[This Transcript is Unedited]




“Personal Health Records”

June 9, 2009

National Center for Health Statistics
3311 Toledo Road
Hyattsville, MD 20782

Proceedings By:
CASET Associates, Ltd.
Fairfax, Virginia 22030


  • Introductions and Opening Remarks – Leslie P. Francis, PhD, JD, Co-chair, John Houston, JD, Co-chair
  • Panel VI – Federal Demonstration Projects
    • Patrick Conway, MD, Office of the Assistant Secretary for Planning and Evaluation, HHS
    • Chrislyn Gayhead, BSN, RN, Office of e-Health, Standards, and Services, Centers for Medicare and Medicaid Services, HHS
    • Seth Edlavitch, MPH, MHA, Program Manager & Project Director, My Personal Health Record
  • Panel VII – Consumer Advocates and Attitudes
    • Susannah Fox, Associate Director, Digital Strategy, Pew Research Center
    • Dave deBronkart, Co-chair, Society for Participatory Medicine
    • Deborah C. Peel, MD, Patient Privacy Rights
    • Deven McGraw, JD, Director, Health Privacy Project, Center for Democracy and Technology
    • Robert Gellman, JD, Independent Privacy Consultant, and Author, “Personal Health Records: Why Many PHRs Threaten Privacy” World Privacy Forum
  • Discussion


Agenda Item: Introductions and Opening Remarks

DR. FRANCIS: Good morning and I am sorry that we are late. My name is Leslie
Francis. I am a professor of law and philosophy at the University of Utah, along
with John Houston, who is the vice president responsible for privacy and
security at the University of Pittsburgh Medical Center. We are the co-chairs
of this Subcommittee on Privacy, Confidentiality and Security, a subcommittee
of the National Committee on Vital and Health Statistics. The National
Committee on Vital and Health Statistics is a federal advisory committee
consisting of private citizens that makes recommendations to the Secretary of
HHS on matters of health information policy. On behalf of the members of the
subcommittee and our staff, I want to welcome you to today’s hearings on the
privacy, confidentiality and security of personal health records.

We are going to begin with introductions of the subcommittee, of staff,
witnesses, and guests. Subcommittee members need to disclose conflicts of
interest. Others need not do so. I will begin by noting that I have no
conflicts of interest.

MR. HOUSTON: Good morning. As Leslie said I am John Houston with the
University of Pittsburgh Medical Center. I have no conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross/Blue Shield North Carolina. I am a
member of the subcommittee and no conflicts.

MS. KAHN: Hetty Kahn, National Center for Health Statistics CDC, staff to
the subcommittee.

MS. GREENBERG: Good morning and welcome to NCHS. I apologize to those of you
who had some difficulties getting here. I am glad to see you all. I am Marjorie
Greenberg from NCHS CDC and the executive secretary to the committee.

DR. FRANCIS: We will let the witnesses introduce themselves afterwards.

MS. WATTENBERG: Sarah Wattenberg, Substance Abuse Mental Health Services

MS. CHAPPER: Amy Chapper, Centers for Medicare and Medicaid Services, staff
to the subcommittee.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the
subcommittee. No conflicts.

MS. MILAM: Sallie Milam, West Virginia Health Information Network and the
West Virginia Healthcare Authority, member of the subcommittee. I am an N2
contractor. That would be the only conflict.

MS. MCANDREW: Lucinda McAndrew, Office for Civil Rights, staff subcommittee.

MS. JAMISON: Missy Jamison, National Center for Health Statistics.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics, CDC,
committee staff.

MR. DECARLO: Michael DeCarlo, Blue Cross/Blue Shield Association.

MS. TROOP: Cindy Troop from the Center for Information Therapy.

MS. FOX: Susannah Fox from the Pew Research Center.

MS. PLAKE: Sarah Plake, Office for Civil Rights.

MR. GLASS: Good morning. J.R. Glass, vice president of healthcare programs,

MR. GELLMAN: Bob Gellman, privacy consultant.

MR. DEBRONKART: e-Patient Dave deBronkart, healthcare blogger.

MS. CHRISTIANI: Jeannine Christiani, contractor for the committee.

DR. FRANCIS: Is there anyone on the phone?

MS. HOLLAND: This is Elizabeth Holland from the Centers for Medicare and
Medicaid services.

DR. FRANCIS: Anyone else? Thank you and welcome again to everyone. This is
the second session of the subcommittee’s hearings on personal health records.
Let me give a brief background on their purpose. As you are aware, great
emphasis is being put on improving the quality of care while controlling
healthcare costs. Part of these reductions is hoped to occur through the
adoption of electronic health record systems and the efficiencies that come
from their use. Along with the adoption of EHRs, there is significant interest in
the deployment of PHRs. Hopes for PHRs include better management of chronic
disease and greater participation by patients in their care. But it is likely
that there will be significant changes in consumer-facing health IT over the
next 5 to 10 years and that these changes will continue to raise important
issues for privacy and security. These hearings are intended to explore the
privacy, confidentiality and security requirements of PHRs and consumer-facing
health IT today and in the future.

Today we are going to start by hearing from a panel on federal demonstration
projects involving PHRs. We will continue with a panel on consumer issues and
attitudes. After our lunch recess there will be an opportunity for public
comment from 1:30 to 1:45 for up to five minutes. Please sign up with the
registration table if you wish to comment during that period. We have requested
our witnesses to limit their remarks to about five minutes so that we will have
ample time for questions and discussion. Witnesses may submit additional
written testimony to Marietta Squire within two weeks of the hearing. Please do
the right thing by your cell phones and do we have Internet capability? Yes, we
do. Right, we are broadcasting over the net.

We are now going to start with the panel. This is actually panel six of our
hearings on federal demonstration projects and I believe Mr. Conway is going to

Agenda Item: Panel VI – Federal Demonstration Projects

DR. CONWAY: I am Patrick Conway. I am the Chief Medical Officer in the
Office of the Assistant Secretary for Planning and Evaluation. Elizabeth
Holland is on the phone from CMS, but I will be presenting in the room. I am a
physician. My full disclosure is that I am neither a privacy nor a security
expert. In terms of background, I will move through this quickly, especially given
the expertise in the room and this being a 5-minute presentation. This is just a
luster model of the current healthcare model, where the patient is often to the
side with phone and paper trying to figure out what to do in healthcare. I will
also disclose upfront that part of my interest in PHRs is both as a healthcare
researcher and from taking care of a father with chronic illness, where we built
his own PHR as a Medicare beneficiary when I took care of him for 12 years.

If you think about a potential consumer centric model in the future and this
is built off of some of the work by Markle, you can imagine the consumer in the
middle with a PHR portal connecting to health plans, hospitals, payors,
doctors’ offices, pharmacies on one side and also on the left side of the frame
connecting to devices, consumer PHR applications, healthcare financial
management tools. Now this is certainly a vision for the future if you will
largely and there are pockets in the US where this vision comes to fruition but
the idea being that we move towards a healthcare market place where the
consumer is really empowered with information, controls that information and
therefore can manage their health significantly better.

A few of these you will hear about in more detail: a feasibility pilot in 2006
from CMS, a plan pilot that started I believe in June 2007 working with
Medicare Advantage and Part D plans, and the South Carolina pilot, which you
will hear more about.

So Medicare PHR Choice. The impetus behind this was the idea of testing a
model where beneficiaries had a choice among PHR vendor platforms. It was
launched in January 2009 in Arizona and Utah for fee-for-service beneficiaries.
There were four PHR vendors selected based on required criteria and
differentiating criteria. There were over 40 interested vendors in the process.
Fewer applicants met the criteria, and then four were selected by the CMS
contractor Noridian, which is the claims administrator in the area. Those four PHR
vendors were Google Health, Health Trio, NoMoreClipboard.com, and Passport MD.

In the pilot setup, CMS is utilizing the Medicare administrative contractor
Noridian, which is in those states’ areas, as the contractor of the pilot and to
transfer the claims data. The PHR vendors receive no funding from CMS but all
sign data use agreements, including security provisions in those data use

Beneficiaries opt into the pilot so fee for service beneficiaries can choose
to sign up for the pilot and give authorization for their PHR platform vendor
to obtain Medicare claims data on their behalf. Noridian manages an
authentication process. Medicare will auto populate up to two years of part A
and B claims into a PHR and continue to add new claims as they are available.
Medicare cannot access any information in the individual’s PHR. Individuals
keep claims data in the PHR after the pilot is over if they choose to, and if
the beneficiary decides to delete their account the claims data is deleted with
their PHR file.

The next few slides are some screen shots to show you what Medicare
beneficiaries see. So this is the branding the My Medicare, My Health Records,
online, anytime, Medicare PHR Choice. They have a screen here that you can see
with the different pilots available to them: the Medicare PHR Choice, MyPHRSC,
et cetera, South Carolina. There is information on PHRs on the web page to give
them some basic background as they think about their choices. These are just
the logos for the four participating vendors in Arizona and Utah.

When they leave the site, since we have connections to the vendor sites, it is
clear to them that they are now leaving the Medicare site and going to Passport
MD or whatever site they selected to take a look at that PHR platform and learn
more. There are also pages explaining basic information on the types of questions
to ask and concepts to think about when they look at a PHR.

In terms of the beneficiary choice, beneficiaries choose whether to sign up
for the pilot. It is an opt-in model. Which PHR to choose among the ones
available to them at this point? Who has access to their PHR? All the PHR
platforms have the ability for the beneficiary, if they choose, to give access to
a family member or a caregiver. And whether to link to other sources? Some of
the PHRs have links to pharmacy data, providers, lab data, but it is up to the
beneficiary when and how they want to make those links, or if they want to make
those links.

In terms of the options the different PHR platforms have different
functionalities, data connections, tools, education materials. There is a
summary table on Medicare PHR Choice website that didn’t project well because
of the level of detail but the beneficiaries can look at some of the major
functions and see the differences between the PHR platforms and this pilot. All
of the PHR vendors offer a no cost option to the beneficiary and several offer
a higher level of service for a fee.

In terms of outreach the initial launch events were attended by the acting
CMS administrator at the time and the deputy secretary for HHS. CMS did
outreach including initial mailing to beneficiaries the website as was
described. PHR vendors are also doing outreach to the beneficiaries to the

In terms of data standards, Noridian is transferring the data to the PHR
vendors based on recognized data standards. PHR linkage to other sources of
data was a differentiating criterion in selection. So in terms of selecting the
vendors who participated, it was a differentiating criterion whether they had
these other connections that could serve beneficiaries.

In terms of the evaluation, I sit in the Office of the Secretary, in an
office that is really responsible for policy and for evaluation of programs.
This is one of the evaluation projects in my portfolio. There will most
likely be two major components. One is a survey of beneficiaries and the other is
an analysis of the impact on select quality measures and healthcare
utilization. The survey will assess factors such as how satisfied
beneficiaries are with the pilot and the PHR, and the factors associated with
satisfaction. What features do beneficiaries like and dislike in their PHR?
What types of outreach and education made beneficiaries willing to use the PHR?
What effect do beneficiaries feel PHR use had on their health and healthcare? Did
the PHR facilitate communication with providers and if so, how? What factors
made beneficiaries decide to continue to use their PHRs or stop using them? This
is just an example of the types of –- so this isn’t an exhaustive list but
it is the type of questions that would be asked in the survey.

For the phase on some of the claims analysis, it is going to be an issue, in
terms of how many beneficiaries sign up, how deep a level of detail we go into in
that analysis, given this is a pilot, and you will probably hear this, I would
guess, as a common theme today. The idea is understanding personal health
records, what their roles can be for beneficiaries to manage health, and,
importantly going forward, how do we design these systems so they serve
beneficiaries’ needs as much as possible?

DR. FRANCIS: Thank you. Our next speaker is Mr. Seth Edlavitch.

MS. GAYHEAD: It is actually Chrislyn Gayhead speaking next. We are actually
going to be a tag team today. I really appreciate the opportunity to testify
before the committee. As was mentioned before, my name is Chris Gayhead and I
am the CMS Project Officer for MyPHRSC, which is the personal health record
pilot that is taking place now in South Carolina. Seth Edlavitch is the project
director and project manager for QSSI, which has had responsibility for operating that
pilot since the beginning in 2007, when we went live with the pilot.

Actually, as you know, CMS has been using these pilots to explore different
ways of making claims data available to beneficiaries electronically. A few
years ago, in 2005, when we published a request for information to figure out
what CMS’ role should be, among the many information tidbits we received was
that, one, CMS should not be in the business of operating pilots, which is why
you have the model that Patrick just talked about. But also there was a concern
about how beneficiaries would be able to understand how to use the
functionality of the PHR, and how to communicate and talk to beneficiaries about
electronic PHRs, making sure that they understood it and that they would get the
best use out of it.

So as Patrick explained we did design a series of PHR pilots so that we
could really understand the feasibility of moving data from Medicare systems
into a PHR as well as figuring out importantly for the South Carolina project
what kinds of outreach would be effective for beneficiaries. What was the
messaging that we needed to put forth so that they would really be able to grab
hold of this new technology? We knew that it was going to be something that
would be more important in the future and getting the claims data out so the
beneficiaries could use it was a primary concern.

What we did when we created the South Carolina pilot was to consider that,
since the outreach messaging was so important, we wanted to have as secure a pilot
as possible, and in doing that what we did was create a pilot and sort
of tie it into the CMS information security and privacy standards.

QSSI, as I said before, is the software company that won the bid to be the prime
contractor for MyPHRSC. Together with Health Trio, Palmetto GBA, and IBM, it
created MyPHRSC as a pilot that provides online services for the beneficiaries,
and it is only available to beneficiaries in the state of South Carolina. As
you can see, it is updated daily. It provides 24 months of Part A and B data
from the Medicare claims, from Palmetto, into the PHR.

One of the things that we really wanted to be sure of too was that the
beneficiary would have access to the PHR 24 hours a day, 7 days a week, and
would be able to have as much control of the data that was in the PHR. We
wanted to give them one place to track all of their history and also give them
some additional resources that they could use such as to help them understand
their diagnosis and the conditions that they had.

The other thing we did was in tying the PHR system to CMS information
security policies -– one of the things we wanted to really do was to make
sure that the beneficiaries when they signed up for the PHR knew that they had
access to the information that was inside the PHR but that it was secure to
them meaning their claims data was something that we were not going to look at;
however, we were going to perform some monitoring and auditing as part of our
evaluation processes.

Later actually in 2009 we had a partnership with the Department of Defense
so beneficiaries who elect to sign up for the South Carolina pilot could also
get access to TRICARE data if they were beneficiaries of that kind of data. So
now they had Medicare data and they also had access to TRICARE data through
that. Both TMA and CMS adhere to their respective security and privacy plans.

For the privacy part of MyPHRSC, we tie that again to the privacy and
security rules required by CMS, and we wanted to be able to confirm that these
beneficiaries had access to a privacy policy, a notice of privacy practices. We
wanted them to know that there were procedures in place for data destruction
and disposal if the beneficiary should die or if the beneficiary decides to
opt out of using the PHR, and also we wanted to be sure that there were
policies for securing the beneficiary’s data and making sure that he also gave
specific written authorization should he want anyone else to take a look at the

We put policies in place to authenticate beneficiaries and their authorized
representatives, and we made sure when we created this policy that the PHR
partners all looked at the necessary data use agreements and other kinds of
agreements for using the data. This also made the PHR compliant with HIPAA policy
for privacy and security.

QSSI and its partners met with CMS over time, and we put together a lot of
different tests and hurdles for them to meet in terms of meeting CMS’ policy
and security. Again, Health Trio has a very secure PHR, but we wanted
to make sure that they met the CMS standards. That would include that they
had to have a system security plan in place along with the risk assessment and
the methodology. They needed to go through the CMS security testing and
evaluation, a pretty rigorous process that is based on FISMA. We also wanted to
make sure that there was sufficient contingency planning and that they were
also able to update their security on an annual basis.

With regard to the public perception of privacy, we know that the public is
very interested in it, even in the Medicare population. Of all the outreach
events that we conducted in South Carolina, there are about 119 to date, at just
about every event someone is asking a question about how secure is my data. Is
anyone looking at it? What about big brother? So to the extent that they were
able to be satisfied that the federal guidelines and requirements kept their
data safe, to that extent they felt really comfortable using the PHR and
interacting with it. At this point it has been a pretty positive experience.
Now, in order to go into a little bit about how the PHR met the federal
standards, I’m going to turn it over to Seth Edlavitch and let him tell you a
little bit about the detail that they went through.

MR. EDLAVITCH: Thank you very much to the panel for inviting us to testify.
We really appreciate this opportunity. My name is Seth Edlavitch. I am the
Project Director at QSSI. We are the prime contractor on this project, and we are
very excited about being involved with this project. As Chris has told you, we
were required to meet all the CMS security requirements. Some of them we were
unaware of at the beginning of the project. It was a little paragraph in the
statement of order, but when you delve into the paragraph you realize how
important all these elements are.

Chris also said that both our partners Health Trio and Palmetto GBA, are
very aware and invested in privacy and security when it comes to moving the
data. So some of these elements were already in place. Some of them we just had
to find. Most of the policies were in place. We just had to go track them down
and we had to write them down because as many of these companies do they say
this is our policy. We do X and Y with the data, but with the CMS requirements
we have to make sure that that policy was written down and that it is updated

The physical and environmental protection controls were in place for both
companies. With neither company did we have to say you need to have locks on the
doors of the server rooms, you need to make sure that the data is transferred
in a proper manner. That was in place. The data is moved via VPN or SFTP. That
didn’t have to be created. There were presentation, application, and data zones
that were all required by Medicare, but it was also a very easy transition into
ensuring that the appropriate firewalls and other requirements were in place.

With that said, we did go through the full MITRE-conducted security test.
It was a weeklong test. There were roughly 130 elements that were found, and we
solved everything in record time. We would not have been able to launch
without the authorization to operate from that, meaning if we had not met all
the security standards from Medicare, the project would not have gone live.
Data would not have been available to the seniors in South Carolina.

We are FISMA compliant. We do comply with these standards. We have a
comprehensive RA and a systems security plan that are updated annually. We do
have a contingency plan. We conduct a tabletop test annually. These are all
required under the Medicare CMS security requirements. We are fully committed
to them. These are elements that we believe in and we are fully supportive of.

During some of the questioning from the panel we were asked about SNOMED. We
do use SNOMED. I am not an expert on SNOMED. Dominic Wallin from HealthTrio
testified to the full subcommittee about SNOMED a few months ago. If you are
interested in the full testimony you can download it from the website or just
ask me. I am happy to send it to you.

It is a way of coding, though, that provides an opportunity to tie unrelated
data together and that allows for sensitive data categories, and I know that at
the last testimony folks were very interested in sensitive data categories. The
reason those categories are created is because if you are a nonclinical person,
and I’m not a doctor, I may not know what elements in my record I really want to
have protected or unseen by those that I choose to allow to view my record. It
allows tying those elements together.

With that said like the other pilots individuals can assign authorized
representatives. Authorized representatives get their own user ID and password
and that is a choice. We don’t tell them they have to. We don’t tell they don’t
have to. We don’t guide them as to who their authorized representatives will

Just real quick, I wanted to show you that this is an element in the tool
itself where an individual goes in and can actually choose which data
classes are protected or not protected. The data classes that you probably
can’t read, such as sexual assault, drug abuse, abuse or neglect, are
automatically restricted within the tool. It is an all-or-nothing restriction.
If you choose to allow one authorized representative to see it, all of them
will see it. If you hide it from one, it will be hidden from the others. These data
classes are automatically restricted within the PHR.

There are also functional areas, which are areas created by the tool, such as
permissions, claims, and social history, which are automatically restricted.
Now an individual can go in and grant or revoke access to these areas. As Chris
said, we do provide the outreach and the training. We have a 70-page user guide
that is actually up within the tool, and it is a picture-based user guide. I
have an image of the page and I have an arrow that says this is how you: step
one, do this; step two, do that. I am an outreach guy by training, so that’s the
way I see the world. I am like Patrick. I am not a security expert but I am

At the last testimony, one of the issues that you all were interested in was the
ability to import the data. There is a health records page. We call it the health
records summary, but as you can tell it is also a continuity of care record. They
can print the continuity of care record. They can create it as a PDF. They can
download it as an XML file, which then would allow them to port it to another
system if they were interested in doing that. There is also the audit
capability, where they can view the previous views of this page, and that audit
is on several pages throughout the personal health record.

I am going to pass it back to Chris real quick to do the summary. I know we
are running short on time.

MS. GAYHEAD: Just with what Seth has said, you can see that CMS takes the
privacy and security of this pilot very seriously. We give it the same amount
of seriousness that we give to all of the Medicare data. With respect to
creating this PHR, it took way longer in terms of time to meet the standards for
privacy and security than we anticipated, so of course taking the proper time
to implement it we found was key. Annual review not only is a
requirement but it is also a very good practice to be in, in terms of looking at
the security. Again, I am not a security person either, but we all know that the
world is changing on a daily basis and all of us hear about things that happen
in the news, breaches, people whose security and/or privacy has been violated,
so annual review of everything that we are doing is key.

Another thing that we really wanted to make sure of is that the PHR was
Section 508 compliant. We wanted to be sure that it would meet those
standards, again, another CMS requirement.

The most important thing, again, with Seth being an outreach person, is that we
wanted everything to be in as plain English as possible, because we know that
there are all these documents that are out there, data use agreements and
security documents and privacy policies, but the person signing them,
like most people, kind of looks at it. You are overwhelmed by the number of
paragraphs. If you want to use the tool you check it and then you move on.
We really wanted to be sure that what we were trying to tell them was written
in plain English.

Again, the other thing that we do for Medicare is that our customer service
line for this PHR is very robust, so that an individual can actually call in and
say I don’t understand this, and Seth or someone he designates will actually be
on the line to talk them through the things that they need to do, and our
beneficiaries have found that to be very, very useful to them.

So thank you so much for the opportunity to testify before the committee.

DR. FRANCIS: Thank you. We will open the questions with John.

MR. HOUSTON: Great. Really interesting testimony. I have a question
specifically for Pat. You selected out of a group of 40 vendors for your pilot,
and I was just interested in knowing whether, as part of your selection
criteria, you had minimum privacy and security requirements that said if you
want to play, here is what they are. I guess that’s my first question.

DR. CONWAY: The short answer is yes and Elizabeth is on the phone. Feel free
to jump in. So there are minimum security requirements. As I said I am not a
security expert. My remembrance is there were NIST 800 moderate, but Elizabeth
can give you details on that but there were minimum security requirements and
then there were requirements on the privacy policy in terms of that they had a
privacy policy that would be given to the beneficiaries et cetera. So there
were minimum criteria both in the security and the privacy space.

MR. HOUSTON: Having a privacy policy is one thing. I can have a privacy
policy that says I’m going to share my data with whomever I choose. Were the
requirements prescriptive as to what was a minimum –- a floor as to what
had to be in the privacy policy, and did it preclude such things as data sharing
or data mining? How far did it go in terms of what was in the minimum, the
floor requirements for privacy?

DR. CONWAY: I will start to answer it. Elizabeth, are you still on the phone
by the way?


DR. CONWAY: I will start, Elizabeth, and then I will turn it over to you.
There were requirements in terms of what the PHR vendors could not do with the
data. So I don’t say something that is incorrect I will turn it over to

MS. HOLLAND: When we posted the requirements, we also posted a copy of the
data use agreement, and in the data use agreement we spelled out very
specifically what could be done with the data and what could not, and actually
some of the vendors had a little bit of difficulty with that, and it required a lot
of negotiation on our part, because one of the things that we required was
independent security testing, and certain vendors never let outside people into
their system, and so that was really a problem. But we tried to say that we
wanted them to comply with the Privacy Act, the Privacy Rule, and other CMS
data release policies. Whether or not the vendors totally read that when they
submitted their applications, I would say probably not, because when we went to
try and work with them it was a really frustrating process. For us it really
brought to bear that there is wide variability out there in privacy and
security practices. PHRs are not covered entities, and so they are all
implementing things however they want to, and that’s really somewhat
problematic for us.

DR. TANG: Thank you. I have a number of questions. I will kick off on where
John left off in terms of it is clear that everyone worked on the security
provisions and security testing and those are a little bit more
straightforward. It is the privacy policies that have been the subject of
discussion at this committee as well as the former part of this hearing.

Let me focus in a bit on that. There are two areas. One is the protection of
confidential health information and the other area I would like to explore is
the usefulness to the consumer patient. So the first is the privacy and we just
heard about how it may have been hard to educate the so-called PHR vendors on
the privacy provision, which is somewhat distressing you have to admit. If it
is that hard to educate the vendors then what about the consumers as Chris
pointed out as well and do we really know how to educate them on what they even
need to know or be aware of.

So one is, we talked about the privacy policies and your requirements on the
PHR vendor. Many of those vendors actually have subcontractors or other third
parties. How far do you reach with your data use agreement? And again, hearing
how difficult it was even with the primary vendor, did it even reach the
secondary vendors or the third parties that operate off the data maintained by
the primary provider, and what kind of jurisdiction do you have? Do you have any
contractual obligation, et cetera?

MS. GAYHEAD: With CMS there were data use agreements that were executed
between QSSI, HealthTrio, IBM, and –

MR. EDLAVITCH: For our project it was set up a little bit differently than
the PHR Choice project. We certainly met all the criteria that were needed in
order for data use agreement, interagency agreements, CMS private. We met all
the standards so it is a little bit different than the PHR Choice project,
which used a different model. I think and correct me if I am wrong, that your
question is a little more directed at Patrick or is it really applicable to

DR. TANG: It may be as long as your vendors do not then again share it with
other folks.

MR. EDLAVITCH: Right. So the data is all protected. It is all Medicare data.
Any data coming in to MyPHRSC we have received a data use agreement and then
subsequently an authorization from the individual to allow that data to
populate. So the best example is – well, there are two examples: the
Medicare and claims data. In order for an individual to sign up they have to
click yes on the privacy agreement and we can all agree that the privacy agreement
may be a long document that they may or may not understand and that you asked a
question about education. How do we educate them? That certainly is a different

The other part of the data is the TRICARE for Life data, which we included
in January and for those individuals with both TRICARE for Life and original
Medicare they can choose to authorize that data. They have to go through the
same authorization process. So they are actually doing it again. They click I’m
TRICARE for Life. Here is my information and then they get the data user
privacy agreement, online privacy and security policy, and it has all the
required information. So for us it is a little bit different because it is all
self-contained. We only have data coming in. As Chris mentioned we don’t look
at the data. Medicare doesn’t have access to the data. It is the same Medicare
and claims data so it’s not new data.

MS. GAYHEAD: We really had a much more hands-on approach to the MyPHRSC pilot
than we did with PHR Choice. In a lot of ways I think you will see that distinction
then as we have the conversation. We work very closely with them. We in effect
consider them us as opposed to PHR Choice. That is the distinction as well.

DR. CONWAY: So to answer what was your second question. So the data use
agreement should apply to the data including anyone that that entity would then
subcontract to. I mean it is a data use agreement about the data as opposed to
– so I think that answers your second question.

I think your first question and I will let Elizabeth jump in. Your first
question I think is incredibly interesting and I would argue we don’t have a
lot of good information about. We have the Office of the National Coordinator, with lots of
people including I’m sure people in this room, developed a PHR facts at a
glance, the idea being that you would transmit information on privacy policies
in some standard format that therefore consumers would understand. That is
going through consumer testing now. It certainly I would guess should change as
it goes through consumer testing. But I think this issue of how you communicate
that to a consumer that they actually understand and this balance of having all
the information and therefore they don’t read it versus having the key
information that consumers really need to see and use. I think that is an area
and I am not as I said in the beginning I’m not an expert in this area, but I
think that is an area that is ripe for more investigation about what do
consumers really want to know, how do you communicate that to them, do they
understand it. I think there is a host of issues there that we don’t fully

MS. GAYHEAD: Also with the PHR, MyPHRSC pilot, one thing that we really rely
heavily on and the reason for the pilot is really to look at outreach and how
to talk to beneficiaries about PHRs. We have always had a very high touch if
you will customer service. We do a lot of utilization meetings where folks can
come in and just sit one on one and learn how to go through their PHR and get
questions answered. There have been a whole series of them throughout the state
of Carolina. We have taken advantage of many, many senior-oriented events going
on there. We have worked with trusted partners, the SHIPs. We have an advisory
board. Seth is the one that can certainly tell you about all of that, but a big
part of getting the communication to beneficiaries has been talking one on one.
I will just let Seth go because he is the expert on that.

DR. TANG: Well, actually let me go back to the second question with respect
to the PHR Choice because some of those vendors do share it with the third
party and I think what I heard you say is that you have data use agreements
with the third party, which would be a little bit unusual.

DR. CONWAY: Let me correct. I did not. So we have a data use agreement with
the primary vendor. In terms of selecting and then, well, go ahead.

DR. TANG: So that is a concern. The individuals participating are not maybe
fully aware of who else has access and what protections that “the
government” really applies to those third parties of your third party.

If I could go to one more area and that is the usefulness of this
information and we are all aware this is claims data because coming from
Medicare and we are going to hear from e-Patient Dave but you are also I am
sure very familiar with that story in the Boston Globe. How are you assessing
the value and the potential harm of using solely claims data and populating the
PHR and how will you get that kind of feedback from the evaluation?

DR. CONWAY: First, I am a clinician and still practice as a clinician and I
manage people with the PHR as I alluded to a family member. I think claims data
as you are starting to allude to, I think is sort of a minimal threshold if you
will and has some usefulness but is not as useful as potentially other tools.
So I think how we try to get at this issue of data usefulness as we offered an
array of products through PHR Choice. They have different connections that are
more than claims data so multiple of them have access to pharmacy data.
Multiple of them have access to lab data. All of them you can self populate.
That has its own issues. The consumer has a choice of products that have
different connection points. Some of them have access to providers in the area.
So those add-on services, my guess, but this is why we need the evaluation. My
hypothesis would be those add-on data elements and connections is what
consumers will truly value.

DR. TANG: And your evaluation will assess that?

DR. CONWAY: Yes. So when I said a functionality and data linkages so it
would assess what they valued in terms of data linkages, what they valued in
terms of functionality so the assessment tool would assess what the consumers,
the beneficiaries in this case valued about the PHR.

DR. FRANCIS: I think, Harry, it is your turn.

MR. REYNOLDS: I would like to commend all of you and I think the government
– on all these efforts on PHR and I commend you for that. This community
spent a lot of time working on a subject called sensitive data and we have
written a number of findings on it. I was struck in the last hearing we had by
somebody making a statement that all information is sensitive to someone. As
you have gone through and are dealing with this there is the thought of opt in
and opt out all the way and then there is the thought of clearly defining
sensitive data and then there is the thought of people being able to parse the
data anyway they choose to. Are you approaching that? What are you finding? How
burdensome or unburdensome is it? Do the people really get it as they are doing
it and is it as useful if that kind of data is withheld?

MR. EDLAVITCH: It is a great question. I think we are working with the user
population that may not fully comprehend all of the elements of a personal
health record. They may actually not know that they have the ability to go in
and click something to grant or click something to revoke. In that case I don’t
know if we can really tell you whether or not it is useful or not useful to
this population itself. If we were to broaden it out to a younger population I
think the questions become more interesting to delve into. I do know that
seniors are very used to seeing the data that they currently get the way it is.
In our personal health record we are showing claims data. They are very excited
to see their claims data. They have been getting Medicare summary notices every
month or whenever they come. It is hard for them to organize.

So for our pilot they are very excited to have the information moved into a
certain area. We haven’t had a lot of people call. As Chris said I answered the
toll-free number for the first four or five months and I currently answer the
emails. So, if you have a question, you send an email, it comes to me and I
will answer it probably at 10 o’clock at night on a Saturday.

We haven’t had a lot of people say I don’t want my doctor to see X or Y
data. We did have that request a couple of weeks ago and so we run through the
process with them. This is how you do it. I don’t know if I answered your

DR. FRANCIS: Could I just follow up and ask whether any of the providers
that you are working with in Utah and Arizona offer the sensitive information
category possibility that the South Carolina one does?

MR. EDLAVITCH: Definitely HealthTrio does because they are one of the
partners. They are one of the four so they definitely do.

DR. CONWAY: I just want to make sure I understand the question. You mean on
the PHR vendors which offer, is that correct? Okay. I may have misheard
you. I apologize. So I know HealthTrio does. I think others offer that, but
Elizabeth do you know for sure?

MS. HOLLAND: I can’t say offhand who does and who doesn’t, but it is a
feature that many PHRs have. I would also just like to say that the data that
we are moving beneficiaries have access to through our MyMedicare.gov portal
and have had that access for a while, but the reason we wanted to look at PHRs
was because we wanted to give beneficiaries access to their data in a different
way. So although they can look at their data on MyMedicare.gov they can’t
manipulate it or sort it or even add additional information.

What we found through these pilots is that beneficiaries, for example, we
don’t include medication data, but beneficiaries like the idea of going in and
having a look-up feature to help them put in all their prescription medications
as well as all of their over-the-counter medications. What we have found with
beneficiaries is they are using this as a tool and sharing it with others, not
necessarily their healthcare providers, but their families. These are elderly
people and their children don’t necessarily live near them, but they appreciate
the opportunity to give their daughter and son access to their records so that
they can help monitor them remotely. In one sense we haven’t really had that
much difficulty with people wanting to block different data elements because
they want their children to help them any way that they can.

MR. REYNOLDS: Is there anything in the pilots that would – as I say I
think you are really testing a lot of the base foundations and I know you talk
about a certain population. Are there any things that you are finding that
would not allow it to be easily transferred to the rest of the population? I
think the one thing you are doing by being out front is you are testing a lot
of base beliefs and base capabilities and so on. Is there anything that jumps
out at you that you would say if this were to become philosophically the
standard? Then what might be different as we try to roll it out to the entire
population based on standards, procedures, and structures, everything that you
are putting in place.

DR. CONWAY: Do you mean to the entire country Medicare population or the
broader or both?

MR. REYNOLDS: Well, no. Just the private sector – including the private
sector and others.

MS. HOLLAND: I think personally one of the biggest challenges is we are not
dealing with a particularly Internet-savvy population and so that is causing
some difficulties for us. I think for us the model we are looking at more is
being able to populate any PHR and so one of the real problems we had was they
weren’t all able to accept the summary records, the C32 because PHRs are using
all different ways to move data now and so it really would be helpful if there
was some certification or standardization of PHRs so that they could
communicate back and forth. As people age onto Medicare more and more people
are being offered PHRs to their health plan so we sort of feel we need to be
ready. So if they have an existing PHR when they age onto Medicare, we need to be
able to populate that PHR so that they can continue to use it.

DR. CONWAY: Two points. So one I mean in terms of scalability the PHR model
from a cost to the system perspective is much more scalable than an EHR model
just because the inherent cost of doing PHRs is multiple times less than the
cost of rolling out EHRs. I think there is also in this sort of health IT
debate and obviously most of the funds right now through meaningful use et
cetera towards EHRs I think they both become more useful in healthcare when
they are linked and Elizabeth just alluded to this.

So you imagine a model where your doctor’s office EHR actually then can
communicate to your PHR back and forth on a common set of standards. Then you
become a much more useful PHR and I would argue as a clinician also a much more
useful EHR because I could get information, glucose test, name your example,
that the patient if they want to is feeding back to me. So we are really a team
managing their care. I think there is a huge focus on EHRs and I hope we don’t
lose the factor that there is both a consumer-facing component of health IT and
a provider-facing component. To maximize our benefit I think we really need

MS. HOLLAND: In our office, the Office of e-Health, Standards, and Services
is working very hard on the EHR incentive program under Medicare/Medicaid but
we also want to continue our work with the PHR pilot.

MS. GAYHEAD: I think echoing Elizabeth and Patrick I think that it is so
important that the beneficiary, the patient, if you will, be the one that has so
much control over where the data is going. He is the one or she is the one that
has the circumstances that might require them to leave the area, perhaps use
another set of doctors, and just the portability of that information not having
to repeat it, having it available. We had people who made comments about well
if something like Katrina happened here I feel very comfortable knowing that my
record is stored electronically and someone can retrieve it. We had members in
assisted living facility that were very happy that their relatives living out
of state had access to this information.

MR. EDLAVITCH: From a user perspective we do have over 4200 seniors in South
Carolina. Defining use would be an interesting conversation, not today, because
there are some seniors who sign in once in December and then again in June and
that is use for them and yet because of the CMS security standards they then
have to go through a series of steps to unlock their account which you wouldn’t
have to do with a bank account. Let’s not lose sight of the fact that people are
very interested in it. They are using it. They are very excited that Medicare
is going in this direction to provide them access to the data. So in terms of
expandability as the country learns the value of PHRs, which I don’t think
we’re really there yet. I think it is definitely expandable aside from the
technical issues that need to be worked out. I definitely think the wave is

MS. MILAM: I would like to better understand your regulatory environment and
the impact of all of the different regulators. You mentioned that you are
operating the PHRs in a HIPAA environment. Correct me if I am wrong. I will
assume that CMS is the health plan, the covered entity, and that the PHR vendors
are the business associates.

MS. GAYHEAD: No, this is not – the way that we are approaching this is
that it would be compliant with the rules and regulations but PHRs are not
covered entities but they are going to conduct themselves and their business in
such a way as to if they were a covered entity that they would meet the privacy
and security requirements.

MS. MILAM: They were not business associates in the pilot then?

MS. GAYHEAD: There were data use agreements that the vendors signed with us
and then there were business associate agreements between the various vendors
and each other.

MS. MILAM: Beyond HIPAA you mentioned Medicare security and privacy regs and
policy. Can you all help me understand how they were different from HIPAA? What
value-add or what additional requirements they brought with them? Then from
your perspective with your at least two areas of regulation HIPAA and CMS regs,
what did they add to the process? What was too much for a PHR environment? What
was missing?

MS. GAYHEAD: I will take a start. With the PHR the more we worked with them
the more we considered that they needed to meet the CMS standards for security
because they were moving Medicare data and it was very important to us that we
apply at least the same level of security to that transfer that we require for
moving any Medicare data. Then we looked to what the information security
standards for CMS were and those are the FISMA requirements. Again, I’m not an
information security person; however, those requirements mean that the data
have to be moved in a secure fashion. We did use the NIST guidelines. We
required that they also meet as a HIPAA entity the privacy and the security
guidelines related to that. In terms of detail like what those specific
regulations are we can certainly provide those for you offline. I mean in
writing. But we did make sure that the data was extremely secure. We used a
VPN. We used SSL technology. When the beneficiary signs into the PHR online he
is in a secure environment. If he for some reason clicks out to leave that
environment, he gets a notification. So while he is in that environment his
data and his activities are secure.

DR. FRANCIS: I think we have time for one last question.

DR. TANG: All of you mentioned that part of the potential benefit is for the
beneficiary to share their information. How does an individual share it with
another and how do you authenticate that other person to make sure that only
the right people are getting it and do they each have their own log in and

MR. EDLAVITCH: So for the MyPHRSC pilot there is a button when you have signed
into your record that you can say assign an authorized representative. The
individual types in the key data elements, last name, email address, zip code.
There may be one or two other things that I can’t remember offhand. Hit submit
and then that authorized representative gets an email. In that email it’s got
their user ID and temporary password. When they go in to sign in they have to
change the password and then they have their user ID. The individual can grant
or revoke access to authorized representatives at any time. They can also
remove authorized representatives at any time. Let’s say they are at the
library and talking to somebody and they are convinced to assign them and the
son or daughter who is an authorized representative sees that that happens.
They can actually go in and help the parent remove people. We have not had any
issues of that. It is not a problem. That is just an example that it is very
easy for the individual, him or herself, to add an authorized representative.

DR. CONWAY: So the same and I also – Blackberry got a better answer
with the exact language to your previous question. The DUA explicitly states
that the vendors cannot reuse original or derivative data file without written
approval from CMS. By signing the DUA vendors are acknowledging criminal
penalties under the Social Security Act for disclosure of information that are
not authorized by regulation or law, also, criminal penalties under the Privacy
Act. We can talk more offline if you want to know the details underneath that
and certainly Elizabeth Holland is a great resource as well.

DR. FRANCIS: I think John has a burning follow up question that he would
like to ask and this will be the last one.

MR. HOUSTON: Burning sounds a little strong. With regards to your –
representative what is it?

DR. CONWAY: Authorized representative.

MR. HOUSTON: I am assuming you are dealing with a patient population that is
older, correct?

DR. CONWAY: Well, anybody who has Medicare. Generally the majority of our
population roughly 75 but we certainly had people who are 18.

MR. HOUSTON: Do you make accommodations for those individuals who maybe
don’t have the capability to make their own decisions? This is obviously an area
where PHRs — I know at least in my institution there is a lot of effort that goes
into you have an authorized representative because the individual frankly is
not competent or they just don’t have the capacity but yet because the child is
making appointments, is doing the follow up, they are the ones that really need
the account. Is there a way for somebody to grant that individual on the side
authorized representative status as well?

MR. EDLAVITCH: It is a great question. As you know we are guided by HIPAA.
We need the power of attorney. If there is a power of attorney or something
that is legal that says that that individual has the right to the data then
that is what we can use but in other cases we certainly have had experiences
where somebody is not able to make a decision but we can’t make that decision
for them. It is a really challenging situation for a group of people who might
be older who aren’t able to make the decision themselves.

DR. FRANCIS: We are now going to take a 10-minute recess. We will cut it a
little bit shorter than the 15 in the announced agenda.


Agenda Item: Panel VII – Consumer Advocates and Attitudes

DR. FRANCIS: We are going to reconvene these hearings. We are going to now
move on to panel seven. Panel seven is consumer advocates and attitudes. We
will start with Susannah Fox who is the associate director for Digital Strategy
at the Pew Research Center.

MS. FOX: Thank you very much and thank you for the invitation. Just a short
introduction about the Pew Research Center. We are a nonprofit, nonpartisan
research organization funded by the Pew Charitable Trusts. You have probably
heard of them if you listen to NPR. I like to say before I talk about the
Internet project the Pew Charitable Trusts is – the money comes from
19th-century Pennsylvania oil. This is not at all a technology
related foundation, but what they see is a need for data about the social
impact of the Internet.

We began our work in the year 2000 and at that time just 46 percent of
American adults had Internet access. Only 5 percent of homes had broadband or
high-speed access to the Internet and 25 percent of American adults at that
time looked online for health information.

The slide that you see now is our most recent survey data. It is from
December 2008. It is important to note that there is a cell phone component to
this survey so we had both landline and cell phone and also interviews were
conducted in either English or Spanish. So when you look at for example 58
percent of Hispanic adults are online, that is reflected in the entire Latino
population both Spanish dominant and English dominant.

We now find 74 percent of American adults go online. Fifty-five percent of
American households have broadband connections and sixty-one percent of adults
look online for health information.

Now what we have seen is this major growth in people going online and also a
growing interest in using the Internet as a source of health information. I
will be releasing a report on Thursday called the Social Life of Health
Information. It will be on – sorry, not today. It will be looking at the
relationship of Internet users to health information and we were very careful
to survey all adults on this issue not just Internet users because as we saw in
for example the South Carolina example the pilot. The seniors may or may not
have access themselves which you can see they are at the lower end of this
thermometer of access at 41 percent who have access to the Internet. But they
have children who are more likely to be at the upper end of the scale and there
is the idea of the seniors saying, help them help us. That is something to keep
in mind.

What is also important to keep in mind is that our understanding of what the
Internet is will change. Over the next few years as more people access it on
small screens and that’s why I brought up the slide that shows how many people
have a mobile phone. Now of course not all these phones have access to the
Internet, but it is increasingly an option. It is also increasingly true that
populations that are traditionally offline are more likely to have a fabulous
mobile phone and here I am talking about African American young men, Latino
young men, people with less than a high school degree who may not have jobs or
be interested in having a desktop computer in their home but they have a
fantastic Internet enabled mobile phone that they frankly use like a Swiss Army
knife. They use it for all kinds of things whereas most of us use our cell
phone like a spoon. We just use it to make calls, maybe we text message. But
there is a whole new world that is coming that creates a conversation around
information and this new report –- the reason why I called it the social
life of health information is that there is increasingly a conversation around

So I put up these slides to show you that you might be surprised about the
penetration of both Internet and cell phone as well as broadband because what
we are seeing again is that there is a change. There is a change afoot in that
more people are using the Internet to gather and share health information. The
primary relationship for most Americans is still with the health professional.
Their second source of health information is friends and family. In third place
when you ask Americans if they have a health question, where do they turn?

In third place it is actually a neck and neck race right now among all
adults between books, printed reference materials, and the Internet. Now of
course the Internet has taken over among most Internet users especially among
people age 18 to 29 and even going up to age 50. The Internet rivals friends
and family. The story there is more about social media. How people are able to
connect to each other online. So when we talk about Internet health information
sharing we are actually kind of talking about friends and family and even
health professionals who are starting to use these tools to connect to people.
This is especially true of people who have a mobile Internet connection.

At the Pew Research Center our mission is to provide data about what people are
actually doing online and we have trend data that goes back to the year 2000 because
we believe that any policy discussions are best informed by the facts on the
ground whether you approve of what people are doing online, whether you like
what they are doing or don’t like what they are doing, whether you wish it was
different. I would say that it is more important to understand what they are
doing and what they are doing is sharing. They are sharing a lot of
information. They are searching for information. They are making choices about
how to conduct their lives and conduct their healthcare in ways that intersect
with the spread of technology.

What I would say is plan for the future not just for today. You can look at
our trend data back to the year 2000 and project out. We try not to pretend
that we have a crystal ball but I can give you some ideas about what is coming.
One is that mobile access is on the rise. More people have a cell phone than
have an Internet connection as we see in those slides. Wireless Internet
connections are associated with deeper engagement in social media and also it
is important to see the generational changes that are coming. Adults between 18
and 49 are more likely than older adults to have Internet access, to be using
these social technologies related to health and healthcare. Whether we are
going to see it moving quickly because of the spread of mobile access or more
slowly through demographic change, change is coming. So the rules that you make
now will need to be in effect not just for the reality of today, but the
reality of 10 years from now.

I have more questions than answers. Some of my questions are what if
personal health records could be designed to be part of the naturally occurring
network that we see in this Pew Internet project data? What if personal health
records could take account of the primary relationship between a patient and
health professional but not make it an exclusive relationship? What if instead
of a health information exchange being one to one a personal health record
allowed it to be many to many in some cases? What if a personal health record
gave people access to what doctors and nurses and insurance companies see and
that is industrial strength information?

The Internet is creating an opportunity for consumers to have access to what
we call industrial strength information, not consumer strength, not what a
magazine might tell them or what might be on Good Morning America but the
actual medical journal article. They may not understand but a nursing student
could understand and taking into account the idea that healthcare is a social
activity and we are starting to see that online. By that I mean people are
sharing. So how can we set up a system that protects people’s privacy, makes it
secure, and allows for that kind of sharing?

DR. FRANCIS: Thank you. Our next speaker is e-Patient Dave.

MR. DEBRONKART: So I’m going to speak to you today from the perspective of
you a few years from now. I am somebody who went into that dark hole where the
world is ending and came back out and I have some opinions about what you need
once you get in there. I didn’t get into the patient game intentionally. It is
sort of like the way they asked JFK how did you become a war hero and he said
they sank my boat. I got a cancer diagnosis and I developed a point of view. I
also didn’t get into the game of having something to say about PHRs
intentionally but my style has always been to do everything I can to help my
own cause and once I emerged from my illness since I work with data in my day
job and I have always been an online guy, it was just natural for me to go to
the frontier.

This first slide that I have here, foundation principles. These are
principles that have just come into my consciousness, most of them in the last
few weeks literally because this is a hobby for me. It is not my job and the
advocacy that I’ve gotten involved in with the new Society for Participatory
Medicine and the e-patients.net blog has led me to this.

The first principle is patient is not a third person word. Every conference
I go to people talk about patients as if it is somebody who is not in the room.
Seriously and guess what? Your time will come. I am here to tell you you will
be standing by that hospital bed or you will be in it and you will face that
question that I face of what can we do? I want anything I can do. I remember my
grandfather decades ago saying to my uncle when he was on his deathbed. For
God’s sake, Jim, do something. I want us to think about this from that

I recently realized that there is a foundational right I think of a
desperate person to try to save themselves and the right to know what your
options are. I have found in working with my kidney cancer patient community
that too often patients are not informed of what all their options are and that
is a serious problem in my opinion. There is also the right I think to pick up
your data and go somewhere else as people from South Carolina mentioned also.

In his opening talk, Bob Coffield told a story of his own family history,
which showed that a pioneering spirit can run in family lines. In keeping with
that he also told about how Model T’s were just a precursor of what grew into
the interstate highway system. On my computer it just so happens that I have a
photo of my father in his Model T in Binghamton, New York 50 years ago. Now if
you know old cars you know this is not a normal Model T. This is a World War I
ambulance built on a Model T chassis and being a little eccentric and
pioneering he picked this oddball evolutionary off shoot and it was his friend
for a long time. Unfortunately he sold it shortly before I got my driver’s
license, which is too bad. Back then this was in the 1950s that car was only 45
years old which is the same as a ’64 Chevy today just to give you a sense of
perspective. The interstate highway system was just starting to be built. As
Bob said a lot can change in a few decades.

So, having a spirit similar to my dad’s, 14 weeks ago today I decided to take
a spin in my own Model T, which was Google Health PHR, and here is what happened.
As I guess many of you know the result was literally front-page news. My
hospital Beth Israel Deaconess is in Boston, which was created by John Halamka
and my physician Danny Sands, many years ago. Now has a button to push to move
your data into Google Health. I did that and really it was quick and easy, but
it was also cuckoo. What happened was cuckoo. The first thing I got was a
medication warning me about my blood pressure medication and a condition that I
had two years ago when I was being treated for cancer. Now this is a symptom of
a Model T version of a data connection. They haven’t worked out the kinks yet.
Great idea but not smoothed out. The next thing that happened that I saw was
that they had transmitted every condition I had ever had with no dates attached
to it as if everything was current. Now again is this a bad thing to do? No.
I’m headed there. I’m going to do this one way or another but there are kinks
to be ironed out.

The hospital sent some of my data but it was wrong. See this is a mistake
that is well known to data professionals. If you take data that is designed for
one use and interpret it with a different intent you get a train wreck. We also
found out that this was claims data. Now there are a number of problems. I have
since learned that a number of people have told me that their claims data is in
great shape. They don’t want us to block them from using their claims data, but
somebody with a sane head has got to look at it and say yes, yes, no, no.

One of the examples of an insufficient data model is there is no way in
claims data to say that you are just checking for something. So I got an MRI to
see if I had metastases in my brain. The answer was no but it went in as a
billing code of brain metastases and when that was interpreted as a condition
that I have the result was insanity. In fact one of the best most accurate hit
the nail on the head blog posts about my story was written by a web blog called
information quality train wrecks, data professionals who are experienced at
figuring out how plane crashes happen, how the Mars Rover went to the wrong
place, and all that sort of thing. So good idea but it is a Model T version of
the interface but should we outlaw cars. I think not.

Here’s the thing. I also want to acknowledge Halamka and Ronny Zeiger of
Google Health were both exemplary once this garbage was discovered in their
openness. They completely opened – Halamka sent us a total data dump of
all the claims data that they had transmitted. We found additional craziness. I
learned the hard way. There is something called upcoding which is like you
know you’ve got these key words in a medical incident and you can sell it to
the insurance company as one thing or you can sell it as something higher
priced. It reminds me exactly of in my supermarket. They now have a higher
priced product in the deli called extra delicious bologna. So you have
upcoding and then you also have – this is it baby.

MR. HOUSTON: But you bought it, right? Didn’t you?

MR. DEBRONKART: I’m not in the market for bologna and that’s quotable I
guess. There are also things in the fine print of this chart like on one day
when I was in having a treatment for metastases in my thighbone, they added in
a billing code for nonrheumatoid tricuspid valve disease. Nobody has been able
to figure out exactly why an orthopedist would be diagnosing a heart condition
and bone and cartilage disease when I was having a tumor in my tongue diagnosed
and so on.

My point is this is a good thing to do but frankly the IT grownups have not
yet shown up in this world. With credit card data if this kind of craziness was
in there, which was the case 20, 30 years ago, you would get in there.
Something crazy shows up on your credit card statement. There is a process for
sorting it out and there is a process for figuring out how it got in there in
the first place. That is sort of like a turbo equipped sports car with
anti-lock brakes and accident avoidant software. In healthcare though we still
got a Model T. But I completely agree with Bob Coffield. We are headed in the
right direction. The highway will be built. The infrastructure will be built
out and great things will happen.

My appeal. Please make meaningful use include giving us access to our own
medical records. It is only the beginning but it is a bold step in the right
direction. Thank you.

DR. FRANCIS: Thank you. Dr. Peel.

DR. PEEL: Hi. Sorry to be a little late. I have some slides if you want to
make it easier.

DR. FRANCIS: Just so you know we started a little bit late. You are in good
time. The weather has not cooperated.

DR. PEEL: Thank you so much for this chance to come and be here.

DR. FRANCIS: We will probably run a little bit late too.

DR. PEEL: It is so wonderful to have somebody who really understands
technology here. I am Deborah Peel. I am the founder and chair of Patient
Privacy Rights. It is nice to see some familiar faces. Hi, Harry. We really
appreciate this chance to talk with you today. Patient Privacy Rights is a
consumer advocacy organization and we are a health privacy watchdog and our
mission is to restore Americans’ control over their personal health
information. Just so you know we have 10,000 members in all 50 states and I
also lead the coalition for patient privacy which is a bipartisan organization
with over 50 organizations that are members representing 10 million Americans.
In 2006 our coalition was joined by Microsoft Corporation because they agreed
to adhere to the privacy principles developed by consumers namely we should
control our data. Basically the code of fair information practices. But
consumers need to control their data in order to have a trusted system.

This quote of course from Forester, I think brings us to where we are. We
are just at the beginning of being able to figure out how to do privacy.
Privacy of course as you know comes from Hippocrates. He figured out that the
only way the people will talk to doctors about sensitive conditions is if they
trust their doctors. That is even more true for me.

For those of you who I haven’t met yet I am a practicing psychiatrist and
psychoanalyst. I have been in practice for over 30 years, solo practice. The
analysts believe it or not study the conditions for the best communication
where we learn the most and are the most trusted. It turns out those conditions
are absolute privacy. Even in my office setup I have a separate entrance and
exit. I have double insulation in the walls. I don’t have a secretary. I am the
only person they have contact with. I really take privacy very seriously and I
learned it from my patients. I did not learn it in medical school where 25
little baby residents and interns and medical students follow people around and
all converge on somebody’s bed. It is horrifying.

When I went into practice about the first thing that happened was people
came and they said, I want to pay you cash if you will not send my records
anywhere. I’m like okay. No problem. I really learned this from my patients and
the reason that they asked me to do this – this is long before computers.
I’m pretty old. This is the late ‘70s when I went into practice and so
that we had a paper-based system but these were people who had already been
hurt because their records went somewhere they shouldn’t and it is mainly about
jobs. So if you fast forward the reason I ended up starting Patient Privacy
Rights was when we went electronic and the HIPAA privacy rule was first
implemented. We had a right of consent and then it was eliminated, part of the
sweeping deregulation of consumer protections across the Bush administration.
Anyway that right was eliminated and so it is really obvious if there are
problems with privacy and paper. You are not going to believe the problems that
you are going to have with electronic records.

Part of what I am here to say is we have existing solutions for PHRs that
patients want to keep them private. First of all you all probably recognize and
know that NCVHS actually has tried to get the Department of Health and Human
Services to adopt its definition of privacy for two to three years. We strongly
urge you. Go with this. This is a good definition. This is the standard
definition and it is about rights of control.

The reason that we need control and the reason that we need privacy is
people don’t get treatment. Again these are HHS figures. About 600,000 people
refuse to get early diagnosis or treatment for cancer because they don’t think
it will be private, another 2 million per year mental illness. Millions of
kids, I got two of them, I know. I don’t think they are fooling around but they
could be. But they are afraid to seek treatment, again, because they don’t
think it will be private.

You all have seen these famous statistics that are getting quite old now
from the California Healthcare Foundation about the things that people do
because they don’t think that their records are going to remain private. They
don’t see their doctors. They ask them to change the diagnosis, pay out of
pocket like me. I was just reading statistics the other day. Medicine really is
a cottage industry for the most part. It really is a two-person deal. Forty
percent of medical practices are one, two, or three physicians still. We really
hear about the trust factor at that level.

From a more conservative organization and again in my area the Rand
Corporation found that there is 150,000 Iraqi vets with PTSD that don’t get
treatment because in the military it is absolutely not private. It is not
private by design. Today and you have seen stories about this again recently.
Just last week we have the highest rate of suicide among active duty military
personnel in 30 years because the treatment isn’t private.

I am basically here to tell you that the lack of privacy kills. It probably
kills more people than medical errors. We don’t get quality. Again, this is an
HHS quote. An assurance of privacy is necessary to secure effective quality
healthcare. But these are the consequences. Without privacy you get more cost.
You get people that suffer and die and we get bad data. Back to Dave. There is
a lot of bad data in these complex systems.

These are the solutions that we are suggesting. There is a group and I have
some slides about this called the National, I can’t remember acronyms, the
National Infrastructure Improvement Consortium. How about that? Okay this is a
group that have developed open source consent management tools that could
easily be applied to PHRs. We believe absolutely patients should control all of
their health information and PHRs, but of course everywhere. If you only
control your records in one place but the minute they go to this other person
she can send them everywhere on earth. You don’t have privacy. We’ve got to
have control.

Then what we are suggesting is there is a model that we already have in
federal statute. I can’t believe I didn’t catch that error. Forty-two CFR part
2, not forty-three. Sorry people. That is the famous law that requires consent
before information about addiction treatment is released. Why don’t we use
that? It works.

We’ve got this electronic consent module. We believe electronic consents are
the way to go. They are much more detailed. They can be broad. They can be
limited than simple blanket consents translated to electronic records. I want
to show you just real quick how fabulous this particular consent model is. It
has been in use for nine years. It is in 22 regions, 8 states, 3 more states are going
to implement this and they have 4 million patient records. The proof of this is
it facilitates consumer trust. It enables health information exchange and the
data gets where it needs to get under the patient’s control.

These are some of the data fields. You know the usual stuff. But look at the
level of screening. This is the level at which you can segment or hold back
what goes back. Everything from particular assessments, general to substance
abuse to legal to psychiatric to you can get diagnostic impression, clinician
assessments, the usual things, lab results, treatment plans, admission reports,
procedure and progress notes. This is what the patient can decide who it goes
to. I didn’t even count up how many of these data fields these are, but you see
the difference between this and the typical blanket coerced illegal consent
that we get to release everything for a year or more. There is more. Progress
notes, medication, discharge summary, follow up, compliance, a prognosis,
referral information and so forth. All of this shows up on a screen for the
patient to click. Yes, no, yes no. It’s all been – I don’t know. The
technology guys. Maybe Dave knows. The back end does it so it looks just like
anything else you click off on a computer screen.

More. I guess there must be 30 or 50 of these. I don’t know what all these
things are but these are all things that people can decide whether to release
or not. Then they get the signatures of course. With the correct 42 CFR part 2
but it explains what the consent is. Also the other reason that we love 42 CFR
part 2 is a condition of that law is that if I send my information to Bob
Gellman, Bob can’t do anything else with it. He can’t send it to anybody else
without my consent so there is an absolute prohibition against redisclosure of
data and it works fine. All of these people with serious conditions this works
fine. I am excited about this particular consent model because it really gives
us a sense of what should be and what could be for PHRs and for all data and it
should be under our control.

This is what happened to consent for those of you that don’t know. In 2001
we had for the first time a federal right of consent before any information was
used for treatment, payment or healthcare operations. In 2002 it was completely
replaced and all of the providers, 4 million of them, were given a new right to
determine when they wanted to use our data and they can do it whether we
refused over objections whatever. Privacy was completely eliminated in 2002
making it much easier for the data miners.

This is the result. Some of you have seen this slide. I know you are not
supposed to show slides like this because there is too much, but the idea is to
show all of these people according to HIPAA are inside the fence and could use
your data without your knowledge or consent endlessly.

First there is the covered entities who can then share your information with
business associates and then hopefully we have the Gramm-Leach-Bliley Financial
Services Act which allows banks, financial institutions, their affiliates, and
their non-affiliates to use and disclose medical records in the same way that
they share credit reports. It doesn’t say they will delete them. It says they
get to use them.

Then on top of that of course we have the problems with security and that’s
where the little black hat guys are meant to be the hackers and the thieves
outside the system, but we are not going to have a trusted system until there
is a couple less than 4 million people that can see your records.

That’s what we are here to talk about is how we can do this and I only
learned about this open source consent tool earlier this year. It is not
getting any publicity in the trade journals that I know of or the mainstream
media and all we hear from the health IT industry is oh my God electronic
consent is an obstacle. We can’t do it. It will block the flow of information.
But this system that has been in use now for nine years clearly shows it is
cheap. It is easy. It can be detailed. It can be very accurate and it
facilitates the flow of this extremely sensitive and personal data. Thank you
so much.

DR. FRANCIS: Thank you. Our next speaker is Deven McGraw.

DR. MCGRAW: Thank you very much. Deven McGraw I’m the Director of the Health
Privacy Project at the Center for Democracy and Technology. We are a
non-profit, public interest organization. I would say here in Washington but I
will say down the road in Washington, DC. We advocate for public policies that
promote privacy and security as personal health information is stored and
shared increasingly electronically and online. Obviously one of the latest
innovations in this space is the personal health record or the PHR. They really
hold significant potential for individuals to become more engaged in their own
healthcare and for data that isn’t even typically in the healthcare system to
end up in the healthcare system. Things like pain thresholds for activities of
daily living and nutrition and exercise logs and medication side effects as the
patient experiences them versus what is on the FDA approved disclosure list.

I think we all agree or we wouldn’t be here that there is tremendous
potential in these tools but as Dr. Peel just testified and I think all of us
know intrinsically people are not going to use these tools if they don’t trust
that the information will be protected by privacy and security safeguards. This
intuition and sense is really backed up by recent survey data from the Markle
Foundation, which I imagine that they shared with you when they testified back
in May, but the basic conclusion is that it shows great enthusiasm for PHRs
notwithstanding their relatively low uptake to date, but a high level of
concern about the privacy of the information in those records.

To build public trust in PHRs we need a privacy and security framework. I
sometimes feel like a broken record on this one but we need it here just like
we need it for sharing of data within the healthcare system. But in this case
it really needs to target the risk to consumers who are using these tools and
it really needs to be flexible enough to allow for the innovation that is
occurring in this space to meet the wide array of consumer needs. We don’t have
to start from scratch here. You guys have done some terrific work on this issue
already back in 2006 and more recently in 2008 the Markle Foundation did their
common framework for network health information which outlines privacy and
security policies for PHR and it was developed and endorsed by a really diverse
set of stakeholders including the major companies who offered these tools,
HIPAA covered entities who offered these tools and consumer organizations. It
is not entirely consistent with the recommendations that NCVHS put out several
years ago but there are definitely some similarities there. Since I know you
heard from Markle about that common framework, we won’t go into the details
about it.

But I do want to focus on a couple of critical points. Among the policies
that are endorsed in the framework is that individuals one should have a choice
of whether or not they open a PHR. Nobody should be forced to have one and the
second is that they should choose whom they access or exchange information into
or out of that account. That policy is expressed in the framework and was
endorsed by the people who signed it. This foundational principle is actually
reflected in the definition of the personal health record, which was just in
the economic stimulus legislation, which is electronic record of information on
an individual that is managed, shared, and controlled by or primarily for the

We think that at the core of this framework and that definition that is in
the statute is this belief that PHRs should be governed by a consistent and
meaningful set of privacy and security policies regardless of which entity is
offering them. It could be really confusing and potentially harmful to
consumers to have different protections and rules for PHRs depending on the
legal status or the business model of the entity that offers it. The potential
for harm is magnified if the policies governing PHRs do not consistently
support this consumer control, which is foundational to the concept of a PHR,
and we believe embedded in the definition at least in the economic recovery

Unfortunately we do not have this consistent regulatory framework in place
today and quite frankly after the economic stimulus legislation it is a little
bit of a challenge to get there. We know that when a PHR is offered by a
covered entity or a business associate acting on its behalf, they are covered by
HIPAA and those that are not offered by a covered entity or business associate are
not. Those entities that are not covered by HIPAA are potentially subject.
Potentially subject I say because not all business forms are subject to
regulation under the FTC Act but those that are would have to comply with
unfair and deceptive trade practices, which means if they have a privacy policy
they have to abide by what they promise to do. But there certainly isn’t any
requirement that they produce one or that it meets certain elements and we know
from a study that was commissioned by the Department of Health and Human
Services in 2007 that the privacy policies of PHR vendors at that time were
seriously deficient in terms of whether they met the basics of what is
typically in one of these privacy policies.

Many people have argued that the solution to this is to just extend HIPAA to
PHR vendors. You either make them covered entities or you make them business
associates and the economic stimulus legislation took either a partial or a
full step toward that depending on whether you read the legislation narrowly or
you read it more broadly. We are concerned about this because we think the
privacy rule in its current form does not provide strong protections for
consumers using PHR. It was designed to regulate the sharing of information
among doctors, hospitals, health plans, these things called healthcare
clearinghouse that I still don’t understand what they are, but nevertheless it
is sharing among entities in the traditional healthcare system.

So as a result, personal health information is permitted to flow without
consent for treatment payment and healthcare operations. There are only weak
protections against the use of personal health information for marketing
purposes because we need it to shape the definition of marketing in a way that
would permit certain health-related communications to be sent by hospitals and
doctors to their patients or health plans to their enrollees.

There are pretty weak protections against law enforcement access as well as
more permissive sharing of data for public health and for research again
because it was designed to regulate how a healthcare system entity uses data.
So like it or love it that was the approach of HIPAA. In our view if you take
HIPAA as it is today and stick it on to PHRs, you have really provided
inadequate privacy protection for patients and really of particular concern are
the marketing and commercial uses of data because the business model that
supports these PHRs they are largely free even the ones offered by Internet
companies. So it is really advertising revenue and partnerships with
third-party entities who are going to offer their product and services to PHR
holders and who thereby also need to be covered by those protections as well
because that data will float downstream. I think that is both a good thing and
something of concern.

Some have suggested that maybe I shouldn’t run around saying HIPAA is the
wrong rule and I’m looking at Sue as I am saying this. Why don’t we just create
unique HIPAA rules that match these entities and we are not necessarily opposed
to that but they need to be unique rules that target the risk that consumers
face and ideally are consistent regardless of who offers the PHR and who also
allow consumers to have greater control of this data than is the case in the
traditional healthcare system.

Now Congress really opened the door to the consideration of what would be
privacy and security protections that should be on PHRs and while the study is
by the words of the legislation supposed to be about PHRs not regulated by
HIPAA, we certainly would want to kick the door that Congress opened wider and
hope that the agencies that are making those recommendations HHS and the FTC
think about creating some consistent policies for PHRs. Again, Markle framework
provides helpful guidance but as is customary for Markle they put some helpful
policies out there but the next step in our view and CDT’s view is which of
these should be put in regulation. So we actually held a workshop about a month
ago where we brought together a number of stakeholders to start teasing out
what belongs in regulation trying to figure this is not necessarily easy to do
because on the one hand you want to have greater consumer control of these
products on the other hand acknowledging that there are some weaknesses to over
reliance on consent if all we do is say we will just throw everything to
consumers to decide whether or not this is an appropriate use of data. I’m not
sure that gets us very far from a privacy protection standpoint, but at the
same time you have – when it is a product that is for the consumer to use
telling people that they can’t share their data for a particular purpose is
just – it’s very paternalistic which is also a place where I don’t think
we ought to go. There are challenges here but they are obviously not

We are going to put out a paper later this summer where we kind of flesh out
in a little more detail what we would look for in a regulatory framework
whether that is done by HHS as part of HIPAA, whether it is done by the Federal
Trade Commission, whether there is some sort of combination of agency action
here which actually could be quite ideal given the FTC’s long history of
dealing with how to protect consumers using the Internet. That actually in our
standpoint could be more ideal.

I will stop there. My written statement has a lot more detail and I will
answer any question that you have when we are done with the panel.

DR. FRANCIS: Thanks. Our final speaker is Bob Gellman.

DR. GELLMAN: Thank you. I did a paper last year on PHRs and privacy. You’ve
got it. I’m not going to restate the points here. Basically in one sentence
putting your health records in a PHR exposes the records to greater privacy
risk than if you don’t period. There’s no question about it. Whether the
benefits of PHRs outweigh the risk is an individual decision. Some people will
say yes. Some will say no.

I want to make three points today. The first point is there was a uniform
response to the paper. The paper raised a whole bunch of issues, privilege,
leakage, subpoenas, all the threats to privacy that arise uniquely from PHRs,
and basically no one wanted to talk about any of that. The only thing they had
to say was you mean PHRs aren’t covered by HIPAA and even seasoned healthcare
people, reporters were confused by that. The only people that knew it were the
HIPAA experts. Maya says yes, we knew that. Most people did not know that. I
think that there is a tremendous confusion here and the confusion will remain
until there is a law or regulation that deals with PHR records.

It is not a unique problem as this committee knows. There are plenty of
other repositories of health information that are not subject to HIPAA: life
and casualty insurers, banks, credit bureaus, credit card companies, some
health researchers, the National Institutes of Health. It’s an abomination that
HHS put out a health privacy rule and did not include the National Institutes
of Health in that rule. It would take five words to fix that problem. In any
event PHRs need to be subject to a privacy law. I agree with Deven that the
HIPAA rule is not the right rule for PHRs. PHR privacy rule needs to be much
stricter than HIPAA. HIPAA needs to be much stricter than HIPAA but that’s
another topic.

My second point. The biggest threat in this area and not the only one
– the biggest threat in this area comes from commercial advertising
supported PHRs. They are essentially devices to transfer health data out of an
environment where they have some legal protections and to put those records in
the hands of marketers and data profilers where they have no legal protections
and where they have the highest possible commercial value. This will only get
worse. There are many more companies in this space than can possibly survive
and so what we are going to have is a race to the bottom and the bottom of
commercial advertising supported PHRs will be very ugly.

I am actually somewhat less worried on this score about plans that are run
by employers or PHRs are run by employers or health plans because those
sponsors do not have an interest in having advertising that will increase their
costs. My other concerns about PHRs remain, but PHRs, commercial advertising
supported PHRs will eviscerate the privacy interests of patients and their
relatives and they will also raise healthcare costs in a way that no one has

My third point has to do with consent. Consent is not a way to control
privacy interests in PHRs. That’s what the industry wants. They want to have
consent. Why? Websites know how to wheedle consent from consumers. They do it
with confusing opt outs. They do it with pre-checked boxes. They do it with
unreadable terms of service. They do it with policies that are changeable at
will. They do it with behavioral targeting, with advertising that sneakily
transfers health information to marketers. They do it with search engines that
record search requests and use it to build consumer profiles that are subject
to no law. They do it with contests. Click here to enter a contest for a one in
a million chance to win a t-shirt and buried in the terms are a consent to turn
your PHR records over to a marketer. That is not too fanciful an example. If it is
not there today, it will come because that is the way to get consent from
consumers. They don’t know what they are consenting to and they will check any
box. They will click on anything. They will not read the terms. That is one

Consumers really don’t stand a chance in this area without help. The right
solution in my view is to place PHRs under the same fiduciary obligations that
physicians have. They have to act. They should be required to act in the best
interest of patients and that means that certain things are simply not offered
to patients. Physicians don’t sell patient records to marketers and we didn’t
need a HIPAA rule to come along to tell physicians not to do that. There are
other people in the healthcare industry that will do so. That is why we need
those kinds of restrictions. I think it is interesting that Congress just
strengthened restrictions on marketing. Exactly what that will mean we will wait
and see. Someone will tell us more. We need some kind of very specific, very
similar rule and come from somewhere controlling PHRs. PHRs must be forced to
act in the best interest of patients and not in the best interest of the
shareholders of PHR vendors. Thank you.

DR. FRANCIS: Thank you. John and then we will go that way and then come

MR. HOUSTON: Very interesting testimony. I guess I would direct my first
comment to Dr. Peel, and then probably a couple of people will want to add some
input as well. I am going to preface my comments by saying that I recognize
very clearly that patients’ rights over PHRs and EHRs need to differ. Well,
from my perspective they do. PHRs are, in my mind, largely within the
domain of the patient and such. I guess I hear the other side and I am very
directly involved in this where I work. There is a very strong physician
contingent that believes that in the best interest of patient care that they
need to have very high access to a lot of information in order to do their jobs

Mind you a lot of this is on the in patient side but being at an institution
that has a very large psychiatric facility and many psychiatric programs I get
a lot of push back from our physician communities who say, hey listen. I need to
see what medications a patient is on. I need to see especially certain types of
tests that have been done in the past and the results. I need to see a lot of
information because when I don’t if I have to rely in all cases on a patient, I
don’t get the information I need and I make bad decisions. I am seeing a lot of
data and then I am missing data and I don’t know what I don’t see. That is what
I hear. It is a dilemma because I can understand their perspective. I want them
to make good informed decisions.

What I hear from you is that that should all be within the patient’s purview
and the concern I guess I get is that if you give the patient the entire right
to decide how they want to paint their medical record. It can be a very skewed
record and they very well might decide to inappropriately leave out information
that is of absolute critical importance to a physician in making clinical
decisions. I would just like your input on that.

DR. PEEL: Well, we are actually on the same side. Patients always are very
selective in what they tell to whom. I am a patient and I am a practicing
physician and as you know my patients literally tell me I don’t want you to
talk to my internist, my orthopedist, my allergist. I don’t want any of this
information to go anywhere. Patients that come to see me may be more selective
or more careful about where they parse out their information, but if you think
about it we all do. When I go in to see an OB/GYN I’m not going to necessarily
tell them about my broken ankle the other week, but we always give selective
information to different physicians and it depends on many things, but the main
thing is trust. The truth is there is no obstacle to the physicians in your
hospital getting everything if they ask. We are only saying that people should
be asked, and people, if they trust you and particularly in emergencies, are very
likely to give you whatever they want, but there are many problems with all
physicians having all access to all data. The main problem is like I was
telling about from these statistics is people just won’t get help if they think
their information is going to go places that they don’t want it to go. That is
the big problem. This system is incredibly leaky. It can be either humiliating
or embarrassing or really affect jobs.

I really started Patient Privacy Rights because of jobs. People don’t get
jobs. The idea that EHRs and PHRs and whoever has your information they should
all have different rules is really wrong. Sensitive health information needs to
be under your control wherever it is. The protections need to follow the data
and that is a particular reason why I was pointing out what happens with
alcohol and drug treatment information. The protections do follow that data and
the electronic exchange works fine. The treatment works fine. The claims get
paid. Everything works fine with consent and no redisclosure.

MR. HOUSTON: Two examples that I would have that I think are meaningful. I
hear the stories about drug diversion and people going to different physicians
and prescriptions for OxyContin and whatever else and they are addicts or they
are reselling. That is one issue when you eliminate data.

DR. PEEL: That is a small issue.

MR. HOUSTON: It's a pretty big issue --

DR. PEEL: Actually, I don’t believe it. I practice in the mental health
field. I do not think that the major source of drug abuse in this country is
doctor shopping and reselling of drugs.

MR. HOUSTON: It’s growing.

DR. PEEL: There is some of that that goes on, but the other thing is should
everyone’s privacy and the use of those drugs be restricted because a few bad
apples are doing something wrong. What happens in the states, Texas is one of
them, where you have these onerous reporting laws where every controlled
substance prescription is reported to the Texas controlled substances. It looks
like police. Triplicate prescription. I get to have one. The pharmacist gets to
have one and law enforcement gets to have another. Guess what that does? It
makes the doctor and the patient feel like criminals and so you actually get
fewer legitimate people having access to these medicines when you criminalize
the process and you have them in databases. I know we are getting a little off
track here.

MR. HOUSTON: I think it is important. I think that the issue is that I think
you hit the nail on the head. If people are concerned about stigma and losing
jobs and societal stigma, isn’t limiting the data really the surrogate for
trying to do what is right in my mind which is ensuring that inappropriate use
of data is appropriately disciplined so that people have some other additive
incentives to be only using the data for the right purposes.

DR. PEEL: I see what you are saying. Criminalize and penalize the people
that misuse the data that are doing the wrong things with it. The problem is we
have a system with millions. Millions of entities have access and they have
millions of employees and it is going to be really hard to police all those
people. So the only way to really protect your data is if you control it.
Again, I think we do need more penalties. We have not made it a crime to
re-identify data. All of these promises that your data is anonymized or
de-identified are most likely not true because none of these entities will
actually release the algorithms that prove they can do that.

We are really looking forward to Latanya Sweeney being on one of the two
national committees because her expertise is all about proving how easy it is
to re-identify health records. Again, if you think about it, it would be a
little like leaving the doors to the bank vault open and letting any one go in
and saying well if we catch you with any money we are going to penalize you.
But when the vault is open and there is this tremendous temptation, what do
they call that in law attractive nuisance or something like that. It is just
too attractive. People are going to go in and do it.

We think that we ought to control our information up front and that was
Hippocrates' genius and then we know it gets where we want it when we want it at
the right time in the emergency rooms. By the way I have been a supervisor of
an emergency room too. A lot of those people don’t necessarily want to talk to
patients very long because they are kind of busy, but that doesn’t mean that
they should be able to just take information. You can at least say hello. Okay
Deven there might be some other things. Maybe you are taking something you
don’t realize or there is something in your past that might affect what is
going on with you now. May I see the rest of your records? Deven would probably
say yes and there they are instantaneously. It is not like consent is some big
obstacle in those situations. As a patient and a physician it is a matter of
respect. It is how you treat somebody.

MR. REYNOLDS: A great panel. Twenty-four hours from now I will know what my question
should have been, but because you guys have really come through it. We started
with we need to make sure there is a good quality of information and it comes
out then we went to well there are lots of ways to give people information that
we haven’t even thought of yet and they are just coming in. Then we talked
about how to do consent. Then we talked about some legislation with the last
two of you.

Some words that we also deal with on – one thing about being on NCVHS
you get to look at the whole picture all the time. Medical homes. More and more
people trying to help people do better with their illnesses whether it is
disease management, whether it is sending them reminders on their cell phone
that they are not doing this, they are not doing that. As an implementer, which
I do at home, I sit and listen to all of this and so when we get the pragmatic,
Dr. Peel as you mentioned the 50 questions, but as we have heard whether or not
the public will understand those questions, whether or not everything John
mentioned and so on. As we are driving towards health information exchanges, we
are driving towards a medical home. We are driving towards better health, which
we are all driving towards, but yet we have all these capabilities that are
there. We have more and more capabilities coming on to talk to people. For a
second step away from just privacy, which you clearly stated and remember we
have done a lot of work as a committee on. We get it. How does it all work
together? I liked your idea where the adults maybe haven’t shown up in all this
yet, but the best way to do it is somebody has got to help define what the
adults or whoever should be thinking about in a pragmatic way so that all the
words I just said all the way from medical on to privacy work because if one or
the other wins, we are not where we want to be solely if you make it too
prohibitive. I’m asking that as a question. So how do we get all these things
and do it in a pragmatic way?

DR. FRANCIS: Answer in 10 seconds or less.

MR. GELLMAN: Let me try and deal with that. I think that is the right
question. You don’t have to wait 24 hours for that one. The problem here
-- I have been dealing with health privacy for 30 years. I worked on
Capitol Hill and tried to do health privacy legislation from there. It is not a
one-dimensional issue and that is exactly what you are saying. It is a
multi-dimensional issue and privacy needs to be respected and protected and
whatever and I’m all for that, but all of the other interests need to be
accommodated as well. There are fiscal controls that are important. There is
research. There is public health. There are a lot of dimensions here. The only
thing I can say in terms of how do you deal with all of those is that you have
to deal with them all and that you have to recognize that and you have to find
the tradeoffs and you have to say that there are real tradeoffs and you have to
make really hard decisions because there is no way that you can come up with a
system that is going to give you a hundred percent on every scale that exists.
I don’t know that we have had enough of that in the general debate. I am not
talking about this committee, but just in general there is a lot of
cheerleading for various kinds of solutions. You have the end where you want to
talk about the PHRs. You have the industry out there cheerleading for PHRs
because a lot of them want to make money. That is another scale that may not be
the primary one in this context, but it is there and it has to be recognized
but maybe they can’t make all the money in a particular way because it
conflicts with something else. There is just no way to deal with this other
than to be adults about it to recognize, to put all the issues on the table, to
put all the trade offs on the table and not to say there is one scale. As much
as I have worked on health privacy to say that needs to rule everything else
because we are not going to get to a solution that works politically or
realistically if that’s what we do.

DR. MCGRAW: I just want to add to Bob's comments. I do think we are starting
and maybe I’m just dreaming, but I feel like we are evolving to a better place
where we talk about privacy issues not in a vacuum, not in a separate
subcommittee. Not that it is bad to have a subcommittee, but dealing with them
in the context in which they arise so that the solution both empowers the data
sharing that you want to promote because it is for a good purpose but you have
also considered what the privacy risks are within that context and you have the
rules that enable both the value that you want to get from the data as well as
the privacy protections that you know you are going to have to put in place in
order for people to trust the system and for this all not to blow up in our
faces because there are a million balls in the air right now.

I think this is where we are going to be for the next couple of years as the
money starts to flow out the door, under what conditions is that going to
happen, what types of data sharing is going to be propelled by the definition
of meaningful use, for example, and with those decisions come some critical
privacy and security questions that need to be evaluated both in the context of
where we are with current law but what policies we may need to build on top of
that or where current law may need to be changed. The key is to have these
discussions in that context as opposed to divorced from the context in which
they arise so that the solutions that we come up with do not then hamper in
fact what it is that we want to do with the data that is both good for the
patient and/or generates a public good.

DR. FRANCIS: Could I ask a specific sort of follow up of that? One of the
ways that PHRs are likely to be used is that you enter in data that indicates
that you have a particular kind of medical problem say hypertension or diabetes
and then you get invited to click out to another site that gives you
educational information. Now the reason I wanted to use this as a follow up is
that is great because you get education. On the other hand you have left the
womb of the personal health record and you may now be out in the context in
which you inadvertently reveal information that could then be used in a
marketing -- that's the bleed, the information bleed problem. I just
wonder if any of you have any comments about how that ought to be handled. I
sense a tension about whether consumer consent is an adequate or even a
possible way to handle that problem. I think Mr. Gellman you might have been
more on the not that we need a stiffer regulatory framework. That’s a specific

DR. PEEL: You all might not know this but when Microsoft was developing
HealthVault, because they had signed on to our very tough consumer privacy
principles and control, they built it out that way. So one of the things that
they have on their site is they imported a search function where search is
safe. In other words, all of the search information is inside HealthVault and
so if you are looking for something scary. Let’s say you think you have cancer
or you think that your child might have a problem with something scary. You
know depression or schizophrenia. If you look up that information inside the
search function nobody outside knows about that. There are no, if you will,
footprints all over the web. That is one thing that they did was they made
searches safe. The public really doesn’t understand they are searching for
information on all of these health sites that are not bound by ethics or law to
put the patient first like physicians are as Bob pointed out. They will do
whatever they want with your information. That is one thing they did in

The other thing they did was they required by contract that all advertisers
if you leave the site to go buy a book on diabetes at Amazon by contract Amazon
cannot use the information that John, you bought a book on diabetes in any way,
in any form they can't -- in other words use the information only for the
purpose of selling you the book and nothing else. I know this is the situation
with HealthVault and that is a pretty simple solution. It is kind of a code of
fair information practices thing. Whoever gets the data for one use can’t do
anything else with it unless they come back and get your consent. There are
solutions even about the advertising thing. That is a pretty simple one.

By contract anyone that wants to advertise on HealthVault first of all they
warn people when they are leaving like yes you are getting out of the womb. Big
buttons so that you know that and they put out the privacy policies may be
different but contractually to be able to advertise there the advertisers agree
not to reuse the data. There are some ways that this could be done. I don’t
know if other companies are doing that or other websites, but there are ways
that this could be solved.

I just got to go back a little bit. It seems like everyone feels like we
think everything is about privacy and here is why it is foundational. People
literally won’t come in the office and give you the data. In terms of all the
good uses whether it is research or any other good use all of these companies
many of them are for profit corporations. They may be doing something good and
they may not. The ethics for researchers always require consent before the use
of data. It is in treaties following World War II. You can't do things
with people and their health information without their consent.

Alan Westin for the Institute of Medicine did a survey specifically about
how the public felt about research use of data. Guess what the percentage was
of people who would agree to let researchers use their data unfettered access,
the public? One percent. Only one percent. The public is very interested in
research but they just want to be asked. They want to know. The people that are
the most sensitive about having their data taken are minorities, vulnerable
populations, and people with chronic illnesses who know that their data gets
lost. The public is very supportive of good uses and there is really no reason
particularly with electronic consent being so easy to not go ahead and get it.

The other thing about electronic technology is like you can see from that
-- and even that's a model for that consent form. Consent forms could be
far broader than that, far more detailed than that. According to law and our
rights we as individuals each get to decide what we want to share. Somebody
might want to give away the ship and other people might be paranoid and not
want to say much of anything. The point is we don’t need with technology to do
one size fits all anymore and that is why I wanted you to literally see how
things can be segmented. There might be somebody that wants all that
information to go to a researcher and there might be somebody who is thinking.
No, you know. What if the researcher's laptop gets lost and then my kids can't
get a job. We all have different assessments of risks and we all should be able to
make different choices and that is what smart technology would allow.

DR. FRANCIS: Other comments? Paul or Sallie?

DR. TANG: I just want to thank the panel for really doing an excellent job.
I think many years ago now this group said that the best way to protect the
information is to have the protection follow the data and I think a lot of you
have said precisely that and articulated all the reasons why that should be

One of the other things I heard well articulated was the fact that HIPAA was
written clearly before the Model T to use that analogy, but also before the
interstate and all of a sudden we are building the national interstate for
electronic information and we don’t have the rules. The recovery act does have
the study that Deven alluded to that is coming up in six months now almost. We
really should think about rules and potentially legislation that specifically
covers this new group of users who are really entitled to this information that
can make use of the information for their health and well being. That may be
something we need to focus in on especially with the study that is called by.

MR. GELLMAN: Can I respond a little bit? You talked about having protections
follow the data. One of the problems that we face in the United States, as
opposed to many other countries in the world, is that we don't have a general privacy
law that applies to everybody so when data goes out from under HIPAA it either
falls under the bailiwick of another privacy law or more likely it falls under
no privacy law at all.

This committee and no one else that I can think of, is going to solve that
problem and create some kind of a general privacy law that is going to deal
with that so we have to accept what we have, but it’s a killing problem because
information necessarily moves from here to there and it falls into and out of
the jurisdiction of various players and various laws and it is an impossible
situation. Unfortunately there is nothing to do about it except recognize it to
some extent and the notion of having protections follow data with data going to
all of these different institutions. I think the alcohol and drug abuse rules
are a good example. They are impossible for anyone who is not a substance abuse
clinic to really deal with.

If you are not prepared to accept that data and understand what the rules
are and in my very limited experience in providing some advice to some of them
in a different context of privacy a lot of them don’t know what the rules are
themselves. There is a real problem with the rules. They are very complicated.
They are very hard. It is the best set of privacy rules that you can find
anywhere, but they are impossible to administer. Well, that’s too strong. They
are very difficult to administer and they are very difficult and probably
impossible for a third party to administer to get a bunch of data with a note
on it that says these are subject to all these rules. No one knows what to do
with those. You’ve got to find a way to deal with things that reflect the real
world because people who are given a set of totally unreasonable and impossible
to follow rules will ignore them.

I can cite you a whole bunch of privacy laws that have worked that way
including laws that apply to the federal government that they just can’t deal
with and so they just ignore them and nothing happens.

DR. TANG: I think I agree with you. It was a while ago. That is what gives
me some angst about basing it on consent because I am very nervous. Chris
mentioned this earlier. There are a lot of people that are offered to have you
sign or click on this consent before you even know what the product itself is and
what is going to happen to your data.

DR. PEEL: Those are illegal. Informed consent you have to know what it
really means. Most of the consents that are out there today are not legal and
they are not ethical. Consumers and others are going to band together and
probably sue these people that bury them in terms of agreement and so on. Those
are not legal consents. We are accustomed to these things that are awful like
you are talking about.

DR. TANG: But it takes quite a bit of effort to get informed consent as we
do in research. I don’t know how you are going to do that on the web. I almost
look at it when the context that made me think about this again is the
practicality. How can we protect folks when it is such a complicated issue and
it is so hard to understand no matter how hard you try? It just seems like
there should be some things that aren’t allowed. That is the “having the
protection follow the data” or supersede data. Well, your example and you
used an example of HealthVault. Even if you applied all those things, it seems
like you have essentially asked them to sign this sight unseen basically because
they are predicting all the third parties that are going to be out there and
what they will or will not do as part of this “free service” because
there aren’t many free services that last very long.

MR. GELLMAN: One of the answers here and you have to recognize this is you
can't protect people against themselves. People are going to click on boxes.
People are going to give consent to things. You have no idea what you have
consented to for a lot of things that you have done and you are a smart
competent person and you are not ill. You are not waiting for treatment. You
are not in pain. There is just a limit to what you can do and you can’t expect
a privacy regime to protect everybody a hundred percent of the time. It’s the
old you can solve 80 percent of the problem easily and the last 20 percent will
kill you. That is what you are faced with here. There is a limit to what you can get
out of any system no matter what it is and no matter what your intention is.

DR. PEEL: Well Paul, I would say that clearly consent, even that one that I
showed, is going to take a lot of education. For example, we can
picture interactive modules that say that if you make this choice this would be
the implication. There are some other companies; for example, Private Access
offers all levels of segmentation and holding back certain data in regard to
being able potentially to offer yourself to be in a research project. They
have a number of teaching tools so there is going to be teaching tools, for
example, they will have four different people who filled out their consents
about which information for them, about them, or their child they want to go to
researchers to try to further the study of a particular genetic condition. They
have someone who explains why their choices were very strict and someone who
they know in their genetic defect community who is very private about it and
they explain their choices. Yes, there is going to be tremendous amount of
education about these kinds of tools where you know the implication of what
they mean. Yes, the industry is all saying we can’t do it. The reason is they
don’t want to do it. They don’t want to have to ask and it isn’t just PHRs,
Bob, that are making money with data and doing things with data. It has been
EHRs. It has been websites. It is the whole thing. There is going to have to be
tremendous education.

DR. FRANCIS: I know Sallie has a question and I think also Sarah.

MR. DEBRONKART: I want to make sure that we don’t overlook a different
aspect of this. My own personal feeling for people who read my original blog
post on this whole subject is that when Google Health first came out, what I
posted about it was actually a slam on their don't be evil slogan. I
said don’t be stupid. I didn’t trust Google with my data any farther than I
could throw them. I saw how they caved into the government of China. I saw what
happened when a CNET reporter googled Eric Schmidt, the CEO of Google, and
published what she found about him in 30 minutes. He went ape. He cut them off
for a year from any interviews with Google personnel.

I am I think no fool when it comes to privacy concerns and I also had an
episode a long time ago where something I said during an interview became sort
of the lead of the article that appeared in the magazine and was used against
me for a long time. It was nuts and of course I had no recourse on that. I am
not naïve about the risks here. But meanwhile while we are talking about
and I don’t want to overdo this highway metaphor, but while we are talking
about things like divided highways and safe on ramps and jersey barriers and
rumble strips on the side of the road to keep things right. I don’t want to
overlook the fact that there is poison in the data frequently and that the
immediacy of this.

My punch line here is please whatever else we do mandate that we be allowed
to see our data and correct it. In rough terms I am no expert on this but in
rough terms there are a thousand people in the US today who will get a cancer
diagnosis and they will face that holy crap what do I do now and wanting to get
engaged. The analogy that I have is that bad data getting into the pipeline is
like bad gas in the early days in gasoline pipelines. Bad gas can do bad things
to your Model T. We evolved ways to protect and guard how things get into the
pipeline and spot check and so on.

My point here is we could spend gazillions of dollars on processes and
technology to try to clean up the data but the quickest path to quality
improvement is to let us look at our own freaking record. It is easy. It costs
next to nothing so just please whatever else we do while we are working on the
privacy concerns mandate that patients be able to see their data. Thank you.

MS. MILAM: We have heard a variety of comments about appropriate uses of
data and the importance of consent and choice and how difficult informed
consent can be on the Internet. I would like to hear your reactions to the
Health 2.0 movement and websites like PatientsLikeMe where information with
consent can be used for other downstream purposes. It is their argument I think
that it is a way of making the service, the website, whatever available to the
public. I would be interested in your reactions and is there a sweet spot? What
should be taken off the table? What is reasonable for a consumer to understand
and to be given choice around?

MS. FOX: I will go first. PatientsLikeMe is an example of what can happen if
consumers build their own tool. They are frankly ahead of you guys in terms of
consumers just saying we are going to do this for ourselves. This is what we
want and it is a certain teeny group who are activated essentially and have the
technology, have the personal activation, have the knowledge, found a home in
PatientsLikeMe and are just going ahead and doing this. We have seen this kind
of adoption of technology in all sorts of ways. A caution that I would have
about surveys related to privacy is that we found early on whether you go back
to the ‘90s before the Pew Research Center started doing our surveys, or
even in the early years of the Pew Internet Project, we found that there was
also high anxiety around eCommerce because very few people were doing it. It
completely changes once you buy something online. The first time that you enter
your credit card and you buy something online — I should use the past tense
because I bet everybody here has bought something online, your attitude really
changes about eCommerce. When you see these studies that show that we are at
about three percent uptake for PHRs, but there is extreme anxiety, I think back
to the eCommerce phase of the ‘90s in the early 2000s. So be careful about
this speculation because the reality is that people are going to build their
own tools like PatientsLikeMe and they really are the sentinel.

They are the forerunner but there is a possibility for more and more of
this. If you like it you can create legislation that encourages that sort of
thing and if you don’t like it you can create legislation that discourages that
sort of thing, but this is the reality. Again, this is the reality of the facts
on the ground.

MR. DEBRONKART: Interesting, in the early days of eCommerce there were
scummy pirate websites and reputation has become everything. You don’t go to
-- smart people don't. Thinking ahead in my prepared statement I
mentioned. I said regulate now for what people will be doing in 2020. Bob
Coffield said 20 to 50 years out. My daughter is 25 years old. She got married
a week ago. The wedding pictures are up on Facebook and dad being a friend got
to see the whole thing. In the midst of the wonderful, romantic, sentimental
wedding pictures they mixed in the after party pictures that dad didn’t know
about, but other friends wanted to see them and my daughter said I’m not going
to make them public because I have students who are my friends on my Facebook
and I don’t want them to see everything. There is a different sense of
willingness to share among the next generation that is coming up.

DR. MCGRAW: Sallie, I think that you asked the question that is the most
weighty on my own mind as we start to grapple with this issue and I don’t think
I have an answer yet because I tend to be more in Bob’s camp where I would want
to say certain uses are prohibited because of the limits of consent. At the
same time though I look at a site like PatientsLikeMe, which is absolutely up
front with people about how they use their data in an incredibly clear way. We
had our computer scientists actually dive in and look behind the panels and she
is like this is a really great site because one their policies are amazingly
clear. People know that if they participate and whatever they share is going to
get sold period and they are absolutely up front about this in ways that most
privacy policies are not, which is part of the problem and maybe one possible
solution but that’s hard to do. You must be clear. The HIPAA privacy notice is
supposed to be written in plain English but still there are lots of people who
are confused about it. It is difficult to get there.

We are going to try to look at that question, but I can’t say today that I
know where we will come out because I do think that there should be limits. I’m
not quite sure what those are yet and on the marketing piece in particular I
think it is hard, again, because if you look at a site like PatientsLikeMe
which patients in quite dire straits find incredibly valuable and they say it
is okay with me if my data is sold if it gets me entry into this community that
has helped me so much. What do you do about that?

DR. PEEL: The other side of that is and I think they have gotten a lot of
criticism for the fact that they sell their data. The founder was presenting
this at a conference I was at once and all of the technical people in the room
said jeez can’t you find some other way to pay for the infrastructure? The
point really is it offers wonderful tools. If somebody offered those same
wonderful tools and it cost you $5 a month and your data didn’t get sold, there
are a lot of people that would make that choice. I actually agree with Bob and
Deven. There are some things that ought to be prohibited certainly, but if you
have the control upfront then you are going to get a lot less misuse down the
line. Even some of the people on 23andMe if they are extremists and if you are
really worried about dying, privacy of course goes out the window. You want to
find out everything you can.

The other thing that people that are thinking that they have a really
threatening illness are also worried about might be well, what if it turns out
when we have all our genomes matched that there is genetic vulnerability and so
what I reveal today may hurt my children or grandchildren. These are the kind
of risks that need to be discussed upfront now that information is everything.
If it is everywhere it can affect more than just you. That’s the problem of
course with genetic information.

DR. FRANCIS: Harry and Maya and Sarah.

MR. REYNOLDS: In a lot of the other things that we have implemented and we
recommended as long as there has been legislation and then there have been
standards. Dr. Peel, for example, the thing you put up there if philosophically
somebody pitched that as a standard. In other words there are no standards
development organizations that a lot of us have had our discussions pluses and
minuses with as we went through HIPAA and some of the other things. So they
have their pluses and they have their minuses. As the statements are that
nobody wants to do it, nobody has laid out what it looks like. I think there is
a lot of discussion and I think there is a general discussion of the subject,
for example, just taking those 50. In the other processes those 50 might have
been put on the board in front of a very diverse group of people, would have
been debated as to whether one goes, 50 go, 25 go. That is how you come up with
all the formats of HIPAA. That is how you come up with everything else. What
data do you need and so on. Then you put legislation around it to say if you do

What I am struggling with is I sit through a lot of these and those of us
that do implement things want to get a hold of something that somebody says
this is what to do. As soon as you say that which is with everything else we
do, some people are for it. Some people are against it, but the point is right
now it is a little bit like a cloud because the discussions by everybody are
realistic and you look at the cloud and go that is good but you can’t pull it
down, sit it in a room, and have it up on the board and saying this is what
good consent looks like. These are the fields. This is the information. This is
how it needs to be done. This is readable. This is actionable and oh by the way
we ought to pass this legislation and make sure that that’s part of everything
we do. That is the real struggle that I continue to have. Any comments would be
wonderful on it because otherwise we would just continue to discuss it in
emotions and emotions are not negative. They are good emotions.

DR. PEEL: That is a really key point. You know the cloud thing versus the
one to one and the reason that this thing can work is the patient is disclosing
the data either to one person or one facility and then they get to keep it but
they don’t reuse it. It is very much a one to one situation, which is really
what people – they want to know. Who am I giving my data to and for what
purpose? That is exactly the problem with these cloud deals where you –
like the State of New York has developed – I forget what they call it. An
affirmative consent where you dump your data into some kind of a cloud and all
of the stakeholders in the RHIO and New York can do whatever they want with the
data and you never know. They talk about it as they were developing that and
some of the documents that I read that they want to get away from the one to
one consents, but if we don’t have them then I think it is really impossible to
be certain that your data is not misused.

Maybe we can develop penalties for misuse but who is going to catch the
misuse. We finally got in our audit trails for disclosure so we can actually
see where all of our data goes. People don’t know. That will begin to bring
some attention to this. We have data streaming everywhere and you are right.
That kind of a robust consent I guess can’t really be implemented in a cloud.
In other words whoever wants your data among those stakeholders would have to
come to you and say well I want to know these things about you and you would
have to give consent.

DR. FRANCIS: I’m going to ask and Mr. Gellman also wants to comment because
we are beginning to run a little short on time even though I’m going to go
about 10 or 15 minutes over.

DR. GELLMAN: I just wanted to say that I think one of the answers to your
question is political. We have a political process that makes choices and
choices get made within the limits of the politics. That actually provides what
turned out to be useful constraints. There are some ideas that may agree
theoretically would be wonderful but they are impossible to implement or they
just don’t get support and that’s how you make decisions. When you have hard
choices, you got to exercise political judgments as well as other kinds of
judgments in framing the choices and trying to find compromises and trying to
find middle ground and what have you, but ultimately those kinds of choices are
political in terms of what you can do. If you want to talk about where the
limits of legislation, well I would argue that PHRs are different than all the
other kinds of health records that we can identify outside the HIPAA framework
because we are taking directly out of HIPAA controlled rules records and we are
putting them one to one and that is why they should be. Should we also cover
their health records that your gym has? Well, maybe that’s a different kind of
thing and maybe the answer is we ought to do it but we can start to draw some
lines and if those lines attract political support then you get a solution. If
you don’t then you stay where you are until the political solutions become

DR. FRANCIS: I have seen interest in asking questions from John, from Maya,
from Sarah, Paul. Anyone else?

MR. HOUSTON: This is for Susannah. Has your organization ever tried to
survey the individuals as to their attitudes regarding what is acceptable
privacy or acceptable levels of privacy or how far are they willing to go? I
think people are long on opinion and short on attention. I would be interested
in understanding whether you had thought about that issue?

MS. FOX: We have not done survey work around what is acceptable in terms of
health information, in terms of disclosure. What we tend to do is ask people
about their behaviors online and then draw from that. You know sort of
indications of what decisions they are making. We had a report about a year ago
called Digital Footprints. You mentioned footprints online. This was again not
related to health information but related to personal information and we asked
people first just to benchmark how many people have searched for their own name
online. I can’t remember exactly –

MS. BERNSTEIN: It’s called an ego Google.

MS. FOX: Yes, exactly. Vanity search is what – because I tried to avoid
the brand names but vanity search. But it’s actually more than vanity search
because of course it has implications for what comes up first and whether you
are going to get a job or whether that person is going to go out with you
frankly which is the concern of a lot of people.

In any case what we have found is that most people are not checking their
digital footprints online. It is those of us in the room who have a big media
footprint who care about what we look like online. Most people are not looking
in the mirror when it comes to the results in their search engine. People have
this idea of it is so fun to participate that they are not thinking about the
privacy implications. It is so fun to put the wedding pictures on Facebook. It
is so fun to blog or they don’t have a choice. There is that situation as well
where an employer requires you to have your name and your personal information
on the company website. What was surprising was to find how few people are
checking up on themselves and essentially looking in the digital mirror. By
that I think we can start to look at what choices people might make when it
comes to health information. It is of course different from the clubs that you
join or the hobbies that you pursue. People might be stricter about that, but
again we have a new generation coming up who really believes that they have
greater control.

I will close with, I interviewed a private investigator about this because I
was curious to see what she thought. She said that boomers are the easiest to
track down because they are most likely to live in the same place for a long
time. They are most likely to be listed in the phone book. They are most likely
to have a landline. People in generation Y, the millennials, are really hard to
find. They are cell phone only. They move around a lot. They use lots of
different names and different identities. They are very difficult to find. The
millennials feel like they are exerting the controls that they need to over the
different aspects of their lives. Whether they are right or not, I’m not going
to say. They feel they have those controls. They want the controls but the
boomers are actually the easiest to find. So watch out.

MS. BERNSTEIN: Thank you. I really appreciate all the work you had to put in
the time to prepare such great testimony for all of us so thank you very much
for being here. Maybe I’m going back a little bit to something we talked about
earlier, but Dr. Peel testified with conviction both in her written and her
oral testimony that lack of privacy is causing suffering and death. On May
20th we heard Jamie Heywood of PatientsLikeMe testify that privacy
is the very thing that is causing his constituents to die faster because it
prevents data from being used to find a cure or at least slows things down. I am
curious to hear how our other panelists, in particular, Dave, think where you
come down on this. In your testimony you mentioned that you gave out your
password to particular people presumably and you have obviously been very open
about your personal experience.

What struck me about some of the conversation about consent and about your
experience is that there seems to be a huge burden on the patients to deal with
this stuff. You know I’m just looking at the list of check boxes or whatever
and thinking that is an incredible burden to understand what is going on, to be
educated, to have information, and to like make a billion little decisions
which a lot of people just don’t want to make.

So I am wondering kind of where you come down on that and what your
experience has been or what it will lead you to go with on the privacy thing
and on the consent thing and then perhaps other panelists want to comment.

MR. DEBRONKART: You mean on the 50 questions specifically?

MS. BERNSTEIN: No, I just mean on the idea that privacy in particular that
having medical records privacy or PHR privacy. Is it more like something you
want or more like you are willing to disclose because your treatment required
you to get a cure faster. I mean essentially PatientsLikeMe is trying to get
faster cures.

MR. DEBRONKART: It is a great question. If life is going along routinely and
I am speaking only from my personal perspective. I don’t have a body of
research behind me. If life is going along routinely and there is something that
you may not want other people to get their hands on, you may whether it is a
psych diagnosis or I don’t know an AIDS test or who knows what then you may
feel differently about it. There is a shift that happens when you move into the
world where your life is at stake and the doctors are out of ideas.

The first blog post I wrote that ever really got any attention in my year
and a half now of trying to learn about all of this was about the subject of
what is called evidence-based medicine and it is a complex subject with a lot
of discipline around it. But what I wrote was at the frontiers of medical
knowledge where lives are at stake and the doctors have no answers, what do you

Similarly in the case of a disease like mine stage IV kidney cancer is
normally fatal. There is only one treatment that produces something that looks like
a cure and it usually doesn’t work. In my case it did. In the case of the
Heywoods they started that company because the medical industry had failed to
get the job done. One of the ways that we can help – I’m sure it goes
without saying but sometimes when we get wrapped up in all the details of these
complexities it can be hard to lose track of what our purpose was in the first
place. Helping patients do better in life – I mean if we didn’t need to
do that we could just ditch the whole healthcare thing and save a lot of money.
Seriously we could work on better golf courses.

One of the ways that we can advance better healthcare for everyone is by not
impeding the ability of people to share their data when they are saying as my
grandfather said 40 years ago, for God’s sake do something. The e-Patient’s
white paper on e-Patients.net talks about patients. One guy in particular I
don’t know his name but there is a syndrome called GIST, gastrointestinal
something or other tumor. The doctors are out of ideas and over a period of
several years he pulled together enough stuff to come up with a treatment that
worked. There is a high school diploma. There is a whole chapter in that white
paper on e-Patients as researchers. Then there is the lethal lag time. The fact
that research has been completed can take years before it reaches desperate

I guess my point is it’s a different world when the doctors are out of ideas
and whatever we do we ought to not impede people’s attempts to save themselves.

DR. PEEL: You all would really like to hear from the founder of Private
Access who has a son with a genetic problem. His whole point is to do exactly
what you say is to bring together a community of people that want to facilitate
research and he does it with his son and he built this amazing privacy and
consent mechanism to facilitate research. I think that’s a false opposition
that privacy is keeping researchers from getting information. Technology tools
can enhance the way to reach for researchers and patients to connect. Privacy
can be respected at the same time. It is a false opposition. Privacy isn’t
keeping us from getting the research and technology could actually connect
people together. I actually sent you the wrong version of my remarks because I
was so confused but I was talking a little bit about private access in there
and some of the other consent mechanisms, but there are people that are trying
to solve that problem in a way that gets these communities connected. It’s not
privacy that has been the obstacle. It is difficult to connect and technology
allows us to connect in ways we never could.

DR. FRANCIS: Did you have a question?

DR. GELLMAN: The question is, do privacy concerns keep people from getting
treatment and lead to bad outcomes? I have seen some evidence of this. There is
clearly evidence that kids are worried about can they get in trouble with their
parents and not find out? There is evidence of people seeking psychiatric
treatment. I have never seen anyone do a study on before HIPAA or afterwards
that looked at the health privacy law in a state and compare that to outcomes
in the state and whether a state with better privacy laws had better health
outcomes. It would be a very difficult study to do and I would be shocked if it
found a difference.

One of the problems that we face in this area is you can change the law all
you want. People aren’t going to believe you. You tell that 12 year old and
that the law protects you. They may not believe you or they may not understand
the law. There are just some things that just aren’t subject to control. There
are lots of reasons to lie to your doctor. There are lots of reasons not to go
to a doctor. Privacy may be one of them. There are lots more reasons. I don’t
know how you separate all of that out. I think that there clearly are privacy
consequences. I’m sorry there are other consequences in terms of cost. If you
say to people that do fraud control in the healthcare system, which is a big
problem, you are going to limit their access unreasonably whatever that happens
to mean. Then the answer is well healthcare costs will go up. Fewer people will
get healthcare and therefore you have worse outcomes and you can do the same
thing with public health or research. These are the tough tradeoffs that exist
and can’t be dismissed. They are there and they have to be dealt with.

DR. FRANCIS: Sarah, you had a question.

MS. WATTENBERG: Can I just make a comment. I just have to go on record as a
subject matter expert – part two. I just have a couple of comments. One is
I think it is a lot easier than HIPAA. It is a pretty easy federal law because
it is largely consent driven but it is not well known and that makes things

One thing I also just want to say and I will just disclose that NDIIC
product that you are talking about actually is partially funded by SAMHSA and
we have talked about it a lot here and the potential for consent technology.
Just what I want to reiterate is that because somebody had said you couldn’t
really implement consent. It is very hard. It is difficult. It is impossible. I
guess I just want to point out that that’s not true. NDIIC has done it for many
years. Just to say not to here there in terms of making any policy statement
about larger application of it, but part of what SAMHSA is doing is actually
networking on even more sophisticated consent-driven technologies.

DR. GELLMAN: I think that it may be possible and I think it is probably
necessary to use consent in some places, but I look at this statement, this
consent model. It’s a long thing. I don’t know how much time and effort and
money it takes to educate patients about that. It is not intuitively obvious
what all the categories mean. I love the fact that in there there is one check
box for laboratory results. I can consent to the disclosure of my laboratory
results with one check box. How many lab results do people have? I have a lot
of concerns about that. I may have 10 different healthcare providers. The
family may have 10, 20, 30 healthcare providers. One provider can see one
result. One can’t see another. It is very complicated to do. It is
theoretically possible. The smart educated patients with a lot of time and
money willing to do it, but the average patient is not capable of making a lot
of these decisions. I think we probably have to accommodate those who are, but
those who aren’t we have to find another way to do it.

DR. PEEL: Well, we set some defaults. We provide models. Certainly everyone
is not going to want to go through everything and they can do that, but the
ones that wish to really have the right ethically and under the law to be able
to do that. We really have the rights as individuals to negotiate our privacy
as far as health information goes, which is different than any other area of
commerce. We can’t negotiate with banks or phone companies, but we absolutely
do have those rights with doctors. There are going to be ways to fix this.
There will be defaults for – defaults are examples that people can check.
Well, I want to do it like the American Diabetes Association thinks I should
set my consents. There will be ways to do this. I appreciate you saying that
these consents have worked in the substance abuse field for years and they
have. They have been very effective.

DR. FRANCIS: I want to thank everyone for an enormously rich morning both
the panelists in this session and the panelists in the earlier session. I want
very much to thank our staff also for putting together these amazing hearings.
I am told that no one has signed up for the public comment at 1:30. Is that
correct? We are going to adjourn now until 1:45. That would be an hour for lunch
and the committee will then come back to talk about next steps. Thank you.

(Luncheon recess taken at 12:45 p.m.)


Agenda Item: Discussion

MR. HOUSTON: I think probably what we want to do and I apologize because my
laptop doesn’t have any juice to it. Do we have a printout of what we sent
around? Remember the document we sent around for people to comment on.

DR. FRANCIS: I take it we should be back on the net and so why don’t we
formally restart our hearings of the privacy and security subcommittee. John
Houston is going to be chairing this afternoon’s session and we are going to be
discussing a work plan. I should say that Marjorie Greenberg will not be able
to join us until about 3:30. I spoke with her before the break and she
indicated that we do have support for minutes to be done and a writer if we
want to do an analytic summary of what has gone on in the hearings. At a
minimum we will have the technical and other in addition to all of us here
support to produce an analytic summary of what we have heard and I think we
will take as an assumption that we are going to do that.

MR. HOUSTON: What do people want as an output of this? I mean an analytic
summary I guess. In one sense we heard a lot of interesting testimony and it
was sort of all over the map everything from privacy and security related
discussions of EHRs to privacy and security stuff to PHRs to general discussion
about PHRs. It sort of ran the gamut. I guess the question is do we –
obviously the charge of this subcommittee and the purpose of these hearings was
to discuss privacy and security in PHRs specifically. I also get the sense from
the discussion before that we really need to try to get if we are going to make
recommendations which I am assuming we are, we need to try to get those in the
final form late fall at the latest. I think we have heard a lot here that leads
me to believe that we can come to some consensus both based upon what we have
heard and I think our own opinions as to some of the things that need to be

The question is how much depth and how much detail do we go into these
recommendations and what would be most meaningful as HHS I guess has to come up
with their privacy and security recommendations with regards to PHRs. The
question goes back to and when the list gets recirculated in a second in
talking about what should be in that and what the format should be.

DR. FRANCIS: Well, in terms of an analytic summary all I was saying I was
not proposing we do only that but I think several people thought it would just
that this set of hearings is a very rich source of information for people and
that we shouldn’t let that get lost. I guess the first question is if we
proceed on that front does that seem okay to people as just something that we
could use as a document to spring off of and perhaps have in a form that other
people can use.

MR. HOUSTON: We don’t typically do that, do we? I mean we did it for the
meaningful use simply because of the fact that that’s what we were asked to do.
Is it going to detract from us trying to get the recommendation?

DR. FRANCIS: I don’t think so. I think Marjorie was telling us we have the
resources to do that and more.

DR. TANG: I don’t know that we need to do anything more than we usually do
or the kind that was provided you know like the minutes of the last base
meeting for the full committee. I don’t see any pressing need to do anything
more than we normally do.

DR. FRANCIS: So we will have the minutes prepared and people can look at it.

DR. TANG: — provided written testimony as well as their slides and I think
it captured –

MR. REYNOLDS: If you think you are going to come out with some kind of
significant document with observations and recommendations out of this,
beginning to pull together preface for that and/or what the observations might
be, I could vote for just to have somebody pull together what we heard already.
The reason I am worried about it I’m not sure we want to – we may have
the money right now but I’m not sure we want to set a precedent for every
committee that has something and goes and gets a writer and then we do
something and then we come back because I don’t want the writer to be in any
way – in other words, we will just use the last example. What is present
during the hearings so she can begin pulling it together. Any writer now and
understand. One of those would be either Susan or I would think Margaret.

DR. FRANCIS: This is the person up in Boston does the minutes?

MR. REYNOLDS: You weren’t talking about minutes. You were talking about an
analytical summary.

DR. FRANCIS: What Marjorie said to me was that she is doing the minutes and
the first session minutes are just ready now. She will be doing the minutes for
this session and if we wanted her to do some writing based on the minutes that
is a kind of summary we could do that.

MR. REYNOLDS: I would like to make sure we understood more about what our
observations and thinking is before we would do that so we don’t just do that
and then go back and start again.

MR. HOUSTON: Here is the other concern I have is that again if we decided to
do – made sense to do analytical summary. Seeing what we went through on
the meaningful use summary and the like. We spent a lot of time just doing that
summary. I think if we want to have meaningful recommendations I think it is
going to take some more care because we heard a lot. I think there is a lot of
– I’m sure there will be a lot of discussion around what needs to be in
these recommendations and how we frame them and how much detail we get into
them. I think it is great conversation. Don’t get me wrong. I wish the whole
committee could hear a lot of it because I think they would have probably said
that’s neat stuff and that’s good to hear. I like the messages that came out of

With that said we actually have copies now of the document that was sent out
after the last testimony of the last hearings. I guess maybe the first thing we
could do – it was the thing that you sent out Maya. I thought maybe you
had your laptop with you. I’m sorry. We just got copies made. Do you want a

MS. BERNSTEIN: Are we going to play with it?

MR. HOUSTON: I was hoping we would because I thought the first thing we
might want to do is look it over and say – you were the one that sent
this. You don’t have your access to email.

MS. BERNSTEIN: I know what you are talking about. I’m just asking whether I
have access to it where I am sitting right now or can I get it. Janine is
looking at me thinking about it.

PARTICIPANT: I would have it because you sent it to me. I could go upstairs
and –

MR. HOUSTON: Are you on the original distribution? That would be great.

MS. BERNSTEIN: Can I just ask? Maybe it’s reviewing the bidding. I’m sorry.
I was a couple of minutes late. Tomorrow you have agreed to make some
presentation at the full committee meeting about what we are doing. Is that
based on this document we are about to talk about?

MR. HOUSTON: I think it should be.

MS. BERNSTEIN: So that should be our first priority that is happening

MR. HOUSTON: What I would like to do here I think is we should look this
document over and say did we hear anything today that adds to changes and
modifies what is in this document to begin with and then we can use this as the
basis I think, then for moving forward.

DR. FRANCIS: Why don’t we just start? We could just read the process because
that we are not going to be editing and see whether anybody is worried about
any of this. It says we need to involve the full committee, inviting to
conference calls, et cetera. I take it that is uncontroversial. Full minutes.
We said okay to that. Heads up about the topics. That is the report tomorrow.
Then we are going to try to have a full draft of recommendations by September
so that any final action on recommendations can be done in November. That is
just the work plan process.

Then we are going to focus on PHR’s security and privacy with a filter on
what might be relevant to EHRs and with an aim of making information available
that might be relevant to others so that is the analytic summary point
question. Maybe we ought to just say right now we are going to focus on any
recommendations we think we can agree to about security and privacy and PHRs.

MS. BERNSTEIN: Was the question earlier whether we thought we needed both
the minutes, which we are getting, in addition to an analytic summary because
we already have a transcript then we have all the testimony.

MR. HOUSTON: Here is the concern that I just raised is that if we want to
get things out by late fall, I don’t know if we have the capacity to do the
analytic summary because it takes cycles away from the other. If we think we
are making great progress I guess we can always decide to do an analytic
summary but I think for now we have to say the first party should be –

MS. BERNSTEIN: I tend to agree with that given the history of how we sort of
grappled with the kinds of issues that this particular subcommittee comes up
against and how much time it takes and the difficulty in just – you guys
are all very busy people and getting people on the phone at the same time is
quite challenging.

MR. HOUSTON: All right we are going to scrap on the process issues list the
very last one as Leslie said which starts with also with aim of making.

DR. FRANCIS: Could I just put in a plug though for the following which is
the idea that there may be an issue about which we have very good ideas about
where the disputes lie or what the considerations are on both sides, but we are
not sure how it ought to be resolved. I think we could still make the
contribution by outlining the issue even if we don’t have a final
recommendation. That is what I want to make sure we leave on the table.

MS. BERNSTEIN: I think we have done that actually in previous reports where
we said somebody should be making a choice in this area where we said we
weren’t ready to – we did that I think in the June –

MR. HOUSTON: We should try to move the balls far forward as we can and then
leave it out there where either we can’t or there is some requirement for CMS
more broadly to do so.

The next thing is under the themes. There were really seven different themes
of information we heard. They want general framework, definitions, security and
standards, privacy, consumer interface, accountability, and enforcement and
tools. Are there any other broad themes that we want to add to that list before
we go into the details on each one of those themes?

MR. REYNOLDS: How does today play into these?

MR. HOUSTON: Is there anything else we want to add to that list from today’s
testimony? We could subtract as well. You are right. That’s a good point. We
could either add to or subtract –-

MS. BERNSTEIN: It’s a pretty daunting list. Somebody pointed out I think in
email traffic that it’s –-

MR. HOUSTON: Maybe what we need to do is let’s add to the list of what we
heard today and then we can go through it and say okay what falls off the list
in the greater scheme of things. Let’s take today’s testimony and say okay what
else needs to be added to this sort of wish list because that’s what it was.
There was no attempt to refine this list other than get it out on the table. So
let’s do that quickly and then from there we can say okay now it starts to fall

MR. REYNOLDS: I guess my feeling is more and more as I personally listen I
can’t not make consent a theme.

MR. HOUSTON: Well, that’s good then.

MR. REYNOLDS: No, it’s buried under something. I am talking about –-
because to me that continues to be lynchpin from everything especially we heard
in the second panel. That if we don’t figure a way to get that right, we don’t
make recommendations on that. That’s not understood.

MR. HOUSTON: Let me just cut you off because let’s assume that it is a theme
now then we can go into discussion. Do we want to go into a discussion now of
what goes? Let’s see if we can get all these different themes on the table then
we can go into a discussion of that as a topic area. Are there other themes
that sort of percolated up here that we might want to add to this list?

DR. FRANCIS: This goes probably under, possibly under consumer interface,
but a point that didn’t come up before was not just access but ability to
correct. I thought we had something about that. It seems to have dropped out. I
thought we had put it in there in the earlier version but I don’t see it.

DR. CHAPPER: It is actually masking corrections under –

DR. FRANCIS: Oh correcting, yes. That was a bigger theme today than we had

MR. HOUSTON: So we want to add that as a ninth –- we can take out
privacy -– again, what I want to do right now is make major themes here.
So if we are missing something as a major theme we can delve into each one of
these themes.

MR. REYNOLDS: Which one are we recommending we have?

DR. FRANCIS: I wasn’t necessarily recommending that it be a huge major theme
but it is an issue that got more emphasis today than it did. Not just
correcting by patients but the whole adequacy and accuracy of the data in a
PHR. So maybe that is a separate theme, the problem of accuracy.

MS. WATTENBERG: That was such a huge issue last time. That whole issue about
accuracy and that is funny that we didn’t even get here.

MR. HOUSTON: Do we say accuracy and completeness? Is that what we are
talking about here? Is that the major theme?

MS. WATTENBERG: Yes, I think accurate and completeness but with the piece
that consumers –

MR. HOUSTON: Paul, it looks like you want to say something.

DR. TANG: I would add usefulness. I’m not sure -– before you can assess
the value.

MS. BERNSTEIN: Can you tell me where you are so I can I just catch up over

MR. HOUSTON: Down there number seven. We pull out consent out of number four
and we put under a number seven a new number eight called consent just as a new
category. And then after that under nine we have another theme called accuracy,
completeness, and usefulness.

MS. BERNSTEIN: We actually have utility under consumer —

DR. TANG: I wonder if we could relabel number five unless you want to do
this later.

MR. HOUSTON: Sarah, that’s different by the way.

MS. BERNSTEIN: I think of accuracy, completeness, usefulness as a sort of
data quality standard essentially or a data management. Not tools so much. I
don’t know. We could put standards up here above. That’s not what we usually
mean by standards.

MR. HOUSTON: It says utility for users. I look at that if it is under
consumer interface, I am thinking of that as on the consumer side. What I heard
I thought was accuracy, completeness, usefulness on the clinical side, which
are two different themes you know. Utility to a patient versus utility to a

MS. BERNSTEIN: We are talking about PHRs now, right?

MR. HOUSTON: No, but to the extent that somebody allows access to a PHR. The
clinical utility is important to a physician. It is what the patient versus the
clinician sees. They both have an angle to a different view on the things.

MS. MILAM: What about a theme of the importance of maintaining an
environment where innovation and creativity can continue at the same pace.

MR. HOUSTON: Is that privacy?

MS. MILAM: I don’t know if it is privacy. I keep going back to
PatientsLikeMe. That was a good example.

MR. HOUSTON: But we need to focus on the private –

DR. FRANCIS: I think we ought to have a section if we are doing a report on
this about some of the basic values and it seems to me that is a basic value
that cuts across.

MR. HOUSTON: Why don’t we make an overview where we talk about the values of
PHRs and use that to sort of open it up. I hate to be really laser focused here
but if you look at the ARRA and what it says needs to occur, there needs to be
recommendations regarding privacy and security of PHRs. I think we want to be
very focused on helping make recommendations in that respect. I just don’t want
to get off track.

DR. FRANCIS: No, but when we do a summary about what are those
recommendations going to be like we are going to have to address the question
of whether privacy protection is in some way a block to innovation and we are
going to have to think about – we are going to have to say that is an
issue on the table and we are going to have to address the point that was made
that it is not necessarily dichotomous.

MR. HOUSTON: But do we put that in an overview to frame it?

DR. FRANCIS: Yes, I think we do.

MR. REYNOLDS: It’s another question.

MR. HOUSTON: Maya or somebody was going to say something? No.

DR. FRANCIS: I think the other thing we put in an overview is the remarkable
variety – you know what we learned about the remarkable variety and the
lack of a current framework because it seems to me that the first point need to
establish a privacy and security framework for PHRs and the question is then
should it be one that applies to all types? That is a really hard question
because that goes back to Sallie’s question about should there be some that are
beyond – should there be different –

MR. HOUSTON: Why don’t we say that this is part of an overview. We can
describe what we heard in terms of not only what is existent today but also
where things are going. The medical social network with PatientsLikeMe. Is

MR. REYNOLDS: And also the stuff we heard about so many people going
electronic and living their lives electronic.

MR. HOUSTON: Absolutely. I think some of that Pew research. I think that
would be helpful as part of an overview to frame all of this so we can talk
about the short view and the long view.

MR. REYNOLDS: I am struggling a little bit –- I like the overview idea.
I struggle with the words general framework. I would rather us consider
government because I think at some point and that’s part of what we were
discussing. At some point somebody has to step up. A framework is just a
document. Nobody has to move on it. Governance says how can we truly believe
–- you used the term a lot, John. How do we truly believe that these PHRs
ought to be governed whether it is current legislation plus some other things
that are going on, plus somebody does this, plus a framework? Pick three things
out of a framework. But if there is not some governance –

MR. HOUSTON: You raise a good point.

DR. FRANCIS: That’s crucial.

MR. REYNOLDS: I would like that to be one of the – not general
framework because that just continues the mushy talk I think. Those are great
recommendations so I am not saying any of the frameworks are mushy, but if you
don’t decide what you are going to do with that framework then all you have is
a banner.

DR. FRANCIS: Well, we do need a background.

MR. REYNOLDS: No, not a background.

DR. FRANCIS: Well, we need a background first.

MR. REYNOLDS: I agree with that. I just think if we don’t start putting some
stakes in the ground – governance needs to –

MR. HOUSTON: I think it even goes further than that. Governance and
stewardship. I think it was Dr. Peel. You look at all these consents and this
ability of this consent to go with authorizations to go along with the data.
This assumes that there is something out there that allows that to occur and
that doesn’t exist today.

MR. REYNOLDS: Some of you weren’t at the meaningful use hearing. You
remember the discussion by some people from the Medicaid environment in the
Southwest where they discussed that they would capture the data and they would
use share the data and they would be the stewards. As we move more and more to
this, John to your point. If people declare themselves as a steward, does that
change the government or should we be looking more and more at these government
programs. They were very clear that they will have the data, they will share
the data, and they will commit to everybody covered that they are the stewards
of the data. Well, that’s a governance model that immediately goes into place
and may or may not have something that is underpinned up against that is truly
the governance of how we think this data should be going.

DR. FRANCIS: When you say governance and just help me on this. I think of
several things. One thing I think of is standards. So what are the rules?
Another thing I think of is who makes sure the rules are being followed?

MR. REYNOLDS: It is legislation. It is rules. It is oversight. In other
words a good example is the privacy law is governance. See that oversees that
it is being dealt with and people can actually in fact file complaints. Now
tell me where in PHRs that any of us have that –

DR. FRANCIS: So we should call six instead of accountability and

MR. HOUSTON: We might merge six and one.

DR. FRANCIS: Well, I don’t know. That is a piece of governance.

MR. REYNOLDS: General framework is a piece. What is a piece of governance?

DR. FRANCIS: Accountability and enforcement.

MR. HOUSTON: Six should be a part of one. That’s what I am saying.

MR. REYNOLDS: Yes, I don’t have a problem with that.

MR. HOUSTON: If you take six and roll it under one, I think is what Harry is
-– we can make subtopic areas I think. Number one would be governance and
stewardship and then underneath that we would start to lay out.

DR. FRANCIS: So we got overview and –-

MR. HOUSTON: And then you get into this theme.

MR. REYNOLDS: A lot of the current framework stuff can move up to overview.

DR. FRANCIS: Right. What is going on currently is the overview and some of
the basic values like the need to preserve flexibility and innovation and so

MR. HOUSTON: Then you have governance and stewardship under which
accountability and enforcement would be one of those things is what I am

MS. MILAM: I see governance and enforcement as entirely separate things.
When Harry was first talking about governance a light bulb went off for me
about how different governance structures might be utilized to – if
somebody were to require a certain level of governance that was flexible that met
the needs of all of the different approaches, it seems like through governance
that would be a way to maintain the innovation or accelerate it but allows for
accountability and then appropriate enforcement. I wonder how we could use
different governance frameworks to make that happen with the different types of
MR. HOUSTON: My thought is that I think you could argue that enforcement is
a natural outgrowth of governance. I’m just trying to think of a way to
simplify it or keep it. I don’t know.

MS. MILAM: To me governance implies self-governance. With your stakeholders
it is the process that you set up to govern your organization or your project
or whatever it is. Enforcement is an outside organization that may sanction you
if you don’t follow the rules correctly or it may take other actions. I guess I
see them as two separate but important components.

MR. REYNOLDS: What I meant by governance was the legislation, the standards,
et cetera that exist that can be enforced. That is where I was going with it
because I really struggle that there is any law right now or there is any true
jurisdiction that holds PHRs right now and any kind of way to make it.

MR. HOUSTON: I guess arguably all of this is statutory framework or a lot of
it is. It sounds like you are saying is that first you have this statutory
framework and enforcement and then you have the governance that complies with
the framework is statutory.

MS. MILAM: I guess when Harry mentioned governance I was wondering if there
is a way through statute or regulation to require a certain level of governance
that would take care and help to manage all of the different variabilities and
types of PHR applications. I am wondering if that might be the key to the
entire thing, but then you have enforcement outside.

MR. REYNOLDS: And again somebody else might know a better term of art. We
have to come up with something that says or either has to be some kind of a
law, some kind of a something that this is underpinned under and then we can
call whatever other word we come up with. I am making that part of governance
right now because it doesn’t exist so neither is there overall governance nor
is there individual company governance nor is there departmental governance nor
is there governance in any way. I think it is the whole thing. Whatever the
word becomes I don’t want to lose the fact that it is multi-dimensional and
that’s where we are both going. We are saying the same thing. So I don’t care
what word. If you don’t use my governance word, I don’t care but I know we’ve
got to have something up there that you are going against whether it’s the
privacy rule, whether it’s the HIPAA law, whether it’s these other things. At
least you got something to go to even if you don’t like what it is at least you
got something. But right now with PHRs I don’t see.

MR. HOUSTON: I think what Sallie is saying is that the statute will cause
people to put the governance in place in order to do what needs to be done. I
guess if you said number one was I hate to go back to the word framework, but
statutory framework, governance, and stewardship is a topical. Then you can
link those all together. One is on the back of the next one, which is on the
back of the next. Or maybe statutory framework and governance and stewardship
are sort of part of that.

DR. FRANCIS: So an open question is going to be whether we are going to want
to be recommending a new statute.

MS. BERNSTEIN: That would be my question. Given this discussion that’s where
it sounds like everybody is talking about. There is an assumption.

MR. HOUSTON: I’ll tell you what to Paul’s point because we are getting down
into the details a little bit. Let me just step back for a second. Do we have
any other major themes that we need to be incorporated or split out or combined
out of this list? Right now I have on this list is statutory framework and
governance, definitions, security and standards, privacy –- let me get to
the end. No, this is just the list: privacy, consumer interface, accountability
and enforcement, tools, consent, and then accuracy, completeness, and

MR. REYNOLDS: I would like to change three.

MR. HOUSTON: Number three is security and standards.

MR. REYNOLDS: Are the standards you are talking about related to security or
are the standards you are talking about related to the structure of the

MR. HOUSTON: I think the former.

MR. REYNOLDS: You know the 50 things that Dr. Peel brought up.

PARTICIPANT: There is a list here.

DR. FRANCIS: It’s mucky. I think there should be a separate thing on

MR. REYNOLDS: They don’t usually go together.

MR. HOUSTON: I think that the way that they do come together is right now
you could go out into the industry and find out there is NIST and there are
other things that describe, which are standards, which describe security that
should be implemented.

MR. REYNOLDS: Those are security standards.

MR. HOUSTON: I understand.

MR. REYNOLDS: When you put the and I think there is a set of standards that
need to be in place. That is all I’m –-

MR. HOUSTON: Then number three should be –- maybe what we should say is
privacy and security standards to avoid the thought that standards are separate
and independently talk about standards. All right. So number three will be
privacy and security standards to make it clear that we are talking
specifically to those types of standards.

DR. FRANCIS: And that we’re not going to talk about standards for
interoperability or standards. Presumably something that I wanted to know
whether people wanted to take off the table was the question of whether we are
going to have anything to say about certification.

MS. BERNSTEIN: Do you want to take interoperability off the list? Is that
what you are saying?

DR. FRANCIS: Well, I don’t know. One of the issues we face is whether we are
going to focus specifically on security and privacy or whether we are going to
say things more generally about PHRs. One of the things more generally that a
lot of people said is that it is really great if they all kind of look the same
with respect to data dumping into them. But I don’t know whether we are going
to want to – does this subcommittee have anything to say about that issue?

DR. TANG: I thought we did –- privacy.

DR. FRANCIS: I thought we did too. We made a list.

PARTICIPANT: What did Paul say?

DR. TANG: I thought this was convened to deal with the privacy issues and
security and that actually preceded the recovery act and so it happens that it
dovetails with the need to comment on the protection of PHR data. –-
entities particular.

MR. REYNOLDS: I would recommend that certification -– if we mention
certification you need to have all the other things first before you can decide
what you are going to certify. We don’t know what the regulations are. We don’t
know what the standards are. We don’t know anything else then how are you going
to go through and –-

MR. HOUSTON: The buts of that would be is if we come up with recommendations
with regards to privacy and security and believe that in the context of privacy
and security there needs to be some type of privacy and security certification
capability. Would that be within –-

MR. HOUSTON: So we could say that.

MR. REYNOLDS: It is part of governance. A good example right now is EHR is
one of the significant governance issues in EHRs is if you are not certified,
you don’t get to pass go and get your $200. You are kind of shut down. Nobody
is going to be picking you.

MR. HOUSTON: So therefore one of the recommendations under governance may be
that there should be some type of privacy and security certification criteria
established potentially as being the recommendation or that would be one of the
things that the government, HHS should consider as a recommendation.

MR. REYNOLDS: Then, Paul, that could be picked up by the maybe the standards
committee of ONC as it moves it into implementation on the NHI.

DR. TANG: I have lost the organizing framework for this –- I mean are
you talking about recommendation? Are you asking for recommendations?

MR. HOUSTON: No, we are chunking right now. I guess the question came up was
this in scope or out of scope and all I am trying to do is argue for the fact
that based upon how we limit what we are talking about. It could be in scope. I
am not talking about recommendations yet because we still may take it off the
table. I am just trying to decide whether something is in scope or out of scope
for discussion. What I am hearing I guess is that it is in scope and for
something we should discuss and consider. I think we then need to get to what
we are going to consider under each one of these categories. All I am trying to
do frankly I mean going back to this. I keep trying to make sure we got at a
high level the different themes and we have eight or nine themes right now is
what we have. It sounds to me since we keep drilling back down into the detail
we’ve probably got the major themes covered and now what we need to do is to
decide thematically what is in the scope based upon the list that we provided.
So now we can start to go down theme by theme and decide what should be part of

MR. REYNOLDS: One other comment back to one of Sallie’s and it doesn’t
change it but it might go into the overview up front is we are using journey a
lot with meaningful use and some of these other things making sure with
Sallie’s innovation comment and everything that we are using journey along this
too. Whatever is there now and then if something else comes and as innovation
continues to go, whatever process is set up is going to have to continue to be
reworked not reworked necessarily, but adjusted based on the changing of –

DR. FRANCIS: That should definitely be one of the overarching points that is
made at the beginning. At the end of the morning panel there was some
discussion about the HIPAA framework. A number of people who testified today
seemed to agree that for security purposes the HIPAA framework was just fine,
but there is a lot more disagreement on privacy. It seems to me -– I don’t
know whether this is a question we ought to be addressing first or later, but
one of the big choice points is going to be what we see as the relation between
what we are doing and HIPAA.

MR. HOUSTON: That sort of leads to a more general point underneath all of
these different areas. What do we need to add? I mean I see that neither of
those subjects is really there.

DR. FRANCIS: That’s there.

MR. HOUSTON: What one is there?

DR. FRANCIS: It is right here.

MR. HOUSTON: I was looking under four. Okay. I’m sorry.

DR. FRANCIS: It was put initially right at the front because it was thought
of as kind of a basic initial choice point that we had to wrestle with.

MR. HOUSTON: I think we heard today regarding privacy was that HIPAA was
wholly unsuited for it simply because HIPAA immediately says that purposes
related to treatment payment and healthcare operations are things that don’t
require any type of authorization or consent. That in and of itself was
fundamentally at odds with cost of PHR and privacy.

DR. TANG: Maybe now you are transitioning into maybe start with observations
and then we will get to conclusions and the recommendations. So the observation
that I might frame with what you just say is the status quo is not good enough.
The things that could apply but don’t improved like the HIPAA privacy rule,
which doesn’t because context wise it was written before PHRs before any
network information. There were a number of reasons they articulate why it
applies to the use of this information by the healthcare team and really didn’t
even address the patients. So that might be. One observation is status quo is
not good enough.

MR. HOUSTON: Yes, but I think we can chunk the -– I mean we can put
these in a different standards. We have different themes. Let’s add them to the
specific thematic area is where we want to try to emphasize. Obviously on the
privacy side.

DR. TANG: I guess I am trying to reorganize it. The thematic areas are all
over the place in terms of even what kind of an animal is it. I am trying to
write the report essentially. If our observation is it isn’t there then there
must be something to do.

MR. HOUSTON: I understand your point. We can still put these observations
under each thematic area and we can decide later whether it warrants
reconstruction but I think we want to stick with these different themes and if
something is relevant let’s put it under the thematic area and from that we can
refine those lists. I don’t want to rewrite this and reorganize it. I really

MS. BERNSTEIN: We’re going to end up doing that.

MR. HOUSTON: For the purpose of discussion trying to come up with themes for
what we believe needs to be in the report I think this works. We can decide
each theme and then reconstruction we write the report is something different I

DR. FRANCIS: The question is I think it is a jumping off point at the
beginning about how we frame this about whether what we want to be doing is
proposing some add ons to HIPAA or whether what we want to be doing in the
privacy area is saying what Paul just said which is that HIPAA is not good
enough. It is misconceived.

MS. BERNSTEIN: When we say HIPAA is not good enough do we mean scrap HIPAA
and start over? Do we need to add on to HIPAA? Do we mean expand HIPAA? Do we
mean HIPAA minus TPO?

MR. HOUSTON: But that’s the point. That is why I say if you break it down by
themes. If HIPAA is not good enough for privacy of PHRs, describe exactly why
it’s not good enough and I think that we all agree that was a very strong
recommendation we heard from testimony over the last number of days of
testimony. I don’t have any problem writing that down.

MS. BERNSTEIN: I am just trying to remember on the first two days whether
anyone particularly disagreed with that. In previous hearings we have heard if
I have to deal with more than one regulatory –

MR. HOUSTON: I think that is another issue. I think HIPAA not being good
enough for PHRs not be applicable is one thing. The second thing is should
there be a single standard. That is totally a different recommendation. They
are related so far as but it’s separate. That is one of the things that came
out clearly too is that people are looking for a common, consistent standard
for PHRs. But I think what I heard at least was that as it relates specifically
to PHRs and privacy and security is that there needed to be a consistent
regulatory framework that was inclusive of all PHR vendors, all PHR providers
whether those people are governed by HIPAA today or not. There needed to be a
good definition of a PHR so that we could ensure that everybody that needed to
be included in this under this regulatory framework is actually included under
that regulatory framework.

MR. REYNOLDS: I think when we say HIPAA in this environment there is a HIPAA
privacy and there is a regular HIPAA. There are two things. Short of deciding
policy give us some insight on what you have heard, what you are formulating in
your head as to what you heard not necessarily recommendations and I’m not
asking you to go somewhere you don’t want to go. I would just love to have some
input from you on – you know you have heard all the testimony. You have
heard it clearly. You know what exists now. You know what you are facing as it
exists now. Any comments you can give would be I think really helpful as we
move to this next step. Any time we start using the words add on to HIPAA
whatever piece of HIPAA or this or that or something new it obviously drags a
whole lot of people into play.

MS. MCANDREW: First I would generally refer you to back to the paper we did
back in December 2008 and rolled out in conjunction with ONC privacy and
security principles for essentially EHRs was part of that. We did a separate
white paper larger than a set of FAQs, but about HIPAA today and personal
health records and how HIPAA might or might not apply to personal health
records and in particular what aspects of that might apply in the area where
they were not HIPAA covered entities or business associates.

MR. REYNOLDS: When you say we you are referencing OCR?

MS. MCANDREW: OCR the department.

MR. REYNOLDS: No, the reason I am saying that is people on the Internet the
word we is the term of art. I want to make sure they understand whom you are
speaking for.

MS. MCANDREW: We not you.

MR. REYNOLDS: Thank you very much. You are part of we but you can be you

MS. MCANDREW: I can be me now. I would say that clearly that was a first
step in terms of trying to provide some HIPAA context for these transactions
that are going forward. I think we recognize that the uses and disclosure
permissions that are the basic framework of HIPAA were not designed to apply in
a set of records where the patient was in control or a set of records that
really were designed for the patient’s own use as opposed to the provider of
the health plan’s use.

We have said so far is that clearly in setting up these personal health
records particularly where a covered entity is itself establishing a PHR in a
tethered or sponsored environment that they are free to make promises to the
individual in the way that CMS and others have claimed that they have which is
here we are giving you a copy of your data in our system or some version of
that and it is yours and we will not access it. We will keep our copy in our
EHR or our electronic files and that we will use in accordance with HIPAA or
whatever guidance, but here is a copy for you. Even though we may have
authority to have different access rules we are foregoing our rights with
respect to that and we promise you we will not use it.

I think from our perspective the HIPAA rules are permissions to use and
disclose and the covered entity always has the ability to say no even though I
have the permission I will not exercise it. That is kind of the framework.
Clearly it is not the kind of guarantee or requirement that some may be looking
for but it is a way of using HIPAA in its current format to govern this
different set of rules.

MR. REYNOLDS: Assuming a covered entity is involved.

MS. MCANDREW: Assuming a covered entity is involved. I think from our
perspective and this is what we are looking for the study under the HITECH
Act to do is what would be the legal hook without legislation of any kind of
governance set of requirements.

MR. HOUSTON: Let me ask a question. When I look at the HITECH Act I
thought that what Congress was asking was for HHS to make recommendations as to
privacy and security of PHRs. The implication of that would be that you could
make a recommendation to Congress to say you need to have legislation to
support these principles. Correct?

MS. MCANDREW: Yes. You certainly could make that recommendation to Congress.
The department in conjunction with the Federal Trade Commission. The report
calls for recommendations to Congress about governance of these entities in the
future and whether HHS, FTC, or some other entity would be the most proper
entity to provide that governance. My hesitancy is only one can recommend to
Congress and Congress will do what Congress will do.

MR. HOUSTON: But in this particular case unlike when you are making a blind
recommendation to Congress and unsolicited it sounds like there is a
solicitation being made. I guess the implication is if asking in providing your
recommendation in response to an ask, is it more likely that Congress may again
assuming it is thoughtful and reasonable more likely to act?

MS. MCANDREW: Reading congressional tea leaves is an art. I have never been
particularly successful at it.

DR. FRANCIS: Could I ask you a slightly different question?

MS. BERNSTEIN: They are not more or less likely to act just because they
asked for something in particular. It won’t be the same Congress by the time it
comes in and also part of it is the Congress has sort of once they have spent a
lot of time even though it was condensed in this case to act in a particular
area and the fact that they asked for a report usually is a punt that they
weren’t ready to act on something, but they have already taken a lot of action
in this area and are not likely to revisit it very soon thereafter.

DR. FRANCIS: Could I ask a question like this about whether the following
model is a possible model that you are thinking about? There are of course
going to be some PHRs, which have no information from a covered entity, but
suppose a PHR gets information from a covered entity. One possible way to think
about this would be to ask if a covered entity gives information to a PHR, what
should be the standards and should those standards be at a minimum the HIPAA
standards or something more? Now I take it there is at least a possibility that
one could try to do something like that without legislation.

MR. HOUSTON: I will tell you why it falls for two reasons respectively is
that I think the one thing that came up today very clearly was is that if you
apply the HIPAA standards to information going to a PHR, HIPAA doesn’t put any
authorization requirement in place related to treatment which would then would
have to be something you have to change.

DR. FRANCIS: So we have to do something more. I was just thinking scope
first whether the way to get a hook was to say we’re not going to do anything
about if Leslie goes online and sticks information in. We’re only going to be
saying we’re going to propose a governance structure if information comes out
of a covered entity.

MR. HOUSTON: The second point I want to make though is that all of these not
all of them but the major players in the PHR space are very careful to say I’m
going to get a patient authorization. I am not a covered entity. I am not a
business associate. It would be akin to a patient typing in their data and all
they are really trying to position themselves to say we are going to facilitate
that by take a feed as soon as you authorize us, but boy we are still separate.

DR. FRANCIS: What I am trying to say is we could cut through that. That is
the question I wanted to have on the table. The way we could cut through that
is we could say we need to rethink what an authorization means in that context.

MS. MCANDREW: Clearly we may wind up having to rethink what an authorization
means in the context where a patient wants their information exported into a
PHR particularly whether it is a stand-alone PHR even the covered entity’s own
PHR but that is more portable than most tethered PHRs are today. What does it
really mean for the individual to authorize the release of information into a
PHR or to authorize the covered entity or the PHR to release the information to

MR. HOUSTON: But if we go the route that you are talking about, Leslie, I
guess that is almost statutory in nature as well. I am just questioning if you
are already going to open –

DR. FRANCIS: I wasn’t sure. I mean I was just asking as a question. It is a
whole different ball of wax to recommend a statutory change than it is to
recommend a regulatory change.

MS. MCANDREW: Clearly there is a gray area in terms of what to do with a
business associate definition and what it takes to become a business associate.
There are a lot of politics about moving that line would not necessarily say
yes or no about the wisdom of doing so. It is a possibility. There are other
hooks in terms of trying to – I mean there has been conversations about
whether some of these entities and even PHR vendors may turn into the thing
that Maya never or someone never understood healthcare clearinghouses and
whether in some translational way one could create a new standard where
personal health record vendor would wind up becoming a covered entity by
redefinition of what is a healthcare clearinghouse. I mean these are things
that one can play with at the margins. The basic question I think still comes
back to at the end of the day you really don’t want most of these entities to
function like a covered entity or what we require covered entity to do today.
So what do you want them to do?

MR. HOUSTON: Harry, you wanted to say something?

MR. REYNOLDS: I think rather than design it right now I think obviously with
the fact that they have a study coming up at the end of year I think it is
really important that we get this document out. That rather than saying whether
it is legislation or what it is, what are the holes, what are the gaps, what do
we recommend that those need to be filled? That we put that stuff forward so
that it could be picked up as part of the study. It could be picked by this
next wave to take that and put it in there. That is what we have always tried
to be ahead enough that as people were doing things that actually had
responsibility to someone to do it to make something happen that our work would
be available and be able to be pulled off and insert it in there.

MR. HOUSTON: So therefore we are back to sort of the original recommendation
which is there needs to be an overarching single governance. I’m not even sure
what term it is to use. Something that uniformly guides PHRs on what their
obligations are. I don’t want to say just regulatory framework or statutory
framework because we’re not even sure what that is but we need to make
recommendation that they need to be governed by some common thing I should say.
As long as you are a PHR by definition this is going to apply to you whether it
be regulatory, statutory, whatever and that you can’t get around it and it
needs to be common. That is what I heard and I think what everybody saying is
that common thing needs to exist.

MR. REYNOLDS: And that takes you away from the whole covered entity thing,
which I thought Sue did it perfectly. It is the anti-lightning rod as far as

MS. BERNSTEIN: But I think just saying that would be saying something major
to say that all PHRs should be covered by the same set of standards and rules.
One might make the argument, for example, that PHRs could use their privacy
policies that differ as a kind of marketing tool. I give you this kind of
privacy if you like our model. Come with us. Somebody else says we have a
competing model. It is better and I’m going to advertise that it is better
because we have these different features. You know PatientsLikeMe if they
turned out to be defined as a PHR it is a wholly different thing. It is not
clear whether something like that could fall under a definition of a PHR. I
really don’t know. I’m not making any opinion about them. I am just saying it
is possible for a social network thing like that which wasn’t contemplated to
be defined as a PHR, but they have a completely different model of what privacy
should be and what it is for. Some might argue that we should let a thousand
flowers bloom in the market place and different people will like to have
different kinds of models of privacy and that would be good. What you are
saying now is something very different than that which is also totally
legitimate that we need to have some uniform set of –

MR. HOUSTON: We heard uniformity as being an ask of us.

MS. BERNSTEIN: I don’t think we heard that from the first few panels.

MR. HOUSTON: We heard it from a number of people. I have mixed emotions
about this. To me PHRs run like EHRs in so far as somebody doesn’t have to sign
up for a PHR so there is a very strong argument that there is this consumer
choice. They can decide whether they want to participate or not and they can
look at the privacy policies and decide whether they are though many will not
as we have also heard and make a decision and hopefully an informed decision
whether these privacy policies are to their liking or sufficient to their needs
and then decide whether to do this PHR.

I guess the question then really is to take a step back and I agree, Maya,
is if there is going to be regulation around PHRs. I am going to use regulation
as being very broad. If there is going to be some type of regulation broadly
speaking what should it be and how it would be applied? And again I agree with
your point, which is should it be a common, consistent for that everybody has
to comply with. No ifs, no ands, no buts. Like HIPAA with respect to EHRs and
providers and payors and all that or should we simply let market principles
govern and the fact that if your privacy terms are so bad or so onerous and you
get enough bad PR over doing stupid things, releasing data inappropriately, and
mining data and all that, will the market frankly push you out of the market?

MS. BERNSTEIN: The Federal Trade Commission might come after you as being
either an unfair or deceptive trade practice.

MR. HOUSTON: As well. Correct.

MS. BERNSTEIN: There already exists that framework but it is very loose. It
doesn’t require you to have a privacy policy and if you have one it doesn’t
require it to be any good. It does require it not to be deceptive which could
possibly mean if you don’t have a privacy policy it’s deceptive. It’s not clear
how they are going to apply their authorities.

DR. FRANCIS: You could have a common framework that for example said
everybody has to be transparent. Everybody has to be fully whatever their basic
whatever our position about a four. If they don’t have a privacy policy they
are going to have to be transparent about the fact that they don’t have a
privacy policy and that they might use your data in any way.

MR. HOUSTON: Sallie, do you want to say something?

MS. MILAM: I want to ask a question. Didn’t Markle just issue a framework
for PHRs where they worked through all the elements? Would that be useful to us
in our discussions?

MS. BERNSTEIN: They talked about it. That is what they were talking about in
part of the first –

MS. MILAM: Would that be a starting point?

MR. HOUSTON: I guess we can look at it. I don’t know if we want to make a
recommendation where we reference Markle, do we?

MS. BERNSTEIN: It is one model I would say. There are people who don’t agree
that that is the model.

MR. REYNOLDS: The whole reason we did the themes was to say these were the
things we want to talk about. Now we can use any existing document including
what Sue brought up earlier about whether they have to make the points in those
categories and in those functions so whether it is the Markle or whether it is
some documentation that has already come out moving forward to HIPAA privacy
and some other things. I think we can deal with any of those.

MR. HOUSTON: Going back to what you said. I guess we could go back and say
what is the theme? What is this theme? We are sort of going side ways here
because we are arguing all sides here, which are good for discussion purposes,
but what can we say? What should we try to say here? Leslie puts a proposal on
the table that there needs to be a transparent set of policies that any PHR
must provide to its consumers.

DR. FRANCIS: But that seems to be something that even PatientsLikeMe agree
with that. They are fully transparent.

MR. REYNOLDS: I got a comment. I think we are making some real clear
statements on what people are or are not. Some of the testifiers if some of us
had lunch with them afterwards don’t assume everybody’s got this figured out.

MR. HOUSTON: We don’t and they don’t.

MR. REYNOLDS: No, I am saying but there are some very strong statements
about somebody’s totally transparent or this and that. There is significant
naivety across the entire environment on these things. We reference certain
ones as got it all figured out and I heard that in the testimony this morning
and I just heard a statement and I think, John, you would agree. You said at
lunch with me that day. There are people who testify in here and use the right
words but if pushed to the next level down about what is really there holding –
supporting this stuff. Take a deep breath guys. Let’s don’t fall into that. It
takes a very sophisticated discussion to understand how deep somebody really
goes and what they are or are not doing with that data. What that data does or
doesn’t mean and John and I had a perfect example of that after the last
hearing. Just know that.

DR. FRANCIS: Could I just ask you as a question? Do you disagree with the
idea that we should recommend transparency?

MR. REYNOLDS: No, I am saying we are making low end statements about some
entities do or don’t have it covered and they do this perfectly right. Remember
if the gentleman made it perfectly clear today when people are at the end of
life and have some other things going on what they are willing to do or not do
is one thing and whether or not all the right protections are in there or not
you better ask the people a whole lot more questions than we are having time to
do in a five-minute discussion and three minutes to follow. Let’s don’t
philosophically be – let undertow pull us into this thing like we are
hearing all this and everybody wants to run to the next answer. Nobody is
completely sophisticated in this yet.

MR. HOUSTON: Even if somebody was there is enough variance out there and
enough people that don’t have it figured out, but frankly probably don’t want
it figured out that I think it is important to go back to what Leslie proposed
which is whether there be a single standard or multiple standards what has to
occur is that these PHR providers must be transparent as to their privacy and
security. I think may be a good way to frame as what Leslie said which is they
have to be a hundred percent transparent on privacy and security principles
within their products. A great example is that HIPAA doesn’t say what you need
to put your notice in privacy practice but HIPAA tells you you better have a
notice of privacy practice and it needs to be informative as to what your
privacy principles are for a covered entity. The same thing I guess you could
argue would apply to PHR vendors. There needs to be by example a notice of
privacy practices which completely describes your use of the data, how you are
going to protect the data, what it is going to be used for, how it is going to
be provisioned, whatever you want to say.

MS. BERNSTEIN: Would you be satisfied with that?

DR. FRANCIS: Well, that’s a different question. I was trying something for
openers that I thought would go down easily.

MR. HOUSTON: You are speaking both sides now. I don’t mean that negatively
because earlier what you said which I thought was very important was is you
have so many different types of PHRs out there that serve so many purposes that
what’s right for one may be wrong for another. PatientsLikeMe could absolutely
get clobbered by very onerous terms as to privacy when they have a model that
is based in a large measure on a certain amount of openness. Not that they have
it all figured out. The question is but what’s most important is that the
patient has the ability to knowingly go in and say what principles are applied
to the sites. Sarah, do you want to say something?

MS. WATTENBERG: I guess my first question is, Harry, so was your point that
just using the rubric of transparency wasn’t specific enough or concrete
enough. Was that your point?

MR. REYNOLDS: No. Selecting who is magically transparent.

MS. WATTENBERG: It wasn’t about the broad construct.

DR. FRANCIS: All I meant to say was that I didn’t think any testifier said
it would be a good idea not to be transparent. I think they all professed to
think that transparency was a good thing.

MR. REYNOLDS: All I am doing is we referenced certain entities. For example,
there was an entity reference this morning that they have all this stuff set
together where there is also 350 vendors writing against that as fast as they
can write to be able to use that data and information anyway that they can. We
got to spend a lot of time talking to a lot of people as to whether you know
what is going on. We need to stay with our principles. We need to stay with our
structure. We need to stay with our flow. We need to stay with what we heard.

MS. WATTENBERG: The one thing I just really want to say was that it seems to
me that we are taking as an assumption that there is this huge variety in
personal health records and that whatever we say needs to kind of apply to all
of them and yet some of what I am hearing are things that I don’t think comport
with the definition of PHRs.

MR. REYNOLDS: Give me an example.

MS. WATTENBERG: Well, like PatientsLikeMe. If you look at – I can’t
remember which definition it is at this point, but I think it was raised that
it was a recommendation from the consumer empowerment work group last year that
to just agree. If you are going on to a medical, social, media website that
says here’s what we do, that is different than a PHR that is interoperable with
an EHR that gets downloads that you are using the consumer functionality. It is
not you putting in your blood pressure. It is not you using it as a tracking
mechanism for medications. It has this completely other intention and so to
attempt to apply principles to that type of site and assume that – I do
think that when you define privacy and security you can’t get away from
defining some boundaries around which is in and out of and called a PHR because
I don’t think you can just assume that one thing will apply to this multi-array
of models.

MR. HOUSTON: I think we need to assume that there is going to be some
permutations on what a PHR is that – I don’t think there is a –

MS. WATTENBERG: As long as it doesn’t fall outside the definition of what a
PHR is.

MR. HOUSTON: I think there is going to be a lot of variation. By the way
that is one of the things we need to thematically do is decide what is a PHR.

MS. WATTENBERG: That is what I am saying.

MR. HOUSTON: It is on the table as being something we need to decide upon.

MS. WATTENBERG: I am just saying that we are discussing all of these
principles as though we are not going to make a decision about what is or isn’t
a PHR. We could go in circles about this.

MR. HOUSTON: Well, I think we have to. I think we are going to have to help
at least raise – we need to as part again in a definition section here at
least raise the issue that PHRs need to be very clearly defined. I think that
is a given. That’s a recommendation. I suspect as a recommendation. PHRs need
to be clearly defined. I forget who today actually posted one definition. I
think it may have been Deven posted that.

MS. BERNSTEIN: From ARRA. There is some definition in there.

MR. HOUSTON: That should be adopted I think was the recommendation that was
made. I don’t know if we go that far or whether we have to stick by it because
it is what it is. I’m going to see if I can find that because –

MS. BERNSTEIN: It’s got a lot of problems.

DR. FRANCIS: One of the things we could do is sort out categories without
necessarily saying this is the only kind of PHR. There are some items that are
completely siloed that are maintained by the patient for the patient. We’ve got
that nice list that was in the little introductory statement.

MR. HOUSTON: By the way they weren’t defining what a PHR was. Weren’t they
defining what privacy was? That’s what the question was this morning.

MS. BERNSTEIN: In Deborah Peel’s testimony she quoted the NCVHS letter from
June 2006 which in its introductory remarks said something about privacy but I
think the way she used it was not fully fleshed out. The first thing we said
after that was that we need to be limited about what kind of rights there are.

MR. HOUSTON: I think they have ARRA privacy stuff with them.

MS. MCANDREW: There is a definition of both PHR maybe it’s PHR vendor, I’m
not sure, and EHR for the privacy and security subtitles.

MR. HOUSTON: Does anybody have a copy of the privacy record?

MS. MILAM: But you know the eHealth Alliance had that whole committee that
dealt with defining all these terms over the past year for ONC. What are we
doing with that space?

MR. HOUSTON: Well, the question is we could look at their definitions and
decide whether it is adequate because what we may find is – but you are on
the Internet, good.

DR. FRANCIS: We can take the definition also and say that there are
subcategories within that definition because as I recall the language of that
it is maintained by or for or something like by or on behalf of and that is
crucially different right from the get go whether it is the patient themselves
doing it or whether it is maintained on behalf of.

MR. HOUSTON: By the way the definition that is in this stimulus bill is the
term personal health record means an electronic record of PHR identifiable
health information as defined in Section 130407F2 on an individual that can be
drawn from multiple sources and that is managed, shared, and controlled by or
primarily for the individual.

DR. FRANCIS: By or primarily for. That is crucial.

MR. HOUSTON: Unfortunately that could be an EHR for all that matters.

DR. FRANCIS: That can be anything.

MR. HOUSTON: Fundamentally that’s just to me is not necessarily an adequate
definition. I’m going to look up what F2 is real quick. F2 says PHR
identifiable health information. The term PHR identifiable health information
means individually identifiable health information as defined in Section 1171-6
of the Social Security Act and includes with respect to an individual
information that is provided by or on behalf of the individual and that
identifies the individual or with respect to which there is a reasonable basis
to believe that the information can be used to identify the individual.

DR. FRANCIS: So essentially any identifiable health information.

MR. HOUSTON: I don’t think it gives us a lot of guidance if you are trying
to decide what really is a PHR and what falls within and outside the scope
because you can drive a truck through that one.

MS. MCANDREW: I think the tension there is going to be the absolute
necessity particularly if you are looking for some uniform or universal set of
principles to apply to a PHR in having it defined. At the same time it is going
to fight against Sallie’s point earlier about preserving innovation because the
push back you always get is that if you say this is a PHR well you know five
years from now it may look like something totally different.

MR. HOUSTON: That is why we wanted the futurists in the room were to talk
about that. I want to make one comment. By the way we are supposed to have a
break at three. Since Harry has to leave at 3:30, I figure we would run at
least 3:30 and then break at 3:30.

The point is what we heard today is that even though we don’t want to stifle
innovation and there is going to be a lot of changes to what PHRs look like. We
also I think we heard at least today the fact that people are saying we got to
have some type of common regulation or something, some type of common
understanding so that even it is simply as transparency as what we ultimately
say we should have. There’s got to be something because otherwise what we have
now is a lack of transparency, a lack of consistency.

A lot of people being concerned that the practices of these PHR vendors
aren’t necessarily in the best interest of the patient and yet the patient
doesn’t necessarily even know that. That is a concern I thought I heard.

DR. FRANCIS: Can I try just what we take to be a summary of something I
think we have achieved which is we are going to have to have some account of
different types of PHRs. That is something we are going to need to have. We are
also going to have to have – that we are going to say for all of them
transparency is necessary. That is a basic that you have to have transparency
whatever. Now I would also want to say that I think we have a lot to say about
what transparency means and that click through isn’t transparency, but I don’t
know whether people want to go there.

MR. REYNOLDS: My comment kind of plays off that a little bit. Individuals
who have a PHR also can at times have a contract with others. So one of the
examples out of the testimony I’ll just use it as an example of my own
industry. Somebody said they could go onto the website and that PHR said that they
would sell data to people but people could not use that against them. On the
other hand that same person whose PHR it was had a contract with that payor and
when they signed up for insurance said they didn’t have a particular situation.
The data was sold to the payor by the website one of the ones that testified to
us and they said well that can’t be used against them. If I have a contract
with somebody that says they didn’t lie and now I buy data from somebody that
says they did lie. I guess when say transparency, Leslie, along with everything
else we are doing, this is a very intricate dance that we are all doing. The
same thing, if I or Paul either agree or disagree, if somebody comes into
Paul’s office and says they have given him the information for him to treat him
and he ends up doing something and there is a significant drug interaction and
the person dies, he would want the right I would assume to subpoena a PHR if
they had one to prove that they knew about, didn’t tell him, and have a nice

I think we need to make sure as we go through this that we can’t let the
person come in naively and act like this data doesn’t flow and you are not held
accountable for all sides of it. That is one of the naiveties I am really
worried about because everybody in this health environment is doing business
with each other and lots of different ways and to say transparency or here’s
all it does.

DR. FRANCIS: Harry, can I just follow up on that and ask you would you be
okay with saying that one of the issues that a patient has to understand is
what the position would be about the person maintaining or the entity
maintaining the record about how they will respond to a subpoena. If I think I
am writing it in my diary and I think my diary isn’t subject to subpoena, it is
going to be really different.

MR. REYNOLDS: I don’t want to go quite that far. I’m just making a statement
that making sure somehow and again this is this whole evolution. I don’t know
how we help people understand but it is really important in the end when all
this flows up that at some point there is accountability.

MR. HOUSTON: Well it is interesting because part of what we heard today too
is that even when you try to spoon feed people some people just don’t want to
– they are not going to eat no matter how simple you make it for them and
that’s part of the problem. I think to ask one question though. I think Paul
hasn’t really said much for a while. I want to make sure he is not feeling
alienated here and if he has any thoughts that he wants to get out on the table

DR. TANG: My only thought here is that I don’t feel that we are being very
productive in outlining that here are the steps that will lead us to our report
and its recommendations in a justified way. If we go from the status quo is not
enough and then you look at the instruments and we did make this comment but it
is nice to just build up a story that we said the provisions in HIPAA do not
apply to PHR data so we have to dispense with that.

Then you go to the next things. You look at regs and legislation. Well what
are the attributes of those things that we would like to see? You can draw in
testimony and one is transparency. Well Harry says you know what just like most
things even talking about transparency is not transparent enough and that we
really have to understand first what is the usefulness to the consumer. You
start with what do you want out of the thing. What does anybody want on behalf
on the consumer and then see what are the pinpoints. What things should they be
aware of? Can we protect those things against which would be harmful to them
and then sort of drill down in an organized way and get to where we need to go
and then find out who the actors are in that.

MR. HOUSTON: I agree with Paul’s point. We have been talking around this.
Let’s go to the step that Paul just talked about now. What are our
recommendations? At a high level what are we really thinking or achieving? We
talked about transparencies being important.

DR. TANG: We talked about transparency. This morning we talked about
consent. We have talked about protection following the data. In each of these
cases someone has pointed out well you know it may be a bit naïve to think
you can actually do that. So one of the conclusions might be that you have to
prevent certain things from happening. Just like you have anti-discrimination
laws you have to say instead of regulating how ideas flow from one person’s
head to another and what actions they take you just have to say we are going
– proscribes discrimination.

MS. BERNSTEIN: That is sort of like on the model of the GINA law, which just
passed, the Genetic Information Nondiscrimination Act. In part it has a privacy
piece but what it says is if you have genetic information you can’t use it for
certain purposes. So it kind of assumes that information is going to flow
around and that an insurance company might actually – it makes some
regulation about they can ask for, but assuming an insurance company has
genetic information or family history or whatever they can’t use it to
underwrite. That is a different way of looking at – it’s not really a
privacy bill. It is a nondiscrimination bill.

DR. TANG: This is so different from buying any other product or service. As
you walk up to a carwash and you get your carwash and nothing else happens to
your car. If it does get scratched they take care of it because it’s not
supposed to happen. If you go buy a consumer good, you are getting that. It
says exactly what it does. They have a product liability. It just does what you
expect it to do. That is more transparent. When we are talking about the
information we have allowed, society has allowed because of the lack of laws
and regs other things you wouldn’t even dream of happening to what you gave up.
Most cases you give up money. That is ultimately liquid. You can get back
money. It is the same thing. Here you have given up something very personal and
without any idea what is going to happen to it that is irrecoverable. That is
what places us in a whole different domain.

MR. HOUSTON: So what’s the recommendation?

DR. TANG: I think we are going to have to say certain things are not
allowed, for example, when you allow information to get placed into a
“PHR” that is an electronic repository that holds your health
information for you. That’s the end of the story.

DR. FRANCIS: So they can’t sell it.

DR. TANG: All I am saying is the minute you say except then you are going to
have to chase that forever.

MR. HOUSTON: Paul, what happens if – let’s just take a drug company X
that has a great therapy for something and they say upfront very transparently
this PHR is to help us do research on our product and we are going to be using
this data. Let’s see if we can make it even more. We are going to be using this
data in order to better form our pharmacy network to serve you better and so we
are going to look at your drug usage patterns so that we can help or let’s say
it is Walgreen’s or one of those. This PHR you use and all this stuff and we
are going to look at your drug usage patterns and where you buy drugs from or
whatever and we are going to use that to make Walgreen’s a better place for you
to shop. By the way we are going to sell some of this data to our drug
manufacturers to help them -– you know what I am saying. What happens if
someone says really upfront that that’s what they want to do and that they are
going to give you this PHR?

DR. TANG: I understand. Let’s start simple first because I don’t even think
we have the simple problems solved which is if somebody is going to say I would
like your data to do a drug trial just like any other federally funded drug
trial, it is to study X against X. Tell me that. I will do it and I may ask for
whatever it is. But this broad thing that you can do anything with this asset
that is so personal it is a different world.

MR. HOUSTON: So you are really going back to this whole idea of true
informed consent.

DR. TANG: No. In some sense yes but I want to simplify it because I think we
cannot provide true informed consent in any practical way to what is being done
with data right now which is it goes everywhere, anywhere, in all time in the
future and that is a possibility. We have to consider that is just not legal

DR. FRANCIS: So what you are saying as I understand you is there should be
some prohibited uses or at least some types of PHRs. Let me back off and

MR. HOUSTON: Harry has to go in five minutes so I want to give Harry the

DR. TANG: So I guess what I am trying to say is there are certain things no
one in this country should be able to do like discrimination. That is model A.
Model B is you get what you pay for. You get what you bought which is I want a
PHR, a repository for my health information — that’s it. If someone wants to
sell me something else to do with that, they are going to have to sell me
something else to do with it. So it is very straightforward. There are things
that you literally cannot do and there are just basic straightforward.

MR. HOUSTON: Unless they get your expressed authorization let’s just say
literally a pop up that says we would like to use your data for these purposes
in the future. Will you agree to that and if you say no.

DR. TANG: I understand what I’m going to say is you are going to have to
stretch it out but it is sort of one purpose at a time.

MR. HOUSTON: Let me just cut the conversation off because Harry I know you
need to leave soon. I want to give you the opportunity to give us your wisdom
and guidance.

MR. REYNOLDS: We have gone all over the place but this is not a subject that
is easily pinned down. I am on the standards committee and you talk a little
different than you can with this. I think the other thing is this is probably
as intense a conversation that goes on anywhere in this group. I appreciate
that. What I had assumed and the reason I was comfortable bouncing around is
that you guys as the chair will at some point with Maya take what you have
heard and take exactly what we have all said and I think Paul summarized the
well. Take that and put into something for us. That is why I was willing to
play along because as far as I am concerned you two and Maya have the
assignment to come up with a document for us on what we are saying.

MR. HOUSTON: I would rather this committee really have a lot of meeting of
the minds.

MR. REYNOLDS: Which is why I am very pleased with the – I was saying as
I said again, I am very pleased with the conversation but I am expecting you
guys to turn it into something based on what you have heard from. We are just
helping you come up with the things and some of them were staying high and some
of them were low.

DR. FRANCIS: Let me ask you this though. Are there kinds of recommendations
that you would not want to see us?

MR. REYNOLDS: I think the hardest thing for us is going to be and again
we’ve got two other committees that are similar to us that we are trying to
figure out how we play with them. The other thing is this subject is a far
reaching subject throughout the government and its organizations and I think as
we formulate things making sure that we give people the option that if we
recommend something there are many ways to approach it is ultimately important
in this subject because one of the questions I was going to ask earlier, does
anybody on the committee think we should just stop everything that is going on
out there in health IT and everything else right now? Well some people are
saying yes. Some are saying no.

But the interesting point that it makes is and we have said it many times, I
know I have, this is going 150, 1000, 2000, 5000 miles an hour out there right
now and we need to get some things in place to at least allow – so if you
say the word wild west on some of these that was fine. There were still
sheriffs and there were still things and you still locked up the real bad
people. We need to make sure that we are purposeful in helping it move forward
but we are purposeful in helping it figure out how to move forward. I think if
we do that in a good way that we are not locking anything down and that we are
not putting any of the organizations that we deal with in such a position that
what we do say can and could and will be used against them or anybody else as
they are trying to move their progress forward because there are so many lanes
in the super highway right now. Just be careful we don’t put orange cones in
every lane and stop something. I think that is the only guidance. We got lots
of stuff going on with lots of committees converging in the middle. That is the
thing I would like you guys to really keep an eye on as you are coming up with
this and we seek the appropriate guidance it is not clear to those of us in
leadership right now exactly all of the clear paths to doing things. Yes, we
have a charter and we can do what we do, but on the other hand let’s don’t run
off a cliff anywhere.

MR. HOUSTON: Do you want to speak before Harry leaves?

MS. GREENBERG: Well I just want to say I’m sorry I couldn’t be here after
lunch but my staff was presenting a web seminar and I really had to be there
and so you may have already covered this, but as I was talking with Leslie we
do have someone working on minutes and she is somebody we have worked with in
the past. We have the potential to engage her to work with you on something
beyond the minutes if you want.

MS. BERNSTEIN: We need more time to spend on the kind of discussion we are
having here.

MR. HOUSTON: We were going to take a break. We can discuss with you exactly
what we decided.

MS. GREENBERG: Okay, that’s fine. The other thing we were talking about and
that might be part of it too is even if you are not ready to come out with
recommendations it could definitely be something to be said for at least
getting it all some findings.

DR. FRANCIS: Figuring out what the issues are.

MR. HOUSTON: We were going to do the issues. There was some thought about
doing a summary of the testimony. We decided against that because we thought
that we needed to focus on findings and recommendations because there was some
question about – what was it called?

MS. GREENBERG: You don’t want the minutes now?

DR. FRANCIS: They want the minutes but what they don’t want is something
like an analytic summary. I find myself going back and forth having listened to
what Harry just said wondering whether that is a wise decision because I think
there is going to be some points on which what we have to contribute is really

MR. HOUSTON: If the analytic summary is simply for an internal digestion
that would be one thing. I think the analytic summary was for publication or
for –

MS. BERNSTEIN: If we have to spend a lot of time clearing it I think that
was the concern I heard was that we would be spending our time clearing that
document and not really grappling with the issues that would get us to

DR. FRANCIS: That was the concern that was raised. I have two minds about it
because I think there are going to be some areas where we –

MS. BERNSTEIN: Do we have to decide it right now?

MR. HOUSTON: No, I just want to explain to Marjorie what our thoughts were.
Why don’t we do this? It is now 3:30. We do need to take a break. Why don’t we
reconvene here in about 15 minutes?

DR. FRANCIS: See if there is anything else that might look like it is a
consensus recommendation.

MR. HOUSTON: Thank you.


MR. HOUSTON: I think we have sort of a good summary at the end and I
actually liked where Paul was going with some of his thoughts. I think what we
need to do is for the sake of tomorrow – we don’t necessarily need to have
recommendations but I think we do need to have some idea of findings or at
least first level thoughts on what we think to be issues that we can then
formulate into recommendations. What I heard from Paul was really four things
right now that are sort of core that we are hearing and maybe some of this is
morphed out from what Leslie said which is there does need to be this sense of
transparency without necessarily making everybody fit into one schema for PHRs.
We know that that’s not applicable but we do need to have some high level
transparency that allows consumers to be able to make the opportunity to make
informed decisions. Whether they decide to or not is another thing.

There needs to be some type of simplified consent or authorization
capabilities such that the consumer again has the ability to if they so choose
to can consent to uses. I think the other thing that Paul said was is that
there also needs to be this out of the box use which when you sign up for is
what you are signing up for and not something else necessarily. I think we are
going to need to talk about the fact that reality may be that there has to be a
good way to allow uses to transition but in a transparent manner to patients.

The other concept was this idea of protection following data. What happens
if information that you disclose under one premise gets redisclosed? Does the
protection or does the authorization drop at the time it gets redisclosed?
I think that was one of your concerns, Paul, is how do you ensure that the
patient’s wishes or the patient’s authorization follow the data and that we
don’t end up finding that uses outside of authorization occur simply.

The fifth one was enforcement and this idea that nondiscrimination –
you know this idea that there should be this range of nonpermitted uses. Things
that thou shalt never occur. I think I tried to capture what you said. I know
there was a lot of discussion.

DR. TANG: Let me boil it down to two which is the same two. I have different
conclusions from some of the things you said. So the two are there are certain
uses of data that are proscribed and one example is discrimination. Let’s say
discriminatory practice based on data. The second was sort of a combination. We
listed some attributes we would like to see in privacy of protection. One was
transparency. Another was consent. A third is protections following data. But
at the same time we heard that in a sense it is difficult to define each of
these and perhaps impractical to implement; therefore, an alternative
suggestion is to have a what you see is what you get kind of policy.

MR. HOUSTON: Where is the transparency?

DR. TANG: Pardon me?

MR. HOUSTON: Isn’t that transparency?

DR. TANG: Here is an example. To go back to the carwash. You gave up the
keys to your car. You have your car washed. You expect after paying X amount of
dollars and X amount of time you will get a clean car back. The analogy to what
is happening with your information is you give up your keys and you pay for
your carwash and you didn’t expect them to go and rob a bank using it and to go
commit a crime and put a thousand miles and still get a clean car, which is
what you thought you were buying. And the reason that happened is because it
takes all this money and it takes all this time, but in electronic world it
doesn’t take much at all to do all these other unintended, undesirable.

MR. HOUSTON: But isn’t that sort of out of the box you use only?

DR. TANG: Yes it is. But you said other things – yes it is. The
differences of saying even though we wanted some of these other attributes it
doesn’t take away from one of those attributes. It is almost a conclusion from
we actually can’t implement those other ideal –

MR. HOUSTON: Like what?

DR. TANG: Like Henry’s example of transparency. There was an example how
about it. Well here was the ultimate of transparency because they sell the
data. Is that all you need to know is that they sell the data? That is Harry’s
point. So therefore even if they are transparent, they are transparent to a
certain extent. You didn’t imagine they would sell the data and it would be
used for the following other things that can come back to hurt you. So he was
saying there are limits to the definition of transparency in the sense you
could be described to being very transparent because you out and out right
admit that they sell data. They did not explain how the data is used so his
claim well gosh even though it seemed transparent you really weren’t
transparent to all the secondary uses. Going back to the carwash you are
transparent that we take your car for five hours and we deliver it to you
clean, but you should have also said and this is what we are going to do with
it when we have possession of it for five hours.

MS. BERNSTEIN: But PatientsLikeMe actually does tell you those things. That
is part of their transparency.

MR. HOUSTON: My point too is I think we are sort of arguing the same thing.
How transparent is how transparent?

DR. TANG: Well help employ these transparencies.

MR. HOUSTON: Exactly. I don’t have a disagreement with you and I think I was
trying to convey just that. It sounds like if you distill all this down it
really sounds to me like really trying to hone in on that whole concept of true
transparency which doesn’t leave the user not knowing or misunderstanding the
potential uses –

DR. TANG: That is the new insight I think I’ve gotten from the testimony is
compelling reasons why just having these attributes is not good enough because
it is so hard to be totally transparent in ways. In our old world in the
concrete physical objects world you understood what this thing was going to do
both you and the vendor of this thing were clear. In the new world of
information there is such a mismatch between what the consumer who is about to
make this transaction expects and anticipates and what the supplier expects and
intends to do. I’m just proposing one of the ways to get around this is instead
of trying to reach – what point font do you have to say and is it the
fourth person who gets access to the data. Instead of doing that maybe you go
do exactly the opposite saying what you see is what you get.

MR. HOUSTON: Let’s say what the outcome is. If you say transparency in terms
of outcomes and what I mean by that is let’s just say we say that part of the
transparency is your data – I’m acting as the PHR vendor now. Your data
will not be sold or provided to any third party for their use. So the outcome
is that. I understand your point but I think what I hear and excuse me for
being blunt about this. It is sort of like you are sort of overlaying this
cynicism as to the fact that these vendors aren’t going to be transparent. That
is what I read into what you said. Is that what you mean?

DR. TANG: What you see is what you get.

DR. CHAPPER: Give us what that means.

DR. TANG: If I were to buy a thing called a PHR from a company called a PHR
vendor, I would expect it to do the following things. Be an electronic
repository so I can deposit my health information and do things that I want to
do with it and also worry about what you might find valuable financially to do
with my data. You automatically see that this is going to happen when you say
cynicism because these things are offered free.

DR. FRANCIS: All that settles to me like what you just said is you want to
prohibit people from marketing the information that’s in a PHR. I want to know
how to translate that into a practical recommendation what you just said.

DR. TANG: If you put on the market a PHR that I expect there to be some
cost. I expect it to be an electronic repository for my health data and I
expect there to be some cost to me. Just like any other commodity I buy and
that’s the end of the story. I would expect it that to be the end of the story.
Now you offer me now another repository and you say this is a way to
participate in our clinical trial measuring the effectiveness of information A
compared to no information or information B. You say okay I would like to
participate in that. I will give up something I have in return for
participating in that and you go on and on. That is what I mean by what you see
is what you get.

DR. FRANCIS: Isn’t that just transparency by another name because isn’t what
you are really saying is you need to tell the consumer each time what they are
giving up.

DR. TANG: What Harry was trying to put forth is it is in his mind he found
the very prototype of – the example that was listed as a prototype in fact
wasn’t transparent in his world because of what he found out afterwards.

MR. HOUSTON: That is a failing of that particular PHR. I think what you are
expressing is the fact that we need to prevent that type of conduct.

DR. TANG: The next thing was could you actually do that? Is it feasible or
practical to do that? You would say well isn’t that just transparency? Well you
would say okay tell me what you are going to do. That is transparency. Should I
also tell you what they are going to do and who they sell your data to?

MR. HOUSTON: But that’s part of the transparency.

DR. TANG: And then what about who they sell the data to. That is where the
practicality goes in. They all derive benefit, these secondary folks derive
benefit and the primary person who got your data and transmitted it for
financial gain.

MR. HOUSTON: I am trying to think of ways because it sounds like what you
are really saying is thou shalt never make a PHR because there’s this
possibility. Hear me out. I am thinking okay then what there has to be is a set
of agreements in place so that that party that gets the data for some purpose
the patient or consumer agrees to also has to agree to terms that say that you
cannot redistribute, resell, or otherwise use the data other than for the
purpose for which it was authorized.

DR. TANG: That’s the essence of the proposal.

MR. HOUSTON: But I think the transparency component is that I think we are
talking about is that what we need to say is just that. My only concern is what
you see what you get. People aren’t going to want to continue to subscribe to
new PHRs over and over that have a single use purpose. They may to some degree
but not generally. What is wrong with if your PHR vendor comes up with a banner
and say are you willing allow your pop up? Are you willing for us to provide
your data to Walgreen’s to improve your prescribing experience with them? And
you can say no or yes.

DR. TANG: In this particular model and I’m not saying this is the right one
but in this model you are allowed that pop up because it’s a what you see what
you get rule.

MR. HOUSTON: That is what I was talking about before. It is really expressly
what the – I get that then.

MS. BERNSTEIN: I mean what you just described is incredibly vague and he is
saying that’s what you see is what you get. What does it mean to improve
prescribing experience?

MR. HOUSTON: If I am the attorney doing that I am probably spending the
number of hours drafting the pop up with all the disclosures that need to be in
there to say exactly what is going to happen.

MS. BERNSTEIN: As far as I can tell we are just talking about the level of
granularity of the notice.

MR. HOUSTON: I think granularity and having the patient. That comes back to
the issue. This comes back to what is true transparency and true transparency
has to be that the consumer in all cases understands completely or isn’t going
to necessarily understand, but they are given information in a manner that
would allow them to completely understand how their information will be used in
a user friendly and a clear manner. If the consumer decides to blast past that
pop up because they just don’t care, we are never going to prevent that. But
what we can do is dictate that that transparency includes just that. It has to
be clear. It has to be concise.

MS. BERNSTEIN: Earlier I heard that I think maybe it was Leslie that said a
click through policy is not good enough. That there should be some limits on
what you can actually do with the data. It is not good enough just to tell
people what you are doing with the data even if you do it in plain language.

DR. TANG: So principle one is there are certain things that you cannot do
that are illegal to do.

DR. FRANCIS: So let’s talk about what some of those should be. What are some
things that a PHR vendor should not do?

MR. HOUSTON: I don’t know if there is ever that case. What I think has to
occur is that the PHR vendor – first of all I think there are two

DR. FRANCIS: I was just asking. If Paul is going to go that road, I want to
know what those things are.

MR. HOUSTON: But I think there are two instances. When you initially
subscribe to a PHR and it tells you clearly what you are subscribing to, you
have to decide whether you are going to go forward or not. Afterwards if the
vendor changes its terms you should have the right to say no. I want to
continue to contribute to your PHR because I like your PHR but these other uses
no. They should be things that I shouldn’t be compelled then after the fact to
agree to because I am already subscribing to your PHR and it might be
burdensome for me to leave your PHR and go to another one. The consumer has to
have some control over being coerced into future use I guess is my thought.

DR. FRANCIS: That is a really important point about what we ought to say
about changes in privacy practices. We heard some testimony on that and how
once people have invested in a PHR. Is that a recommendation that there
shouldn’t be changes in privacy practices once people have put a considerable
amount of effort into a PHR?

MS. MILAM: Maybe within a certain realm again. We don’t want to stifle
innovation or stifle things that generally most people would say would be
positive, but maybe we want to put some limitations around informed consent
and how far reaching those changes can be.

DR. TANG: And the reason for trying to continue to use this analogy because
I am having trouble figuring out how we would address the concern. Why these
seem to be new concerns with a new problem. Why don’t you just say what you
don’t want? Go back to carwash because it is so simple.

MR. HOUSTON: It’s too simple.

DR. TANG: No, I don’t know that it is that simple. You expect that there
will be a human driver that is going to take it from point A to the beginning
of the carwash and it will emerge and somebody will drive it to a place where
you pick up your car. That’s in your frame of reference of what you expect to
have happen in order to “get your car washed.” You could say that you
are also giving up control of your car for let’s say 20 minutes. You did not
expect to have to say but please don’t go out and rob a bank.

MR. HOUSTON: What I can say is the only thing I am allowing you to do is the
other guy drive up to the carwash and drive it through it and deliver it back
to me.

DR. TANG: I am trying to figure out how to say that in this new world
because I can’t possibly say all the things that I don’t want to have happen
that I couldn’t imagine that you would need to do.

DR. FRANCIS: Let me try to help that, okay? It seems to me that there are
some common things that consumers don’t think will happen with their PHRs. Now
if we could identify a few of those then we would have some things that we want
to be really sure either people don’t do or people don’t do without consumers
having expressly authorized. One of the ones that I think should be really at
least on the table to think about is marketing because that is something that
has come up a bunch of times. Am I wrong in that? Is that a way to carry the
analogy along?

MR. HOUSTON: I am concerned about using marketing.

DR. FRANCIS: Marketing may not be the right one, but as a way to carry out
the analogy that you are running about cars for us to try to – we don’t
want the perfect to be the enemy of the decent. We are here trying to do decent
rules. Shouldn’t we be trying to anticipate some common forms of bad behavior?
Frankly with the carwash a common form of bad behavior might be stealing the
CDs out of the whatever. Shouldn’t we be trying to anticipate a few kinds of
bad behavior that we want to be especially sure either that people know about
or that if they don’t know about it doesn’t happen or if they can’t tell them
about it. I actually think marketing is one consumers can understand really
well and you can tell them about it.

MR. HOUSTON: Here is where I disagree. I will disagree both in the carwash
analogy. If I go in the beginning of the carwash and I see this young man there
and I say hey I got some CDs I’m not listening to anymore. If you want any of
them, just take them when you leave when you are done with the car. They may
say great. They look through them. I like that artist. I’m going to go take it
and I have given you my consent to do that. So when I notice the CDs missing I
am not surprised.

Now the analogy is if I sign up for a PHR and let’s just say it is a
diabetes PHR and it says it is part of me signing up for the diabetes PHR that
part of the service is that we are going to provide your data to third parties
potentially by sale or otherwise and you are going to receive information and
valuable materials on new products and services that might be of interest to
you. Well that’s great. I want that. I want to know about the new glucometer
and whatever else that is out there. As long as I know that the fact that
that’s all that – you were talking in terms of exclusions which bothers
me because I think almost anything is fair game as long as you have true and
complete and honest transparency.

DR. FRANCIS: Marketing was something that all I wanted to do was flag it for
transparency and I also wanted to say that I think that that is something that
consumers understand what it is to be transparent about it. I think there are
some areas where consumers might not understand so readily that we might want
to be thinking about like subpoenas.

MS. BERNSTEIN: Just to extend the marketing thing is that what people don’t
understand about marketing is most people don’t care. They might not like junk
mail. They might like phone calls. Either they can hang up, they can throw it
out. What they don’t understand is that their marketing information once it
gets into the private sector somewhere it can be bought and sold by an
insurance company who can then use it to discriminate against them in
underwriting and that’s legal if it’s not genetic.

MR. HOUSTON: But that’s what has to be transparent the fact that it can’t.
That’s my point. You are complaining about the potential use and I am saying
that is what we have to avoid is the potential use.

DR. TANG: Is it practical to think of all these uses that we don’t even know
about and we are far more informed than most.

MR. HOUSTON: Let’s just make the point here. If I say that the only thing
you are permitted to do is X, Y, and Z then if somebody goes off to do A, B,
and C because we never talked about it. We say well wait. All I told you was X,
Y, and Z. I didn’t tell you that I’m going to do X, Y, and Z and I said nothing

DR. TANG: That would be what you see is what you get.

MS. BERNSTEIN: What we have to do is anticipate the kinds of adverse
decisions that might be made against consumers based on their information and
their PHRs and what I am hearing is you would like to say those should be
prohibited. This committee has actually said something like that in a previous
letter. We had a discussion about what did Mark call it? Compelled
authorizations but he talked about – but it was in the context. It was
context sensitive. What was that language in the 2006 letter? That said
basically if you know the bank wants to get your information or whatever.

MR. HOUSTON: I think that was lumping under compelled authorization.

MS. BERNSTEIN: Well, you don’t have to get a mortgage, right?

MR. HOUSTON: If you want the mortgage you got to sign this.

MS. BERNSTEIN: And that the information could be used like that in ways that
can harm you. That is the kind of thing I think – there are people who
are private but what most people care about is things that can harm them.
Preventing me from getting a job, preventing me from getting a mortgage or a
car loan and in some cases there might be something embarrassment or harm to my
reputation, but most of the time it is something that –

MR. HOUSTON: This is where I disagreed with Mark. I still disagree with Mark
which is that if my choice is to provide the information or not get the
mortgage and that information is relevant to me not getting the mortgage and
the mortgage company has – if it is relevant to their determination
– let’s not use mortgage company, health insurance company, life
insurance. They want to know whether I smoke. Okay there is an actuarial basis
in whether I smoke or not and how long I am willing to live. They have every
right I think if you want to get insurance, fine. I have to disclose whether I
smoke or not because it is relevant to their pricing and it is relevant to
their risk profiles. They do that all the time. Probably talk to Carol McCall.
She is an actuary. She can tell you all about what they do. The point being is
that compelled authorizations – I mean I can understand if there is
something being compelled and there is no rational basis between what I am
being asked to provide.

MS. BERNSTEIN: That’s what the discussion was in the letter.

DR. FRANCIS: Let’s back up for a minute, John. I hope I haven’t made you
sick. Let’s back up for a minute and think about the following. If I go to my
doctor for help with my smoking problem and then I am asked to disclose my
medical records for purposes of getting life insurance, which I will be. That
is within my realm of expectations that what I have talked to my doctor about
is going to be turned over to the life insurance company.

MS. BERNSTEIN: But you are a very sophisticated person.

DR. FRANCIS: I know I have to disclose my medical records. But suppose I do
two things. One is I go see my doctor and there is a medical record about my
smoking. The other is that I keep a diary at night about my struggles with
stopping smoking. I don’t expect that the insurance company is going to come
into my bedroom and get my diary. I do expect that if I am asked as a condition
of getting life insurance to turn over my medical records that my medical
records are going to go. Here is the question. Suppose what I have done is keep
my diary online and where is it. I think that it is going to be very hard to
get consensus on anything more than just the idea that if my PHR is going to be
treated like my doctor’s record and be turned over to the life insurance
company rather than be treated like my diary and not, I need to know that
before I start writing my dear medical record letters.

DR. TANG: As you know there are a lot of health plans that offer PHRs. Some
of those health plans use it for underwriting and for premium setting. Those
are the kinds of things that are just not in the realm of expectation by the

MR. HOUSTON: To me that is a matter of transparency and I think that the
health plan in that particular case should be saying this is one of our uses of
your data will be transparency though we will not be using your identifiable
data. We will just say by example. I think that needs to be part of
transparency. I am absolutely convinced it does. There is a difference. I said
this to Dr. Peel. I said there is a difference between EHRs and PHRs and the
level of control and level of autonomy you should have with regards to your
PHR. I think it is much higher if not absolutely unless you provide an
authorization. But I think in the case of a health plan they got to say this is
what we are using it for. You have to have the ability to say I don’t feel
comfortable in doing underwriting using my data.

DR. FRANCIS: Underwriting. There are two different things here whether they
are trying to figure out the overall community rated group risk, which is one
thing versus my individual risk. It seems to me that people need to know. So
now we’ve got one category was whether it is going to be used for marketing.
Another category is whether it is going to be used to price individual
insurance or make any kind of eligibility decisions. People need to know that.

MR. HOUSTON: It all comes back to transparency. I think it all comes back to
is as long as you know and knowingly have the ability to make a decision that
you can decide whether it is a value to you. It is a balance of value versus
what you give up versus what you get.

MS. GREENBERG: I agree with that but at the same time – I mean I don’t
think it is all just about consent. I am trying to take the – and
transparency. Those are important pieces. I am trying to take the patient or
the person-centered view that the committee agreed would drive their work this
year. From what I have heard both in these hearings and also in other settings
these personal health records potentially could be really helpful to people.
They can be very helpful also to caregivers in this multi-generational society.
Parents with children and children with elderly parents all that. They could
have aspects of a public good. They could really be beneficial to people in
people’s health status and peace of mind and all sorts of things, convenience.
There is a lot of potential here, but they are very unregulated and for them
to really be helpful like in all these ways they really can’t just be something
kept by the patient and the patient keys in whatever information he or she his
hands on. They do need to get feeds from other clinicians, possibly from
insurers, wherever they can get the data. You know from reading his blog, Dave,
or reading the articles you get the impression that the whole thing is just
claims data is garbage and we shouldn’t even deal with that. That’s not at
all what he said in his testimony. He said it was very important to get that
claims data to see what is right in it and what’s wrong in it and to understand
it. There is a lot of useful information there potentially or if it really is
wrong to deal with that. Not just forget it. I found his actual written
testimony for today very thoughtful.

Somehow Bob Gellman, bless him, he raised my consciousness of this issue
that if you – I made a few premises. One is personal health records can be
very helpful to people for population health, for personal health, what have
you, or for their health and preventive type things, everything.

The second point is utility increases by getting information from other
sources. Then you have this third point here that those other sources are
covered by HIPAA. As inadequate as HIPAA may be, claims data is covered by
HIPAA and electronic health records are covered at least by HIPAA and maybe
more, and yet when those other sources of data get into the personal health
record it is a free for all. That to me has just got to be addressed. That to
me is an unacceptable public policy outcome.

DR. FRANCIS: So here’s the question then. How should we address what
applies, what rules, what governance, whatever applies when HIPAA covered
information moves into a PHR?

MS. GREENBERG: At a minimum it can’t be less secure. It seems to me if that
HIPAA covered information goes into your PHR for it then to be accessible in
ways that the original source wasn’t doesn’t seem right unless you make it

DR. FRANCIS: So you are saying all the HIPAA guarantees apply?

DR. TANG: How is it possible for the person who you requested to send it out
to still control what’s going on? How is that possible?

MS. GREENBERG: How is what possible?

DR. TANG: The covered entity was requested by the patient to send
information away. Why are you saying that and somehow that information can be
held at the same level as HIPAA?

MS. BERNSTEIN: — information has certain responsibilities to keep it at the
same level.

DR. TANG: They don’t now.

MS. BERNSTEIN: She is saying it should be.

MS. GREENBERG: What I am saying that it is not appropriate.

MR. HOUSTON: I disagree. I understand your point but let me voice my

MS. GREENBERG: That is a minimum area where regulation or something is

MR. HOUSTON: But here’s the but. If that data is transferred without my
authorization, I can understand that. The but is if that data is transferred to
some PHR like a Google let’s just say from my provider. Part of that whole
transfer process is me authorizing, giving the express authorization to
transfer that data to Google and that could be that authorization could be
based upon me agreeing to Google’s terms, which vary the protections, which are
provided. I will give you a great example of how this would differ. I have a
wristband that I wear when I bicycle and it has my name on it and everything.
It has a website with a little link that if somebody needs data about me they
can go to this website because in theory if I get smacked by a car and I’m
unconscious I want somebody to figure out what the hell is wrong with me and if
I’m on any meds and stuff.

The point being is that I would love it if they downloaded my data to this
website. They don’t do it today but in the future if they did. Now the security
on this website by all measurable standards is pretty lax because all they do
is they give you a website and a number which is on that wristband to get to my
data. I have made the value judgment when I cycle that if I get smacked by a
car, I want somebody to read that wristband and say I’m going to that site. I’m
going to find out what’s up with Johnny. I don’t care the fact that that is a
single form of authentication that in theory could be very easily cracked
because I find it so important to me that that data be accessible if I needed
to be, and if I have the opportunity to have my EHR in my hospital where I go
to and my physician’s office download all of my data to this website which I
would love for them to be able to do, I would do that in a second. I have made
the value judgment that their security though very poor comparatively I am
willing to accept because that is the best security that they can have in that
type of a context because that is the only way they can make that information
available as quickly as I might need it.

It’s my decision. That’s my point. I agree. My point is the standard needs to
be is that the data is being transferred without authorization. Yes, there
needs to be an agreement to uphold a certain standard of conduct that is
consistent with what HIPAA requires and all that. What I thought she was saying
though is any PHR. Again, we are talking about PHRs here. Any transfer of PHR
data can’t be held to the HIPAA standard because as long as there is an
authorization, that authorization I think reasonably so needs to dictate and
that authorization may absolutely change the level of commitment and privacy
and security that that data has been handled under.

MS. GREENBERG: I mean it’s true. A person should be able to agree to
anything if they are fully informed.

DR. FRANCIS: Maybe put it this way. People have come to expect that HIPAA
gives them some privacy protections. If HIPAA isn’t going to apply when info
goes into a PHR from a covered entity people have to be told in a really clear
way that they no longer have the advantages of HIPAA.

MR. HOUSTON: Right and to Paul’s point which is even further is here are the
enumerated purposes for which this data can be used for and nothing else.

DR. TANG: I am happy after that and nothing else.

MS. GREENBERG: I think most people have no idea about this. That is the
problem. If people are fully informed they can make what decisions they want
and I am assuming this being America that in the marketplace there will be
different products and some will protect you better than others and if that is
important to you, you will select those. People are clueless.

MR. HOUSTON: This comes back to the common theme of transparency. True
transparency. By the way, Sallie, don’t raise your hand. Just start talking
when you have something to say because you will never get a word in edgewise
around here.

MS. MILAM: I was just thinking building on what Leslie was saying I wouldn’t
look at exactly – I would reframe it differently not whether the data is
coming from a HIPAA covered entity but whether it is a tethered PHR. When we
heard the term tethered at the last hearing, tethered meant that it was
connected or on behalf sponsored by a covered entity. They would probably be a
business associate, but the nontethered is that whole space that has sort of grown
up recently where consumers are actively managing their own lives in a variety
of ways. One is their health information and they would have control over it.
When you look at a lot of the HIPAA rules, patients for the most part are out
of control. The health system goes on outside of them and HIPAA is I think in
there to put some controls on patient flow of data. With a nontethered PHR the
patient is in control and can make decisions about how they want their data
used and it may come from covered entities or the data may not come from
covered entities.

MR. HOUSTON: I agree with that. It all comes down to transparency in
patients, the ability of the patient to decide how they choose. That’s really
what you are saying.

DR. FRANCIS: Let me just try this out though. I want to be sure I understand
it. If it is a tethered PHR it ought to be managed like a business associate
and that of course you can always authorize, but if it is a tethered PHR the
background assumption is that it’s got to be managed however business
associates are managed.

MS. GREENBERG: — somebody else other than the covered entity is managing

MS. MILAM: If it is tethered I think you still have the question – I
mean I don’t know that HIPAA answers whether you need opt in or opt out or a
PHR. I don’t know that HIPAA and Sue or Mike, can you all speak up? I don’t
recall. Does HIPAA require authorization for disclosure by a health plan or a
provider to a PHR?

MR. HOUSTON: No, I think the thought is that if you are tethered then
basically that covered entity is providing that service as part of their
covered entity function. You would never go to the PHR unless you are opting
and you have decided to go to the PHR and use it.

MS. MILAM: But you still have the argument that your data shouldn’t go there
unless you –

MS. MCANDREW: I mean the question with the tethered PHRs is that
theoretically under HIPAA the covered entity who is offering this product still
has all of the covered entity permissions to use and to disclose the data
without individual authorization. Essentially what we have said in December is
while yes that is true but remember a personal health record assumption is that
this is something you are offering the patient and the assumption is the
patient will be in control of that data not the covered entity so HIPAA would
allow that the covered entity could in offering the PHR also guaranteed to the
individual that they will forego their permissions under HIPAA so that they
will not be using and disclosing what’s in the PHR for all of these other
purposes where HIPAA gives them the permission to do so. They will simply
decide not to use that.

PARTICIPANT: It would offer higher than HIPAA protection.

MS. MCANDREW: And the question then becomes too one is that it is not a
requirement and that required as offering a PHR to make those promises and to
the conversation that Paul and I were having in terms of the relationship of a
tethered PHR, the underlying medical record and HIPAA would say – I mean
our vision in this paper was that the covered entity would still have the same
HIPAA permissions with respect to what’s in the electronic health record as
distinct from what’s in the personal health record even if it’s the same data.

PARTICIPANT: Well, in some cases it is the same information.

MS. MCANDREW: It’s always going to be the same information. That’s the whole
purpose of having the PHR but it’s not a copy of the information.

PARTICIPANT: No, but the PHR could have some consumer –

MR. HOUSTON: That’s always the 24,000-dollar question. How does a covered
entity manage patient provided data? Unless you are getting a separate
authorization that would hold them to a different standard for that patient
provided data, as soon as that data is commingled in some fashion in with the
data that the covered entity collects for treatment purposes and otherwise,
payment purposes. As soon as that occurs they are compelled to comply with the
same standards under HIPAA. Unless the patient was otherwise authorized, that
data has to be managed to the same level of –

MS. BERNSTEIN: There are certain limits in HIPAA but there are not very
many. There are many exceptions for where you can use and disclose data. There
are very few exceptions all discretionary. There are some compelled disclosures
under law and HIPAA permits you to comply with those, but otherwise all of
those other things that are allowed to be used and disclosed are just
discretionary. You could promise your patients that you are not going to do
that. That’s all.

MR. HOUSTON: You are right. It would be an additional terms of use consent,
whatever you want to call it, or limitation.

MS. BERNSTEIN: No, it would be as part of your notice we are not going to do
the following things. HIPAA allows us to do the following things. We are
promising you we are not going to use those disclosures.

MR. HOUSTON: Typically it wouldn’t be part of the notice. They would
probably part of the terms they use of a PHR which would describe additional
rights and obligations.

MS. BERNSTEIN: Is that not a notice?

MR. HOUSTON: When I hear notice, I think notice of privacy practice.

MS. BERNSTEIN: Where you put it – who cares. As long as the purpose as long
as the patient gets the information they need to make an informed choice.

MR. HOUSTON: The ball comes back to transparency. We are always coming back
to the same concept.

MS. BERNSTEIN: We keep coming back to it but the larger question that’s also
floating around is is transparency enough. We have this argument about how much
is it paternalistic to actually require certain kinds of regulations that
minimum as Paul put it. Certain things that are prohibited practices. How much
is it okay if we just tell people what we are doing in a clear and transparent
way? Those are two different approaches. They could be combined together

MR. HOUSTON: My two cents and what I think I have heard is that transparency
has to be enough because there is a lot of novel uses that we may not even
think about which if you become too descriptive here, you could end up
frustrating or not allowing to occur.

MS. BERNSTEIN: So you don’t think there should be any prohibitive uses?

MR. HOUSTON: Hold on. Remember we are talking about a difference between
PHRs and EHRs. I mean people are compelled to – they go to a provider to
get services and their data ends up in an EHR they don’t have any choice and
therefore I think that’s why HIPAA exists because it does set the standards for
use and the like whereas a PHR, again, the consumer ultimately has a choice
whether to subscribe or not and what I think we keep saying here is that as
long as we are entirely transparent and above board as to what did the uses of
this data is going to be in the PHR. The patient’s ultimate right is to decide
not to subscribe if they don’t think they could afford to comply or they like
the terms or they don’t.

MS. WATTENBERG: John, I want to challenge you on something from what Sallie
said actually which is that if my physician, healthcare provider, or my
insurance company, my covered entity offers me a PHR, my expectations are going
to be that that’s kind of like an extension of the medical services I am being
given. I am going to think about it really differently than if I go to
PatientsLikeMe. Sallie’s point about tethered/untethered I think really
matters. While I agree with you that transparency is crucial across the board,
I think picking up on Sallie’s point to suggest that at a minimum for tethered
PHRs the HIPAA protections that are currently in place for a covered entity
ought to apply. And of course that does allow me to authorize but that the
default position is if it is tethered, we are within HIPAA.

MR. HOUSTON: But that doesn’t work completely.

PARTICIPANT: Isn’t that the case?

PARTICIPANT: There’s no other way to do it.

MR. HOUSTON: Hold on. But there’s always a differentiation between the data
that is contributed by the patient and the data is –

MS. WATTENBERG: Can I just say something from a consumer perspective?

MR. HOUSTON: Well, Amy I think was going to say something first.

DR. CHAPPER: Well, I guess I think of the tethered one, for example, the
testimony today that Chris and Seth gave. That is a tethered PHR through
Medicare; therefore, it is our business associate HIPAA applies privacy act as

DR. TANG: That’s not tethered.

MR. HOUSTON: It is claims based.

DR. TANG: They export data to this PHR vendor who hosts it. So it is
sponsored by CMS but it’s not tethered. Tethered is one and the same.

MS. WATTENBERG: This is my point exactly is that –

MS. GREENBERG: You are saying it could only be tethered if Medicare had an
electronic health record.

MS. WATTENBERG: Guys, can I just say something? This is the whole point. If
you are a consumer, this is a very high level, ivory tower, and well-informed
intellectual conversation. If you are a consumer, if it’s tethered, if it’s
not, if it’s sponsored, if it’s part of the EHR or not or you just get a
picture of it or it’s really there or it’s not really there, they don’t get it.
When a consumer says when somebody offers a PHR, the consumer thinks it’s a
personal health record. They don’t think it is the same as the EHR. They don’t
even know what their HIPAA protections are so they don’t make any assumption
that they are going to get the same level of protections that they get under
HIPAA. What they think is that this is my personal health record and if you
base all of this based on presumptions that they know more than they do it is
going to be a nightmare.

MR. HOUSTON: I agree with that point. I want to make a point about what
Leslie has said. If a provider provides a PHR even though the patient always
has the right to opt in or opt out of using that PHR and the standard of care
that that provider still has to provide doesn’t change. They still have a
standard of care to comply with. It becomes a convenience to PHR to the
patient. It might allow them to make appointments better, get prescription
refills, see test data faster, things like that, interact with their physician
online. There is still a standard of care that the provider has to comply with
independent of using a PHR. I think we are talking about nuances here. I agree
to the extent that data from an EHR populates a PHR provided by a provider
absolutely is subject to HIPAA. The but to it is that if the patient is
contributing data, it very well might be there is a different standard that is
applied in some way, shape, or form or that there might be that the provider
may have additional terms that they ask the patient to comply with in order for
the patient to agree. They very well could be marketing related. I don’t know
if providers typically do that. They might be doing other types of quality
research stuff like that. If the authorizations say that this is the type of
activity that is going to occur I think then that’s what the patients signed up
for and I’ll give you a great example. We have a PHR in our facility.

MS. BERNSTEIN: You just said the exact opposite thing about five minutes
ago. You said once a data is commingled with patient provided data it should be
covered by the same HIPAA standards.

MR. HOUSTON: If it is commingled in the database it becomes part of.

MS. BERNSTEIN: From a patient point of view the patient has no idea whether
it is commingled in the database or not and doesn’t care. They put it in and
they look at it together.

MR. HOUSTON: But there might be things that a patient will be asked to do
like quality research. When people are developing PHRs often the first couple
hundred patients end up being the guinea pigs and there is all sorts of
comparative research that is done and data. I’m just saying if a patient signs
up to be part of that group and is transparent.

MS. WATTENBERG: You know it’s a nomenclature issue. This whole thing gets
back to what is really a PHR versus what is an EHR that a provider is giving
access to versus what is a claims database that CMS is giving access to and
that’s why I really think that this definition of a PHR is critical because
it’s not accessed to an EHR. It’s not accessed to the claims. It is a unique
and totally different entity and it’s also not what any commercial vendor wants
to call a PHR because they want to sell something that aggregates your data.
That is against something different. That is something that aggregates your
data. It doesn’t mean it is your personal health record. I think that there is
going to be this ongoing clash of policy and ability to pragmatically handle
this beast if you don’t acknowledge that the variability. It’s not variability.
They are completely different things.

MS. BERNSTEIN: It’s a quarter to five and we need to get out of here and let
the staff go at five o’clock as I understand. That’s the schedule, right? Five
o’clock. I just want to make sure that we have whatever administrative things
we want to do. I know Janine was circulating a list so that we could set up
while we are actually all in the same room, a series of telephone conferences
over the summer. Do the co-chairs have everything that they need for tomorrow?
Are there any other administrative things that you want to do? Are you

DR. FRANCIS: We can give an outline and we can indicate that a very open
question is how far if at all beyond transparency we are going to be –

MR. HOUSTON: We are going to use Paul’s name. You are part of the
subcommittee, Paul, you don’t get that choice.

MS. BERNSTEIN: — of the kinds of fair information principles that privacy
people normally talk about. Transparency is like one of about eight.

DR. FRANCIS: I know. We haven’t been able to get beyond that.

MS. BERNSTEIN: Well, just say it is my opinion that it would be unwise to
stop at just transparency.

MR. HOUSTON: We have some other key concepts that we talked through that I
think –

DR. FRANCIS: It sounds to me given what John and I have been saying that if
the two of us start working up something, we’re not exactly on the same page
and if we turn out to agree on something –

MS. BERNSTEIN: Can I just ask what is the plan for work over the summer?
After tomorrow what’s the plan for work over the summer?

DR. FRANCIS: First we will get the minutes. We will do a distilled version
of the minutes with the help that will not be for public consumption, just for
our own help. We will continue with the work plan that we had as amended from
Harry and in particular additional and the division kinds of things and the
plan is to have a draft letter by September. In some cases what the draft
letter will do is identify choice points and issues on both sides of the choice
point rather than necessarily a final recommendation.

MS. BERNSTEIN: Don’t say choice point.

MS. GREENBERG: You’re not planning on having any meetings between now and

DR. FRANCIS: We’re not planning meetings. We are planning lots of phone

MS. BERNSTEIN: Well, as many as we can actually schedule because if you look
at the matrix that Janine is putting together for us, it looks pretty hairy.
While we have everybody except Walter in the room and Harry I guess now is
gone. There are some dates where only one member of the committee has said no,
but everybody else has said that they can do it and so I would like to ask
people to go revisit their schedule and find out on those days if it really is
movable or –

MR. HOUSTON: Can I suggest if we have a – what is the total number of
committee members here? Subcommittee members? Five. Walter, Paul, Sallie, six.
Let’s just say we have –

MS. BERNSTEIN: They will be in the room tomorrow.

MR. HOUSTON: What if we say a quorum plus one is enough to hold a meeting.
That’s four out of six people. Is that sufficient? I am assuming not everybody
is going to miss every meeting, the same person.

PARTICIPANT: You mean a conference call?

MR. HOUSTON: A conference call I mean. A quorum plus one. If we could get at
least four out of six. Is everyone comfortable at least for an individual
meeting that that would be sufficient?

MS. BERNSTEIN: We have some dates now where there are five. If we can get
six I am happy to get six.

MR. HOUSTON: As a base commitment if we got four people out of six at least
that’s enough to hold the meeting. Paul and Sallie, are you okay with that?

MS. BERNSTEIN: Hopefully Harry and Walter will be okay with that.

MR. HOUSTON: We will talk to Walter and to Harry tomorrow and if they say
yes to that then I think what we should then do is move with that concept.

MS. BERNSTEIN: I’m not asking you to nail down but I mean do you have
– I mean, Janine, what is the first date that it looks like we can even
meet based on four out of six?

JANINE: The first date is July 17th. Hoping that John and Sallie
have some flexibility with that. The next date after that will be July
21st then August 5th or August 18th.

MR. HOUSTON: Do we have any where there is four out of six rather than five
out of six or is that four out of six?

MS. CHRISTIANI: That’s it.

MS. BERNSTEIN: That’s only if that’s four dates.

PARTICIPANT: That’s four not five, right, or is that five?

PARTICIPANT: No, four people out of six.

DR. FRANCIS: We don’t have any that are five out of six.

PARTICIPANT: Yes we do. We have a couple where there is only one person
missing, right?

MS. CHRISTIANI: That’s part of the four dates that I named.

MS. BERNSTEIN: There are dates when we have five out of six but those are
all of the ones where we have at least four people of the members?

MR. HOUSTON: I’ll tell you if we can’t have any more meetings than that, I
think what we are going to have to do is ask people to be very responsive and
for writing comments back on written documents and hope that some of that helps
bridge the gap.

DR. FRANCIS: And also imagine that we will do some of the meeting with John
calling people individually or me calling people individually or John and

MR. HOUSTON: Leslie and I will always Paul together.

DR. FRANCIS: It’s not going to be that hard to get John and me together with
a conference call with one other committee meeting. We will do a fair amount of

MS. BERNSTEIN: Do you want to make an estimate of when you might have a
draft for everyone to throw stones at.

DR. FRANCIS: The first thing we want to do is write the background part. My
thought would be as soon as we have the minutes we will get going on the
background part. We could probably start writing that now.

MR. HOUSTON: We also want to have the principles or the key, thematic,
bullet-point format.

DR. FRANCIS: Let’s see the first meeting is the 17th of July. How
about John and I commit to having at least a week beforehand, the background
and the guiding principles around to people.

MS. BERNSTEIN: Oh so Marjorie has left the room. Does any of the staff know
when we might have the minutes for the last meeting and/or the current meeting?

MS. CHRISTIANI: Materials were sent to the writer so she is beginning to
work on them so it will be about two and a half weeks before we receive the
first draft from –

MS. BERNSTEIN: From the last set. Okay. And it will take at least two weeks
to get the transcript of today and then to get it to her it will be four weeks
then. She won’t even get the summary until the earliest, a week before that

MR. HOUSTON: Well we’re going to try doing the principal stuff with this. We
will have stuff to circulate.

MS. BERNSTEIN: We do have the transcript already from the last meeting

MR. HOUSTON: The most important thing is going to be the principles we are
going to use to develop the recommendation. If that comes first we will get it
out as soon as possible.

MS. BERNSTEIN: I’m just trying to figure out what else you might want and
whether we can get it to you in a timely way for you to do what you want to do.

MR. HOUSTON: What do you think, Harry?

MR. REYNOLDS: Hopefully we’ll pass where you were when I left.

MR. HOUSTON: Not one single inch. If we look at the end goal, which is
getting a letter out in the fall, I think to see that letter we need to have
what are the principles and the recommendations.

MS. BERNSTEIN: And I do think it really helps people to have a document even
if they are just going to throw stones at it to something to focus their energy
or thoughts.

MR. HOUSTON: That’s what I’m talking about. In both points format what are
the recommendations going to be, put that together the principles and
recommendations. That way we can get that out and people can throw stones at
that. I would hope getting that out by the end of June and then from that we
can start to solicit input and then when we get together in July by conference
call we can hopefully push that forward. Ultimately we got to put that in a
format that by the September meeting we have something we can present.
Principle as well as –

DR. TANG: You are going from today’s discussion to a list of recommendations
that you come up from.

DR. FRANCIS: At least a partial list, yes.

MR. HOUSTON: Because Paul what we want people to do is respond to them. I
think we heard good input.

MS. BERNSTEIN: That’s what we did last time. Mark would make a draft and he
would put out whatever recommendations we’ve got and we worked on it.

MR. HOUSTON: We have to have this out by late fall at the latest. I’m just
trying to work backwards and say we don’t have luxury of a lot time. We are
hearing a lot of good feedback. I think we have more consensus than we might
think. I think what we need to do is put in a form that people can respond to
and get comments and concerns out on the table early and then we will work
around it.

DR. FRANCIS: I think we have identified what the sore spots are. I hope
everybody is okay with even if we don’t have agreement about the sore spots
unnecessarily identifying them as such and outlining what the concerns are,
what the tensions are is a crucial thing to do. That’s not so hard.

MR. HOUSTON: I would remind people one thing. We may not come to consensus
on everything. I think what we need to do as a subcommittee in good faith comes
up with what we all as a group say we can live with realizing there might be
some give and take. We might have to rephrase things to be less concrete so
that it’s more inconclusive. I think we are closer than we think we are. I
really do. Again, Leslie and I will work on the recommendations and the key
themes and things like that and try to get that out for people to start to
shoot holes. I would ask one thing too is if you don’t agree with something,
come up with something as an alternative. Propose something that is an
alternate that we can equally consider rather than somebody saying no I don’t
agree with it. We do need to get the difference of opinions and try to meld it
into something that everybody can agree to.

DR. FRANCIS: And along those lines if there are topics or recommendations we
didn’t get to, send them to us. Well we are all going to be together for the
next couple of days. I think we should be talking. I intend to go to dinner
tonight and do some talking. I hope others will too.

MR. HOUSTON: With that said, I think we’re at five o’clock, which is the
bewitching hour. With that this meeting is adjourned.

(Whereupon, the meeting adjourned at 5:00 p.m.)