[This Transcript is Unedited]



Subcommittee on Privacy and Confidentiality

Hearings on Privacy and Health Information Technology

June 7, 2005

Hubert H. Humphrey Building
200 Independence Avenue, SW
Washington, D.C. 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091


  • Introductions and Opening Remarks – Mark Rothstein, J.D., Chair
  • Panel I – Integrated Health Systems
    • Lehigh Valley Hospital and Health Network, Allentown, PA – Harry Lukens, Senior Vice President and Chief Information Officer
    • Winona Health, Winona, MN – Kathleen Lanik, Chief Health Information Management Officer
    • Veterans Health Administration – David McDaniel, Deputy Director of Business Development for HIPAA
  • Panel II – Health Systems
    • Availity, Inc. (Florida BC/BS-Humana Partnership) – Jon McBride, Chief Technology Officer
    • Aetna Health Information Solutions – Paul T. Sheils, J.D., President and CEO
  • Panel III – International Health Systems
    • Canada – Michael Sheridan, Chief Operating Officer, Canada Health Infoway
    • United Kingdom – Don E. Detmer, M.D., President and CEO, American Medical Informatics Association
  • Panel IV – Regional Health Information Organizations
    • Secure Architecture For Exchanging Health Information(SAFE Health), Worcester, MA – Lawrence Garber, M.D., Associate Medical Director for Informatics, Fallon Clinic, Worcester, MA
    • Primary Care Coalition of Montgomery County, MD – Thomas L. Lewis, M.D., Chief Information Officer, Center for Community-Based Health Informatics
    • Utah Health Information Network – Jan Root, Ph.D., Chief Privacy Officer
  • Australian Health Information Systems – Brian Richards, Jeanine Ward

P R O C E E D I N G S (9:10 a.m.)

Agenda Item: Introductions and Opening Remarks

DR. ROTHSTEIN: Good morning. My name is Mark Rothstein. I am the Director
of the Institute for Bioethics, Health Policy and Law at the University of
Louisville, School of Medicine, and Chair of the Subcommittee on Privacy and
Confidentiality of the National Committee on Vital and Health Statistics.

The NCVHS is a federal advisory committee consisting of private citizens
that makes recommendations to the Secretary of HHS on matters of
health-information policy.

On behalf of the subcommittee and staff, I want to welcome you to
today’s hearings on the National Health Information Network.

We are being broadcast live over the internet, and I want to welcome our
internet listeners as well.

We will begin with introductions of the members of the subcommittee, staff,
witnesses and guests. Subcommittee members should disclose any conflicts of
interest. Others need not do so.

I will begin by noting that I have no conflicts of interest on this topic.

Harry, welcome back.

MR.REYNOLDS: Thank you.

Harry Reynolds, Blue Cross and Blue Shield of North Carolina, member of the
subcommittee. No conflicts.

MS. CHAPPER: Amy Chapper, staff to the subcommittee. CMS.

DR. VIGILANTE: Kevin Vigilante, Booz-Allen, Hamilton. No conflicts.

MS. FYFFE: Kathleen Fyffe. I work for the Office of the National
Coordinator for Health Information Technology within HHS, and I am staff to
this subcommittee.

MR. MC DANIEL: David McDaniel from the Department of Veterans Affairs,
Veterans Health Administration, HIPAA Program Management Office.

MS. LANIK: Kathleen Lanik, Winona Health, Winona, Minnesota, Chief Health
Information Management Officer.

MS. WATTENBERG: Sarah Wattenberg, staff from Substance Abuse Mental Health
Services Administration and the Center for Substance Abuse Treatment.

MR. HOUSTON: John Houston, member of the committee as well as the
subcommittee. I have no conflicts.

MS. BERNSTEIN: I’m Maya Bernstein. I work in the Office of the
Assistant Secretary for Planning and Evaluation. I’m the privacy advocate
of the department and the lead staff to this subcommittee.

MS. FISH-EDDY: Linda Fish-Eddy(?), Veterans Health Administration.

MR. SHEILS: Paul Sheils, Aetna Health Information Solutions.

MS. IVENO: Charlie Iveno(?), Aetna.

MS. MATTHEWS: Aaron Matthews(?), American Society of Clinical Oncology.

MR. BARKLE: Mark Barkle(?), Academy of Managed Care Pharmacy.

MR. CHARNER: Sam Charner, Faster Cares(?).

MS. KIRBY: Pamela Kirby, American Association of Nurse Anesthetists.

MR. GILE: Frank Gile(?), American Dental Association.

MS. FRANKLIN: Angela Franklin, Blue Cross, Blue Shield Association.

MS. LENIN: Ann Lenin, the Society of Professional Benefit Administrators.

MR. GROPPER: Adrian Gropper(?). Med Commons(?).

MR. MC BRIDE: Jon McBride, Availity.

MS. ZIGMAN-LUKE: Marilyn Zigman-Luke(?), America’s Health Insurance

DR. ROTHSTEIN: Welcome to all of you.

This afternoon, from 3:45 to 4:15, members of the public may testify for up
to five minutes on issues related to the topic of today’s hearing. Please
note that there will be no public testimony tomorrow. If you want to testify,
please sign up at the registration table.

Invited witnesses have been asked to limit their remarks to 15 minutes.
After all of the witnesses on a panel have testified, then we will have our
question-and-discussion session.

Witnesses may submit additional written testimony to Marietta Squire within
two weeks of the hearing.

At this time, I would request that witnesses and guests turn off their cell
phones and other electronic devices that could interrupt the hearing.

Also, because we are being broadcast over the internet and recorded for
transcription, we need to remember to speak clearly and into the microphones.

The hearings today and tomorrow are the third in a series of hearings on
the National Health Information Network held by this subcommittee.

At the first round of hearings in Washington on February 23rd
and 24th of this year, we heard from experts on privacy and
confidentiality as well as representatives of consumer organizations. These
individuals explored the privacy and confidentiality issues raised by creating
an interoperable system of comprehensive, longitudinal electronic health

At the second round of hearings in Chicago on March 30th and
31st, we heard from a range of healthcare providers to get their
perspectives on these important issues.

At this third round of hearings, we will hear from representatives of and
experts on integrated health systems, health plans, international health
systems and regional health information organizations.

A fourth round of hearings is scheduled for August in San Francisco when we
will hear from technical experts on health information network design.

Additional details about this hearing will be published in the Federal
Register and on our website as soon as they have been finalized.

To introduce the topic of today’s hearing, let me briefly note that
one of the anticipated benefits of a national health information network is
that it will facilitate the increased use of evidence-based medicine. This is
certainly a laudable goal, and, in this spirit, I would ask the following

What is the evidence that developing the National Health Information
Network will increase the use of evidence-based medicine?

What is the evidence that the National Health Information Network will
reduce errors, increase access to health records, reduce costs and improve
efficiency as its supporters claim?

How can these benefits be maximized?

In addition, how have existing health-information networks undertaken to
balance the privacy and confidentiality interests of individuals with the
clinical and public health interests in broader disclosure of health

Let me clarify that this hearing is not intended to focus on the security
of electronic health records, but on the rules for inclusion, retention and
dissemination of health information for healthcare purposes, as well as
disclosure to third parties for non-healthcare purposes pursuant to an

These are some of the issues we hope and expect that today’s and
tomorrow’s witnesses will address. These are difficult, but essential
questions as we move forward with the National Health Information Network.

Agenda Item: Panel I – Integrated Health

DR. ROTHSTEIN: At this time, I want to welcome Panel I on integrated health

We have two witnesses in person and we also have a virtual witness, Mr.
Harry Lukens from Lehigh Valley Hospital and Health Network.

Mr. Lukens, are you with us?

MR. LUKENS: Yes, I am.

DR. ROTHSTEIN: Good morning, and let me ask you to begin the testimony

MR. LUKENS: Thank you.

My name is Harry Lukens. I am the Senior Vice President and Chief
Information Officer at Lehigh Valley Hospital, which is in Allentown,
Pennsylvania. We serve Allentown, Easton and the Bethlehem area, known as
Lehigh Valley.

We are an acute-care hospital. We are about 800 beds, 1,100 physicians,
43,000 admissions, 100,000 ED(?) cases.

From a technology standpoint, we are one of just 38 hospitals named to
America’s top hospitals and most wireless(?). >From a nursing
perspective, we are a magnet hospital. We are a Level 1 trauma care, and, just
yesterday, we were awarded the 2005 American business award for best IS
organization. That is a bit of chest thumping, but I am really proud of that.

The points I would like to make today about the electronic medical record
is, first of all, it is the right thing to do. It is the right thing to do for
patients. It is the right thing to do for us.

I want to tell you a personal story. Two years ago, I had a heart attack
and was brought into our emergency room here at Lehigh Valley. The physicians
in the emergency room did not know who my cardiologist was nor did they have
access to those records.

After being – released, my cardiologist did not have access to the ED
records. So there is a case in point, a very personal case, where the lack of
patient information could have caused a clinical issue. It did not.

Our vision here – actually, my vision is that we provide an electronic
medical record for all of our physicians, all 1,100 docs, where they would
share clinical data, selected data elements agreed upon by the physicians and
only the clinical data elements. We are not interested in sharing patient
financial information or, to a certain extent, demographic information. The
system is hosted by LVH(?). It is accessible by the physicians locally,
remotely and, by the end of June, through the web.

It is our goal to have 250 physicians on line by the end of December and
another 250 by the end of December ‘06.

From that, Phase 2 is to begin discussions with local – other local
institutions. Our long-term goal is to create an electronic medical record for
residents of the Lehigh Valley. The purpose of that would be that if any
patient in the valley who sees a physician in any of the institutions, that
clinical information would be available to any other physician, so that if a
Lehigh Valley patient presents in the St. Luke’s ED here, those docs in
the ED will have access to that information. Again, it is the right thing to

We have been doing an electronic medical record here since 2002. WE have
gotten over the interfacing issue, because I see that as one of the biggest
problems in deploying an electronic medical record. That system has to talk to
other systems, lab systems, radiology systems, hospital-information systems,
and the data has to be two way. That takes some time to do.

Other obstacles, in my opinion, is the culture. Physicians are not easily
convinced to share their patient data. While patient care is foremost in their
minds, they are also businessmen, and to share all of the data about their
patients could lead to losing patients to other physicians. Physicians are
always concerned about not getting their patients back to them when they are
referred somewhere. So the culture issue is a big one.

Another one is cost. There’s capital cost in acquiring systems –
hardware, software – and it is not only one-time costs for capital, it is
ongoing support issues.

We have overcome that somewhat by hosting the EMR here at the hospital IS
shop so that the physicians don’t have to acquire themselves or support
it. We do that and bill that cost back to them.

The National Health Service in the UK has budgeted $6.2 billion to fund an
electronic medical record for the UK. We have not come anywhere close to even
thinking about anything that starts with a B.

To answer your question, will an electronic medical record prevent errors?
I believe it will, because your allergies and your medications and any other
pertinent information that you may have forgotten to tell another doc will be
available to that physician.

The system that we built here provides immature, if you will, decision
support saying to the physician, Do you know this patient is on an
antidepressant and you are prescribing something that could interact with that,
that was the first thing we put in place. I say immature, because we continue
to work on it.

To answer your question about cost, will it lower cost, not in the short
term, because you are going to drive the physician’s productivity down,
because – as he learns to use this.

Long term, however, I believe that productivity will come back, and,
because of the ability to look at a patient’s record longitudinally, we
should be able to reduce unnecessary tests, tests that the doc doesn’t
know about, and, perhaps, admissions.

Our goal is to be able to do predictive medicine. As we get more and more
docs and more and more patients in this database, we will be able to do the
research on disease management for the Lehigh Valley. We should be able to see
how many 50-year-old men who are overweight and not taking aspirin are at risk
for something. Those are the things we can do that will reduce the costs,
because they will reduce testing.

Thank you for listening to me.

DR. ROTHSTEIN: Thank you very much, Mr. Lukens, and if you can stay with
us, we’ll have questions for you during the panel discussion after our two
witnesses who are present. Is that okay?

MR. LUKENS: That’s fine. Thank you very much.

DR. ROTHSTEIN: Thank you.

At that time, I want to recognize Paul Tang, a member of the subcommittee
who has arrived, and, Paul, could you introduce yourself and list any possible

DR. TANG: Sure. Paul Tang, Palo Alto Medical Foundation Center Health,
member of the subcommittee and no conflict.

DR. ROTHSTEIN: Thank you.

And good morning, Ms. Lanik. If you are ready, we are happy to hear from

MS. LANIK: Well, good morning. It is a pleasure to be here this morning to
testify on behalf of Winona Health in Winona, Minnesota, regarding our
transition to an electronic medical record with a focus on privacy and

Winona Health’s journey to a paperless system continues, and it is
exciting, challenging and rewarding.

Winona Health is a non-profit community-owned, integrated healthcare system
with a 111-year tradition of serving the Winona regional community.

Our services address the full spectrum of the community, the
community’s primary healthcare needs from birth through end of life. These
services are provided in a primary-care hospital, physician clinics,
assisted-living communities, a skilled nursing home and through home-care and
hospice services.

Winona Health includes a 99-bed general acute hospital, a 166-bed skilled
nursing facility and a medical office building, two memory-care residences, a
61-unit assisted-living complex two miles from the main campus in Winona and a
primary-care physician clinic located in Rushford, Minnesota, which is about 20
minutes from Winona.

Winona Health’s vision is to create an exceptional healthcare
organization designed to meet the current and emerging healthcare needs of our
community, and as our mission states, Winona Health is devoted to improving the
health and well being of our family, friends and neighbors.

To that end, one of Winona Health’s key initiatives was a major change
in Winona Health Services, the use and continued development of a
community-wide, integrated electronic medical record.

Our journey began in 2000. So we are five years into – almost five years
into this now.

Winona Health made major resource commitments to ensure that technology was
available to empower staff to access information, align processes and take
action to improve performance at the highest possible levels.

Winona Health’s goal for the onset for integrated electronic medical
record was to connect healthcare providers in the Winona area with a single
system that allowed them to share patient information in a secure setting to
increase the quality and safety of care provided to our patients and to improve
operational efficiencies.

It was a vision by our area physicians and our hospital to have all the
information about our patients in the same database. A single electronic
medical-record database would then be accessible wherever the patient would be
and would move with them through the healthcare system.

Winona Health, working with Cerner(?), a healthcare software company,
Family Medicine of Winona, an independent clinic, and Winona Clinic, another
independent clinic, began making this vision a reality, as I said, beginning in

In February of 2002, family medicine and Winona Health’s Rushford
Clinic were piloting the integrated electronic medical-record software. A year
later, our hospital went live with the medical-record software, and the Winona
Clinic implemented the software in the spring of 2004. So, now, our Winona-area
patients’ medical records are accessible to healthcare providers
throughout the community.

Our mission, from the onset, was to find a way to accomplish these goals
without jeopardizing the patient’s right to privacy and to be compliant
with privacy regulations, both state and federal. The question we had was how
do three independent entities share the same integrated clinical information
system and satisfy those state and federal privacy regulations.

We declared to the community that three independent entities would function
as a single organization for the purpose of maintaining an electronic medical
record. We developed a joint Notice-of-Privacy Practices. We evaluated model
documents from the American Hospital Association and the Minnesota Hospital
Association and presented our recommendations to our Information Technology
Steering Committee. We created that joint document after, of course, obtaining
legal counsel from our Winona Health attorneys who specialize in HIPAA
regulations and Minnesota law.

We wanted to connect the appropriate persons, knowledge and resources at
the appropriate time and location to achieve the optimum health outcome for our

To ensure privacy among providers, we work together – all of the
entities – to develop and deploy a single privacy compact across the community.
Specifically, privacy was addressed by granting privileges to view and update
information based on a staff person’s role in the organization. Audit
trails were developed and processes were designed to perform those audits.
Winona Health policies were updated and they are aligned with the other
entities, and they corresponded with the flow and availability of information
and consequences were clearly articulated for violation of privacy standards
among all entities.

All staff are oriented on privacy and confidentiality policies and
procedures, of course, but regular audits are a mainstay of all system users.

Firewalls and fire scanning systems are in place, and users entering
patient information have their own secure log in and have access only to the
information they need to do their jobs.

As I said, at Winona Health, confidentiality – or Winona confidentiality
policy was created using Community Memorial Hospital, Lake Winona Manor, our
long-term care, Rushford Clinic, Winona Clinic and Family Medicine to provide
private information – to protect the privacy of the information. This policy
includes a statement that is signed from everyone from volunteers to
physicians, students, staff. We have privacy officers for each entity, and that
is outlined in our notice. The privacy officers from all entities meet weekly,
communicate via email or phone, and, starting in July, we’ll be meeting
actually on a monthly basis with all the privacy officers.

The results of our audits that we conduct are reported to our governing

Dr. William Davis is our medical director for health information
technology, and he sent a quote along for me to share today.

Electronic medical records are the ideal records for privacy and security,
unlike paper records that can be accessed by anyone and easily misplaced or
stolen. Electronic records are protected by user names and passwords and access
to the record can be monitored and audited. Access to the records can be
restricted by department or by classes of users. For example, access to
mental-health records can be restricted to only physicians or to mental-health
treatment professionals. When physicians access the records from remote
locations, such as from home, two separate user names and passwords are
required for access. Patients can feel very secure with electronic records.

The integrated electronic medical record is improving the quality of care
that we provide to our patients. Because of its instantaneous documentation and
accessibility to the patient information, information that clinicians need is
at the point of care.

Another quote from one of our physicians said it is right there. It is hard
to beat that, and electronic prescribing is a huge advantage. All patient
medications are listed on the record. The interactions are documented and it
avoids errors.

Our integrated electronic medical record means better healthcare services
for Winona-area residents entering our emergency department. After a quick
registration, all information entered from previous clinic, hospital and
outpatient visits automatically is displayed on our ED computers, from
allergies and medications to lab results. So our emergency department staff
know they have access to a patient’s most recent health data allowing them
to determine any change in the patient’s health status.

As Dr. Davis also noted, the electronic medical record allows us to get the
most current patient information anywhere, any time.

The Winona health organization has several committees that evaluate and
provide recommendations to our information technology steering committee
regarding updates and purchases. They are instrumental in communicating the
changes that will occur for users.

We have a satisfaction survey, of course, to our patients and residents and
we continually ask them about our privacy in our satisfaction survey results,
and when we utilize Presgane(?) for our satisfaction survey results, we came in
number one to our peer group on privacy from our patients and residents.

Our information steering committee receives input from our patient IT
steering committee, information systems department, health information
management department, and on the patient care IT committee and the IT steering
committee, all entities are represented. They are included in our privacy

We have experienced better working relationships with our area clinics. It
has provided better insight to each other’s needs. We now think about the
entire care continuum and decide on best practices based on that. We shared
educational sessions with each other as well as policies and procedures.

Our clinical information systems is allowing us for better registration
process, for recording our patients’ wishes.

We anticipated that the physicians would not utilize the paperless system,
but were surprised to discover that they saw efficiency and value and have
embraced it and have created an evidence-based committee that is looking at, of
course, the computer physician order entry. This acceptance continues to move
the momentum forward to our goal of being totally paperless.

As we move from our current hybrid record to a paperless record – because
our legal record is partially electronic and partially paper at this time – we
continue to reorganize, restructure and reengineer our job functions. Each of
the process leaders for the particular functions had to submit a cost-benefit
analysis to our CEO and CFO as to the efficiencies that we are experiencing.

Every department has a dashboard that looks at performance improvement and
on there we are looking at efficiencies.

Our turnaround time for chart completion, which can be a safety issue, and,
of course, a continuity-of-care issue is at what we call gold standard. Last
two joint commission surveys had stated they had not seen turnaround time of
electronic records that efficient, and, of course, it has to do with the
electronic medical signature.

We currently are reviewing what is still paper, what is working and what is
not, and we are facilitating a way to migrate documents that are not electronic
to the electronic format. We are looking at a proposal for low-volume scanning.
We are very cautious to scan anything and everything. We are looking at what is
important to scan and, again, moving paper to electronic.

Winona Health benchmarks itself in IT using the Hospital and Health
Network’s most wired survey, and we were named the most wired for small
rural hospitals three consecutive years. Results from that survey are used to
create plans to keep Winona Health competitive.

We also received a patient safety improvement award in its innovation and
patient care from the Minnesota Hospital Association. We have just recently
applied to the Minnesota Quality Council, which uses the Malcolm Baldridge(?),
and we received the second level of recognition there, and, just recently, we
completed our national Malcolm Baldridge application.

SPEAKER: Explain what that is, because I don’t know if everybody

MS. LANIK: Oh, the Baldridge?


MS. LANIK: The Baldridge is a set of criteria, seven criteria that’s
used across the continuum to improve your organization. It is an award given by
the President of the United States every year, and in 1999, the Healthcare
Criteria were introduced along with education, and our Minnesota Council for
Quality uses the same criteria, the seven criteria, and we looked at – went to
our governing board to see if it would be possible to take a look at using our
resources to make application to the state level first and then to the national

The national Baldridge application is a lengthy process. It is a 50-page
application, and it takes a look at – as I said – seven criteria, everything
from how we handle our strategic planning and leadership to how we measure and
monitor for performance improvement, and the Minnesota Quality Council was
extremely impressed with how we handle our electronic medical record and made
many comments to that as well as did the joint commission, but the criteria is
stringent, but we are hoping for a good response.

Thank you very much.

DR. ROTHSTEIN: Thank you very much. Appreciate your comments.

For those of you who have our agenda, you’ll notice that Dr. Peter
Basch was scheduled now to testify, but he has been – he is unable to make this
morning’s meeting.

I also want to recognize Dr. Richard Harding, a member of the subcommittee
who has just come, and ask you, Richard, to identify yourself and indicate if
you have any conflicts.

DR. HARDING: I am Richard Harding and I am Chairman of Neuropsychiatry at
the University of South Carolina and a member of the committee and subcommittee
and have no conflicts in this situation.

DR. ROTHSTEIN: Thank you, Richard.

And, now, our next witness is Mr. David McDaniel from the Veterans Health
Administration. Welcome.

MR. MC DANIEL: Thank you, Dr. Rothstein. It is always good to see a fellow
Louisvillian here in Washington.

DR. ROTHSTEIN: Yes, indeed.

MR. MC DANIEL: Thank you folks for being here.

I also have a short clip, if time permits, I would like to share with you
that we put on the internet for our veterans that sort of outlines the benefits
of our electronic medical record, if we have time for that.

Again, my name is David McDaniel, and I am the Deputy Director of Business
Development and the operational lead of the HIPAA Program Management Office in
the Veterans Health Administration, one of three distinct organizations in the
Department of Veterans Affairs.

VA’s mission is to serve as a principal advocate for America’s
veterans and their families and to ensure that they receive the care, support
and recognition they earned by service to this nation.

VHA is charged with administration of the health programs of VA through an
annual budget of more than $27 billion. As such, VHA is the largest national
integrated healthcare system.

VA serves a patient population of more than five million veterans, employs
nearly 200,000 individuals and operates more than 1,300 sites of care,
including 162 hospitals, 850 community and facility-based clinics, 135 nursing
homes and domiciliaries and 206 readjustment centers.

We also are a major contributor to medical and scientific research and the
nation’s largest provider of graduate medical education.

My office, the VHA HIPAA Program Management Office, was established at the
direction of the Undersecretary for Health and is aligned within the chief
business office. We are responsible for ensuring that VHA complies with HIPAA
and providing guidance during the compliance process.

The HIPAA PMO assists offices in identifying current and future activities
and initiatives that may be affected by HIPAA regulations.

In addition to VHA status as the nation’s largest healthcare provider,
VHA is also, perhaps, the most scrutinized healthcare system in the United

We have established VHA as a model healthcare system characterized by
patient-centered, high-quality, high-value healthcare through adoption of
evidence-based practices, proactive approaches to patient safety and the use of
advanced technologies. VHA’s success in improving quality, safety and
value have allowed it to emerge as an increasingly recognized leader in
healthcare while increasing its customer satisfaction.

VHA did not undertake this transformation to polish our reputation, but to
create the best possible system of healthcare for our veterans. In doing so, we
have blazed a trail in the field of electronic healthcare records and
management. We believe that the adoption of this technology offers the
possibility of ever better healthcare. The need to improve on the delivery of
healthcare is always before us.

Among the alarming statistics concerning the healthcare industry today are
these: One in seven hospital admissions occurs because healthcare providers do
not have access to previous medical records. Twelve percent of physician orders
are not executed as written. Twenty percent of laboratory tests are requested
because previous results are not accessible. Ninety-eight thousand Americans
die each year from medical errors.

In VHA, we are proud of the advances we have taken in technology that help
to address some of these issues. VHA has had automated information systems in
its medical facilities since 1985. Beginning with the decentralized hospital
computer program information system, which included extensive clinical and
administrative capabilities, the Veterans Health Information Systems and
Technology Architecture, or VHISA, which also supported ambulatory and
inpatient care, delivered significant enhancements to the original system with
the release of the computerized patient record system or CPRS for clinicians in

CPRS provides a single interface for healthcare providers to review and
update a patient’s medical record and to place orders, including
medications, special procedures, X-rays, patient-care nursing orders, diets and
laboratory tests.

CPRS is flexible enough to be implemented in a wide variety of settings or
a broad spectrum of healthcare workers and provides a consistent event-driven
window-style interface.

CPRS organizes and presents all relevant data on a patient in a way that
directly supports clinical decision making. The comprehensive cover sheet
displays timely patient-centric information, including active problems,
allergies, current medications, recent laboratory results, vital signs,
hospitalization and outpatient clinical history. This information is displayed
immediately when a patient is selected and provides an accurate overview of the
patient’s current status before clinical interventions are ordered.

CPRS capabilities include a real-time order-checking system that alerts
clinicians during the ordering session that a possible problem could exist if
the order is proceeded, a notification system that immediately alerts
clinicians about clinically-significant events, a patient posting system
displayed on every CPRS screen that alerts clinicians to issues related
specifically to the patient including crisis notes, warnings, adverse reactions
and advance directives, the clinical reminder system that allows care givers to
track and improve preventive healthcare for patients and ensure timely clinical
interventions are initiated, remote data-view functionality that allows
clinicians to view a patient’s medical history from other VHA facilities
to ensure the clinician has access to all clinically-relevant data available at
VHA facilities.

VHISTA imaging is also operational at most VHA facilities. VHISTA imaging
integrates traditional medical-chart information with medical images, including
X-rays, ethology slides, video views, scanned documents, cardiology exam
results, dental images and similar visual data into the patient record.

On the medication side, bar-code medication administration addresses the
serious issue of inpatient medication errors by electronically validating and
documenting medications for inpatients. It ensures that the patient receives
the correct medication in the correct dose at the correct time and visually
alerts staff when the proper parameters are not met.

Health Vet Desktop is an application framework that will host the new
generation of VHA clinical applications. Care management is the first
application to run on this new Healthy Vet Desktop and is an enhanced version
of CPRS designed to assist healthcare providers in identifying clinical
interventions that might otherwise be missed.

Care management provides an automated method for tracking followup actions
and tasks for a panel of patients or for a designated period of time.

Implementation of the care management project will improve patient care by
ensuring that appropriate clinical interventions are provided on a timely
basis, ensuring that clinical notifications are processed on a timely basis,
reducing the amount of time primary-care providers spend reviewing individual
patient records and reducing the risk of erroneous data entry.

These technologies have shown their worth in the increased quality of care
in VHA, which compares favorably to the best performers in the industry in 18
performance-quality indicators in areas such as breast-cancer screening,
cholesterol screening, diabetes care and pneumococcal immunization.

At the same time, VHA has outscored the private sector in customer
satisfaction and ambulatory care, inpatient care and pharmacy services as well
as in the overall satisfaction scores.

VHA is proud of our accomplishments and we are working to share our
knowledge with others who hope to improve the availability and quality of
healthcare to all citizens.

However, as we move toward implementing electronic health records across
all of healthcare in the United States picks up speed, we are becoming more
aware that the impacts of these initiatives have on privacy and confidentiality
of health records as well as the impact that privacy laws and regulations are
having on the ability of healthcare providers to implement these strategies.

As someone who deals daily with the issues surrounding the privacy of
health records, I can tell you that the promise of a national health
information infrastructure remains a lofty and valued goal. Reaching that goal
will require a concentrated effort to overcome the hurdles to sharing
information both as a result of the many varied privacy laws with which we must
comply, and in the daunting task of finding a means of coordinating and
facilitating the progress toward that goal in an environment where everyone
brings an agenda to the table.

The internal development and implementation of electronic health records
and its component parts was not difficult for VHA as long as we were working
internally, but looking externally, even to a partner as close to us as the
Department of Defense, we began to encounter regulatory barriers to
accomplishing the mission that the President had set forth for us.

For example, the need to share medical records between VHA and DOD is
obvious. However, our efforts to streamline the sharing of data with DOD has
met with difficulty because of the various laws designed to protect the data
that each department holds and in the interpretations of those laws. Many of
the laws we must consider are common to each of our departments – the Privacy
Act and the HIPAA Privacy rule, for example – but each department has
interpreted those laws and even the guidance provided about those laws somewhat
differently. In addition, each department has its own privacy and
confidentiality laws and procedures that also must be reconciled.

This struggle to understand and apply privacy legislation in partnership
with other organizations is not unique to VHA and DOD. I anticipate that as a
broader population begins discussing how to make information-sharing a reality,
the same struggle to gain a common understanding of how to protect the privacy
of a patient’s information will be a paramount issue to overcome.

VHA is approached by private non-federal entities with an invitation to
participate in local or regional health-information organizations. This
benefits our veteran patients who may be receiving fee-basis care or care by
providers through private insurance by making healthcare information available
to all concerned providers for a more holistic approach.

VHA must reconcile federal laws with local or state laws regarding privacy,
particularly privacy of medical records in each state where we participate in
these organizations.

VHA has facilities in all 50 states as well as Puerto Rico, Guam and the
Philippines. We do not advocate the wholesale repudiation of any of our privacy
laws. VHA is firmly committed to protecting the privacy of our veterans’
records, but we realize that our ability to expand on the advancement scene in
the VHA healthcare system requires walking a fine line between protecting
privacy by limiting access to records and the disclosure necessary to enhance
the accessibility and quality of care.

The technology that would allow us to partner with other providers to
enhance care is available, but we haven’t overcome the legal hurdles
necessary to allow us to effectively share the data.

We look forward to a United States healthcare arena where this balance can
be found where a patient’s rights to protect his individual identifiable
health information and the healthcare provider’s ability to know all of
the necessary information to provide high quality, well-informed care can

On behalf of VHA, I thank you for the opportunity to share our experience
with you.

DR. ROTHSTEIN: Thank you, Mr. McDaniel, and I believe we will have time to
see your film clip, thanks to the ability of all the witnesses on the panel to
keep within their time limits, so I thank you for that.

I want to welcome Dr. Simon Cohn and invite you, Simon, to introduce
yourself and indicate any possible conflicts.

DR. COHN: Okay. Well, I’m Simon Cohn, member of the subcommittee and
chair of the full committee. I have no conflicts of interest.

MR. MC DANIEL: It’s telling me I can’t play the file. I’m
sorry. I’ll make it available to you. It is actually on a clip that is on
our internet, so it is readily available on the internet. We just don’t
happen to be on the internet here. So –

DR. ROTHSTEIN: Okay. Well, that was a short – very short –

MR. MC DANIEL: Very brief.

DR. ROTHSTEIN: – film clip.

I know that my fellow panel members have – or fellow subcommittee members
have lots of questions for all three of you, and I have a couple of
informational type questions that I want to ask to get on the record before we
follow up on those, and let me begin with Mr. Lukens.


DR. ROTHSTEIN: You didn’t mention whether the physicians who entered
the patient medical records into your network obtained any consent or
authorization from the patients. Could you tell us about that?

MR. LUKENS: The patient signs basically two documents. One is the HIPAA –
the standard HIPAA form that says this is what would happen just in the general
course of treatment.

The second document is something we developed that says this data could be
shared with other care givers who are treating you, and we also have something
in there that says the data is not going to be shared with anyone that they do
not provide consent for.

To date, we have yet to have a patient that says no, don’t release my
information to other doctors.

DR. ROTHSTEIN: So tell – I am just trying to get clear this second
document. The first is just a – first is the acknowledgment – right? – of the
notice of privacy practices?

MR. LUKENS: And the second is a document that says that Lehigh Valley
Hospital is in the process of developing a patient clinical database with
information from all patients whose physicians are part of this program and
that their data will become part of this clinical database, unless they
specifically opt out.

We also tell them that the benefits of this is if they appear in an
emergency room, the practice data will be available to the ED docs or any other
physician that they may go to for treatment.

DR. ROTHSTEIN: Okay. Thank you.

Let me ask you, Ms. Lanik, is there an opt-out procedure or something
similar to that in your system as well? Suppose someone didn’t want their
records shared with the other two entities?

MS. LANIK: Yes, we have that. We have the processes in place, but we lock
it down. We lock down the – whatever clinic – For instance, if they are a
patient at Winona Health, the hospital, and they, for some reason, don’t
want Winona Clinic to see that, we have the capability of locking that down.

DR. ROTHSTEIN: And has anyone done that?


DR. ROTHSTEIN: So they have all elected to have the –

MS. LANIK: All elected to.

We have questions from patients. As soon as our notice went out, we had
calls from patients in the community saying, Does this mean that you are going
to sell my information? No, and that we would have – we had community
gatherings where patients could come and ask about the electronic record and,
of course, have information available to them about it, but, no, they have all
opted to – because we have tried to do a good job of communicating to them and
educating them on the fact that it is safer.

DR. ROTHSTEIN: And let me follow up by asking about your scanning operation
that you are embarking on. Do the patients have any input or any role in
deciding what in their medical records is scanned or what is not scanned?

MS. LANIK: At this point, we haven’t brought that into it. Right now,
we are looking at the possibility of scanning. We don’t scan at this time.


MS. LANIK: So we don’t scan yet. It is one of the things that we were
going to do, but it was cost prohibitive at the time, and we realized when we
didn’t get the scanning function it really helped us look at what we have
in our paper record, so that we weren’t scanning garbage, garbage in,
garbage out.

DR. ROTHSTEIN: What about for the current electronically-developed records?
Do the patients have any control over what goes into the system?

MS. LANIK: Well, they don’t have any – Let me see how I can answer
that to the best of my ability. They have the right, of course, to exclude
anything in their record, but, at this time, they are not part of our IT
committee to look at what should be in the electronic record.

DR. ROTHSTEIN: Have any of the patients exercised that right to exclude


DR. ROTHSTEIN: Okay. And for the VA, is there any content control that is
vested in the veterans?

MR. MC DANIEL: When we do scanning, photographs, things like that, we do
follow the requirements of the Privacy Act in getting an authorization before
the photograph is taken, and they know that that is going to be used as a part
of their record, but from the standpoint of it living in the electronic record
versus living in a paper record, we treat it as though it is individually
identifiable health information and we would protect it regardless of what
avenue it was in. Whether it was in a paper version or whether it was in an
electronic version, we would treat it the same way.

DR. ROTHSTEIN: Well, my question is not that so much, but whether the
patient has a right to have certain information not in the record.

MR. MC DANIEL: Well, we certainly do give the patient the right to amend
their record or request an amendment for the record. So if there is something
in their record that they feel is erroneous or something that they do not want
to have reflected in their record, they do have a right to request that, an
amendment to the record to exclude that.

DR. ROTHSTEIN: And many covered entities have a policy of not granting
those requests. Does the VA grant those requests?

MR. MC DANIEL: Not that I know of that we would have a hard-and-fast rule
that says that we do not. Certainly, we want the medical record to be as
accurate as possible, and if there are things in the record that are not
correct or not appropriate, we would not want those in the record anyway, and
if the patient brings those to our attention with an amendment request, we
would likely grant that.

DR. ROTHSTEIN: Okay. I recognize Mr. Houston and then Ms. Fyffe.

MR. HOUSTON: Thank you. I have a couple of questions for Mr. McDaniel.

With regards to CPRS – and I guess, as well, as your other clinical systems
– are they facility-based at this point or are they deployed as an enterprise
solution where information contained in it or is available between the
different VA facilities right now?

MR. MC DANIEL: There is a capability to dial into another facility and get
information from another facility, but it is not a single solution. It’s –
they have the capability if, for example, we know that a veteran is seen in two
different hospitals, distinctly – which happens quite often with Snowbird
Veterans who may live in the north part of the year and in the south part of
the year – they would be able to access information from that other VA medical
center, but the CPRS system itself would be exclusive to those facilities that
would just have access.

MR. HOUSTON: And is there some type of MPI that enables one VA facility to
know that that same individual has been seen at other facilities or do they
just need to know where to go for it based upon a patient’s –

MR. MC DANIEL: They would need – at this point, would need to know where to

MR. HOUSTON: Okay. A couple of other questions.

I was interested that you are, obviously – like a lot of other entities –
are wrestling with the variety of privacy laws that you must comply with, and I
guess two questions.

One, have you figured – what is your process right now to try to evaluate
the different federal and state laws and how they interplay?

And, then, secondly, do you have any strategies, right now, as to how you
think you are going to try to sort of weave everything together into a – you
know, so you have a system that is transparent and, you know, can –

MR. MC DANIEL: Right. Our strategy with implementation of the Privacy Rule
of HIPAA, because we already had the requirements of the Privacy Act as a
federal agency, was to create for our employees at the facility level a privacy
program that, to them, was transparent. Their policies and procedures, their
business processes and requirements weren’t specific to HIPAA or
weren’t specific to the Privacy Act, but were specific to our privacy
program, and we tried to encompass all of those privacy requirements and
resolve any conflicts or issues related to folding those together –

MR. HOUSTON: Is that including state laws?

MR. MC DANIEL: – before we put that together. We did not deal with
state laws because we operate on federal property, and we are not required to
adhere to state law, except where that state law impacts us when we are doing a
business relationship with somebody who does have to comply with that state
law. For example, a medical center in the community, we couldn’t cause
them to break a state law in order to satisfy our business needs.

So, up to this point – up to the point where we are now being asked to be
considered as a part of that network of programs sharing information, have we
really started to think about, okay, how does a state law fit into what we
already know from the Privacy Act and from the HIPAA Privacy Rule and how do we
manage that?

To answer your question as to what our strategy is, we are currently
discussing with our general counsel on some of the requests that we have gotten
to participate in these sharing groups and trying to determine how we do go
forward, because once we have made the decision to do that, we have that
decision made times 50, because we have to then address each one of the states
that might ask us to do that as well.

MR. HOUSTON: So you are still trying to –

MR. MC DANIEL: We are still trying to get our arms around that from the
standpoint of how we incorporate the state-law implications into what we
already have in the federal laws.

MR. HOUSTON: Is there any time frame in which you think general counsel is
going to – or you are going to have some type of solution?

MR. MC DANIEL: It is a primary discussion that we are having with them
right now. It is one of the top things on our list to discuss because we have
gotten those requests and we are trying to be responsive to those.

MR. HOUSTON: I would be very interested. I don’t know what the
capability is to – once that decision is made, but I would really love to
understand what the strategies are. I think it is really important to – you
know -organizations that are in multiple states – or are going to ultimately be
in multiple states. So should try to understand what that strategy is.

DR. ROTHSTEIN: Sarah, you had a followup question?

MS. WATTENBERG: Yes. Since you are a federal agency and I know that the VA
provides a lot of substance-abuse services, do you integrate compliance with
the federal confidentiality regulations for substance-abuse records?

MR. MC DANIEL: We do, and, in addition to that, we also have to consider
the Title 38 regulations that are imposed on us as well. So, for example, very
sensitive issues like HIV and things like that, we have our own regulations
that we have to comply with. So there are a quite a number of those federal
components that are incorporated into our privacy program today.

MS. WATTENBERG: So your systems have already sort of figured out where Part
2 is relevant, where HIPAA is relevant and they can accommodate both of those?

MR. MC DANIEL: Well, it is actually built more so on our business processes
and how we use and disclose protected health information, not so much on the
system itself.

MS. WATTENBERG: I see. So you do it before information enters the system
via the consent process for Part 2 or – Okay. That is interesting.

MS. FYFFE: Thanks, David. Good testimony.

Hypothetically, if – let me describe a scenario to you. If an 18-year-old
person on active duty, a woman, has a pregnancy which either went full term or
was terminated and that person eventually becomes a veteran and is in your
record system, if that individual wanted not to disclose the fact or let anyone
know that she had a history of a pregnancy or a termination of that pregnancy,
how would the VA system be able to handle that or not handle that? That is a

MR. MC DANIEL: That is a really good one, Kathleen.

MS. FYFFE: Okay. That’s why I asked it.

MR. MC DANIEL: I think probably, based on my understanding of how we
receive information from the Department of Defense, because that record would
have been created by the Department of Defense, the request to redact that
information would have to be made to the Department of Defense and whatever
record that we got from them would be the record that we would have on that
individual. That wouldn’t say that we couldn’t redact that
information, if there was an appropriate reason and need for that information
to be redacted. Once we had that record, they could make an amendment request
and it would be determined, at that point, as to whether or not the information
would be taken out of the record.

DR. ROTHSTEIN: But suppose you didn’t get it from the Department of
Defense. Suppose you got it from this woman’s private healthcare provider?

MS. FYFFE: Yes, before she went on active duty.


MR. MC DANIEL: I think, again, the scenario would be the same. Either she
would choose to have that other physician redact the information before we
received it or she would make an amendment request to us and it would be
determined at that point whether it would be taken out of the record.

DR. ROTHSTEIN: Mr. Reynolds.

Okay. Yes. If you’ll stand by for a second, Harry, we’ve got a –
Maya wanted to know how that same request would be handled in the other two
systems. So, Ms. Lanik.

MS. LANIK: It was a very good question.

For us, if it is – As I stated earlier, we have four different – our org
security is broken down in four different parts and one of those are the
restricted patient, as I stated.

If it was a woman who came in and was at the Winona Clinic, for instance,
and then was a patient at the hospital, and that information was – the hospital
– they didn’t want that information from the hospital to be seen at the
Winona Clinic, we can restrict that.

However, her care providers, her physician and the clinicians taking care
of her would have that information at our organization.

DR. ROTHSTEIN: So she couldn’t keep it from other physicians?

MS. LANIK: Not from the physician that is taking care of her, no, not
currently the way it is set up right now. She could restrict – Let me back up
just one moment. At our organization, Winona Health, at the hospital, if a
patient came in and there was information from the Winona Clinic – at the
Winona Clinic that she did not want present the hospital record, that could be
restricted and vice versa. Does that answer it?

DR. ROTHSTEIN: I’m not sure. I suppose the question is she comes in
now for a sprained ankle and who, taking care of her for the sprained ankle,
gets access to this information?

MS. LANIK: Right. If she is a Winona Clinic patient being seen by a
physician there who has privileges at our hospital, when she becomes a patient
with us, she could, in fact, say to our hospital, I don’t want the
Community Memorial Hospital to see the records from Winona Clinic. We can lock
that down.

MS. BERNSTEIN: And even her care giver would not be able to see them.

MS. LANIK: No, I’m sorry. That’s different.

MS. BERNSTEIN: That is the question.

MS. LANIK: Her physician and the clinicians would have to see that.

MS. BERNSTEIN: So to whom would they be restricted? Who would have no
access to them?

MS. LANIK: Only the physician that is taking care of her and the care
givers. It is by user. We define access by important – for information that you
need to do your job. So the access to it would be only people that had access
to taking care of that patient while they were there.

DR. ROTHSTEIN: Mr. Lukens.

MR. LUKENS: At Lehigh Valley, we follow the same process. The physician or
the care giver providing care has access to all the medical records. Physicians
outside of that care, we would not provide that data. We would basically lock
it down.

We have similar situations with psychiatry patients, but I do want to
emphasize that the care giver would have access to all medical-record

DR. ROTHSTEIN: So that the physician treating this hypothetical woman for
the sprained ankle would have access to the reproductive history?

MR. LUKENS: That is correct. We follow the same idea that the physician
needs all the information to treat a patient.

DR. ROTHSTEIN: Do you think someone treating a sprained ankle would need
that information?

MR. LUKENS: I believe a physician needs all the information to treat a
patient. There could be – let’s say blood studies that were done when she
was pregnant or some type of ultrasound studies that he may want to reference.
I don’t know, but I do know our philosophy is all the medical-record data
for the treating physician.

DR. ROTHSTEIN: Okay. Thank you.

Harry, sorry for the interruption.

MR. REYNOLDS: No, that’s fine.

Thanks to all of you for your testimony. Some of us are on other
committees, so the more we can learn about what you are doing in electronic
health records is a plus.

I heard a number of statements – share clinical data that was agreed upon
by physicians, clinically relevant, easy to use, accessible – and then when you
think of the individual patient, I guess a couple of things.

One – and all three of you can respond – is the data accessible to the care
giver or is it required that the care giver look at it?

Secondly, how do we really, in the end, explain to the patient – And I just
finished a 10-day inpatient stay, so I am your worst nightmare – (laughter) –
from the standpoint of being on the other end. How do you truly explain to the
patient what your medical record is, what you are going to do with it, who has
it? Because I can’t answer any of those out of my current stay within a
large teaching institution. I know we signed something just as they put me out
– (laughter) – but I can’t tell you what it was, and I sure can’t
tell you how it worked.

So, no, I mean, our job is to look at the privacy and the understanding of
the person, not so much, you know, exactly what the doctor thinks or the
institution thinks or the institution is made up of 15 entities rather than one
you happen to be a resident in at the time.

So how do we really, as a country, really explain to the person what is
going on and when they sign something, yes, they could get to the record, but
how many really even know there is an electronic record?

And so how do you help us view it from that person’s standpoint and
from the standpoint of – You know, there’s discussion in the country now
about certification of systems. Well, should there be something – certification
of privacy, and if you have an electronic medical record you have to go through
– you know, you have all the quality – you know, CAQH, everything else. I
don’t know, but –

So I would love your comments, because you have all done a great job and
you’ve got a lot of data, but, now, there is information and, now, there
is the person, and so how does it work?

MR. LUKENS: If I may start – This is Harry Lukens.

I am only speaking for Lehigh Valley here. We do not do a good job of
explaining to a patient pretty much what they are signing. I mean, we answer
their questions. We give them the basics, but we do not give them an EMR 101
course, just as when we had a paper medical record, we didn’t necessarily
go through what would happen with that. It is a flaw in the system. We believe
that the patient understands all the buzz words and all the access, and, in
reality, they don’t.

I don’t know the answer to this. I mean, I don’t believe the
answer is yet another form. I don’t know – and I also don’t know how
other places handle this, but I know we here do not do a good job of that.

MR. MC DANIEL: I’ll speak next.

One of the things that we have been working on since 2003 when we
implemented the Privacy Rule of HIPAA has been to try to not only see HIPAA as
a legislative requirement, but also see it as a part of how we treat our
patient and try to help our organization understand that protecting the
information of an individual veteran is just as much a part of treating that
person and caring for them as giving them a shot or giving them a brace to walk
on, and I think that that is not something that you change overnight. You
don’t move culture overnight, but I think that is something that the whole
industry needs to embrace is that as we broaden and become more electronic and
as we become more capable of making the information accessible, we also help
our providers and help our organizations understand that that information needs
to now become a part of the treatment process. How we manage that, how we use
it and disclose it and even down to how we help our patients understand how it
is maintained and used is a critical part of that treatment process. I think
that is probably one of our greater challenges to becoming more able to share
information broadly is how do we change the culture that goes along with that,
not just putting an electronic medical record in place, but making all of the
things that go around that happen.

MS. LANIK: What I was going to say, too, that is a very good question and
it is fair, and I think it is one of those opportunities for improvement for
all healthcare organizations, whether electronic or not.

When we looked at implementing the Privacy Notice, the samples that we got
from the Minnesota Hospital Association and the American Hospital Association
were almost 50 pages long, and to think that patients would be able to
understand that and read that and – it was just impossible. We got ours down to
just a few pages, but it is small print – (laughter) – and we tried to put our
pledge to them right out front in big, bold letters that our pledge was to keep
their information private.

But I think that is a really fair question. It is one that I’ll take
back with me, because what we try to do in our rounding for our patients – We
do rounding. Our managers do rounding on patients and ask them about privacy
and we have a one-on-one encounter when patients come into our department, for
instance, and ask for their information, their health information, What is in
my record? So that happens. We do things locally in our paper, on our website
about what the electronic medical record is all about, what is in there.

Just recently, we hosted the Chamber of Commerce from Winona that came. We
had received an award from them on our electronic medical record, but, again,
when we showed them an example, one of the Chamber members said, How do you
ever get that out of there, then, if I am in a car accident in another state?
And so we could say to them, Well, we are not connected to that state, but that
information can be printed, faxed, called, and that calmed the patient to
understand, so, again, what is in there.

I think that is a great question, because we – as I said, we try to do that
with – we have posters throughout our organization, talk about what the
electronic medical record is, what is in your health record, what your rights
are. Every patient gets a booklet. I’m sure you got it, you know, 50,000
pages in there to try to understand, and we have social workers that go around
to try to help people understand those things, but it is a very fair question
and one that I think we need to work on.

DR. TANG: This is a followup of Mr. Houston’s question in terms of
particularly with the VA having to work in 50 states and territories. You
explained how the internal movement of information can be on federal property,
so you would only have to obey the federal laws.

What about patients’ access to the information? So on paper, whether
you only have to follow the HIPAA guidelines?

For example, in the State of California, although HIPAA guarantees that a
patient can walk in and get their paper record of all the transactions, if they
want to have access to electronically, we have laws that prevent the disclosure
electronically to them in four different categories, which includes abnormal
pathology results, which, for us, one of the big disappointments, it includes
PAP smears. So we actually have to block our electronic access to patients of
their own results, just because of California laws. Multiply that by 50. Is
that something you also are protected as a federal agency and not have to
follow all these state laws or do you have to follow them for –

MR. MC DANIEL: As I understand it, because we are a federal agency and
because we operate on federal property, we do not have to abide by state laws.
However, where we have been able to meet the needs of a patient request – For
example, if they wanted to see their record electronically, we would make that
available to them electronically. If they wanted it in paper form, to the
degree feasible, we try to accommodate our veterans.

And from the standpoint of redacting information or taking out information,
that would really be not something that would necessarily be a standard
practice in any of our facilities, if they requested a record.

DR. TANG: Maybe the other groups can talk about when a patient from a
different state needs access to their records.

MS. LANIK: Are you asking if someone lives in Wisconsin –

DR. TANG: Right.

MS. LANIK: – and you’re talking electronically? We don’t do that
at this time. It’s a signed consent per Minnesota state law and we give it
to them in paper.

DR. HARDING: We were in Chicago a couple of months ago and a ob/gyn doctor
from Chillicothe, Ohio, or something like that talked to us about – it’s a
mega group in Chillicothe, of ob/gyn only, and he said that there were two
problems. One was the issue of that they did not have their system – they are a
paperless system – did not have their system on the internet. It is a
self-contained, intranet, I guess, and the other was backup for the electronic
medical record in that he said their system would go down weekly and for
periods of an hour or two hours, they did not have access to the material, the
health information. Have you all had that? What is your backup system in a
paperless – you are moving towards a paperless, I know you were saying, and I
didn’t – I came late for the Lehigh Hospital, but I assume that they are
working on a paperless system. What is the backup in an acute-care hospital for
a paperless medical system?

MR. LUKENS: We, at Lehigh Valley, have what is known in the business as a
hot backup which is a replication of the data that occurs real time, so that if
our primary processor dies the secondary processor kicks in, and it kicks in
automatically, and we have the same redundancy in our network. Network – one
node goes down, there’s a second node that picks it up.

DR. HARDING: So you have not had that kind of an hour of no information.

MR. LUKENS: No, I think I would be looking for work if that happened. We
are – our up time is 99.8 percent here on average for systems. So we could not
survive with an hour down time every week, as you said.

MS. LANIK: T he same with us. We have never had an interruption in our
information. We have an ASP model and fiber-optic cable.

MR. MC DANIEL: All of our facilities have disaster-recovery plans and
backup plans that would allow them to reinstate very rapidly, and that is
different for each hospital, because each hospital may have particular needs or
particular risks that they want to address. So the means of recovery would be
different by facility.

DR. HARDING: And is it also true that all of you don’t have hookup to
the internet?

MS. LANIK: Right.

DR. HARDING: You don’t. So –

MR. MC DANIEL: We do not use the internet. We do use the intranet.

DR. HARDING: You have to dial into get information from another VA to that
VA or another hospital.

MS. LANIK: Ours is fiber-optic cable.

MR. LUKENS: Lehigh Valley does not yet have internet access to our
electronic medical records. We are in a pilot mode with our vendor, Next
Gen(?), to provide what is known as Next M.D.(?), which would give the
physicians internet access, but I really – the bugs I have seen in that, it is
probably six months away.

DR. ROTHSTEIN: Okay. We’ve got two followup questions. Dr. Tang.

DR. TANG: One question, Ms. Lanik, when you mentioned you using ASP model,
who owns the software and the hardware that it is running on? Is it Winona?

MS. LANIK: Cerner(?), Kansas City.

DR. TANG: Okay. So the question there relates to HIPAA. As you know, Cerner
is not a covered entity, so you are a covered entity, presumably, that has a
business associate agreement with Cerner?

MS. LANIK: Correct. Correct.

DR. TANG: There has been examples, especially around the dot-com era, when
people did use the ASP model. In the contracts, the company that ran the
information system owned the data that was in the system.

MS. LANIK: They do not –

DR. TANG: When the company – and they, too –

MS. LANIK: They do not. We own it –

DR. TANG: Okay. And that is by contract?

MS. LANIK: That is correct.

DR. TANG: So if the company were acquired or merged or went bankrupt, you
would – they have a responsibility to destroy the data?

MS. LANIK: That is correct.

DR. TANG: And they can not aggregate your data with others –

MS. LANIK: Correct.

DR. TANG: – and resell that?

MS. LANIK: Correct. That is correct. Good question.

DR. ROTHSTEIN: Mr. Reynolds.

MR. REYNOLDS: Yes, the idea of having hot spares(?), whether it is data or
processors or you mentioned the lines in where you would have to have multiple
paths into your hospital so if a backhoe got the front yard, you’d still
be okay in the back yard, which all of us have to deal with, that’s gotta
add – I guess from the tone of your voices, you feel that is mandatory if you
are having a true electronic medical record that is being involved in care.

As we move to the smaller practitioners and we move to the smaller
environments where that has gotta be a more prohibitive cost at those levels
than it is at the larger ones, so that is something we are always trying to
keep in mind, too, is how can you proliferate the model? The model amongst the
big players usually can be somewhat self sustained and somewhat justified.

How do you see the model transferring to the smaller clinicians? Do you see
– ASP was mentioned. Do you see that the larger facilities house that for them
so that they get access – they use your backup and other things or do you see
this actually being proliferated into the smaller environments?

MR. LUKENS: I don’t know how the small two- and four-physician
practice can afford all of this, not only from a hard-dollar acquisition, but
from the ongoing support. If you have backup processors, you gotta have
somebody that knows what they are doing with them.

I believe the ASP model will be the one that will provide the smaller
practices with this type of technology, and, in our case, we would be the host
for those software and databases. I don’t know how else it can work,
besides an ASP model. Perhaps the ASP would be the vendor, like Cerner or Next
Gen or IDX, but I believe it has to be an ASP model.

MS. LANIK: And that is truly the only way we could afford it. I mean, even
then, we spend 41 percent of our capital budget on information technology, but
that is with the ASP model because we are fairly small, a 99-bed hospital.

DR. ROTHSTEIN: Dr. Vigilante.

DR. VIGILANTE: Yes, just actually a followup on Harry’s first
question, and it is a bit rhetorical in some way, but I just wonder, you know,
it is kind of hard to explain to folks what an EHR is if you are not one of the
true believers, and I just wonder if, in fact, that understanding only comes
through use and whether PHRs, personal health records, are actually the way
that people really understand what an EHR is and it is engaging folks at that
level that really produces the kind of depth of understanding you need to have
in order to wrap your head around it, so that – sort of observation and just –

And, secondly, do any of the folks here have a personal health record to
compliment or a personal health dimension of your electronic health record? I
know VA does.

MS. LANIK: We do, yes.


MS. LANIK: It is called Winona Health Online, and that is how we initially
started in 2000, become an alpha site for that. Just a few problems along the
way and so we are back in the infancy stages again, but that is another good
way to answer your question, too, on getting the public involved and the
community involved in understanding what is in their health record, but we are,
right now, testing that. The electronic – it is called Winona Health Online for
the public health record, and we are looking at working with diabetes
management in the community.

DR. VIGILANTE: That started first, did you say?

MS. LANIK: Well, it started, but it –


MS. LANIK: It started and it was – Again, in a small community, to get
people to sign up, it was – What is that? You know, I’m a little leery,
and, of course, we had some technical problems as well, and that spurred us to
look at – we were looking at vendors at the time – to look at moving to
electronic medical record, and then that is why we eventually partnered with
Cerner, because – they actually found us because we were considered so wired as
a small community – to look at the public health record.

So that we had to put aside, and, now, we have been working on all this
while, but we are really in the testing phases again of looking at a true
public health record. It’s been –

DR. HARDING: Is the vision of the personal health record to have – what –
are there restricted domains that a person will not have the right to you or is
it going to be fairly comprehensive?

MS. LANIK: That is a huge long-term goal that would be a comprehensive.
Yes, right now, they take a little test and – as far as their health needs and
we have done some testing and back and forth on diabetes – diabetic patients,
for instance, doing their testing and getting their lab values back and certain
things like that we are working with. It is not perfected yet. We have done
some great things with it, but we are not ready to – you know – blow our horn
totally about what we are doing yet with Winona Health Online, but that is a
great question, because it helps expand the information to the patient and the

MR. MC DANIEL: As we are working through the My Health Vet Program, we – I
Can Cope Vet – we also help the veteran better understand the concept of the
electronic medical record. If they have their own personal record that they can
maintain and that they can keep information in, and that information is theirs,
they put it in there and it is theirs to manage and monitor, but I think you
are absolutely right. We have to get to the point where we can help them better
understand this migration to an electronic record and that doesn’t just
come from the vapor. It has to come from our efforts in helping them.

DR. ROTHSTEIN: Mr. Lukens, did you want to respond to that?

MR. LUKENS: We have started with something we are calling Physician on Line
where a patient can communicate with their doc electronically. The physician or
the practice then can patch back to the patient lab results, scrip refills, but
as far as building – having a patient build their own health record, we are not
there yet.

I do believe that is one of the better ways to educate patients because as
they start to build their own record, we can then supplement that record with
the information that we have in the EMR.

DR. ROTHSTEIN: I have two questions that I would like to ask our panel
members. The first one is suppose there were a breech of your security somehow,
say a rogue employee created a file and took it home and did who knows what
with it or perhaps some business associate suffered a hacking incident or
whatever, tell me about your policies to notify the patients that there has
been a security breech. Ms. Lanik.

MS. LANIK: Well, at this time, our policies don’t cover alerting the
patient of the breech, unless the patient brings it to us that they feel that
it has been breeched.

DR. ROTHSTEIN: But you know that it’s happened. You have discovered
that there’s been this breech, and you currently do not have a policy to
notify all –

MS. LANIK: For all breeches. For instance, we have had patients say they
feel there might have been a breech, whether it is electronic or paper, if it
is spoken or what have you, and then we have policies in place how we handle
that and get back to the patient if there’s a complaint or a concern about
the privacy of their information.

As far as the breeches that – as I said, we audit the medical record at all
times, and most of the breeches that we are seeing have to do with our staff
feeling that they can look at their own medical record on line, their
electronic medical record, and so then we have – of course, we take it right to
the Human Resources Department. Those are the things that we are seeing.

We have had a breech with a – an attempted breech for one of – a patient
death, for instance, where – not from our hospital, from one of the clinics
that they had gone into a record that they did not have access to, and it did
end up in termination and in termination. The patient was deceased, but they
had no right to be in the medical record.


MS. LANIK: And it is after a thorough investigation, but right now, I guess
that is a very fair question, and I think we have to – of course, we have
disclosures for when there’s errors at their medical care. We don’t
currently have a disclosure policy for when there is a breech of their
electronic information.

MR. LUKENS: We, probably, like everybody else, run intrusion detection
software on our network that we would probably see the breech, and, like
Winona, we have only dealt in the past with folks who believe that the records
have been compromised, and there have been those occasions when we have seen
that and it has been an employee looking at their neighbor’s record or
whatever. In Lehigh Hospital, that is a termination offense, and we have
terminated people because of that.

Our policy is to contact patients and let them know if we believe their
records have been compromised. We have not had to operationalize that and I am
not sure how that would really work if one of our major databases were hacked,
because there would be literally tens of thousands of patients, potentially, in

DR. ROTHSTEIN: I understand. There is a model in the financial services
field in California for sure.

Mr. McDaniel.

MR. MC DANIEL: We aggressively investigate any instances where we believe
that our information has been breeched. If it is an employee issue where the
employee has used or disclosed information that is inappropriate that is not
within the minimum necessary standard, we would pursue that with that employee
and we would offer sanctions up to termination if that were the case.

With our business associates and our trading partners, certainly, if we
find that there’s been a breech, we try to mitigate that. We actually did
have a breech where our clearinghouse accidentally sent several patients’
information in one envelope, and the patient that got the envelope recognized
that there was other patient information in the envelope, brought it to the VA
Medical Center and not only did we formally apologize to them, we contacted all
of the other veterans whose information had been disclosed and we provided them
with insurance coverage for the protection of their privacy and gave them
access to the three major credit bureaus and wrote contact letters for them. We
tried to make it as easy as possible, so that they didn’t suffer any
damages as a result of that.

If we were talking large numbers, so I am not sure how we would handle –

DR. ROTHSTEIN: Okay. We’ve got two followups on the breech issue. Mr.

MR. HOUSTON: I’ve heard Mr. Lukens’ speak to what the actual –
the fact that they have terminated an individual –

MR. LUKENS: Sorry, I can’t hear you.

DR. ROTHSTEIN: A little louder.

MR. HOUSTON: I’m sorry. I heard you speak specifically to the fact
that you have terminated employees for inappropriately looking at patient
records. Do each of you have a formal policy as to what type of corrective
action is based upon an employee’s inappropriately revealing a
patient’s record, and, if so, is that something you can share?

MR. LUKENS: We do have such a policy. I don’t see why we couldn’t
share it with you.

MR. HOUSTON: Just the highlights.

MR. LUKENS: Just want to make sure I clear that with the folks here, but it
is really pretty simple. We have auditing software that watches what I say to
people. As soon as you log on, we watch where you go. That includes physicians.
The process for sanctioning a physician lays with the medical staff leadership
because only a fraction of our physicians here are employed by the hospital.
The non-physician is handled by our HR policies and it is very clear. I have no
reason not to share that with you.

MS. LANIK: Our policy, as I said, with also the other two privately-owned
clinics, is the same, and it is pretty strict criteria, but if an employee – it
is pretty clear in the policy that if an employee had no right to be in that
record for any reason, they are terminated, and it is, of course, a thorough
investigation first. If they were in there for – but if they have no right to
be in there or haven’t created the partnership, they are terminated.

MR. MC DANIEL: We do have a standard policy for sanctions against
employees, and we also have guidelines that map to specific types of
infractions as the suggested application of that sanctions policy.

DR. TANG: Mr. McDaniel, you mentioned in that breech that you – where you
shared additional patient information in one patient’s envelope and you
offered them – I think you said insurance for privacy. Maybe you could explain
that a little bit.


DR. TANG: That sounded very interesting.

MR. MC DANIEL: Sure. There are insurances that will protect a person’s
identity – it is an identity insurance, essentially – that if there is an
inappropriate use of that person’s identity for a period of a year or
however long you purchase this insurance coverage, it will actually help pay to
mitigate any damages against that person.

DR. TANG: And that is financial only? In other words if someone did
identity theft and got a credit card under your name and used that versus,
let’s say, somebody obtained some other – let’s say there were
damages that you could quantify to release of private – you know – private
health –

MR. MC DANIEL: I think that would depend on the policy and who you were –
you know – which company you were getting it from. It probably is different
from one to the next.

DR. ROTHSTEIN: I have another question for Ms. Lanik, a special question
for you.

Since 1983, Minnesota has a state law that prohibits employers from
requesting and healthcare providers from disclosing information about an
individual in the employment context that is not job related. So suppose you
have an individual who applies for a job with Target and wants to be a manager
at the corporate headquarters or wants to drive a truck for 3M or some
Minnesota employer and the authorization that your hospital system gets says
send me all the records relevant to whether Joe Smith can work in the office,
how do you deal with that request? In other words, how do you send out only the
information that is relevant to whether they can do that job?

MS. LANIK: We talk to the patient, you know, as far as exactly what they
need, but we don’t give our information that they have restricted.

DR. ROTHSTEIN: The patient hasn’t restricted it. It’s an
authorization –

MS. LANIK: From the company, you mean.


MS. LANIK: Right.

DR. ROTHSTEIN: And so the patient is now going to determine what is
medically necessary?

MS. LANIK: I guess I am not understanding your question as far as the
medical necessity. For them to do the job at Target?

DR. ROTHSTEIN: Or drive a truck for 3M or fly a plane for Northwest
Airlines or –

MR. MC DANIEL: Suppose they have a seizure disorder and they don’t
want that to be shared –

DR. ROTHSTEIN: Correct. Right. So in that situation, you are vesting the
responsibility with a patient to disclose what they want?

MS. LANIK: Actually, we get a request like that, if we are not allowed to –
if we are unable to give the information, we just tell the company we
can’t give that information. Is that what you are asking?

DR. ROTHSTEIN: Well, I’m trying to figure out how you respond to a
request to restrict information when it is not clear on its face what the
information that you are supposed to give out is. If you give out everything,
it’s – you know – they can’t – it is illegal to request everything.

MS. LANIK: Right. Limited disclosure. Yes.

DR. ROTHSTEIN: They can only request a limited amount under Minnesota law.

MS. LANIK: Right.

DR. ROTHSTEIN: Well, maybe Mr. Lukens can help us, because everywhere it is
the law that – the same thing with regard to current employees. It is only
different in California and Minnesota with regard to conditional offerees. So
you get a request. You want to check up on a – an employer wants to check to
see whether a current employee is still capable of performing the job at Lehigh
Dairies, and you get a request that says, Tell us whether Joe Smith can still
drive one of our dairy trucks. What medical information do you send to the

MS. LANIK: See, we don’t give it.

MR. LUKENS: Do I also get an authorization from the patient to release
their information?

DR. ROTHSTEIN: Yes, the authorization says you are hereby authorized to
release all information relevant to whether I can drive the truck.

MS. LANIK: And the patient has signed it. That was – I was asking before –

DR. ROTHSTEIN: Correct. The patient has signed it. Yes, so how do you
decide what is relevant and what technology do you use to screen out what is

MR. LUKENS: To be honest, I don’t know the answer to that. I
don’t know how frequently we receive something that is that restrictive or
that requires carving out the records, because I am not sure we could even
speak to that, unless there was something glaring like – as you said –
seizures. So I really don’t know how we would handle that.

DR. ROTHSTEIN: I bet you’ve got one today.

MR. LUKENS: You do?

DR. ROTHSTEIN: Yes, you probably get one every day.


DR. VIGILANTE: What if there was a request form that had specific
conditions to check off, would that make it easier to answer the – because that
is usually the way it happens.

MS. LANIK: That is how our form is.

DR. VIGILANTE: Usually, there is a form that comes that says, You have
these disorders that are – you know – that –


DR. VIGILANTE: – driving a truck or flying a plane or something like

DR. ROTHSTEIN: Well, those are when it is a government-mandated – whether
it is ICC or FAA, they have specific forms, but other employers don’t –
they just sort of request stuff. The fact of the matter is that healthcare
providers send everything as a matter of course, because it is too expensive to
do it otherwise.

MR. MC DANIEL: I know when patients come to me, they usually have a form.

MS. LANIK: Right. Same with us. It is very specific.

MR. MC DANIEL: Can I do this and, you know, I have to check it off –

DR. ROTHSTEIN: Okay. Let’s suppose you have a form that someone comes
to you and says, We want to know about 15 things and one of which is whether
they have orthopedic problems or vision problems or whatever. Do you have a way
of searching the electronic record to disclose only that information and not
disclose other information?

MS. LANIK: What we have done in the past – how we handle a request like
that is we have got a policy that says what is the minimum necessary to give
out for any record. So if we had a request and that particular person had been
in the emergency room, for instance, we wouldn’t give them every nursing,
every lab value. We would give them the summary of what we call our T sheet,
which is just a quick summary. If they had been in the hospital and they had a
surgical procedure, we would give a history and physical on the operative note
only. So we have specific things that we do on all release. I guess, to answer
your question on any release request that came in it is minimal necessary. We
have a policy that outlines what that would be for that particular encounter.
Does that help? And if the patient has signed – Sometimes, we do call the
patient to have them understand. Do you understand what you have signed here
that this employer is asking –

DR. ROTHSTEIN: Well, it wouldn’t be – the request wouldn’t be
encounter based because no one would know what the encounter was beforehand. So
they – you have an authorization that says, Send me all the orthopedic and
opthomologic records of Joe Smith. Now, do you have any software that
let’s you punch two buttons and only send that stuff?


MR. LUKENS: No, neither do we.



DR. ROTHSTEIN: Could you?

MR. MC DANIEL: I don’t know the answer to that.

MS. LANIK: Could we assess the record or what are you asking? Could we –

DR. ROTHSTEIN: No, could you develop – could you imagine developing that
sort of software? Do you think your system would –

MR. LUKENS: I think the software could be developed. The problem would be
in the acquisition of the data. In your example, assuming the software was
there and the data was correctly acquired, you would be able to go in and look
under, let’s say, a hospital service or for orthopedists and pull out
encounters that are attached to that.

DR. ROTHSTEIN: But it would have to be coded in the first place, which –

MR. LUKENS: Yes, it would.

DR. ROTHSTEIN: – adds all sorts of expense and so forth.

MS. BERNSTEIN: Yes, Mark, I think part of the problem with the issue that
you are trying to deal with is that the coding, as you said at the end, is
probably the key. We heard in the last hearing from, for example, a dentist who
was saying that there is information about erosion of the teeth that will tell
you that a patient is bulemic. Is that a mental-health record? Is it a dental
record? You know, what kind of record is that? And it would depend on how you
coded that or where that person was treated and so forth whether that fell into
one category or the other, I think.

DR. ROTHSTEIN: Well, which is sort of a medical determination in the first
place, but the answer is that even if you had a medical determination and
wanted to comply with it, and this is not a fault of your system, it is – the
fact of the matter is we just don’t have that capacity now, and the
question is whether it is – the cost of doing that is justified by the privacy
protection that would be on the outside of it.

Well, I want to thank all three members of our panel for very important
testimony, and I am sure you could judge by the feeding frenzy during the
question period how interested and concerned we are about these issues and how
we are thirsting for knowledge, and your testimony has been very helpful.

MR. REYNOLDS: Mark. Mark. I would really like to ask one other –

DR. ROTHSTEIN: Oh, I’m sorry.

MR. REYNOLDS: I mean –

DR. ROTHSTEIN: And, now, the final –

MR. REYNOLDS: I don’t want to loose these guys –

DR. ROTHSTEIN: Okay. See, we are – I told you we’re thirsty.

MR. REYNOLDS: No, each of you – as we see everything coming out of this
building and Washington in general, interoperability, and internet is always a
key word, and each of you – if I recall your testimony precisely, each of you
stayed away from the internet. As you – so if true interoperability – if
regional interoperability has to include the internet, because private networks
aren’t going to get it, and national definitely involves the internet, you
are going to have to do some – Do you see – You, obviously, decided not to use
the internet. So was it more of a firewall, a security, a privacy or all the

MR. MC DANIEL: I think for us we probably would have to really look long
and hard at the security implications of a solution like that, and given that
the internet is so freely accessible by so many people, many of whom would be
more than happy to cause harm to our patients by using the information that
would be housed on the internet that it would be – there would have to be some
sort of ironclad solution that would provide us with the kind of confidence
that we could use the internet or protected health information in a way that we
were confident that it was not going to be taken and misused, and I think that
that is not something that we have seen today.

MR. LUKENS: I think that was well said, and I would second those comments.

MS. LANIK: Myself as well, yes.

DR. ROTHSTEIN: And for those on the internet, Ms. Lanik is nodding as well.

Well, thank you again, and we are going to take a recess until 11:05, and
then we’ll have Panel II on Health Systems.

(10:54 a.m.)

* * *

(11:09 a.m.)

Agenda Item: Panel II – Health Systems

DR. ROTHSTEIN: Good morning. We are back on the record, and Panel II on
Health Systems is here to further educate the members of the subcommittee, and
without any objection, I would like to proceed in the order listed in the
schedule and begin with Mr. McBride. Welcome.

MR. MC BRIDE: Thank you.

First, I would like to thank the committee for allowing Availity the
opportunity to share our experience, thoughts and needs regarding privacy and
health information technology, specifically with respect to the creation and
deployment of a national health information infrastructure.

My name is John McBride. I am a computer scientist and currently serve as
the chief technology officer for Availity.

I have worked across a broad spectrum in healthcare IT from clinical IT
developing electronic medical records for emergency department information
systems to global provider collaboration portals to my current position with
provider/payer connectivity and collaborative applications.

Some of what I will say here today has thankfully been addressed in what I
feel is a very positive way according to the press release yesterday from the
Department of Health and Human Services. My company and I were one of the many
who responded to the NNRFI, and the responses so far from the department have
been very encouraging.

Briefly, I would like to give some background on Availity for context.
Availity is an independent joint venture created in Florida in 2001 between two
large health plans, Humana and Blue Cross Blue Shield of Florida.

One of the purposes for the creation of Availity was to provide a
utilitarian internet solution to the looming HIPAA compliance deadline in the
State of Florida. By collaborating with others and consolidating provider
portals, via a geographically redundant ASP model, provider workflow could be
improved and healthcare costs could be reduced.

Eligibility and benefits, authorizations, claim statuses and, of course,
claim submissions and – advice were available securely on line, and all of this
was provided at no cost to the providers, which was another appreciated

In addition to our payer-owners, today, Availity has connectivity to over
1,000 payers nationwide, including real time connectivity to a total of 10
payers that represent approximately 58 percent of the private payer market in

By offering functionality via these payer connections to providers across
the state of Florida, Availity services over 90,000 portal users and 400 vendor
partners. This has resulted in 14,500 out of 15,000 provider sites, using
Availity in Florida in some way, shape or form, which is over 90 percent of
provider sites in the state representing approximately 40,000 providers.

On behalf of our users, Availity submits over eight million HIPAA-compliant
transactions to payers each month and is on a run rate to exceed 100 million
HIPAA-compliant transactions in 2005.

The formation of an NHIN, national healthcare information network, could be
based upon this and other proven methodologies. The NHIN will likely evolve
from existing networks and technologies and will not be revolutionary or
installed in a massive system implementation. As such, the evolution of the
NHIN should be incremental in a phased and structured approach. The NHIN must
be open, not only in standards, but in participation by all industry
constituents. NHIN governance must consider and allow every size and
configuration of those who access the NHIN to participate in a collaborative
manner per guidelines to be determined.

Based on evidence from Availity’s administrative experience in
Florida, we believe that with enough payer market share in other regions,
providers and vendors will modify behavior towards more efficient workflows.
Market share drives adoption and utilization, since there is an efficiency to
be gained in the provider work flow.

More patients being seen will be covered by a connected payer. Then,
utilization will drive down costs and the repeating cycle of improving the
workflow can continue. However, the administrative transactions are only the
beginning of what can be interconnected.

Administrative communication provided by the connectivity and network. Now,
many follow-on applications can now take advantage of that investment and
infrastructure and utilization. The electronic health record can be created by
appropriately combining the provider-based electronic medical records, the
payer-based health records and aspects of the consumer-based personal health
record. This does not necessarily mean that the records are stored in a
centralized location, but rather that centralized record pointers could provide
locating and accessing services.

Given privacy and other concerns, some may question the need for a national
health information infrastructure. To those people, I would like to introduce
Amy as a real-world example of how sharing healthcare information could have
made a difference.

Amy was 27 and pregnant with her first child when she developed an aneurism
near her spleen. Unfortunately, Amy’s care providers did not or were not
able to collaborate and share information to create a complete picture of her
medical history.

Later, it was determined that even though Amy’s lab and other
diagnostic information was available it was not shared. She visited the same ER
on two separate occasions before her obstetrician ordered an emergency
delivery. Sadly, Baby Madeline did not survive her mother’s aneurism.
Surgical intervention was not immediate because Amy’s doctors did not
collaborate and share information. It is possible that with more medical
information shared at each point of care, Madeline would have survived.

In the national health information infrastructure, patients should control
their data and their personal data should remain private, except in certain
well-known and appropriate circumstances also to be determined, perhaps such as
the one Amy endured.

In Amy’s case, the ER physicians may have reviewed her history via the
NHIN and perhaps would have had a better chance of quickly making the correct

So, finally, I have six key recommendations and requests on the creation of
the NHIN for the committee as follows:

Uniform application of laws and government leadership should be applied to
the NHIN as well as other national healthcare initiatives. There are too many
federal, state and local laws and departments that conflict. Without one clear
governing body, any initiatives at the national level will be extremely
complicated, if not impossible, to support.

In addition, HIPAA needs to be completed so that it can be used as a
building block for the NHIN and other initiatives. As the primary foundation
and standards backbone, it is clear that until and unless the industry can do
the easy part, HIPAA, it will never be able to meet the challenge of the more
complex clinical delivery, especially as a voluntary effort.

A user model in associated use cases must be created to clearly define who
administrates, controls, authors, accesses and edits health records. The NHIN
governing body should consider the creation or selection of one or more trusted
entities, which is only, perhaps, solely responsible for servicing the request
for data, but does not necessarily store the data.

Patient participation in the NHIN should be voluntary for patients, but
opting in requires patients to follow the standards established for the NHIN.
Consumers should, therefore, be represented on NHIN governance boards.

While implementation of the HIPAA National Provider Identifier is
proceeding the remaining HIPAA identifiers, such as health plan, individual
identifiers are critical to helping evolve healthcare interoperability.

Registries that securely manage the digital identities of patients,
providers, payers and medical staff are a core requirement to the secure
operation and adoption of the NHIN. Without unique ID’s, locating records
and communication will remain inefficient and prone to error.

The usage of standardized data elements and concept and context management
should be mandated by the NHIN governing body. This will allow the data to
remain meaningful across network boundaries.

Interoperability standards, including privacy and security requirements,
must be created at the national level. Wherever possible and appropriate,
existing standards should be leveraged. For instance, the internet must be
uniformly embraced by all public-facing government healthcare entities, as well
as the remaining public entities.

Availity believes that in order to achieve the goals as stated for the NHIN
in the time frame allotted, a line must be drawn in the sand for the planned
obsolescence of technology. This should happen with the creation of the NHIN,
but also be an ongoing strategy of the governing body or bodies of the NHIN.

Sunset and maintenance rules must be created and adhered to, perhaps tying
funding with established time frames. A continuous 10-year rolling plan, for
example, should be published with achievable milestones.

The DHHS should create a federated model of regional networks, RHIOs or
otherwise, by whatever name, which when connected make up the NHIN. Regional
networks could apply for connectivity with the NHIN based on meeting minimum
interoperability standards. This would allow many networks to evolve in
parallel, but keep them driving towards the same requirements and goals.

So that concludes what I am asking for you to consider. I realize there is
no single silver bullet here, and there is a lot to tackle, but by focusing on
a few key points, we can begin making progress in a logical, methodical

Thank you very much for your time.

DR. ROTHSTEIN: Thank you, Mr. McBride, and we’ll have questions for
you after we hear from Mr. Sheils.

Mr. Sheils, please.

MR. SHEILS: Thank you.

My name is Paul Sheils. I am the CEO of Aetna Health Information Solutions,
which is a unit of Aetna, which is a national health plan with 14-million

My interest in this area dates back, actually, to 1998, when I was CEO of a
company called Medscape, which was a professional healthcare content site that
is currently owned by Web M.D.

In 2000, we merged Medscape with an electronic medical record company,
called Medical Logic, which is currently owned by GE Medical, and, currently, I
joined Aetna about two years ago with the goal, really, of leveraging
Aetna’s information and data and analytic assets to help make patients
make better-informed decisions.

The purpose of my testimony today, really, is to describe very initial
efforts at Aetna and our trade association, AHIP, America’s Health
Insurance Plans, to contribute to the goal of developing an interoperable EHR,
a national health information network, by encouraging the nation’s health
plans to develop – to leverage their claims data, health content, analytic
capabilities and their existing relationships with providers and patients to
build a claims-based, informatics-informed, patient-controlled personal health

Now, by way of context, we obviously applaud and support enthusiastically
most of the EHR initiatives you heard about this morning, and we are, in fact,
involved in several RHIO initiatives around the country.

What I am going to describe today, really, is what we believe is a parallel
effort to develop, really, a practical, near-term solution to delivering
important health information to the nation’s patients in a
patient-controlled PHR.

Now, the distinction, as you know, between the EHR and the PHR is clear.
What I am talking about today really is a patient-controlled and really claims
populated initially, but certainly patient populated in parallel
informatics-driven – this gets to the issue raised this morning about how
important evidence-based medicine is in the application of these kinds of data
elements to the patient, and, of course, the goal of this personal health
record is that it is interoperable with the electronic health record. So that
is the point.

The simple answer as to why plans are trying to get into the business of
providing personal health records is that we have access to very important data
elements, analytic tools, technologies and relationships with the stakeholders
that I think is important for the adoption of these personal health records to
take hold.

First, obviously, is the data, and, as most of you know, plans currently
are an essential repository for a lot of information about an individual’s
healthcare, and for decades, plans have been using that data for research
purposes to determine things like trend and predictive modeling and the like.
So there is a lot of expertise in the nation’s health plans about how to
manage claims data.

There is also the notion that most plans, obviously, have substantial
technology platforms that enable them to manage these massive data warehouses
and they have sufficient and sophisticated websites that currently interact
with both providers and patients.

In the analytic world – and I want to spend some time talking about the
reason that some of the personal health technology data can be massaged and
analyzed for purposes of providing better decision support to the patients, is
that many plans, as you know, also have significant analytic capabilities, both
in terms of staff members who are informatics experts, but also in the sense
that they have substantial amounts of technology platforms that do automatic
analysis of claims, and to do that right, the results of those analyses often
give important insights into a patient’s health record and of health
status, and provide the patient with some significant decision support tools
enabling both the patient and, we believe, the provider to make better-informed

One of the reasons, actually, you may have read that Aetna purchased a
company called Active Health Management last week, and Active Health Management
really is a company whose core competency is, in fact, the analysis of claims
data to determine if an individual’s claims history indicates a care gap
or a care contradiction as it relates to certain therapeutic guidelines and
peer-review literature searches.

So we have already applied the power of analytic engines to help patients
and physicians make better-informed decisions by using the claims data and
analyzing it against current guidelines in the industry.

The additional sets of data elements and assets that plans uniquely have
are, in fact, the relationships. We currently have, obviously, relationships
with both patients and providers, and that is an important element in enabling
the adoption of personal health records to take hold.

And, finally, I think, we have the motivation. Obviously, all plans are
interested in improving the quality of care and reducing the cost of care, and,
like many plans in the country, Aetna is firmly of the belief that information
is an important part of the formula to improve the quality of care.
Better-informed patients make better-informed decisions.

Now, if you turn, actually, I have given everybody a couple of pictures to
describe how a system like this might work, and I am actually heading out this
afternoon to give a similar presentation to AHIP(?), which is the industry
trade association for the health plans, and I should point out that this
proposal was reflected, actually, in AHIP’s response to Dr.
Bailer’s(?) RFI. So this notion of – in that document, it was actually
called an individual health record. It has already been outlined in the
response to Dr. Bailer’s initiative.

And what I am going to do this morning and at AHIP is really try to define
how, for all the plans in attendance at AHIP, they could build a system that
enables them to provide a personal health record that is informatics informed
that also, in fact, satisfies a notion that it will ultimately be interoperable
with EHRs.

So if you look at your slide 3, really, it is just a schematic
demonstrating the input of the data elements that plans currently get and
sometimes – and soon will get, but, principally, it relates to the fact that
there is a significant amount of information in claims data, medical claims,
prescription claims and lab values that currently plans already receive.

Now, the goal would – really, to have this member-centric information
platform be – have that platform enable the patients to input into the member
record self-reported data from a health-risk assessment or any kind of
additional areas in which the patient could actually input data themselves.

The goal, obviously, is to make sure that whatever structure a platform
takes that it is – it becomes – you know – along the standards that John has
just mentioned, interoperable as either a downstream recipient of EHR data or
we can – the plans could upstream relevant information that is not currently
involved in electronic medical records back to the EHR.

So the goal of the PHR is to do a parallel, essentially, development effort
that it ultimately becomes an interoperable set of systems with the EHR.

And, really, what this graphic demonstrates is that once you have the
member-centric health profile, the importance for us is not only that there is
tremendous value in the raw data – the list of medications, the list of
vaccinations, the diagnoses, the number of encounters you had – there is a
substantial amount of data. It is not, obviously, as rich as an EHR. Let’s
put that on the table. It is not the full Holy Grail, but there is substantial
value, we believe, in the information that we can glean from transaction-based
claims data. It includes things like lists of medications, list of
vaccinations, encounters, and, ultimately, lab values and lab results.

The last page of the deck(?) actually shows some of the data elements that
are currently available in claims-driven systems.

But I would like to point out that, really, the value beyond the basic
information that can be provided through a personal health record that is
claims based is this evidence-based decision support tools. So we are
encouraging the health plans to actually wrap around the member-centric record
this claims-based analytic capability to enable you to determine things like
you are predisposed for X, you have to have a refill, you didn’t go get
your refill done, all kinds of alerts, recommendations that are done, really,
on the ongoing basis. As claims come in, they are run against the rules engine
to determine really two sets of things, one of which is clinical and
therapeutic recommendations. That is what this active-health acquisition
actually focuses on.

So, in addition to running – Now, you’ve got claims coming in that
indicates you are comorbid with diabetes and hypertension. Those claims will
then be run against that profile for how that is supposed to be treated by
certain guidelines in the country, and it’ll kick out. In fact, if you are
on two drugs that are contraindicated, it will indicate an alert that you
shouldn’t be on that kind of drug.

The second kind of what I would argue is rules-based analytic ability is
once you have the ability to determine the full member-centric record for an
individual, you can then deliver personalized health content to that
individual. In addition to the care consideration of the care-alert-based on
guidelines, this capability, member-centric information platform, enables you
to actually target specifically-related information or health content about
your specific condition to you.

So, for example, the patient could say, I have just been diagnosed with
diabetes. The simple thing is to send them articles from JAMA or the New
England Journal of Medicine about diabetes, but the power of these systems
enable you to get far more refined, to the extent there are articles out there
that are specific to your individual case of diabetes, you can actually target
those more specifically.

So think about the PHR really as a limited – you know – shorthand
definition of a member-centric information platform that plans can use to
target information to the member, both from a therapeutic perspective and from
a healthcare content perspective. You can see the flow, then, results.

If you turn to the next page, which I think is your slide 5, this is just a
mockup of what one personal health record might look like, and it is really
designed to show that there is substantial value in this limited amount of
information to the patient.

For example, you can certainly see that the – it is really one of the first
places you are going to be able to turn to that gives you a comprehensive view
of your member’s physicians, the medications, the diagnoses, and one of
the powers, obviously, is that this will be a patient-controlled device,
meaning, unlike the EHR, which is more clinician-controlled, the design behind
a PHR, really, is to give the patient ultimate control of who sees the
information in this.

This – for example, this mockup shows that, on the bottom, there is a
printer-friendly format. The goal being, obviously, that you want to optimize
your physician encounter. So you want to be able to hand this to the physician
and we’ll have the appropriate disclaimers. It is claims based. It is not
an EHR, but, in fact, has valuable information that you, as a clinician or a
care giver to this particular patient may want to understand.

So the point would be that you enable the patient to – either
electronically, by the way, or through authentication and significant levels of
security through the online authorization or in a paper format. If you are the
patient, you want to print this one-page summary of your personal health record
based on claims out, you can walk it to the doc and give it to him.

Now, there’s also significant amounts of other applications or
transaction capabilities in here, but if you turn to page 6, what I’ll
show you, really, is some of the value of the engine that you wrap around the
record. So slide 5 really is the raw information, which in and of itself, we
believe, obviously, is of significant value to the healthcare system.

And the second would be that this is kind fo the results of some of the
analytic capabilities that plans can apply to that data to push personalized
recommendations, content to the patient, and, by the way, to the extent the
patient authorizes it, to the provider.

So, again, our view is that this is a patient-centric model. We are
delivering a limited data set, although valuable to the patient, and permitting
the patient to determine who and what portions of the record that patient makes
available to either care givers or others.

You can see, by the way, on slide 6, that you’ve got the ability to
not only push specific articles about this particular condition to a patient,
but, also, they are going to be able to get the alerts regarding some – you
know – contraindications on drugs, care gaps or care contradictions, and you
can see this really is designed to show that it is a full service, you know, a
plan-based portal, by showing you an additional – you’ve got some
information about your deductibles and your other – you know – your
disease-management compliance points, for example.

So it is really a full service. The relevant portions for this committee is
the areas regarding the claims-based PHR and the analytic capabilities that
plans can uniquely deliver.

So let me just go through, I think, a couple of the elements and benefits
of the PHR from plans. Again, it is very preliminary. This has actually not
been approved by the board of AHIP and will be, in fact, I think, addressed
this week at the convention, but the goal would be to enable the board of AHIP
to propose this to their membership and have standards bodies working obviously
with perhaps this committee and others to make sure that whatever standards
that the AHIP comes up for its PHR initiative actually are interoperable with
the standards for the EHR.

So the first issue is obviously that it is patient controlled. We believe
actually in strict authentication and authorization issues. The patient
determines who sees what, and, like other systems, it’ll be an audit trail
to determine actually who did see the information.

Obviously, a big issue is determining that the systems are built in a
HIPAA-compliant and state-privacy-law compliant manner.

We believe, obviously, with all our heart, that they have to be inoperable
with the EHR, not only should there be common data fields, one issue we are
struggling with is in order for plans to feel comfortable about being able to
differentiate between one plan and another, you can certainly argue that the
base information on the PHR should be standard, obviously. The data elements
should be standard, but there is a notion that we are toying with that the plan
should be able to make the patient accessible via the PHR – you know,
CIGNA’s could be green, Aetna’s could be yellow – but when you get to
the online authorization of a provider to see the PHR, that should be common,
so that there is no kind of issue that Physician X in the emergency room has to
figure out where Aetna’s list of medications is, as opposed to where
CIGNA’s list of medications is.

So there is some notion that we could enable the plans to differentiate on
the PHR level, but when it comes to the physician-accessible patient-authorized
PHR, that should be standard. That is our view.

We obviously think it should be portable. This is a big deal, as you can
imagine, with the plans that the operating assumption of a PHR is that at the
end of a member’s stay with Aetna, Aetna will transfer the data to the
next plan. It is a big deal. So that is part of the deal. So if, in fact, an
Aetna member becomes a CIGNA member, Aetna is required to transfer the medical
information, the PHR data, to the next in line plan, and, obviously, that
increases, from our perspective, the longitudinal view of the record and
becomes more valuable as the patient moves from plan to plan.

As I mentioned before, we think this does enhance the physician engagement
with the member. We think the member is obviously capable of determining what
elements of the PHR he should show to her – she should show to her physician,
and the physician should benefit from that in ways that we can enhance by
providing the same level of analytic ability that we provide to the member to
the patient – to the physician as well.

We believe, obviously, in the power of the informatics component of this,
the ability to apply analytics to this data to enliven the encounter with the
patient and provide – support tools to them, and there’s other benefits,
obviously, to the system that enables the patient to have e-visits, e-messaging
and e-prescribing in the same kind of platform.

So we turn to slide 7, actually, you’ll see a very – I think a set of
data elements that plans currently get that could form the basis of the data
elements in the PHR, and, again, I’ll emphasize it is not as complete,
obviously, as the EHR piece, but it provides some significantly valuable
information for both patients and providers.

So, finally, I think the goal of the PHR really is to improve the quality
of care. We believe that if you engage in form and provide decision support to
both patients and providers, healthcare will be improved. We believe that the
PHR, if adopted by the plans, will, in fact, provide a practical, near-term
parallel effort to the EHR in the development of the national health
information network, and, of course, we are committed to working closely with
this committee and other committees in HHS to ensure coordinated development of
the EHR and the PHR.

Thank you very much.

DR. ROTHSTEIN: Thank you very much, Mr. Sheils, and if the panel is any
indication, I am sure our group has many questions for you.

Let me just begin by asking Mr. McBride a question from his testimony. On
page 2 of your testimony, sort of in the middle, you say, in the NHII, patients
should control their data, et cetera, et cetera, et cetera. How?

MR. MC BRIDE: That’s a –

DR. ROTHSTEIN: Simple question.

MR. MC BRIDE: Simple question, right.

There’s many ways to do this. One – you know – certainly, you know,
there’s a lot of depth and breadth to the question. Patients can control
this at many levels. The simplest, I think – and then I put in here sort of
opting in, so that means that – you know – there’s two things going on.
You know, first of all, if I want to even participate in this, that is my
choice. You know, that is just to begin with, but, now, once I participate,
there are a set of rules, you know, that would be established to be determined,
what happens now. So you could have cases, you know, that are within the NHII
guidelines on privacy where, let’s say, mental health and substance abuse
and so forth is not shared, you know, without further, you know, further
approvals or so forth. That is just an example.

If we are talking how technically, I think, that technology exists, you
know, coming from a technological standpoint, you know, but I don’t
necessarily think that technology is the issue, to answer your question.

DR. ROTHSTEIN: So you are comfortable with the idea of different fields in
terms of levels of disclosure, certain treating physicians or other providers
would get access to different levels of information. For example, psychiatric
information would be available, mental-health professionals, that sort of

MR. MC BRIDE: I am not a doctor. If you separate this from the technical
side, which – what you are saying is possible. You can certainly do that.

I do believe you can share the information as appropriately, you know,
using the technology, but the business rules or the medical rules would have to
be created to decide when that is appropriate and when it is not. I think that
is the way to start.

Certainly, just as technology has evolved, you know, we could make rules
and the technology match, as time goes on, to get a little bit more granular
with information.

I am just suggesting that to get started, especially with the time frame
allotted, you know, there is an opt-in, opt-out type of scenario. That would
allow us to get started and start to place more granular controls of business
rules and technology solutions to address what you are saying.

DR. ROTHSTEIN: Okay. I have one question for Mr. Sheils as well, and that
is I am certainly willing to concede that PHRs have value to patients in terms
of health promotion, health monitoring and so forth.

I am not sure the extent to which PHRs would protect patient privacy at all
in the sense that treating physicians are not going to want to treat people on
the basis of their self-selecting PHR information. They would want access to
the complete EHR.

At the same time, third parties who are going to be making assessments
won’t take the PHRs either. So I am a life-insurance company and I want to
decide whether I want to issue a policy and what premium and so forth, I am not
going to rely on the PHR either. I want the EHR.

So am I right that the PHR is really not designed for or very valuable in
protecting privacy interests. It may be quite valuable in other respects – in
disease management, in reminding people what they need to do and so on and so
forth – but, as a tool to protect privacy, that is not why it was created nor
is it its essential use. Am I right?

MR. SHEILS: Well, I think there’s two points, really, one of which is
that we have no conception that the PHR is as valuable as an EHR. Obviously, a
physician with an option to have access to an EHR and PHR would pick the EHR,
and we support that.

On the other hand, that’ll be a long time coming, and I think one of
the benefits of the PHR is that it can be done fairly quickly, and so some
number of Americans who will not have the benefit of access to the patient
viewable portions of an EHR can, in fact, view the limited elements in a PHR
fairly quickly, and those elements are, in fact, a value to a physician who
does not have access to the EHR. So, for example, just the minimum list of
medications is of value. It is not the definitive, but certain elements of the
PHR enhance the physician’s understanding of the full patient encounter.

So we are not suggesting that the PHR is the goal. It is one of the
parallel paths that should be adopted by the nation’s health plans to
assist in delivering additional information to patients who may make that
available to providers in as much detail as we can, which is, in fact, the

But I don’t think it is an issue of preferring the PHR over the EHR.
It is really the first step in a parallel step.

DR. ROTHSTEIN: And a followup question I want to ask, you are concerned
about the following scenario for use of PHR in employment-based health

You have an employer who, in an effort to save money on premiums and
outlays for employee health insurance says to employees, We will give you a
$30-a-month reduction in your employee contribution to your health plan if you
agree to give our health-risk-assessment contractor access to your PHR and
agree that you will work with them to promote your health, and, of course, that
is increasingly common now without the PHR component, but under the scenario
that I posit, instead of online or other sort of information that is generated
by the employee, now, the PHR immediately goes to the –

MR. SHEILS: Or the –

DR. ROTHSTEIN: – HRA company. Yes.

MR. SHEILS: The HRA goes to the HRA company.

There’s two issues, one of which there’s self-reported data
through an HRA –


MR. SHEILS: – which can be incentivized by the plan or the employer to have
the employees fill out.

Second is the claims-populated portion of the PHR that is completely
separate. It is essentially plan populated, and the patient or the member has
the ability to – I don’t want that. I don’t want the PHR. I
don’t want any part of it, you know. Don’t do it for me. Thank you
very much, but I am not interested in having you develop a PHR for me. So we

The second issue I think you raise is the incentivization for members or –
excuse me – employers and plans to get people to contribute additional data
beyond the claims data to the record, which is the HRA. You fill out the
health-risk assessment and you get, you know, you get weight. You get smoking
habits. You get all those kind of loser types of data than from the claims
data, and the issue, then, is, again, part of the contract in which you sign up
for the HRA indicates what uses you will enable the plan or the employer to put
to that information, and we would say, you know, that is a matter of contracted
contract between the employer and the employee. If the employer wants to
incentivize the employee to fill out the HRA, it should be very clearly stated
what the purposes of that – what purposes that data will be put to.

DR. ROTHSTEIN: Well, here is my concern, coming from an institution that
has adopted this here: The prospect of some non-HIPAA entity having access to
my PHI, not knowing what they are going to do with it, not knowing the
qualifications of the individuals reviewing it, calling me to hassle me about
what I am eating and what I am doing is not very attractive, and I feel that –
I mean, there’s essentially three ways that I have seen this response.

You can basically waive the $30-a-month benefit and pay essentially a
privacy tax, so you don’t have to share that information. You can lie on
your health-risk assessment, saying that you don’t smoke, you don’t
drink, you are not overweight and you exercise every day for a half hour, and
they don’t have access to any basis for corroborating whether you are
telling the truth or not, or you sign up and tell the truth and have these
people hound you – not that that’s – I don’t want to display any sort
of prejudgment.

MR. SHEILS: There are benefits to filling out an HRA. (Laughter).

DR. ROTHSTEIN: If you do so voluntarily and you are inclined to do that. I
mean, I have actually reviewed the data and it only has value – If you are
coerced, it doesn’t really have value.

My concern about the PHR being tied into this is now you have lost lots of
your options, and you have just eliminated – you are either in or you are out,
and if you are a low-paid employee, it seems to me that this is just another
way in which your privacy is going to be violated.

So that is my concern about linking the PHR with the HRA.

MR. SHEILS: I think you are raising, really, an ethical issue with respect
to the way plans or employers provide incentives for employees to fill out
HRAs, and that is obviously a societal issue, but I think the technical issue
that we would address is that at the end of the day, the employee has the
option of either participating in the HRA or not, and whether or not the
employer has some underhanded – or the plan has some underhanded way of trying
to get access to the data is really kind of an issue that should be addressed
in ethics committees as opposed to the technical side.

But I think there is tremendous value – and for those folks who are not
opposed to the notion of completing an HRA, obviously, once you submit the
additional data, the enrichment of the data enables better analytics to take
place, so you have, actually, an argument to the employee that there is a
downstream benefit to you as an employee to enable the plan or the business
associate of the plan to take that additional data and run analyses against it
to help you with your healthcare decisions.

So there is certainly value. The way it is actually accomplished,
obviously, you raise some good issues about some issues that should be
discouraged, but the value of an HRA supplement to the PHR, I think, is fairly
well documented.

DR. ROTHSTEIN: Okay. Thank you.

Okay. We’ll go this way this time. Dr. Tang.

DR. TANG: Mr. Sheils, let me just test my understanding of what you
described. I think it is an ASP-hosted version of a PHR for your members, and
then you said that if you change a health plan, then you would pass that
person’s claims, in a sense, onto the next payer.

MR. SHEILS: Correct.

DR. TANG: Is there a thought of once you start this, if people are willing
to both comply with the standards and to share, as people move around, could
you go get all the previous claims history just to better populate an
individual’s –

MR. SHEILS: I think that may be a prospective goal, but I think it will be
almost impossible to start now and go back and try to get claims from the
various – because they haven’t been created or stored in the right format.
So I think it is almost impossible to view it retrospectively as going back and
get the longitudinal record.

There are companies, as you know, that try to do that. There’s
Verispan and NDC that have tried to create with these algorithms kind of
virtual longitudinal records based upon historical access to claims data, but I
think, for our purposes, it would be plan based and, prospectively, that once
you are in the PHR for Aetna and you move to CIGNA, Aetna would be obligated to
move the PHR data to CIGNA.

DR. TANG: And do you anticipate that there’ll be any competitive
concerns with the sharing?

MR. SHEILS: I think that is the big issue. That is why I mentioned before
AHIP is going to have an interesting debate about why Aetna should want to
supply CIGNA with the PHR – because the obvious goal is to retain the member.
We don’t want to make it easy for the member to switch from plan to plan.

I think the way to address that at the board level at AHIP is to say, as I
mentioned before, there are competitive advantages and differentiation
capabilities in the PHR that you would say to your member, If you stay with
Aetna, for example, we give you more powerful analytic tools. We – you know –
we provide you with greater insights into your healthcare than the subsequent
plan might, but the base raw information is a commodity. It actually should be
transferred from plan to plan. It is the analytical – you know – enhancements
to that that should provide, you know, essentially competitive – you know –
comfort to the plans as they adopt this system.

DR. TANG: And would it be possible for the subsequent plan to apply
analytics to the claims history –


DR. TANG: – of the previous plan and –

MR. SHEILS: Yes, absolutely. Yes, but it is really the nature of the
analytics, I think, that are going to be the differentiator.

DR. TANG: Well, I mean, glean information about the previous plan and –

MR. SHEILS: Well, yes, I think – they won’t give them the kind of plan
design-based information that really kind of tells the subsequent plan how much
they charged. It would be the raw – you know – medical – derived claims data
information about list of medications, those kinds of non-plan-design issues.

MR. REYNOLDS: Thanks to both of you.

I think it is interesting. As many discussions go on, we say electronic
health record, we act like we all see one doctor, and I think that what the PHR
is going to allow is almost some kind of a data-rich index as to the things
that are going on with a person. If HMOs had won to where everybody had to go
through a gatekeeper, it would have been different. So I think more and more
there is a correlation between the two.

Then, obviously, whether or not the person puts everything in the PHR and
whether or not there is something on there that says I purposely left stuff
out, because of – you get into good medicine versus good privacy versus good

I might want to put all mine on there, in case I’m up here and I faint
today, and somebody could – a doctor could access it from one of the hospitals
in Washington and they would really know who I am seeing and what is going on
with me, that would – I would like that.

But I think the question still becomes, as we look at it from a privacy
standpoint, regardless of whether there is an EHR – a magical EHR in the sky or
it pulls together all the doctors or there’s a PHR that says who my
doctors are and then maybe I can get a link to their system to find out what is
going on.

What do you see as the mechanism to decide – for the person to decide who
gets to see it and what is the type of data that they have to put in so that
you know it is a doctor, you know it is an entity that should get it in?
Because, in the end, we are just electronically setting up data and now we go
at it. So that’s our issue continually.

MR. SHEILS: Many of the vendors, by the way, in the – I’ll call it the
payer PHR space have elaborate presentations which I would recommend the
committee view regarding the security and authentication systems put in place
to address that very issue. A company called Care Keeper, for example, I would
highly recommend you look at their system.

What they do is essentially format the PHR in discrete data sets that
enable the patient to determine what components of the PHR should be viewable
by whom, and they also have an elaborate system, certainly – and it is all, by
the way, patient controlled, not family-member controlled. It is really down to
the patient – and then they go through this elaborate system of saying how the
patient gets authorization to access the data, and, then, there’s
different kinds of security protocols they can apply to what providers have
access to what portions of the data, but I am not the one to actually go
through the detailed technical analysis of how those authentication systems
work, but those folks would be more than happy, I think, to present to the
committee their solutions to those authentication and data-segmentation
capabilities for their systems.

MR. MC BRIDE: I’ll just add to that and say there are a number of
vendors that I have also run across that are dealing with just that issue.
There’s Care Key. There is also You Take Control.

Some of these companies are acting sort of like Switzerland, if you will,
in the sense that their sole purpose is to – you know – basically serve up the
data, point to where it is and so forth, but they track the patient
preferences, so when you say like you take control in that example, the patient
actually takes control of who sees what data down to a very granular level.

So, once again, that technology exists, and a lot of the detail around the
business or operating rules needs to be built on, you know, exactly when a
request comes in, you know, how is it serviced and who has the right to see
that request and who has the right to respond to it, and should it be stored,
in fact, going to previous questions that you have asked.

DR. TANG: Just a quick followup on the authorization, and that is an
interesting description of Care Key and their authorizing various levels of
access, but the original, actually – so one of your members wants to set up a
PHR, how do you authorize that individual as the party actually accessing that
piece of data?

MR. SHEILS: Well, it depends on which protocol you select, but there is a
series of password protections, identification that is specific to the

Right now, to get into the claims database – or, excuse me, to get into
your claims history of payment at Aetna, you have to give you password – your
ID, your password and then some other level of identification.

MR. TANG: How do you set up your original password? I mean, how do you
authorize – authenticate the member?

MR. SHEILS: I don’t know how it is done today at Aetna, but,
prospectively, it would be some form of probably written authorization that you
then say to the patient, You have to authorize Aetna to set up a PHR for you
and designate which password or which security protections you want to – you
know – you undertake.

DR. VIGILANTE: Actually, Harry addressed one of my questions, but I made
the reference earlier that a doc would always want the EHR, but, you now, as
somebody who spends life in ER medicine, where you, by definition, take care of
people you don’t know every day and who seem to invariably not know some
of the most basic things about their health and what is going on, particularly
medication, recent lab results and a list of diagnoses, I personally would find
this actually very valuable, particularly in the ER setting, just to be
grounded in what is going on with a given patient. So I think this is – at that
level, this is very useful information.

DR. ROTHSTEIN: But you could also have that summary type record through the
EHR. You wouldn’t need a PHR.

DR. VIGILANTE: Right. If an EHR exists.


DR. VIGILANTE: Right. The nice thing about – this is claims generated, and
so is it typical of claims-generated data to have actual lab values, a), and b)
is there any hope that one would – claims data would actually generate –
because the other things I would like to see would be – you know – a result of
a stress test or an MRI or something like that. Any hope of getting that in the
same way –

MR. SHEILS: Yes, well, the answer is no. Typical claims databases
don’t actually – you know – store lab values, but many of the plans have
long ago contracted with the lab companies to deliver those lab values, so that
they can employ them in their analytic abilities to determine, you know, trends
and predictive modeling capabilities.

So, yes, I think the goal of the PHR infrastructure would be that you
certainly start with claims data, but that you create the system in such a way
that it is open enough to enable claims – excuse me – lab values to come in,
images from radiology departments to come in. It starts to sound a lot like an
EHR, and that is kind of where this parallel development effort has to occur,
because once you build the member-centric record, you can import data into it
according to standards that get it closer and closer to being the same goal as
the EHR. Won’t be as rich, but it is clearly the first steps would be lab
values, radiology images into the system.

DR. VIGILANTE: So lab values now would say come from something like –
wouldn’t come from the hospital. It would come from –

MR. SHEILS: Come from Quest.


MR. SHEILS: Yes. That’s correct.

DR. VIGILANTE: Right? And so your – Okay. So it would get – the more
fragmented that market, the more difficult it is to get that data in terms –

MR. SHEILS: In that case, it is not a very fragmented market.

DR. VIGILANTE: – isn’t, but MRIs –

MR. SHEILS: Correct. Right.

MR. MC BRIDE: We take a very similar approach as well, as far as in the
State of Florida, again. If you look at the payers that we have brought
together – Aetna, Blue Cross, you know, a number of payers in Florida – if you
look at the labs, as an example, you can do the same thing. You can apply the
same paradigm of having them go through – you know – for lack of a better word,
a clearinghouse, but somewhere where this information can be consolidated
appropriately and securely, taking the same approach.

MR. HOUSTON: Yes, I heard both of you discuss the fact that there is this
need for a patient’s authorization scheme in order to approve access to
the information via a provider, and yet on looking through the testimony of Mr.
McBride, I know that one of the things you did say is the need for uniform
privacy laws, and I guess part of my cynicism says we probably won’t have
– not have that, but I think that – personally believe that an authorization
scheme – a robust authorization scheme would tend to be able to address the –
sort of the landscape of varying privacy laws throughout the country, and I
just would be interested in sort of telling me whether I am right, wrong or you
think that it is workable to deal with – a robust authentication scheme or
authorization scheme to try to bridge – you know – bridge this issue?

MR. MC BRIDE: You are talking primarily about security or the privacy –

MR. HOUSTON: Well, I think what I am hearing is the patient would authorize
what information about them is made available to a provider, and I think that
that is a basic rule that seems to be pretty common amongst state privacy laws
is that the cornerstone of all the privacy laws seems to be this concept of
patient authorization, and I am just wondering if, based upon the architectures
I am hearing you both indicating, it sounds like you could use that as a way to
sort of bridge this issue.

MR. MC BRIDE: You could potentially do that. I believe, you know, the
higher up you go – once again, starting off, you have to consider the time
factor here, too. If we want to do this quickly, I am suggesting this opt into
a system that would be at a more national level, possibly easier to understand,
because from the last testimony I just heard from three different
organizations, it sounded like not a single patient declined being part of –
you know – EHRs and PHRs, whatever are being built there. Not a single patient
decided not to participate in that.

MR. HOUSTON: So you are saying opt out versus opt in.

MR. MC BRIDE: I am just saying in that circumstance, none of them opted
out. They all opted in. They chose to sign an agreement basically allowing
their information to be included in a database. So, once again, I think that
boils down to now there’s three different entities with their own privacy
rules that they have just decided to enact and a patient has signed this.

I’m saying the more of those you have, if we let that get out of hand,
every single one of those agreements are going to be different. So when you try
to hook up at a national level, it would be extremely complex to navigate
through all of the agreements.

MR. HOUSTON: Do you think within an HIN – you sort of talk about this
concept of a – even though there’s a lot of local control over information
and the like, but there’s still this governance that’s through some –

It seems to me, I think, what you are saying, though, is in your written
testimony is there is a sort of a governance that is national. Do you believe
that that national governance could dictate the form of an authorization that
then could be used as the basis for – you know – a common authorization that
then could be used, which would then satisfy – you know – different varying
state and federal laws regarding privacy?

MR. MC BRIDE: I do believe that that is the case, and, once again, at the
national level, I would be talking about a minimum set of requirements. So it
would be very scaled down, compared to what you could do maybe at a local
level, perhaps. So, you know, the fact that there are different agreements that
maybe pertain to how you pass from department to department, maybe they are
more stringent or – you know – they are just different.

I think that is okay. It is when we start to interconnect and we start to
talk about interoperability that the real issue of – We need to have something
high level, a minimum agreement about what needs to be authorized and what can
be passed. Without that, the interoperability aspect becomes, once again, very

MR. SHEILS: I think it is fair to say that as you increase the rigor of the
authentication and authorization standards applied to an electronic record, you
decrease the risk of violating state law, but you do not eliminate it. So I
think that it would be too much to say that a bulletproof authentication and
authorization standard gets you out of the soup of making sure your system
complies with state privacy laws.

MR. HOUSTON: And I have one other question.

DR. ROTHSTEIN: Well, I think Kathleen has a followup, and then we’ll
come back to your question.

MS. FYFFE: I don’t know that it is a followup. I want to get back to
the lab discussion.

DR. ROTHSTEIN: Okay. Then we’ll put you in the queue.

MS. FYFFE: Thank you, sir.

MR. HOUSTON: One of the other questions that – one of the other things you
said in your written testimony was that you sort of – the concept of the
internet as being sort of – it is being the vehicle, and I guess the question I
would pose is should that be a given or should we be looking at some type of –
you know – internet two style – that is probably not the right way to phrase
it, but some other alternative private network where RHIOs and an HIN creates
to be able to ensure maybe a higher level of security than otherwise would be
available via the internet, at least for the high-volume transactions that
might go on between a RHIO and the different providers and the payers, knowing
that there is going to be a lot of volume in that type of environment?

MR. MC BRIDE: I think the internet can serve as a part of the stack of
technology, and I am a big believer in it. I think that the standards have come
– you know – quite a long ways since the inception of the internet, in terms of
security and communication and so forth.

So what I am suggesting is, where appropriate, we use the internet,
especially the standards and protocols that have been developed, for
communication and security.

Whether we build more on top of that, I think that that is certainly
something that is up for debate. I think that there can be additional levels of
security, but, once again, it can’t be something, you know, in a vacuum.
It needs to be something that I think is an open standard, even if open in this
context means open within the healthcare industry. So, once again, I think the
internet is very secure.

When you talk about leased lines and a lot of things today that serves up a
lot of connectivity and healthcare, it is arguable, but leased lines are not
necessarily as secure as a VPN over the internet, let’s say, because
oftentimes, a leased line is not encrypted, and, as you look around at
technology today, if you look at switches, for instance, almost every switch
today is a virtual switch. You don’t actually have – you know – a point
with a wire connected all the way down from Washington to Florida. These are
all virtual switches. Virtual switches use quite a bit of software and
technology where you are literally passing unencrypted data over virtual
switches. So when you talk about some of the security through the internet, it
is actually more secure in some circumstances.

DR. HARDING: I would like to give a compliment and a caution.

I am an educator, and I was delighted to see in the plan here from Aetna
that there would be an educational process in the PHR, where, I think you
mentioned, you would send JAMA articles to individuals who had diabetes or
something along that line.

The caution is that from previous testimony that we have had through the
last year or two that sometimes there is a very close call between education
and marketing and that if Aetna is giving out recommendations of healthcare,
then we would assume, of course, that that is nothing but the scientific facts
and has nothing to do with Crestor(?) versus Lipitor(?) or those kinds of
things, and just wondered if you had thought that through a little bit.

MR. SHEILS: We actually spent a lot of time understanding the implications
of those kinds of issues at Medscape. Medscape actually created a fairly
well-known brand in the space by making sure that information provided to
physicians was not influenced by, in fact, in Medscape’s world the
sponsors of the site. So we hired, actually, George Lundberg(?), former
Editor-in-Chief of the Journal of the American Medical Association, to ensure
that integrity of the editorial process.

In the plan environment, I think it is less – first of all, there is no
pharmaceutical sponsorship of the PHR that is contemplated in any proposal that
I have been associated with. So it really may be a matter of determining from a
– maybe an editorial board which evidence-based information is delivered based
upon this particular clinical profile. It would not be influenced by the fact
that – you know – one pharmaceutical company would benefit from having the
favorable article in JAMA submitted as opposed to somebody else.

So we are very aware of the potential perception of influence by
pharmaceutical companies and others on the independent evidence-based
information we would supply to a patient based upon claims data.

DR. HARDING: But, see, Aetna would be subcontracting with a
pharmacy-benefits group.

MR. SHEILS: We have our own, actually.

DR. HARDING: Okay. Pardon me, but that group could benefit.

MR. SHEILS: Sure. Yes, those plans that have a PBM, have the apparent
conflict that – you know – there is a relationship between the pharmaceutical
companies and the PBM that would potentially influence a plans information
distribution to the member, and we are very aware that that – we can’t
cross lines in that respect.

DR. HARDING: Thank you.

DR. ROTHSTEIN: Thank you.

Two final questions. Dr. Tang and then Ms. Fyffe.

DR. TANG: They may be very related, because it is on lab as well. So it was
interesting to hear that a plan could get all the lab values from lab
contractors, and what is the HIPAA basis for getting access that kind of

MR. SHEILS: I think the – I don’t know the specific answer. I would
argue that, as a covered entity, you know, we can get access to information for
purposes of health operations. So we can use the information from the lab to
conduct analyses of the data on a global level to determine, you know, trends
in predictive modeling for the benefit of the patient population. I don’t
know the specific HIPAA issue with respect to whether or not there is
additional information, additional regulations relating to use of that
information in the PHR. That will be one of the things we are looking at as we
conduct a legal evaluation of the PHR as it relates to all the data points that
we would bring in in addition to the claims, things like lab values as well.

MS. FYFFE: That is part of the question. Actually, Jon, you sort of said,
well, the labs – Tell me a little bit more about the labs –


MS. FYFFE: – and under what circumstances there would be data feeds of not
the requests for the lab tests or the fact that you have paid for a lab test,
but the actual clinical values.

MR. MC BRIDGE: To make sure I understand your question, let me take a stab
at answering this.

MS. FYFFE: Yes, thanks.

MR. MC BRIDE: But when I talk about Availity servicing labs and payers, our
customer, the user, is actually the provider. So Availity looks at the work
flows and serves up portals to providers. This would be providers, perhaps,
that wanted to refer a patient, one of their patients, to another provider, and
that provider may need to see a lab.

In that case, this doesn’t really have anything to do with the health
plans. This would be a provider saying, I have this lab value. I would like for
Dr. Smith to see this, and Dr. Smith, she may decide, you know, I need
something else, and may ask for some information from another provider. So it
could be collaborative on the provider side, not necessarily the payer side,
the health-plan side.

DR. ROTHSTEIN: Well, I want to thank both of you for your testimony. That
was very helpful.

I don’t know whether we are closer to any answers, but we are closer
to the questions – (laughter) – and we will resume at one o’clock, after
our lunch break, with international health systems.

(12:13 p.m.)

* * *

(1:05 p.m.)

Agenda Item: Panel III – International Health

DR. ROTHSTEIN: Good afternoon, everyone.

We are now prepared to resume our hearings on the National Health
Information Network, and I will attempt this afternoon not to do to
international relations what I apparently did to wellness programs this

Let me also say that, in addition to our two witnesses on Panel III, at
four o’clock this afternoon, we will taking testimony from Dr. Brian
Richards and Ms. Jeanine Ward from Australia about the Australia health system,
and, tomorrow, at 11:00 a.m., we’ll be hearing from Ib Johansen at the
Danish Centre for Health Telematics, and so this is – we’ve got two
in-person witnesses and two witnesses by telephone from Australia and Denmark,
and if you have heard part of our session this morning, you know how we are
searching for answers and we are searching for help, and anything that you can
provide us with along those lines that other countries are doing, have
considered, where you are on this issue would be very helpful.

So I am pleased to welcome Mr. Sheridan and ask you to proceed.

MR. SHERIDAN: Well, thank you very much –

DR. VIGILANTE: Can I just interrupt – I just want to – interest of full
disclosure, I just wanted to say that Booz-Allen has recently done work for
Canada Health Infoway. I don’t believe there is any conflict of interest,
but I just wanted to disclose that and be cautious in conversation.

DR. ROTHSTEIN: Thank you, Kevin. We’ll have that on the record.

MR. SHERIDAN: The work wasn’t that great, Kevin, so – (laughter).

Thank you. It is a pleasure to be here today and appreciate the
opportunity, Mr. Chair.

I guess, basically, I’ll just – I won’t bother with my – Oh,
well, maybe I will bother – So basically talk a little bit about the drivers
for healthcare reform in Canada, and, you know, at the end of the day, I
suppose the patient is at the end of the drive and the process, and so perhaps
not a whole lot different than some of the issues with U.S. patient and
healthcare, but, certainly, at the end of the day, we are looking at a set of
fundamental issues looking at how to improve access, how to reduce wait times.
Looking at our overall contingency of human health resource services, home
care, home-care issues, national pharmaceutical strategy, public-health
strategy and a public-health surveillance strategy, aboriginal health, and,
basically, in terms of the overall process, accountability vis-a-vis
expenditures and the implications in moving the agenda forward.

Just to give you, very quickly, a little bit of the flavor for the sorts of
issues, in terms of the drivers, not just demographic, but, actually, in the
actual care system, for every 1,000 hospital admissions in Canada, 75 people
will suffer an adverse event. For every 1,000 patients with an ambulatory
encounter, there’ll be 20 people who will suffer a serious drug event. For
every 1,000 patients discharged from the hospital, 90 will suffer adverse drug
events. For every 1,000 laboratory tests performed, up to 150 will be
unnecessary, and the list goes on in terms of the potential impacts in terms of
some of the challenges around the system following up on sort of three
particular venues, primarily, looking to drive forward progress in access, in
the quality and in the productivity of the care and the delivery in the
healthcare system.

As far as Canada Health Infoway is concerned, our electronic health record
program looks at six basic drivers: Demographics, which are associated with
registries, both client and provider registries; diagnostic imaging; laboratory
results; drug profiles; immunization and telehealth. Those are sort of the key
components of where we are looking to make progress in electronic health
records over the next three to four years.

In terms of the actual access, quality and productivity side of the
equation, we have pulled together some estimates from a number of different
studies looking at if we were to implement an electronic health record for each
resident of the country, what would be the ongoing savings to both the system
as well as to the care for the patient, which are sort of the penultimate

So, for us, in looking at it in terms of access, the availability of
services and access to services, we are looking at, from the implementation of
electronic health records, about $30 million a year in savings, primarily
around medical transportation savings and costs in moving patients around from
critical-care facilities to clinics, et cetera, et cetera.

On the quality side of the equation, adverse drug effects, we are looking
at a potential savings through the implementation of interoperable electronic
health records somewhere around $3.4 billion per year to the system, across the

And diagnostic imaging, using PAX(?) technology in a OHER environment,
looking at savings of potentially up to $1.6 billion per year.

So these are not just the financials that, at the end of the day, we are
talking about in terms of productivity and quality. We are also talking about
the overall care-delivery system and the health of the patient.

Canada Health Infoway was created to foster and accelerate the development
and adoption of electronic health records and information systems across
Canada. We are a not-for-profit corporation and basically have a shared
governance. The 14 jurisdictions in Canada, the three territorial, 10
provincial and one federal jurisdictions are, in fact, the owners of Infoway,
and, in fact, set the mandates and the agenda for the corporation and its

Basically, the goal for Canada over the next three to four years is to have
50 percent of all Canadians in an electronic health record across the country,
and why only 50, we can talk to the issues around 50 after that.

Infoway is a strategic investor. We do not build the systems. We do not
hold the systems. We do not hold the health data. We do not hold the clinical
data. We are strategic investors with the jurisdiction basically to invest with
them to find pan-Canadian solutions to issues around lab, clinical, drugs and
other solutions to moving to pan-Canadian interoperable electronic health

The funding formula that we use is a 75/25 formula for eligible costs, and
the capitalization of Infoway at this particular juncture is about $1.2
billion, which will be depleted over the next three to four years to get to
that 50 percent of Canadians having electronic health record.

In terms of the funding process, the gated(?) funding model that we use
provides for if it is not delivered, then we don’t pay. So there have been
some issues around that, in terms of take up from the jurisdictions, but, at
the end of the day, the cooperation model has, indeed, worked for us and is
working well.

We have nine programs, strategic investment programs that make up the
Infoway corporation: Innovation and adoption, interoperable electronic health
records, drug information systems, laboratory information systems, diagnostic,
public health, telehealth and then client-provider location registries and an
infostructure program in terms of standards and blueprints for achieving these.

We have a national agenda. We are levering what is in place in all
jurisdictions. I think that this is a slightly different – this is, I think, a
significantly different approach from what is being done in the UK and in
England, in particular.

So we are not promoting a rip-and-replace program. We are basically
building on what we have, driving across shared governance, standards,
pan-Canadian standards for interoperability and looking at the direct business
benefits for all of the investments that are made in terms of very specific
outcomes and very specific benefits for Canadians.

The business strategies, I think, I’ll skip over in the interest of
time, but there is one piece here that is important, and that is the notion of
focusing on end users. It is the end users in the system that really, at the
end of the day, trying to make these huge changes in technology, moving from a
paper-driven world to an electronic world, where, indeed, looking at our
challenges is – primarily in the area of end-user adoption for these electronic
health records in order to be able to move the agenda ahead.

Key definition for us is what is an EHR? The last two people providing
testimony here and looking at it, it sounded like the vision of EHR versus
electronic health record and electronic medical record, a personal health
information record, some terminology there that we should probably lay out
straight at the beginning.

For us in Canada, it would be a secure private lifetime record with key
health history and care within the health system. The record would be available
electronically to authorized healthcare professions, and the individual,
anywhere, anytime, in support of high-quality healthcare, also to provide
across a continuum of healthcare and healthcare delivery organizations the kind
of information that is required to manage the patients.

Quick look at the type of architecture that the EHR in Canada is proposing.
Basically, we would have a set of domain repositories which would include
laboratory, pharmaceutical and imaging information. A repository would cover a
population of about 1.5 to 2 million people. The same thing in terms of client
registry and provider registry. So, roughly, when you take a look at the
population, looking at the IEHR, in the case of, say, PAX Imaging, we are
looking at probably 25 to 30 PAX Imaging nodes across the country that would
hold those PAX information for the diagnostic imaging and be accessible from
the physician’s office and from the critical-care facility. Same sort of
thing for lab and the same sort of things for the repositories associated with
pharmacy and drug.

I should say, in terms of client registry, client registries and provider
registries are the single sole source information and demographics on the
patient, and the provider provides all of the demographics and information
around the specialist and the provider, including pharmacists, nurses and

Privacy issues, very quickly, looking at a survey that was recently done,
about 85 percent of Canadians support the development of electronic health
records, which is a very high level of endorsement on them. The results of the
survey indicated that Canadians strongly believe that electronic health records
will, in fact, improve the ability of authorized healthcare providers to
provide better quality of care, but, on the other hand, they have some
concerns, particularly about who has access to the record, how they have access
to the record and for what purposes they would have access to the record for,
and, basically, that care around their privacy with respect to the EHR
certainly came out in the survey and we certainly heard some of those
discussions this morning.

The privacy challenges for interoperable EHR solutions, I think the members
of this panel are probably quite familiar with those.

You know, we are looking at issues around consent representation
mechanisms. We are looking at authentication and authorization techniques,
role-based security and privacy, contextual access criteria to data and trust
models between systems, and I think on the trust side, the trust model side of
the equation, we are probably a lot further ahead than we are on some of the
other areas with respect specifically to privacy per se.

So I think, in terms of the security side of the equation, where we stand
today is probably further ahead than we are in some areas with respect to the

In looking at some of the work that we have done on privacy, we have, in
fact, created a conceptual architecture for privacy security in which we have
uptaken a broad set of consultations with stakeholders. In Canada, the actual
health records and the privacy associated with those have 13 different sets of
legislations associated with them, and the jurisdictional governance of the
actual health records themselves are at the provincial and territorial levels.

So what we have done in terms of privacy in trying to move ahead our
process for saying what would be the best way to build architecturally a
privacy and security set of requirements for EHRs, which turned out to be 28
sets of privacy-specific issues and 87 sets of security-specific related
issues, we put together a group of experts and people from the jurisdictions to
lay out a conceptual architecture for what a privacy and security architecture
would look like, the sorts of standards that would be in there, and something
that would respond to the individual privacy acts for each of the various
jurisdictions, and the requirements for what would be appropriate for an
interoperable EHR.

We are just finishing the work on that. We’ll probably be publishing
that in the next month to month-and-a-half, but it will lay out the high level
privacy and security requirements for an interoperable EHR.

In moving forward for us, some of the issues that – looking at in terms of
the potential of increased privacy and confidentiality, automated audit and
alert capabilities, I think, are something that are probably, in an electronic
world, developing at a very fast pace and will be particularly useful for
privacy and security; putting limits on who can access what and when they can
access to particular sets of data; automated consent validation and the
management of that consent validation and the limit of the modification of EHR
data to authorize personnel are some of the issues that we are still taking a
look at.

We think that the technology, as it has evolved today, probably puts us in
a position to clearly enforce the privacy principles, in some areas, probably
better than in others.

So as we try to move forward, some of the challenge that we are looking at
is the actual overall progress for us in terms of investment, and moving the
agenda ahead has been slower than we would have liked and has been slower than
we actually planned.

There has been some issues around the jurisdiction’s ability to find
the funding to move forward the electronic health record agenda in several
areas in the country.

As I mentioned earlier, the adoption and exception by healthcare
professions means major changes in terms of work flows and interaction with the
way, not only the way they interface with patients, but also the treatments of

And, finally, at the end of the day for us, $1.2 billion, which is about 25
percent of the total cost in terms of where we are looking in clinical
healthcare, is clearly not enough money to solve the electronic health record
issue in the country. Our estimates now are looking at somewhere in the
neighborhood of $10 billion in order to be able to deliver an electronic health
record for 100 percent of Canadians.

So that is a very quick update on where we are and what we are trying to do
north of the border.

DR. ROTHSTEIN: Thank you very much. I know we’ll have some questions
for you at the end of –

MR. SHERIDAN: That is unfortunate. (Laughter).

DR. ROTHSTEIN: You must have heard the other questions that we –

Dr. Detmer, welcome back to NCVHS, and appreciate your coming and anxious
to hear what you have to say about the UK.

DR. DETMER: Thank you.

Let me get these up here.

DR. COHN: And, actually, I just want to take a moment to just remind
everyone that Don is actually a former Chair of the NCVHS –

DR. DETMER: Good afternoon. It is nice to be here today. Actually, I was
with a different committee last week. So it is sort of deja vu all over again,
as Yogi Berra says. (Laughter). At any event, it is nice to be back, and nice
to be back in this room with you folks.

I, obviously, am not going to try to adopt my East Anglian accent this
afternoon, because it wouldn’t pass. The reason I sit here as an American
talking about the British current law relating to – as they say – privacy is
because I did sped 4-1/2 years in Cambridge up to about year plus ago, and in
the UK actually was asked by the Undersecretary of State to review their
strategy in the UK, and have stayed in touch.

Having said that, I really do consider myself a fairly weak substitute for
some other people that really could be here today and they aren’t. So if
you do have some specific kinds of questions that go beyond my capacity to
manage to this, I’ll be happy to get back to you through my contact.

Now, what I’ll be doing is focusing more on United Kingdom and, to
some extent, European Union law, because that is now playing into this whole
thing quite a bit, and, really, frankly, all of Europe is struggling to try to
figure out how to do these balances between these sets of issues, and, of
course, to put it in the context of the Infoway, as you know, the UK – and that
is really England and Wales, not so much Northern Ireland and Scotland – are
engaged on really a fairly massive effort to computer base their care system.

Now, it is interesting in the sense of how that plays out different from
the U.S. situation is they really have not had a personal health record
interface to the doctors’ records, if you will. So the National Health
Service system is really kind of an intranet sort of system that really it
doesn’t have much of a semipermeable membrane, if you will to people going
to the internet personally and then trying to relate to it. So it is pretty
much all in a contained situation, and their architecture, I think, is going to
have to go through some sort of agonizing reappraisal as, obviously, this new
kind of technology of clicks and mortar kind of care starts really moving

Okay. Having said that, what I am going to do is draw heavily on a
presentation given by one of my close colleagues in the UK, who I worked with a
lot at the Judge(?) Institute, the Business School in Cambridge, on a lot of
these topics, and he gave a presentation to the Medical Research Council at a
workshop they had last year, and it is updated somewhat, but it is sort of
their NIH.

So at the end of this presentation, I do have some things that relate to
how this is playing out relative to research – clinical research, medical
research – that I really won’t have in my comments. I’ll stop before
then, but if you are interested, we can talk about that, because I know you
have had some hearings in that area as well in the past year.

Now, to again set the stage, I think the biggest differences, really, in
how this plays out in the UK versus the U.S. is, obviously, they have universal
state provision, which means that only about 10 percent of the population
actually has private insurance, in the sense that we would talk about it here.
So their system is basically a dominant government system, and that changes the
dynamics. I really think a lot of our issues in this country relating to the
whole privacy issue really comes down to – you know – this fact that we really
don’t have universal access to care, and I think that would change the
dynamics. We worry about what happens to insurability and a lot of these sorts
of things that really over there it is just not part of the picture. So that
changes it.

The other situation, as I mentioned, there is a state of real flux going on
right now between what is EU law and what is UK law, if you will, and that
plays out in the other countries as well.

I think it is a safe statement to say that the medical community feels like
the privacy regs to date – and not so much the regs, per se, but also the
reaction to the regs, and I think we see this with HIPAA as well over here. The
reaction to it is such that it is adversely effecting research, and there is, I
think, a sentiment that it is hurting research across all types of research and
all phases of research. So it is a serious issue, I think, frankly, in the
biomedical community perceptions over there, and I’ll talk more about how
that plays out.

Compared to the U.S., electronic health records really are less of an
issue, I’d say, just publicly. They just don’t get as much press as
being that big a deal, and unique health identifier is not an issue at all. I
mean, 330 million Europeans now have a unique health identifier card and they
just don’t see this as an issue.

They are having a fair amount of debate over a mandatory citizen ID card in
the UK, but it looks like the Prime Minister actually will be effectuating even
that move in the next year for security issues.

Much less media intensity around the whole concept of privacy. It is just
not really on the scanner in the same kind of way it is over here.

So what I am going to do is to talk – give a general background a little
bit, talk very lightly about the legal backgrounds, issues of consent,
anonymization and then, hopefully, there’ll be some discussion.

I think for the general view, they have a Horace model, which is their
general information government’s model, and that basically is holding
information. Should you be able to hold information? Obtain, did you get the
information appropriately, properly? Is it recorded accurately and
meaningfully? Using it. What are proper uses for the information. Who can you
give it to and so forth, and sharing who else can hold it and who else should
have it. So it is that basic sort of framework that they use.

I would say the ethics really are pretty much parallel between the two
nations. I really don’t see that the general considerations – although we
are otherwise separated by common language, I think on these aspects, we really
are pretty much on the same page.

Now, the problem, of course, in trying to activate and really develop rules
and regs and then have them actually work is that the kinds of things that come
up in healthcare and such are so complicated and so multivaried it really is
tough to, I think, create regs that allow things to happen, at the same time
meet the needs. So it is difficult to codify.

Now, this shows you how much action is going on. There has been a huge
amount of activity, and it is fascinating that, in general, you’ll notice
that they actually got into this back in the early ‘80s, and, to some
extent, that followed this country’s development of privacy regulations
for government-held data, but because we don‘t have a national system, we
didn’t put it into our private sector. Whereas, they have a national
system, started actually getting into this for all of their systems a long time
ago, so, in many respects, much like the NHII, they are kind of ahead of us in
Canada and so forth, because they have been at it, I think, to some extent,
picked up on some of the work, obviously, that they have done, but some of the
work has been done in this country, too, but had a national system so they can
move it forward.

In any event, as you can see, this is a busy slide, but it needs to be
there because it shows you how much busy-ness has actually been going on really
to this, and I’ll be going through some pieces of this going forward.

The legal background, there is the common law of confidentiality. There are
these OECD principles that come from the members of the OECD. Going back, the
Data Protection Act in 1984, and, as you can see, a continuing set of laws that
relate to either European Union-derived activities or things actually that are
the UK equivalents of some of those or spinouts of some of those going forward.

The key, I would say, piece of legislation was the Data Protection Act of
1998, which is essentially the UK version of the EU directive which really had
to say, you know, how do you hold data? How do you use data, whether it is
paper or digital? In fact, they don’t particularly discriminate between
the issue of what is the form in which the information is held.

The Human Rights Act in 1998 was the start of an effort to even try to – if
you will – sort of give people a – quote – right to a private life, if you
will. It really wasn’t something that was even in the scanner ‘til
that time.

Freedom of Information Act in 2000. Clinical Trials Directive and the Human
Tissue Bill, which was a bill at that time in 2004 – it has now been passed
into law. So, at this point, that is no longer a bill, but a law.

As I said, Article 8 in the Human Rights Act talks about giving respect to
a private life. The interpretation of how this plays out is still not really
clear, and, in fact, much of what is going on right now, it strikes me, is
trying to figure out what do these laws sort of mean, and, as I say, that has
had an impact on the research community, but it has an impact generally as
well, as people are trying to figure out really how do we try to move these
from the idea – much like the implementation of HIPAA, if you will. You start
it, but then you have to figure out what’s this mean and how do people
really sort of respond to it and how does it shake out.

There are a set of definitions and principles in this, and there are
exemptions given for medical purposes. Now, one of the things that is
interesting in that, the tricky part, is this Section 60, which allows you to
exempt certain person-specific information to be used for medical research, but
then the question is is how do you decide what the guidelines for that are and
the mechanics of operating that, and they started this committee called the
Patient Information Advisory Group to advise the Secretary of State on that. It
applies only in England and Wales.

The issue is is that this PIAG has really had a challenge trying to figure
out how to operationalize their work, and they are underway on that. They are
trying to avoid a major backlog, but people are wanting to, obviously, move
forward on some of those things, but exactly what will be allowed direct access
and under what circumstances and so forth is still under play. There is no –
right now, there is really not a clean, clear answer to that.

The principles are, though, that you either must have consent to – the data
or anonymize the data. The purpose for the use of the data must be beneficial
and proportionate. You must have effective security, confidentiality and data
retention and disposal policies in force. So pretty much you have to follow the
general guidelines, but within those, then, you can get access to data.

Now, I’ll have to say, though, having done research in the UK at this
time myself and trying to get access to person-specific information for
diabetes, chronic diabetes management in the Anglia region around Cambridge was
tough because the point was that at that time, the hospitals – or the trusts,
as they are called – didn’t really have any particular incentive to give
you the data if they might later find themselves at some risk if they did, and
so it was, frankly, just easier for them to just sort of say, Well, we think we
probably shouldn’t do this, and so one of the problems, of course – and I
think we see elements of that here, too – if you may be causing a problem, it
is probably easier just to sort of say, Well, let’s not exposure ourself
to a risk we may not need to have, and so the other social good sort of just
somewhat falls to the side.

At any rate, there is a lot of other relevant statutes, laws mandating data
sharing relating to communicable disease like we have, laws permitting data
sharing relating to terrorism and road-traffic acts, laws prohibiting data
sharing on certain specific conditions, and there’s laws on data subject
to access to medical records and such. So there’s a lot of things out

Now, the common law of confidentiality is not written in statute. It is
based on case law. It really can result in you getting redress for damages, but
nobody is thrown in jail. I mean, you can be sued for breeches of things, but
it is not seen as a criminal kind of thing, per se.

Very few cases that are relevant to medical records, and, in fact,
generally speaking. This is not an active area of – really that active an area
of law at the moment over there. There have been a couple of key cases that
have played a big role. This source informatics case basically sort of said
that – more or less – that if the data are anonymized it doesn’t even
qualify as being of concern to anybody. The challenge, of course, is how do you
do that, so that, in fact, that is accomplished, but the case basically set
that sort of standard.

There are a variety of sanctions in all of these things. As I said, mostly,
you can be sued for damages, but I would say fewer kind of – there are some
cash penalties and such, not a lot that I think I’ll go into there.

As I said, there’s a lot of regulations, then, that play out against
these laws and try to now move these things from sort of the law to what does
this mean. All of these abbreviations are General Medical Council, Medical
Research Council, British Medical Association. There’s – it plays out
through an awfully lot of organizations and entities in society trying to deal
with this, not just the government. In other words, it is really a government
system interface that plays out at that point.

Obviously, this rather dizzying array of laws and regs is causing quite a
bit of challenge, I would say, to people trying to, in fact, just get through
their week and do their job, and so information governance, in practice, was an
initiative that, now, at the moment, has been set aside a bit because of the
effort to put in their information infrastructure, but, basically, what this
was trying to do was to pull together a number of these related initiatives.
Caldicort(?) Guardians are, for example, privacy guardians that sit in each of
the trusts who essentially are a security officer on how data are used, but the
idea was how can we actually bring a lot of these related initiatives into some
coherence, so that, in fact, people have a little better help on working their
way through it.

A tool kit was put together to try to access this and help the – Acute
trust means those institutions that get acutely-injured patients and so forth,
acute illnesses and such, but the idea was to extend it to primary-care trusts,
to mental-health trusts, to GP offices in this next couple of years. As I said,
I think this has been slowed up somewhat.

This healthcare commission ratings is the closest thing I guess they have
to what we would call the Joint Commission on Accreditation for health systems,
health organizations and such. It is a review of your activities, and they do
see having part of your evaluation when you come up for accreditation relate to
how you comply with some of these issues.

So the concept, basically, in the code is to try to protect data, try to
inform people what the policies and procedures are and what their rights are,
and, to the extent they can, provide choices to people, in a clear way, so that
they can do it, and, then, hopefully, see this thing improve over time as sort
of the model.

Anonymization, I don’t think, frankly, it is very different, really,
from the way we kind of deal with it here from what I gather.

So I am going to close at this point. As I say, I’ve got some other
slides there. Particularly, you might want to go to some of the websites and
some of the readings, if you are interested in following up on some of these,
because almost all the – either the legislation or the regs that I have
referred to have websites associated with them that I think could be helpful.

So I hope this has been useful to you.

Thank you.

DR. ROTHSTEIN: Thank you both very much. That was very helpful, and I know
we all have questions. Let me just begin with two, one for each of you.

Mr. Sheridan, could you say something additional about contextual access
criteria that has been or is in the development stage?

MR. SHERIDAN: Well, the contextual access criteria is going to be
fundamentally driven by the privacy requirements of the particular
jurisdiction. So when you say contextual access, you are talking
role-definition access? Yes.

Those have been laid out and set aside as part of the 28 items that we have
looked at, in terms of the security architecture, defining who has the role
under what circumstances and under what particular conditions to be able to
access the individual record have been set, and they are set basically in very
broad definitional terms to basically define or at least respond to the
definitions across the 13 various jurisdictions and their privacy legislations
and their access to information and privacy acts, per se.

DR. ROTHSTEIN: So each of the jurisdictions is going to have a different
framework for the contextual access?

MR. SHERIDAN: We are trying to define a common set of access and
architecture that fits into the overall IEHR. So if you look at it in that
sense, the proposal is to have a generic set that extensively covers off the
major issues.

Will a generic set work across all jurisdictions in terms of their own
individual access and privacy legislations? Probably not. Will it get fairly
close? We think so. So at the high level requirement side of both the privacy
and the security, we think that we are pretty close on those role definitions.

DR. ROTHSTEIN: And we’ll have a better idea in two months, you say.

MR. SHERIDAN: You’ll have a much better idea in two months, when we
come to the conclusion of the final process vis-a-vis the consultation on this.

DR. ROTHSTEIN: Okay. Thank you.

And Dr. –

MR. SHERIDAN: I would be more than happy to make that report available to
the committee –

DR. ROTHSTEIN: That would be excellent.

Dr. Detmer, could you say something about patient control of electronic
health records or health-record information in general?

DR. DETMER: Yes, as I said, I think, at the moment – and this is going to
change, I think, quite a bit in the next couple of years, but, at the moment, I
don’t think there’s a big sense in the general citizen’s mind in
the UK of discriminating between the paper and electronic record, and, in fact,
actually, most patients – just generally, the whole consumers’ movement is
such a different kind of dynamic in this country than I think it is in the UK
that most patients really don’t really see an interest particularly in
having their data or seeing their data. So that plays out quite a bit – you
know – differently.

On the other hand, having said that, I think the basic regulations are in
place to allow people to start acting in those kinds of ways, but, at the
moment, for example, electronic health records are not something that most
patients actually even sort of interact with or would even particularly think
about particularly interacting with, and, in fact, the GP’s who have
electronic prescribing, now, at the level of – you know – almost 90 percent
plus – 95 percent – basically, write their prescriptions electronically, but
those prescriptions don’t necessarily go through their system
electronically. So, in fact, there is not necessarily a lot of transmission to
pharmacy or apothecary, you know, to the Main Street pharmacist.

So the point is is that the system really doesn’t move a lot of data
electronically or necessarily that much in paper, but the public is also not so
much I think even alert to really be thinking about this that much.

I don’t know if that is very responsive –

DR. ROTHSTEIN: Would it be fair to say that the public in the UK is more
concerned about consequential harms than, you know, intrinsic harms from
privacy violations and more likely politically to address them directly by
restrictions on the use of the information, rather than restrictions on access
to the information?

So, for example, in life insurance, the UK has a moratorium on the use of
genetic information in life-insurance underwriting where we don’t have
that, and we would be more likely to try to regulate that by some access rule.

DR. DETMER: I’m glad you brought that one up. That is probably the
only point on the genetic information and insurance discovery sorts of uses
where this is of some issue in the general population and at least the press,
the media. How much of it is actually – you know – at the citizen level, I am
not sure, but that clearly is a point where there is debate, and it is being
handled, I would say, quite differently –


DR. DETMER: – than it would have been handled over here, by far.

DR. ROTHSTEIN: Okay. We are going to go this way for this round. Mr.

MR. HOUSTON: Thank you.

It is interesting. It is good to get a comparison of different systems in
privacy law sets, and a real simple question, I guess, to sort of balance, you
know, our system against the British and the UK – or the UK and the Canadian
system. I am going to give you a sort of – I am going to make a statement and
then give you four different scenarios and ask you which would you prefer to
be. Now, this is going to sound weird, but it is important.

If you were one of the following, would you prefer the U.S.’s privacy
laws or the privacy laws of Canada or the UK? One is if you are a patient or a
consumer concerned with privacy. If you are a hospital or provider of some
sort. If you are a RHIO – somebody is trying to implement a RHIO or some other
type of community-based record or if you are a researcher. Which – I mean, it
is good to sort of get a sense of where we stand in the U.S. versus your
countries on all those different areas. What would you prefer to be if you were
in those four shoes?

MR. REYNOLDS(?): Go ahead, Doctor. (Laughter).

DR. DETMER(?): No, go ahead. I’m interested in your answer.

MR. SHERIDAN: You know, quite frankly, I will say – I was doing a little
background reading on the U.S. laws before I come up here, and the preliminary
sort of preface on it was last year there were 3,000 different privacy laws
either proposed or passed in the United States through various legislatures –
state, federal, et cetera, et cetera. So I got a little discouraged at the
notion of 3,000, and I will be quite frank and say that I do not know enough
about the various privacy acts and the HIPAA acts and legislations in the
United States to be able to make a comparable comment about – you know – which
one of the sets of legislations, Canadian or U.S., do I think I’d be more
comfortable with.

I can certainly say, in Canada, that patient-hospital RHIO equivalents are
extraordinarily well covered in the provincial legislation that exists in the
provinces with respect to medical records, who has access and how they get

I think researchers in Canada are probably – in terms of access to
information around medical records and processing medical records – are
probably at a slightly higher disadvantage in Canada than they are in the U.S.,
and I say that from – basically, from my statistical background, but I think
I’m – that is a long way to avoid your question, and I apologize.

DR. DETMER: Yes, having actually – with Richard and Simon – sat through
like 75 hearings on privacy some years ago, I think a patient isn’t a
patient on this. So there’s such a broad spectrum of people’s
attitudes and – you know – views on this, that, frankly, I don’t think you
can answer your question as a patient.

I think if you are a patient privacy advocate, then I would say probably I
would prefer the U.S. If I were a patient – you know – not in the advocacy kind
of mode, I don’t know, frankly, where I’d come out. Probably
wouldn’t be material to me necessarily. Sort of all be behind the screen,
and I wouldn’t even be thinking particularly about it.

Practitioners, I’d say, tough. I guess I might go slightly for the UK,
just because the whole thing is just not something that is kind of visible and
it is not as thermal an issue at the moment.

From the RHIO side, I would say I would go definitely with the UK. One of
our problems, unfortunately, is we tried to have interoperability with HIPAA,
and we didn’t get it. We got 50 varieties, and we don’t, in fact,
have national standing or stature, if you will, on our regs on this, and so the
problem with – As we talked about at that time, at least you have a standard
across the country in England and Wales. Whereas, you know, here, state law can
preempt these things, and so we don’t really have a standard. I see that
as a problem.

On the researcher’s side, I guess I probably would favor the U.S.,
unless you talk about stem-cell research. Then, you go to Cambridge to do it.

So, anyway, you know, again, I would probably need to think through that
more to give more intelligent responses.

MR. HOUSTON: That was a good answer.

I was just wondering, sort of getting a level set from this committee. We
always complain about the privacy law, and it’s just good to sort of get a
sense on objective opinion as to the merits of HIPAA and the state law system
versus –

DR. ROTHSTEIN: Thank you.

Dr. Cohn.

DR. COHN: I think, in some ways, this is a follow on from John Paul’s
question, which was sort of – I mean, he was obviously asking one place versus
another, but I am sort of curious. I mean, both – It sounds like in Canada,
definitely, and also I guess in the UK, there are both national laws and – in
Canada – provincial laws. In the UK, I presume, there’s local privacy laws
that may relate to this or not. No?

Okay. I’ll ask from our Canadian representative, and I guess I’m
just curious from your perspective how much trouble or complexity are the
various provincial laws adding to your work?

MR. SHERIDAN: I don’t view them as a set of complexities in the
context of barriers. In fact, in terms of the various basic fundamental
principles that are laid out in the jurisdictions’ privacy acts, they all,
more or less, basically cover the same sorts of things and are basically
intended for the same set of fundamental – you know – privacy and access
issues. So it is not a barrier in that context.

The issue is quite clear in terms of the mix of federal versus
jurisdictional acts is that health care is defined as a provincial and
territorial jurisdictional right under the Constitution and the legislation.

So, on that front, as far as the legislative prerogative for healthcare
records, those rest with the jurisdiction. So if there is not a mix in the
context of federal and provincial in terms of actual healthcare records, the
jurisdictional prerogative is quite clear. It is the provincial and territorial
jurisdictions that hold those prerogatives.

So having – it would be – I think it would be a lot easier everywhere if
there was one set that everybody actually agreed to and moved forward, but the
realities that we are dealing with is that isn’t the case, and what we are
trying to do is find a set of standards that are reusable and that
jurisdictions will, indeed, say this makes sense in terms of our legislation,
given what we have to do to have both security and privacy protection around
health records.

DR. COHN: Okay. Thank you very much for that clarification.

So – and, once again – and this is probably sort of a silly question, but
you are obviously creating sort of a national infrastructure with, obviously,
local variation. If someone is seen in Ontario and goes to Quebec and winds up
needing care, how do the rules work, given – I would presume that they are not
the same, and how are you all going to figure that one out?

MR. SHERIDAN: Well, the access in that case, in terms of the definition of
– would be one where the actual patient would define the consent or access to
the particular information and to the particular records.

Right now, the Pan-Canadian Interchange of Health Information and Data is
not at the fore of the issues of what we are trying to build, because we are
moving these as jurisdictional models. So we haven’t come, I think, to
that penultimate – you know – Pan-Canadian exchange of data and information,
but, at the end of the day, it will certainly require that the care giver and
the patient certainly agree to that exchange of data and those information

DR. DETMER: Simon, I might come back to a question that Mark asked me,
because I think I somewhat slid by your question a little bit, so I reflect on

It is interesting that in terms of consent, an awfully lot of the UK still
uses verbal implied consent without sitting down and writing these things and
all this documentation and so forth and considers that sort of just fine. I
mean, almost if the patient sees activities going on that relates to their data
and don’t object to it, it is assumed that there is sort of an implied
consent that it is fine to do this. Making all of this sort of explicit is not
something that actually they are really particularly long on, which isn’t
necessarily your question, Simon, but I think it is worth weighing in relative
to your comment, Mark.

DR. TANG: I found it interesting that both of these countries – I think
it’s true – the UK as well – are centralizing their data, albeit by
jurisdictions or by regions, but there are central databases. That’s
correct at UK, too, Don?


DR. TANG: And Don made the comment that the British are not that worried
about the privacy aspects of that. Whereas, it is almost banned or outlawed in
this country.

Do you attribute – You made a comment, Don, about it being perhaps the
universal access or universal coverage as being one of the reasons that it has
taken away some of the impediments of privacy concern. You think that’s
what is going on in these countries that share that common – maybe it is a
privilege –

DR. DETMER: Well, I don’t know whether to give a cultural,
anthropological or political response to that.

I mean, I think – You know, according to Nora O’Neill – who has
written, I think, a very compelling book called, Autonomy and Trust in
Biomedical Ethics, University of Cambridge – America has gone totally overboard
on individualism and lost all sight of collective good. That is a bit of a
stretch for her thesis, but not by too far, and so, to some extent, I would
say, you know, whether that is right or wrong, I mean, it is just a different
way of looking at it.

I mean, I think the Europeans, generally, see themselves as sort of being
proud of being part of a collective, not just in waving a flag and saying so,
but actually have a sense of solidarity, just plays out differently, and I
think it plays into that in the sense – you know – if this is what’s
needed to see a health system work, then that is what is needed to see a health
system work. I mean, you know, it is just sort of a different point of

DR. TANG: So in Canada was there any serious objection to having
centralized databases?

MR. SHERIDAN: Well, I think we need to be careful on – I need to understand
what you mean by centralized databases.

The databases are not centralized into one, big, huge single database in
the sky. The databases are being implemented in domains across a jurisdiction.
So there isn’t one huge database of information, per se. There’ll
probably be, as I said, about 25 diagnostic imaging repositories across the
country for which the doctor or the facility can come in and get the diagnostic
image, but the diagnostic image – So these will have to be pulled down to the
actual screen face on it.

The diagnostic imaging won’t have the drug and lab information tailing
off the back end of it. You will also have to make a call on the drug
repository and on the lab repository as well to pull these down onto the
screen. So it’s not one huge central database. It is, in fact, a set of
common services with a communication bus(?) that will permit people to pick
these data up from the various domain repositories as they require them.

DR. TANG: Okay. I was referring to central, in the sense of even within a
province –


DR. TANG: – that will be still central, but I didn’t get the nuance
that you’d have the PAX database, the lab database and the medication or
pharmaceutical database. So you would pull it into your own – repository.


DR. DETMER: Paul, I want to add a trailer, if I might come back in on that.
O’Neill’s comments, I think, are really kind of interesting. Part of
the debate on the importance of having privacy controls on personal health data
in this country has been that only that will create trust in the system.
Whereas, from Nora O’Neill’s analysis, basically, focusing more and
more on privacy actually erodes a sense of trust and even gets in the way of
the doctor-patient relationship, because it just makes everybody more atomized
in the society and less sort of collectively focused.

So, you know, I think that it is interesting that it was not an American
who wrote that kind of philosophy, but I think it is a very different way of
sort of looking at what is ultimately a common kind of issue in a way.

MR. REYNOLDS: Mr. Sheridan – Well, both of you, thanks for the comments.

Mr. Sheridan, I guess I am fascinated by the 50-percent implementation rate
that you try to have by 2009 and then the 85 percent acceptance rate. So kind
of two questions.

One, how much money does, say, a general practitioner have to put in to
become part of this, and then, second, how did you get an 85-percent acceptance
rate? In other words, you got a slogan or what have you got? (Laughter). It
might not play the same way, but we – You got a jingle? Yes, you got a
commercial? What do you have?

MR. SHERIDAN: So on the – I think it was actually 87 percent, but on the 87
percent, that was basically the results of a national survey conducted for – I
think we had three sponsors for it – Statistics Canada, Health Canada and
Canada Health Infoway – and it was – the report from the survey is available
publicly. I would be happy to share the results with you, but that is basically
what Canadians said about where they were on with respect to electronic health
records, and driven by a number of underlying agendas, including better
healthcare, quicker healthcare, shorter waiting lines, et cetera, et cetera, et

So, in the context of – and, you know, it all depends – You’ve been
around research each and every one of you. It all depends on the context of the
survey, et cetera, et cetera, but I think it is probably a pretty good
indicator, and if we were – we may want to take a re-benchmark on that, and I
would expect the results, if anything else, would be – would even be stronger
in terms of that.

Fifty percent of Canadians are in our electronic health records – basically
the parameters that we have laid out for ourselves at this particular juncture
in what we can afford to do in the time that we’ve got to do it, and that
is basically where we have laid out our game plan to this particular juncture,
you know, and for us, I think, the sort of the fundamental issues around this
is we really need to have – we are in early days. We really need to have some
success stories before we start taking a look at trying to recapitalize to talk
about let’s get 100 percent of Canadians in an operable IEHR by a
particular given date.

So that is just basically where the framework was laid, unlike our friends
in the United Kingdom who actually got – it was sort of a single budgetary drop
or – I believe it was 16-billion pounds.

DR. DETMER: Um-hum, 16-billion pounds. Yes, we’d be equivalent of $85
billion, I think, is by one translation that the U.S. would be if it were going
to get at this –

MR. SHERIDAN: So it was a very large influx with a large amount of money at
one time in one place versus the approach that we have taken, which is going to
be incremental.

DR. ROTHSTEIN: Final question, Dr. Harding, who will pass, and in lieu of
his question, I just have a quick comment.

If I had to guess the 85 percent would be basically a statement of
confidence in the Canadian healthcare system by people who overwhelmingly like
it, trust it and value the solidarity that is incorporated in the system.

I thank you both very much.

Agenda Item: Panel IV – Regional Health
Information Organizations

DR. ROTHSTEIN: And we will now, without any interruptions, move to Panel IV
on Regional Health Information Organizations.


DR. ROTHSTEIN: Okay. I believe we are ready to begin Panel IV, and I want
to welcome all the members of the panel, and if there are no objections,
we’ll go in the order listed on the agenda, beginning with Dr. Garber.

DR. GARBER: Thank you for this opportunity to inform the committee on what
our RHIO in central Massachusetts has been doing to address issues of privacy
and confidentiality.

I am Larry Garber. I am a physician of internal medicine at the Fallon
Clinic. I have been there for 19 years, and the Fallon Clinic is a 76-year-old,
multi-specialty group practice with 250 physicians at 25 sites in central

I am also the Medical Director for Informatics there, and I have been doing
that for seven years, and we are in the – leading in implementation of
Epic’s(?) Electronic Health Record.

I am also cofounder of SAFE Health, which stands for the Secure
Architecture for Exchanging Health Information. SAFE Health is developing
software to run the Health information Exchange Network in central
Massachusetts with the assistance of a $1.4 million ARK(?) implementation grant
for which I am the principal investigator.

SAFE Health is a community-based project led by the three leading
healthcare organizations in central Massachusetts, the Fallon Clinic, Fallon
Community Health Plan and U Mass Memorial Healthcare System.

Fallon Community Health Plan is a not-for-profit insurer for more than
175,000 members. It has provided significant resources towards the SAFE Health
Project, and is also providing to our RHIO claims history on medications,
health-maintenance procedures and disease-management procedures.

U Mass Memorial Healthcare is central Mass’s largest not-for-profit
healthcare delivery system with over 1,500 physicians in a multi-campus
tertiary and community hospital network.

U Mass also has free-standing – clinics, long-term-care facilities,
home-health agencies, hospice programs and mental-health services.

Committed to improving the quality of care, patient safety and operational
efficiencies, SAFE Health is developing technology that securely stores,
transmits, aggregates and consolidates the display of – consolidates and
displays patient-specific health information, then entirely distributed,
federated architecture.

Like other distributed health information exchange architectures, the
patient’s protected health information resides behind the firewalls of
healthcare organizations that are involved with the patient’s care.

What is unique about SAFE Health is that there is also a distributed
federated master person index. So there is no central master-person index.
There is no central storage of demographic information.

SAFE Health is also unusual in that it integrates decision support into the
network to alert physicians to significant events, such as drug interactions or
significant statuses, such as abnormal test results that are overdue for a
followup or medication levels that are overdue for monitoring. This is
particularly important to patient safety in the ambulatory environment.

Now, it is interesting to note that vendors who are selling e-prescribing
software often tout the benefits that include drug-interaction checking and
also that there won’t be any misinterpretation of handwriting when using
e-prescribing, but in the ambulatory environment, where patients receive
prescriptions from physicians in multiple, separate healthcare systems,
drug-interaction checking may not involve the patient’s entire medication

Furthermore, we did a study with Dave Bates that was published in JAMA and
JAMIA(?), which showed that there are very few adverse events associated with
difficulty interpreting handwriting. To the contrary, most adverse events have
to do with inadequate monitoring of drug levels or inadequate monitoring of
common side effects, such as declining kidney or liver function. In fact, these
were 10 times as common as drug-interaction errors.

So, now, you are sitting here thinking why am I talking about ambulatory
medication safety when you guys are particularly worried about privacy and

Well, first of all, it is estimated that approximately 200,000
life-threatening or fatal adverse drug events in the ambulatory environment
could be prevented each year by using systems such as SAFE Health. Furthermore,
health information exchanges could also help reduce the approximately two
million adverse events that occur nationwide each year as a result of fumbled
handoffs as patients are discharged from hospitals. These injuries and deaths
can only be prevented if patients participate in these networks.

This is extraordinarily important. Sixty percent of physicians practice in
small groups of nine or less. As isolated islands of information, electronic
health records have limited ability to prevent many of these adverse events.
Integrating office practices with hospitals, reference labs, medication
histories are crucial to saving these lives, but if patients don’t allow
all of their health information to flow between healthcare organizations, they
will continue to experience preventable risks to their lives.

So there are two general approaches that govern patient participation in
these health information exchanges. The first is the opt-in approach. In this
approach, patients give informed consent prior to allowing any healthcare
information to be exchanged. This is analogous to what has historically been
done with the paper record. Patient signs a consent, the record is copied and
distributed to whoever needs it.

The problem with this approach is that it puts an onerous, albeit not
impossible, burden on both the patient as well as busy office practices to
obtain and process necessary consent for participating health information

Patients will also prefer to be given options for conditional
participation, such as blocking out perhaps just their mental-health

The opt-in approach requires all patients to give consent to all of their
providers. In central Massachusetts, we have approximately one million
patients, and most patients, on the average, will see one or two primary-care
physicians through the years. They’ll see an opthomologist, perhaps
another specialist. They’ve got a hospital that they go to, a reference
lab, an imaging-system center, a couple of pharmacies. Maybe they have changed
heath plans a few times. So there are at least 10 million consents that need to
be obtained.

Now, if a consent takes one minute to be obtained and performed, that will
require approximately 100 FTEs to process these consents. Nationwide, this
translates into 30,000 new jobs, which may be a good thing or it may be looked
at as raising healthcare costs.

More importantly, until all patients have tracked down all of their current
and past providers to give the consent, patient records within the network
would have numerous unpredictable holes in it, unnecessarily effecting the vast
majority of the patients who had just not gotten around to give consent. This
makes it difficult for physicians to predict what might be missing when a
patient shows up with no medications on their medication list.

With this opt-in approach, it would take several years, if ever, to obtain
the maximal safety benefit from health information exchanges.

Real world experience with the opt-in approach suggests that this actually
may be overkill. The Patient Safety Institute’s Health Information
Exchange in Seattle, Washington, involving the – Medical Center, they use the
opt-in approach, and of the first 400,000 patients that registered, only four
chose not to participate in the network.

Clearly, we need to balance the effort to identify this .001 percent of the
population with the risks of the alternative approach.

The alternative authorization model is one that we will be using with SAFE
Health. We call it the opt-out model. Following the approach that HIPAA takes,
we will update our privacy notices as well as do advertising campaigns to
educate patients in central Massachusetts about the SAFE Health Network.
We’ll also instruct patients on how they can opt out from participation.

We are establishing four different opt-out alternatives. First is the
ability to block particularly sensitive information, such as those related to
mental health, substance abuse, HIV, STDs. Second is just to block information
generated from particular providers. So perhaps psychiatrists or psychiatric
hospitals. Third is to block certain facilities from being able to receive
information on certain patients. This is particularly for employees of
healthcare facilities who go elsewhere for their care and they don’t want
their colleagues and coworkers to know their information, and, then, finally,
is the option to not participate in the network at all.

This opt-out approach has several benefits. First is that the 99.999
percent of patients who want to participate start receiving benefits from the
moment the network is set up.

Second is that physicians using the network will feel more confident that
the data that they are seeing, in most cases, are complete.

Third is that the administrative burden related to processing opt-outs is
dramatically less than that required to process opt-ins. It does make it more
likely that physicians will be willing to join the network.

There are, however, several issues relevant to either approach. First, it
is difficult to block just particularly sensitive information. While you can
identify some lab tests and medications, it is harder to identify textual notes
that can contain this information. Natural language process is something that
we are looking at. It is the ability for computers to actually understand what
is in the sentences, but the fact is it is really not completely adequate at
this time to screen out sensitive notes.

An alternative that we are also trying to use is to screen out sensitive
notes based on either the specialty of the author or billing diagnoses
associated with the visit or admission. This approach isn’t perfect

For instance, a primary-care physician may take a history about a patient
with depression, put that in the note, but it is very possible that will not
use a billing diagnosis of depression, and the reality is this is no worse than
the paper world.


So, currently, in Massachusetts, we are required, in our consent forms, to
have three sections, one for regular releases, one for release of HIV
information and one for other confidential substance-abuse, mental-health
issues, and when patients only select the routine release without the
specially-protected ones, very often, in the body of many notes, is some of
this protected information, and it gets released. It happens every day.

Another problem that arises from the very successful blocking of specific
pieces of information are things like, for instance, MAO inhibitors, which is a
kind of anti-depressant that severely reacts with numerous medication. So when
MAO inhibitors are blocked from the medication list from viewing it is very
possible that a physician could prescribe a new medication with adverse

SAFE Health has taken a unique approach in that the blocking only blocks
the viewing of the information. We have decision support running on the
background of the network that still sees the full medication list, so that
when a medication is prescribed, if it interacts with a blocked medication, the
prescriber will be notified that there has been this interaction with a blocked
medication, and that they need to follow up with the patient and we can unblock
so that they can see what is going on. This way, both the patient and the
physician are protected.

Realistically, this blocking of particularly sensitive information is
suboptimal in that patients may feel that this is 100 percent foolproof, when
it is not, and we are going to educate them about that.

Also, physicians may not feel that they are adequately protected.

It should be pointed out that HIPAA privacy and security regulations are
very supportive of RHIOs and health information exchanges, allowing for the
transmission of all patient information for purposes of treatment, payment and
operations between covered entities without prior consent, but HIPAA is just
the floor or minimum requirement. It is often superceded by other state and
federal regulations.

For instance, there is a federal regulation for health plans requiring
prior consent – essentially opt-in – for particularly sensitive data. So the
medication histories that we are getting from the health plans and for those
that are delegated to the PBMs can’t be given without prior consent, and
that is certainly problematic as patients show up in the emergency room.

I want to take a moment to be clear about what medications fit into this
category of particularly sensitive. In Massachusetts, we have made a list. We
have gone to the health plans within Massachusetts and we have looked at all of
the medications that are classified by the health plans into this category and
grouped them together. So besides antidepressant and HIV-related drugs,
you’ve got diet pills, some cold medications, birth-control pills,
sleeping pills, most seizure medications, Ziban(?), which is something we
prescribe for smoking cessation and Compozene(?), which I’m not sure why
they put it in there, but it is commonly used to stop vomiting. Thus, many
commonly-used medications will be missing from the medication list by default
as a result of this regulation.

This, indeed, has been the frustrating experience of physicians who are
part of Mass Share’s meds info ED project, where medication lists are
delivered from PBMs to three emergency rooms in Massachusetts right now.

State regulations also supercede HIPAA. In Massachusetts, as mentioned
before, we’ll need to make efforts to block by default all textual notes
that may contain this particularly sensitive information. Even more complex,
however, is that regulations differ from state to state. Look at how we deal
with disclosing HIV-related information in New England.

Massachusetts prohibits any disclosure without prior informed consent. New
Hampshire let’s physicians notify blood banks without prior consent, and
Rhode Island and Connecticut allow disclosure without any prior consent as long
as it is DPH or healthcare professionals who are directly involved in caring
for these HIV-related patients.

So this is a RHIO nightmare and it would dramatically undermine the
effectiveness of a national health information network if the entire country
would have to revert to restrictions of the most conservative state. Several
RHIOs have had to – their rollouts because of these legal issues and the legal
fees associated with them trying to work through the regulations.

In contrast, if HIPAA was the accepted state and federal rule for operating
RHIOs, and the National Health Information Network, instead of just being the
floor, these specially-protected categories could be transmitted in both the
patient’s best interest as well as the physician’s best interest
without fear of lawsuits.

Physicians would have reliable access to a full complement of patient
information for the vast majority of patients who would prefer that anyway.
Opt-outs could be offered to the extent that it is practical for the small
minority of patients who so choose. Protections already specified in HIPAA
provide the necessary associated requirements with respect to authentications,
audit trails and punishments for breech of privacy and security in order to
further safeguard protected health information.

So, in summary, RHIOs have the potential to prevent hundreds of thousands
of injuries each year. However, in order to facilitate the creation of RHIOs,
and, thus, the National Health Information Network, while providing the optimal
healthcare to the vast majority of our citizens, HIPAA privacy and security
regulations need to migrate from being the minimum requirements to becoming the
standard across the country.

Since this hasn’t happened yet, we just unnecessarily killed another
patient during my testimony today.

Thank you.

DR. ROTHSTEIN: Thank you.

And, now, we will go to Dr. Lewis.

DR. LEWIS: Thank you, Mr. Chairman. I appreciate the opportunity to be here
today to describe some of our experiences and challenges in addressing the
sharing of personal health information along with the privacy issues for
low-income, uninsured individuals.

We have actually found that this is even more complex than some of the
challenges that you have already heard.

I think, to give the committee a sense of where my observations are coming
from it may be helpful to start with a little bit of personal background.

My first formal exposure to personal health information and privacy
actually predates the privacy Act of 1974. At that time, I was at the NIH
Clinical Center, and we were seeking approval to begin work on a comprehensive
clinical-information system to support the patient care and clinical research
at the NIH clinical center, so that my commitment, really, as a strong
proponent of both sharing information and privacy goes back a long way.

That particular system was – those of you who are familiar with the NIH are
aware – had very little to do with billing, very little to do with fiscal
management, nothing to do with insurance. It was strictly a clinical-care and
clinical-research system.

I think the context in which you may want to consider my remarks are the
challenges of building a mini-safety-net-oriented RHIO for low-income,
uninsured individuals.

Many of the themes that you have heard, with respect to privacy and
confidentiality and the benefits of data sharing, apply equally to the
under-served populations, but there are really three points that I’ll
touch on as we go forward, but, in order not to keep you in suspense,
we’ll share the conclusions at the beginning.

The first is that data sharing is considerably more critical for the
uninsured than it is for insured populations.

The second is that we have found that it is more difficult to build trust
and, therefore, to build the confidence in data sharing that would facilitate

And the third is that automated matching is much less reliable, and,
therefore, much more problematic, so that the sort of database and analytic
engines, master patient index, technologies and algorithms are much less
effective in that environment than we would like them to be.

To give you a little bit of background on the service population, the
Primary Care Coalition is a – really a compendium of non-profit organizations
in Montgomery County that are oriented to supporting one another to try to
deliver high-quality healthcare for the 80,000 uninsured residents of
Montgomery County.

There are about 10 independent safety-net clinics in the county, some
faith-based, some linguistic or culturally-based, that have come together to
form this organization, as well as a clinic that has D.C. as well as Maryland
affiliations, and we are about to begin operation in a non-profit clinic in
Virginia. So that gives you some sense of the regional aspects, which are
important in terms of some of the ancillary challenges, such as
cross-jurisdictional laws, different – many different providers.

Montgomery County is interesting in a hospital sense in that there is no
university hospital and no public hospital. They are all – there are several
non-profit community hospitals. So it is a little bit different environment
from what you find in some sites.

Our approach has been to try to leverage IT through a small center that we
set up that we named the Center for Community-Based Health Informatics.
Sometimes, if you name yourself, it helps you focus on what it is you are
trying to do, and so our notion is to see if we can use technology in the
low-income, uninsured population.

We started with a HERSA(?) cap grant for infrastructural purposes that led
to the development of what we think of as a thin, broad electronic medical
record, where connectivity patient identification in the concept of sharing
data among the partners was really the beginning point, and if you think of
these clinics as being a notch below the FQHCs in terms of funding, in terms of
medical resources, in terms of facilities – with anything else, then it will
sort of put you in the context of why we wanted to start at a very basic level.

These clinics essentially form a sort of virtual system of care, now,
handling about 80 percent of the safety-net visits that occur within the

I should add, just on the bottom line, that having spent 34 years at the
NIH building high-end clinical systems, high-end clinical research, electronic
health records, it has been an interesting – an eye-opening even to discover
that there are people three or four miles from NIH who have no care, no access
to care and really not well funded. So it has been an interesting, and, I
think, rejuvenating personal experience for me.

I’ll touch quickly on – and actually, I won’t read this slide in
detail, because I think many of you are familiar with the concept, but other
things that happen in the world effect our ability to convince people to share
health data. For those of you who had a chance to look at the Washington Post
today, Citicorp managed to lose another 3.9 million account holders. The
summary says that that is six million in the last six months, individuals in
the U.S. who have had personal financial data compromised, and you can’t
recall that data. You can change a bank account. You can recover the funds. You
can do some of the – the legal profession is not my forte, but it is very hard
to undisclose your personal health record.

My favorite example of inappropriate use in the last few years really was a
well-known Midwestern railroad that decided to do DNA testing, unannounced, of
its employees for what the Director of the National Human Genome Institute
described as junk science to try to find a correlation of their DNA with very
rare neurologic syndromes that can be associated very remotely with
carpal-tunnel syndromes, and no one – and, clearly, this was done as a way to
avoid Workmen’s Compensation claims. It clearly wasn’t something
conceived of by a nurse or a technician in the medical department, and it is an
example of, I think, the kind of activity that makes it harder for me to
convince low-income patients that they should share their data.

Dr. Detmer referred to it briefly, when he talked about why there is less
conflict in the UK. Among our patients – and sometimes low income, uninsured is
equated with immigrant populations or even undocumented immigrant populations,
but that is actually not true. Many of our patients work for small businesses
that can’t afford health insurance, and if you look at the insurance
environment, if you are a small-business employer, a plumber, an electrician,
you have two or three employees and one of them needs a heart transplant, you
may have to drop your insurance program because you simply can’t afford
the premiums in the next year.

So disclosure of health information leads to social ostracism, job loss,
insurance questions and so forth, and even occasional much worse activities.

I think the – I’ll just finish this slide by saying it is as private
as financial data, you know, clearly is not adequate.

Dr. Detmer and I did not rehearse our presentations today, but I did want
to touch on some things that were helpful to us from the UK experience in
thinking about how to approach it.

The first – and Dr. Detmer shared it – is that there’s a very high
level of trust in the National Health Service by the citizens of the UK, but,
in spite of that, a study done two or three years ago showed that only eight
percent of the people that they interviewed were comfortable putting all or a
lot of their data into a shared electronic health record. I think in the U.S.,
it is probably – there is probably a lesson there that it might be even more

So the UK, in some subsequent activities, made some attempts to reduce the
skepticism. One of the things that is interesting to read is a care record
guarantee that they put together. It is written in non-legal language. Anyone
can read it and understand it. It talks about what won’t be released, what
will be released, and it begins to get at notions of patient control, I think,
in a high-level way that was helpful to us in thinking about how to approach
our low-income populations.

First is a notion of assent, what you agree to release. The second is a
notion of dissent, what you don’t want released from your record, and the
third is an institutionalized notion of a dissent override. There’s
certain things that really must be released. Data for public health,
communicable diseases have certainly been the traditional one, but there are
other sources of – other kinds of data that need to be released as well,
because they put people at risk. If you think of HIV-positive patients going to
their dentists and perhaps that is information that some states would judge
should be released. Massachusetts apparently doesn’t feel that way, but I
think it is a notion that is a very constructive one to discuss with a patient,
because it allows you to talk with them about why information should be
released in a very non-abstract, very meaningful way.

I think HIPAA is probably not well understood by anyone. Part of the fun we
had working the legal profession was to try to get multi-jurisdictional sharing
agreements among our 10 safety-net clinics with respect to legal sharing of
data. This was using a law firm that was actually recommended by the Federal
Health and Human Services Department as being experienced in the area, and even
there there was – that was probably the most expensive single item in the
development of our shared electronic medical record environment.

So I think asking the question of whether HIPAA has actually engendered
trust or, to some extent, inhibited trust, is worth asking.

I’ll finish up by talking about the early experiences with our
safety-net RHIO. As I mentioned, one point for discussion is our assertion that
data sharing is considerably more important for the uninsured. There’s
specific patient factors, including the tendency of the patients to choose
multiple providers. There is less likelihood of a medical home, significant use
of emergency departments for primary care, and then site-driven changes,
care-site-driven changes, migrant workers across the region, frequent job
changes even for low-income individuals within the region, and the reason I
mention housing changes is because of a comment at the bottom of the slide. We
have uncovered some interesting factors that others know about as well, but a
home address, for example, is not very useful, often, for tracking patients,
particularly if you have, as is true in some of our Virginia jurisdictions,
particularly, illegal numbers of people living in the same house, then you
almost never get a correct address in that circumstance because of fear of

Just as some examples – and these won’t be new to any of the committee
members – but one of our hospitals cited an expensive, dangerous workup they
had done on an emergency-department patient that they then discovered had been
done a week before in an emergency department across town. Now, I emphasize the
dangerous. It is not just the cost. It is a patient-safety issue.

Patients concurrently seek care in multiple jurisdictions. If they get sick
at home, they may go to one clinic. If they get sick at work, they go to
another clinic. If a clinic loses a language translator, then they go to still
a third clinic. So it becomes difficult to build trust.

Again, we find that – and if you look at the bottom of the slide, first, we
find that a voluntary approach has worked very well for us, that if we actually
sit down and take the time in our clinics to build relationships with the
patients, even when the provider may be different each time, we have had quite
good success at the patient’s – having the patients understand, and,
therefore, agree to the benefits of sharing their data.

If we do it as a top-down approach, it really doesn’t work at all, for
all of the reasons cited at the top of the slide – cultural biases, immigration
status, the difficulties of conveying trust, legitimate historical reasons to
distrust the system, language and educational barriers – and the consequences
of distrust are quite evident in these populations particularly. They tend to
forego medical treatment requiring expensive care later, and also the risk to
all of us as a public-health issue if appropriate information isn’t

People like to cite bioterrorism. Really, my bigger fear is the
introduction of things like multiple drug-resistant tuberculous into Montgomery
County by a very easy hop, skip and a jump from Central America into the
chicken-and-strawberry fields of the Eastern Shore and into the Washington
area. This is a two-, three-, four-day transit in some cases, and I think,
statistically, that is a much larger risk.

Some quick comments on why we found automated matching to be more
problematic, and one of the groups we have worked with actually is a group
called the Open Health Records Exchange, which is experimenting with a variety
of matching methods to try to develop reliable algorithms for these
populations, but it starts with the fact that there is no insurance ID. If you
look at some of the MA share work, insurance ID’s, pharmacy-benefit
managers are their main source of information about medications. That simply
doesn’t work here.

Cultural naming conventions. We’ll have – people may register
perfectly honestly under different names on subsequent visits to the clinic.
That is where you get into the less-honest ways for registering under different

Frequent changes of address and phone numbers.

Unknown birth dates. You would be amazed at the number of people who were
born on January 1st when you do a histogram of our birth dates.

Multiple occurrences of the same patient even in the same clinic, so that
the certainty of the match goes down. There are problems of false inclusions
and false exclusions, and, again, I have mentioned the examples, so I
won’t bother you with them here.

The global considerations on this slide are basically the same ones you
have heard before, but what I really want to emphasize is point 3 and point 4
that a national framework that could then be implemented locally would be very
helpful. When the framework keeps changing, it is quite different, and, unlike
the previous speaker, I am not sure that, in my point 4, that HIPAA is exactly
where would start. I think a clearly-worded something in the form of a
guarantee – Now, I realize that guarantee is a difficult word and it isn’t
quite the – it is not quite the word I am looking for, but something that
approaches that in that notion with appropriate penalties for people like
railroad CEOs that think – anonymous – think that not-informed-consent DNA
scanning is a good idea.

I’ll just finish with the three safety-net challenges that I think are
different in our environment. Data sharing is considerably more critical for
the uninsured, but it is more difficult to build trust, and therefore, to share
data, and that automated matching is thus reliable.

On your printed handouts – I’m not sure if they made it to this one.
No, they didn’t. On the printed handout, there are also some references to
sharing agreements that we developed for use in the clinics that have been
actually fairly widely requested by other clinics.

I’ll stop there. Thank you.

DR. ROTHSTEIN: Thank you very much.

We’ll be back to you with questions after our final witness, and that
is Dr. Root.

DR. ROOT: Thank you for inviting me to be here.

I have to apologize because I got caught in that rainstorm yesterday. I
hear it rained here, and I ended up in Minneapolis and my luggage ended up
someplace else, and I still haven’t reconnected with it, and all my
handouts and everything are wherever my suitcase is. So the best I can do for
you is to read off my laptop. So I apologize for this sort of primitive
presentation, but it is the best I can do.

Thank you for the opportunity to share some of UHIN’s experiences in
the area of privacy and security. My name is Jan Root. I am the Assistant
Executive Director. I noticed in here it said, Chief Privacy Officer. I am also
the security officer. We employ all of, I think, eight people, so we wear a lot
of hats. I have been with UHIN since its inception about 12 years ago.

I am a little bit outclassed here, because UHIN doesn’t actually share
clinical information right now. We share administrative information, which, of
course, contains clinical information. So most of my comments are based on the
experiences that we have had in the administrative arena. We are moving into
clinical, but we are not there yet.

We are a small not-for-profit company. We securely transmit administrative
healthcare information between entities through a central internet gateway.
UHIN and its members believe that the entire healthcare record should be kept
private and confidential, and we take our privacy and security responsibilities
very seriously, and we encourage our members to do likewise.

We were first incorporated in 1993, as a Utah not-for-profit corporation.
UHIN was born of the Community Health Information Network, CHINs, CHINs.
Remember CHINs? Do any of you remember CHINs? Yes, okay. CHINs, yes. We are
CHINs. That is where our name comes from. We are one of the few that are still

Our purpose is to provide the consumer of healthcare services with reduced
cost, improved healthcare quality and access. We do this by creating and
managing a value-added network, developing standards for these exchanges. All
the participation in UHIN is voluntary.

Whenever you get your handout, you will see there’s a section there
about UHIN’s structure. The membership is very diverse. We have a lot of
competing entities – pair organizations that compete with each other, provider
organizations that compete with each other, government, consumer groups.
Because of this diversity, we made three important decisions at the beginning
that I think have an impact on what we are doing in terms of privacy and
security right now.

One, we are a value-added network, not a clearinghouse, and the distinction
is very important. We don’t open the envelope. We don’t massage data.
We don’t save data. We don’t store data. We are like the Post Office.
If I can read your handwriting and it is a real address, I ship it. Okay? If it
is garbage, it is not my problem.

The way we do this is we develop community standards, since the receiver
needs to know – this is an electronic message – need to know what is coming
down the pipe, the community got together and created standards. We have about
a million hours, we estimated not too long ago, that has been donated by the
community. You know, we sit around a table like this and we say, Okay. We need
to create a standard about – you know, whatever the community wants to create a
standard about. I take really good notes, and, through a rather lengthy
process, we create a community standard that works for everyone. That is the
goal is to create a very practical working standard.

We have also been very active on the national scene at X12, HL7 and at
WEEDI(?). We have encouraged a lot of our members to participate there as well.

Another thing about UHIN that you should know is that we are run on a
consensus basis, not majority rule. It creates some very different political
dynamics to do a consensus-based organization. We did this to encourage
adoption and to ensure that one entity would ever control the company. Instead,
it truly is controlled by the community.

We are a community-based organization, and we have a commitment to serve
the entire community, from the very large entities to the very small entities,
and, as a result, we often use technology that people kind of laugh at.

When we first started, for example, we used a dial-up system. We had hours
and hours about how do you standardize Kermit(?). So that everybody could use
Kermit the same. We are up to an internet now. We are doing better.

We do have connections to over 1,500 end points. We connect about 20
national clearinghouses and about 400 national payers. So we handle about
50-million transactions a year right now. We have ben very successful. We are
completely self-sustaining. Okay. That is our background.

CHINs, like I mentioned, we were a CHIN. It is just interesting, when we
wrote the ARK proposal, the current term then was LHII. Now it is RHIOs, and I
recently heard SNOs, Subregional – Subnetwork organizations, SNOs. That was at
the Connecting for Health meeting a couple of weeks ago. So I don’t know
what it is really called. I am going to stick with RHIOs for right now.

It is interesting because CHINs were created to solve the same problems
that RHIOs are being created to solve. It is really not a different thing. Just
a different name for trying to reduce costs, improve care and improve patient

As you know, the CHIN movement was largely unsuccessful. Most of the CHINs
didn’t survive.

We believe UHIN was successful, though, because we focused on creating
value and we focused on creating trust. I think all of us have talked about
trust. This is absolutely essential to our survival.

Our vision, even though we have had a history of exchanging administrative
transactions, we have always anticipated that at some moment in time we would
do clinical exchanges. This seems to be the time to do it. Certainly is a lot
of it nationally. Witness all of you sitting around here.

Our vision is to extend our current network. We have a redundant,
multi-site, state-of-the-art internet gateway for administrative exchanges,
broadband on demand, constant monitoring, performance security, all that stuff,
and we want to add a little bit to it to handle clinical exchanges.

We anticipate that we are going to develop a statewide master person index
and probably a statewide master – we don’t have a good name for this, but
clinician/facility/provider, something like that, index, and we are considering
what the Connecting for Health folks are calling a record locator service, but
we haven’t made a firm decision on that one yet.

We do not anticipate any centralized PHI database, at least it doesn’t
seem to be a politically viable suggestion in Utah.

So our primary challenges right now are, one, develop a sound business
model for clinical exchanges. It is rather prosaic, but, first and foremost,
UHIN is a business that has to stay alive in order to provide service to the
community. So we have to figure out how to fund this in a reasonable and
appropriate way.

Also, we need to create or adopt necessary standards, and we need to
address some new issues in privacy and security. So what is new? You’d
think we’ve been doing this for 12 years, we would kind of have privacy
and security nailed, right?

Well, what is new for us – Okay. You have to remember we are a RHIO. We are
not a doctor. We are not a payer. We are not a hospital. We are a RHIO. What is
new for us in the patient. Okay?

For those of you that got to go through HIPAA like I got to go through
HIPAA, the patient largely wasn’t in that conversation a whole lot.
Patients don’t really care a whole lot about how their claims get paid, as
long as they are not harassed. Long as you do it, they don’t care.

So for us, as a RHIO, as a CHIN, as a whatever you want to call us, the
patient is a new element, and so we are having to learn how to figure out how
to interact with the patient, which is really going to be a challenge.

Our goal is always to be a trusted and neutral third party in the
community, and the community trusts us with actually two kinds of information.
So I want to talk about both of them briefly.

One is PHI, but the other is proprietary information about our
members’ businesses. It is UHIN’s highest priority to protect both of
these types of information.

Let’s talk about PHI first, and remember, we are coming at this from a
12-year history in administrative exchanges, all right? So this may sound real
obvious to you, but it was an eye opener for us.

One of them is that we are learning is that health data is health data is
health data is health data is health data. It doesn’t really matter
whether it is a claim or a pharmacy prescription or a lab result or a whatever.
It is all the same stuff, and so we have decided to treat all the information
that flows through our network equally. It’s all protected under HIPAA,
but we had originally thought that, well, you know, this is clinical data.
Somebody might die. We need to be more careful, and we have since said, No. It
is all going to be benchmarked at the same spot.

The second lesson for us – and this comes from our history as a CHIN – is
that RHIOs – at least RHIOs in Utah – should not function as central PHI data

We know we hear a lot of discussion about centralized data repositories. We
certainly hear them at the Connecting for Health meetings, and there is a lot
of good reason to do that. It is a lot easier technologically. You can get a
lot more bang for your buck and so on and so forth.

We heard all these discussions during the CHIN movement. For those of you
that were around then, I am sure you heard them then as well. Basically, the
argument is that somebody needs to do it because it is a good idea, and the
CHIN or the RHIO looks like a good, logical and very convenient place to do

Our thoughts about this are that the first task of a CHIN or a RHIO is that
they have to be trusted entities. If they are not trusted, they don’t
survive, and the trust that is necessary to keep a RHIO alive just doesn’t
thrive in an atmosphere of controversy. It just withers.

When we look at central data repositories, they inevitably, at some point,
seem to engender controversy about a whole variety of things, particularly when
you use them across competing organizations. Several of the early CHINs
foundered upon this very issue. They developed central data repositories, and
the various entities decided they wanted to use them differently, set up
different evaluation criteria, and it was their undoing.

Our observation then, and now, is that whoever holds this data repository,
if you decide to do that, has to be a pretty bulletproof entity. CHINs and
RHIOs are not really very bulletproof, because they are community
organizations. They are coalitions. So they are inherently kind of fragile,

It is not that a central data repository is bad, you know. I am all for it,
if you can figure out how to do it. It is just that we don’t think that
the RHIO is a good place to do that because they are rather controversial.

In Utah, we do have a solution. We do have a central data repository. It is
held by the Health Department. Okay. The Health Department is pretty
bulletproof. They have taken it on the chin many times for this data repository
and done a wonderful job with it, but it has been a very difficult row to hoe
for them. So we have managed to keep UHIN as the entity that maintains the
community trust, brings the value, maintains the network allows this
information to be exchanged, and then the Health Department is kind of the
gladiator that has fought the battles to use this information in a wise and
kindly fashion.

I would like to talk a little bit about patients. As you know, patients
certainly aren’t a new factor in healthcare, but they are a new element
for us. As I mentioned, patients just weren’t a whole lot involved in the
HIPAA conversation. Some of you were at X12 with me, all the years of going
through X12, and it there wasn’t a whole lot of discussion about, Well,
what do the patients think about to use an ICD9 code or this or that? Nobody
really cared.

That is really not true now. Patients, at least in Utah, seem to care quite
a bit about this. We have a consumer advisory work group that we have started,
and we are definitely very much neophytes at this, and I was really listening
to your comments with great interest because one of our biggest supporters
right now is our local community health network. Community health centers are
very, very interested in trying to utilize this system we are bringing up.

There’s two things that we are seeing coming out of this consumer
advisory workgroup, and I should tell you that this group is mostly composed of
people who work as patient advocates or just low-income advocates in general.

One, consumers don’t appear to be very well versed in just regular old
clinical exchanges, stuff that happens right now. They don’t know that you
can put a diagnosis on a prescription. They were outraged. What do you mean you
can put a diagnosis? You know, the pharmacist has no right to know that. Ta-da,
ta-da, ta-da, and you’re like, Well, think about it. You know, and after a
while people calm down, but there has been this consistent surprise that all
this stuff gets exchanged, albeit very poorly, but still that it gets exchanged
at all, and so one of the things we are concerned about is that we might have
to do a pretty good educational program on just what is going on right now in
order that when you do it in electronic there isn’t this perception that
somehow this electronic thing is new and, therefore, dangerous.

The second thing we are seeing is that consumers do have a very high level
of interest. We have been around and talked with several groups, and everybody
gets very exercised over this. Part of it, again, is I don’t think people
are very aware of what is going on right now, but there is also a constituency
that wants to micro-manage the exchange of their health data, and while I
don’t know if that is even doable or not, we certainly have to be willing
to listen to people that do want to micro-manage their data, because some
people do.

The one other kind of information that we are entrusted with is proprietary
information, and, again, from a RHIO perspective, I just want to mention that –
you know – we are a – neutral third party, and we work with all portions of the
healthcare market, and, as such, we often hear about a member’s business
plans or their strategies to how to out-compete this person or that person, who
also sites on my board – okay? – and we have to keep all of that extremely
confidential, and that is an absolute drop-dead requirement for the success of

As has been mentioned here previously, we have great concerns about the
lack of privacy standards when you cross state lines. It was interesting.
Several of our board members, actually, this group came to Salt Lake City once
quite a while ago and interviewed people, and a couple of our board members
testified, and one of their issues was this difficulty about a lack of privacy
standards, and, basically, they were just sort of told to deal with it.

They were mostly payers, and, you know, payers are bad guys, but, now, it
is not payers anymore. It really is about patient care, and so we would like to
make a pitch for the committee to reconsider the idea of standardizing privacy
across the country. I totally agree with everybody’s comments here that
unless you do this, it will greatly hinder the ostensible goal of a national
health information organization. It is just not possible to keep all this stuff
straight. It is just not.

From a security perspective, understand that UHIN operates a
front-door-to-front-door service, okay? I’m the Post Office. I pick up
mail from your mail box. I drop it off in yours. I don’t go in your door,
all right? That is not what UHIN does. Several other emerging RHIO
organizations do go inside of people’s offices, but you UHIN does not.

So we have taken security and we have divided into two hunks. We have
security that is the pipeline. Okay. That is our problem, and then we have
security that is inside the member’s facility. That is your problem or
that is their problem. All right? That is how we split it up.

So our responsibilities are for managing access, and the reason I am
bringing this up is I am hoping that, essentially, at some point, we’ll
get some kind of standard for how RHIOs are supposed to operate on a security
level, because this is going to be another critical issue for the success.

We have to authenticate new members. In fact, I had a thought. What was the
company that they were being scammed because a regular customer turned out to
be a front for some – Right. I was just thinking, we have to be careful,
because what if someone in Utah comes to us with a tax ID, looks like a
healthcare, like we need to be more careful about this.

Luckily, Utah is pretty small. So if they are not a real healthcare
provider, we’ll know it pretty soon, but that strategy is not going to
work here on the East Coast.

Anyway, we need to authenticate new members’ control access and
monitor security of the pipeline. In your handout, there’s details about
how we bring new members up. We have everyone sign an electronic commerce
agreement. It is all uniform and they get a trading partner number, logon and
password. They are the only persons that know the password. The password has to
comply with our specifications, you know, eight characters, ta-da, ta-da. Have
to be changed four times a year.

One of the suggestions we would like to make here is that, in terms of
standardizing security and privacy, is that RHIOs be EHNAC certified. EHNAC
stands for – if I can do this – Electronic Healthcare Network Accreditation
Commission. Bingo.

What EHNAC does, it is kind of like JAKEO(?) or NCQA or one of those
national organizations that is trying to set very high level professional
standards for clearinghouses and value-added networks, such as ourselves. They
offer a certification. It is rigorous, I can tell you. We just went through it.
I twas a lot of work. I twas very difficult to achieve a certification.

We would like to suggest that the committee consider – you know – I
don’t know exactly who is going to ever define RHIOs, but if they ever are
defined that EHNAC certification be part of that, because they are all
clearinghouses or VANS(?). They all exchange information in some fashion, and
EHNAC has some very good security and privacy criteria.

One of the things, of course, that we do is we encrypt. We encrypt. We are
compliant with CMS’s internet security policy. We require all of our
members to have a very short list of browsers. There’s not a whole lot of
them that do 128-bit encryption, and the handout – when I get that to you – has
got the details there.

We do have a kind of an interesting PKI design. I’m sure – I know. We
are running out of time. Sorry. I am almost done.

We manage about 1,700 endpoints with about 20 keys. So, again, if you are
interested in learning how to do that, I can tell you at a later time, but it
works quite well. It is a doable PKI. In terms of member responsibility, as I
mentioned, all members are responsible for security within their own facility,
and privacy, too, for that mark.

One of the things we are concerned about, you know, we do realize that
clinical information does have possibly more dire consequences, if you misuse
it, than administrative. I mean, if you misuse administrative, you get accused
of fraud, but you misuse clinical information, you kill somebody.

So one of the things we are trying to do is to take the HIPAA security
rule, which is just generic, and actually create some specific technical
specifications for small provider offices that are implementable, reasonable,
appropriate, don’t cost an arm and a leg.

We did have an interesting anecdote. One of the products that we are
bringing out recently actually allows physicians – you know – credentialing.
Everybody know what physician credentialing is, where you go to the payer, get
on their panel?

We have created a product whereby physicians can put their credentialing
database into a single database and then they control access to it, and when we
started to trot this out, all of a sudden the small doctor offices are getting
a lot more interested in security, because it is now their personal
information. So maybe that’ll help. We’ll see.

I would like to encourage, again, standardization across the RHIOs. We hope
that the RHIO connection, the national health information organization, will be
a hub. Hubs make it much easier from a security management perspective. You
don’t have as many entities to authenticate to. You can also create – it
creates an impetus to create a standard architecture to – across the RHIOs
through the hub. We know that standardization is not easy, but we really think
it is important to make any kind of national health information organization
economical to run, and trusted.

We use SSL, server-to-server keys. We hope that that would be considered as
a standard. Along with the web services architecture, it is a lot easier to
manage your security with that.

And that is it. Thank you very much for the opportunity to speak with you.

DR. ROTHSTEIN: Thank you very much.

And, now, the floor is open for questions from my colleagues.

Well, while they are contemplating, I have one question for Dr. Garber to
begin with, and that is in your testimony, you said that an opt-in approach is
infeasible because you would have to get from a million doctors and that sort
of thing, correct?

DR. GARBER: Difficult.

DR. ROTHSTEIN: Okay. It would be very difficult and expensive and time
consuming and so forth.

Why couldn’t you get a single opt-in for each RHIO, and so all you
would need is one opt-in, if you had 10 doctors, and as soon as you got one,
you could fill up the RHIO form and that would serve all of your doctors?

DR. GARBER: To some degree, that is possible, but then when you go to your
next physician, how does that physician know if you have opted in yet? So while
they may not have to do the consent at each location, they need to verify it.

So, in other words, there may still be some work. It depends on whether you
are saying, Okay. Go to the RHIO and talk to them, as opposed to each
physician’s office being responsible for, Okay. I can do the single
consent for everyone, which is probably how you would do it, but then when you
go to other offices, they presumably would want to check to make sure that it
has been taken care of. So it takes less time, but it still has to be done all
over the place.

DR. ROTHSTEIN: But it would only have to be done once, and the patient
wouldn’t have to do anything. So when you check in they would press some
keys and verify that they were a RHIO member.

DR. GARBER: Right. By pressing the keys. You are right. It would be less
than a minute per person, and we actually – You know, while we are going to try
to do the opt-out approach, we are prepared to do an opt-in approach, if it
turns out that is the public consensus.

DR. ROTHSTEIN: Okay. Thank you.

Dr. Cohn.

DR. COHN: Yes, I just wanted to explore the issue with probably all three
of you, just sort of a – I certainly don’t know that I have the answer to
how things should work across states, but I was sort of taken – and you may
have listened to the Canada discussions, where they were sort of primarily
focused on within their provinces, and then sort of figuring, Well, if you went
to another province, you would have to sign at that point an authorization.

Now, I am seeing in my own mind – realizing that there is actually a pretty
wide variation in state laws relating to privacy, and there was a reason why
the HIPAA Privacy Rule was a floor, not a ceiling. I also am probably one of
the survivors the last time we went through HIPAA privacy, and I know that
these conversations are typically not very easy, and they certainly aren’t
very rapid, generally, because it really does sort of open up a lot of
societal-value discussions, many of which have been handled by the state.

So I guess, as I think about all this one, let me just ask, I mean, is a
model – and tell me the down sides here. I mean, is a possible model that
states have a lot of the responsibility for figuring out the privacy within
their states and that there is a – somehow a different mechanism a la
patient-specific decision making as they move to go to another state or
whatever in those cases where they need to get healthcare? Is there a major
down side to that? Can you help me?

DR. GARBER: We are in central Massachusetts, kind of right in the middle
there, in the Worcester area, and I have a bunch of patients who live in
Connecticut who come to see me. Now, I am not even close to the border with the
state, and the reality is that people who – there are tons of people who get
their healthcare in Boston who live in New Hampshire. So if people just stayed
in their state to get their care and where they lived, you know, that would be
fine, but people – there is a lot of healthcare that takes place across
borders, you know, getting in both places, and I don’t know what
percentage that is. Maybe it is – you know – five percent of the population,
but there is still a lot of people who get healthcare across borders, and that
could be problematic.

DR. ROOT: So your question was would it work to allow the patients to
control the access? Was that your –

DR. COHN: I guess I was just wondering if there could be a somewhat
different way that was cross state versus interstate, and I was just trying to
explore that to see if it held any water. Pardon the expression.

DR. ROOT: You know, the whole sort of emerging business model of a
patient-centric record, which will probably be like the conversation about
privacy – very long and slow – but the idea that the patient somehow subscribes
to a service and that physicians feed that through some kind of secure thing,
you know, maybe down the road, maybe that is a possibility because then it is
the patient actually sharing the information. It is not the responsibility of
the physician or the hospital or the payer. It is the patient that controls
that information, and when we talk about it, we don’t see anything right
on the horizon right now to enable that thing, but that is about the only real
suggestion that we have heard that sounds at all pragmatic, unless you are
going to try to reform the privacy laws and create a floor and a ceiling, which
we acknowledge would be extremely difficult to do.

DR. LEWIS: Just wanted to make a quick comment with respect to both of your

First, the sharing agreement that we negotiated among the 10 clinics works
very much the way you describe. So that if a patient agrees to have their data
shared when they visit any one clinic, then that pops up on the screen should
they appear at one of the other clinics, as well as the sort of inverse
notification that if they go to one of the other clinics and they have not
shared a sharing agreement it notifies that clinic and encourages them to talk
with the patient and obtain one for the patient’s benefit, as Dr. Garber

I think the possibility of negotiating suitable privacy-protection
agreements across jurisdictions is certainly there. We did it with D.C. and
Maryland, and we expect to be able to do it with the clinic that will be
joining the group from Northern Virginia, but each time is a sort of new
experiment in a new component, and my final thought isn’t intended to be a
critique of the legal profession, but what we encountered in the process was an
interesting one. My background was in mathematics before it was in medicine. So
I am totally out to lunch when it comes to legal issues, but our first deed was
to frame it as a collaboration not an adversarial proceeding. We didn’t
want – we wanted the clinics – we wanted new clinics to be able to join without
having to renegotiate the entire set of agreements and without having to have
everyone resign all the contracts and so forth.

So the first part of the activity and one that others have come after us –
was setting a framework of collegiality and collaboration in the interests of
helping achieve the goal of sharing, rather than protecting one organization
vis-a-vis a different one.

MR. HOUSTON: I just had a short comment back to your original question
about the opt-in versus opt-out, and I remember when John Fanning(?) was still
working with this committee. I remember him circulating an article from – I
think it was a Canadian publication. It was related to research, but I think
it’s very relevant, which was that while most patients would opt into a
research registry, they want to be asked. So it’s – this whole concept of
– and most people will say yes, but they like the courtesy of being asked
whether they want to be part of it, and I think that is sort of – you know –
back to the point of opt-in versus opt-out. I think there is still a
sensitivity regarding that, and I think that is one of the tings that be
interesting to look back after your experiences in opt-in versus opt-out and
find out what you end up with, because of those types of patient sensitivities.

DR. GARBER: That is part of our evaluation with the grant is to see whether
that approach was successful in terms of getting it past the public, and we may
find that it is not. That’s why we’ve got our bases covered.

DR. ROTHSTEIN: You don’t mean getting it past the public. You mean –

MR. HOUSTON: Public scrutiny.

DR. ROTHSTEIN: – generating public enthusiasm for your program.

DR. GARBER: Well, as we have talked about is it has to do with building an
appropriate trust, and whether it takes – opt-in is the way to do that or
whether we can do that through education –

MR. HOUSTON: You might want to try to – I wish I could find – have the
article off – right off my fingertips, but you might want to do Google and see
if you could find it, because I thought it was an interesting article, just
simply – and, again, it was sensitivities of patient subjects and research in
Canada, but –

SPEAKER: I’ll just call John.


DR. ROOT: In Utah, we have the Utah Immunization Registry, which has been
in its place for about – I don’t know – six or seven years now, and it
started out with an opt-in, and that became extremely problematic, just to
administer, partly because the patient – the database was focused on children.
So you might have one parent who opts the kid in and then the next parent opts
the kid out, and it just got insane. So they finally went to a straight opt-out
approach, just because the administration of it was just impossible, just as a
little pragmatic note.

DR. TANG: Jan, just a little comment on your suggestion that we have these
PHRs as a way of – you know – somebody else that would operate a PHR and then
subscribe to it. Ironically, those kinds of third-party PHRs are not covered by
HIPAA at all.

DR. ROOT: Yes, I know.

DR. TANG: So, in actuality, the patient would have the least amount of
protection and guidance.

The question I had for you is did I get you correctly that Utah –
essentially, the Department of Health maintains or at least owns – I think you
operate the central database for the administrative data you have been sharing?

DR. ROOT: The Utah Department of Health has the legislative right to
collect clinical information about patients in Utah. One of their sources of
data are claims data, which we ship to them, if the provider opts to do that as
a way to ease their reporting burden. Most of it – you know – inpatient
discharge database, sort of your standard kind of stuff.

DR. TANG: So – and it sounds like as you transition to clinical – and that
is a new piece of information that you have a statutory permission to
accumulate –

DR. ROOT: Not me, but the Department of Health.

DR. TANG: Yes, the Department of Health to accumulate
personally-identifiable health information for this on behalf of the state, and
that went okay? When was this passed and what was the rationale?

DR. ROOT: Let’s see. It was passed, I believe, about 1990. I believe
it was getting off the ground in ‘91. The rationale was to improve the
quality and care of Utah citizens and reduce the costs. It is still alive, if
that is any testament to its ability to survive and to be functional, and they
are expanding. They started with inpatient hospital discharge database. They
have now expanded to include ambulatory-care centers and one other kind of
center that I’m not focusing on, and then they have a new project now to
use prescription information that they are getting from payers as proxy
measures for chronic conditions. So if you have some kind of asthma medicine,
then you probably have asthma, those sorts of things, and to look at rates in
the hospitals of these chronic conditions and try to correlate that with this
proxy measure of how well are you managing this condition.

DR. TANG: And isn’t there a big genealogy project within Utah, and is
that –

DR. ROOT: Yes, there is. There’s the Mormon Church’s genealogical
records. It’s actually –

DR. TANG: It’s not state related.

DR. ROOT: It is now – part of it is housed up at the University of Utah and
has been merged with a large number of vital records – births and deaths. I
think they have somewhere in the neighborhood of 3.4 million people in it. It
is an extraordinarily clean database, and it is largely genealogically
oriented, yes.

DR. TANG: So that is one approach is to legislate it into – (laughter) –

DR. HARDING: Just a couple of clarification questions.

A VAN, you mentioned, just passes through information from – you don’t
retain it for any period of time? There’s no backup? Once it’s
through it’s through and you don’t have any way to check to see if
you got the right stuff? I guess that is only in another kind of entity that
would do that, not a VAN, but the clearinghouse.

DR. ROOT: If the content was correct or not? That is what clearinghouses
can be contracted to do, to edit your dat, check to make sure it is consistent.

DR. HARDING: So you don’t keep it for two weeks in order to – in case
there’s a –

DR. ROOT: No, unfortunately, as several members have found, we don’t
keep data, and if you lose it, we can’t help them.

DR. HARDING: Okay. The other thing I was asking, you are dealing with the

DR. LEWIS: Yes, that’s right.

DR. HARDING: A great deal, anyway, the majority. What do you think – is
there a clear difference between uninsured about the privacy and the insured?

DR. LEWIS: I think they’re – initially, for some of the reasons I
describe, they are much more hesitant to share data, although what we find when
they talk with – when we talk with them carefully and when they begin to build
a trust relationship with the clinic that they then see the benefits of sharing
that data, because they are much more likely to have multiple providers, end up
in an emergency room without access to their records. So once we go through
that with them, it is kind of like the research question. If you are asked to
participate in research, then you probably will. That certainly was my
experience at NIH, in any case, but, interestingly enough, the data that they
don’t want shared has to do with country of origin and Social Security

DR. HARDING: Well, yes, if you get into illegal aliens and all, I can
understand, but just plain uninsured, it is counter-intuitive, it seems like.
It seems like they have less to lose by – so to speak – by having information
out on the internet or wherever, and it just doesn’t quite – it
doesn’t quite seem intuitive to me, what you said, but –

DR. ROTHSTEIN: Except there are some studies that show that they are
worried about ever getting health insurance.

DR. LEWIS: It is not necessarily a rational process. That is one of the
things that we discovered in working with it. For some parts of the population,
it is simply that they view themselves as having been experimented on in the
past and so they are suspicious of any kind of data-acquisition process.

In others, it is much more concrete. They are afraid that if their disease
gets back to their employer, they’ll lose their job, and for these
populations, there is generally a labor excess, not a labor shortage, so that
loss of job is – it may or may not be a real fear. It is a little hard to tell.

When we use community workers, people who are – with whom they are
comfortable, to describe the benefits of the data sharing, then we don’t
have a lot of trouble getting – it depends on how you define trouble. We
eventually reach where we would like to reach, which is that they trust us to
be good stewards of their data and to use it appropriately, but it is a longer
process, but not necessarily – from our point of view, not necessarily a bad
one, because it brings with it ultimate trust in the health system and the
benefits that they would receive from it.

DR. HARDING: And the final part of my question is how – you brought up the
issue of education several times. How are we going to educate the uninsured as
opposed to the insured? Are there special things that we are going to have to
do for education sake, other than a trust relationship that takes a while?

DR. LEWIS: That is a hard question to answer, because it is partly – I
think partly it is cultural and sociologic and partly it is – in the sense –

DR. HARDING: We haven’t been able to educate anybody real well, I mean
a big group. So I just wondered if there was any certain –

DR. LEWIS: But, as an example, the Margle(?) Foundation likes to show this
person falling off a ladder and saying, You have – you know – three
milliseconds to remember your entire medical history. I think that is not quite
the right analogy, even for most of us. I mean, what we have found, for
example, is that when these patients end up in the emergency department, that
is not the best place to – I mean, they may sign a consent form, but it is not
the place to build a trust, and it is not the place to help them see the
benefits of data sharing.

But I think part of it is acknowledging – I mean, there’s a general
risk-reward calculus, if you – People who look at the things Americans worry
about find that we all worry about things with the lowest probability of
happening, if the consequences of them are catastrophic. So I think there is a
certain sociology where the uninsured and the insured are identical.

But we are really working at three levels. One is building trust within the
safety net, an individual clinic. The second is trust across the
safety-net-clinic environments, and the third is linking that safety-net
environment to mainstream healthcare, and to the extent that –

So, so far, education has been our best tool, some of it quite passive,
simply having – and, therefore, less costly in a way – having a receptive and a
comfortable environment.

If you look at the clinics – We have several Hispanic-oriented clinics and
African-American clinics run by local churches; an Islamic clinic; a Pan-Asian
clinic, run by the Chinese Cultural Society, and, there, the trust comes simply
as a – to get the analogy backwards, guilt-by-association phenomenon. They
trust the individuals in the clinics and they, therefore, are comfortable with
the data sharing, and it begins to bubble up from the bottom, as opposed to an
advertising campaign that says, share your data or you might die.

So I am fairly optimistic about the process, if it happens in a community
level with the right connections, and if it happens there, then they trust the
emergency departments in the hospital and then it flows upward in a way that I
think benefits everyone.

DR. TANG: Just a followup question. It is a little ironic that, for the
uninsured, at least when they are not undocumented aliens, non-residents, it
seems like you would have less risk of sharing it with people who you are
worried about, like the insurers or the employers, since, if you are uninsured,
you are paying by cash and it shouldn’t go anywhere.

SPEAKER: Well, you’re not – no.


SPEAKER: You may be getting free care.

DR. TANG: But then it doesn’t go – It is not flowing out to the payer
or the employer.

DR. LEWIS: The employers often are connected to it in interesting ways.
Many of the small businesses in the county can’t afford insurance and they
actually send their employees to the free clinics. They have lists of the free
clinics and they say, Go to this one, and it is an interesting – I mean, in the
grander scheme of how do you manage, which is, fortunately, not my purview and
I guess maybe not something you guys can avoid also, but the dynamics of
insurance and uninsured actually have very odd ramifications that are not –
again, as I say, not entirely logical.

But getting back to the question of – in the UK and Canada, since you are
assured of healthcare, lots of concerns drop out of that equation, irrational
as well as rational concerns.

MS. WATTENBERG: Dr. Garber, coming from SAMSA(?), we do substance abuse and
mental health. That is our constituency, and I am not a technology person, but
I am always on the hunt for technology that will help patients who have
substance-abuse and mental-health data, helping them both participate in
national health information networks and also protecting the data to the level
that it needs to be protected, and you talked about – and here is where I sound
like I really don’t understand anything, because I don’t. You were
talking about the ability for software that monitors adverse reactions for
medicines that – you know – can remain invisible to the eye for somebody
accessing the record, but, in the background, it is still doing whatever it
needs to do to monitor the reaction.

Is that common in software? Is it easy? Is it –

DR. GARBER: Well, I should tell you where the status of our project, so –
just as background. So we have a proof-of-concept that works. So we have shown
that the technology works. We have these knowledge modules called RHINOS(?),
and our technologist – I don’t remember what it stands for. He is the one
that came up with these, but so we have shown that we can do a distributed
federated model for the clinical data and for the master-person index with
probabilistic matching, and that we can put decision support on top of the
network, and we are in the process of making this a production system that we
can actually move real patient data in and a million patient demographics in
and make sure that the system still works. So, you know, we have another year
ahead of us before we actually are truly live, but the concept is not that
difficult and it is something that I am not sure if anyone else is doing it,
but it was fairly easy to do.

The filter is just saying that we are not going to display or transmit into
someone’s electronic health record certain pieces of information if we
have decided that we can’t show, based on this list, the proic(?)-acid
levels, because that just happens to be one of the medications. You know, it is
a seizure medication, but it is considered protected, or, you know, let’s
use that as an example.

Now, the network will transmit a new prescription for Depico(?), valproc(?)
acid, and when the network sees that a new prescription has been sent or
there’s been a new – from the PBM, there has been a new charge for this
medication, the network monitors, to make sure that a followup level has been
done at some point, at one of the labs that are connected, and regardless of
the fact that no one can see that this medication has been prescribed, the
network looks for – in temporally, for a drug level to have been done, and if
it hasn’t been done, the prescriber is alerted, whether it’s – it
will be – we have fax, email, alpha page. We have various different mechanisms
to accomplish that. They are alerted that they have done something that needs

Now, it turns out, of course, they are the ones that can actually see it,
but no one else could have seen it. There are analogous kinds of things like
that where they may have written a prescription that interacts with MAO
inhibitor that the patient is on and the network sees, the next day, that they
are either – right now it is probably going to be through the PBM – sees that
there had been a charge for that medication, knows that there had prior been a
charge for MAO inhibitor, knows that there is a drug interaction and alerts the
doc the next day. So it is not real time, but it is better than never to learn
of possible interactions. So that is how we are doing that.

DR. ROTHSTEIN: Well, thank you very much, all three of you. It was very
interesting, and we appreciate your testimony and also your colloquy.

Let me tell everyone the rest of the schedule for today.

We will be taking a break now until four o’clock, and I would ask you
to return before four, because, at four o’clock we will have our call from
Australia testifying on Australian health information systems, and it is 6:00
a.m. in Australia and if we don’t call them on time, they are going to hit
the snooze bar – (laughter) – and we are going to lose them. So I would ask you
to be prepared to begin promptly at four o’clock. Thank you.

(3:35 p.m.)

* * *

(4:03 p.m.)

Agenda Item: Australian Health Information

DR. ROTHSTEIN: Thank you very much for getting up at such an ungodly hour
to speak with us.

DR. RICHARDS: It is my pleasure.

DR. ROTHSTEIN: As I guess you have been told, we are conducting hearings to
learn about many things related to health-information technology, including
hearing from international health systems to try to find out where they are
relative to our preparations for protecting privacy and confidentiality in
electronic health information systems, and so anything that you could share
with us, we would greatly appreciate.

DR. RICHARDS: It is a pleasure to participate. Thank you for the

DR. ROTHSTEIN: So do you have a prepared statement or something that you
want to tell us about where Australia is on this or would you just prefer to
respond to questions?

DR. RICHARDS: I’m happy to respond to questions, and I do not have a
prepared statement, but just some introductory comments.

Australian Ministers for Health commissioned an Electronic Health Records
Task Force in 1999.

SPEAKER: Excuse me. Just a moment, please – I’m not getting an answer
for Janine Ward.

SPEAKER: Okay. Thank you.

DR. ROTHSTEIN: Okay. Thank you very much.

SPEAKER: Okay. Thanks. I’ll continue to try, if you want me to.

SPEAKER: Yes, please.


SPEAKER: Want me to continue to try her?

DR. ROTHSTEIN: Yes, please.


DR. ROTHSTEIN: Sorry, Dr. Richards. We are trying to get Jeanine Ward as
well, but please continue.

DR. RICHARDS: Thank you.

As I mentioned, our Electronic Records Task Force was established in 1999
to advise Australian Ministers to Health on whether or not electronic health
records were a good idea and whether or not Australia, an Australian government
should start to support a formal process to develop those – a system of
electronic health records.

That task force reported in 2000 and strongly recommended that Australia do
proceed down the path of developing electronic health records, and a project
was commenced, called Health Connect.

Australia is a federation of states, and we have a national government, and
eight state or territory governments. Under our Australian Constitution, health
care is a responsibility of the state and territory governments and the
national government does not have direct commonwealth powers in relation to
health, but the commonwealth government does have responsibility for sort of
national coordination of activities, and so its taxation payers and so its
funding payers has, over the time of Australia’s federation, increasingly
plays an important role in developing national approaches to healthcare.

Each state and territory jurisdiction is responsible for the provision of
public-hospital services and many community-health services. Most primary-care
services and community-based specialist services in health in Australia are
delivered through the private sector, and most of those services are subsidized
by a national health insurance, universal health-insurance system called

The provision of health services, therefore, occurs in the environment –

SPEAKER: Excuse me. Jeanine Ward is joining.

MS. WARD: Hello.

DR. ROTHSTEIN: Hello, Ms. Ward. This is Mark Rothstein, again, in
Washington, D.C. Thank you very much for joining us, and your colleague, Dr.
Brian Richards, is on and he was telling us about the general framework for
electronic health in Australia.

MS. WARD: Um-hum.

DR. RICHARDS: Good morning.

MS. WARD: Good morning.

DR. RICHARDS: So the Australian Health Services – health services in
Australia are performed in an environment in which both state and territory and
Australian government’s national commonwealth government legal frameworks
apply, and privacy, therefore – issues related to privacy are managed both
under the Privacy Act, which is a commonwealth government act, and also
different states and territories also have a variety of pieces of legislation
relating to the confidentiality and privacy of health records specifically.

The Australian Government has modified its Privacy Act to specifically
encompass the provision of health services and a number of provisions of the
Privacy Act apply specifically to – health information.

In developing the Health Connect, electronic health record system for
Australia, certainly, all stakeholders are mindful that the issues of privacy
and confidentiality of personal health information are central to public trust
and public participation in the system.

At this stage, the Health Connect project has been – has just concluded a
series of pilots and trials and field tests and is just now moving into a
national implementation phase, which is starting on a state-by-state basis. So
we are starting commencement of statewide electronic health records in a number
of the smaller states and territories in Australia, building on national
infrastructure, but the issue of privacy and confidentiality have been
receiving some significant – attention in Australia in the last couple of
months as the Health Connect projects go live, and so the level of public
interest in privacy and confidentiality in the context of electronic health
records is growing in Australia.

DR. ROTHSTEIN: Let me ask you, one of the issues that we have been
exploring is the degree to which patients – individuals – have control over the
contents of their health records, as well as the release and distribution of
information in health records. How have you dealt with that issue?

DR. RICHARDS: Australia doesn’t have legislation that is directly
analogous to the HIPAA legislation that exists in the U.S.

DR. ROTHSTEIN: That legislation is known all over the world. (Laughter).

DR. RICHARDS: It certainly is. Not least of which is the impact that that
legislation has had on the development of software for health services.
Obviously, any company that aspires to an international market for its
healthcare products needs to comply with the HIPAA legislation, and, to the
extent that the HIPAA legislation does not apply in Australia that can
sometimes be a problem or us in purchasing software to meet our needs.

The issue of the ownership and access to health records in Australia is a
complex one. There was a legal case that went to the Australian high court,
which established some common law precedent on the ownership and rights of
access to health records, which is referred to as the Breen(?) and Williams
Case, in which a patient was seeking access to their medical records held by a
specialist, and the high court of Australia found that ownership of the health
record rested with the medical practitioner, not with the patient, and that the
patient did not have a common-law right to access information held about that
patient by that medical practitioner.

That ruling provoked significant reaction from – within the Australian
community, which has led a number of the states and territories to pass
legislation specifically concerning a right of access to health information
held by medical practitioners to patients, but that legislative framework is
not consistent across the different states and territories of Australia,
although it is now largely accepted within the medical profession that patients
do have a right to view and understand and access information held about them
in their record, although the degree to which patients have the right to
correct information held in a medical record which they believe to be incorrect
varies across the different Australian jurisdictions.

DR. ROTHSTEIN: And what about any right to delete information that they
think is sensitive and perhaps not medically relevant anymore, could be old

DR. RICHARDS: Again, the exact situation differs across different
Australian jurisdictions, but, in general, my understanding is that a patient
does not have a right to seek material deleted, but does have a right to seek
that material annotated, in some jurisdictions, to indicate that they believe
that this material is incorrect and potentially prejudicial.

DR. ROTHSTEIN: And as you shift over to electronic records, is there
greater concern about privacy and confidentiality among the public or
haven’t you seen that yet?

DR. RICHARDS: The development of electronic health records has certainly
contributed to the public debate and raised the issue of privacy and
confidentiality of health records generally within the Australian community.
Clearly, technologies can either be privacy neutral or they can be privacy
enhancing or, indeed, they can damage and undermine a person’s privacy.

Obviously, electronic and internet technologies can allow a sort of wide
dissemination of information that was previously fairly inaccessible on a paper
record, and so it is generally accepted that it is incumbent on anyone
developing electronic health records to ensure that the technology is utilized
to, if anything, enhance the privacy of the individual, rather than, in any
way, undermine that.

DR. ROTHSTEIN: Ms. Ward, would you care to comment?

MS. WARD: Yes, I think that is correct. There has been a greater concern
with electronic health records. The public is concerned – for, you know,
greater exchange of information, and whether privacy can be maintained in that

DR. RICHARDS: In the development of Health Connect, the way – and
recognizing that a national system of electronic health records in Australia
needs to operate within a legal framework of multiple state and territory
legislation as well as the Australian common-law legislation, the development
of an electronic health record that is share-able and accessible by a range of
providers and, indeed, the consumer themselves, the development of those
records has largely revolved around the concept of informed consent. There is
some ongoing debate in Australia as to whether, in certain jurisdictions, it is
acceptable for an electronic health record to be developed on all patients in
that jurisdiction with individuals having the right to opt out of having such a
record developed or whether, in fact, there should be no electronic record
created unless the individual patient has gone through a specific
informed-consent process to opt into the development of such a record.

In these discussions, we certainly are mindful of some international
experience in the issue of whether it should be opt-in or opt-out, and that
debate is not yet resolved in Australia, but there is a universal agreement
that there should be a process of informed consent, so the patients should
understand the uses to which information held about them in an electronic
health record can be put and the degree to which they have authority to control
access to that health information.

Now, the common law and legislative frameworks that apply to the ownership
of the record that I discussed before obviously also have an impact. If the
common-law situation in Australia prevails, in that medical practitioners have
an inherent right to own the record that they create, the situation in which a
shared electronic health summary record is developed to which information is
contributed by multiple practitioners creates some interesting issues in
relation to ownership of the record and associated responsibilities for its

One of the ways in which we are looking to manage that situation is when a
provider does supply information to a shared electronic health record about
their patient to which other healthcare providers are also contributing, we are
exploring, currently, the issues of providers giving a license to use, in
effect, a copyright license to the use by other practitioners of information or
intellectual property which they have contributed.

DR. ROTHSTEIN: Is there any effort being undertaken to treat certain
sensitive health information separately or at a higher standard, such as
psychiatric records or HIV records and the like?

DR. RICHARDS: At this stage, the experience of the Health Connect trial and
pilots and field tests has been to treat all health information as potentially
sensitive and to create levels of access control and levels of consent and
authorization for access, audit trails and the like, as applying to all
information as if it were that degree of sensitivity.

Clearly, patients who have substantial concerns about potential bridges of
privacy and the impact on them of the broader availability of some sensitive
information, those patients are more likely to withdraw or not provide consent
for participation, although, it is recognized in many cases that participation
in such records, access control is managed appropriately, does, in fact, confer
a benefit on the individual.

DR. ROTHSTEIN: Patients who are concerned about loss of privacy, do you
think they are mostly concerned about the tangible loss of benefits that might
accrue? In other words, are they worried about losing a job or not getting life
insurance or something like that or are they just concerned about the
embarrassment or stigmatization that might occur from someone learning
sensitive medical information?

DR. RICHARDS: I think it is both. I think that, certainly, individuals have
justifiable concerns about a range of consequences of a potential breech of the
confidentiality of their health information.

DR. ROTHSTEIN: Okay. I would like to recognize one of my colleagues who has
a question for you, John Houston. John.

MR. HOUSTON: Yes, thank you.

A quick question about – just to follow up on that last question. Are there
similar laws in Australia regarding non-discrimination for medical conditions
or disabilities or things of that sort?

DR. RICHARDS: Yes, there are, and Ms. Ward may wish to comment on that.

MS. WARD: Yes, there are laws dealing with discrimination and preventing
discrimination on the basis of medical conditions.

DR. ROTHSTEIN: And a question from Mr. Harry Reynolds.

MR. REYNOLDS: With so much – appears to be so many degrees of – levels of
health information sensitivity and the informed consent and the opt-in,
opt-out, are you looking at things like e-prescribing? And if so many people
have a right to opt out, how can things like e-prescribing and some of the
other protections about knowing all the health information, how do you see
yourself balancing those?

DR. RICHARDS: The way in which we are progressing these issues in the
jurisdictions in which we are moving into in the implementation phase is to
differentiate between the electronic storage of information at the point of
care – that is, the electronic clinical record maintained within the precincts
of the individual medical practitioner providing the service – and a shared
electronic health summary record, which is in a data repository which is
accessible by the web by – potentially by a wide range of healthcare providers,
and in between those extremes is the point-to-point transfer of structured,
secure clinical messages between providers directly involved in providing the
care to the patient, most of the issue related to opt-in and opt-out and
consent relate to the development of a shared summary record in a data
repository to which potentially a significant number of providers will not only
contribute but be able to access information.

The decision of an individual practitioner or an individual service
provider to move from a paper-based record to an electronic record that is not
accessible beyond the practice in which the record was created is generally not
regarded within the community as being a decision that a patient has a right to
consent, though, if, for example, a physician decides to stop recording their
clinical notes on paper, but records them in an electronic system within their
practice, it is generally regarded that the patient doesn’t have a right
to say, No, I want you to keep my records still on pieces of paper.

I guess there is a common law – the balance of the fiduciary duties of the
provider to the patient that certainly medical professionals in Australia, as
elsewhere, have an ethical and common-law duty of confidentiality to the
patient, and that is to retain – ensure the confidentiality of information that
passes in confidence between the patient and the provider is respected and

However, there is an increasing recognition in both common law, but also in
certain jurisdictions in Australia in statute that the provider has an ethical
and common-law responsibility to maintain accurate records about that patient
and to use that information to make appropriate clinical decisions.

For example, a medical practitioner records an allergy that a patient has
towards a particular drug and then subsequently prescribes that drug to the
patient, if they haven’t maintained their records in such a way as to
ensure that information is readily accessible, there is certainly a cause for
action by the patient.

Once the information leaves the practitioner to whom the patient has
divulged information – say, if it is sent as a referral message to another
physician or sent as a prescription to a pharmacist, then, clearly, the duty of
confidentiality also applies, but the health system also has an interest in how
those messages are managed.

I mentioned that in Australia we have a universal health insurance called
Medicare, which is funded through taxation revenues and to which all Australian
residents are entitled to participate, and we also have a national
pharmaceutical subsidy system, called the Pharmaceutical Benefits – These large
national health insurance programs – health benefits programs and a number of
other national health programs are administered by a national organization
called the Health Insurance Commission.

The Health Insurance Act which oversees Medicare requires for a number of
things to be done in order for a service to be able to be claimed – for a
benefit to be claimed under Medicare.

For example, a specialist consultation is – the financial rebate for a
specialist consultation is significantly higher than the Medicare rebate for a
consultation with a family physician, the general practitioner, but that higher
level of rebate, he is only payable where a family practitioner has referred a
patient to a specialist for care, and that referral must be signed by the
individual medical practitioner.

We have in Australia an Electronic Transactions Act, which permits an
electronic document to have the same legal standing as a paper document, and to
determine whether or not a practitioner has signed a referral, the Health
Insurance Commission has introduced a system – the structure of healthcare, and
so all healthcare providers who operate under the Medicare banner are able to
receive, without charge, a digital certificate, either a personal digital
certificate, which equates to an individual signature, or a practice or a
location certificate, which equates to a – like a letterhead on a letter that
provides the non-repudiation and certainty that information is from a
particular healthcare location.

These digital certificates are increasingly widely used, not only for
transactions between healthcare providers and the Health Insurance Commission,
for example, submitting claims for Medicare benefits or providing – or signing
referrals between practitioners, but also, increasingly, being used between
practitioners for regular patient care, point-to-point clinical communications,
and so the public infrastructure provides encryption – highly-secure encryption
for health information flowing out of the internet between – in an electronic
form between providers. It provides – for the confidentiality of that
information to be preserved – preserve the message integrity, and, importantly,
for claims information and for some of the legal frameworks, it provides a way
of digitally signing that information in a way that is non-repudiable.

DR. ROTHSTEIN: Thank you.

We have just one last question, then we’ll let you go have breakfast,
and that question is I wonder if you could give us a bit more detail on Health
Connect, and that is is there a sort of a central repository in each state and
territory or is there a central system of interconnectedness of linkage with
the healthcare providers or are there multiple systems within each state and

DR. RICHARDS: At this stage, Health Connect has been rolled out as a – in a
preliminary pilot or an early implementation phase. There has been a single
repository in each jurisdiction for the storage of health records.

The current recommendation, in terms of the national architecture, is for
there to be a single national repository of those shared electronic health
record summary data sets for individual patients, and it is expected that those
data sets in that repository would be managed by the Health Insurance
Commission. HIC has a highly-secure internet gateway that is accredited by
Australia’s Defense Signals Directorate and is widely trusted as an
organization that handles security of electronic information extremely well,
but the final decision on those architectural questions is still to be made,
and it may be that, in fact, we end up with a federated system of records, and
so patients could have some – potentially some choice as to where their record
is maintained.

The current thinking is that an individual patient should only have their
record maintained in one place, but they may have a choice in what that place
is with the Health Insurance Commission being the default repository if the
patient does not elect to have their record stored by, for example, their
private health insurer, but those architectural issues are still being assessed
by an organization recently established in Australia to look at standards for
electronic health – called the National A-Health Transition Authority.

DR. ROTHSTEIN: Okay. And, finally, I guarantee this is the last question.

MS. GREENBERG: It’s a short one.

DR. ROTHSTEIN: Ms. Marjorie Greenberg has a question for you.

MS. GREENBERG: Thank you for participating. We appreciate it.

I just wondered how patients are uniquely identified in your system or are
they or what is your process?

DR. RICHARDS: At this stage of the development of Health Connect in which
it is largely original implementation of electronic health records and the data
are held within that region of Australia. We do, for each of those early
implementation phases, issue an identifying number for the purposes of the
Health Connect trial.

Again, the National Electronic Health Task Transition Authority, NEHTA,
which is the body I just mentioned, has been – to define the standards, in the
final stages of making recommendations to – and this is in relation to a
national health identifier, and the current draft proposal is for, again, the
Health Insurance Commission to manage a system of national health identifiers.

MS. GREENBERG: Thank you.

DR. ROTHSTEIN: And, Ms. Ward, any final words from you?

MS. WARD: No, I have nothing else to add. Thank you.

MS. BERNSTEIN: This is Maya Bernstein. I sort of found you – (laughter) –
identified you, and I am very glad to have you participating.

I just wanted to know if those recommendations will be available to the
public when they are finished?

DR. RICHARDS: Yes, I’m sure they will be. I’ll just draw your
attention to a couple of websites from which you could probably not only get –
information now –

MS. BERNSTEIN: Thank you.

DR. RICHARDS: – but you could monitor for developments over the next few

The first is the Health Connect website, which is at
www.healthconnect.gov.au. We
have, just last week, published a legal-issues report on Health Connect which
is quite an extensive piece of work which we commissioned from one of
Australia’s leading law firms to look at the legal issues in relation to
electronic health records, and I would commend that report to your committee.

There is a summary report, summarizing the key findings and
recommendations, and there is also a much more detailed report available on
that website.

That website also has information on the implementation strategy for Health
Connect and some evaluation materials on the range of pilots, trials and field
tests of the electronic health records in Australia.

The other website that I would draw to your attention is the website of the
National E-Health Transition Authority, which is at
www.NEHTA.gov.au, and that will have
information on the standards and architectures for electronic health record
systems in Australia moving forward.

DR. ROTHSTEIN: Well, once again, thank you very much for taking the time to
speak with us, and it was very helpful, and best wishes to you as you go
forward with your electronic health system.

DR. RICHARDS: Thank you very much for the invitation, and I am happy to be
of assistance should any further questions arise.

DR. ROTHSTEIN: Thank you, and for those of you who are listening live on
the internet, I just want to tell you about the schedule for the rest of our

We have had no requests for statements from the public.

The subcommittee is deferring its discussion session until tomorrow at
11:30, from 11:30 a.m. to 12:30.

And if there is no further business, we will be adjourning for today. We
will resume promptly tomorrow morning at 9:00 a.m.

Thank you.

(Whereupon, the meeting was adjourned at 4:30 p.m.)