[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

Full Committee

June 22, 2006

Hubert H. Humphrey Building
Room 505A
200 Independence Avenue, S.W.
Washington, D.C. 20001

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, suite 180
Fairfax, Virginia 22030
(703) 352-0091


P R O C E E D I N G S [8:35 a.m.]

Agenda Item: Call to Order

DR. COHN: Good morning. I want to call this meeting to order. This is the
second day of meetings of the National Committee on Vital and Health
Statistics. The committee is the main public advisory committee to the U.S.
Department of Health and Human Services on national health information policy.

I am Simon Cohn. I am the associate executive director for health
information policy for Kaiser Permanente and chair of the committee. I also
want to welcome committee members, HHS staff and others here in person.
Hopefully, we will have others on the Internet shortly.

As always, I want to remind everyone to speak clearly and into the

With that, let’s have introductions around the table and around the room.
For those on the National Committee, I would ask if you have any conflicts of
interest related to any issues coming before us today. Harry. Would you please
so publicly indicate during your introduction?

I want to begin by observing that I have no conflict of interest.

MS. GREENBERG: Good morning. I am Marjorie Greenberg from the National
Center for Health Statistics, Centers for Disease Control and Prevention and
executive secretary to the committee.

DR. STEINWACHS: I am Don Steinwachs, Johns Hopkins Bloomberg School of
Public Health, member of the committee and no conflicts.

MR. ROTHSTEIN: Mark Rothstein, University of Louisville School of Medicine,
member of the committee. No conflicts.

MS. WARREN: Judy Warren, University of Kansas, School of Nursing, member of
the committee. No conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield of North Carolina,
member of the committee and I am chair of the CAQH Core Initiative.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the committee.
No conflicts.

MR. LOCALIO: Russell Localio, University of Pennsylvania School of
Medicine, member of the committee. No conflicts.

MR. HOUSTON: John Houston. I am with the University of Pittsburgh Medical
Center. I am a member of the committee. Since we are not on the Internet, my
only conflict is with Harry and that has nothing —

MS. MIELLA: I am Ara Miella. I am the liaison from the Bureau of Scientific
Counselors to the NCHS and I am from the University of Pennsylvania, Department
of Sociology in the Populations Center.

MS. MC ANDREW: Sue McAndrew, Office for Civil Rights, liaison to the

MR. STEUERLE: Gene Steuerle from the Herbert(?) Institute and member of the
committee. No conflicts.

MR. SCANLON: Bill Scanlon from Health Policy R&D, member of the
committee. No conflicts.

MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health, member
of the committee. No conflicts.

DR. CARR: Justine Carr, Beth Israel Deaconness Medical Center, Boston.
Member of the committee and no conflicts.

DR. HUFF: Stan Huff with InterMountain Health Care and the University of
Utah in Salt Lake City. Member of the committee and no conflicts.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention,
liaison to the committee.

MR. BLAIR: Jeff Blair, Loveless Clinic Foundation, member of the committee.
No conflicts.

MR. J. SCANLON: Good morning. This is is Jim Scanlon. I am the executive
staff director for the committee and I am the deputy assistant secretary for
science and data policy in HHS.

MS. SIDNEY: Cynthia Sidney, staff to the committee.

MS. FRIEDMAN: Maria Friedman, Centers for Medicare and Medicaid Services,
lead staff to the Subcommittee on Standards and Security.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC,
committee staff.

MS. GOVAN-JENKINS: Wanda Govan-Jenkins, National Center for Health
Statistics, CDC.

MS. DEERING: Mary Jo Deering, National Cancer Institute, lead staff to the
Workgroup on the National Health Information Infrastructure.

MS. CANAAN: Susan Canaan, writer to the committee.

MS. BICKFORD: Carol Bickford, American Nurses Association.

MR. ESMONGA: Don Esmonga(?), American Health Information Management

DR. COHN: Kevin, would you like to introduce yourself?

DR. VIGILANTE: Yes. Kevin Vigilante, Booz, Allen, Hamilton. A little tardy.

DR. COHN: Anyone else that needs to introduce themselves that were not part
of the initial round? Okay.

Well, this morning we begin with action items that we discussed yesterday,
just as a for your information. One of the letters from the Subcommittee on
Standards and Security that related to identifying or matching patients to
their records and information has been deferred for this meeting and I think
will be brought back for subcommittee discussion. We may be seeing that in
September. But we do have two remaining items. I guess one was passed and the
letter related to HIPAA will be discussed today as an action item.

We also have the privacy letter, which I think has gone through some
revision in terms of recommendations and we will actually be addressing that
first during the morning session.

After the break, we are pleased to have Don Detmer, former chair of the
NCVHS and John Quinn with Accenture joining us to talk about emerging policy
issues in health information and health information technology policy. Then we
will have reports from subcommittees and workgroups, a review of future
meetings and issues, before we adjourn the full committee somewhere between
probably the 12:00 and 12:30 time frame.

With that, Maya, welcome. Good morning.

I think committee members have copies of the most recent version of the
letter and we will turn to Harry — actually to Mark and to Maya to lead us
through the changes and I think new recommended verbiage.

Agenda Item: Subcommittee on Privacy PHIN

MR. ROTHSTEIN: Thank you, Simon.

You should have at your places two items. One is the changed version of the
revisions that we made after yesterday’s discussion that we will go through and
also a separate list of the recommendations so you can use either one, of

Our first change item is on page 5 in the text and we are not going through
too much text today. We simply added at the end of the first full paragraph the
sentence, “NCVHS was unable to reach agreement on this issue to reflect
the discussion that we had yesterday.”

That deals with the opt in, opt out issue.

MS. BERNSTEIN: On the copies I made a little comment on the side because
you and I had not agreed on this but it occurred to me just reading the flow of
this paragraph that this issue would be ambiguous by the time you got to the
end. So, I suggested on the right something you and I have not agreed on, which
is in your copy.

MR. COHEN: Maya, were you proposing the comment in the right as alternative

MS. BERNSTEIN: Right. And as an alternative, which Mark and I have not
discussed, but as I was reading it — I was editing it last night — I just
tried to read the flow of the paragraph and it did —

MR. ROTHSTEIN: I think your suggestion is much better.

MS. BERNSTEIN: It says, “NCVHS was unable to reach agreement on which
approach to adopt as to how individuals should exercise this choice.”

MR. ROTHSTEIN: This is page 5.

MS. BERNSTEIN: It is the section on opt in, opt out.

MR. ROTHSTEIN: At the end of the first full paragraph, the alternative
language —

PARTICIPANT: I am just wondering if you should read the whole paragraph.

MS. BERNSTEIN: Yes, I will be happy to do that or, Mark, do you want to
read it?

MR. ROTHSTEIN: Go ahead.

MS. BERNSTEIN: It says, “There are two basic approaches for giving
individuals the choice of whether to have their health records accessible via
the NHIN, opt out and opt in. Under the opt out approach, individual health
information is presumed to be available to authorized persons via the NHIN, but
any individual may elect not to participate. The advantages of this approach
are that it may be easier, less costly and result in greater participation in
the NHIN.

“The other approach, opt in, requires that health care providers
obtain explicit permission of individuals before allowing their information to
be available via the NHIN. Without this permission, individual health
information would not be accessible via the NHIN. The opt in approach increases
individual autonomy, but is more administratively burdensome and may result in
fewer individuals participating in the NHIN.”

Want me to read my last sentence? It would say, “NCVHS was unable to
reach agreement on which approach to adopt as to how individuals should
exercise this choice.”

MR. ROTHSTEIN: I think maybe we want to change one thing that reflects
yesterday’s discussion and that would be “NCVHS was unable to agree
whether to endorse either approach” because I think there was some
discussion that there might be a third way somehow and that gets us out of the

DR. COHN: Actually, can I just break in for just a second? I just want to
welcome those who are coming in on the Internet. I understand that the Internet
is just activated. For those listening in, this is a meeting of the National
Committee on Vital and Health Statistics and we are discussing the letter on
privacy and confidentiality.


MR. HOUSTON: Do we want to say — is there sort of a preface in this
sentence, “While NCVHS believes that patients should have the right to
participate, we were unable to reach agreement regarding which approach —

MR. ROTHSTEIN: We have previously said that. On page 4 under 2, the second
sentence, “The NCVHS believes that individuals should have a choice about
whether to participate in the NHIN.”

MR. HOUSTON: Maybe we want to move that down in front of this last sentence
then. Because I think there is a value in saying that we believe that they
should have the right, but we are not sure which method would be appropriate.

MR. ROTHSTEIN: I just want to see what is left of the first paragraph.

MS. BERNSTEIN: Where is the sentence — I am sorry.

MR. ROTHSTEIN: On page 4, under 2, “Mandatory or Voluntary
Participation,” the second sentence, “NCVHS believes that individuals
should have a choice about whether to participate in the NHIN.” John is
suggesting that we move that to the end of the sentence before the —

MR. HOUSTON: Actually, I am looking at the entire paragraph. I apologize.
It really is linked. It almost makes it disjointed if you move that sentence. I
don’t know. I just think it needs to be somehow stated along with —

DR. COHN: Well, John Paul, let’s take a look at that sentence and see if
maybe there is a parenthetical beforehand.

MR. BLAIR: Could I suggest that rather than moving — I agree with John
that it would be helpful to have that statement. So, is there any reason why we
can’t be slightly redundant by restating that sentence at the beginning of this
one, so it is in both places?

DR. COHN: Well, dah, dah, dah, dah, dah, NCVHS —

MR. J. SCANLON: — supports the principle of — although NCVHS supports the
principle of choice, we were unable to blah, blah, blah, blah, blah.

MS. GREENBERG: How did you say it, Mark? You changed that — I mean, I
think it would be fine to just say NCVHS was unable to reach agreement on which
approach to adopt period. I don’t think you need this other language, which I
think you get a little lost in. But you had a different way of saying this.

MR. ROTHSTEIN: Well, Maya put it up on the screen there, which says we were
unable to agree whether to endorse either approach as to how individuals should
exercise this choice and so that it gets us out of the either/or and holds up
in the possibility that there might be some other way that would be better.

DR. TANG: Just from a sentence construction, how about if we — unable to
agree whether to — unable to agree on a specific approach as to —

MS. GREENBERG: For exercising —

MR. HOUSTON: Just a lot of words is what we don’t need to have there.

PARTICIPANT: We could just say an approach.

MR. HOUSTON: An approach period.

DR. COHN: I would say — we have talked about this a hundred times but I am
just wondering, we can either just say we were unable to agree or is it the
sentiment of the committee that we felt that it was premature to endorse an
approach. I guess I have made a couple of comments — I just don’t think we
know quite yet, which — it is a little bit early. So, I guess I would offer
that for consideration.

MR. ROTHSTEIN: We have got Gene and then Bob.

DR. STEUERLE: I am not sure what to do with this, but as I was listening to
the radio this morning, the discussion was over Senator Hatch’s proposal that
data be sent immediately, I don’t know to whom, maybe it is Centers for Disease
Control, I don’t know, but on the use of non-prescription — I think it was
vitamins, wasn’t it — there was a big supplement issue and I am guessing. I
don’t know. I am guessing that if this was 20 years from now and there was an
NHIN out there, the proposal might say that they want this data to be sent to
the Centers for Disease Control and I don’t know whether they would be asking
people personally whether they wanted it to be sent, especially if there was no
personal identifier sent along with that.

So, even the language on giving people choices, there are some areas right
now, I presume, where we send things to the Centers for Disease Control, where
there is no choice. And if we imbedded what we do now into this NHIN, we
wouldn’t give a choice. So, I guess the vaguer we are about this or at least
maybe a friendly amendment might be giving individuals the choice where they
have their health records. Maybe it says — is the first sentence in that
paragraph, have their health records or portions of their health record
personally identifiable.

I am not quite sure where to go with that, but it seems to me we just need
to be a little careful here — we all have different views about what —

MR. ROTHSTEIN: I do want to refer you to footnote 1 at the bottom of page
5. So, I think that may go to part of your concern, but we can, you know,
consider the other language that you had.

Yes. Okay, Bill.

DR. SCANLON: I have a similar concern and it is the recommendation in C2 is
setting up a system where we are not going to be able to use the NHIN for
surveillance. We are going to have to have another system that runs in parallel
for who have opted out, that if they have a reportable condition, that is going
to have to be reported separately. It is that kind of implication that worries
me now in the sense that we don’t have a good fix on what the NHIN is going to
be and, therefore, how are we going to be sort of content with the consequences
of living up to this recommendation. Other recommendations do two things. One
is they mostly ask for study of what will be the implications of options before
we actually select one.

They also are much more sort of kind of targeted. Everything is more
conditional. Who is going to have access? What kinds of information is or is
not sort of allowed to sort of opt out of the system? Those are very different.
C2 is very broad. We are saying that if you opt in, we may say you can’t
exclude certain data later on. But under C2, you could opt out completely and
all your data is not there. So, you are going to have to have a separate system
and I guess it is that idea that we are going to say that there is going to be
two systems and there is going to have to be, you know, some maintenance of
potentially very suboptimal parallel system that is potentially disturbing. You
could respond. Well, if we do a really great education job, there is going to
be so few people that are involved in this that it is not going to matter. But,
you know, that is kind of begging the question in my mind.

MR. ROTHSTEIN: I am not sure what your sort of bottom line is.

DR. SCANLON: My gravest concern is about C2. I mean, it has been about the
fact that it is one of the few things that we are absolute on; whereas, in the
others, we are asking HHS the way the pros and cons of options and I am not
sure that at this point that it is sort of possible for us to know all the pros
and cons of C2 and to reach such a strong conclusion because it is more
absolute and sort of C6 and, you know, which is whether individuals have the
right to control access to specific items. He has got the right to be out of it
completely, but you don’t necessarily have the right to say X, Y and Z is going
to be sort of excluded.

MR. ROTHSTEIN: Let me explain the thinking behind C2. It may be the most
absolute. I think you are probably right in that, but that is the intent
because for at least the members of the subcommittee and we are certainly free
to discuss other approaches, that this is an absolute foundational principle
upon which the NHIN should be built. Now, we have in footnote 1 exempted all
the sorts of disclosures that are going to be made for law enforcement, public
health and so forth from that control.

I think that ethically and politically the NHIN is going to fail and never
get off the ground — this is my personal view — not speaking for the members
of the subcommittee — unless language of this type is — an approach like this
is built into the system because if you think Congress jumped on the national
identifier to shut down HHS, wait until you see what happens when HHS is
considering a system of everybody’s electronic health records get zipped around
and you have no choice in the matter. I mean, that is my personal view, just as
a political statement, but I think the committee felt that as a sort of an
ethical and policy principle, we ought to give people a choice.

Now, in the later sections, as you have pointed out, we do constrain that
choice somehow because of practical considerations. I mean, you can’t have
people, you know, picking and choosing what goes. It just won’t work, we don’t
think. But the basic principle is that you need the permission of the
individual to send their clinical information around in identifiable form.

DR. SCANLON: I think, I mean, for me the fundamental issue is privacy and
we are talking about that privacy right, but in terms of public health and the
criminal justice system, we are willing to compromise sort of that right to
privacy for the greater social interest.

The argument you make on page 4 is in some respects the political argument,
which is this is not going to generate enough popular support if we don’t sort
of provide sort of this kind of absolute right to have a form of privacy in the
sense of opting out, but, again, it is not — we are not really sort of
protecting or giving them sort of the ultimate in privacy. What we are saying
is we can’t use computers to compromise your privacy.

We could accomplish that through a different means, which is to create sort
of such confidence in the security of these data, in the access to these data,
that people are going to opt in and it is going to be politically acceptable to
say you are going to be part of this because right now you are already part of
a system where we are going to make your conditions reportable. We are going to
be able to use things for criminal justice purposes.

See, I think it is — we are kind of working around this because we don’t
have confidence in the ability to protect the data in the NHIN. That is in part
sort of the problem that exists for the Congress in terms of the politics here,
which is that they are concerned about this issue that people are going to be
harmed by the information sort of being available in an electronic fashion.

That is the fundamental thing we should be attacking as opposed to creating
something where as Stan talked about yesterday, this is another area where we
are talking about cost. This is now a cost to everyone in terms of having to
maintain this parallel system. I think that is — the import of that is
something we should be thinking about if we are going to support C2.

MR. ROTHSTEIN: Well, I just want to say one other thing and I don’t want to
be sort of monopolizing the discussion and that is the recommendation in C2
does not flow from the internal discussions of the subcommittee. It reflects
the overwhelming sentiment of the witnesses that we heard from all different
sort of perspectives. There really was, you know, profound support among the
people that we heard from and I won’t burden you with the groups and
individuals behind this.

Okay. Who is next on the list? Bob.

MR. HUNGATE: I wonder, just to follow on Bill’s comment, whether, in fact,
there should be another footnote attached to the recommendation in the case of
someone just reading the recommendations and not reading the supporting
material. The footnote only applies back to the verbiage, not to the

MR. ROTHSTEIN: So, what would your footnote say, Bob?

MR. HUNGATE: I would just a footnote 2 and say see footnote 1.

MR. ROTHSTEIN: Simon, do you want to break in?

MR. HUNGATE: I had something else before I leave the other.

On the wording of the opt in, opt out discussion, I am not convinced that a
fundamental choice between the two needs to be made and your wording clarified
that, Mark. So, I appreciated that.

MR. ROTHSTEIN: Okay. Thank you.


MR. LOCALIO: I didn’t want to make this comment, but I think it is
appropriate now and that is I think that we should limit the C2 as it is here
and not worry about issues such as what can or might be the use or cost or cost
effectiveness of the NHIN because I don’t believe there is any good evidence
that an NHIN can be used for surveillance or research or for pay for
performance. I don’t want to get into that now. I think we should be limited to
the issues of privacy. If we want to get into uses of the NHIN at some future
time and the costs or cost effectiveness of that, I think we should defer that
and I would propose that prior to doing that, we do hearings and the whole bit
on the potential uses of the NHIN.

DR. COHN: Actually I was going to follow-up on Bill Scanlon’s comment and
as I reflected on it, I think most of his comment relates actually to the
footnote or is addressed by the footnote because all the concern I heard was
around public health and other aspects of that. I am actually just wondering as
one who, while I love footnotes, sometimes footnotes get lost in the body of
the recommendation. This may be a place where it makes sense to actually add
what is in the footnote to the recommendation on C2, where we explicitly say
this non-mandatory inclusion of NHIN is not — you know, this is not intended
to disturb the public health stuff.

So, we should stick that on as an actual second sentence, rather than just
footnoting it. I don’t know if that addresses some of your concern, but I think
we just need to — I mean we need to sort of order this one a little bit.

DR. SCANLON: I think there is this issue of a parallel system. I am going
to continue these functions but I am not going to allow them to happen through
the NHIN. I agree with Russell. We are nowhere near today the ability to use
this — to use IT for surveillance, pay for performance, you know, quality
assurance, et cetera. But it is the idea that if you establish a right today,
you know, 15 years from now when the world is different, then do you say this
is no longer a right?

The word “right” to me sort of has very sort of great import and
I would hate to sort of be casual about in creating one today, I am going to
take it away some —

MR. ROTHSTEIN: So, if it read should have the ability to decide, that would
make you happier?

DR. SCANLON: No, I think that is just sort of a word change — it is the
idea of taking yourself completely out of this as opposed to being able to have
more — your degree of control. In the other areas we are saying your degree of
control may be limited by social considerations —

MR. ROTHSTEIN: Let me just tell you to answer that point briefly, we had
witnesses who told us that if they couldn’t opt out of the system, an
underground health care system would be formed in which there will be no
records, no nothing for people who were sort of really very concerned about
privacy issues. I mean, that would be worse arguably.

Okay. The list is Gene, then Stan and Jeff and Marjorie.

DR. STEUERLE: I wonder, assume we remove footnote 1 up, I wonder if we
could make it just a little clearer since I think the language is a little bit
obtuse. This discussion of a non-mandatory inclusion in NHIN is not intended to
disturb traditional principles of health reporting, which might be achieved or
might not be achieved through the NHIN or other established legal requirements.
I think it would make it a little clearer to get to Bill’s point that we are
not trying to say, well, we are not trying to say — well, we are not talking
about a separate system out here. We haven’t even addressed whether this public
health reporting would be achieved or not achieved through the NHIN.

It seems to me that gets at Bill’s concerns. I am not sure if you agree,
Bill, or it is closer.

DR. SCANLON: It is closer.

MR. ROTHSTEIN: Okay. Stan.

DR. HUFF: Yes. I would just like to speak in favor of the current wording
and then there have been a couple of assertions that we don’t know what the
NHIN is and that we don’t know about use of the system in biosurveillance and
other things and I am not — well, there are certainly lots of things we don’t
know about the NHIN. At the same time I don’t think there is any vision of this
that doesn’t involve people in offices and hospitals collecting information and
that somehow we are sharing that nationally and that is the basis — you know,
there are lots of things we maybe don’t know about that, but I think we know
that much. It isn’t anything if it is not at least that.

In fact, there are, you know, aspects of this that are already in place.
There are projects going on within InterMountain Health Care and other places
within CDC, where they are actually real time data for purposes of
biosurveillance. So, these things are in place and there is the assumption
that, quote, unquote, there would be a parallel system . I don’t see it as a
parallel system at all. If I am InterMountain Health Care, I am collecting the
data. People who opt in, I can share outside of my institution if I am
requested to do so, based on public health interests, then that is obviously an
exception and it is moving through the same network. It moves by exactly the
same mechanism. It isn’t a parallel system. It is just a matter of whether
permission has been given to share that externally.

So, I don’t think there is a huge cost associated with this. I think we
know a lot about it. I really support the wording. I think this should be a
right. If we can make it so by saying it, then I am really supportive of doing

MR. ROTHSTEIN: Thank you. The next on the list is Jeff.

MR. BLAIR: This is one of the issues that I chose to keep quiet on
yesterday. I agree with Bill Scanlon. I think that saying that something is a
right is a very, very strong political position and it is something which while
I could wind up agreeing that if we want to encourage as many people to sign in
and we want to avoid political controversies to some extent, that to say you
could opt in or you could opt out, that encourages as many people to sign up
and I could accept that, but to put it in the point where it is right, I think
from a long term standpoint with the world that we live in, I think that there
are implications there, which could be dangerous for the future for the public

So, Bill Scanlon, I think, was proposing something to the effect that to
say exactly what we were thinking when we were winding up saying opt in or opt
out and choose between the two. We are choosing that because we want to try to
have as many people buy in and accept this as the world is today and I would
agree with that. But to wind up declaring things as a right, I think that is
way beyond what our testimony has yielded. That is way beyond what NCVHS is in
a position to do. So, that is my opinion, but I will accept whatever the
committee rules. If Bill and I are in the minority, then, you know, I accept
the will of the committee.

MR. ROTHSTEIN: Maya wanted to —

MS. BERNSTEIN: Jeff, could I just ask you to elaborate a little more on how
you think it might be dangerous to have this right in the future? You were
saying that it might be dangerous to the public health. Could you just talk a
little bit more about that?

MR. BLAIR: Sure. We are facing a world that during the next 15, 20, 30
years, where we may not only have to defend this particular country, but other
parts of the world against bioterrorism on a wide scale basis. The thing about
it is that the early detection means that you have to identify a minority of
folks. You have to — to get early detection, you have to indicate the cases
that come up early and if you have five, ten, fifteen percent of our population
that has opted out and that means that the response of our country to
bioterrorism is delayed by a week, now that may mean hundreds of thousands or
millions of people die, a week delay.

So, now many people probably will look at this and say, well, they don’t
believe that is going to happen today. But five or ten or fifteen years from
now, we may be facing that with much more seriousness. So, putting something in
the form of a right is something our country feels very strongly about the
rights. They are something that goes into either our constitution or the legal
process and we defend our rights.

So, I think that I could agree that opt in, opt out in the current world,
in order to accept as much buy in is something I might even vote for, but to
declare it in the form of a right, I feel, is overstepping.

MR. ROTHSTEIN: Steve had a — I think wanted to respond to Jeff and then we
will go to Marjorie and Jim, if that is okay, Marjorie.

DR. STEINDEL: With the permission of the group, I have been sitting here
silent through the discussion and, obviously, the agency I represent is right
in the middle of this discussion and the profession I represent is also right
in the middle of this discussion. I really — it is very difficult for me to
respond to the discussion that is going on, but I think we are all aware that
at this point in time, CDC is in the middle of rolling out, as Bill puts it, a
parallel system and DHS is in the middle of coordinating multiple parallel
systems for the whole idea of biosurveillance. This is being done in an
unidentified fashion for patient information because really what we are looking
for is not necessarily who has it, but if it is there.

So, we are doing this in a fashion that we can protect the privacy of the
patients from a national aggregation point of view, but we are also doing it in
a fashion that if something is detected that is of severe consequence to public
health in a locality, public health in that locality can use their legal rights
to find the patient and resolve the public health problems.

We have made this decision to go this route, I think, for two reasons. You
know, one reason is time. We are under an obligation to put this monitoring
system in place and actually Secretary Leavitt visited CDC two weeks ago
tomorrow and really changed the time frame a little bit. Basically this, you
know, our time frame was we were assuming we would have, you know, a few
hundred hospitals this year and maybe some more next year and he kind of told
us he wants 3,000 hospitals supplying data to us next year. So, this kind of
changed our time frame.

So, we are putting in the parallel system. We are using that parallel
system and we are starting the type of discussions that Russell indicated
earlier within public health to see how public health and its monitoring
systems can interact and potentially benefit with the NHIN, but, you know, I
really feel that, you know, we should talk about the rights independent of the
public health monitoring systems and the judicial monitoring systems because
those discussions are going on separately.

I was happy with the statement of the footnote and it sitting in the
footnote. I felt that just made a very clear statement that there is
independent stuff going on. You know, from Jeff’s comment, I really felt I had
to react because I think we have to think about the right to the NHIN as
separate from the responsibilities to protect the public.

MR. BLAIR: I just want to make — if I could have the microphone for a
second — I would just like to indicate that I thought Steve’s statements were
very, very compelling and based on what Steve has just said, that I would feel
okay with using the word “right” in this context because of what
Steve has just said.

MR. ROTHSTEIN: Okay. Thank you.

We have Marjorie.

MS. GREENBERG: I think this has been a really good discussion and I am
continuously amazed by really, I think, how well this committee works because I
think, you know, we need these kinds of discussions no matter how much the
subcommittee has dwelled on these things. That said, I remember Lisa Iezzoni
once saying after some — when she presented a report and somebody made a very,
you know, positive comment, she knew what was coming next.

That said, and as much — as high in esteem as I hold this committee and I
do, we are not the founding fathers here. So, I don’t think that the committee
asserting that something is a right has the kind of strength that has sort of
been indicated. I think we need to — you know, I think we need to come down a
notch here and say this obviously is an evolving situation. There is a sentence
that has been put in the letter here. The NCVHS acknowledges that the broad
contour of the NHIN is still being determined. We will continue to update and
refine these recommendations as the architectural and functional requirements
of the NHIN advance.

So, I think that kind of covers us. So, my only suggestion is that this
footnote be put — keep it as a footnote but put it with C2 because it doesn’t
really belong where it is. This is really where it belongs, I think.

MR. ROTHSTEIN: In other words, drop the footnote from the end of the
recommendation, end of C2 instead of from wherever it is —

MS. GREENBERG: Put the footnote with the C2 recommendation not up here
where you are talking about people foregoing medical care and I mean it doesn’t
flow from that. I think this is really where it belongs. Okay. That is all I
have to say.

MR. ROTHSTEIN: The list is Jim, Judy, Justine. We are up to the J’s.

MR. J. SCANLON: I was just going to say the same thing that Marjorie did.
It is amazing when you get smart people in a room that you can identify and
clarify hopefully. But as I see the discussion this morning, there is actually
a couple of things that don’t seem to be all that clear and I wondered if
earlier we make it clear that this applies to identifiable information, not the
anonymized — do we make that clear somewhere?

MR. BLAIR: Yes, that is critical.

MR. J. SCANLON: We are not talking anonymized or micro record kind of —

MS. GREENBERG: But public health does sometimes need identifiable —

MR. J. SCANLON: No, but I mean in general, this is the — this whole
framework applies to —

MR. ROTHSTEIN: Jim, what we could do, in C1, the recommendation says the
method by which personal health information is stored by health care providers
should be left to the health care providers. We could make C2 say —

MR. J. SCANLON: — personally identifiable. That is the key.

MR. ROTHSTEIN: We could say individuals should have the right to decide
whether they want to have their personally identifiable health records
accessible via the NHIN.

MR. J. SCANLON: Yes. That would help. And secondly, I think there is an
analogous framework in HIPAA where, you know, the NHIN does not trump all of
the other statutory requirements that —

MS. BERNSTEIN: And we specifically use different terms that are used in
HIPAA to make clear we are not referring only —

MR. J. SCANLON: — there is a framework in HIPAA where a number of public
policy objectives, including — and certainly statutory requirements, research,
public health and so on, are sort of treated — you know, there are disclosures
authorized under certain conditions for those. I am just wondering if there —
those are basically public

— how do we refer to them? They are either statutory or public policy
objectives and, obviously, the NHIN does not trump those.

If something is required to be disclosed because of a statute or state
public health law or so and — we have to be a little clearer. I think the
footnote gets us started in the right direction and we should move it up.

MS. BERNSTEIN: Right, although I want to point out that things that are on
the NHIN, you know, some of those entities that we might consider to be part of
that, not necessarily covered by HIPAA, because they would have to be covered
entities. There are other — state law and other schemes, right —

MR. J. SCANLON: And you can’t — I don’t think people — you cannot give
people the choice of opting out of statutory —

MS. BERNSTEIN: No, of course not.

MR. J. SCANLON: — requirements. I think that is kind of what —

PARTICIPANT: There are all these reporters, who aren’t covered entities.

MR. J. SCANLON: My recommendation was going to be, No. 1, to move up the
footnote into Recommendation 1 and — C2. I am sorry. Not just public health
reporting. I think we would have to say public health —

MS. BERNSTEIN: Well, it says for other established — it says other
established legal requirements. You can see up here on the screen. I will move
it up so you can see it better.

MR. J. SCANLON: Well, is it legal alone? Is that — I mean, if there is not
a law?

MS. BERNSTEIN: What other sorts — I mean, the public health requirements
are, in fact, established in

law —

MR. J. SCANLON: Sometimes they are statutes. Sometimes they are not.

MS. BERNSTEIN: But they don’t have to be — legal doesn’t necessarily mean
statutory. It could be regulatory. It could be administrative law. It could be

MR. J. SCANLON: It is consistent with other traditional principles of — if
a public policy objective has been established through statute, then clearly
NHIN doesn’t trump it, is there anything less than that that is being trumped

MR. ROTHSTEIN: Well, the concern that I would have is if we go back to the
HIPAA analogy, there are mandatory disclosures and there are permissible
disclosures and it would seem to me that if we went into the field of
permissible disclosures by either what are now covered entities under HIPAA,
but what would be custodians of the health information, then that really opens
things up very much more and sort of takes away from whatever, quote, rights we
are giving to individuals so personally I think that if we tethered it to legal
requirements for the moment, we would be better off.

MR. J. SCANLON: It would be hard to object to.

MR. ROTHSTEIN: So, we have got just —

MS. BERNSTEIN: Before you go on, Mark, you made a statement just before Jim
spoke that I failed to capture about a wording change. I am trying to remember
what that is.

MR. ROTHSTEIN: Oh, personally identifiable health information?

MS. BERNSTEIN: Did you want it to go here in C2?


MS. BERNSTEIN: Instead of electronic?

MS. GREENBERG: No, in front of electronic.

MS. WARREN: I just felt a need to make one comment. I mean, the way the
conversation is going now, I am not as concerned as I was before. But I do know
that the people that I work with, including my own family, we will always
choose whether or not to put our health information somewhere, whether we have
the right to do that or not. You know, personal choice is going to be there and
I think we need to support that. In fact, if we change C2, I am not sure I
could support the letter. To me, that is kind of a fundamental piece that we
have in our country, especially people from the Midwest are just not going to
do anything else but say that they have a right to choose. I mean, this is just
fundamental to who we are as a people.

MR. ROTHSTEIN: Judy, can I ask you if you could support the current wording
up there on the screen?

MS. WARREN: Yes, the current wording as it is now is fine.

MS. BERNSTEIN: — addendum with the footnote in the second sentence or
without or —

MS. WARREN: I don’t have a problem with public health reporting and I don’t
think most people do. What I am responding to was the discussion that said that
we should have everything go at the NHIN and everybody should be able — should
forward their information there and that we don’t have the right to decide to
do that. That is what I am concerned about.

So, the way it is currently, I am very happy with. It is just I felt we
needed one more voice for the intent of what the subcommittee had in there
because I do agree if we take that out, there is going to an underground and
there is going to be a backlash that will make unique patient identifier — so,
maybe you should have that in there. Then my letter would be okay.

MR. ROTHSTEIN: Okay. John Houston –oh, I am sorry. Justine.

DR. CARR: Thank you.

As I am reflecting on this, I have tried to create the context of what we
are talking about, what are the building blocks and I just want — I don’t have
an exact wordsmithing, but just where are we focusing because I think we are
focusing on one answer for four different areas. If we think about the building
blocks, we have always had patient information that a physician has about the
patient. The President has asked that information now be stored electronically.
We are moving to electronic health records. We have another initiative that
that information can be transmitted electronically and we in this letter are
talking about where it goes and to whom it goes.

So, the analogy I have is sort of the railroad analogy, which I think we
have had here before. But we are — our electronic health records are railroad
cars and the NHIN is the railroad, but when it comes to how things traverse the
railroad, if a traveler goes from here to there, we all think about that. No
big deal. If there is explosive materials going on that, there are local rules.
There are state rules. There are things that apply. It doesn’t really affect —
the traveler doesn’t think about it on the day to day.

If there is a fire in the next town and the fastest way to get water from
here to there is on the railroad, it goes on the railroad. So, in my mind, we
should be more focused on who we are talking about. We are talking about
travelers going from here to there that may want to go on a local. They may
want to go on an express. They may want to get off at the first station, not
the last station.

We are not talking about explosive materials that we have to protect in
another way. We are not talking about emergency vehicles that have to get from
here to there to bioterrorism. So, I don’t know if it helps you but it helps me
to think about what is the area that we are focusing on and how do these rules
apply. So, I don’t think we are saying are we going to have electronic health
records. I think that is a national initiative. I think we are building the
highway and that is — we are already committed to that, but we are saying
today how does information travel on it and whose information are we talking

MR. ROTHSTEIN: Okay. Thank you.


MR. HOUSTON: Just one minor comment. I agree with the recommendation. I
don’t have a problem with it, but my one thought is is that thinking about how
requests for information typically come from the government, whether it be due
to mandatory reporting requirements or whatever.

One sort of latent concern that I have is that does NHIN create an
environment whereby information can be gathered in a way that circumvents the
way the laws are structured and the rights and obligations of the covered
entities with regards to how reports are to be communicated. What I mean by
that is like we have an obligation to make certain reports of communicable
diseases and other types of infectious diseases, but it is our obligation to
actually make the report. I am not sure how this all plays out, but I would be
very concerned if rather than us pushing the information, somebody was out
there and just pulling the information without necessarily the covered
entities, the providers knowing that that is occurring or understanding whether
their obligations have been met and things of that sort. So, I think there are
some legal twists associated with making information available for all these
different purposes in this scheme. I just want to sort of bring that up and I
don’t think it needs to be discussed now, but it is something I think is going
to be an issue down the road.

MR. ROTHSTEIN: I do think the wording now, “traditional principles of
public health reporting,” would at least at some level satisfy your
concern, but —

MR. HOUSTON: I was just bringing it up because I think there are some
issues — I am bringing this up because I think there are going to be some
challenges here in using NHIN for these purposes.

MR. ROTHSTEIN: Are there further comments on C2? Well, what I would sort of
ask you to consider is the language on the screen and we have now taken out the
footnote. It is only there as a placeholder, I guess, right? Footnote 2?

PARTICIPANT: Yes, that doesn’t say anything.

MR. ROTHSTEIN: And footnote 1 is now removed as well so that —

PARTICIPANT: Is that right? You want to remove footnote 1?

MR. ROTHSTEIN: Well, if that is the will of the committee and the sentiment
of footnote 1 is now in the text. So, without any objection, we will do that.

Now, onto C4. This was the topic of considerable discussion yesterday and
this is our attempt to capture the discussion and so C4, let me read it, now
says, “HHS should monitor the development of the opt in, opt out issue at
the local and regional level, collect evidence on the health, economic, social
and other implications and continue to evaluate in an open, transparent and
public process, whether a national policy on opt in or opt out becomes

Now, let me just explain the language for a second. Maya and I wrestled
with substitutes for opt in, opt out and it just didn’t work. I mean, it took a
whole sentence to explain the concept that people automatically understand when
they see opt in, opt out, even though we are not necessarily endorsing sort of
the dichotomy.

MS. BERNSTEIN: And I personally hate slashes —

MR. ROTHSTEIN: So, now we are open for comments on C4. John is first.

MR. HOUSTON: Just a couple of comments. First of all, you talk about opt in
and opt out as an issue and I am not sure it is an issue. It is approach,
framework, something like that. Secondly, I think opt in, opt out, you said a
local or regional level. I am not sure whether — I mean, this is NHIN is — I
think whatever framework you have will have to ultimately translate into the
national approach towards patient rights over their information being added to
the NHIN to —

MR. ROTHSTEIN: I am happy to change that except yesterday there were some
people who made the point of, you know, laboratory of democracy and so forth.
So, if you want to revisit that —

PARTICIPANT: Is the implication that it ultimately flows up to a national
scheme of patient rights ever —

MR. ROTHSTEIN: I don’t know. I am not sure who made that point yesterday.
That was not my change. Anybody want to take credit for it?

MS. GREENBERG: What was C4 before?

MR. ROTHSTEIN: Well, it is —

MS. BERNSTEIN: Shall I read it?

MS. GREENBERG: Oh, excuse me. Yes.

MS. BERNSTEIN: Shall I read it?

MR. ROTHSTEIN: Sure. Why don’t you read it?

MS. BERNSTEIN: The previous C4 says, “HHS should decide whether to
adopt an opt in or opt out approach to individual participation in the NHIN or
to allow local or regional entities to decide on their approach.”

DR. FITZMAURICE: I think part of the issue was that HHS may not have the
authority to decide this. It may be a power that Congress hasn’t granted. So,
the best we could do is monitor it and inform rather than make that decision
for the country.

MR. ROTHSTEIN: Okay. We have got Gene and — oh, I am sorry. John.

MR. HOUSTON: Just the very end, second to last word of C4, I think is
rather than becomes —

MR. ROTHSTEIN: So, he is suggesting to replace the word “becomes”
with the word “is.”

MS. BERNSTEIN: So, we are saying whether a national policy on opt out is
appropriate —

DR. FITZMAURICE: Or some other policy.

MR. HOUSTON: Yes, that is by implication. “Becomes” seems to be
the wrong word.

MS. BERNSTEIN: Whether or not —

MR. ROTHSTEIN: Okay. The next one on the list was Gene.

DR. STEUERLE: I wonder if we might say HHS and C4 should monitor the
development of the opt in, opt out issue, consider local, regional and provider
level variations, and go from there. Let me tell you the reason for this and
there is a more elaborate issue that we don’t have time to get into in many
ways, but referring back by way of analogy — can you hear me?

I guess I wasn’t close enough. Consider local, regional and provider
variations, and go on from there. Now, let me tell you the reason. Again, I am
making this by way of analogy to the debate over retirement account, opt in,
opt out issues is I say for most part employers have provided opt in, opt —
options right now. There are a number of lawyers and a number of firms who say,
you know, we think we can do opt out already, you know, that we are legally
okay if we — we are just going to do this, you know, just like you are — if
you want to like when you go into the doctor and you get your — you send your
blood work, right? They don’t give you a statement that you opted out of this
particular part of your blood work or this particular part of your blood work.

They just sort of do it, but you have certain — but somebody has
interpreted it that some of your rights haven’t been violated. So, there are
some employers who feel like they could do opt out right now. So, by way of
analogy, there may be providers, who think, you know, okay, we set up the
system and, you know, we have had people sign on some big bottom line that they
joined our network and we think, you know, they send 500 pages, but in there
they have some protections and we think we could do opt out.

In the employer world, where there is a desire to move towards opt out, I
am not saying that is where this committee is, there are a lot of people who
feel that what is really going on in terms of preventing opt out is that a lot
of employers are afraid of being sued; that is, employers will say I am in the
business of providing — making widgets. I don’t want to be sued or have to
worry about, you know — so, what they want is they basically want a safe
harbor. They want to know if they do opt out, they are safe, even though they
might have 30 lawyers to tell them they are safe, they don’t want to have to go
to court and fight over it.

So, there is movement to have legislation where the legislation would
absolutely clarify that if they do opt out, under certain ways, they wouldn’t
be sued. I think there is going to be a similar thing here, whether it is opt
in or opt out anything is most providers out there, I am guessing, are going to
want to have some standard set somewhere or set of standards or five ways you
can do this thing — if I pick option A, I am not going to be sued. I am safe.
I am not going to be sued.

I don’t think that right now the language that monitoring development fully
conveys the fact that HHS is going to really have to strongly consider which
types of approaches are going to minimize the legal threats to participants who
want to be in this network.

Anyway, you are going to have to provide them options. If they think they
are going to get sued for doing — say you give them opt in, opt out, but they
think they can get sued either way, they are not going to know what to do. So,
there is this strong need to develop — and I know we don’t have time to get
into all this.

MR. ROTHSTEIN: If we change the word “consider” to
“evaluate,” would that connote more of —

DR. STEUERLE: It is less than I am objecting to this. I think HHS really is
going to have to have an obligation to really consider ways to make this
feasible for providers. Whether it is opt in, opt out or anything else. I am
not sure that is fully conveyed here. It is not just a question of which one we
like or we don’t like. Whichever one we like, it is going to have to be done in
a way that when John Houston goes to his board and says I know we can do — you
know, HHS has made it clear under some regulation if we do this, we are okay.

MR. ROTHSTEIN: How about if we add at the end whether a national policy on
opt in or opt out is appropriate and feasible? I mean, that adds a little —

DR. STEUERLE: I don’t think it resolves that. I am just saying I think it
is an issue for the future. I don’t have a wording change that is going to
quite take care of it.

MR. ROTHSTEIN: Who is next? Bob.

MR. HUNGATE: I think we are getting there. Part of my original point was
that the discussion of opt in, opt out is a broad one. There are polarized
positions. You know it is not going to be possible to make a clear decision. so
that it needs to be in this evaluative — and I think there is benefit in that
educational process and public acceptance of the result downstream. So, it is a
process question as much as an absolute question, I think.

MR. ROTHSTEIN: So, Bob, are you —

MR. HUNGATE: I am happy with —

MR. ROTHSTEIN: Oh, you are okay. Is there anyone else on the list?

So, Maya could you read the current version of C4 and see if everyone is
okay with that?

MS. BERNSTEIN: Are we including Gene’s amendment about considering local,
regional and provider variations? Yes?


MS. BERNSTEIN: This says, “HHS should monitor the development of opt
in, opt out approaches.” That takes care of the fact that there might be
multiple ways to do it. Right?

“HHS should monitor the development of opt in, opt out approaches,
consider local, regional and provider variations, collect evidence on the
health, economics, social and other implications and continue to evaluate in an
open transparent and public process whether a national policy on opt in or opt
out is appropriate.”

MR. ROTHSTEIN: We may need to work on the punctuation, but other than that,
I take it as —

C5 is next and you will see what we did to C5 is strike out the first part
and add another — a bit to the end. So, I will read the new C5. “HHS
should require that individuals be provided with understandable and culturally
sensitive information and education to ensure that they realize the
implications of their decisions as to whether to participate in the NHIN.”

Seeing no hands, I interpret that as overwhelming. Now, on page 8, we made
some changes to the text that doesn’t really change anything, just to answer
some questions about the Danish testimony and we changed Recommendation C6 and
the language now is consistent that we have used throughout. So, C6 now reads,
“Based on an open transparent and public process, HHS should decide
whether individuals should have the right to control access to the specific
content of their health records, via the NHIN and if so, the appropriate

Okay. First is Mike.

DR. FITZMAURICE: I don’t know under what circumstances HHS could make that
decision effective, put a regulation out under HIPAA. It doesn’t cover the
individuals. I don’t know how they could do that, how HHS could do that.

MR. ROTHSTEIN: How about should seek the authority to decide?

MS. GREENBERG: I was sort of thinking about this whole thing yesterday,
too, as to where all this authority comes to HHS to make all these decisions. I
mean, we know under the —

MS. BERNSTEIN: My sense has always been in developing this letter that in
making these recommendations if the Secretary in considering the
recommendations, if he determines that he does not have adequate authority and
he wants to move forward, he would seek the authority by making a legislative
proposal and going through the regular, you know, process of getting that
cleared and so forth.

But if he thinks that the recommendation is appropriate, he will do that.
If he doesn’t, he will not seek the he needs to carry forward.

DR. FITZMAURICE: But it implies that NCVHS is not very knowledgeable about
what the Secretary can do and what the Secretary can’t do.

MS. BERNSTEIN: Well, but we are not the legal counsel also to the —

DR. FITZMAURICE: We have legal counsel at the table.

MS. BERNSTEIN: Well, we do not actually have legal counsel at the table.
Neither of us work for the general counsel’s office.

DR. FITZMAURICE: I suggest we —

MS. BERNSTEIN: But the counsel cannot advise the advisory committee, as I
understand it. They can only advise the department.

MR. J. SCANLON: The NCVHS is not the source of legal advice.

MS. BERNSTEIN: That is exactly right. That is what I am saying.

MR. BLAIR: There is some wisdom here, Maya. Let’s listen to it.

MS. BERNSTEIN: No, I am just saying that the NCVHS is — you know, it is
not that there is not people at the table who can help with this. It is that I
am not sure that the committee can be expected to understand every legal nuance
before making a recommendation and that certainly the department when it
receives the recommendations will have to look into the legal nuances of all of
these things and certainly will do that.

DR. FITZMAURICE: I guess with regard to this recommendation, I would
suggest that there is nobody in this room who thinks that the Secretary does
have this right. So, maybe we shouldn’t say that the Secretary — that HHS
should do this, that we should phrase it some other way.

MS. GREENBERG: I am looking at the other recommendations, particularly as
they are evolving because I think Mike has a point here. Basically these
recommendations are to HHS because the National Committee advises HHS. That
hasn’t always been the case through its long history. It also makes
recommendations to the health community, public, private, whatever. It has
value in that. Okay. If you look at C1 and now C2 through C5, the only one now
that says HHS should do something, I mean, monitoring, of course, we always
have that right, is require that individuals be provided — I think that is
fine. That is well within our educational mission. We modified C4, which had
said HHS should decide and, again, it was unclear whether HHS really, you know,
could do that on its own. So, I think it is good we have modified that now that
to C4.

If you look at the others, mostly they are supporting, investigating,
convening. There is this one here, D1, require that role-based criteria apply.
That might be a little questionable, too.

So, I think it would be better to have some kind of slightly different verb
here that — because it is sort of — I mean, I think of the CHI situation.
Clearly, the government can require things for its own systems and then there
is this idea of leading by example or the tipping point. But right now, I don’t
think it is clear that other than say for Medicare or something like that, one
of our programs, we can just all record systems should be this, should be that.
So, I think you do need maybe recommend or should consider. I don’t know.
Something, but I would have to agree that I would try to make these all
parallel and not give HHS absolute rights that it may not currently have.

MR. ROTHSTEIN: Jim, do you want to —

MR. J. SCANLON: This is more of a word change along these lines. Since this
is more of the nature of a principle and so I — and maybe we and there is a
better way to say this. You could say that decisions are policy about whether
should be based upon an open public transparent process. This could be
Congress. It could be the industry.

MS. BERNSTEIN: I want to capture what you are saying, Jim. HHS should —

MR. J. SCANLON: No, no. It is not HHS. Decisions concerning whether
individuals should have the right to control access and so on should be based
upon an upon an open public transmitter process.

MS. BERNSTEIN: So, I don’t have a subject for this.

MS. GREENBERG: Decisions should be based on and that leaves it a little
open as to whether it is HHS making the decisions, Congress.

MR. ROTHSTEIN: Okay. Russell was next.

PARTICIPANT: Does she understand what she is —

MR. ROTHSTEIN: The first word of C6 should be “Decisions.”

MS. BERNSTEIN: This says, “Decisions about whether individuals should
have the right to control access…” — whatever.

MS. GREENBERG: Should be based on an open, transparent and public —

MR. J. SCANLON: This is more in the nature of a principle now and a

DR. TANG: Can I suggest another alternative?

MR. ROTHSTEIN: Only if you talk into a mike.

DR. TANG: I am asking for permission to talk into the mike.

I did use the word “HHS” here but let’s — so, HHS should assess
the desirability and feasibility of allowing individuals to control access to
specific contents of their health record to give NHIN and if so by what
appropriate means. It does suggest about HHS, but it is assessing the
desirability and feasibility.

MS. BERNSTEIN: Of? Keep going.

DR. TANG: HHS should assess the desirability and feasibility of allowing
individuals to control access to specific content of their health record via
the NHIN and if so by what appropriate means, through an open and transparent
— yes.

DR. COHN: Well, that actually might be a good first sentence to C6 with the
C6 be the second sentence.

MR. ROTHSTEIN: So, Simon is suggesting that sentence 1 of C6 should be HHS
should assess the desirability and feasibility of allowing individuals to
control access to specific content of their health records via the NHIN.
Decisions about whether should be based on an open and transparent process. Is
that what —

DR. COHN: Is that okay, Paul?

DR. TANG: I think it is okay, but there is a clause that you missed and if
so, by what appropriate means.

Then I think actually we can eliminate C7. So, this actually is sort of the
principle and the need for evaluating what is going on and if that seems to be
a desirable thing and feasible thing, let’s figure out how to do it in a
reasonable way that balances the privacy and the need for information.

MR. BLAIR: Can you just tell me what C7 says?

DR. TANG: C7 originally said if — first decided whether they should have
any rights to control access and C7 said if individuals are given the right to
control access to specific content of their health records, be the NHIN, the
rights should be limited, such as being based on the age of the information,
the nature of the condition or treatment or the type of provider.

MR. BLAIR: And that is what we are eliminating?

DR. TANG: Well, I am saying it is — basically, if you assess the
desirability and the feasibility, you are — and then if that is a good thing,
by what appropriate method, you are basically incorporating all of that.

MR. BLAIR: Thank you.


MR. LOCALIO: In response to Jim’s language on E5, you had suggested a
similar language. HHS should use an open transparent and public process. My
suggestion is we just use that phrase whenever you think it is appropriate to
cover the problem about how HHS should obtain the necessary authority to do
what is recommended.

So, can we just use that phrase in these other recommendations where you
think it is appropriate?

MS. BERNSTEIN: We actually tried to do that. Mark and I actually put that
language in a couple of other places where we had agreed to do it.

MR. ROTHSTEIN: No, but Russell was talking about can we put it in C6.

MR. LOCALIO: It can be in C6 or in any other recommendation where that
concern arises. Then that would be our standard language for this issue. Is
that okay?


MR. REYNOLDS: Either in the retreat this afternoon or maybe in a subsequent
meeting — I am struggling a little bit with what we are recommending or not
recommending versus what I know is going on in some of the architecture efforts
which are addressing exactly the same things and will be making — spending a
lot of money making some of these decisions and setting up these frameworks,
which are also under HHS purview. So, it would be helpful to me as a chair of a
subcommittee that at some point we kind of get a sense of how does this play
because I am meeting with companies that are going to be maybe making more
serious statements that we are that are under the exact same umbrella.

So, I am not challenging anything that is going on. I am trying to
understand because I think our recommendations are from hearings about what is
going on, you know, a good cross section and these are from individual private
companies that are doing — so, I am struggling as to exactly how to fit
because I think our information is very important and I don’t understand how it
is going to weigh and I don’t understand how it is going play. So, I am not
trying to change the meeting now, Simon. I think that would be a good
discussion later on.

MR. ROTHSTEIN: I would like to respond to that briefly.

Harry, I think you make an absolutely essential point and that is if we
take — and I am not talking about C6 or any particular recommendation. If we
take the recommendations in this report and start infusing them with waffling
language, should consider, should evaluate, should monitor, should do all this
stuff and lay out ten different options, the world is going to rush right by us
and we are not going to have really the input that we want to have into this

So, we have — we being the subcommittee has considered based on the
witnesses and so forth, specific recommendations that even if perhaps the
Secretary doesn’t have the ability to implement under the current legislative
regime, they would, I think, be very valuable in shaping the contours of the
NHIN with regard to privacy.

I am concerned that if we, you know, fudge the language too much, just to
cover our bases sort of legally because who doesn’t — we don’t have this
authority or that authority or the Secretary doesn’t have this authority today,
then we are going to make the report sort of irrelevant and not usable and
things are just going to happen the way they do without our influence.

John was next.

MR. HOUSTON: I just think this all comes to timeliness and I think the
earlier we can put out these types of recommendations, even if there is some,
you know — even though this is maybe a little bit watered down, the more
likely people consider them in what they are doing. I think, again, I come back
to the thought that we have got to get on the bus now because we are in
jeopardy of missing it and that is the worst case is is that you put out a
report after the point where everybody has made these decisions.

We are painfully close to that and, you know, hindsight, I think, is
something we — I wish we would have gotten those at the last meeting —

MR. BLAIR: I would like to echo that and going back to Mark’s statement of
yesterday, I really feel that the most important value of this letter is that
it frames the issues. The recommendations may or may not be adopted either the
way they are or with modifications, but I think it is very important that this
letter get up to the Secretary as quickly as possible because it does an
excellent job of framing the issues.


DR. COHN: I think I am just agreeing with everybody else. I guess I would
— I think clearly we need to move forward with a letter. If you remember on
the front page of the letter, we are sort of saying we will come up with more
definitive recommendations as more is known about this one. I think it is sort
of is a statement that we recognize that a lot of this stuff is going to have
to be further refined as we get it into more specific cases.

Now, having said that, were you upset about the way C6 had been modified or
are you fine about it?

MR. ROTHSTEIN: No. I am okay with the latest version of C6, but it seems
that I am just making an observation that it seems like we are adding all these
footnotes and parentheticals, not literally, but I mean sort of figuratively
and I don’t want to sort of water down the message that we have in this.

MS. BERNSTEIN: Yes, I think that — I think what the subcommittee’s
approach was to this, I mean, obviously, we have some understanding of what the
department’s kind of authorities are, but even when we said when the
subcommittee drafted originally HHS should decide whether individuals should
have the right to this or that, I think the intention was there is a policy
decision in there that we are identifying needs to be made and that is all we
are saying. We weren’t really saying anything and I think throughout the
letter, we are not really intending to make particular statements about the
current authorities that we have or don’t have because, frankly, I don’t think
anybody knows what the current authorities of the Secretary are with respect to
the NHIN. We don’t know what it is. It hasn’t really been fully explored and I
don’t think the subcommittee was in a position to really be able to understand
that even if there were counsel present.

So, I just didn’t read it in the strong way that some of you are reading
it. I just thought it was identifying a place where a policy needed to be made.

MR. ROTHSTEIN: Simon and then we are going —

DR. COHN: Well, actually I was going to move on a little bit because it
sounds like we are all in agreement with what this is. I was actually just
going to comment on 7. I actually thought that 7 maybe a 6A.

MR. ROTHSTEIN: Could you just hold that for a second? I want to just read
for the record the language that we are now sort of signing off on, which is
the blue language and it says, “C6, HHS should assess the desirability and
feasibility of allowing individuals to control access to specific content of
their health records via the NHIN and if so, by what appropriate means.

“Decisions about whether individuals should have this right should be
based on an open transparent and public process.”

Okay? All right. Now, Simon, your point about C7?

DR. COHN: I actually thought that actually C7 had some value, but I think
it is really C6A because it references specific — I mean, I know it is sort of
a funny thing to do, but I would put it indented under C6.

MS. BERNSTEIN: We can renumber the recommendations certainly if you want to
add one up here.

DR. COHN: I think C7 is really a subset of C6. I think there is actually
value to it. It just directly references that. That was really my —

MR. ROTHSTEIN: Okay. Stan, do you want to comment?

DR. HUFF: I didn’t get a chance to ask yesterday, but I was wondering about
the motivation for C7. I mean, it seemed to me that somehow there was a concern
that, you know, it was going to be technically hard or something to do these
things. So, we wanted to — I was wondering about the motivation for limiting
the right and, in fact, what was being excluded. You know, if I followed C7,
what couldn’t I do in terms of controlling my content.

MR. ROTHSTEIN: Well, this flows from the discussion on page 7 under 4, the
degree of control and then 5, the methods of individual control. Basically, the
argument is that if you give individuals unlimited control, health care
providers would likely place less confidence in the accuracy and completeness
of the records. In an earlier version, I made the statement that people didn’t
really like so much for the wording, but it would be that you would turn EHRs
into PHRs if patients had sort of unlimited control and then the clinicians
would see sort of the patient generated or amended health record and say, well,
I can’t use any of this stuff. I don’t know what is in, what is out. And I had
better get a new history. I had better get a new this and a new that and it
would make, you know, it would sort of make things more complicated and less

So, I think that was the thinking behind it and even though we wanted to
give or recommend that individuals might have the ability to control certain
aspects of their records, we said, okay, but this should be limited and in the
text we talk about, well, maybe anything that is over ten years old or maybe
certain kinds of conditions, mental health, HIV and so forth, or type of
providers would — you could leave out, you know, psychiatrist visits or you
could leave out OB/GYN visits or things like that.

DR. HUFF: I understand the intent better now, but I am not sure this —
well, I am not sure what you were intending is clear by what we said here. But
the other thing is if you do that, I am not sure how that — I mean if you
allow this, even with this restricted thing, I mean, unless you tell m, which
Ph.D.s thing is in a particular record can be missing, I don’t think I have
confidence if —

MR. ROTHSTEIN: The idea was that there would be a prescribed, approved list
of things that individuals could do. In other words, you know, there are ten
types of providers that could be excluded if you want to elect that. There are
certain kinds of medical conditions that could be excluded and that is it. So,
as the —

DR. HUFF: This isn’t being done on a personal basis. This is like policy
for the whole system.

MR. ROTHSTEIN: Right. Here are your choices. I mean, you want to take some
stuff out. You can take psychiatric stuff out and treating a patient, you would
know that they would have — they had the option that — you know, delete
psychiatric information. There might be stuff there.

MS. BERNSTEIN: I guess the idea was that there should be some rationale for
not random things missing, but, you know, that there should be some rationale
for the types of things that patients were —

MR. REYNOLDS: Stan, we also had discussed that if that occurred, that there
would be some message accompanying saying that information had been blocked so
that at least the doctor would realize something — not what specifically.

MR. ROTHSTEIN: So, where are we now —

DR. HUFF: The record for your vasectomy has been removed.

MS. BERNSTEIN: The record for your abortion when you were 18. I mean, I
think that is kind of the issue.

MR. ROTHSTEIN: But Harry brings up the flagging issue, which we decided to
delete in the report on the grounds that it is at a level of granularity that
we can’t get into at this point.

So, I want to go back to the comments on whether C7 should be moved as a
sort of C6A or the other option is

— there are two other options that occur to me. Leave it at C7 or delete

MS. BERNSTEIN: I have to say I am not sure what the — how it improves the
thing to renumber it.

MR. ROTHSTEIN: So now the choice is either C7 or delete — and Paul was the
one who —

DR. TANG: Fine.

MR. ROTHSTEIN: He is fine. Okay. We are moving on. On page 9, we wrote —
we rewrote D1 and apparently not well enough because Simon and I had a brief
chat about this this morning. Let me explain the reasoning behind D1 and then
knowing that and assuming everyone agrees with that, maybe we can figure out
what people would want to do.

Okay. D1 deals with the issue of role-based access criteria, whereby not
everyone in a health care institution has the same access rights and as we
discussed yesterday, it is OCR’s position that that concept already is imbedded
in the privacy rule.

MS. BERNSTEIN: It is in the privacy rule and it is imbedded according to in
the concept of minimum necessary, that the requirements for minimum necessary
essentially are a description of what role-based access would be, as I
understand it.

MS. MC ANDREW: Within the institution, the minimum necessary uses of
information even for treatment purposes are defined essentially by who needs
access to what information —

MR. ROTHSTEIN: Okay. So, our intent here was given that, that HHS should
clarify that and make that expressly know because it doesn’t use those words in
the privacy rule and we are certainly using those words here in our
recommendation and we are also suggesting that the principle of role-based
access criteria should apply to all individuals who have access to — who use
health — personal health information, personally identifiable health
information, as well as information that is transferred by the NHIN. So, that
was the intent of D1, to take a concept that already is founded in HIPAA, to
extend it to other currently non-covered entities and also to apply throughout
the NHIN.

We may not have done that.

MR. BLAIR: Is there any reason why you just identified role? Because, you
know, security — access controls could be by role, by class or location. Why
did you just pick role?

MS. BERNSTEIN: Because contextual access is in the next recommendation.
There is one for those other things. There is a separate recommendation for

MR. ROTHSTEIN: Okay. We have got Simon and then Steve.

DR. COHN: Yes. Well, I guess I ha a wordsmithing suggestion here and I am
not sure I still have it quite right but I am thinking that really what we are
trying to say here is is that HHS should clarify that the implementation of
role-based criteria is required in all EHRs and that principle should also be
applied to — applied, was it to data, access to NHIN.

MR. ROTHSTEIN: So, let me read —

DR. COHN: That may not be quite right in the second part there, but take a

MR. ROTHSTEIN: “HHS should clarify that the implementation of
role-based criteria is required in all EHRs and that principles should also be
applied to data accessed by the NHIN.”

MS. BERNSTEIN: I think it is fair if we read what it previously said so
Jeff and others on the web can —

MR. ROTHSTEIN: The old version or the —

MS. BERNSTEIN: The old version — our version from last night. I guess. If
you want to read all three, we can do that, too.

MR. ROTHSTEIN: So, it is the new old version.


MR. ROTHSTEIN: Okay. We started the day with — let’s put it this way — we
started this morning with D1 that said HHS should expressly require that
role-based access criteria apply to all EHRs and the NHIN and now Simon’s
suggestion is that we change that to read “HHS should clarify that the
implementation of role-based criteria is required in all EHRs and that
principle should also be applied to data access via the NHIN.”

Jeff and then —

MR. BLAIR: I sort of feel like we are heading into the same situation.
Access by role, by class and location is a principle in the security regs,
which is with respect to personal identifiable health information. So, it is
broader than just EHR systems. I don’t believe that it winds up saying
specifically EHRs. I think it is personally identifiable health information and
you could wind up having it by role, but if you don’t identify it by class and
location, you have only picked one out of the three of the constraints.

So, anyway, that is just the point that I would make. So —

MR. ROTHSTEIN: Let me ask you this, Jeff. One of the things that we
expressly stated in this letter and I could show you the place, is that there
are a whole range of security issues relevant to the NHIN that we are not
addressing —

MR. BLAIR: Okay.

MR. ROTHSTEIN: Wait a second and that we hope to address them in the
future. So, my question is in a non-security privacy oriented letter, do you
think we need to say what you just said or can that wait?

MR. BLAIR: It can wait. Like I said, there are a number of things here
where if we were in a different setting and a different time, there are a
number of things where I would, you know, raise issues and sometimes from time
to time, I get out of my seat like now and I wind up asking questions like
this, but I still feel the most important thing is we come to agreement today
and we get this letter passed.

MR. ROTHSTEIN: Okay. Well, thank you. I mean, your point is a good one. We
will have to make that later.

We have Steve and then Marjorie and then Maya.

DR. STEINDEL: I was going to suggest wording that was very similar to
Simons and so I support what Simon has to say, up until the very end. But I
would like to extend it where it says NHIN, I would like to add the phrasing I
suggested yesterday, NHIN and its components because I think we want role-based
access extended throughout the NHIN and we don’t know what that is defined. We
have spelled out EHRs but I think we understand that the NHIN might go beyond

MR. ROTHSTEIN: I don’t think anyone would have a problem adding that.

Okay. Marjorie.

MS. GREENBERG: Well, clarify. What do you mean clarify? This sort of
assumes that you understand what was being discussed right now. I know you
don’t — you haven’t wanted to refer to HIPAA, but one way — if we don’t want
to just say HHS should do this — because I mean the thing is that you don’t
really lose anything by not saying HHS because then when HHS makes
pronouncements on any of these subjects, they are obviously — they are suppose
to be looking at this. But you could just say role-based access criteria, which
are already required under the HIPAA privacy rule, should also be applied to
data accessed via the NHIN and its components.

MR. ROTHSTEIN: Well, I agree with that, but one of the things that we tried
to get in here was most of the members of the subcommittee were unaware that
OCR considered role-based access criteria a component of the current privacy
rule. Certainly, I was — I mean I understood minimum necessary, but I didn’t
understand that that was viewed as tantamount to having role-based access
criteria, as a HIPAA requirement. So, that is why I was of the opinion that,
you know, it would be better expressed.

MS. GREENBERG: Well, at a minimum I would say HHS should clarify that
role-based access criteria are required in all EHRs and that that principle —
I mean, the implementation of role-based — it just gets too wordy.

MR. ROTHSTEIN: Maya, yes.

MS. BERNSTEIN: I had a little side conversation with Sue here as to whether
there are any EHRs that are not covered by HIPAA and, in fact, there may exist
such things. So, we can’t really clarify that it applies to all EHRs because it
does not currently apply to all EHRs and that, I think is when we had the
wording above, if you want to — if we want to include all personally
identified information and EHRs that are covered by HIPAA and those that are
not and anything that goes over the NHIN, we need — we can clarify for HIPAA
but we have to say that we are adding something new for anything that is
outside of HIPAA.

MR. ROTHSTEIN: I think the language that Marjorie had at the end should —
I mean, at the conclusion of her discussion, yes, would be that role-based
access criteria already apply under HIPAA and HHS —

MS. GREENBERG: And decisions — well, and should be required in all EHRs
and all personally identifiable data accessed via the NHIN and its components
or something like that.

PARTICIPANT: [Comment off microphone.]

MS. BERNSTEIN: If you pay cash, you are covered. If it is not a transaction

DR. FITZMAURICE: If you don’t engage in HIPAA transactions.

MS. BERNSTEIN: Right. If you don’t engage in HIPAA transactions things are
not going to work.

DR. STEINDEL: So, it would be a provider, who is just operating strictly on
a cash basis and paper claims.

PARTICIPANT: No, we are talking about EHR.

DR. FITZMAURICE: We are talking about covered entities.

PARTICIPANT: The point is who is a covered entity.

MR. REYNOLDS: One thing we kept as an overarching understanding, by the
committee is — and the reason I like Steve’s idea of the word
“component,” is we don’t know how PHRs are going to fit. We don’t
know how any of this other stuff — remember, we don’t have this clearly
defined yet. So, consequently anything that can be — that can have somebody’s
personal identification health information, a lot of that is not covered under
HIPAA right now. You have got vendors and all on the street right now selling
individual PHRs that have nothing to do — they are nowhere near a covered

So, we have tried to keep that as an umbrella that we have looked at
because until we have that clearly — and that is why we say subsequent
hearings and subsequent understanding, so you can get real mesmerized by HIPAA
but you have to be careful in this because there are other things going on out
there right now that are real that are outside that purview that could end up
in all of this.

MR. ROTHSTEIN: Harry, that is a good point.


MR. J. SCANLON: I guess my only concern is, you know, it doesn’t have to be
— and many of these recommendations are principles and whether or not HHS does
it or has the ability to do it, it doesn’t matter. We are hoping that these
design principles will be included in, as Harry said, what is already underway.
And, again, my worry here is that it is one thing to set forth principles that
we understand will have to be applied in specific situations. There will be
experimentation and variation.

Are we getting ahead of that idea here in specifying a specific technology
or approach that may or may not be tested and useful? Why don’t we just say
minimum necessary —

MS. BERNSTEIN: I am not sure — I am not the expert on this — role-based
access criteria, does that specify some particular technology? To me, I have
always read it as saying it depends on who you are, whether you get stuff. Your
role in the organization, but it doesn’t say say how that would be implemented.
Am I wrong about that? Does that — is there some technology associated with
those words?

MR. ROTHSTEIN: No, I think we heard testimony from different organizations
that did it different ways and had different criteria, but —

DR. TANG: In a sense, minimum necessary, the principle or the criteria is
more stringent and more precise than role-based access because role-based
access is just flipping a switch and you can include as much or little,
everything from scope of practice of practice issues to scope of need for
information. It is a how to and if you don’t implement it by the minimum
necessary criteria, it has no meaning.

MS. BERNSTEIN: I think if you look at all the recommendations together, we
have role-based access, which depends on who you are and then contextual access
is about what it — you know, what the information is and what the purpose is
and so forth. So, I would think that the intention is that they work together.
Is that the rest of the subcommittee’s understanding, too?

MR. J. SCANLON: Having said that, my wording here is instead of saying and
should be required, say should be encouraged or —

MS. BERNSTEIN: Should apply.

MR. J. SCANLON: Remember, it is a principle. It is a principle. It is not a
regulation. We don’t govern these things and you want people who are not
governed by HHS regulations to consider this as well.

DR. STEINDEL: From a practical point of view, I mean, apply is fine. From a
practical point of view everything that is developing now by the private
sector. the HL7 functional model for EHRs, the CCHIT criteria for certifying
systems, I think we will see next week in every architecture of the NHIN, the
models that are developing for PHRs from the private sector. Everyone of them
have role-based access.

So, from a practical point of view, this is just stating what already
exists. So, I really don’t know how much time we should spend fine-tuning it
because the private sector has adopted this.

DR. COHN: I think it is looking good.

MR. ROTHSTEIN: I would like to propose the following change. It is a very
minor one and then I will get to Paul’s point. “Role-based access
criteria, already applicable under HIPAA, should apply.”

MS. BERNSTEIN: At the risk of opening Pandora’s Box, the use of the term
“personally identifiable health information” without further — which
I think is fine — in the room we have all been talking about EHRs and the
health care context, but personally identifiable health information could
appear at your bank, your mortgage company, your employer. I am not — to be
fair, I am not sure that this group is meaning to go that far, even though I
think there are some members in the group who would want to.

So, I think we need to narrow it. I think we are talking about the health
care context and not, you know — maybe you are willing to go that far, but I
just want to point out that we are not talking — we have not identified in
this recommendation in the language that we have there that we are just talking
about the health care world.

MR. ROTHSTEIN: Well, the idea was — and maybe we didn’t make this clear
enough in the text, was that role-based access criteria, we talk about within
health care institutions and organizations and systems and when it gets beyond
that, then there is a different principle and that is the contextual access

DR. STEINDEL: Maya, we are also only talking — to get to this information,
we are requiring a role-based access on information that is accessed by the
NHIN and its components. You know, if we — if an NHIN component allows
role-based access to one of these other institutions, we may not like it, but
it is still covered under this —

MS. BERNSTEIN: I just wanted to make sure that the committee is
comfortable, that that is fine with me if they are.

MS. GREENBERG: Would it be okay to just say should apply to all information
accessed via the NHIN and its components?

MS. BERNSTEIN: Well, but I think the intention is to include things that
are not over the NHIN and also those that are.

MS. GREENBERG: No, I think that goes —

MR. ROTHSTEIN: Paul had a comment and then we are going to get sign off.

DR. TANG: Yes. This is just a friendly amendment. Role-based access is not
a criteria. It is a mechanism. The criteria we are using is minimum necessary.
My proposal would be that role-based access should be employed as a means of
implementing minimum necessary.

MS. BERNSTEIN: We haven’t talked about that word in the text at all. So, we
don’t have anything to base the term “minimum necessary principle.”
We don’t know what that is because there is nothing in the text that describes

DR. TANG: I think we need to clarify that because that is actually going to
be the basis by which you talk about contextual access. You basically do not
want to disclose more information than is necessary to accomplish whatever
purpose somebody — an authorized user got to access that information.

PARTICIPANT: I agree with Paul.


DR. STEINDEL: I think introducing the term “minimum means of
implementing the minimum necessary principle,” I think it introduces
complications in this. I think what we — if you want to get to the point that
I am trying to make, I think we should say something like role-based access
should be employed as a means to limit the information accessible and not
introduce the jargon buzz word. Role-based access is not a criteria.

MR. ROTHSTEIN: Okay. So, let’s see where we are now. Role-based access
should be employed as a means to limit the information accessible —

MS. BERNSTEIN: Where, by whom, what?

MS. GREENBERG: You might two sentences. Accessible through the NHIN and its
components. Maybe that is all you need. Unless you want to make the HIPAA point
and then say this already — principle already applies under HIPAA, HIPAA
privacy rule.

MR. ROTHSTEIN: Originally, I wanted to make the point about the need to
clarify that it exists under HIPAA, that the Secretary should do this. But this
is an NHIN letter and to the extent that we are going to sort of get down
another side trail, I am willing to drop that out.

So, Maya, when you are ready, just tell us what we have got.

MS. BERNSTEIN: I don’t have it yet. So, I can’t read it to you.

Role-based access should be employed as a means to limit the personally
identifiable health information accessible via the NHIN and its components.


MR. ROTHSTEIN: Moving on — it is interesting, we start with a real short
one. It grows to three pages and now we are back to — okay.

The next correction was on page 13. We are actually pretty close to the end
here. I think I have done all the tough stuff. But I could be wrong.

E9 and E10, this relates to a comment that I think Jim Scanlon made
yesterday, where we added some of the language from E10 or the beginning of E10
into E9. So, let me just read the revised E9 and E10 for you.

MS. BERNSTEIN: Note that I have a little comment in the margin over here.

MR. ROTHSTEIN: That I don’t have, but I will just read it.

“HHS should seek to impose by appropriate means severe penalties for
egregious privacy, confidentiality or security violations committed by any
individual or entity.”

And “E10, HHS should seek to ensure through legislative, regulatory or
other means that individuals whose privacy, confidentiality or security is
breached are entitled to reasonable compensation.” This was our attempt to
make a recommendation to the department, recognizing that there may not be
current authority to do those sort of things.

So, a proposed revision to both of them or — E9. Okay. Now, let me read
Maya’s alternative to E9. That would be, “HHS should impose or seek to
impose by appropriate means severe penalties.”

MS. BERNSTEIN: In other words it deals with the question of whether we have
the authority or not.

MR. ROTHSTEIN: Which HHS now has but for a limited set of covered entities.

DR. FITZMAURICE: And also it depends on what you mean by severe penalties.
We can’t chop somebody’s hand off, but we can fine them up to $250,000. No. DOJ

MR. ROTHSTEIN: I have no problem with Maya replacing the old — you know,
the E9 with your version. Does anyone have any comment on E9 and 10?

DR. FITZMAURICE: Well, it seems to me that you are asking HHS to seek a
change in the HIPAA law because the HIPAA law establishes a hundred dollars per
violation. So, if you want to make them more egregious than that, you have to
go back and ask HHS to change the law.

DR. STEUERLE: I don’t think we have examined the level of severity we want
a penalty. I don’t know why we want to use an adjective that we don’t really
fully interpret. Does that solve your problem?

MR. ROTHSTEIN: Whose problem was severe? Mike.

DR. FITZMAURICE: I don’t think we know what severity is and also do we have
the authority to impose any of this stuff. We don’t know what HIPAA gives us
the authority to do.

MS. BERNSTEIN: Impose or seek to impose?

DR. FITZMAURICE: So, we should seek a legislative change if we want to do
this. We should say here is what want HHS to do. Ask Congress to give us more

MR. ROTHSTEIN: Justine and was there anybody else who had their hand up?

DR. CARR: I would just like to go back to what we talked about yesterday.
Do we want — is it easier to have principles than to have specific
recommendations of the details of what HHS should do?

MR. ROTHSTEIN: How would that translate into E9 and 10?

DR. CARR: I think we can — it makes it easier to convey the concept that
we believe that there should be and then how it is done or who does it, I think
we would be less bogged down with trying to say who does it and what
modifications —

MR. ROTHSTEIN: Okay. I think that is a good point and I would refer
everyone to the text that precedes these recommendations, that paragraph that
begins on the bottom of 12 that says “Among the enforcement
principles…” and we talk about a wide range of penalties, penalties
should be progressive with the most severe ones, et cetera.


MR. HOUSTON: I think if we go any further than that, I think there is going
to be — I am sure that if HHS decides to go forward on this recommendation,
there is going to be an analysis amount of analysis by — I am assuming there
are attorneys as to exactly what they can do and how they can do it and what —
I mean, I just think there is an enormous amount of depth. Legal analysis has
to on into this recommendation in going any further. I think we have gone as —
I just don’t think it is something we can do.


MR. J. SCANLON: Along the same lines, we seem to be getting more specific
here and I don’t know that that — the principle clearly is that egregious
violations should be subject to appropriate penalties and we are getting a
little complicated. I mean, you could say that simply, you know, or you could
say that HHS should ensure that appropriate penalties — if you want to do it
the other way around —

DR. FITZMAURICE: It would be hard even to ensure without appropriate

MR. J. SCANLON: Yes, but it is different than impose. Ensure doesn’t mean
we do it. Ensure means that somebody does it and we know that somebody does it.
So, maybe HHS should ensure —

MR. ROTHSTEIN: That appropriate penalties for egregious violations

Maya, do you have —

MS. BERNSTEIN: I just don’t feel — if you are going to use the word
“egregious,” severe doesn’t strike me as out of range because we have
clarified that we mean the most problematic violations. It is leaving it open
to what anyone’s interpretation of severe is. So, that was, I think behind what
this is. We didn’t talk — in the text as Mark mentioned, we talked about
levels of, progressive penalties and so forth for various kinds of — you know,
lots of choices and the types of penalties and so forth. So, I think this is
just saying that if something really bad happens, we want to make it clear and
public that, you know, you are out of bounds.

MR. ROTHSTEIN: I think we all agree with the principle. I just don’t know
that it is quite stating it that way. There are more words than we need here, I
think. DR. FITZMAURICE: Should we say something like HHS should support severe
penalties for egregious privacy, without saying how we would do it. We support

MR. BLAIR: Does it help if you consider using the word “strong”
instead of “severe”? Does that ease it up and open it up a little bit
more for agreement?

DR. TANG: Why can’t you say appropriate penalties because then you have
implied that the —

MR. ROTHSTEIN: Okay. So, we have HHS should support appropriate penalties
for egregious privacy, confidentiality —

DR. TANG: Why should it be egregious?

PARTICIPANT: If it is a minor crime, it is a minor penalty. If it is
severe, it is egregious.

MR. ROTHSTEIN: We have got that in the text, right, with progressive and so
forth. So, HHS should support appropriate penalties for privacy,
confidentiality and security violations committed by any individual or entity.

MS. GREENBERG: It kind of waters it down.

DR. COHN: You know, I am like underwhelmed by “support.” I don’t
know what the right term should be there, but it is — I think it is something
a little stronger — needs to be a little stronger than that.

DR. TANG: So, how about strong for egregious? Strong penalties for

PARTICIPANT: If you say something like HHS should ensure that appropriate
penalties would be imposed for egregious violations, whatever was up there, and
something like that.

[Multiple discussions.]

— sure that appropriate penalties would be imposed for egregious
violations —

DR. CARR: Or that penalties are commensurate with the degree of violation?

MR. BLAIR: We are not going to just limit ourselves to egregious ones. We
have to penalize —

MS. BERNSTEIN: I don’t know if I can speak for the subcommittee correctly,
but I think there was some sense that there is a limit on the types of
penalties now and that they don’t cover — they don’t get to the — they are
not severe enough for the most egregious penalties, that they are sort of in
the middle range and that — but I am not sure if I am speaking for the
subcommittee, but that was my sense in this discussion.

MR. BLAIR: So, you are looking for effective penalties.

DR. FITZMAURICE: So that maybe HHS should support more severe penalties
than currently exist.

MS. GREENBERG: I like ensure.

MR. ROTHSTEIN: I think people can live with ensure because it just gives
you —

MS. GREENBERG: I thought Irma was close.

MS. BERNSTEIN: I don’t know where we are now.

PARTICIPANT: — say HHS should ensure that appropriate penalties be imposed
for private — for egregious privacy, confidential — or security violations

MS. BERNSTEIN: One more time, Irma, please.

[Multiple discussions.]

PARTICIPANT: — appropriate penalties be imposed for — egregious privacy

MR. ROTHSTEIN: Okay. That has been approved.

E10. HHS should seek to ensure through legislative, regulatory or other
means that individuals, whose privacy, confidentiality or security is breached
are entitled to reasonable compensation. So, this reflects the discussion

Moving to F2 —

MS. BERNSTEIN: Are we done with E10?

MR. ROTHSTEIN: Yes. We are now on page —

MS. BERNSTEIN: You like it the way it is?

I am still working on E9 for you guys.

MR. ROTHSTEIN: That is okay. You can catch up.

On page 15, F2, the proposed amendment is HHS should strengthen enforcement
of the HIPAA privacy rule or if necessary, amend the HIPAA privacy rule to
increase the responsibility of covered entities to control the privacy,
confidentiality and security practices of business associates. This was a
change that — to make the statement sort of more direct. It was sort of
obscure in its earlier version.

DR. FITZMAURICE: Aren’t these two different recommendations? A, strengthen
the enforcement of the HIPAA privacy rule and then B, amend it to increase the
responsibility of covered entities to control their business associates?

MR. ROTHSTEIN: Well, here is the thinking. To some degree, HIPAA already
has the authority to — the Secretary already has the authority under the
current privacy rule to go after that conduct. But thinking to the future, we
think that maybe they might need to amend the privacy rule to put other duties
on covered entities besides the three things that are specified —

DR. FITZMAURICE: You want to strengthen the enforcement of the current
HIPAA privacy rule and then secondly to increase the responsibilities of the
covered entities by changing the privacy rule.

MR. ROTHSTEIN: I think it is just the latter. But we say or if necessary
because it is not clear that we need to do more stuff besides just enforce — I
mean, we don’t have that experience.


DR. COHN: I think it is wordsmithing. I think that it isn’t or. I think it
is and without a comma, which rather than it makes it sound like 2 is really 1
with doing 1 and then if necessary doing another.

MR. ROTHSTEIN: I think that is fine.

DR. COHN: Get rid of the comma after and.

MR. ROTHSTEIN: Everybody okay with that?


MS. MC ANDREW: I guess I would just ask for a little clarification. I mean,
the recommendation is that there needs to be stronger enforcement in the
business associate provisions of the rule?


MR. J. SCANLON: This sounds a little broader than that.

MR. ROTHSTEIN: That is a good point. HHS should strengthen enforcement of
the business associate provisions of the privacy rule.

MR. J. SCANLON: Well, I mean, you could back it up and say assess or
examine — I don’t know what —

MR. HOUSTON: It is not a matter of enforcement as much as it is
strengthening the responsibilities of the covered entity or the covered
entities with regards to the actions of the business associates. I don’t think
enforcement is as much the issue, I thought as much as it was —

MR. ROTHSTEIN: Well, you are focusing on the sort of the second half,

MR. LOCALIO: I had brought it up and the only context was the issue of the
inadequacy of the current HIPAA rules in terms of policing non-covered
entities, business associates, domestic and foreign. That was my only point
when I first brought this up.

MR. HOUSTON: So, to my point then if that is the case, then really we are
not talking about enforcement of the HIPAA rule as much as we are talking about
the HIPAA rule — ensuring that the HIPAA is adequate with regards to the
responsibilities of the covered entities over the business associates.

There are two different principles.



MR. BLAIR: I support my understanding of what I think the intent is to
extend the HIPAA privacy coverage beyond just the covered entities, but I think
that we have just erected a new constraint by just saying the business
associates. It is not just business associates that we want to extend it to. We
want to extend it to any entity that have access to the NHIN and we want to
extend the HIPAA privacy requirements to any entity that would have access to
personally protected health care information over the NHIN.

Am I wrong? Is that not the intent of what you were trying to get to?

MR. ROTHSTEIN: Yes, you are mistaken, Jeff.

MR. BLAIR: The first time today.

MR. ROTHSTEIN: No, the point that you are making is one that we expressly
make in E1. E1 says HHS should work with other federal agencies and the
Congress to ensure the privacy and confidentiality rules apply to all
individuals and entities that create, compile, store, transmit or use personal
health information in any form and in any setting, et cetera, et cetera, et


MR. BLAIR: Well, if we have got it covered there, then why do we need this

MR. ROTHSTEIN: Okay. That is a good question. And the answer is this is —
it may not be a good answer, but it is a good question. This is in the section
that is called the relationship to the HIPAA privacy rule and where we discuss
that the privacy rule was designed to do certain things and the NHIN is
designed to do certain other things. Now, there are overlaps, obviously, in
certain areas, but there are places where the privacy rule doesn’t apply and
that we think that the privacy rule needs to be strengthened in some way,
either by adding requirements or whatever, to deal specifically with the
problem of business associates, including offshore business associates being
able to access additional, more comprehensive sets of information via the NHIN.

MR. BLAIR: I understand and I am satisfied.

MR. ROTHSTEIN: Who is next? Simon.

DR. COHN: I guess I am sitting here struggling because I think — and this
was probably maybe from what John Paul was describing. I think I am just
hearing that this recommendation should be HHS should amend the HIPAA privacy
rule, too. I guess I am losing the strengthening the enforcement piece.

John Paul, I think that is what you were saying, right? And I guess I am
finding — I am just thinking that that is really all this be, basically
getting rid of that first part of the — am I missing something?

MS. BERNSTEIN: Yes. If I could clarify, I think the reason we used the
words “strengthen enforcement” is because to the extent that the
authority exists now and can be strengthened within the current confines of the
rule, that the subcommittee suggests that that be done and then there is the if
necessary clause that says if you need further authority to increase the
responsibility, then do that or some other way, increase the responsibility by

DR. COHN: In that case, I withdraw my comment and I am fine with that.

MR. ROTHSTEIN: Thank you.


MR. HOUSTON: I have a little sensitivity to making recommendations about
more enforcement. I guess as I have brought up in other meetings, I am a little
concerned about, you know, putting language in here about increased
enforcement, only because I don’t want it to sound like we are bashing OCR for
not enforcing the HIPAA privacy rule or that we are not, you know, that there
is some sensitivity to, you know, what you see in the press today about the
fact that there has been no monetary penalties. I think putting strengthening
enforcement of the privacy rule, I think almost has a negative connotation to

I think there is some value to simply saying, you know, what I had said
before, which is let’s stick to trying to expand what — to address Russell’s
concern, which was ensuring that the privacy rule adequately — puts adequate
responsibility on the business associates to do the right thing.

MR. ROTHSTEIN: Could we say, John, would this help, begin F2 by saying
NCVHS endorses strong enforcement of the HIPAA privacy rule with regard to
business associates and if necessary, HHS should amend blah, blah, blah, blah?

MR. HOUSTON: I think that would be good.

MR. ROTHSTEIN: Would that be okay? I don’t want to lose the idea that we
think —

MR. HOUSTON: I would support that. Again, I am very sensitive to make sure
that the tone here is right.

MR. ROTHSTEIN: It now sort of reads, “NCVHS endorses strong
enforcement of the privacy rule with regard to business associates and if
necessary, HHS should amend the HIPAA privacy rule to increase the
responsibility of covered entities to control the privacy, confidentiality and
security practices of business associates.” Okay?

Done. Thank you.

Now, there is only one tiny little thing left and that is G3. Maya, in the
first line where it says “the rule,” just add “privacy,”
please. Thank you.

Okay. Page 16 on G3, all we did was change the end of it and now I will
read the way it stands. Currently, HHS should establish and support ongoing
research to assess the effectiveness and public confidence in the privacy,
confidentiality and security of the NHIN and its components, which is what we
talked about yesterday.

Okay. Simon, I am finished and you want to talk about the letter or take a
break or —

DR. COHN: No. Actually what I would like to do — I think we have discussed
the letter at this point. Obviously, I mean the — the report, the cover letter
is obviously my responsibility, but I will obviously take comments from you off
line in terms of if you think it is framed appropriately.

I do think — I want to thank Mark for — and Maya.


I think we need a motion about whether — however, we haven’t voted on it.

I think John Paul was making a motion.

MR. HOUSTON: I move that we approve the letter —

MR. BLAIR: Harry and I would like to together second that.

DR. COHN: Let’s get the motion out first.

MR. HOUSTON: I move that we approve the letter or the report with the
modifications discussed this morning, leaving Mark and Maya the latitude to
clean it up, based upon all of our discussions.

DR. COHN: Is there a second?

MR. BLAIR: Harry, would you like to join me in seconding?

MR. REYNOLDS: I second it.

DR. COHN: Further discussion.

DR. FITZMAURICE: As I look through here, I see some of these are guidance
and principles and some of these are actionable recommendations. I wonder if
when it is gone through again to put in final form, if there is some sense of
do we want a separate out the guidance and the principles that we think should
be followed from direct actions that the Secretary should be taking.

MR. ROTHSTEIN: Mike, my view is that it is really not that clear that they
divide into two camps because where do you put the monitor and, you know, that
is an item but it is really a principle.

DR. COHN: Okay. Any further discussion? All in favor.

[There was a chorus of “ayes.”]


[There was no response.]


[There was no response.]



I want to give everybody a ten minute break

[Brief recess.]

DR. COHN: Okay. Let’s get started with the last session of the morning.

Agenda Item: Speakers in Preparation/Transition
for Full NCVHS Retreat

There is life after the privacy report. Now, with this section, we are
going to be doing a couple of things. I mean, we are — there is still some
business that we have which we will take care of towards the end of the
session, some letters that still have yet to be approved, but really what the
purpose of the session is to begin to transition into our strategic retreat.
Obviously, we are delighted to have Don Detmer. I think you all know him. I
would describe him as one of my early mentors, but certainly was

— yes, early mentor. That is probably a good way to describe it, but was
the chair —

PARTICIPANT: Are you suggesting that Don is older than you are?

DR. COHN: Don was chair of the National Committee from 1996 to 1999 and I
think we all think he did, you know, a spectacular job. It was very appropriate
that he should walk in when we were talking about privacy, given the he
single-handedly moved forward the NCVHS privacy agenda and really those pieces
that were related to the HIPAA privacy rule.

So, see the next phase of work coming, I think was probably very
appropriate. We are obviously happy to have him. His role now is as president
and CEO for the Medical Informatics Association. So, obviously, I want to thank
you for coming and sharing some of your thoughts about upcoming strategic
issues that we need to be thinking about as we move into our retreat.

We are also very pleased to have John Quinn. You are now with Accenture. I
keep thinking of you as —

MR. QUINN: My job is the same. The company under me keeps changing.

DR. COHN: I actually suspect that you are probably right. But we wanted to
talk about a couple of things during this session. One is this issue of future
visions and issues related to health information policy, as well as health
information technology and health information technology policy sort of going
off into the future. Sort of looking at sort of next big issues. I think it is
one of our responsibilities to look at a little further than just sort of the
near term issues.

So, we want to thank you both very much for coming and joining us for what
we think is going to be a part of our presentation, hopefully a lot of
discussion over the next hour or so.

So, I want to thank you both very much. Don, are you going on first or —

DR. DETMER: I don’t care. I can put this off —

DR. COHN: Don, I think you are coming on first.

DR. DETMER: All right. Well, first of all, it is wonderful to be back here.
It is also interesting to see that things don’t change a whole lot.

PARTICIPANT: We hope you find that reassuring.

DR. DETMER: I am not sure how I find it, but anyway that is the way I find

No, it is really nice to be here and it was nice to be invited to come and
I really commend you for taking on the — get away and reflect in a strategic
retreat. I think that is really great.

Obviously, a lot of faces around the room and Jeff Blair and I obviously go
back a long ways, as well as a number of you.

So, what I am going to be doing, although I have obviously my professional
affiliations here, some of the things I will be saying clearly are things that
AMIA has positions on. I have got my board chief here, my boss, so I will be
careful about — but I also mostly want to just sort of have a conversation
because that was the sense that I thought under which I would be coming.

So, I won’t be as officially actually talking about AMIA positions per se.
I will be talking about really in a way where I see it from having been in the
seat that Simon is in at the moment. John Lumpkin after I left the chair.

So, that is basically the spirit in this. After seeing the privacy
discussion a few minutes ago, Andretti has a comment, “If everything is
under control, you going too slow.” Obviously, not everything is under
control. Certainly policy has this really fascinating mix of total boredom,
absolutely mayhem and then some action. It just sort of goes that way. I guess
that is a metaphor in the pit stop periodically.

At any rate, what I want to do is kind of review at least what for me have
been some of the dominant goals of the past decade and there enough
perspectives around the table that it won’t necessarily all be your own kind of
cut at this. But I think I was involved also for many years as chair of the
Board on Health Care Services, the Institute of Medicine. So, at the same time
I was chairing NCVHS, I was involved in the Chasm Report and the Ayres(?)
report, a lot of those issues and so to some extent, you know, I am going to
try to bring some of that policy perspective from the dominant goal kind of
perspective over that decade.

Then I would like to — and who knows it will play out that way of what
will be some of the dominant goals going forward for the next decade because
that is, hopefully, what you folks will have the benefit of helping to shape.
So, what would be some of the priorities if we are going to do that? Obviously,
NCVHS, a hugely important group, but doesn’t control everything under the sun.
It is not advisory to everything.

So, the question is is which pieces of it really make sense for you folks
to do. I said four years. I don’t know. At any rate — just a moment here. I
actually have my earlier version and not what I want to use.

This has the pictures. So, certainly, I think the study that I had the
pleasure of chairing, Paul Tang and others, Jeff Blair, a number of people were
involved on that. I think, Simon, you were as well and maybe others. At any
rate, I think that report did actually start having some impact here at NCVHS
as well. But it was interesting. At that time, we were really talking about
computer-based patient records, principally for clinicians. Now we were talking
about not the doctor’s record and that is why it was called patient centered.
We really wanted to get more to a patient centered focus, which we felt the
system wasn’t focused if you will enough.

But it was interesting. By the time the Ayres Report came out, I think that
safety and computer-based records at that time, a variety of records, was being
in the discussion and I think certainly by the time we get up to the present,
quality, safety, within the context of electronic health records there has
really been a lot of conversation and I think it is activated a lot of
additional work and, of course, these are the principles that the Chasm Report
talked about. I think it is fascinating after having spent some time where John
Quinn spends most of his time these days, in the U.K. for a few years, it is
interesting that the U.S. puts equitable at the bottom of this list, where,
obviously, if you can’t get the care, there is a question of how important it
is, whether it is safe and effective and so forth. It is sort of an American
kind of list.

Mea culpa. I was on the committee, but this is sort of speaking
retrospectively. But I do hope that we actually will see that as — anyway, the
message obviously of the Chasm Report, one of the messages was that we really
need a national commitment and financial support to build a national health
information infrastructure and without that our quality and safety agenda is
going to go slow.

I think we still are struggling with this as far as national financing,
without a question. I think the commitment, certainly there is enough there to
argue that while we have the commitment, but I don’t know that we necessarily
are taking this on to the degree we are going to need to to really move it.

Obviously, we now talk about the NHIN instead of the NHII, but the working
group on the NHII, obviously, started while I was chairing this group and I
think as we look at this, a lot of our thinking at that point was how do you
use health IT to achieve individual clinical care, population care and health
and prevention.

Actually Ita Berner and Don Simborg and I published a paper recently that
sort of reviews the history of some of that, if you missed that. It is
available in the JAMIA journal, but the point is that was really kind of the
focus. It was focused in that area. I would say the aim was not only it
transformed some of these costly inefficient and highly variable systems using
information technology and communications to achieve the aims of the Chasm

This is the diagram, classic diagram, out of the NCVHS, that is focusing on
the kind of architecture that would combine both conversations, the
communications themselves, as well as the infrastructure to allow personal
health records, patient records or care records in the usual classic sense, but
also probably also public health and population records to be cross informing
one another because architecture is built so that you can actually learn from
each of these domains. Some of it has its own space, but some of it, obviously,
links across the others. Through that interface with that kind of an
infrastructure, really first class care should be achievable.

Now, that is a background and I want to talk a little bit about some work
that I have been doing recently and some of the, I think, possible messages for
you folks. But I was asked by AARP recently to look at where health IT systems
going in English speaking nations and what are the implications, policy
implications for the U.S. based on that analysis.

Dan Steen and I did this through a combination of surveys and interviews
and so forth and I wouldn’t say that it was exhaustive, but I think I felt
reasonably good about it and it has been well-received as I have presented it.
But anyway, we looked at Australia, Canada, England, New Zealand, Scotland,
parts of Europe as well. We got aware from — parts of Europe, obviously, speak
English. In fact, The Netherlands, the Dutch, better than we do, certainly
better than I do. Leave it that way.

But the point is, what I wanted to talk about were what I saw as some of
the take home messages from that. First, some of the similarities. Very strong
emphasis in all these countries on standards to enable connectivity and
interoperability and to some extent everybody is sort of struggling who are
working with that.

Privacy as they say is a priority and it is recognized as a greater
challenge in those countries where both federal or national and
state/provincial laws have to be aligned.

Many of these countries have a privacy commissioner, essentially most of
them, that provides a visible focal point for privacy, policy and enforcement.
Unique personal health identifiers are already planned or in use at the
national and the provincial level across Canada. The really only exception in
all of this, across all of Europe, as well as much of Asia and South America
and so forth, is the U.S. and it is fascinating to me and I will get to my take
on that when I finish this.

The public, though, is increasingly using the Internet. Internet
penetration was a little — well, Finland leads the world in Internet
penetration as a function of population. But the point is much of Europe was
slow, and certainly southern Europe, getting to the Internet. But they do their
health purposes pretty much, people really like to use the Internet to get to
health information. That is a characteristic seemingly in all of these

One other flag note, clearly is coming up and it doesn’t relate to HIT per
se, but all of these countries have a rising concern about the sustainability
of their systems. It is sort of fascinating to me that with all that we don’t
do, compared to what we spend to not get it done, in terms of health status,
frankly we are not as concerned about that in some respects as I think I sense
from some of these other countries.

Now, what are some of the conclusions? The interesting thing is in all
these countries, social solidarity is the term they use, has really an
ascendant national value. So, they actually believe that they, in fact, are as
a nation because they make sure that their citizens get services. Now, they may
not get all the services that we would say they maybe should get and so forth,
but the mindset is that we actually have become a country because we in fact
believe in this for our people and so their concern is really focused on
interestingly enough how do we sustain that, but they get this trust, they get
a lot of trust, collectively, out of this social solidarity. It really is a
piece of glue that holds them together. So that when they look at policy as it
relates to privacy, they really get past the discussions in a sense much more
easily than we do and they get on to dealing with just sort of how do you deal
with it as a practical matter. It is not so much a philosophical matter. It is
just a practical matter dealing with it because they think you will get the

So, in the U.S., I think, our prime focus seems to be on individual
autonomy and personal control and it is really a lot of control that dominates
a lot of discussion. We almost seem to look at — we will get health through
what NIH comes up with through our investment in research and discovery and so
forth and that essentially will be our, if you will, reward for a solidarity
public investment. It is so fascinating because we obviously fund a big chunk
of the world’s R&D so they get the solidarity in terms of the services but
they also get the NIH output, if you will, in terms of discovery. So, you sort
of wonder at some level where the U.S. is coming up on that in calculus as

But the point is we look at the issue of trust from the point of view of
the individual autonomy and control. We see it that way rather than actually
getting the sense of trust from our social solidarity side. It has some very
interesting issues and I think the dialogue I just heard this morning had some
echoes of that. Even the very last comment, well, some of these seemed to be
principles and some of these seemed to be kind of dynamic things.

Should we sort those out and sort of says, well, no, it is not, you know.
We can figure it out. But I think the point is it shows that we actually I
think really teeter back and forth on the issue of sort of rights and autonomy
versus how do we actually put all this together and get it necessarily done for
our citizens.

Now, the other thing that I found in the study was the ePersonal health
records, they asked me to really look at what is happening in terms of personal
health records. It came to me there wasn’t a lot happening in their nations
with regard to personal health records. They felt this again because of their
solidarity strategy. They focus on this as patient education and it is really
brought personal health record to them. We make sure that we just try to get
people information they need so that they actually can use the system rather
than this idea of sort of freestanding personal health records that become
something again to give individual control and autonomy and so forth in the

Equity of access is not, you know, here at this point. It is still a key
health care policy issue. I am not saying that we are not talking about it
still, going on. But I think the dynamic is sort of different. So, education is
emphasized more than patient control.

A personal unique health ID and national ID card is seen as something that
we need in order to actually get through the week, as well as obviously, I
think, helping you on the basis of research as well. So, some of these concerns
are I think on confidentiality and security, it is an another statement. It
balances and clearly there is no question. There are huge debates and
discussions on the privacy issues and the medical groups and so forth. So, I
don’t want to present this as too stark a difference, but I think a 60/40 kind
of thing I think is a fair statement.

I would say it is interesting because if you do look at the kind of money,
for example, Canada and the U.K. and Australia and others are starting to put
in — New Zealand is a poor nation. So, they really don’t have a lot of money
to put into this, but I think psychologically they are clearly invested in it.

But it does look like certainly if you look at the size of the budget, we
are trying to get even for Brunner’s(?) at ONC, certainly we are in a different
kind of space than the rest of the world, relative to our scale of challenge
and what is happening now, some states are stepping up to it.

Obviously, Canada, the richest province being Alberta, is clearly moving
along with a lot of their revenues and they would probably be the lead for that
country. But anyway, I think those are sort of some interesting things.

Now, another thing to flag is that the National Academies are — had
recently and some of the people who are here, had recently a planning workshop
on May 1st and they are to develop an Academy-wide initiative relative — so it
is a bit of a flag. They haven’t kind of come up on this yet. So, your
strategic exercise is moving forward. What you may want to keep an eye out on
that so that when that comes out because I like to think — and this just isn’t
the IOM. This is actually the entire Academy structure because they feel that
the engineering certainly, and less maybe so the National Academy of Sciences
has put absolutely, the Academy of Engineering and IOM are jointly really quite
keen on seeing something happen on this.

So, that is something to sort of flag up. Well, I think going forward and
maybe hopefully not projecting too much from that meeting, is a report — I
don’t know if you have seen the report, Building a Better Health Care System,
but I think after that report came out, which talked a lot about information
technology and not so much about informatics, which is how do use IT to get
these things accomplished. I think that some other discussions have emerged and
certainly by the time they got to their workshop they called it an informatics
workshop. I think that the point is is we have got to start worrying more not
just about quality and safety, but we have got to start worrying about it more
and more as a function of value.

How much health status are we getting as a function of investment because
this issue of sustainability clearly is a challenge and we talk about it as I
say, but it is really a matter of value, I think, and so I guess I would hope
that as you do your strategic retreat, you sort of raise that issue of trying
to move toward the value dimension. Quality safety is a function of cost so
that hopefully we move this forward. So, I think the future care is obviously
using informatics to deal with change and obviously that involves a lot and
these are some principles that came out of the Academy study, really
knowledgeable teams and reinventing work flow and integrating innovation and
removing outdated practices and reducing variation.

A lot of these things we have been talking about, but I think the only
shift a little bit is the so what question. You know, how much money are we
putting in to get some of these things and is there a better way to actually do

I think that health informatics is not health IT. It is really obviously
drawing across a whole set of domains. I think that is why the Academy, for
example, is looking at it that way. It really is something to — it kind of
brings out altogether and if you are going to assess the value issues and make
steps on that, you clearly are going to do that, need to do that.

So, now where are you then from where you have been? I will admit I have
been tracking what you have been doing, but I probably haven’t tracked as
closely as I should have or could have. So, it is possible that you are doing
things that I am really not aware of. But at least as I have looked still at
the web site and such and I would urge you to start now thinking about maybe
adding two new areas of sort of explicit kind of thinking to round out if you
will the strategy, particularly if you are go at it from the value dimension.

That would be to not only look at the things you are talking about in terms
of care related communications and records, personal patient population, public
health, but also now look increasingly at R&D and looking at education and
training. So that you actually look at this as a three dimensional box sort of
like bubbles, if you will. They are stuck together and really have put to that
a research and development agenda, as well as an education and training agenda.

So, you may want to consider three ad hoc work groups that might include
committee members and outside people. I don’t know how that would work, but you
have to think through that. But anyway developing a small statement on R&D
and then pursue those top three items that really seem to play most to the
NCVHS, similarly on the others. Now, the work group on this value, I think the
thing — the only reason I see a plus for that, the plus is that it gives it
some focus. So, maybe you really do discipline yourself to do that.

These things are so complicated and so forth that we can easily bore out
and not really keep that really focused tightly on that. So, one thing a work
group would do is if it is given a specific charge, it puts the monkey on your
back to try to really have things look at that. So, policy as it looks at
really return on investment kind of thing, might be different than one that is
focusing on quality and safety and sort of just the general we tend to go at

So, let’s talk quickly about the R&D agenda. Actually Starren, Balas
and myself just recently did a survey of AMIA members and also the college
informatics and theses are some of the top informatics research issues and
obviously, these will resonate quite a bit with the work this group does, but
it is interesting. Interoperability, work flow cropping up, which shows, I
think, some of this value driven mindset, but patient quality safety decisions
support and then getting down more into — more of just the informatics issues,
computer interface and so forth, but I think that the point is that is one
piece of information that could be useful to you.

I don’t know how many of you have seen the recent Road Map that just came
out. I think arguably this could be considered first education infrastructure
initiative of the NHIN because it is really how do you bring intelligence in
terms of decision support to this IT infrastructure. At least that report I
would recommend to you as something you can look at as well.

Now, how do you generate some priorities that might come out of that? Well,
an example, one of the challenges is increasingly for the clinical research
community where we are dealing with these legitimate concerns about privacy and
such is how do we, in fact, get people into play where they want to be into
play for health issues.

So, one option might be looking at an opt out personal identifier for not
only care but even it is fine by me if you let me know about IRB approved
studies that I may want to participate in. So that you have ways to get push
kinds of things to people based on their saying I want this. So, it is not like
it is over their bodies, if you will. It is with their full understanding that
says they would like to be in play. I don’t know that you would go that way,
but that is a thought.

On education, similarly, we have got to get some help and some of that that
needs the help is us. You have seen this slide. It is one of my favorite
slides. This is a little more American maybe, “An investment in knowledge
always pays the best interest.” I think the point is we have a lot of
health related — just speaking from the informatics side, but the point is
just the taxonomy of people who do this kind of work is still emerging, but we
know that we are not walking away from either IT or needing skills and people
who actually can help us relate to this.

Obviously, CDC is in a dialogue right now on what is public health
informatics and that kind of specialist, in fact, they are at work, you know,
debating the term right now, informatician versus specialist and so forth. Do
we need public policy informaticians? It is very interesting and I floated this
idea at our spring meeting out in Phoenix and we had a number of young people
— of the only comments I made that came up really were energized by that
thought, saying, gee, they really are a lot of — tradeoffs and so forth and
actually you have people who understand this, particularly as you do get, for
example, imbedded intelligence and so forth, those bring in not only a lot of
health and medical and nursing and clinical issues, but also ethical issues
about imbedded intelligence and value dimensions get into play on that, too.

So, that is an interesting kind of area. The point is that I think there is
an important area here in terms of education and training and NCVHS, it is not
a major agenda, but it certainly an agenda and it is a big issue and we have
really pretty much ignored it in the debate to date. That is not smart.
Recently, I think we — with the primary care pressures that we have in this
country, with the aging on the nursing workforce and so forth, we had better
work smarter with the aging population. The demographic is such that in my view
this education and training issue is not a sleeper issue. It really should be
moved up because if we don’t, in fact, work a lot smarter, I think we are going
to be real trouble and clearly informaticians and a curricula to help those
people do that work right and be party to working with others is going to be a

So, what could come from that workgroup will be some recommendations for a
variety of agencies where NCVHS could hold hearings on some of those kinds of
things or get some dialogue going across the government agencies on some of
these. You will have to decide, obviously, where that makes sense. I think if
you are not aware of them of MedBiquitous, there are — it is an organization
that is set up looking at specifically educational standards and values and,
again, it is a set of standards and I think it would make sense for NCVHS to
look at that.

Another document that is accessible for you to look at that, we call it a
white paper, but actually it is lime colored. So, it is a lime paper on work
force to start looking at some of that.

Then, of course, AMIA is, in fact, moving forward to try to help on that
education front. So, if it could, AMIA itself could be useful to you and we
would be delighted to talk.

As I said, this final suggestion, do you need a group that is looking at
value. I have already talked about, I think, some of the pluses and minuses of
that. I think at least I would like for you to at least think about that
certainly. We clearly need to complete the HIT and informatics infrastructure
and then we certainly do not really have the simplification through standards
that I think we saw in the HIPAA legislation. There are still areas where I
think things can be worked on. In the interest of time, I won’t go into a lot
of that. But clearly I think this whole issue is something that I think will —
you will have a partner, I think, over in the Academy structure on this as

Of course, obviously, you have been and continue to be interested in
helping people at skills. It does look like the kind of integrated PHR where
the patient is actually tethered electronically to their care. It seems like an
emerging model that really does have a capacity to be I think a serious major
dance to get the value returned, for example, both in terms of value and money,
but also value in terms of perceived value, just human value. I love this kind
of value, which is hugely valuable, too.

And the EU has I think done some really interesting work in some of its
e-Citizen programs and I would urge you to kind of look at that as a model for
this country.

Standards is a challenge always and obviously I still have an affiliation
with Virginia. So, I always have to — but I think the point is however we get
the standards, we need to treat people that develop them fairly. So, they need
to be paid for their work and they probably need to maybe be involved in
maintaining it, but at some point it has got to be there for everybody and I
think that is one of the tensions that I think you have been very responsible
to and responsive to but still hasn’t necessarily all gotten I think put into
bedrock policy as an understanding of this as how we have got to do this and
play it out internationally as well.

So, I really thank you. I have kind of thrown a lot at you and I think that
if — probably my guess would be, Simon, will probably move to his presentation
and then we could have some dialogue. Is that —

DR. COHN: Absolutely, Don, and thank you very much for the generic file

MS. GREENBERG: There is nothing generic about you, Don.

DR. COHN: John, obviously, we also very pleased to have you here and then
we will, as I said, talk —

MR. QUINN: Thank you, Simon and thanks to everybody here for inviting me.
My first reaction to one of Don’s statements was I frequently ask my British
friends when I am over there, which seems almost always now, you know, that I
have noticed that they actually have four inalienable rights, life, liberty,
the pursuit of happiness and free health care.

I actually haven’t found a single person in the U.K. that I have said that
to, regardless of what political party they belong to, who even remotely begins
to disagree with that statement. So, just put that in your frame of context
when you start thinking about how do they get away with doing some of the
things they do and answer is because they are of one mind, of social solidarity
on that topic. Maybe it is two world wars that have done that to them or the
rest of Europe as well.

But sociology is not my background, so let’s move forward. First of all,
let me say my everyday work, I find myself immersed in this topic of EHRs and
HIT. This is essentially what I do. I have several roles in this. I am the
chief technology officer of Accenture’s Health and Life Sciences Provider
Practice. So, in that role I come in contact with this — with providers,
payers, even sometimes life sciences companies that ask me questions and expose
their thinking to me about the future of EHRs in the U.S. and In some other
countries. These tend to be very practical issues around EHR planning, product
offerings uses of the EHR data on implementations and progress.

In my role as chair of HL7’s Technical Steering Committee 1991 and a board
member since 1988, I am exposed to another aspect of EHRs through HL7 and some
of the standards associated with EHRs. These issues kind of range from the
abstract to the practical because everything in HL7 covers right now the range
from the abstract to the practical.

These includes, of course, the steady progress of the HL7 EHR technical
committee and defining the EHR functional standards. These efforts continue to
evolve around the functional model, conference, direct care function, support
of functions and formative infrastructural functions and steps and principles
for creating conformance criteria for the functional model.

Finally, I have a role in my company, Accenture’s, effort to deliver on
their contract to implement the United Kingdom’s National Health Services’s
National Program for Information Technology in two regional clusters serving
roughly 20 million or about 40 percent of the English citizens.

All of these roles have a common thread that keeps me constantly focused on
provider organization’s efforts to create, use and communicate electronic
health record information. As some of you already know, my educational
background is in electrical engineering and computer science and I have been
working in this field of computer science for 33 years and I have been in HIT
for 30. So, it seems like a lifetime because it is.

I have had the opportunity to work for a computer vendor, provider
organization, HIT vendor and for the last 13 years, an HIT management
consulting to provider, payer, pharmaceutical and medical device organizations
and recently even HIT vendors themselves. So, as a consequence, a lot of my
stuff becomes fairly anonymous when I start talking about it because the
negative stuff you don’t really want to attribute customer’s names to.

Unfortunately, I not see widespread use and networked communication of EHRs
in this country as very likely before I reach my legal age of full social
security and Medicare benefits, which is sort of the demarcation line in the
sand for me or for that matter, my current age of average life expectancy. So,
for all of you that are trying to do the math, the magic number you need is 58.

I remain hopeful but increasingly doubtful. There is a formidable and
largely not technical, at least in the sense of what is known or discovered
science. The technical barriers have more to do with engineering of known
science and the resources required for the engineering to occur. In any case,
the pace of progress is way too slow for anyone in my age bracket. And looking
around the room, a bunch of you are in the same bracket.

I would like to take a few minutes to look at some of the elements of my
concern. So, let’s start with the market and the efforts. Many of us look at
the U.K. and the U.S. as parallel efforts of interoperable EHR and see a lot of
differences. The U.S. approach is bottom up, market driven. I use the term
“market” here parenthetically and with my tongue in cheek because the
U.S. health system is patently not really a market in any traditional catalyst,
economics model view of the term. When you try to think of markets, think of
consumers and suppliers and you immediately get lost in the diagram that looks
like a spider’s nest.

The U.S. plan would build a National Health Information Network
Infrastructure to connect what could be likely around 50 or so regional health
information networks that would have already interconnective local EHR source
IT systems within their regions and have already provided sharing of EHRs
within those regions. It future funding is not clear, but it would seem that
the default plan right now is that it will be funded by the users of EHR
systems and not directly by any external infusion of capital from government
sources, although some relatively small seed monies are and will possibly
continue to be applied at federal and so far some state levels.

The U.K. approach is top down. It is directed by the U.K.’s National Health
Service, Connecting for Health, CfH office. The U.K. plan now under
construction is building a National Health Information Spine — you can
substitute for NHIN for there and there would be an awful lot of overlap. That
will manage a number of national services, including the sharing of EHR
information among five regional clusters that have already interconnected local
EHR IT systems within their clusters and provided for the sharing of EHRs
within those clusters, in other words, substitute RHIOs for regional clusters.

There is a lot of difference in organization and delivery, but the
organizational structures look very similar. Their funding is through an
initial allocation from Parliament and then an ongoing assessment of local
strategic health authorities’ operating budgets. So, they actually have a plan
for sustaining — some people aren’t happy with it because it takes money out
of existing sources. The U.K.’s National Audit Office — I have got a copy of
it here — published a report last Friday on June 16th, which allows me to
actually talk in a lot more detail about this, and states that the current
provisions have been made for a total spending of 12.4 billion pounds.

On May 30th of this year, the Minister of State for Reform, that is out of
the Department of Health, Lord Warner of Brockley — he was quoted in the Daily
Telegraph and I am sure probably other papers as well, who is responsible for
the program was reported in the U.K. media as having said that the full cost of
the program will likely be near 20 billion pounds.

The last two sentences were directly taken from a report that you can get
on line, if you would like. Taking these two numbers and converting British
pounds to dollars and scaling the numbers to the approximate differences in the
population size of England versus the United States and that is not all of
Great Britain. That is just England we are talking about. We get a current
equivalent projected range of about 118 to 119 billion dollars when looking at
the U.S. That doesn’t mean that you could apply everything the same, but it
just gives us a base understanding of the relative amounts of money that they
are expecting to spend. In both cases, HIT vendor-based IT systems are the
producers of the EHR data and with the exception of display and use on web
pages, these same systems are also the consumers of that same data. Also, both
the U.S. and U.K. plans to or already relies heavily on the use of standards
that precisely define electronic health data, recording of that data, the
structure of messages that are used to transfer that data and the scenarios or
use cases that define the circumstances around the production and/or
consumption of that data.

What I have tried to convey in these descriptions of the U.S. and U.K.
approaches it that they do have a lot of differences, largely in organization,
governance and funding, not in HIT. These have more to do with the differences
of the two health care systems and are not about either the science or the
practice — the science of information technology or the practice of medicine.
Those are almost entirely identical there. They also, however, have many common
threads such as the overall high level architecture, the HIT vendor dependency
and I underscore that because we will talk more about that in a minute, and a
strong reliance on standards. In short, I think that we too easily dismiss the
U.K.’s NHS as so different that there are not lessons that we can learn. In
reality, they are the bow of the ship that is hitting some of the rough waves
before we ever see them. They are a couple of years ahead of us and they remain
that way.

Our logical sequence for EHR systems is RHIO — is EHR systems to RHIOs to
NHIN. EHR systems, we can look at interoperable EHRs in this country as a
sequence of three major technical dependencies. First and foremost is the EHR
system itself. We all in this room know that the primary prerequisite is the
EHR system that sources or creates structured coded data in the first place and
then that same, generically speaking, that is the major consumer of that data
at the other end of the interconnecting network. In other words the network
isn’t of much value without the EHR systems.

The facts are plainly clear from studies cited in Dr. Brailer’s framework
document of two years ago, that reported as little as 14 percent and a maximum
of 28 percent of physicians used EHRs in their offices in 2002. Quite frankly,
from my anecdotal experience in the industry, those numbers still seem very

Since that time, a few large organizations that provide ambulatory care
have started to introduce EHR products that specifically support ambulatory
clinical processes, such as the HIT vendor Epics, EHR products at both Kaiser
and Cleveland Clinic. I mention those two for a reason. One, Simon, is because
you are from Kaiser and I along with almost countless other consulting
professionals have spent at least some of the time assisting Kaiser in some
phase of this considerable task.

I mention the Cleveland Clinic from my personal experience. I live in
Cleveland or outside of it. I personally switched primary care physicians a
little over a so that I could have access to my own medical record and to my
physician through the Internet. I realize others that have done the same.
Nevertheless, I am sure we are a small minority.

My point here is that once I get past the very large organizations, I don’t
see a lot of uptake of EHR adoption in the primary/ambulatory care markets in
the U.S. Most care is delivered in the setting and it is the core of long-lived
information in the medical record. Unlike the acute record, the primary care or
ambulatory specialist record is the one that persists through chronic diseases
and serves all of us when most Americans receive most of the medical care that
we will receive in the latter years of our lives.

Various promises or public suggestions have been made about improving the
adoption of EHRs in the ambulatory care space, such as pay-for-performance and
Stark Law relief have both been suggested by various spokespersons of DHHS and
others. However, I still haven’t seen any significant or effective programs to
induce physicians in individual or small or medium group practices to buy or
adopt the EHR system. As it was in 2004, this remains an effective show

RHIOs. I am not very merciful here. This construct of interconnection has
had more names and aliases in this country than effective progress. Maybe this
is judgmental and a blunt statement but the RHIOs of today as viewed in our
market planning observation are suffering a similar fate to that oft-avoided
acronym of 13 years ago. And I will say it, CHIN. EHI and Connecting for
Health, that is the U.S. version of Connecting for Health, not the U.K.
version, have put forward promising numbers of the number of counted RHIOs in
formation today that numbers as of around HIMSS early this year was in the
hundreds. As a business, my company sold services and advises in the emerging
RHIO market. So, we actually carefully look at that segment and we watch these
reports closely. We size the market ourselves and engage with many of the
larger and more promising efforts that are cited.

We find — and I talked to the guy yesterday that is responsible for this
to make sure I had my numbers straight — we find a lot of discussion going on
in most every part of the country. However, our measures of effectiveness are
evidence of organization, governance and funding. We also feel that it is
vitally important that the state government have some significant stake in the
formation of RHIOs. It seems pretty clear that there is no money forthcoming
from the Federal Government for the formation of RHIOs. The Office of the
National Coordinator has seemed to focus on encouraging formation within a
state; that is, one or more RHIOs within a state. This approach then gives us a
simple metric. Does a prospective RHIO have the attention of the state’s
governor or health department and is there any serious funding available to the
forming of a RHIO?

Our threshold of believing that this state level interest exists and is
serious is roughly in the 10 to 20 million dollar funding range. Amounts less
than that support RHIOs that in what we call the Holiday Inn mode. I have
participated in a number of these meetings personally. They have enough
organization and interest to support a monthly organizational meeting with a
list of volunteer “to dos.” It is my personal experience that these
meetings are more likely to actually take place in a member provider
organization conference room than a hotel because there isn’t sufficient funds
to actually support the local hotel venue and we weren’t talking about the Ritz
or the Four Seasons here.

We currently count about seven states in this country that have this level
of state support. Some of these states are large enough that they may well need
more than one RHIO. One other state seemed to have state funding and a head of
steam but for organizational and governance problems seems to have suddenly and
mysteriously slowed down. Two more states have support that are in the 1 to 2
million dollar range. We do not believe that this is sufficient funding to get
them to the point of building and running a RHIO, even if they actually happen
to be very small states.

The NHIN, a brief statement, way too involved to go into details on this.
But we are one of the four companies building prototype NHIN. We feel that the
program is moving along nicely and the U.S. should have good lessons learned
when this program completes. There are many technical questions left to be
answered. However, the bigger ones for the eventual NHIN should who is going to
pay for the NHIN when this is done, both initial capital and ongoing use costs
and what will have to attach to the NHIN if we are to build one in let’s say
three to five years, which would seem to be the logical follow on if you just
took the end of this program and said we were going to come up with a year to
study it and come up with final rules. Think of Medicare Modernization Act and
e-prescribing and you come up with a similar type schedule.

So, alternative and supporting interest. In the upside down world of U.S.
health care finance, the provider organizations, starting with the individual
physician’s practice, need most to invest in EHRs and the local infrastructure
to interconnect them. They have the least available capital to invest and for
the most part the least understanding of why they should. Payers and
pharmaceutical manufacturers have the most or at least far more available
capital to invest and routinely each year judiciously formulate their
considerable investment plans. They, however, do not have a clear understanding
as a group anyway of how investing in interoperable EHRs would improve their

In the last several months, we have seen an increase in excitement from the
payer industry in the potential of indirectly using EHRs to improve the
penetration and adoption of care management in the provider industry that they
support. This may or may not be welcomed by the provider industry, but,
nevertheless, it is a fact. The enlightening fact for them is the proposed
HIPAA 275 attachments rules. Many of our customers who have taken the time to
study 275 gives them — that this gives them the means to managed scorecards
and measure adherence to best practices.

Before the advent of 275 many of the same payers started to understand that
electronic prescribing as defined in the Medicare Modernization Act would in
fact lower their costs by giving them a vehicle to inform physicians and
promote adherence to plan specific formularies and affect the switching, when
available, to generic alternatives.

Another comment on the 275. Some of the reactions I have had from payers
when I finally — when they finally understand what I am talking about.
Admittedly, this isn’t an easy concept. They all do remember that they had
buildings full of people that are actually doing nothing but looking at
attachments. So, they recognize the cost saving quickly — is the payer
industry tells me — many of the people in the payer industry tell me that they
have for years tried to figure out how to minimize attachments because of the
costs associated with handling paper. I am now giving them or we are giving
them a reason to want to increase the number of attachments. Okay? So, the
provider industry will be buried in these requests if they don’t have EHRs to
source the data to the attachments. No question about it.

Some of these payers have seen fit to make funds available to their local
provider organizations for first the acquisition of electronic prescribing IT
solutions and are now expanding their planning into EHRs. This the most
promising funding alternative for EHRs in this country that we have seen so
far. Unfortunately, it isn’t particularly organized and is only happening with
payers that are assertive in their strategic thinking. There are definitely a
spectrum of strategic thinkers in the payer community and when we go and talk
to ones that are hesitant and afraid of what they might decide and what it
would do to them in the future, they just can’t see this at all. I am saying
somebody could use some help here.

Our pharmaceutical consulting practice has similarly created studies that
have helped pharmaceutical companies to understand where value might exist in
EHR data for basic research, clinical trial group selection and postmarket
introduction monitoring for safety. Unfortunately, we have also determined that
the pharmaceutical manufacturers are most interested in some of the very data
that existing concentrations of EHR systems are most unlikely to provide today.

Concentrations of EHRs in the u.S. today are found in the acute or
secondary care market. Most clinical research involves drugs that are taken and
monitored outside of a hospital. While there are exceptions, I am sure all of
you can think of at least a half dozen or more drugs that are being promoted on
television today for long term conditions, such as high cholesterol, high blood
pressure, allergies and many more. All of these are prescribed and used for the
most part outside of a hospital. Diagnoses, prescribing and follow-up visit
monitoring all takes place from the physician’s office, not the hospital.
Again, we run into the problem with not having ambulatory EHRs.

A second key requirement for pharmaceutical data is that the sample set
includes a high level of diversity that is aligned with the general market.
This is not always easy for academic teaching institutions or institutions that
specialize in specific diseases or treatments where we see the very best
penetration of EHR data today. Again, the ambulatory care setting is more
likely to generally align with these data requirements.

The payer and the pharmaceutical industry segments could be a financial
contributor to the nation’s EHR goals. We should focus on how to leverage these
market segments. We could better educate them and then align our planning with
their objectives. Curiously, the U.K. does differ from the U.S. in a very
significant area that is directly related to what I just described. The NHS is
now in the second round of full deployment of GP systems, as they call them, to
all of the GPs that contract with the local NHS primary care trusts. Yes,
primary care physicians, there are independent contractors, much as they are in
the U.S.

The first round occurred in the early mid-nineties. These systems are
upgrades of technology to the very group of physicians that the U.S. needs most
to adopt EHRs but can’t seem to find out how to address. While the U.K. does
not have payers as we know them, they do have care management and they
themselves administer it directly through the NHS the financial incentives that
they make available to their GPs. So, they assume the role of the payer because
they are the payer. They do understand this connection. So, it is not a
payerless system. It is a single payer system. So, their strategy tends to be
fairly well-organized and focused when they come out with one as well.

Let’s talk about HIT vendors and HIT technology. My last prepared topic is
on the HIT vendors. This is a set of companies that are exclusive to the
healthcare industry. Make no doubt about it. Even when a large international
conglomerate has its name on the business, it is still a product and company
division that is exclusive to the healthcare industry. What I am trying to say
is that the general IT industry in this or any country has not yet figured out
how to successfully invest in health care, even if it is largely untapped and
represents 16 percent or more of the GDP and growing.

Recently, I have been asked by several different sources just how long does
it take to create a complete EHR solution? Complete here means that all
settings of caregiving are covered from individual physician through the ICU,
home health and even the ambulance. Again, it is good to think about the NHS’s
NPfiT program goals as an example of completeness. It is hard reading for
anybody. It has got 4,000 questions, over 4,000 questions. But it does cover

I have come up with several interesting examples in the industry today to
give some insight to this process. However, many of these example efforts today
still remain incomplete with no real understanding of when by the HIT vendors
of when they will be completed. I have even gone so far as to ask the following
question of a couple of the more successful EHR vendors today — think about
the HIMSS Klas reports if you need help on imagining who these might be — I
asked them, “If you had to do it all over again today, if you had all the
capital that you needed, if you knew everything that you have learned over the
life of your company, if you had the right people in place, how long would it
take for you to recreate what you have today, possibly on newer and updated

Consistently, the well thought out and considered answer comes back in the
10 to 15 year range. Despite what you might think, despite what HIT vendors may
tell you about their products and prowess in the market, we actually have a
supply capacity problem for EHR systems and an effective lack of competition
and a very high barrier to entry into this marketplace.

Also, despite what vendors might way, their track record show that they
cannot quickly produce new products that address new functional areas where
they have little or no experience. The most important factor appears to be
experienced architects and developers that have strong IT and health care
industry experience. This is a prerequisite for meeting the above timelines.
Pure intellectual property rights without the minds that created that
intellectual property appears to be of far less value. So, for all that have
gone out and bought companies, but the people have long since disappeared, they
really don’t have what they think they have.

Sharing healthcare data and scaling, that is, building systems that can
simultaneously support thousands or tens of thousands of users is extremely
difficult. No vendor today supports the variety and scale necessary for our
largest organizations. Other solutions can and have been found to integrate
multiple instances of EHR systems. However, even though the progress is good,
these solutions are still in their infancy. They decrease systems efficiency
and performance and they add to an already considerable cost of the system.

Also some of the major EHR vendors have proposed a largely unconsidered
variation of the Office of National Coordinator’s implied architecture for
nationally sharing patient specific health care data. That is the architecture
that I have been describing. This form of sharing is an opportunity, if
desired, for owners of vendor’s HIT product to make their EHRs available, with
proper concerns for patient privacy, to owners of other similar EHR systems
produced by the same vendor.

So, in Kaiser’s case, it is all the same organization. So, you have
multiple instances of — care. I am talking now about imagine if Kaiser was to
share data with Ilini(?) and the Cleveland Clinic and Evanston and a bunch of
other Epic customers. Just using Epic as an example we could create another
example for Cerner(?) or any of the other vendors. This capability is not part
of the mainstream thinking in the U.S., the U.K. or Canada. While there is
nothing particularly technically wrong with this type of alternate sharing, it
is exclusive to only the one vendor and becomes a barrier to competition. What
I am warning you is this is starting to happen in spite of the architecture
that we are defining here, the market is moving in an orthogonal direction.
There hasn’t be a lot of uptake on this, but there is almost universal offering
of this.

The committee and the Office of the National Coordinator do not appear to
be considering this capability nor are we analyzing what complications this
type of sharing might create from the expressed national EHR sharing
architecture if the market starts using it.

So, one can easily consider Kaiser as its own RHIO and say, okay, it is an
organizational RHIO instead of state aligned RHIO and it works with Washington
and it works with Ohio and other states that Kaiser is in, but this is
something quite different.

Finally, when we looked around at the products that are being delivered and
used today, when we look at the technology and architectures that really work
and work well, we find that some of the mainstream IT technologies that are so
popular today outside of health care, for example, browser-based thin client
solutions, have severe deficiencies when applied to EHRs. It may not be obvious
because if you look at demos, you can always see the thin client demo, but if
you actually go to the large hospital and you see what is running, you won’t
find that in use. You may find it from your home, but you won’t find it on the
floor and you won’t find it in the ICU. You won’t find it in the ER. What you
will find is a thick client, older technology, very efficient application. What
we find is that performance of these technologies is considerably too slow. The
coding systems in the software to use then are enormously large for the browser
to support. Think of over a million possible terms and a full SNOMED read,
ICD-10, OPCS, et cetera. That is the British version of our code sets for the
standards codes in the U.K. Try to think about downloading that into a browser
or even just the code to manage it into a browser, for those of you that are
technically inclined. For those of you that aren’t, don’t worry about it.

And the demand for complex asynchronous rules to support critical patient
safety functions too severe to work reliably. We have problems in that area as
well. So, across multiple vendors I have found unanimously when it comes to big
implementations, the large number of users, they have all been forced to rely
on older thick client server and older technologies to succeed in the largest
deployments today. This may be a critical reason why the general IT industry
can’t quite get their appetite whetted for what we need. The technologies that
they sell that they are — they are their mainstream MicroSoft, Sun, et cetera,
products, in fact, don’t work. So, they go to the vendors and the vendors say
it doesn’t work and they say, well, I don’t have anything else to sell you and
then they go off and look at other industries again.

In summary, I believe that we are currently making slow progress towards
national adoption of portable EHRs. There are many technical questions that
still need to be answered in this and other countries before this can be a
reality. However, just as the Commission on Systemic Interoperability inferred
almost a year ago, this list of the most difficult questions, issues and tasks
that remain are largely non-technical.

I thank the committee for their time and I would be glad to answer any
questions they may have.

DR. COHN: I want to thank you both. John, I was trying to think of whether
I was depressed or enlightened by your — I guess I am reminded that we may be
on — some days are not quite as far along as we like to think we are.

I would open it up for questions or comments from the committee. I think we
have 10, 15 minutes to sort of talk about things and then we need to finish up
our work.

Maybe I will start out by just, Don, asking you a little bit about — one
of the things that we have talked about at the committee and I am looking at
Carol McCall as I think about this one is the — don’t worry, Carol, I am not
going to call on you — has to do with the issue of value. Do you think that at
this point value is replacing just the simple concept of quality as really the
sort of the focus for the future in the next big sort of set of issues that the
country is going to deal with?

DR. DETMER: Well, obviously, it is not either/or. I think it is a matter of
trying to get — you know, I mean just acknowledging — I mean, at some point
we have enough money to do this. We are putting money in our system. Money is
not really the — it is the issue of will and direction. But I think the point
is if we are going to do it, I think it is going to be looking at quality and
safety from a perspective of actually value. How do we get — how do we
actually start getting more ROI on these sorts of things and determine that.
Now, some of that is going to be — I continue to be interested in some of the
work David Eddy does, for example, with the mathematical modeling and finding
out where the signal to noise ratio is and what we do to people in the name of
making them better.

I mean, there are a lot of ways we can look at this and I think we need to
take advantage of almost all those things. I guess what I really am saying is
and maybe not that clearly, but — is that unless we actually put this forward
as a clear way of thinking — things are so complicated and such that we won’t
necessarily put ourself to that discipline. I don’t know if I have made myself
clear or just continue to talk along.

DR. COHN: Other comments, questions?


MR. LOCALIO: I wasn’t depressed at all by your comments. I would just like
to add some —


There are the problems which have been classified to me as local
implementation issues and this is when a system that may be perfectly
well-designed and looks great on paper is then used and what we see is the
following types of issues. There is no common physician identifier. Physician’s
names are used. Physicians get married. They change their names, changes in the
database. There is no NDC coding of drugs. Generic names are used. Brand names
are used. Data as missing. Things are misspelled.

So, for example, you mentioned Epic. Somebody came to me on Monday with
data from Epic and I have the copy of my e-mail here, which I won’t read, but I
said you cannot use the following six variables. The reason is, you know, 20
percent of the data are missing in those variables. So, you can have a system
that a lot of people are using, maybe perfectly designed, perfectly funded, but
because it is not used consistently and optimally by the people who are
actually using it, it does not work to drive the particular analysis that the
person wants to do.

Now, it may be fine for an individual person seeing an individual physician
who knows that patient, but it falls apart when you have one patient seeing
multiple physicians or you have other people trying to aggregate the data.

So, I am not depressed at all. I think this is a good dose of realism that
I hear from you.

MR. QUINN: Let me just sort of like expound a little bit on what you are
bringing up is a very valid point and that is we have a community of vendors
that have built and installed these products, some of them for years. We have a
relatively new vision of the way we expect EHR data to be shared and this goes
to the Coven(?) standards that you alluded to.

Now, once a system is implemented and implementation typically takes many
months and tens of millions of dollars for large organizations to accomplish.
— to that software maybe applied because of bug fixes and new features, but
the one thing that typically almost never happens is a reimplementation of the
system. So, the code sets that they use, the localizations that occur are
actually part of that implementation process.

So, we have kind of a vision of a from here, go forward. We have defined
our standards. We have defined how these things should work. All is well now.
We move forward from here and the industry is saying heck no we move forward
from here. I invested, you know, gazillion dollars ten years ago on this
system. It is working fine and we are not replacing it. What you are pointing
out to me is if I go look at how Epic is installed at Kaiser, where Simon is at
or the Cleveland Clinic and wherever this is, I will find every implementation
is different. Okay?

Now, could they all be at least using the same standard code sets of data
that we have defined? Sure, but nobody has really given them a real good reason
that says you must. We said for the future you must support these and every
vendor will tell you — pick on any vendor we want in this one and they will
say we support those. If you ask them real quietly, have you ever actually done
this, they said, no, but if somebody asks us, we could. You are not going to
get that in a public presentation of HIMSS, but you are going to get that

DR. COHN: Mike, Jeff, Steve, Stan.

DR. FITZMAURICE: You have hit on the point that is really the crux of a
problem and maybe the solution for me and that is I almost don’t care about the
architecture. I don’t care about the message transportation, the message. What
I care about is that when you get the data together, that the data means the
same thing whether it comes from a doctor’s office, from a hospital. When you
pull it together from a research point of view, it means the same thing. From a
doctor’s point of view, he knows what you mean when you say hypertension if you
are on the East Coast or the West Coast, that we have common definitions,
references to common medical concepts and I would like to see more and more
common representations of things, some things like dates, many names and

What is it that NCVHS can do to raise the awareness that there may be
benefits. There may be costs with this to get a better handle on reaching a
solution to this major problem. You have kind of answered it already by saying
if you don’t make it in somebody’s best interest to do it, it is not going to

MR. QUINN: Right. I mean, you can make it in their best interest by telling
them you will find them if they don’t or you will remove their medical license
or something very drastic like that, but that is not practical. The fact is you
have got to recognize that moving forward change really has to occur and just
saying that in the future we are going to do this really sets a scenario, a
stage, when you start practically looking at it that it going to be 15 to 20
years until the industry actually replaces all these systems and makes the
changes so that we actually could have interoperable EHRs.

One of the problems with the entire concept of interoperable EHRs is it
really does require that everybody be playing off the same set of standards and
you have to induce them. Provider organizations are hard enough pressed for
money and there are financial reasons to say I just installed the system three
years ago, four years ago, five years ago. They won’t even make that thinking.
This thinking wouldn’t even occur. Effectively they are going to say, well, we
have got a new system. It is Epic. It is Cerner. It must do what we need it to
do and hopefully somebody in the IT department might actually do a little bit
of studying and say, well, actually it is the right system, but it isn’t
installed the right way to make this happen.

But your incentives also have to include something that induces change in
what otherwise appear to be good systems. So, this is not a huge cost, but it
is a significant cost that institutions for the most part are probably not
going to volunteer to make on their own.

DR. DETMER: I think one option to that is obviously, the VA and DOD. Those
are big systems and, frankly, we act as though the U.S. Government isn’t part
of this market, which is a totally loony perception. So, it strikes me that one
piece that you do have to play to is the VA and DOD and those are pretty mature
systems because when the 1991 computer-based record report came out they
started working on that report. It is just like the NHS and Australia and
Canada and everybody else did because they have national systems but I think
that is a piece of it. I do think you work with what you can get your hands on
that really do start driving some of that. I think the interoperability report,
for example, talked about trying to move forward on e-prescribing with that. If
you could work on a piece of that even with VA, DOD, you start creating some
movement. I mean, it is not easy. It is not an easy issue but I see a real
tough situation of trying to create it out in the greater country.

DR. FITZMAURICE: So, it is taking leadership, bringing the issues to the
front, relating them to issues that the public cares about and showing how
these could be solutions and starting a path. I think ONC has done a tremendous
job at starting to build the architecture and the road maps on how to get
there. NCVHS can support that just bringing in testimony about how hard it is
and, yet, how essential it is.

DR. DETMER: But ultimately it comes down to specifics. I mean, clearly — I
think what HL7 is doing, for example, is changing their organizational
structure. We will help on some of these things. Some of this we are still
trying to just build. How do we even talk to these issues, internationally, let
alone nationally? The debate we have gone on in ICD-9 versus tan(?) for
example. That is represented as an interesting metaphor that is — so some of
it is a matter of just staying at it.

DR. FITZMAURICE: Just to pick up on that a little bit. How soon will we get
ICD-11? I mean, some folks are already saying to me why should I go to ICD-10.
ICD-11 is going to be here before we implement it and by 2012, why don’t we
just wait for ICD-11?

DR. DETMER: Well, see, in fact I think it is fascinating because SNOMED in
a way starts at the molecule and builds up and ICD starts the populations and
tries to work down. I mean, at some point these two things need to get together
in a unified theory of world. I honestly because we know ten year or twenty
years iterations aren’t going to get it done either. Somehow we do need to have
a rolling game that looks through some of that.

DR. FITZMAURICE: Last question. John, what is U.K. using? Are they using
SNOMED? Are they using the ICD codes or SNOMED Read? Are they using HL7,
Version 2. something or are they really moving into Version 2.3?

DR. DETMER: It is a long inventory list there.

DR. COHN: Mike, that is your last question, right? Good. Thank you.

Marjorie,l did you want to make a comment before we go on to questions?

MS. GREENBERG: I have to comment on what Mike said since this is an open
work forum and people take things from it. There is no way that we can
implement ICD-11, which hasn’t really gotten started in any significant way in
2012. I would say the earliest is maybe really 2020 probably and — maybe 2018,
ICD-11, and in fact, it will — it is possible that ICD-11 will be so — in
many ways similar to ICD-10. It has nothing to do with ICD-9. We are absolutely
working on trying to align ICD with SNOMED and that is clearly essential and
that is an objective internationally.

DR. DETMER: Well, one of the interesting things

— I am working with a young biomathematician, who has got some of these
super computers that rev up like a Harley in the morning and do these big
log-log correlations. He is actually looking at classifications and actually
taking ICD codes versus the SNOMED codes and so forth. It is fascinating.
Actually there seems to be more correlation, which doesn’t really surprise you
in a way because SNOMED comes out of pathology primarily. But you see some
pretty high correlations in some of the coding actually with some of the
genomic data. It is all pretty arcane. It is not something I understand in
depth, but it is a very interesting kind of effort to try to find signal to
noise ratios if you will.

It kind of gets a little bit — this value proposition, ultimately we will
probably have better coding when we really do reflect as close as we can what
reality really is and not necessarily our constructs.

DR. COHN: Jeff, Steve, Stan, Harry, Judy and I guess Jim has the final
comment and then we will wrap up the final business.


MR. BLAIR: Well, Don and John, we have lived through the last 15 years with
a lot of visionaries and a lot of folks that have developed wonderful ideas for
how to move health care into the information age and we have made a lot of
progress in a lot of areas. I especially resonate to, John, your comments on
how long it has taken. It has taken much longer than we thought, just to
implement the Administrator’s Simplification Provisions of HIPAA, just the
electronic claims, years longer than we thought. We thought that was low
hanging fruit. And a lot of us thought that, you know, having clinically
specific terminology, SNOMED, LOINK and RX-Norm would really move things
forward. And it has just taken so much longer.

We see all of these other things in terms of pay for performance and
genetic coding and outcomes, measurement and management and continuous quality
improvement and they all seem just over the horizon, but it just takes so long.

The one area that seems to have moved faster than I thought it might is
e-prescribing. So, I am trying to offer that a little bit as a balance to not
go down the one path of saying everything takes longer.

So, I guess my question is what do each of you see as the near term next
major opportunity that NCVHS should focus on, where we can remove the
impediments and the barriers to accelerate development of health IT, where we
could get results in three to five years instead of ten to fifteen years?

MR. QUINN: Let me start with a suggestion I made, which was you brought up
e-prescribing. E-prescribing defined the Medicare Modernization Act.
Interesting in that the statute actually defines e-prescribing, which is a
little unique and probably short circuited two or three years worth of hearings
after the law was passed.

To me, the nearest thing on the horizon that you can use to short circuit
things is the 275 because the 275 is as I alluded to, one, seems to have strong
business reasons for the payers to want to use it if they really want to do
care management.

MR. BLAIR: And focus on additional complementary standards to supplement
the 275?

MR. QUINN: Or the adoption of 275s. In other words, you know, what I am
seeing in the payer industry is that the forward moving payer — and the others
will follow — are recognizing that 275 gives them access to clinical
information. It is pretty open right now as to how they define what it is they
need for the purposes of reimbursement. Whether we like it or not — and I
think there is probably some significant medical industry politics that will
come into this. The 275 causes two things to happen. It causes the payer to
actually start using structured clinical information. It causes the provider
that wants to eliminate their overhead of providing attachments in their
hospitals, which is primarily where we see attachments used today, causes them
to start looking for solutions as to how do they use this automated process so
that what will easily end up being an uptake in payer demand, in fact is met
with automated response as opposed to manual response.

So, you actually have some key leverage monetary forces in play there that
could actually be used to the advantage of moving us along and moving us along
to a point where we find a good business reason that people would want to use
today for using structured clinical information.

DR. DETMER: Yes, I guess I would add to that. It is interesting. I think
the piece that came out of the Interoperability Commission’s work that I think
was really probably the most exciting. I had the privilege of being on that
group was the e-prescribing piece. I mentioned it when I made my comment to
Mike Fitzmaurice. I think that, in fact, that might play nicely to this value
thing I am talking about, too, is take on e-prescribing as the poster child.
One of the things — but look at it as well at the same time you are tracking
along on the value proposition side, too, so that you are starting to leverage
actually efficiencies and so forth as part of this. Because that is how also at
some point that is how you should get buy in from even Federal Government, as
far as that goes, to start seeing this as an investment that is sensible to

But I guess the thing I like because it is also the point John made
earlier, the pharmaceuticals are very outpatient and, in fact, as health care
gets more and more powerful and more effective, it moves out of the hospital
and it increasingly is moved into the ambulatory outside and if you, in fact,
get more of these integrated linked computer-based records like he is talking
about at Cleveland Clinic and so forth, that puts the patient into play in this
thing, too, and it gives you a chance to really reinvent really the way you
look at delivering information and care.

So, I see a lot of ways in which actually taking an e-prescribing piece and
teasing that out as sort of the thing you are going to work on as your stalking
horse, if you will, for creating some of these changed regs and such moving
forward might be a good way to put together some things on a variety of these
and I think the commission’s study could be a nice piece to help you get into

Bill Stead(?) and Martin Harris and others actually would be, I think, very
useful people to come up and talk to you about how might you then try to link
that to some of what you do have authority to move on.

DR. COHN: Steve.

DR. STEINDEL: Thank you. Thank you for the two very thoughtful pieces. I
don’t know if this is going to be a question or more of a comment that you
might be able to react to. But, Don, I was really, really — the more I thought
about it and the more you answered some of the questions, was very impressed
with the idea of introducing the concept of value and starting to talk about
things about how valuable it is for the health care system because this country
really is driven on creating new value. It is our market-based economy and
investing in the ability to create that new value and taking risks in creating
that new value and if we can show directions that this is valuable, it might be
very useful.

I bring that as — say that a little bit because I take issue on John’s
statement. You know, that interoperability will happen when everybody is using
the same standard. We have been saying that for I don’t know how many years
now. We have made no progress in it and I think the better way to say that is
interoperability will happen when people see value in it and that is going to
create the need for people to exchange the information in a manner that they
can use the information and derive value and benefit from it.

I know this is a — you know, just picking up on Don’s concept and carrying
it forward, you know, you asked me what is the value of my sending my health
information from the small cadre of health care providers I work with in
Atlanta to somebody on the West Coast when I have no real reason to do that, I
don’t see any value in it. Until we can convince people that there is value in
it, people on the West Coast and people on the East Coast may or may not use
the same standards.

The NHIN right now, I don’t think is value oriented and I think it is very
important — I think Don brought up a very good area for us to start thinking

— to start exploring. We have now expanded NCVHS to have some health
economists on it, people who are discussing this, who bring up at everyone of
our meetings, you know, what is the economic impact of this. So, I think you
have led us in a very interesting area to start talking about and thinking

I really appreciate it. John, I do have a specific question. This is in
reaction to your comments to Jeff. When you say the 275 — and Karen has walked
out of the room — just walked back in — good — I would like to pin you down
on what you mean by the 275 because I gather you are using a colloquially as a
way to wrap a message containing clinical information and not necessarily the
circumscribed set of 275s that HIPAA is talking about at this point in time.

Furthermore, you are even more circumscribing that because the present
claims attachment allows two forms. One is a human readable form and the other
is a structured data form, that you are really talking about the 275 and
structured data form. My comment on that is I think it is going to take us as
long to get to that as to any other form of interoperability that we are
talking about. But one reason that may drive it faster is the point that you
made in that the insurance industry, the claims industry will see value in it.
So, they might push it faster. So, it is going hand in hand. So, my idea of
what you were meaning by the 275 was correct. And it is not necessarily
circumscribed to just the HIPAA —

MR. QUINN: Specifically I am talking about attachments in the generic
sense, the way it was originally claims attachments. In reality it is
attachments for both authorization for referrals as well as claims. The actual
number of documents that CMS has effectively imbedded in that standard right
now is actually almost over a hundred in six different types. There are really
actually four different variations of flavor from the extreme human readable
form to the extreme structured one. Obviously, what the payers are most
interested is the extreme structured one. A number of the payers I have talked
to are — one of them, very large, national payer — this was two years ago —
at that time I was sitting down having lunch at a conference and here is a CTO
with his organization and I said, well, you know — of course, we were in the
infinite hold period at that point of HL7 wondering how many times are we going
to rewrite this before CMS was ever going to publish the first NPRM on this.
And I explained to him the gamut of the spectrum of things that would be

You know, what I really expected because I had heard from other payers that
there was almost white ashen, a horrified look on their faces. You know, what
are we going to do with structured clinical data. We don’t have any way of
dealing with it. This particular CTO looked at me and said terrific and I said
really. I said that is the first time I have heard that reaction. He said we
just put in this huge XML backbone amongst all of our systems and we were
hoping that we would eventually have a point to actually use that inside of our
environment for auto adjudication of in their case claims and authorizations
for referrals.

So, you know, in reality, yes. This is the payer saying we have value. We
will make it easier for you. We will give you providers financial inducement to
bring your systems to the point where you can give us the value we see.

DR. STEINDEL: You know, I think this was what I was getting at was there is
really a tremendous amount of synergy in what the two of you were saying when
you get really down to the bottom line. Thank you.

DR. DETMER: I would almost say that the American mindset is such that we
may get ultimately to solidarity by concluding it is in value terms that we are
nuts not to. Health care in some of these areas is so darn effective and
efficient that it is a collective. We are being stupid not to do it as well as
whether we just believe in it as a sensible thing to do.

DR. COHN: We have three last people for questions, Stan, Harry and Judy.
Then I want to talk about whether or not we should take a break and finish off
or whether we just sort of work right through.

Be aware that there is a letter we still have to deal with before we


DR. HUFF: One of the promising activities that I have seen is one that has
been championed actually by the VA and others and that is the idea of producing
standard APIs as opposed to standard messaging, which has the advantage then of
sort of decoupling, if you will, sort of the data store from application
development. It means that if you could really realize that vision, you
wouldn’t have to develop new applications in every vendor’s system, but in fact
you would see now a focus on, you know, very small groups of people producing
exquisite, you know, TPN ordering applications or some other application and
not having to worry about necessarily the terminology infrastructure, the
database infrastructure and all of those kind of things.

That seems like a promising way to go forward. I would like to get your
perspective on that. Just one more additional comment is if you — for
instance, we have been talking — it just occurred to me that we have been
talking about role-based access and other things. I mean, you could actually
ask the question if we had role-based access in place and we had this kind of
API for the services in place, you would ask the question why do I even
transfer the data to the insurance company. Why don’t I just allow them access
through APIs that restrict them to the data that they are allowed to see and
they examine it in place so it doesn’t move anywhere?

So, your thoughts on that kind of a world?

MR. QUINN: We look at the NSA Spine and I know in the HL7 board meeting
last — that I wasn’t at, the NHS came to talk about XML, ITS and APE and the
questions of alternative ways of communicating besides what appears to be some
extremely high overhead XML messages.

You know, strangely enough in the procurement process for the current NHS
program back in 2003, the testing of your ability to do the HL7 Version 3
interactions with the Spine was through an NHS provided set of APIs. We
actually didn’t produce the XML messages.

Your access to Arbac(?) is actually — you are looking at more of what you
are talking about. There is no reason why we — in this day and age with
service oriented architectures the way they layer out things that we actually
have to talk about sending verbose messages. We can communicate between
programs much as I would call being pretty old school here, subroutine calls in
that fashion.

So, no, there is no reason why we have to do it the way we have done it in
the past. We don’t use 9,600 baud A sink(?) anymore and we don’t have to
necessarily format actual messages.

DR. DETMER: I do think that the U.K. because of their investment they are
putting into this is going to make sure they don’t get isolated globally on
that. The U.S. is a big thing out here. I do think there is a possibility of
the VA and actually talked and worked with the U.K. on some of those things.
You get a more throw weight than you do just trying to do it at the VA or the
U.S. kind of market, too, just because you have got more mass there. They are
pregnant with this and they are going to have the baby and it is going to live
because they made the decision. We are going to be in a back fill situation
increasingly going forward if we in fact don’t figure out ways to plug into
that, in my view.

DR. COHN: Harry.

MR. REYNOLDS: Excellent job.

The question I have is I like the idea of bringing the discussion into the
social solidarity and the individual autonomy. What characteristics can remain
in each column and us still be successful? Because obviously as you were
mentioning in the U.K. it went all the way pretty much to the left side, which
is social solidarity. Right now as we saw with HMOs in this country, that
really weren’t equally successful all over the place because people said I want
to go to who I want go to.

What are the characteristics that line up in each of those that have to be
there for us to be successful, keeping in mind some of the things that people
want in the United States?

DR. DETMER: I am not sure I got the absolute drift of your question, but I
will make a comment that I think probably will resonate a little bit with
John’s experience because he spent about four and a half years in Cambridge.

I think the most fascinating thing is how this even gets to the point of
open discussion in a way has been that European Union crunching against U.K.
law and how, in fact, some of these sorts of things then become even an issue
that you start thinking about because suddenly it is against a much bigger
denominator than you thought about it and they start talking about this
individual citizen rights of the European Union citizen vis-a-vis obviously the
way the U.K.’s sort of run their thing. Keep in mind, the U.K. generally, if
you are walking down the street and something looks interesting, the next thing
you know, eight Brits have formed a queue and about ten minutes later ask what
they are standing there for. They have a propensity to be willing to sort of,
you know, line up that we are sort of like popcorn without the lid on, you

So, some of this is culture and such. I don’t know how much of this
actually can cross over, but I will have to say it is fascinating. There have
been some really interesting debates in the House of Lords, for example, on
getting access to say data for research purposes, for example. They do see that
there are, in fact, social goods that transcend privacy. They just believe
that. They just really believe it.

So, to some extent, I think it is an interesting sort of thing that is
somewhat cultural. I don’t know if I have really responded to your point, but I
have made some comments.

MR. REYNOLDS: Again, we are getting ready to discuss what we should do
next. I was just interested in what you thought.

MR. QUINN: What Don said about the EU being actually steering the U.K. at
this point, 2003, riding on the train, reading The Times, interesting case. The
British courts found in favor of a woman, who had gone to France to get a hip
replacement. Now, hip replacement is one of those notorious whipping boys of
whether the NHS doesn’t perform and, you know, you get horror tales of 18 month
wait times, at least you did a few years ago. They say it is better now for hip
replacement, which is effectively you will never walk again because if you
spend 18 months in a wheelchair, you won’t have any muscle mass left to use the
new joint when you get it.

She had gone to France and got it done and then when she came back to the
U.K. she presented the NHS with the bill. The NHS refused to pay it. She took
them to British court. British court found in her favor based on European Union
law that she was entitled to reasonable health care in a reasonable period of
time and 18 months wasn’t a reasonable period of time. The NHS was forced to
pay. Conversely, if she had actually gone over to Canada, let’s say, which you
might think of as a closer aligned environment being part of the commonwealth
or South Africa, she would have actually had to pay the bill herself on this
basis of law.

So, it was interesting and it really put the pressure on the NHS to figure
out how to solve — in effect, you know, the cynics amongst us would say that
is how they control access to health care.

DR. DETMER: It is interesting if you look at it from a value proposition,
keeping her mobile with a hip replacement is a cost, frankly is a good ROI. So,
it is fascinating, where some of these things have been ways of looking at
rationing and now that the National Institute for Clinical Excellence in the
U.K. has come into place to supposedly start looking at what, in fact, does
clinical excellence mean in terms of I think both quality and value, you start
coming up with some very interesting issues and you look at it a little
differently and you may find in effect you are rationing the wrong way.

DR. COHN: Judy, final question.

MS. WARREN: It is mainly for you, Don. In your presentation, you made a
suggestion that we add some working groups to NCVHS, one around research and
one around education. Currently, we have three subcommittees and two working
groups. Are you suggesting that we do this in addition to what we have or are
you — can you make some recommendations how we might reconfigure?

DR. DETMER: Sure. Well, I guess my reflection, as I did look at the current
structure and working groups, was that they would allow you to talk about
something forever without necessarily having anything really say happen in
terms of a betterment of something. I guess — that is really a crude response
because I have probably my fingerprints on some of them. I know I did on the
NHII one. What I guess I am saying is I don’t know honestly the best way to
deal with that. I don’t see that the current headings particularly would
accommodate an R&D. I don’t think every single group should try to develop
an R&D agenda and every single group should try to develop an education and

So, from the near term it probably makes more sense to do these as ad hocs.
I wouldn’t make them standing for all time. You would probably want to pull
from each other. But as I said, having really put my foot in my mouth or shot
myself in the foot, whatever metaphor fits best, you know, I am not sure that
it wouldn’t be a good idea to look at some of the current name for some of the
— I don’t know if you read S. I. Hayakawa’s book, Language and Thought in
, but it was one of the great books of my thought.

You know, we live in the abstract — we think in the abstract but we live
in the concrete and he talks about directive language and it is interesting
that if you can use directive language, it will get people to do things just
because it sort of directs them to do things as a matter of how you talk about
it. So, to some extent if you can — as opposed to just something that is just
a flat term, it may be very descriptive, but it doesn’t make you kind of go
anywhere. You could sit there forever.

I am not saying that I know — again, it is your task. That is what is kind
of fun about this. I can waltz in and waltz out at this point, but I appreciate
your question and it clearly engages me because this is a hugely important
group and I want you to succeed because I have a vested interest in your
succeeding, whether it is right or not.

DR. COHN: Judy, thanks. That was a great last question.

Don and John, thank you both very much for sort of your thoughtful comments
and insights and I know the full committee had a great pleasure sort of talking
to you and sort of quizzing you both about sort of pushing the envelope a
little bit. So, I really want to thank you both very much.

Now, let me ask the rest of the committee. It is now 12:45. We have one
action item left. We reconvene in the retreat I believe at 2 o’clock. How would
you like to handle the next hour and 15 minutes. Shall we plow through? Okay.

John Paul.

MR. HOUSTON: I maybe wrongfully thought that the retreat was at the hotel.
Is that not the case?

DR. COHN: So, we are going to work through right now. We have Maria with
the letter on the HIPAA letter and then we will finish up hopefully in the next
couple of minutes and give everybody a chance for some lunch.

Maria, please.

MS. FRIEDMAN: There are two kinds of changes in this. One was kind of just
in general, clean up, and then the other it was in response to specific

In the first paragraph here we added administration simplifications of the
Health Insurance Portability and Accountability Act in response to a request
from yesterday to kind of tee it up better for the reader.

Observation 1, we have added several things in response to requests. It now
reads “HIPAA implementation has taken longer than anticipated in the HIPAA

That was in response to a request for some kind of benchmark. You know, it
has taken longer than what, from what, from when? The causes for this are
numerous and we added a footnote there, which because there was a request for
detail and the response to addressing that was to add a footnote to reference
the numerous reports to Congress on HIPAA implementation. So, that is in the
footnote and the web site is given for that as well.

Also in Observation 1, we realized we hadn’t spelled out electronic data
interchange. So, we did that. Those clean up kind of things.

Moving right along, Recommendation 1.1, we added, “And federal
standards initiatives,” in the last sentence. So, it now reads, “Such
findings would be useful for other HIPAA implementations and federal standards
initiatives in the future.”

Observation 2, we did some clean up and wordsmithing. We revised the second
sentence in response to the discussion about versioning and what HIPAA actually
requires with respect to that. So, the sentence — and we actually broke that
original sentence into two and added some stuff. So, the sentences now read,
“The HIPAA final rule requires covered entities to use a particular
version of a standard without modification. It does not permit voluntary
adoption of new versions; in contrast, this is permitted under the electronic
prescribing rule.”

Then in the next sentence, we added a couple of things in response to
discussion. It now reads, “The HIPAA rulemaking process has taken several
years in issuance of an NPRM implementation.”

MR. REYNOLDS: John, are you okay with that previous sentence?

MR. HOUSTON: Yes, it is fine.

MS. FRIEDMAN: Then we just cleaned up on the verbiage around SDOs.

We are down to Recommendation 2.1 in the bullets about the exploration of
HIPAA updates and all. So, the first bullet now reads, “An indepth review
of the applicable statutory and regulatory requirement; a comprehensive
exploration of permissible options; and a determination as to whether
legislative changes to HIPAA should be initiated.” We wanted to qualify
all that.

DR. FITZMAURICE: Maria, there should be a space between
“applicable” and “statutory.” It doesn’t show up on yours
but it —

MS. FRIEDMAN: Yes, we will clean this all up because the track changes are
messy and they don’t print well. We will make sure that is fixed in the final

Recommendation 2.3, we added something to the last sentence.
“Alignment of the timing of changes and updates to the code sets would
allow the industry to coordinate and cast an implement on the more orderly
schedule and reduce rejected claims.” We added that because we wanted to
make it clear that these were timing issues.

Recommendation 3.2, we did just some minor clean up there on some of the
verbiage and we also added vendors to the list of participants in the CAQH

The last two we changed the “musts” to “shoulds” in
Recommendations 3.4 and 3.5. And that is it.

DR. TANG: I move acceptance of the letter.

MR. HOUSTON: Second.

DR. COHN: Any discussion?

All in favor?

[There was a chorus of “ayes.”]


[There was no response.]


[There was no response.]

The letter passes.

So, basically it is now 12:55. I want to thank you all for hanging in
there. I think we do realize and I commented early on that this is a very full
agenda. We will now adjourn and reconvene at 2 o’clock for a strategic planning
retreat at the Watergate Hotel.

[Whereupon, at 12:55 p.m., the meeting was concluded.]