that a public trust is essential for successful matching of patients to their health records. Fist, the patient and his/her records must be accurately matched. Second, the health record must be accurate and securely transmitted. Third, authentication of the entities providing and receiving the information must be done. Fourth, protection must be in place so that health records can be accessed by only those authorized by the patient or provider.

“Observations and Recommendations

“Observation 1. The opportunity to improve the quality of patient care and patient safety is based on the interoperability of EHRs and the accurate linking of data in EHRs to the correct patient. Care providers are justifiably reluctant to use potentially erroneous information when making decisions about treating patients. For RHIOs and the Nationwide Health Information Network to be successful data and information must be interoperable and accurate. This requires health data to be matched to the correct patient. Moreover, if two organizations need to share patient data but use different matching methods then there is a possibility that the data from the first organization will not be properly matched to the correct patient in the second organization. There are no singularly agreed upon performance criteria to judge core patient identification data sets and methods for matching patients to their records.

“Recommendation 1a, HHS should identify and recommend minimum criteria for successfully matching patients to their records. The NCVHS recommends that the Office of the National Coordinator for Health Information Technology (ONC) establish a specific program to provide national leadership and direction for this purpose. NCVHS stands ready to advise the Department on such a program.

“Recommendation 1b. HHS should create a number of data sets for use by entities for testing the accuracy of their patient matching to records.

“Recommendation 1c. HHS should collaborate with public and private organizations on the development and deployment of Record Locator Services (the MPI between organizations). This should complement the above ONC program that will identify criteria to facilitate the accurate matching of patients to their records.

“Observation 2. A standard does exist that defines the format and content of patient identifiers. ASTM E1714-95 standard specifies a 16-digit number followed by a character delimiter, a six-digit check sum and an optional four-digit encryption scheme. The DoD and the VHA use this the ASTM standard for their patient identifier and they are developing a plan that will enable them to transfer patients from the DoD to the VHA without the need to create a new number for the patient identifier. This plan will enable interoperability.

“Recommendation 2a. HHS should work with DoD and VHA to study the technical, financial and social impact of use of the ASTM standard to create and maintain patient unique identifiers to match patients to their records and increase interoperability.

“Recommendation 2b. HHS should work with the DoD and the VHA to collect data from patients throughout their populations that have been assigned a unique health identifier and assess the positive and negative aspects to their trust in the system.

“Observation 3. The provision in the 1996 HIPAA legislation that called for the creation of a national unique patient identifier caused a public outcry based on privacy concerns. This resulted in a directive from Congress that federal funds not be expended to implement a national unique patient identifier. As a result the potential value of a national patient identify to the efficiency, cost effectiveness and accuracy of patient data has not been investigated nor has there been public discussion about whether and/or how the privacy concerns might be addressed.

“Recommendation 3a. HHS should investigate whether the use of a national unique patient identifier will improve the efficiency and patient safety of authentication, registration and matching of patients to their records. This investigation should examine the potential benefits of a national unique patient identifier, real and perceived privacy issues and estimates of the economic impact. HHS should share the results from this investigation with the health care industry and the general public.

“We appreciate your consideration of these recommendations to improve the process: successfully matching patients to their records.”

Before we have any discussion the Committee would like to thank Judy Warren for her leadership on this. We had so many letters going on that we had different people step up to take the initial lead on this. So, Judy, thank you.

So, the floor is now open for substantive changes.


MR. HUNGATE: This is really more of a question. The second page of the description talks about the private sector not being similarly constrained with respect to a personal identifier. Is there any evidence of enterprises advancing a product with an identifier and a patient card or something like that which would articulate that?

In other words, recommendation 3 says that HHS should do something but if there is something going to occur in the private sector that would provide the same experiment that is another option in that direction. I wondered if that was considered.

MR.REYNOLDS: I don’t believe in the testimony we heard any national initiative to address this. There are absolutely individual entities that are doing that for themselves but I don’t believe we heard anything. Judy, jump in. I don’t believe we heard anything about any private industry or any standards group or anybody else.

DR. HUFF: You are right. We didn’t hear any testimony to that effect, but there is a company that is offering the opportunity for people to sign up and get a national patient identifier. I received a solicitation to sign up. I could find out who it is if we care.

MR. REYNOLDS: Bob, we didn’t hear anything that would have driven us in this letter to call that out but we did hear that private industry is not equally constrained.

MR. HUNGATE: That just suggested to me that there might be something going on there.

MR. REYNOLDS: We were stating fact and that is why there is nothing in the recommendation about it.

MR. BLAIR; There have been individuals that have observed that the constraint that the Federal Government has put on itself did not necessarily apply to the private sector and therefore there have been some professional organizations in health care that have discussed the idea of going forward with a voluntary patient identifier. I am not aware that anything has gotten enough steam where it has gotten widespread interest.

MR. REYNOLDS; Okay, we have got Russell, Paul, Jim and John and then Mike.

MR. LOCALIO: I just had a question whether the statement in observation 3 that the directive from Congress that federal funds not be expended prevents HHS from investigating in recommendation A the use of the national patient identifier will improve so and so, and I haven’t seen the text of the directive from Congress, but I would ask should you be saying in recommendation A that HHS shouldn’t —

DR. COHN: Could you use the mike?

MR. LOCALIO: I am wondering whether recommendation 3a should indicate that HHS should work with Congress to investigate whether — in other words is HHS precluded from doing what you recommend in 3a by the congressional directive in observation 3?

PARTICIPANT: You can investigate but you cannot finally implement.

DR. SCANLON: To be honest I think you are recommending things that it would be extremely imprudent in an advice for HHS to do. I guess that is my big concern.

This is again a public policy issue. There are technical and there are other aspects but this is largely a public policy issue. How do you do this and when Congress directed HHS not to proceed along these lines whether it is literally true in Fiscal Year 2007 or not, I don’t think HHS would, I mean you are basically recommending that HHS proceed along the lines that we have been told not to. That is my concern.

The other thing is I think you are inadvertently giving prominence to unique health identifier technology rather than the other methods and I don’t know that that is, I think what you heard was that there is a whole panoply in the armamentarium and why would you single out, I mean looking at techniques for doing this without sort of favoring one is one thing but I am a little concerned that you are sending HHS recommendations that we couldn’t do and it almost puts the Committee in kind of a —

MR. REYNOLDS: Let me break your question into two pieces, Jim. We did hear that with the unique identifier whether local or national that the degree of match is better. We did hear that.

Now, the second part is whether or not there is discussion about that being a national identifier. I think I get your point clearly but I think the testimony that we heard clearly was when there is a unique identifier and as you would think of the NHIN and you think of the stuff going between disparate, the unique identifiers that have been used up until now that we heard testimony on are within institutions in many cases and those work great because you have got a kind of a controlled environment. As soon as it steps outside the boundaries of those organizations what we heard is that is where it starts to come apart and you are only using the demographics and then your degree of match drops.

So, that is an explanation. That is not a defense, but we hear you loud and clear on whether or not we should be pushing this hard on this recommendation. I take that very seriously what you said.

Let us keep going through the list. Paul?

DR. TANG: I think the background about the issue is very, very clearly articulated and the options and the trade offs. Actually I didn’t hear as clearly as I just heard what your conclusions or summarizations from the hearings were.

So, it was very clear what you just said is that there is an advantage that you heard from your testimonies of having a unique identifier and that actually didn’t come quite as crisply out of here as I just heard.

The other thing is I guess reading the recommendations I got a little bit lost in the train of thought. I would almost reverse it if I were to try to see where you are going is one if you took recommendation 3 it says that you ought to figure out whether it would actually do any good to have one of these things before you decide not to do it.

Second, somebody has already embarked on using an identifier that is really long and I will hold on the editorial for right now and then the first one was to go look at having a program within ONC. So, that would have made more sense and created a logic for me but I think I share Jim’s opinion that it sounds like you are presenting your conclusion that we didn’t actually hear in the letter the evidence for that conclusion.

The other thing is I wonder whether you, did you have testimony from Markles’ Connecting for Health Program?

PARTICIPANT: They never responded to the invitation.

DR. TANG: Okay. So, the answer is no for whatever reason and it speaks a lot of, in fact, RLS is sort of their coined term that they give a rational for why they came out against having a unique universal identifier and have three prototypes using their RLS using their matching algorithms and have results that they can report to you at least and perhaps that is even one of the answers to your recommendation No. 3.

Just a moment on recommendation 2, as far as this ASTM standard and maybe it is captured in the recommendation 2b but one of the values of having a number if you are going to have one is that the individual can memorize it and 16 digits is really long.

MR. REYNOLDS: We agree that it is long. However, the purview of the Committee was we obviously clearly heard testimony that two significant government agencies involved with the Secretary are in fact adopting standards that are in fact moving forward. So, understanding if that is going to be viable understanding it is a little bit like CHI, I mean understanding if it is going to be viable, understanding if it is going to be implemented is key as we look and so in no way are we endorsing it necessarily but we also, can’t in fact ignore that it is going on especially in some very large agencies that are major factors in this arena.

So, that is why we felt that that one was one that we needed to keep some attention on.

DR. WARREN: I just wanted to clarify with you, Paul about the logic that you saw. It was really clear to us that in the foreseeable future we are not going to be doing a national unique patient identifier. However, we did want to look at one to see where it fit. So, that is why we came out with really spending more time and talking about the algorithms being used out there and heard lots of testimony on that. We then found out from the testimony from the VA and the DOD about the use of a standard which was kind of interesting because none of us knew about the ASTM standard nor did any of our testifiers know about the ASTM standard. So, we thought that this was a good natural experiment to ask people let us pay attention to how the members that have the DOD and VHA identifier respond to that especially from a social perspective.

It then was brought up that no one has ever really looked at is there any efficacy or efficiency in having one of these and should that question also be asked which is why it was put off until last. We kind of started off with what we thought the more important ones first and then picked up very specific things that were coming up.

So, you still have your concerns about the logic of presenting these three recommendations. I am trying to get some help from you about how we might reorder this.

DR. TANG: It seems like we want to understand is it a value because there is certainly a lot of controversy and that is where I guess recommendation 2 goes because somebody is already doing the natural experiment.

Still the military and VA probably do have a different group of folks that would or would not keep their card, for example, as one of those things. Then I guess my only thing is with No. 1 those data out there to learn from which is the Markle experiment using the RLS and then I guess I am still nervous about 3 as not implementable because HHS has been told not to do that. So, it seems like that is not a feasibility study you have access to.

MR. REYNOLDS: Jim, you were on the list. Did you have another comment?

DR. SCANLON: No, I think I had mine. I think I have a suggestion.

DR. COHN: Obviously we should get additional comments but I would like obviously to allow the subcommittees to begin to break up at some point.

John Paul, do you have a final comment on this one or do you want to sit on with the Subcommittee on Standards and Security?

DR. HOUSTON: I just have a very short comment, that being having read through this one thing I have advocated and I know it is really not in the context of the letter but it is No. 3. I just would somehow relate to No. 3 as the fact that I think even though that Congress said that you cannot spend money on this, I think that there is a value in trying to look at a national health identifier and one way I think to depoliticize that is to say that a national health identifier could not be used for any other purpose other than TPO. I think that was basically —

DR. COHN: Say that again?

DR. HOUSTON: The reason why I think the national health identifier didn’t go forward for other reasons but one of them was because of the abuses that I think people saw with the Social Security Number and I think one way to depoliticize adopting a national health identifier would be to say that there are strict limitations on its use and that it is illegal to use it for any other purpose other than for TPO and I understand and I don’t know how you fit into the letter that way but I think there is some value instead of trying to push for a national identifier I think that that is one way of strategy or one recommendation you could make to try to get some interest in allowing things to move forward and that is my only point.

DR. COHN: Why don’t we break up into subcommittees and at that point we can have further discussion on this to see if it is ready for really being forwarded at this meeting as well as obviously discuss the other issues.

MR. BLAIR; Actually the comments that I made are really relevant to the full because the subcommittee already knows these and with respect to recommendation No. 3 in Jim’s piece, Jim’s comment I am trying to see if we could resolve that for the full Committee.

DR. COHN: I think Jim will stay with us.

DR. SCANLON: This is public policy and honestly the letter looks like we are trying to tweak Congress or something. I just have an uncomfortable feeling about it and I would rather we rework it in the context of more of an evaluative, and I don’t think it is intentional but you know it is sort of like it is pushing back where it is really public policy. It is not technical.

DR. WARREN: We didn’t intend. We were trying to make it —

DR. SCANLON: I know but I think in the context in which other people talk about the unique health identifier we would have to be very careful and this is probably not the letter you want to re-enter that debate with.

DR. COHN: Steve?

DR. STEINDEL: I have a very quick comment. I think it was Bill who made the comment earlier or it was Gene, I forget which one but it was that corner of that table asking about whether NCVHS letters are read and could be used for these purposes. I started receiving e-mails approximately twelve-thirty this morning from the CHI group about our passing of the letter and just received two comments thanking the Committee from the Chairs of the Multimedia Work Group. So, I can assure you these letters are read and very quickly.

DR. COHN: Steve, thank you. Why don’t we allow the Subcommittee on Populations to go to 325 and the Standards and Security will deliberate here. We obviously will start again at eight-thirty in the morning and I want to thank everyone.

(Thereupon, at 5:20 p.m., a recess was taken until 8:30 a.m., the following day, Thursday, June 22, 2006.)