[This Transcript is Unedited]

DEPARTMENT OF HEALTH AND HUMAN SERVICES

NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS

March 3, 2005

Hubert H Humphrey Building
200 Independence Avenue, SW
Washington, D.C.

Proceedings by:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091

TABLE OF CONTENTS


P R O C E E D I N G S (9:05 a.m.)

Agenda Item: Call to Order, Welcome and Introductions

DR. COHN: Good morning. I want to call this meeting to order.

This is the first day of two days of meetings of the National Committee on
Vital and Health Statistics. The National Committee is the main public advisory
committee to the U.S. Department of Health and Human Services on national
health information policy.

I am Simon Cohn, the Associate Executive Director for Health Information
Policy for Kaiser Permanente and Chairman of the Committee.

I want to welcome fellow committee members, HHS staff and others here in
person, and I obviously want to welcome those listening in on the internet,
and, as always, I want to remind everyone to speak clearly and into the
microphone.

Now, what we will do this morning is to start with introductions, and we’ll
ask the new members to briefly introduce themselves in the course of these
introductions, and we’ll talk about them more a little later on.

For those on the National Committee, I would ask if you have any conflicts
of interest related to any of the issues coming before us today would you so
please publicly indicate during the introductions?

Marjorie.

MS. GREENBERG: Okay. I’m Marjorie Greenberg from the National Center for
Health Statistics, CDC and Executive Secretary to the Committee.

DR. LUMPKIN: John Lumpkin, Senior Vice President, Robert Wood Johnson
Foundation.

DR. WARREN: Judy Warren, University of Kansas, School of Nursing and a
member of the committee, and I am not aware of any conflicts for today.

MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina,
a member of the committee and no conflicts.

DR. TANG: Paul Tang, Chief Medical Information Officer, Palo Alto Medical
Foundation, Center of Health, a new member of the committee and honored to be
here.

DR. STEINWACHS: I’m Don Steinwachs, Johns Hopkins University, a member of
the committee and no conflicts I am aware of.

DR. CARR: Justine Carr, Health Care Quality, Beth Israel Deaconess Medical
Center, member of the committee, and no conflicts.

MR. HOUSTON: I’m John Houston with the University of Pittsburgh Medical
Center. I am a member of the committee, and I don’t have any conflicts either.

DR. VIGILANTE: Kevin Vigilante, Booz-Allen, Hamilton. No conflicts that I
am aware of.

DR. FITZMAURICE: Michael Fitzmaurice, Agency for Healthcare Research and
Quality, liaison to the National Committee and staff to the Subcommittee on
Standards and Security.

MS. TRUDEL: Karen Trudel, Centers for Medicare and Medicaid Services, staff
to the Subcommittee on Standards and Security.

MS. MC CALL: Carol McCall, Humana, with our Center for Health Metrics. I am
a new member to the committee. Thank you for the invitation. I have no
conflicts that I am aware of.

MS. BEREK: Judith Berek from the Centers for Medicare and Medicaid
Services. I am currently the liaison to the committee. I am retiring on April
30th, and Karen Trudel will take over as liaison.

DR. SCANLON: Bill Scanlon. I am a new member of the committee. I’m with
Health Policy R&D here in Washington, and I am very happy to be here, and I
have no conflicts for today.

MR. HUNGATE: Bob Hungate, Physician Patient Partnerships for Health, member
of the committee and no conflicts.

DR. HUFF: Stan Huff with Intermountain Health Care in Salt Lake City and
the University of Utah, and a member of the committee, and no conflicts for
today. Thanks.

DR. STEINDEL: Steve Steindel, Centers for Disease Control and Prevention,
liaison to the committee.

MR. BLAIR: Jeff Blair, Medical Records Institute, and a member of the
committee, and there’s no conflicts that I am aware of for today.

MR. ROTHSTEIN: Mark Rothstein, University of Louisville, School of
Medicine, member of the committee. No conflicts.

MR. SCANLON: Good morning. I am Jim Scanlon from the Office of the
Assistant Secretary for Planning and Evaluation here in HHS. I am the Executive
Staff Director for the full committee.

MS. FORITO: Michelle Forito(?), Drug Enforcement Administration.

MR. BRUCK: Steve Bruck, PEC Solutions.

DR. DEERING: Mary Jo Deering, National Cancer Institute and lead staff to
the NCVHS workgroup on the NHII.

MS. JACKSON: Debbie Jackson, National Center for Health Statistics,
committee staff.

MS. BERNSTEIN: I’m Maya Bernstein(?) from the Office of the Assistant
Secretary for Planning and Evaluation, and I am also the new privacy lead in
HHS.

MS. WILLIAMSON: Michelle Williamson, National Center for Health Statistics,
CDC.

MS. LUKE: Marilyn Sigmund Luke(?), America’s Health Insurance Plans.

MR. KYLE: Frank Kyle(?), American Dental Association.

MS. FRIEDMAN: Maria Friedman, CMS, lead staff to the Subcommittee on
Standards and Security.

MS. PICKETT: Donna Pickett. National Center for Health Statistics, CDC and
staff to the Subcommittee on Standards and Security.

MS. BOWMAN: Sue Bowman, American Health Information Management Association.

MS. JONES: Kathryn Jones, CDC, National Center for Health Statistics, staff
to the committee.

DR. MAYS: Vickie Mays, University of California, Los Angeles.

MS. LAVIN: Kelly Lavin, American Osteopathic Association.

MS. WATTS: Patricia Watts – Veterans Affairs.

SPEAKER: Maria – National Institutes of Health.

DR. COHN: Okay. Well, thank you for joining us today.

Now, normally, at this moment, we move right into talking about the agenda,
but being the new Chair, I am going to take the prerogative of spending a
couple of minutes just talking about the transition and change. It will not be
the last time we talk about it today or tomorrow.

Obviously, I, first of all, want to comment that I think we all believe
that the achievements of the last several years for the NCVHS have been nothing
short of spectacular, and I really want to thank our previous Chair, John
Lumpkin, for helping make it all possible. I mean, as we think about what has
been going on – the guiding of the initial HIPAA implementation, the visioning
of the NHII, the creation of the first set of recommendations for e-prescribing
that are now part of the proposed rule, which I know Karen will be talking a
little later, as well as letters of great import coming out on quality of
populations – I mean, we have – here, we have really the committee to thank for
all of this. There clearly is a lot to be proud of, and I want to just take a
moment to acknowledge our departing members – John, Vickie – Vickie, I’m not
sure why you are back there, as opposed to at the table. Can we have – Can we
have you sit at the table, please? We’re transitioning. I don’t think we think
you have left the committee yet. Gene, who I don’t think has arrived yet today.
Obviously, you will be missed, and we, obviously want to celebrate your
contributions, obviously, today and this evening.

In addition, we also want to acknowledge Peggy Handrich, who, while not
here, has resigned from the committee, and we, obviously, will miss her. I
think that she has provided a lot of valuable input.

Also, I think I should comment that Aldona Robbins, who has a name tag
here, but isn’t here yet, will be also transitioning off in her role. I think
she is finishing off her term on the Bureau of Scientific Counselors, but I
think this, at least likely, will be her last time representing the bureau –
the board on the committee.

I guess we should also comment about Judy Berek, who has already commented
about her retirement, so congratulations.

So, clearly, this is a time of transition, to put it mildly, but, clearly,
there’s lots more to be done and challenges to face.

You know, we talked about HIPAA. Well, in some ways, the identification of
the initial standards may be the easy part. I think the hard part now is to
work with HHS and the industry to figure out how to maximize the value of the
implementation.

For the NHII, there is an ongoing set of tasks that relate to further
visioning out the NHII as well as identifying – I mean, really solidifying it,
making it real.

For populations in quality, large issues remain, and we’ll be continuing to
come forward relating to information needs for the Twenty-First Century.

Obviously, these are just a few of the challenges before us. I think for
all of us who will continue on after today I have to say that it is truly an
exciting time to be a member of the NCVHS, and we obviously welcome the new
members.

And speaking of that, obviously, we are delighted that Paul Tang and Carol
McCall – McCall – McCall. I apologize. It is 6:00 a.m. in California. So –
(laughter). McCall – and Bill Scanlon, we are obviously delighted that you
could join us and we are looking forward to your active participation.

You are obviously joining an elite group. I think the NCVHS – and I think
we comment about this as well to staff sometimes when we drive them crazy – but
we are really known within the federal government as one of the most productive
and hardest-working federal advisory committees.

As you know, we all have important day jobs. So we don’t do this because we
all have a lot of free time on our hands. The reason we have taken on this
additional responsibility is our commitment to a better healthcare system, a
healthier citizenry, and, really, a better America, and, obviously, at the end
the day, we all have the satisfaction of having our deliberations and
recommendations make a difference, and I think that may be one of the defining
characteristics of this committee. By working hard, we actually typically do
make a difference in terms of the activities of the federal government and the
private sector.

Now, when I was appointed Chair a month ago, the first thing I did was to
talk to each of the committee members, and I really do want to thank you for
taking time to – in your busy schedules – to talk with me about how the
committee was functioning as well as opportunities for improvement; and,
obviously, we talked to the new committee members also to at least begin to
orient you to the workings of the committee.

What I heard from all of you in my discussions was very positive. John, if
I were giving you an evaluation – and I have to say this is sort of
interesting, because John has provided evaluations from my performance in the
last several years – but I did want you to know that we would all be giving you
an outstanding in all categories.

DR. LUMPKIN: And a raise?

DR. COHN: And a raise. That’s right. (Laughter).

You know, John, as you say that, I did notice that there was something
about – that I have always been missing about those evaluations and the final
step, but thank you for pointing that out. (Laughter).

Clearly, the suggestions we heard from the committee members were really
focused on making things better. They were modifications really around really
our central activities to make things more productive, to make things work
better, recognizing that we have limited resources. I am not going to go into
them a lot today. We’ll be talking about them, I think, as they begin to appear
sort of over the next couple of committee meetings related to sort of specific
changes that we’ll likely be making – around the structure and functioning of
some of the committees, but, you know, I think these are, once again, just sort
of changes, not of mission, not really primarily of organization, but really
more along the lines of style and all of this. So we’ll, as I said, be talking
about them. The Executive Subcommittee will be working on them, and we’ll be
talking about them more at future meetings.

And, actually, speaking of the Executive Subcommittee, I think you all have
updated copies of the agenda, but I just want to sort of announce officially
new subcommittee members and members of the Executive Subcommittee.

First of all, we have Don Steinwachs, who is going to be taking over for
Vickie Mays as Chair of the Population Subcommittee, and thank you for being
willing to do that, Don.

DR. STEINWACHS: And those are very big shoes to fill. I’m a little bit
scared about my evaluation, Simon. (laughter).

DR. COHN: Okay. Right.

Now, I have also appointed Jeff Blair and Harry Reynolds as Co-Chair for
the Standards and Security Subcommittee. Want to thank you both for being
willing to do that. I mean, that’s, once again, yet another big task.

Now, they will all be joining the Executive Subcommittee.

Now, as has been the tradition, I will be assuming the chair of the NHII
workgroup, and this is a tradition that started with Don Dettmer(?) and
continued with John Lumpkin, and, obviously, I will take that on, obviously,
with all of your help.

Now, one of the things that I will be doing is to be working closely with
all of the subcommittees and workgroups and the chairs to make sure we are
developing well-articulated, agreed-to goals and work plans that are timely and
relevant, and so you’ll likely see me jumping in out and out of some of the
subcommittee and workgroup meetings over the next couple of days, but I think,
in this transition, it is really a time to reflect on the goals, the work
plans. In some of our cases, we’ll be likely to be holding hearings to get
public and governmental input as we begin to develop these work plans, and,
once again, it’s just a time of reflection and change.

Finally, I do want to tell you how appreciative of the contribution from
both Vickie and John.

Obviously, Vickie is our departing Chair on Populations. Obviously, I want
to thank you for being willing – I mean, the good news – both of them – is
that they are not going to go away very quickly. Vickie, in her case, is going
to remain as a consultant to the committee to help us move forward with the
very important Populations Report, which we’ll begin to hear about today and
we’ll, hopefully, be acting on in June.

I have also asked John to continue as a special consultant and advisor to
the Executive Committee, though I was actually, this morning, mulling about
whether we needed to include the NHII as part of that, but he and I will have
to talk about that, but I think we have all benefitted from his involvement in
the NHII, as well as the NCVHS, over the years, and I, obviously, think that
the committee would be well advised to ask for his continued counsel and
guidance.

Now, there is honestly a lot more that I can say, and probably will as the
day proceeds, but, obviously, we have a full agenda. This was actually taken
out of the first part of our agenda, and so I want to return to the agenda and
just sort of review what we are going to be doing today just so that everyone
is aware of what the schedule is going to look like.

Agenda Item: Review of Agenda

DR. COHN: This morning, we begin with an update from the Department. We’ll
have Jim Scanlon from ASP, Karen Trudel from CMS and Susan McAndrew from OCR
providing an update, and, obviously, thank you for joining us.

Then, we’ll be considering a letter on medical devices. Mark Rothstein will
be bringing that letter forward for discussion and possible action.

After the morning break, we will begin the discussion of the second set of
recommendations on e-prescribing. Jeff Blair and Harry Reynolds will be
bringing that letter forward for discussion.

After lunch, there will be a review of a draft letter coming from the
committee of comments relating to the proposed rule on e-prescribing.

Then there’ll be a brief populations report, which I think, Don, you and
Vickie are going to be sort of reviewing briefly, where we are with that, and
trying to prepare the committee for further action in June. Correct?

Okay. And we’ll spend just a couple of minutes on the 2003-2004 NCVHS
biannual report.

Then, we are pleased to have David Brailer, who is the National Information
Technology Coordinator, joining us for an update on current initiatives and
issues.

Now, from three to five, we break into subcommittee sessions. We will talk
about those rooms later on, but Subcommittee on Populations and Subcommittee on
Standards and Security meeting at the same time. Then at five o’clock, we’ll
have a shortened meeting of the workgroup on the NHII, maybe from probably 5:00
to 5:30 or 5:45.

With that, let’s start into the agenda for the day.

Again, we want to thank our departing members for their major contribution.
John, you in particular. The committee is much better off through your
chairmanship over the last number of years and we want to thank you.

SPEAKER: Here. Here.

MS. GREENBERG: Here. Here.

(Applause).

Agenda Item: Update from the
Department

DR. COHN: Now, with that, Jim, do you want to – (laughter). Sorry, Jim –

MR. SCANLON: Good morning, everyone. Thank you, Simon.

Since we met in – I guess it was last November, obviously, a number of
changes have occurred, both at the Department and with the committee itself,
and let me go through a few of those things and talk a little bit about where
we are with budget planning and some of the data initiatives across all of the
Department.

Karen will talk about where we are with HIPAA, and Susan will talk about
where we are with the HIPAA privacy regulation, so I won’t be dealing with
that.

But, first, I would like to add my own welcome to the new members. I spoke
to most of you in the recruitment process, and we are very pleased, not only
that you could come, but that you could actually make it for this meeting as
well. Actually, the wheels turned fairly quickly once we got to that point. So
we are very happy to have you here.

And, again, I wanted to add my own thanks and appreciation to the members
who are Vickie, John, Gene and Peggy, who are rotating off of the committee,
and I hope, again – as the Secretary always says in his appreciation letter to
members who are retiring, we would like to be able to feel free to call on you
as the need arises in the future, and I think we probably will do that in these
cases as well.

We have actually had a couple of other personnel changes that effect the
committee as well. Well, first of all, I should start at the top, I suppose. We
have a new Secretary here at HHS, Michael Leavitt. Secretary Leavitt comes to
HHS from the Environmental Protection Agency, which he headed for the past
couple of years, and, before that, he was the Governor of Utah for a number of
years, a number of terms; and, actually, by all accounts, he is actually quite
savvy in terms of information policy, information technology, and he is
actually quite interested in moving this whole agenda forward. So Utah, I
think, has had a number of – Stan – was associated with a number of
health-information technology developments, the Utah Health Information
Network, and a number of other very positive and very pioneering efforts in
Utah. So, hopefully, the Secretary will help us push these forward as well.

In my own office, and associated with the committee, I am happy to announce
that we have hired Maya Bernstein as our privacy expert, privacy advisor at
HHS. She is the successor to John Fanning. She’ll be – I didn’t say she
“replaced”, I said- (laughter). Maya.

MS. GREENBERG: Maya’s got a big shoe.

MR. SCANLON: Yes. But Maya, actually, is quite capable in her own right.
Maya is well known at the national and federal level for privacy expertise. She
has been – held senior privacy positions at OMB. She was the privacy advocate
at the Internal Revenue Service – talk about sufficient training for HHS –
(laughter) – and she has had a private consulting practice and a law practice
in information policy and privacy policy. So we are very happy to have Maya
join us here. This is really her second week, and she’ll be transitioning in as
the lead staff for the privacy subcommittee.

A couple of words about our budget, where we are with the various budgets,
because they effect a lot of what we can do, generally. We now have, as you
know, an appropriation for Fiscal Year ‘05, and I’ll talk a little bit
about what that includes.

The President sent his budget up a little more than a month ago, and this
is the ‘06 – Fiscal ‘06 budget, and it actually contains a number of
the health-information technology investments that we had begun earlier, and
let me just mention specifically what they are. There’s a $125-million
investment for health-information technology. Seventy-five million is requested
for the Office of the National Coordinator for Health Information Technology,
David Brailer’s office, and that would include authority for grant and contract
programs as well.

The focus would be to provide strategic direction for the development of a
national interoperable healthcare system to encourage clinicians to collect and
collaborate with international health information technology network.

And, again, the ‘06 budget will continue the $50 million initiative we
began in ‘04 at the ARQ(?), at the Agency for Healthcare Research and
Quality. This is a grant program, demonstration planning and implementation
grants to accelerate the development, adoption and diffusion of interoperable
information technology in a range of healthcare settings. So that is also
included in the ‘06 budget, and the ‘06 budget also includes, I’m
happy to say, a continuation of our $10-million data-standards – again, which
we began in ‘04. This is funding that really allows us to do a number of
the developmental work on a number of data standards in the prescription-drug
area. It provides support for a number of mapping activities that the full
committee has recommended, and this is administered by the Agency for
Healthcare Research and Quality.

Mike, I think we had some good investments last year, and we’ll be looking
at what the ‘05 investments will be, and we’ll be asking for the
committee’s advice there as well.

DR. FITZMAURICE: And thanks to your advice and partnership.

MR. SCANLON: On the population statistics side, I am happy to say that the
budget that was actually enacted for Fiscal Year ‘05 included some good
news for population statistics. It included a $25-million increase for the
National Center for Health Statistics. I think I briefed the committee on this
previously. This was the amount we estimated was needed to sort of maintain and
protect and transform some of the core data systems at NCHS, everything from
vital statistics to the health interview survey, provider surveys and
methodology research. So without that, I am afraid we would be in fairly dire
straits this Fiscal Year. Now, I believe we are on a fairly good footing. I
think Dr. Sondik, tomorrow, will brief the committee on the state of the center
when he comes before the committee.

This particular reinvestment was the Data Council’s highest priority,
recommended, included in the President’s budget and Congress enacted that. So
we are very pleased that everyone saw that as a very high priority, and, even
better, that has continued. It wasn’t a one-year kind of initiative. It
actually continues at that level for Fiscal Year ‘06. So it is a boost
that goes on for NCHS.

Within HHS, this is the time of year – February and March – where the Data
Council does its more or less program review of where we are with the various
surveys and major data systems across HHS. So at our March meeting next week,
we’ll be looking at – across all of the agencies about where, for planning
purposes, the various surveys and major data systems are.

Again, this is just within HHS. We’ll be looking at are there any
enhancements, are there any retrenchments, are there more or less – services,
operations planned for most of our major surveys, but we do want to get a sense
of where we are now that the budgets are clearer and where we are heading in
the next year or two.

The budgets for ‘06, in general, are fairly tight for all federal
agencies, but, in general, it looks like our major statistical activities are
being supported, for the most part, at the current services level, which is
actually quite an accomplishment.

Let me quickly go to a couple of things the Data Council is looking at.
There are four areas that leadership in HHS asked for a departmental kind of a
perspective on, how are we doing in these areas in our data activities and what
kind of gaps are there and what kind of enhancements and collaborative
opportunities do we see in the months ahead.

The first area that we were asked to look at is in the area of
prescription-drug data. This is associated somewhat – largely with the Medicare
Modernization Act, Part D Program, but beyond that as well, we have a working
group looking at what is our current capability for statistics, research and
programmatic data on prescription drugs, and then what are some of the gaps and
what are some of the enhancements that we could move forward on, and we have
actually got a couple of enhancements moving forward in terms of
prescription-drug data collected on surveys. We have some improvements going on
there.

A second area is to look at national health insurance data and related
data, but largely national health insurance status data, and, as you know, a
number of our surveys here at HHS, and one at the Census Bureau, provide more
or less annual estimates of the national health insurance coverage in the
United States, the uninsured population – coverage exists as well. We don’t
always get the same estimates from those surveys, and so we have been – and
this has been known for a long time. They actually measure somewhat different
things when you look at them more closely, but we are looking at can we get a
better understanding and a comparative framework across the surveys? Do we
understand why the variations occur? Do we understand what the measures are,
and are there opportunities for collaborative research in analytical work,
modeling and so on in those areas across our various surveys? And we’ve
actually got a number of good projects that are being considered in those areas
as well.

And in these we include – in these discussions, we include not just the HHS
agencies. We include the Census Bureau, the Treasury, the GAO, the CBO and the
Congressional Research Service and other agencies that use the data and even
collect some of the data.

Two other areas, quickly. We have begun to look at – after looking at the
national-level data estimates for health insurance, we have begun to look at
what capabilities we have for state and local data. The initial focus is on
survey estimates for health insurance data, and, again, we have a little bit of
capability in HHS, and the Census Bureau has some of this capability as well.
We are not as far along there, but we will be looking at what might make sense
for enhancements.

And, then, finally, really, at our December meeting of the Data Council, we
– and, again, this was at the request of HHS leadership – we began to look at
how we measure income and wealth and related data in our major surveys.

In most cases, we are measuring income and wealth as a correlate to
understand health and human services, not to make – HHS doesn’t make estimates
of national income particularly – and how the various surveys compare in their
measures, what the strengths and the weaknesses are, and, clearly, there are a
couple of opportunities there for some enhancements and improvements as well.

So let me stop there and I’ll see if there are any questions.

DR. COHN: Well, actually, I think Sue McAndrew has to leave shortly. So I
think – if it’s okay – can we hold the questions until after Sue has had a
chance to present? Is that okay? Great.

Sue, why don’t we let you go and then we’ll come back to questions?

Agenda Item: HHS Implementation of PL 104-191
Health Insurance Portability and Accountability Act of 1996 Privacy Rule
Compliance Update

MS. MC ANDREW: Thank you very much. I apologize to the committee. I wound
up with a conflict this morning so will have to make this relatively brief.

I did want to let you know that there are three new areas of FAQs that have
gone up on our website recently. The first is a suite of FAQs attempting to
clarify the permitted uses and disclosures of health information in the context
of litigation and what the differences are between requests that come to a
covered entity as a third party and what the permissions are if the covered
entity is itself a party to the litigation. So we have tried to work out those
clarifications, and, last week, Rick Campanelli(?) was down in Florida speaking
to the American Bar Association’s health group and that was one of the things
that was on the agenda for them. So we were quite happy to get that set of FAQs
up.

We also have just recently posted two other FAQs, one on clarifying how
health plans can continue to provide information to the child support
enforcement agencies through the National Medical Support Notices; and the
newest FAQ concerns the permissions surrounding the use of interpreters,
largely language interpreters or interpreters for the hearing impaired, and the
various ways in which those interpretive services can be provided to patients.

This presented us with an interesting crosswalk within – because we had a
chance to merge the privacy side of the office with the civil rights side of
the office because they also do the LEP guidelines and we were able to
crosswalk the two provisions.

On the compliance front, just briefly, we are up to 11,258 complaints and
we have closed 63 percent of those – my rough count this morning. This is
through the end of February. The nature of the complaints and the entities
against who they are filed remains pretty much the same, and so I won’t go back
over that.

I would just also like to say that we have – we enjoyed the hearings that
the NCVHS Privacy and Confidentiality Subcommittee had, which I guess was also
last week. Oh, my God, yes. How time flies. What happened last week? And we are
really – we found those to be very – provided a lot of good information, and we
are looking forward to the hearings in March out in Chicago.

One of the other things that is causing all my calendaring issues is that
we also – there are going to be changes in the privacy team. We are doing a
good bit of hiring, and there will be – we are looking for – looking to put
people in some leadership positions. I believe there was just posted that there
will be an SES position in the office for privacy at the deputy director level.
So there will be changes a-coming for the privacy team.

DR. COHN: Let’s take a minute for questions. Michael.

DR. FITZMAURICE: Yes, I wondered how many cases have been referred to the
Department of Justice for criminal prosecution and have there been any
convictions? I know that there was a case, I guess, in Washington. Somebody
used information for credit cards. That question arose. He pled guilty to the
privacy rule, but they are not sure whether it was a privacy-rule violation
because the person might not have been a covered entity.

I probably am muddling all of this. I wonder if you could make some sense
of how many cases have we referred and have there been any convictions?

MS. MC ANDREW: I didn’t get the most recent count. As of the end of
January, we had referred 170 cases, and, in addition to those referrals, we
also – Justice advised when there are stories – pressure – other events that
come to our attention, so we do informal referrals as well.

With regard to the Washington case, that was – as I understand, that was a
guilty plea which was entered and approved by the judge, and so –

DR. FITZMAURICE: There it is.

MS. MC ANDREW: There it is. Hands going up.

MR. HOUSTON: Any movement on trying to get the statistics we talked about
and will this hiring help us at all?

MS. MC ANDREWS: The hiring is going to help us because there hasn’t been
much movement to date.

DR. COHN: John Paul, good question.

Questions?

Michael, again.

DR. FITZMAURICE: Are there any proposed changes in the privacy rule coming
that we could expect in the next year or year and a half? Is somebody looking
at proposed changes and might you be coming out with something in the next
year, year and a half?

MS. MC ANDREW: We always are looking at changes. I think now that we are up
on our second anniversary, it is time to consider what those issues are and to
look at them in terms of much more experience. In the early – in the first year
and a half or so, it was a little too soon to figure out whether this was just
initial compliance glitch or something that was really troubling with the way
the rule was written. So I think we now have enough experience that we can
begin seriously assessing whether or not additional changes need to be made in
the rule.

DR. TANG: Is there any thought about exploring how this might impact PHRS,
Personal Health Record Systems, particularly when their data is contained in
systems that are owned and operated by a third party that is not a covered
entity?

MS. MC ANDREW: We have been working closely with Dr. Brailer’s people, in
terms of all aspects of the rollout of the electronic health record and the
national health information infrastructure, and, to the extent personal health
records are a part of that, we have been involved in those conversations.

Right now, we are more or less statutorily constrained to the extent those
third parties that are operating personal health record systems are doing so in
connection with – as an outgrowth of a plan. I would expect that there would be
a business-associate relationship between those entities under the rule as
currently structured, and even to the extent they become involved in some sort
of network, I would also expect that there would be a business-associate
arrangement that would protect the information that they hold, to the extent
that they are, right now, independent vendors that are largely dealing directly
with consumers to set up these accounts. Then, to the extent they are getting
the information directly from the consumer, they really are outside of the
rules purview and a statutory change would be needed to change that
relationship.

DR. STEUERLE: Hi, Susan.

I have sort of asked this type of question before, but I am wondering if
there is any progress within HHS – I realize this is not necessarily your
purview necessarily – but over trying to examine a bit more some of the various
costs as well as benefits of the various – not just the specific privacy,
really with the privacy concerns in general and how they play out. I mean, it
plays out – probably play out in one sense with personal health records, but I
can think of a whole range of other issues.

I am just wondering whether there is some systematic way or rigorous way
within the department to try to get at the cost as well as the benefit side of
it, not so much legislative proposals, but at least to outline the extent to
which – what we know or don’t know about how these things are playing out.

MS. MC ANDREW: I suspect that that is more of a Jim question than a me
question, but –

MR. SCANLON: I can answer some. Did you want to say anymore?

I think what we started to do is – and I don’t know how – there is thought
being given to how would you – I’m not sure it costs so much as how would you –
what kind of metrics and measures and data would be needed is the first step,
Gene, I think, to even assess. Obviously, the first two years were focused on
just getting HIPAA simplification and privacy rules in place and getting some
experience with the actual operation.

We actually have some – for our research and evaluation plan, at least
within my office, and this would be an interagency effort.

We have a proposal to begin to look at what measures and metrics and data
would be necessary to go in that direction. So it’s the – it’s not even – it is
the step that would precede that, and we probably will be seeking some advice
from the committee on how do we even conceptualize how you would measure
benefits, costs and progress and indicators.

MS. MC ANDREW: I think teasing costs for this function out of all the other
costs that effect the industry.

DR. COHN: Yes. Yes. Richard is next, but I just had a clarification on your
comment. Is this something that your new staff is going to be taking the lead
on?

MR. SCANLON: Possibly. Possibly.

DR. COHN: Okay. Thank you.

MR. SCANLON: Yes. We are doing our research planning within ASPE – this is
our policy research plans, and so, at the moment, it is a proposal.

DR. COHN: Okay. Great.

Richard, and then Mark.

DR. HARDING: Gene has mentioned that it was a repetitive question, but I,
too, have the same repetitive question, because everywhere I go, when people
find out that I have something to do with HIPAA, they ask me the same question
– that is, providers – and that is around the issue of these 170 cases referred
to Justice are any of them because of omissions of HIPAA regulations?

That is, doctors come up to me, if I don’t have the screen on my television
that is directional or on my computer monitor that is directional, am I going
to jail? And I have been able to kind of comfort them a little bit that
certainly you should have those kind of things, but that isn’t what Justice is
all about right now with HIPAA. Is that still an honest answer?

MS. MC ANDREW: Yes. I mean, first of all, Justice is really only taking
cases and they only have jurisdiction where there has been an impermissible
disclosure. So, to the extent that the screen is not perfectly tilted, that is
more of a safeguard issue, and it’ll take several other things to happen before
it would be even something that would come to the attention of Justice.

DR. HARDING: You would still describe these 170 cases as being rather
egregious?

MS. MC ANDREW: They are quite – they are the most serious types of breaches
of confidentiality.

DR. HARDING: Thank you.

MR. ROTHSTEIN: I just wanted to clarify for some of our new members that
Gene’s question earlier and Jim’s response about the studies that are needed to
measure the costs and effectiveness of HIPAA, the NCVHS already is on record
and has sent a letter to the Secretary recommending that such a system be
established. So we are committed to that as a committee, and I am pleased to
hear from Jim that we are finally going to be moving forward on that.

DR. COHN: Sounds like Gene might have to join another subcommittee.
(Laughter).

Okay. Well, Sue, thank you very much. We appreciate your time, and I know
you’ve got multiple things going on.

MS. MC ANDREW: Thank you, and I apologize for the shortness of the
presentation.

DR. COHN: Oh, no. We appreciate it. Thank you.

Agenda Item: Data Standards, Including Clinical
Data Standards Adoption CHI Update

DR. COHN: Karen, I think I am going to suggest that why don’t we let you go
forward and then we’ll handle questions for both you and Jim sort of together
in discussion for the remaining period.

MS. TRUDEL: That’s fine. Thank you.

Actually, I am going to spend most of my time here providing a little bit
of an overview of the e-prescribing proposed rule, and I’ll start with some
important dates.

The proposed rule was announced by the President and went on display on
January 27th. It was actually published in the Federal Register on
February 4th, which makes the 60-day comment period ending on April
5th.

So I would like to talk a little bit about what is in the proposed rule.

First of all, I would remind you all that the NCVHS had a very specific
role that was set out by the MMA, and, in the regulation, we do talk about the
NCVHS role, the process, the hearings that went on with scores and scores of
stakeholders through the spring and summer of last year, and the regulation
does track very closely with the committee’s recommendations, and as I have
said before, I think that hearing process stands as a model of public-private
consultation and probably sort of a shining example of what a federal advisory
committee is supposed to do and look like.

The MMA does state that standards for electronic prescribing will be pilot
tested before adoption, and that the Secretary is to announce the initial
standards that will be pilot tested by September of this year.

The law also leaves us with a little bit of an escape hatch, because it
talks about an exception for providing – for going straight to adopting final
standards in situations where there is already adequate industry experience
with a standard, and that is a very important concept in this regulation. We
very definitely hung our hats on that big time.

So what this regulation does is that it sets out a number of what we are
calling foundation standards. They are building blocks that will allow us to
enter into an electronic-prescribing environment. They don’t have all the
functionality that we will need, by any means, but they are a very good place
to start and to build on.

The regulation talks about what those foundation standards are. It also
explains our incremental strategy that we are starting with these foundation
standards, that we will layer other functionality on the top, and that,
ultimately, we do not expect to be developing these standards in a vacuum, that
these are not to be a Medicare Part D e-prescribing silo, nor are they intended
to be an e-prescribing stand-alone that never links up with an electronic
health record. So we are standing at the beginning of a road. We know where the
end of the road is, and we are soliciting comments very specifically on our
strategy from getting from Point A to Point B.

The other thing we discuss in fair detail is state preemption. We know that
is a significant issue. A number of presenters have talked to us about the fact
that various state laws and regulations, because of their differences across
the states, can serve as a barrier to e-prescribing on a national basis.

Let me talk a moment about the foundation standards, and there are three of
them.

First of all, obviously, you need a standard to get prescription data to
and from physicians and the pharmacies that they are sending the prescription
to, and, for that, we have proposed the NCPDP SCRIPT standard for a variety of
uses – new prescriptions, refills, changes, cancellations, and there is some
ancillary messaging acknowledgments, et cetera, that are necessary to make
those transactions run smoothly.

We are not proposing the standard right now for the fill-status process
where the pharmacy can tell the physician or the prescriber that the
prescription was not filled, was not picked up. The reason that we did not
propose that was that we found, during the testimony, that nobody felt that
there was adequate industry experience with the use of the SCRIPT in that
context. So that is something that we’ll be reserving for the pilot-test
process.

And I would point out also that the SCRIPT standard is an
already-identified standard under the Consolidated Health Informatics
Initiative. One of the things that the committee recommended was that, to the
extent possible, we stay consistent with CHI and HIPAA standards that are
already in place.

The second foundation standard is for eligibility and benefits inquiries
and responses going between the prescriber and the sponsor – you’ll note, not
the pharmacy and the Part D sponsor – and for this we are proposing the
X12N270/271, which is already a HIPAA transaction and is already in use in the
industry, including any prescribing applications.

And the third foundation standard is for eligibility and – I feel like I am
doing the Academy Awards – (laughter).

SPEAKER: And the winner is –

MS. TRUDEL: And the third nominee is for eligibility and benefits, inquires
and responses between dispensers, pharmacies and Part D sponsors, and, for that
one, we are proposing the NCPDP Telecommunications Standard which is, again,
already adopted under HIPAA as the transaction for the retail pharmacy drug
claim and ancillary messaging. So that one is very definitely in extremely
widespread use throughout the industry.

Now, we hit a kind of a hybrid because we looked at formulary and benefit
information and medication history information, and, again, these are
absolutely critical in that they get information to the point of prescription
so that the physician is aware of any formulary restrictions. They are aware of
any tears in the formulary, and they are aware of not only the medications that
they have prescribed for the patient, but that other physicians may have
prescribed for the patient, which is critical to patient safety.

When we looked, however, at the existing mechanism for communicating that
information back and forth, we found out that, while there was at least one
standard in fairly widespread use – these were proprietary formats in use
developed by RxHub – that they were not accredited by any ANSI-accredited SDO,
and we were not absolutely certain that there were no other candidate standards
out there.

So rather than proposing to adopt these non-ANSI-accredited standards, we
chose to instead propose some criteria that we would use, characteristics that
we would use to adopt or to identify standards for formulary and benefit
information and medication history.

One was that they be accredited by an SDO and also that they permit
interfaces with multiple products and vendors to make sure that they would
work, again, on an industry-wide basis and that we were not building up some
sort of a silo that would prove to not be interoperable at a later time.

We also set out some other criteria, both for formulary and benefits and
for medication history. There’s an awful lot of verbiage on that screen, but
the bottom line is that for formulary and benefits, we wanted a uniform means
to communicate a wide range of formulary and benefit information; that is, that
we did not want the standard to constrain how a plan might structure its
formulary – whether or not it had tears, how it expressed the formulary. We
wanted the standard to be flexible enough that it could take any structure that
was there and communicate it accurately.

For medication history, we wanted, again, a uniform means of requesting and
providing listings of drugs, and we also wanted to make it possible to restrict
the prescriptions to certain time frames, so that you would not necessarily get
back two, three, four or six, eight, 12 months of information, if all you
wanted was the last three.

So we also solicit comments on these criteria, and, again, on what specific
standards, including RxHub, might meet these criteria. So we are open to
potential other candidate standards, although I must say that in the course of
the very detailed testimony that the subcommittee heard, no other potential
standards kind of bubbled up to the surface.

And, again, just sort of a postscript to this, the industry kind of got
where we were going with this very early on, and RxHub volunteered to donate,
essentially, its proprietary format as a basis for a standards development
organization and SDO-accredited product.

They had been working with the National Council on Prescription Drug
Programs and have been working to potentially get those RxHub proprietary
formats for formulary and medication history through the SDO-accreditation
process, which would then meet the one criterion especially that these
proprietary formats did not previously meet.

A word of caution there. This process is still ongoing, and the
subcommittee is committed to continuing to monitor that progress. If the
standards come through the process, however, and they have changed
significantly, there is a need to go back and look to see whether, at that
point, the product that comes out at the final analysis continues to meet the
requirement of adequate industry experience, because the standards, as they now
are, do have adequate industry experience. If they change too much, we may be
back to the drawing board and those standards may wind up being part of the
pilot test and would not go into effect until 2008, 2009, rather than being
part of the Part D program in general coming up in 2006. So that is a critical
one that we are watching very, very closely.

Okay. The first set of standards, as I said, does not represent the full
set of standards necessary for e-prescribing, and that we will – HHS will
identify, as required in the MMA, a set of initial standards to be pilot tested
in 2006; and, again, the committee’s initial recommendation letter from last
September already identified for us a number of potential standards that we do
need to test, and we will be – once that process is finished – then going
through a separate rule-making process to build those new standards on top of
the foundation standards; and, again, we request comments on this incremental
approach.

The state-preemption issue, which, as I said, was rather critical, in the
regulation, we talk about the fact that there could be several ways to do
preemption, one that would only apply to transactions and entities that are
part of an electronic prescription drug program under Part D – in other words,
it would be Medicare Part D limited – or we could apply it to a broader set of
transactions and entities and say we are preempting just about everything for
just about every e-prescribing application.

In the proposed rule, we take that first narrow interpretation and, again,
invite public comments.

Another issue that is discussed in the regulation is the use of the
National Provider Identifier, which is a HIPAA standard to identify both
prescribers and pharmacies that are actually dispensing the prescriptions. We
are in a sort of a time crunch as far as that is concerned, and I’ll talk a
little bit about the NPI later.

In terms of the NPI-enabling regulation, covered entities would not be
required to use their NPIs until 2007. If we were to adopt and implement the
NPI in e-prescribing, it would have to occur initially in 2006, and so we are
asking for comments on the potential impact of accelerating that by a year or
more.

And, again, there was a lot of discussion about the use of standards within
an enterprise. For instance, a staff model HMO that has a pharmacy, the entire
prescription transaction could be taking place within one entity where the
physician who writes the prescription, the pharmacy that dispenses the
medication and the plan itself that is bearing the risk are all part of the
same umbrella organization.

The NCVHS recommendation was to exempt those transactions within an entity
because, in many cases, entities of that sort that have already implemented
e-prescribing have done so with HL-7 standards rather than the ones that we are
recommending.

In the NPRM, we communicate that recommendation, but we note that the
notion of standards within an enterprise is inconsistent with the way HIPAA
administrative simplification treats that issue. Under HIPAA we require that a
standard be used even within an enterprise as long as it meets the definition
of what that HIPAA transaction is. So we are soliciting comments on that issue.

Let me talk a little bit about pilot testing. As I said, the pilot tests
are required in calendar year 2006. We will soon be soliciting applications. We
are working on a Request for Proposals right now, and we expect that we will
provide some criterias to what will be included in the pilots. We will do this
in full and open competition, and, again, the participation in pilots is
completely voluntary.

The structure of the pilots will probably follow, in many ways, the NCVHS
recommendations, and we have already done an analysis of existing e-prescribing
programs that are in operation. That will inform the discussion as well, and,
at the end of the pilot process, we will be required to do a report to Congress
in 2007, and then promulgate final standards no later than April of 2008.

So those subsequent milestones we finish, hopefully, in 2008, and that
completes my presentation on e-prescribing.

Let me talk a little bit about the security compliance deadline that is
coming up on April 20th of this year. I am sure that, again,
security compliance and enforcement, because it is very closely linked to
privacy enforcement, is, again, probably raising the same kinds of concerns
that Richard mentioned earlier among practitioners, and I want to state, again,
very clearly, that the security process, like the privacy process, is complaint
driven. It is not audit driven. We realize that many security complaints may
have a privacy aspect to them and vice versa, and we have been having very
intensive discussions with the Office for Civil Rights to sort out how we are
going to collaborate on processing dual complaints and how we are going to
decide which complaints have privacy or security implications.

We are looking at a one-stop-shopping kind of perspective where the
complainant doesn’t have to work out, well, this is a privacy complaint, so it
should go to CMS or it is a – OCR or it is a security complaint and it should
go to CMS. Wherever the complaint is initially submitted, we will all take a
look at it and the service will happen from the agency that receives the
complaint, but we’ll take care of sorting out who needs to do what, and,
hopefully, that will make the process a little bit smoother.

Also wanted to say that we are in the process of final clearance of a
number of technical materials having to do with security, some frequently-asked
questions that have been cropping up over the last months and some technical
papers on security – a whole series of them – not dissimilar to the ones that
we developed for HIPAA transactions and code sets.

Let me talk a little bit about the NPI as well. The effective date of the
regulation is coming up in May. You remember the effective date of the
regulation was put off so that we could make sure that we were able to assign
NPIs as of that date. So the compliance date is now in May of 2007.

We have selected an enumerator contractor. It is Fox Systems, and so they
are on board. We are working on system testing on the system itself. The
enumerator is there, and we are in the process of planning some fairly
intensive outreach over the next two to three months to make sure that
providers are aware of what the NPI is, what the deadlines are, how you get
one, what does it all mean, et cetera.

And I think that is all I wanted to report, and I would be happy to take
questions.

DR. COHN: Well, Karen, thank you very much, and I would comment that while
we did not choreograph this, at least I don’t think we did, we were wondering
how to give everybody a little bit of a background on e-prescribing. So, thank
you very much.

Questions or comments from the committee? Harry.

MR. REYNOLDS: Karen, security is probably the quietest of the HIPAA
implementations, at least it appears. Are there any areas – well, first,
do you think that – are really moving forward, and, second, are there any
particular areas where the rule that you think are the biggest problems?

MS. TRUDEL: Yes, from the industry surveys that I have been seeing, I
clearly can’t say that 100-percent of covered entities intend to be compliant
by the deadline, but the number is fairly high and it is moving in the right
direction, I think.

I guess the implementation is quiet because a security violation will not
stop cash flow, and because security, from a patient’s perspective, is a little
bit harder to assess than, for instance, did I or did I not receive a notice of
privacy practices. So I think that that kind of contributes to this.

I think, in terms of potential hot spots, that the main one that I see is
just communicating the concept of risk analysis and risk management and making
sure that covered entities, especially the smaller ones, understand what
benefits we have provided to them by the flexibility and the scalability and
the fact that solutions don’t have to be technical and that they don’t have to
be expensive. Those are some of the things that – messages that we are trying
to get across.

DR. COHN: John Paul.

And I should actually comment that since Jim Scanlon missed his chance for
questions, he is fair game, too. (Laughter).

John Paul.

MR. HOUSTON: A couple of comments.

The tech papers that you talked about being made available for the security
role, are any of them going to relate to medical equipment?

MS. TRUDEL: Specifically?

MR. HOUSTON: Yes.

MS. TRUDEL: No, not specifically.

MR. HOUSTON: Okay –

MS. TRUDEL: They are fairly general.

MR. HOUSTON: Okay. Thank you. That is the first question. The second
question, you had talked about the complaint process and how you are going to
manage inflow of complaint. There has been a lot of discussion about JCHO and
its desire to potentially involve itself in assessing organizations’
compliance, the security role or looking at security-related – healthcare
provider.

Is that going to be an avenue for complaints or information coming back to
your organization or would that be separate and distinct and –

MS. TRUDEL: I would see that as being separate.

We have not had any discussions with the joint commission on an official
role for them. We do have some contracted resources, but they would be what we
would use to actually do assessments should we exceed the capabilities of our
own staff resources, and we don’t communicate information to anyone on open
complaint. So we are certainly not going to communicate information to the
commission.

MR. HOUSTON: Right.

MS. TRUDEL: And unless the commission were actually to file a complaint, we
would have no way of knowing that there was any kind of a violation.

MR. HOUSTON: Thank you.

DR. COHN: Okay. Mark, then Jeff, then Mike.

MR. ROTHSTEIN: Thank you.

My comment flows from Jim’s statement, but only indirectly, and I would
like to propose a change in our committee website that I think will make it
easier for committee members and the public to follow what has happened as a
result of the recommendations that we make, and so what I would propose is that
where we list the letters that we send to the Secretary we link to the
responses that the Secretary has given to the letters and put the date of the
response, et cetera, and, if it is easily achievable, link to other things that
have occurred as a followup to our letter. So it may be a guidance document
that was issued by CMS or OCR or FAQs or something.

There are practical limits to the extent to which we can keep updating all
of our letters, but I think, based on, for example, press calls that I get and
inquiries from colleagues, it would be very helpful if we try to do a better
job of documenting what has happened as a result of our recommendations.

MR. HOUSTON: I second that. I think –

DR. COHN: Well, I guess we should ask Jim about that, since we are
directing it towards him. I think – the initial idea seems to be – should be
very doable, I would think.

MR. SCANLON: I certainly think we’ll look into it.

Now, we do publish on the website the responses from the Secretary, but,
you are right, they are not linked, Mark, necessarily, to the incoming, but we
can certainly look at that. Any way to make it more user friendly.

Now, there may be a practical limitation on when we begin linking to
related actions, as a practical matter that may not be –

MR. ROTHSTEIN: Right. I understand.

MR. SCANLON: But, certainly, directly related papers, reports and guidances
and so on, we’ll try to do that. So we’ll look at that.

DR. COHN: I would just say, to follow that one up, I think that, certainly,
the first step sounds very easy. I think the Executive Subcommittee will have
to monitor, discuss that sort of next step, because, conceptually, I think we
all agree, it makes sense, but a lot of times, you know, we influence actions.
We don’t directly –

MR. SCANLON: It’s not a one for one.

DR. COHN: It’s not a one for one, and so I think we just need to be a
little careful, because, in some ways, that is beginning to take credit for
things that we may – (laughter) – may be inappropriate to be taking credit for.

But I think that is an Executive Subcommittee thing and we can sort of
monitor that and report back to you.

Okay. Jeff.

MR. BLAIR: Thank you.

I’m not sure whether this question is most appropriately going to be
addressed by Karen or by Jim, and I’m going to just say a couple of words for
some of the new committee members or folks that may not be familiar with some
of these things.

You know, we went through kind of several years when we were very focused
on the standards as directed by HIPAA, and then we had a few more years where
we were very focused on NCVHS as we got to clinical data standards where the
Consolidated Health Informatics Initiative was kind of the main group that we
worked with, and there’s been a few references now to the emergence of the
Federal Health Architecture, and I was wondering if either of you could help us
understand what role that will be playing and how does it relate to – and,
also, in specific, does it replace CHI? Does it – it compliments CHI or is it
just a next step?

MR. SCANLON: Should I take a crack, Karen?

MS. TRUDEL: If you want.

MR. SCANLON: As usual, Jeff, you ask a very good question. (Laughter).

I think we are planning – we actually talked about this in the Executive
Committee. I think we are planning to – the Federal Health Architecture is an
interagency federal group that includes DOD, VA, a lot of our HHS agencies and
a lot of the other agencies that have – that are involved somehow in the
federal health and public health enterprise, and it is – certainly, OMB looks
on it as kind of an interagency way of coordinating and helping with the
broader issue of coordinating health information technology in the federal
sphere.

It includes the CHI. The CHI is an element within the Federal Health
Architecture.

But I think you are raising the question that we are all sort of beginning
to consider again. I think David Brailer, in a way, alluded to this in one of
the letters to the committee. I think maybe what we – Because the Federal
Health Architecture is now an interagency activity, we may want to have them
come in and brief the full committee on what the scope and the nature and plans
and the deliverables for that whole effort are.

I think David Brailer was actually asking the committee to serve in a
review capacity for recommendations that would be coming out of the FHA.

The CHI is within the FHA – I think I am stating this correctly, Karen –
but the FHA includes other activities as well. It probably will include
architecture kinds of considerations and frameworks and possibly some other
broader things.

So I think the timing is probably right where we want to think about
bringing, maybe, a briefing on the FHA to the full committee, probably, Simon,
at a future meeting.

DR. COHN: Yes.

MS. TRUDEL: And if I can follow up, the FHA’s Program Management Office is
being run from the Office of the National Coordinator.

The CHI is a workgroup under the FHA, and many, many of the same
participants continue to be involved, including CMS, DOD, VA, and so there is
continuity there, but the sense was that, as of this point in time, events have
kind of caught up with us, and it did not make sense to continue to have CHI in
a capacity that was outside the general discussion of a health architecture,
because the standards and the vocabularies are such an integral role in
developing that architecture. So I kind of view it as being a – not a demotion
of CHI, but a very necessary linkage point.

DR. COHN: Yes, and let me also sort of comment.

I have actually already invited the FHA to come and present in June. So
there will be a briefing. I am expecting, based on my initial understanding,
that this will likely generate – I mean, there needs to be a briefing at the
full committee, but I expect that it will be generating some subcommittee
action, in terms of further investigation, hearings, et cetera, but I think it
is too early yet to really say exactly what that will be, but, certainly, is a
– I think the full committee needs a briefing on this, and it is – I think,
from my view, it is CHI and a whole lot more. Clearly, it is an architecture,
not just a set of data standards that deal with domains.

So, anyway, Jeff, does that answer –

MR. BLAIR: Thank you.

DR. COHN: That is at least one level of response.

Now, Mike, you have a question, and I think, after that, we are going to
have to sort of complete this section and then move into our letter.

DR. FITZMAURICE: All right.

DR. COHN: Oh, is there – Oh, I’m sorry. Carol had a question. Okay. You’re
the last one then.

DR. FITZMAURICE: Karen, at the last full meeting, Nathan Koladne(?)
presented to us and gave us a number of HIPAA complaints, number resolved,
percent of Medicare claims that are compliant with the transaction and the code
standards and their implementation guides.

Who is the head of the office now, and do you have those same kind of
statistics that you could give us?

MS. TRUDEL: The directorship of the office is currently vacant and I do
have statistics. I have not brought them with me. I can recall, off the top of
my head, our rate of closing complaints is at about 53 percent, that many of
the complaints we are receiving have to do with either
trading-partner-agreement problems, where one party is alleging that the
provisions of a trading-partner agreement either are counter to HIPAA or there
are situations where inappropriate charges are being made, and, also, many of
the complaints have to do with allegations that compliant transactions were
rejected by a health plan.

Most of the complaints continue to be filed by our own behalf of the
providers, and, in terms of the Medicare percentage of compliant incoming
claims, we are hovering at about 99 percent of compliant incoming transactions.

DR. FITZMAURICE: Well, and could I follow up with a presentation you made
on what dates will physicians be able to request and on what dates will they be
able to receive their National Provider Identifiers?

MS. TRUDEL: It is my understanding that the system go-live date, where NPIs
could be requested, is still somewhere around the end of this coming May.

DR. FITZMAURICE: And they then should be able to receive them in a month or
two after that?

MS. TRUDEL: Well, the process is primarily web based, so depending on any
kind of additional information that might be needed, it would be possible to
get one almost immediately.

DR. FITZMAURICE: Great. Absolutely great.

DR. COHN: John Lumpkin was asking me if he could get a special vanity
number. (Laughter).

DR. LUMPKIN: Like 007.

MS. TRUDEL: We have reserved that for you.

DR. COHN: Carol, please.

MS. MC CALL: Yes, I wanted to ask a question about one of your – I guess
one of your first-runner-up foundation standards from this morning, and it has
to do with the formulary and benefit medication history.

You talked about the fact that no other standard had bubbled up and that
you are monitoring that one closely, and so while I certainly understand –
because of some of the things I have done in my work history – that they need
to be very flexible, and, yet, if they went into pilot, as opposed to
foundation, there could be a material impact on adoption, because it could
significantly enhance the experience of electronic prescribing and all that.

So with that as context, my question is what do you think the likelihood
will be of the significant changes that could come out from the comment period?
What have the comments been to date? And some of this is a little bit of
history for me, being a new member, just trying to understand through this
comment process and soliciting comments back, the likelihood that it would end
up in pilot as opposed to foundation.

MS. TRUDEL: I think there are a couple of different questions kind of
intermixed in there.

The comment process, under the Administrative Procedure Act, goes for, as I
said, 60 days. The comments will – the comment period is up on April
5th.

Traditionally and historically, we receive 98 percent of the comments
within three days of that deadline. As of right now – and I checked yesterday –
we had not received one single comment on this NPIM, and we are already halfway
through the comment process.

So as far as a sense of where the public comment is going, I don’t know.

Let me take another step, though, and say that the SDO process, the process
within the NCPDP, where the members of NCPDP are looking at the RxHub
proprietary formats and trying to turn them into standards, is still ongoing.
So I think that is very, very much up in the air, and, in fact, there is a
meeting in Phoenix this weekend to kind of duke out some of the potential
comments. So I think it is too soon to tell.

DR. COHN: And, Karen, I should comment that many of us in the industry are
still trying to deal with responses to the 45-day CFS notice and other such
things like that. So, yes, you will get comments three days before they are
due, but not that day.

Any other comments, questions?

Okay. Well, we want to thank both – Karen, we are obviously delighted to
have you take on the role of – liaison to – from CMS to the committee. So
welcome.

MS. TRUDEL: Thank you. I am looking forward to it.

DR. COHN: Yes. Now, with that – and, obviously, I want to actually thank
our new members. It is unusual in our first session to have new members
starting to ask questions, and we certainly – I think it speaks well of the new
crop. So good.

Agenda Item: Privacy Letter on Medical
Devices
Action March 4

DR. COHN: Now, what we are going to do now is to turn to a letter for
consideration which Mark Rothstein is going to bring forward.

Now, for our new members in this room, and also our old members, it is
usually the tradition of the committee that what we do is we do a reading and
comment on the first day, then moving to an action the second.

We also, normally, if we are dealing with a letter, we pass it with the
ability to make minor wordsmithing changes, because there’s always wordsmithing
changes.

Now, however, having said that, if a letter really does look pretty good
and everybody is generally in agreement, we do typically reserve the right to
actually move a letter even on the first day, if there’s no disagreement. So we
do have some flexibility on that.

So, Mark, I am passing this over to you, and what would you like to do with
this letter?

MR. ROTHSTEIN: Any objections? That is what I would like to do with the
letter. (Laughter).

The letter is in Tab 3, and I want to just briefly say, for background,
this was a letter that arose out of joint hearings between the Subcommittee on
Standards and Security and the Subcommittee on Privacy and Confidentiality that
were largely the result of John Houston’s work. So we need to acknowledge that.

There are a number of places in the letter that, as I have gone through it,
minor changes need to be made – adding the Secretary’s name, adding some
capitalization, subtracting some capitalizations and so forth – that we will
add before tomorrow’s final version comes through.

Simon, do you suggest that I read the letter for the benefit of the
internet listeners?

DR. COHN: Yes, if you would, that would be useful.

MR. ROTHSTEIN: So the letter, as modified, will read something like this?

“Dear Secretary Leavitt,

“As part of its responsibilities under the Health Insurance
Portability and Accountability Act of 1996, HIPAA, the National Committee on
Vital and Health Statistics, NCVHS, monitors the implementation of the
Administrative Simplification Provisions of HIPAA, including the Security
Standard for Electronic Protected Health Information, Security Rule. The
Subcommittee on Privacy and Confidentiality of the NCVHS held hearings in
Washington, D.C. on November 19, 2004. The hearings were intended to gather
information about the effect of the Security Rule on medical devices.

“At the hearings, we heard testimony from the Veterans Administration,
VA, the Food and Drug Administration, FDA, as well as various manufacturers of
FDA-regulated software and medical devices. We also received written comments
from an individual representing various medical-device-industry groups.

“The witnesses indicated that there are a wide variety of challenges
associated with bringing medical devices into compliance with the Security
Rule, as well as providing effective security. The witnesses’ testimony
centered around two main themes:

“1. While most new and currently produced medical devices are capable
of complying with the Security Rule, much of the medical equipment in use is no
longer manufactured and may not be ungradable by the manufacturer. As a result,
it may not be possible to bring these ‘legacy devices’ into compliance
with the Security Rule.

“2. Many of the medical devices manufactured today contain
commercial-off-the-shelf, COTS, software and operating systems. Because of the
critical nature of the medical equipment, any updates – including those
released by COTS software manufacturers in response to specific security
threats – must be tested to ensure that the updates do not adversely affect the
operation of the medical device. This testing often delays implementing
critical security updates. Further, Manufacturers are concerned that some
customers update medical equipment with the latest patches without first
verifying whether the update affects the safe operation of the medical
device.”

Should I stop here, perhaps, and take comments?

DR. CARR: Justine Carr.

It might be my naivete, but I’m wondering if we might have a statement of
the current state of what is it that is – what are we fixing? In other words,
what is it about medical devices and security? What is the problem

that we are fixing?

MR. ROTHSTEIN: John, do you want to –

DR. CARR: A medical device – how does a medical device link to security?

MR. HOUSTON: I think – I mean, it is buried in the second of the main
themes that was outlined on page 1, which is – well, first of all, the fact
that they have commercial-off-the-shelf software and operating systems embedded
in them and that they must be tested to ensure that the updates do not
adversely affect the operation of the medical device. I mean, it is buried
there. I think maybe we could – If we wanted to, we could push that up into a
paragraph.

MR. ROTHSTEIN: Well, I am hearing Justine’s question to be at a more
general level even. I mean, why is this a HIPAA issue at all and so forth?

DR. CARR: Right. Does a medical device have a patient’s name on it
somewhere? That is the part I am trying to understand. I mean, I kind of know
the answer, but –

MR. ROTHSTEIN: John.

MR. HOUSTON: I mean, we can add a paragraph to discuss that. I think it is
pretty clear that some medical equipment does, in fact, have patient
information, as well as the fact it is – if it resides on a network which is
used by other systems that contain patient information, they may be the source
of some type of malicious attack or vulnerability, which could then impact that
equipment.

DR. CARR: I’m not sure – You know, I guess it depends who the audience is.
Maybe the Secretary knows this, but a lot of people don’t know of the link of a
medical device linking to a particular patient, and I think it would be helpful
to state that that linkage is subject to this kind of scrutiny.

MR. ROTHSTEIN: So as I hear the suggestion, what we need to add to the
letter is some indication that there is PHI in the medical devices or linked
through the medical devices to some other aspect of the medical record in the
hospital or other institution, and that is why it is a HIPAA-security issue. Is
that your question?

DR. CARR: Yes, that would be great.

MR. ROTHSTEIN: Okay. So we will do that for sure.

MS. MC CALL: One thing and this is kind of a clarification of some
examples. There are devices that are implanted that stream information, and it
may not necessarily go straight into an electronic medical record. So it is
actually going, perhaps through open channels, and going into some database
that is not technically part of what is thought of as a medical record. So that
could be another clarification put in.

MR. ROTHSTEIN: Right. John, did you get that?

MR. HOUSTON: Yes.

MR. ROTHSTEIN: Okay.

DR. COHN: Yes, Paul had a comment.

DR. TANG: Yes, actually, there’s a couple of issues, I think.

One is there are devices – all devices, almost, now have both an operating
system and software that operates native to the device, and some of them –
let’s say these smarter devices, smart monitors, actually do have patient
information stored in what might be considered the confines of the box.

The other problem is actually, I think, a little bit more concerning, and
that is that viruses not only can disable networks and things that you normally
associate with computers, they can affect the operation of the software in the
device and literally stop the operation of – let’s say – a monitor, a
ventilator, very important devices. So that is a real challenge. Hopefully, the
challenge is more so in the more contemporary devices so that we can update
those.

One of my questions would be is there a need for doing a risk analysis of
these legacy systems that can’t be upgraded? Is the fact that they can’t be
upgraded also a protection that they aren’t infectable (laughter) infectable by
a virus, but I don’t know the answer to that.

MR. ROTHSTEIN: Well, I do think the recommendations at the end contemplate
that assessment of the legacy devices and the way in which they can or should
be updated.

DR. COHN: Okay. So we’ll hold that thought and see if it gets reflected in
the recommendations.

Mike.

DR. FITZMAURICE: On the last sentence on the first page,
“Manufacturers are concerned that some customers update medical equipment
with the latest patches without first verifying whether the update affects the
safe operation of the medical device.”

I was puzzled because if the manufacturers themselves are the source of the
patches, then they probably know that –

MR. HOUSTON: They’re not the sources.

DR. FITZMAURICE: Right. So that there are other sources.

MR. HOUSTON: Right. There’s an imbedded operating system like Microsoft or
Windows or something of that sort. Often, the provider will actually take that
update and try to install it on the device that is containing that operating
system. Maybe we should clarify.

DR. FITZMAURICE: I would clarify it with – like the latest patches from
sources other than the manufacturer, and, then, at the end, I would append, in
their specific uses, because they can apply it to their device, it could be
fine, but somebody uses the device inappropriately, given that update, it
becomes that person’s or the institution’s responsibility, but they would be
concerned, then, about the use, not in their own manufacturing operations or
the normal use, but somebody else’s use. So at the end, I would put, in their
specific use, just to clarify that as well.

MR. HOUSTON: I’m not sure I understand.

DR. FITZMAURICE: We can talk.

DR. COHN: I think you guys can wordsmith that offline. Anything else in
terms of this first page before we move on?

MR. ROTHSTEIN: Okay. Page 2.

“One witness representing the VA testified that the Security Rule has
been perceived as a barrier to the continued use of certain medical equipment.
Where medical equipment needs to be modified to comply with the Security Rule,
the providers must often wait for the manufacturer to provide the appropriate
updates.

“Another witness representing the FDA stated that the FDA’s primary
focus is the safe and effective use of medical devices. As such, the FDA does
not evaluate security in approving the use of a medical device. The witness
further indicated that it is the responsibility of the medical-device
manufacturers to design their devices to enable Covered Entities to comply with
the Security Rule.

“A number of witnesses recommended that a process be developed to
allow manufacturers to post Security Rule information for their medical
devices. The witnesses cited an initiative by the Healthcare Information
Management and Systems Society, HIMSS, Medical Device Security Workgroup. The
workgroup proposed that the industry adopt the use of a ‘Manufacturers
Disclosure for Medical Device Security’, MDS-2, form. The MDS-2 is a vehicle
for Medical Device Manufacturers to report the capabilities of their medical
devices consistent with the security rule. While there was no consensus whether
the HIMSS MDS-2 form was suitable for use, in concept it appears that this
approach would be of great value to providers.”

I’ll stop here before the recommendations.

DR. VIGILANTE: So am I to interpret the second paragraph to mean that the –
if a device has been approved by the FDA, that changes of this nature do not
materially impact what was considered in approving that device?

MR. ROTHSTEIN: Yes.

DR. VIGILANTE: Okay.

MR. ROTHSTEIN: That was the testimony from the FDA.

MR. HOUSTON: Interestingly enough – and I have it up on my screen now – the
FDA actually issued some guidance regarding medical devices containing
off-the-shelf software, and it just happened at the beginning of February, and
it seems to be slightly conflicting, maybe, or at least inconsistent with that
testimony, and, interestingly enough, it was also – this guidance was provided
by the same person who testified here.

So I am not sure whether – there’s – at least indicating that they have an
interest in ensuring that providers appropriately secure their medical
equipment. So I’m not sure how much of an active role the FDA is going to take
in that regard.

MR. ROTHSTEIN: Well, let me suggest that we take a look at that at our
subcommittee meeting tomorrow morning and report back the new language that we
adopt, and then take whatever credit we want for FDA changing its rule and
claim that it came out of our hearing.

DR. COHN: Did you want to map that on the website? (Laughter).

DR. VIGILANTE: Yes, I think there is a fair amount of anxiety among
manufacturers that if they apply a patch to something that has been previously
approved, are they held liable for operating a device that is different in some
way than the one that was originally approved, and I think that it is correct
that, in most of these cases, that won’t be the case, and I think the FDA has
criteria against which that modification needs to be assessed. However, one
could conceive circumstances in which you would be outside the set of those
criteria. So it might be helpful to actually state those criteria, so it’s
fully understood.

MR. ROTHSTEIN: The criteria based on the new rule from –

DR. VIGILANTE: I believe FDA has a set of criteria against which any
modification would be assessed. I haven’t read them in a while, but there’s
three or four criteria, and as long as you are within the boundaries of those,
then you don’t expose yourself to liability or – by fundamentally changing the
nature of the device as originally approved.

MR. ROTHSTEIN: How about if we take a look at that and incorporate the
suggestions from Kevin into this new paragraph that we are going to draft when
we look at what the new FDA position is? Is that okay?

MR. HOUSTON: Some of the recommendations might also sort of touch upon this
or at least discusses the fact that we think there’s guidance that is required,
and I think, even in that regard, I think that some of that might already be
there by reference point already.

DR. COHN: Well, I’m glad that you’ve been given some wordsmithing
activities here so far, please. (Laughter).

MR. ROTHSTEIN: “Based on the oral and written testimony, NCVHS
recommends the following:

Bullet number one, “HHS should provide guidance to covered entities to
assist in bringing medical equipment into compliance with the Security
Rule.”

Bullet two, “HHS should provide clarification regarding the compliance
obligations of covered entities with non-compliant and non-ungradable legacy
medical devices. A range of options should be considered based on the nature of
the equipment, its replacement cost and life expectancy, the security problems,
and the possibility of protecting the security of PHI through other
means.”

Bullet three, “HHS should consider supporting industry efforts to have
medical-device manufacturers self report the capability of their medical
devices consistent with the Security Rule.”

And bullet number four, “HHS should develop guidance to assist
medical-device manufacturers to provide medical-device functionality consistent
with the Security Rule, as well as address security risks.

“We appreciate the opportunity to offer these comments and
recommendations.

“Sincerely.”

I would make one suggestion myself, having gone through this several times,
is to reverse the order of bullets four and three, because we deal in bullets
one and two with covered entities, and I think that clearly should be first,
and then guidance comes after that, even though it is through manufacturers,
and then the fourth one, which is now number three, the consider supporting the
industry seems to me to be less – sort of farther away from the core mission of
what we normally recommend, and that, I think, logically, should be number
four.

MR. BLAIR: I would support that change.

SPEAKER: So it’s 1, 2, 4, 3.

MR. ROTHSTEIN: Yes, that is what I would suggest.

DR. TANG: Just like the HIPAA privacy rule, one of the main advantages or
the benefits might have been it raised the awareness even of providers about
their obligations and responsibilities.

In this sense, I am wondering what the awareness is of providers on the
potential risk of the security – the disabling of the operation of the device,
and I wonder if there could be a bullet really close to the top about
addressing that. So although it may be contained in how do they comply with the
security rule, maybe we really need to understand the risk assessment of, let’s
say, viruses or broadcasting of PHI from their device, because I don’t know
that providers understand that until they have had their first mishap.

I am going to try to get some more details. We had a virus infect our
network and disabled communication with the monitors, and I want to get some
more details that I might be able to bring tomorrow morning, but it is
something that is going to be just living life in the new world.

MR. ROTHSTEIN: Well, the way we could – I think – capture that in a bullet
recommendation is to recommend that additional education and outreach efforts
be undertaken by the Secretary to inform covered entities of the potential
threats to PHI in medical devices. Is that along the lines of what you are
suggesting?

DR. TANG: I think so. I suspect there’s some in the industry that don’t
know that their devices can be infected and what its impact is to patient care

DR. COHN: Okay.

DR. VIGILANTE: So it’s more than PHI. I think – but if you can imagine the
more integrated your system is the more vulnerable – in the future, when, you
know, both your infusion pumps and your monitors and your ventilators are
controlled by, say, a central dashboard at the ICU, rather than locally, if
something gets infected and they all go down disabled, either by accident or
purposefully, it creates vulnerabilities to patient care, which I think have
been underappreciated rather substantially.

DR. COHN: Yes.

John.

DR. LUMPKIN: Well, I think that there is a bigger issue which we are kind
of mired in because of our perspective on health-information policy, and that
is that as medical device is used and have more innate intelligence, they
become vulnerable, not only to intentional problems, but, by upgrading, you
could, in fact, you know, if the original device was designed such that they
used a loophole in the Window’s operating system and a patch closes that, that
could be a serious complication.

Now, if this were a hip implant and we knew that there were crystalline
defects in that and they are liable to break, there would be a recall or
something done by the FDA, and I think that probably what should be done,
either in a separate communication or sort of as an – saying, this is something
the FDA needs to look at.

These things ought to be tracked. They ought to be monitored, and when
patches come out that potentially disable them, there ought to be notifications
and sent to people who actually own these devices.

DR. COHN: Yes, John Houston, John Paul, and then I think we are going to
need to stop for just a second.

MR. HOUSTON: Okay. I think a lot of what we are talking about, the FDA is
already attempting – I think they are already attempting to do in this most
recent guidance that they have put out.

DR. COHN: Okay.

MR. HOUSTON: I guess my question is is are we recommending something that
the FDA is going to look at and say, February 9th, we put out a
guidance document that was really intended to provide – at least start down
that road.

DR. COHN: Okay.

MR. HOUSTON: So just want to make sure we are not-

DR. COHN: And I’m going to suggest we hold off for just a second. We are
moving to a different item now, and then we’ll come back and dispose of our
comments and figure out what the next steps are.

What we want to do is to shift to a comments from the Assistant Secretary
for Planning and Evaluation. Michael O’Grady, we are happy to have you join us
and thank you for coming.

DR. O’GRADY: Thank you.

DR. COHN: Please.

DR. O’GRADY: I did just want to take a minute to thank everyone, and, in
particular, on behalf of the Secretary and the leadership at HHS, I do want to
express the Department’s really deep thanks and appreciation to the members of
the National Committee on Vital and Health Statistics, and, really, the long
and distinguished history of this committee, I just – like I say, I wanted to
come here and really thank you for the great work that you have done so far.

We have a couple of members who will be leaving and a few who will be
joining, and I just wanted to take a second, and they have – as my friend, Mr.
Scanlon, here – this friend Mr. Scanlon, not the new Mr. Scanlon. (Laughter).
That’s right. Yes, that’s right, but we don’t call them Scanlon One and Two.
(Laughter). We just don’t – we don’t do that, really.

I did want to take a second. There are some certificates here, as well as
an award or – to show the dedication, and I just would like to read the
certificates, if you’ll bear with me for a second.

From HHS, the Office of the Secretary, the Secretary’s Certificate of
Appreciation presented to John R. Lumpkin, M.D., M.P.H, for the dedicated
leadership, service and major contributions to the advancement of the national
health information policy as a member of the National Committee on Vital and
Health Statistics from September 1996 to December 2004, and Chairman from
September 2000 through December 2004, and as Chairman of the National Health
Information Infrastructure Workgroup from June 2000 through December 2004. Dr.
Lumpkin, thank you very much. (Applause).

Is it all right to take the rubber band off or is that – (laughter).

Let’s see. I believe – Is Vickie Mays here as well? Oh, well, then maybe
I’ll read for the people who aren’t, and see if she steps back in.

Again, from the Office of the Secretary, the Secretary’s Certificate of
Appreciation to Jacklyn Lee Adler for dedicated service and major contribution
to the advancement of vital and health statistics systems for the U.S. as the
committee management specialist for the National Committee on Vital and Health
Statistics, February 1985 to February 2005. (Applause).

And to Peggy L. Bartles-Handrich for dedicated service and major
contribution to the advancement of population health statistics, and as a
member of the National Committee on Vital and Health Statistics, October 2002
through December 2004. Thank you. (Applause).

DR. COHN: And Vickie has arrived. Vickie has arrived.

DR. O’GRADY: That’s all right. I just thought if we were going to read the
certificate, it would be better if you were here. (Laughter).

From the Office of the Secretary, Secretary’s Certificate of Appreciation,
Vickie Mays, Ph.D., M.S.P.H., for dedicated service and major contributions to
the advancement of population health statistics and as a member of the National
Committee on Vital and Health Statistics and Chairman – Chairperson of the
Population Subcommittee, October 2001 to December 2004. Thank you very much.
(Applause).

And one last one to Eugene L. Lengerich, B.M.D., for the dedicated service,
major contribution to the advancement of population health statistics and as a
member of the National Committee on Vital and Health Statistics, November 2000
to December 2004. (Applause).

And I do want to point out for you who don’t actually have a copy of this,
it is actually signed by Michael Leavitt, not a lowly Michael O’Grady. It’s a
real – main boss is the one who actually signed it.

Jim, have you already introduced the new members at this point or should we
do that?

MR. SCANLON: Why don’t you do that.

DR. O’GRADY: Okay. All right. Well, I just do want to really thank very
much everyone who is finishing up their turn and wanted to really welcome the
new members of the committee.

Dr. Bill Scanlon, an esteemed scholar, recently of the General Accounting
Office, before that and after that of Georgetown University and any number of
different areas. I think you’ll find Dr. Scanlon is an excellent member and
contribution to this.

Carol McCall from Humana. I have to admit in my checkered career I have had
the interesting career of having an awful lot to do with actuaries over the
years, for a guy who basically worked on the Hill for much of his career, and
Carol is really one of the smartest and most innovative actuaries I have ever
come across, and whether she knows it or not, her thoughts and influence can be
found in any number of provisions of the new Medicare Prescription Drug Act, in
terms of just an innovative way of looking at these very old problems and how
to sort of come up with a new way to deal with them.

And Paul Tang. Paul – Hi, Paul. Welcome very much. I’m afraid you and I –
this is the first time we have met, but I really want to welcome you very much,
and you certainly come very highly recommended, and I’m sure – hopefully,
you’ll enjoy it, and I am sure that your fellow members should really
appreciate your contribution. Thank you very much. (Applause).

DR. COHN: Michael, thank you very much for joining us.

Now, probably, we ought to try to finish up that last item and then take a
break.

I think what we have heard is a variety of – I think, primarily,
wordsmithing with some substantive bullets –

MR. ROTHSTEIN: Well, I think there are several substantive additions that
need to be made that John will get on right away. (Laughter).

DR. COHN: Yes. I do want to comment, obviously, the focus for this effort
is really going to be the privacy subcommittee meeting tomorrow morning –

MR. ROTHSTEIN: Right.

DR. COHN: – and I think this is a timely enough letter that we do need to
have this completed and up to everybody’s satisfaction, though maybe not
perfect, but, hopefully, good enough that people will be willing to pass
tomorrow, and I also am hoping, obviously – I know John had a reputation,
certainly, I have a reputation of having meetings end on time, and so I want to
make sure that we have this letter in a shape tomorrow that we can actually go
through it and pass it in a relatively speedy fashion, lest I’m going to have
to violate my tradition and keep everybody after. So –

MR. ROTHSTEIN: Simon, you’ll have it tomorrow. May have some tomato sauce
on it, but – (laughter) – you’ll have it tomorrow.

DR. COHN: Okay. Well, with that, I think we’ll all work on it and provide
input, and, obviously, thank you all.

John, again, congratulations, and Vickie.

Now, with that, we will take a 15-minute break and reconvene at 11:10.

(Whereupon a break was taken at 10:55 a.m.)

 

 

DR. COHN: Okay. Let me just talk for a minute about the work of the next
hour and 15 minutes and then what will be happening as we move to after lunch
between basically 1:15 and two o’clock.

As you’ll see, we have basically two action items coming forward from the
Subcommittee on Standards and Security. There is a longer letter on
e-prescribing. I think you have the – sort of the final draft on your desk, and
then there’s a shorter letter, once again, from the subcommittee making
comments on the e-prescribing proposed rule that CMS has come out with.

Now, actually, do we have that other letter? The other thing. Okay. So we
have both letters.

What we’ll be doing is discussing both of them, with potential action
coming tomorrow.

Now, I do want to remind everyone that full committee time is – obviously,
we try to minimize actual wordsmithing. It is time for important concepts, if
we are not expressing the ideas, and I think we did a pretty good job of that
with the letter on medical devices.

Obviously, given the length of the first letter, we are not going to start
reading all of the background. Otherwise, we will be here many hours into the
evening.

MR. HOUSTON: I would like to have it read, please. DR. COHN: Thank you,
John. I think I’ll pretend I didn’t hear you on that one.

But what we will do is to start moving into the observations and
recommendations and, obviously, asking all of you who have reviewed the
background – I mean, obviously, time permitting, we will go back and take
comments on the background, but we would really ask – since the background is
primarily factual and sort of sets up the observations and recommendations, if
there are specific points in there, we will either take them from you, after we
have gone through the observations and recommendations, or off line, as we
begin to do further wordsmithing on the letter.

Obviously, as I said, we’ll, hopefully, make it to as far as we can on the
first letter before the lunch break, finishing up whatever is left afterwards,
and then move on to the other letter.

Is everyone okay with that process as we are describing, other than John
Paul? (Laughter). Thank you, John.

MR. HOUSTON: Make one other statement, that I am glad that Paul is now on
the committee, because we have preserved the ratio of lawyers to physicians –
(laughter) – which is a very important.

DR. COHN: Well, with this one, I will hand off the discussions to both
Harry Reynolds and Jeff Blair, please.

Agenda Item: Letter on e-Prescribing Action
March 4

MR. BLAIR: Okay. Harry and I have kind of worked out a little game plan
here, and Simon has, you know, indicated to you, for the most part, our
proceeding here.

For those of you who are new, you probably noticed that in September of
this last year we provided our initial recommendation on e-prescribing
standards, but we didn’t have time to be able to cover all that had been set
forth in the MMA – MMA being Medicare Prescription-Drug Improvement
Modernization Act. So this letter that you have in front of you now is an
effort to focus on some challenging areas.

As Simon indicated, we are assuming that, since you received this letter
before this last weekend, that you will have had a chance to have read it by
now, and, therefore, we will not go through the background section up front. We
could come back on that, but we are assuming that you have at least read that
through.

So Harry is going to begin with the observations and then the
recommendations that address those observations. There’s 10 of them.

The first two observations are focused on e-prescribing. They are a pair.
The first one winds up having observations that focus on current e-signature
issues, electronic-signature issues within electronic prescription networks,
and the second one winds up indicating that not all electronic prescriptions
will go through e-prescribing networks and that there may be greater security
requirements in the future. So they are a pair. So keep that in mind as Harry
reads those through to you.

Then, Observations 3 through 9 are really follow-up or monitoring
observations based on the recommendations of NCVHS last September.

Then Observation 10 winds up being kind of a joint observation and
recommendation that was done with the Privacy Subcommittee on privacy issues
related to e-prescribing.

After Harry and we go through the process of going through all of those –
we’ve got about an hour – okay? – then, if there is time left over, then, we
could entertain any questions or comments on the background section, and if we
don’t have that time, then Margret Amatayakul, are you here?

MS. AMATAYAKUL: Yes.

MR. BLAIR: Okay. Then may I ask if you get those additional – you know,
especially any wordsmithing or editing, commas, punctuation stuff, please get
that to Margret in time for our breakout session at – I guess it’s three
o’clock today.

Okay. Harry, would you like to help us through the observations.

MR. REYNOLDS: As I get started, I think it would be appropriate for the
Standards Committee to thank Simon for his leadership in putting this together,
since this is the morning of thanking everybody for their contributions as they
move forward.

MR. BLAIR: Yes.

MR. REYNOLDS: So we would like to applaud that. (Applause).

Obviously, there must be a problem with the letter or he might have gone
ahead and presented it, but – (laughter). So I’m not sure. Sometimes being new
chair people is not a good thing to do. So we’ll see.

Karen mentioned it was the Academy Awards. I feel like I’m doing a
responsive reading of the Federal Register but hang with us. We’ll get through
this.

Okay. Observation 1, on page 5 of 18. That is the need for coordination
between HHS, DEA and state boards of pharmacy to avoid fragmentation of
e-signature requirements.

E-prescribing offers great value. E-prescribing networks provide end-to-end
security through a series of electronic pass-offs that do not entail any human
intervention. The result of e-prescribing has been improvements in patient
safety through more complete and accurate prescriptions, direct transmission of
prescription to a dispenser where fill status can be monitored and elimination
of the need for the dispenser to decipher and transcribe often illegible,
handwritten facts or paper prescriptions.

E-prescribing transaction processes can support return receipts sent from
dispensers to prescribers that also contribute to identification of potential
fraud and abuse should a prescriber receive receipts for prescriptions not
written.

Pharmacists are responsible by law for ensuring the authenticity and
validity of prescriptions, including e-prescription.

The states and federal government have distinct roles in relation to
e-prescribing. The states regulate paper prescriptions for non-controlled
substances and are branching out into the regulation of electronic
prescriptions for them.

The requirements differ from state to state, which makes it expensive for
vendors to vary their products from location to location, and, in some cases,
makes it difficult to handle e-prescriptions across state lines.

In addition, some states have restrictions on e-prescribing so that
e-prescribing networks do not provide services there.

Let me stop there a moment, so we don’t get way too many paragraphs out
there before there is comment.

Okay. Hearing none, we will continue.

The federal government has a role in e-prescribing through the Drug
Enforcement Administration’s regulation of prescriptions for controlled
substances.

The Controlled Substances Act requires that prescriptions written for
Schedule 2 controlled substances can be delivered to a dispenser in original
form with a wet signature.

Prescriptions for Schedules 3 through 5 substances may be faxed or
communicated orally to the dispenser.

The DEA has not yet made a ruling regarding the requirements for electronic
transmission of prescriptions for controlled substances.

E-prescribing network and software vendors expressed strong concerns that
the DEA will require a PKI solution for controlled substances that are
prescribed electronically. This could take the form of requiring PKI use for
only Schedule 2 substances or PKI use for all controlled substances. Either
way, the industry expressed concerns that this would create a significant cost
burden, which would serve as a barrier to e-prescribing adoption and use.

In addition, the e-prescribing industry testified that the marketplace was
not yet ready for widespread PKI use. As a result, if PKI were required for
e-prescriptions for controlled substances, the near-term response would be for
the industry to continue its current practices which is paper based. This, in
turn, would slow down e-prescribing adoption and use, create a two- or
three-tiered system for e-prescriptions for controlled and non-controlled that
would be expensive and burdensome to implement, and, in the end, deny patients
the safety and quality-of-care benefits afforded by e-prescribing.

Comments?

Finally, the e-prescribing industry strongly believes that PKI is not
necessary, as current methods are adequate for ensuring prescriber
authentication and accuracy and validity of prescription contents.

It is clear that e-prescribing networks provide more security than
traditional fax – traditional paper, fax or phone, which are prone to abuse,
given today’s copier, fax and telephonic technology.

E-prescribing transactions for non-controlled and Schedule 3 through 5
controlled substances currently are conducted in compliance with HIPAA security
regulations and include dispenser validation through callback to the prescriber
for prescriptions written for Schedule 3 through 5 controlled substances.

Today’s e-prescribing networks use several important security features,
including credentialing prescribers and dispensers, trading-partner agreements
to grant access to the networks, and protocols to secure transmission and
provide authentication and integrity to the electronic prescriptions. Testimony
indicated that there is no evidence that these security measures have been
inadequate to secure electronic prescriptions.

Recommended Action 1.1. HHS, DEA and the state boards of pharmacy should
recognize the current e-prescribing network practices that are in compliance
with HIPAA security and authentication requirements as the basis for securing
electronic prescriptions.

These security practices are discussed in the background and illustrated in
Appendix A. In addition, these practices are applied in conjunction with the
dispenser’s responsibility to use their professional judgment in determining
the validity of prescriptions.

Different requirements may be needed for transmission of electronic
prescriptions that do not go through such networks.

Recommended Action 1.2. HHS and DOJ should work together to reconcile
different agency mission requirements in a manner that will address DEA needs
for adequate security of prescriptions for all controlled substances without
seriously impairing the growth of e-prescribing in support of patient safety as
mandated by MMA.

Comments on Observation 1?

MR. ROTHSTEIN: I have a question in the wording of Recommended Action 1.1.
I am trying to focus on what the event is that we want as a result of this, and
you say HHS, DEA should recognize the current e-prescribing networks that are
in compliance. What do you mean by recognize? Certify? Develop standards or
notify?

MR. BLAIR: Could I clarify that?

MR. ROTHSTEIN: Please.

MR. BLAIR: Yes, actually, if you read a little more in the sentence, it is
really recognizing that the e-prescribing networks – and I don’t have it in
front of me, so I can’t have the exact wording – that are in compliance with
HIPAA security and authentication requirements form the basis for e-signatures
for e-prescribing over current e-prescribing networks. So it’s – we have
bounded it. We basically wound up saying that if a prescription – an electronic
prescription – is being sent over those networks and they comply with the
security – the HIPAA security requirements that are there that HHS accept that
that is the basic level, the foundation level and that that is sufficient and
adequate at this time.

And then recommendation. When Harry reads Observation 2, it is going to
wind up saying what if they are not over an e-prescribing network or what if we
determine that there’s more demanding requirements in the future – and I won’t
get ahead of – you know, but that is going to be a different case.

DR. COHN: Mark, is that satisfactory or are you still mulling over it?

MR. ROTHSTEIN: Well, that is a fine rationale, and I am not questioning
that. I just – I don’t know what should recognize mean –

DR. COHN: Okay.

MR. BLAIR: May I say one other piece here, because while Harry was reading
through the observation which explained why we came up with this, I think you
were in a conversation at that time. You may not have heard the observation.

MR. ROTHSTEIN: That is a risk of sitting next to you. (laughter).

MR. BLAIR: So let me give the premise for why we would make such a
recommendation. It is an unusual recommendation. You are right, Mark. It is –
we don’t make very many recommendations like this, and it was basically that we
received testimony from the industry that said that even though the security
procedures that they have in place and authentication procedures they have in
place may not be using the most advanced security technologies, it appears as
if what is being done today – there is no evidence that what is appearing being
used today is inadequate, and the other pieces are that if they were to use the
most advanced technologies, it would be very disruptive and delay the use of
e-prescribing and leave a lot of folks back in the paper mode, and so you might
say this is sort of an acceptance of reality. So, therefore, Recommendation 1
says, HHS should accept this as the basis.

MR. ROTHSTEIN: That would be fine. That is not how it reads.

DR. COHN: Paul, do you have a comment on this or another comment?

DR. TANG: My comment is on the authentication process.

DR. COHN: Okay. Well, Steve, did you have a follow on?-

DR. STEINDEL: I have a follow on this.

I think, Mark, your question seems to revolve around the word, recognize,
and we had a lot of struggle about what word to put in there, and one of our
big problems in this area was normally the committee sends a recommendation to
the Secretary and we can say we recommend that HHS does –

MR. ROTHSTEIN: Right.

DR. STEINDEL: Well, in the e-prescribing world, HHS is just one player.
There is also the Department of Justice through the DEA and the State Boards of
Pharmacy. So they are all involved in the e-prescribing process and all have to
agree that the e-signature process is acceptable, and we struggled with what
word to use. We can’t say that HHS should put out regulations in this area or
anything like that, because, really, they are not the only player. So we used a
word that would convey the acceptance of the process, but not be prescriptive
on how to do it. Does that clarify why that word was chosen?

MR. ROTHSTEIN: Yes, I just think – I understand all that and I have no
expertise in this. I just think how we phrase what the recommendations are is
very important, especially in a big, long document, the very first one out of
the box you read and go, What’s that all about? But, I mean, I accept that.

DR. COHN: But I think you are also asking whether it recognizes the right
verb –

MR. HOUSTON: What are the options –

DR. COHN: Well, I guess –

MS. MC CALL: Or even to clarify, to say, recognized by accepting as a
possible standard as sufficient, recognizing that it may not be setting a
standard.

MR. BLAIR: Well, if we go to solution or as a standard, that was more
definitive than we felt comfortable with.

We wound up saying, as a basis, as a foundation, because there is not
enough information to know whether this is really adequate.

We had industry testimony that seemed to say there is no problem with it
yet, and that is why I indicated that this Observation and Observation 2 are a
pair, and this is basically saying that they should recognize current practices
as a basis, and, then, when we go on to Observation 2, it is going to wind up
saying, when we start to look further, then, more research needs to be done.

MR. REYNOLDS: I would add one other thing, that there’s really – the
structure that we heard is that there is multi- – and we heard from NIST and
everybody else about what is good authentication and security.

We feel that we heard clearly from the industry that they have multilevel
authentication and security, and, further, pharmacists are responsible for the
authenticity of the actual prescription. As we listened to the testimony on the
paper versions, now, where doctors sign all the slips already and then somebody
else fills it out and the other things, there is plenty of down sides to now.

So when you get into the security world, we heard clearly that there is no
single standard – back to your point, Carol. There is no standard out there.
Different than NCPDP, which they handed to us, and these other things that are
going on. So you are into different levels of security, multi-tier
authentication and other things. So that is why we recognized that we would
send it over this way, and then, as the pilots go on and as further discussion,
and you’ll see an Observation 2 goes on, exactly what that needs to be, because
PKI, as we heard it, was really – didn’t look like an ultimate answer at the
time, and there was no standard that you could just pluck out like we did NCPDP
and some of the other things, and so we talked about the multi-tiered and we
talked about – you’ll hear us say in here, a number of times, that the
dispenser is responsible, in the end, in all states, for the authenticity of
the actual prescription. So most of them have set up the network all the way
back to the prescriber. So that is why we termed that exactly like we did.

DR. COHN: John, did you have a help in this one?

DR. LUMPKIN: I hope so.

DR. COHN: Okay. Thank you.

DR. LUMPKIN: From my years as a regulator, one of the things that states
don’t want the federal government to do is to tell them what the standard is,
but they do appreciate it when the federal government identifies what could be
a standard, and so, actually, I think the word, recognize works if you were to
change the – in line 43, to say authentication requirements, as a basis for
securing electronic prescription. So we are giving guidance to them. They can
accept this. They can also accept another standard that they would consider to
equivalent, generally, something home grown, but I think this may deal with the
regulatory environment that we are trying to sort of stick our foot into.

MS. GREENBERG: Changing “the” to “a”.

DR. LUMPKIN: To “a”.

MS. GREENBERG: Um-hum.

DR. COHN: Well, that’s not bad.

MR. REYNOLDS: Margret, did you capture that?

MS. AMATAYAKUL: Yes.

MR. REYNOLDS: Okay.

DR. COHN: Well, that is certainly right minimalistic. Thank you, John.
(Laughter).

MR. BLAIR: Can we say something to the Secretary where you could stay on,
John? (Laughter).

DR. COHN: Okay. Now, Paul, you had a question?

DR. TANG: Yes, and maybe this is helpful with his the/a change.

Compliance with HIPAA security and authentication requirements is still
quite open-ended, because it is mainly addressable, and I am not sure the
comparison with paper is as relevant as we would like to think. One, of course,
if paper was so bad, I’m not sure we want to just be a little bit less so bad,
but the other is the pharmacist. All humans are quite capable of making
judgments on the written signature, which was the standard, or the tone of the
voice order over the telephone. There are ways you can detect – you assess
authenticity. Do they have any of the wherewithal to assess authenticity when
they are just basically getting an electronically-transmitted message from –
let me just hypothesize – a provider that uses a password – a generic password
for the entire office – is that good enough?

So in John’s thought – and I certainly am not for over-regulation either –
but could there be a floor, in terms of what is the authenticity required for
this application? Even passwords alone – having a password rule alone could be
a step in the right direction, although, we, of course, can’t stop the shared
pathway, for example, but to think that anything that goes – that any provider
office, which is how – you know – the superior role is written, could go,
assuming they decide the risk is appropriate, is that good enough for, let’s
say, a controlled substance? I just have that question. It is not the same as
looking in the signature. We don’t have the same equipment. We don’t have the
same –

DR. HUFF: The discussions we had on this were – one is what we are really
trying to say here is they have ultimately the responsibility, and, in fact,
what our discussion was is that what we would hope is that, given the
principles, they would accept that – basically, they would accept the design of
the system as, in fact, secure, so that they didn’t have an individual
responsibility to try and determine each one that came in was there.

Now, the other thing that – just to address – we had also testimony that
said, yes, one out of 100 times I might catch, in the paper world, an error,
but, in fact, because of how chain pharmacies have happened, and the growth of
– we don’t know anymore what a physician’s signature looks like, and, you know,
it is very, very rare that we can authenticate, based on paper or on the
signature or on anything else, and so, you know, we do feel this is better.

Now, the other thing is that – as you point out – we recognize that people
share passwords. I mean, you know, we give out secure ID cards, and then you go
visit the office and there it is on a chain by the computer, so that anybody –
you know, so it is handy for people to – and so, in spite of recognizing that
happens, we still hold the person legally responsible who had that. So whether
it is a valid prescription or not, we are going to hold that person responsible
because they signed documents that said that they would be responsible, in
spite of the fact that they are now sharing their password and doing other
things.

And then, finally, we intentionally didn’t want to be prescriptive here, in
terms of technology. In fact, we felt like, because technology is moving and we
didn’t want to try and designate a particular technology – and especially not a
particular vendor that had to be used in this environment – we tried to leave
it, in fact, according to the spirit of what was being done in HIPAA, so that
these things could change over time, as long as they were meeting the standard
that, in fact, people were authenticated.

So that is kind of the thinking that went into how we got there.

DR. COHN: Paul, is this helpful?

DR. TANG: Yes, I think so.

DR. COHN: Yes, and it is a difficult issue, and we actually struggled – I
mean, I think Stan is right, I mean, that there was a lot of struggle about how
prescriptive to not, and, at the end of the day, we have to reflect back, as we
get into these areas.

You know, HIPAA actually did talk about an electronic-signature standard,
and that was never acted on, because nobody could quite get their arms around
it, and the security rule is really an evaluation standard. It isn’t a standard
like anything else we see. I mean, it says, do a risk analysis and use your
best judgment based on that. It is really – with various addressable aspects,
and we sort of, at the end of the day, had to sort of come back to something
that was a little less specific, as much as we would all like to really pin it
down, I think, such as you are describing. I think I am reflecting the views of
the subcommittee on that.

MR. REYNOLDS: Yes, and I think another thing we heard is there could be as
many as five to six hand-offs from the original doctor submission, and that
there are checkpoints, and that there are multi-level – as I said –
authentications, and then it goes to the hub, and the hub has authentication
and they assure the pharmacist that anybody they sign up that is coming through
has these things in place. So there is an industry out there that self-enforces
its hand-offs, and that has to be to the satisfaction of the dispenser or they
don’t get signed up. The dispenser, in the end, is still in the whole chain and
knows where those things are coming from and whether or not – because it
usually comes through – the last step before the dispenser is their switch that
they have signed up with. So that is the other thing I think we heard from the
industry and felt comfortable that that had been addressed, but, obviously, it
is the most imprecise of our recommendations on what should be done, because it
is a questionable area.

DR. COHN: Other comments?

And I don’t know that we are solving everything, but, hopefully – at least,
I see people nodding their heads. Hopefully, we are – we have obviously made
one change, a the to an a – (laughter) – which actually was very helpful, John.
Thank you. That only took 10 minutes, but we do appreciate that.

Any other comments about these observations?

I guess I should also comment that one of the other pieces we saw that are
probably almost more important than anything else and which we really haven’t
commented, because it is so obvious, is this idea that, Geez, we have HHS and
DEA, and if we don’t get them working together, we are in real trouble, and I
think we were sort of struggling with this, and that becomes a very important
concept that we are trying to bring forward. We don’t want a world where
everybody can do everything for 85 percent of their prescriptions, and, then,
for 15 percent, so much of a hassle they dropped a paper, and so we don’t have
any of the benefits of e-prescribing for any of the narcotics being prescribed
or controlled substances, and we thought that that was a very important concept
that needed to be sort of brought forward and I think is well expressed here.

MR. SCANLON: The other message here is that – I guess I am reading between
the lines – you are recommending against the – what sketches we had of the DEA
proposal that involved PKI plus biometrics plus – it is sort of an
in-between-the-lines –

MR. BLAIR: Could we not make a comment on that? MR. SCANLON: Sure. Between
the lines.

MR. BLAIR: And, actually, when you go to our Observation 2, I think
Observation 2, in some ways, they clarify the missing pieces that we didn’t
address in Observation 1.

MR. REYNOLDS: Ready to move on to Observation 2?

MR. BLAIR: Yes.

MR. REYNOLDS: Observation 2, the need for research to address future
security risks.

Because there may be a greater need to send prescriptions over the open
internet in the future or for enhanced security of prescriptions for Schedule 2
controlled substances, there may be an increased demand for improved
authentication, message integrity and non-repudiation services.

Although PKI and other forms of digital signature are available, testimony
indicated that, currently, these technologies are costly and impair
interoperability for e-prescribing functions. Therefore, it is important to
plan for evaluating feasibility of PKI and other forms of digital signature for
use in e-prescribing as these technologies mature.

Reference information regarding electronic signature, digital signature and
PKI are available from ASTM International and ISO.

Recommendation 2.1. HHS should evaluate emerging technology, such as
biometrics, digital signature and PKI for higher assurance authentication,
message integrity and non-repudiation in a research agenda for e-prescribing
and all other aspects of health information technology.

Reason we pointed out the open internet is much of what we had heard
already was through sometimes VPNs and other protected networks, some of the
stuff that is going on right now. So that is why we moved to this next level of
– so when it really becomes more open, then what else might need to happen?

Okay.

MR. HOUSTON: I have a question. I faintly recollect, remember the
discussion about e-signature as part of the proposed – was it a security rule?
There was e-signature standards. Was it –

MR. BLAIR: No.

DR. COHN: Yes, actually, the HIPAA legislation had it included as scope.

MR. HOUSTON: Okay.

DR. COHN: It was, I think, in a proposed rule. There was some discussion
about e-signature, and then it was pulled for the final rule.

MR. HOUSTON: Right. Right. How much of that overlaps – what was in the
proposed rule actually overlaps this recommendation?

MR. BLAIR: Well, actually, that is a very good question because this is,
apparently, the second time NCVHS and HHS have gone through the process of
struggling to come up with standards for e-signatures, and you can see by these
recommendations that the answers are still not crystal clear.

What helped us this second time around was that there was some experience
with e-signatures within e-prescribing networks that had a certain amount of
security, and that is what enabled us to make recommendation – the Observation
1. Okay?

MR. HOUSTON: Yes.

MR. BLAIR: But the answer was not complete and definitive, and there is not
a definitive standard. So that is why we wound up having Observation 2.

Did that address what you are saying?

MR. HOUSTON: Well, I guess I’m just wondering whether there should be a
renewed discussion about proposed rule – e-signature standards and the proposed
rule, because, I mean, I remember they did deal with – integrity and
non-repudiation and things like that, because – just what they are, and is it
worthwhile – Is this sufficient or should we be looking at maybe trying to see
if somebody wants to dust off those standards, since they were – there was a
lot of thought and effort put into them at one point –

MR. BLAIR: Well, there is nothing – I don’t know what there is to dust off.

MR. SCANLON: There doesn’t seem to be a consensus in the industry on such a
standard.

MR. HOUSTON: Okay.

MR. SCANLON: I don’t know what the basis would be.

DR. COHN: John Paul, I actually am hearing what you are saying and I am
sympathetic. I mean, your general comment is should we relook at this whole
thing in a more – perhaps a more global fashion? This is a specific-use case.

MR. HOUSTON: Right.

DR. COHN: Obviously, we’ve got the NHII coming forward and all of that. I
would remember that not only has the federal government tried this a couple of
times, we actually held hearings a couple of years ago, also, independently,
trying to get things going again, and I think it’s – really, it is going to be
very much use-case driven.

MR. HOUSTON: Okay.

DR. COHN: I think as we move forward with the NHII, I think it is going to
have to be a question – In the same way that as we identify everything, the
question is is how secure are we identifying whatever person or place we are
dealing with within this new world.

So, I mean, I know that it is really part of this letter, but it may be
part of our work plan going forward.

MR. HOUSTON: Okay. That’s good.

DR. COHN: Steve.

DR. STEINDEL: Simon, I do want to point out in this recommendation we
somewhat allude to that we want HHS to broaden the agenda of what they are
looking at with e-signature with our closing remarks on all other aspects of
health information technology. So we do realize that this is not just limited
to e-prescribing, that it will have impact outside of e-prescribing.

DR. COHN: Well said. Now, before we – I mean, we are sort – I mean, this is
really the two recommendations that deal with e-signature. Are we comfortable
with them? I’m actually sort of looking at Carol McCall, who, in our
conversations, has had a lot of pharmacy experience, as well as sort of the
world of electronic signature and all of that. Are you comfortable? Are others
comfortable with what we have done so far?

Okay. Okay. Well, I’m seeing –

MR. REYNOLDS: Okay.

DR. COHN: Yes, Jeff, she nodded her head yes. Okay. Good.

MR. REYNOLDS: Having a quorum of nodded heads –

DR. COHN: Yes. Yes.

MR. REYNOLDS: – we’ll move to the next one, uh? (Laughter).

DR. COHN: Yes, and I would apologize. The Subcommittee on Standards and
Security has worked on this so much, we have a hard time sometimes seeing the
words. You know, when you get to the fifth, sixth, seventh version of a letter,
it is sometimes hard to see them quite as well as people who are freshly
looking at the letter.

Harry.

MR. REYNOLDS: Okay. Moving into the section on observations and
recommendations relative to progress on NCVHS recommendations from the
September 2004 letter.

Observation 3. Formulary and benefit coverage message standard. NCVHS has
monitored the progress of NCPDP as it develops the formulary and benefit
coverage message standard in accordance with NCVHS recommendations from
September 2004.

NCPDP has reported that a formulary and benefit message standard will be
submitted for approval to NCPDP at its March 2005 workgroup meeting, and
pending the balloting process, approval to NCPDP – oh, the NCPDP Board of
Trustees could approve the standard as early as spring 2005.

The formulary and benefit message standard includes formulary status lists,
formulary alternatives lists, benefit coverage lists, benefit copay lists and
cross-reference file, user-recognizable health plan product name who
identifiers use for the formulary, alternative coverage and copay lists.

Recommended Action 3.1. NCVHS will continue to monitor the progress of the
development of the NCPDP formulary and benefit coverage message standard and
will report any further recommendations to HHS based upon this progress.

I would like to make one comment on this one. The industry – throughout our
hearings, the industry truly has stepped up, and where there was an opportunity
for a standards organization to grab something and move it quickly, I think by
just seeing this you can see that it is a different method than some of the
standards situations before that have taken years. They have stepped up and
latched onto these things quite quickly.

MR. BLAIR: Harry, let me add one other aspect to this, because our
recommendation simply said that we would monitor progress. There is something
that it is silent about, and the thing that it is silent about is what we will
do after it is balloted. Okay? And it is – you know, it is our hope that it’ll
be balloted and will wind up being satisfied where we could make further
recommendations.

Keep in mind that there’s two paths that we are looking at, whether we
recommend something as a foundation standard or whether we recommend something
that has to be included in the pilot test beginning January 1, 2006. So the
silence there is because we don’t know what path that’ll take.

MR. REYNOLDS: Observation 4. Medication history messages from payer/PBM to
prescriber.

As noted in the NCVHS recommendation letter of September 2, 2004, NCVHS has
monitored the progress of NCPDP as it develops medication history message
standards.

NCPDP has reported that a standard for medication history messaging was
submitted to the NCPDP and is currently being balloted. Pending the balloting
process, the NCPDP Board of Trustees could approve the standard as early as
late spring 2005.

Recommendation 4.1. NCVHS will continue to monitor the progress of the
development of the NCPDP medication history message standards and report any
further recommendations to HHS, based upon this progress, and I think our
comments a minute ago bear out for this one as it did the previous one.

Observation 5. NCPDP fill status notification standard. The industry does
not have adequate experience with the NCPDP SCRIPT fill status notification
standard to make it a foundation standard for e-prescribing.

NCPDP has developed guidance on implementation and operational matters
relative to consistent utilization by prescribers and dispensers for the fill
status notification transactions.

NCPDP expects that Board of Trustee approval for this guidance will be
provided in April or May of 2005.

Recommended Action 5.1. HHS should include the fill status notification
function of the NCPDP SCRIPT standard in the 2006 pilot tests consistent with
NCVHS recommendations of September 2, 2004.

Observation 6. Structured and codified sig. NCPDP is facilitating the
gathering of data, defining scope and management and drafting operation
assumptions relative to structured and codified sigs, patient instructions. It
is working with Health Level 7 to draft implementation guides and refine data
elements and code sets.

NCPDP expects to release a proposed standard for coding and testing a
structured and codified sig in summer 2005.

NCVHS further notes that standard units of measure identified as a topic
for further consideration in the September 2, 2004, letter is included in the
work of NCPDP and HL7 as they define the structured and codified sig.

Recommendation 6.1. HHS should include evaluation of structured and
codified sigs in the 2006 pilot tests consistent with NCVHS recommendations of
September 2, 2004.

Is my microphone on? (Laughter).

Observation 7. Observation 7.

DR. COHN: It looked like Justine had a comment, please.

SPEAKER: It’s a good thing when –

MR. REYNOLDS: Well – I just wanted to make sure. I’ve never seen it go that
well.

DR. COHN: You notice we get a lot livelier with short letters.

Don.

DR. STEINWACHS: Just a quick one. I missed somewhere, S-I-G stands for –
you have patient instructions, but I couldn’t get that from S-I-G, in my mind.

SPEAKER: It is Latin.

DR. STEINWACHS: Latin?

SPEAKER: Yes.

DR. COHN: Yes, Mike, you helped us with that, didn’t you?

MR. BLAIR: Margret did.

DR. FITZMAURICE: – for signatura, and then that is defined as the
instructions a doctor gives to the patient.

DR. STEINWACHS: Okay. Thank you. Always good to get an education. That’s
why I come here.

DR. STEINDEL: And, Don, it was defined in the September letter.

DR. STEINWACHS: Oh, thank you. Thank you. MR. REYNOLDS: Yes, this is follow
on to that.

So Observation 7, clinical drug terminology, drug labeling, drug listing
and standard codes for orderable items.

NCVHS heard testimony from NLM that several issues are being addressed with
respect to RxNorm. These include maintenance of RxNorm outside of the UMLS
environment, elimination of code changes, development of specific ways to
handle obsolete drugs and frequency of updates, and enhancing and stabilizing
staff support, including liaison to standards development organizations.

NLM is adding NDC codes to RxNorm as they become available from FDA and
starting to link brand names to NDC codes, although, completing this will
depend on availability of information from FDA.

NLM is also planning to include in RxNorm consistent names for orderable
items associated with medications, such as test strips or oral contraceptive
dispensers. They are starting with coverage for items that are reimbursable
under Medicare Part D.

Structured product labels, SPLs, will provide the ingredients and other
information needed for the NLM to create RxNorm codes and map them to NDC.

All of this information will support the ability of NLM to produce the
Daily Med, which is intended to keep the industry current with respect to new
drugs.

NLM expects to start receiving SPLs from the FDA later this year as soon as
the FDA’s drug-listing rule is promulgated.

NLM indicated that the FDA estimates that full implementation of the
drug-listing rule will take several years to complete.

Recommendation 7.1. HHS should include evaluation of RxNorm in the
e-prescribing pilots. The pilots should evaluate the use of RxNorm codes as the
primary identifiers of orderable drugs and prescription messages. This would
assess how well the RxNorm codes can capture the intent of the prescriber and
whether a dispenser can accurately fill the prescription based on the RxNorm
code.

RxNorm should also be evaluated for use where a proprietary code is used
for the orderable drug and the RxNorm code is included in the message to
provide interoperability with other proprietary coding systems from
drug-knowledge data bases.

Recommendation 7.2. HHS should take immediate steps to accelerate the
promulgation and implementation of FDA’s drug listing rule in order to make the
inclusion of RxNorm in the 2006 pilot test as comprehensive as possible. This
is necessary to achieve the patient safety objectives of MMA.

DR. COHN: Justine.

DR. CARR: I might suggest a glossary of abbreviations – (laughter) – in
addition to the glossary of terms; and, also, I guess RxNorm was identified in
the September thing, but is RxNorm defined anywhere? I couldn’t find it in the
earlier –

DR. COHN: Yes, I think that is a good point. We actually have a glossary of
terms in Appendix C, but it sounds like we need to add a couple of things to
it, and I think our Margret is nodding her head in the back. So, I mean, some
of these were defined in the first letter, but I think we need them forwarded
to the second letter.

Now, the other thing I was going to say is – there are probably a couple of
technical changes we’ll be making to this part.

As with anything that we make changes to going forward with the
subcommittee, what we’ll be doing is usually mark up on Word. So, tomorrow,
when you see the letter, it’ll be very obvious to everybody any wordsmithing or
other changes that had been made as a result of these conversations.

MR. REYNOLDS: Observation 8. Prior authorization messages.

NCPDP reported that an industry task group is drafting flows of the
medication prior authorization process and identifying where standards exist
and where there are gaps. It has identified that attachments being developed
for claims may be leveraged and added to in order to be used for prior
authorization.

NCPDP will coordinate with HL7 if there is a need to support an attachment
booklet for the purpose of medication prior-authorization attachments. NCPDP
indicates that additional research is taking place on structuring prior
authorization messages.

Recommended Action 8.1. HHS should support the standards development
organizations – NCPDP, HL7, NASC, X-12 – in their efforts to incorporate
functionality for real-time, prior-authorization messages for medications in
the ASC X-12, N-278 health-care services review standard, and the ASC X-12-N,
275 claims attachment standard.

Recommendation 8.2. HHS should include the evaluation of the interaction of
standards related to the flow of prior authorization in the 2006 e-prescribing
pilot test.

Observation 9. Coordination of prescription message standards.
E-prescribing NPRMs solicited comments on whether Part D plans should be
required to use the standards for e-prescribing transactions within a closed
enterprise; e.g., staff model HMO.

HL7 is commonly used to communicate medication orders within a hospital and
with clinical pharmacies within an enterprise. As indicated in its
recommendations of September 2, 2004, NCVHS believes that coordination of HL7
with NCPDP SCRIPT would create more seamless functionality across healthcare
environments. This would remove a barrier of adoption of electronic medication
ordering and prescribing. HL7 and NCPDP have already begun to map their
standards that support common functions.

Recommended Action 9.1. HHS should recognize the exchange of prescription
messages within the same enterprise as outside the scope of MMA e-prescribing
standards specifications.

Recommended Action 9.2. HHS should require that any prescriber that uses an
HL7 message within an enterprise convert it to NCPDP SCRIPT if the message is
being transmitted through a dispenser outside of the enterprise.

HHS also should require that any retail pharmacy within an enterprise be
able to receive prescription transmittals via NCPCP SCRIPT from outside the
enterprise.

Recommended Action 9.3. HHS should financially support the acceleration of
coordination activities between HL7 and NCPDP for electronic medication
ordering and prescribing.

HHS should also support ongoing maintenance of the HL7 and NCPDP SCRIPT
coordination.

DR. COHN: Okay. I want to stop for just a second, because we are now going
to move back into a – really, a new recommendation. These last ones have really
been sort of follow up of previous recommendations, but I just wanted to stop.
Is everybody sort of comfortable with where we have gone so far?

Okay. The next one, as I said, was done on the basis of hearings by the
Subcommittee on Privacy and Confidentiality and incorporated into the letter.
So please.

MR. REYNOLDS: Observation 10. Privacy issues relative to e-prescribing.

NCVHS Subcommittee on Privacy and Confidentiality held a hearing on privacy
issues related to e-prescribing on November 18, 2004. The subcommittee heard
testimony from industry experts and consumers.

In general, witnesses noted that e-prescribing regulations will require
patient education regarding their rights, patient access to privacy and
security policies and consumer-friendly communications.

Privacy guidance for e-prescribing is provided through applicable state and
federal laws and regulations. For example, it is not clear whether state laws
restricting certain electronic health record communications – e.g., related to
HIV status – without express consent would be preempted by MMA.

Similarly, the federal confidentiality of alcohol and drug abuse patient
records regulations require express consent for the use and disclosure of
alcohol and drug-abuse patient records that are maintained in connection with
the performance of any federally-assisted alcohol and drug-abuse program. Any
e-prescribing regulations must consider these other health records laws.

The main privacy issue that needs to be resolved in an e-prescribing
regulation is what rights consumers should have to limit access to their
prescription records, especially for medications related to sensitive health
matters, such as mental health, substance abuse and HIV AIDS.

The same issue of balancing the privacy interest in consumer control with
the interests of healthcare quality and efficiency is central to the National
Health Information Network, the NHIN.

NCVHS will be holding a series of hearings on privacy and confidentiality
under the NHIN beginning in February 2005.

Recommended Action 10.1. HHS should identify and evaluate any privacy
issues within the context of the HIPAA privacy rule and health records laws
that arise during the 2006 pilot tests of e-prescribing.

Special attention should be placed on issues regarding individuals’ rights
to request restrictions on access to their prescription records.

Recommended Action 10.2. HHS should use experience gained from the
e-prescribing pilot test to develop appropriate actions for handling privacy
issues.

DR. COHN: Carol and then Jeff.

MS. MC CALL: Yes. Were there discussions about linking recommendations for
Observation 10 back to recommendations for Observation 4, which has to do with
medication history messages?

I know that these are to the prescriber, and these are from the payer PBM.
So both of them are recommended to go to pilot. Could you talk about having a
specific recommendation about making sure that those are linked?

If I am a prescriber, for example, and we are going to pilot the sending of
medication history, say of John Paul to me –

SPEAKER: Boy, is John Paul in trouble.

MS. MC CALL: I know it, because, you know, there’s a lot of stuff he
doesn’t want me to know.

MR. HOUSTON: That’s right. (Laughter).

MS. MC CALL: Exactly.

MR. BLAIR: May I reply?

DR. COHN: Yes, Jeff, please.

MR. BLAIR: And, actually, you kind of set me up for the comment I was about
to me.

We were – we did have a fair amount of comments when we were looking at the
provision of medication history messages.

One of the observations that we sort of wanted to connect to 10 was the
fact that we learned that PBMs were filtering some of the sensitive
information, such as medications that might be taken to address HIV, behavioral
health, sexually-transmitted disease. They were literally filtering that out of
the medication history that’s sent to prescribers, and, therefore, the
prescribers would not be receiving all of the medications that the patient was
receiving, and we also heard that they did this based on advise by their
attorneys to be concerned with the privacy issues. Of course, the consequence
in terms of patient safety was not there, but they were getting advice that the
patient had the responsibility to advise the prescriber. So there is a link.

Now, we happen to have articulated these separately, and one of the things
that I wanted to suggest was that in the last paragraph of – maybe I won’t make
my suggestion quite yet, since I responded to your question – very perceptive
question. Did that address it or did you have further questions or is there
some other suggestion you wanted to make?

MS. MC CALL: No, it is whether or not you guys had talked about –

MR. BLAIR: Yes.

MS. MC CALL: – the links – the specific links and need to link those two
items.

MR. BLAIR: Yes, and it kind of leads to the thing that I was about to
suggest, and I lost track, Harry, when you read it. I think when I read the
document earlier, I thought there was, in the observation, one of the last few
sentences referred to – had the word quality in it, but didn’t have the word
patient safety. Are you all able to see where that is?

MR. REYNOLDS: Yes, the sentence starts or the sentence you are talking
about, the same issue of balancing the privacy interest in consumer control
with the interest of healthcare quality and efficiency is central to the NHIN.

MR. BLAIR: May I offer a suggestion that just before the word quality we
insert the words patient safety, so it’s patient safety and quality, so that
that patient safety issue doesn’t get overlooked?

MR. REYNOLDS: The other thing to play off of your question, in Observation
10, it is a – we recommend that it be part of the pilot, and in Observation 4,
we are still awaiting NCPDP to see if they can even set up the standard. At
such time as they create the standard, I think your comment is excellent. I
think that if – at such point we consider recommending this to be part of the
pilot or part of the standards, that it be tightly coupled with how it effects
what is already there. That might be a way to approach it.

MS. MC CALL: That would be great.

DR. COHN: It sounds like we have caught the issue and it sounds like the
answer is maybe the next letter, which will probably be with some of those
other pieces. Does that make sense to you?

MS. MC CALL: Yes, that makes –

DR. COHN: Great. Okay. Other comments? Great.

MR. REYNOLDS: We didn’t plan to read that other long list of – that is just
really a report of individual things that we had considered. I thought we were
just going to focus on the –

DR. COHN: Yes, I think we have a couple of minutes, and I guess what I
would suggest is that maybe we go through – I mean, there’s probably a – under
the Other Standards and Important Related Items, probably the bullet that
relates to clinical decision support might be worthy of reading, and then I
want to – I mean, not completely ignore John Paul’s comment about walking
through the background, because I think it actually is a good comment, though,
with your permission, we are not going to read the whole background.

MR. REYNOLDS: Read clinical decisions?

DR. COHN: I assume that is okay with everyone. Because I think that is –
Otherwise, most of these things are, well, looked at that or we are going to
talk about it or whatever.

MR. REYNOLDS: All right. Very good.

All right. Clinical decision support in e-prescribing.

The report on clinical decision support for e-prescribing prepared by the
joint clinical decision support workgroup, authored by Taish(?) et al,
identifies benefits of clinical decision support, barriers to widespread
adoption of clinical decision support, basic and advanced clinical decision
support features and elements that might be required over time, structure
standards and other enablers required for clinical decision support in
e-prescribing and incentives to accelerate the adoption of clinical decision
support in e-prescribing.

NCVHS notes that the report has several observations and recommendations
that compliment those included in the NCVHS letter of September 2, 2004,
especially with respect to the use of RxNorm to support clinical decision
making in e-prescribing.

DR. COHN: Steve.

DR. STEINDEL: Simon, we probably should put a reference as to where people
could download the report.

DR. COHN: Okay.

MR. BLAIR: Good thinking.

DR. COHN: I think that’s – that will be handled.

And I do just want to comment that there is obviously a couple of
appendixes.

MR. HUNGATE: One other comment. Thank you for that suggestion, Steve,
because I was needing that.

Some place back in here, and I haven’t found the reference, it refers to –
here it is – drug knowledge – It refers to drug-knowledge basis, line 10 on
page 9.

I assume that that relates to the decision to support structure, and as I
saw the drug knowledge basis, I felt I wanted to know a little more about what
was really being referred to there, because I think it does relate to the
decision support, and so I wasn’t sure whether more elucidation of what that
was would be helpful.

DR. WARREN: Would it help, Robert, if we listed the companies that provide
these databases? I mean –

MR. HUNGATE: Some way of –

DR. WARREN: – and we didn’t want to do that.

Simon just made a face.

DR. COHN: Yes.

MR. HUNGATE: I think some description of the function that they serve is –

DR. WARREN: Would that be better in the glossary?

MR. HUNGATE: Maybe. I’m not sure. There was a question in my mind as I saw
that, and it is reinforced by seeing this section. So –

MR. BLAIR: We had them testify and they were covered in – that whole
subject was covered in great detail in the first recommendation letter, but,
nevertheless, I think that what you are suggesting is that – did you want it as
a footnote or in the appendix or –

MR. HUNGATE: I’m not sure. It just struck me that there must be some
linkage between these and making it clearer might help the understanding.

DR. COHN: Hum. Sort of – to figure out how we do that. I mean, kind of
looking – Steve, did you have a comment on –

DR. STEINDEL: I think Bob is not asking a simple – a question that has a
simple solution, and probably would be best to report back to the committee
tomorrow and discuss it at the subcommittee level.

DR. COHN: Okay. We’ll come up with a suggestion tomorrow.

MR. REYNOLDS: Did you want to go back and walk through the background, just
to kind of highlight the categories?

DR. COHN: Yes, the comments about this so far? Okay. Yes, why don’t we just
sort of walk –

MR. REYNOLDS: Highlight the categories?

DR. COHN: Sure, and see if people have comments or suggestions.

DR. STEINWACHS: One of the things that always concerns me is what kind of
information is available for patients about their medications, and I don’t know
whether this comes into the committee’s – when you talk about the drug
knowledge bases, though they are usually for clinicians, not for the patient
side of this, and even such things – simple things as how would you determine
whether or not the prescription was on label or off label if you were a
patient, and so it would be helpful to me if the committee could look at the
patient side of the knowledge, and it is not decision support, then, but it is
information that patients could access so they would better understand what the
drugs are they are being prescribed.

DR. WARREN: I just want to clarify I understand what you are asking of us.
(Laughter).

DR. STEINWACHS: The world. (Laughter).

DR. COHN: I don’t think this is a subcommittee activity, but go ahead.

DR. STEINWACHS: Just trying to point you in a direction here.

DR. WARREN: When we heard these companies testify, most of them do provide
patient-oriented material, but that material is only accessed through the
prescriber, so the prescriber has the material, can then dispense it out to the
patient, but you are asking more than that about patient access to these
knowledge bases, right?

DR. STEINWACHS: Or the suitability of the knowledge bases for the patients
to be able to use, you know, because when you talk about the knowledge bases
here, I think there is a presumption that they may only be useful to a
clinician, and it seems to me the system that we are building out there ought
to have knowledge resources or we ought to be able to talk to whether there are
knowledge resources and how patients could access those so they could get some
understanding, in case the prescriber doesn’t give them the information, in
case – have symptoms 24 hours later and no one to talk to and are trying to
figure out, Well, do I go to the emergency room or do I wait ‘til tomorrow
morning?

DR. COHN: Yes, Don, I actually hear your issue, which I think is a very
legitimate one. Clearly, the drug knowledge bases that currently exist are
primarily there for pharmacists and some physicians who have access to it, but
they really – (laughter). Well, no, I mean, most of these drug-knowledge bases
are really developed for the pharmacist at the point of dispensing.

Now, the issue you are bringing up is, I think, a very important one. I am
sort of thinking, though, as I am listening, that this is really an aspect of
the – sort of the personal-health dimension of the NHII; and I am sort of very
thankful that Mary Jo Deering just walked in –

DR. STEINWACHS: Oh, thank goodness, Mary Jo – (laughter).

DR. COHN: – who is the key staff for that – to that subcommittee, to that
workgroup, and maybe it is something that we should explore in some of those
hearings, because, clearly, the words that come out for the pharmacist – and I
think Paul knows what I am talking about – it doesn’t exactly – you know, it’s
like reading the PDR if you are a patient, which, yes, you can do it, but not
easily.

DR. STEINWACHS: What do you really know?

DR. COHN: Yes, what do you really know?

I mean, Steve, did you have a comment?

DR. STEINDEL: Well, I would just like to point out, we mentioned the FDA’s
work with the Daily Med, and, really, the Daily Med is supposed to provide this
information to the American public, be it individuals, companies, et cetera,
and I think the vision of the FDA is is when the Daily Med system goes into
regular use it will be fulfilling the need that you are talking about here, one
of the vehicles. I mean, private sector can do it as well, but that is one of
the goals of the Daily Med.

MR. HUNGATE: Comment. Observation. That is right for FDA-approved uses. For
off-label uses, it is a pretty big hole in which there is a lot of lacking
information, and it is not clear to me where that is going to come from, nor
how it is going to get filled.

DR. COHN: I think – with the permission of the full committee, I think that
this is an area I think way beyond the scope of the letter, but I think it is
an important part of the work plan for the NCVHS, and probably – knowing that
we are holding hearings, really, on the personal health dimension, I think that
this issue of – I mean, it isn’t just their medical record, it is currently
medication information and all of this stuff, and we probably need to at least
be talking to some people about that – and you’ll see it in a future letter,
but not this one, likely.

DR. STEINWACHS: That’s fine. I just wanted to get it on the agenda.

DR. COHN: No, please, please.

MR. REYNOLDS: Okay. You want to walk through the categories in the –

DR. COHN: Sure. Please.

MR. REYNOLDS: Going back to the beginning of the letter and talking about
the background, the first section is broken into electronic-signature
background, and the first, under Relationship Between Prescribing and Patient
Safety, just basically the fact that there are a lot of prescriptions and there
are adverse drug effects and other opportunities that need to be dealt with,
the role of the government – and we have already spent some time earlier
talking about the DEA, the DOJ, HHS and state board pharmacies, the deal with
that, the role of dispensers to validate prescriptions, we heard significant
testimony on that, and so that section discusses that.

DR. TANG: Let me see if this observation may be correct or incorrect. It
looks like Observation Recommendation 1 transfers some of the role – the
validating role of the dispenser to the prescriber, because we have made it an
addressable HIPAA issue, and it is incorrect. I’m seeing by the – So let me –

DR. HUFF: That wasn’t our intent.

DR. TANG: I know it’s not your intent. Is that a consequence, though, of –

DR. HUFF: No. I think –

DR. COHN: Stan, you need to get your microphone –

DR. HUFF: I mean, the way we were thinking about it is that they have the
ultimate legal responsibility still, and their responsibility, if you will, is
to say, Oh, you know, I understand now how people are being authenticated. I
understand we are using secure private networks. I understand the relationships
that exist between the pharmacies and that they must be registered, and so,
basically, by understanding the system and knowing how the systems are
implemented, they are saying, I agree that that is sufficient evidence that
this is a valid prescription, and that is sort of all we were saying. I’m not
sure how – where you are getting from there to them relinquishing their
responsibility or –

MS. MC CALL: I heard a different question.

DR. HUFF: Okay.

MS. MC CALL: Let me see if I can rephrase it, that with the existence of
HIPAA, and, now, with the coming of electronic prescribing, by definition, does
that defuse backwards the responsibility? Because it is a transaction between
two covered entities which now involves an electronic signature, does the
existence of all these pieces put some of the responsibility and perhaps
liability back to the prescriber, where, in a different process, it rested with
the dispenser?

DR. TANG: Let me give the example. Currently, it is prescribed that you
must have a written – sometimes, you know, a wet signature by the provider,
and, then, it is up to the dispenser to validate whether that is a true
signature.

By saying that we now are going to push the authentication to the
addressable way in which a prescriber authenticates, I think it has actually
moved – first, we have no longer been prescriptive – as we used to say,
handwritten – and I think by using the term addressable, it has actually given
the responsibility for the qualified authentication of this prescription to the
prescriber, and that feels to me different –

MR. BLAIR: Actually, the authentication is the – at least my understanding
of it, and anybody on the subcommittee that feels my interpretation is not
correct – the dispenser is trying to authenticate whether the person who
claimed to write the prescription is, in fact, that person. So it can’t be
something that is transferred to the prescriber, but I think you have picked up
on a valid issue that the dispenser – now that the dispenser is receiving
something by computer in electronic form and not receiving it being handed to
them, necessarily, by the patient, that they might know the patient or they
might recognize the signature, in some ways, there is less of an ability of the
dispenser to authenticate that it is original, and so the system, now, is
trying to assume stronger authentication responsibilities. The system – in this
case, the system is essentially the e-prescribing network.

MS. MC CALL: Although –

DR. TANG: Plus the prescriber’s determination of the risk associated with
their particular –

MS. MC CALL: Right.

DR. TANG: – method, and, as you were saying, Jeff, the dispenser no longer
has the tools that they used to have.

 

MS. MC CALL: Right. Although, two points. One is your example of it used to
be a wet prescription or handwritten, they were more distinct events and
discrete, and, now, it is much more of a flow, but within that context, if
responsibility for authentication rests finally and completely with the
dispenser, that may break that flow –

MR. BLAIR: Yes, we are inheriting – you know, I think it is the state laws
that wind up placing that responsibility on the dispenser, and the
e-prescribing networks, in their attempt to be able to provide greater
authentication among the things that they have been doing. Matter of fact, in
the background section there, when you – it winds up listing, you know, these
things. It winds up indicating that it makes an attempt to certify the
prescribers before they have access to the network, and it has certain data
integrity, you know, that the prescription hasn’t been altered once it is sent.

So I think that your observation is a valid one that things are shifting,
but the state laws haven’t changed yet.

MR. HOUSTON: Well, are you saying that – if I can – that because the
responsibility now or the function of validation is more the function of a
system or software in that system, that a provider might – if you take this to
the most extreme case – might be responsible if he or she selected substandard
software tools to mediate their orders? That is question A, and then B, would
that not be addressed by having standards applied to that industry of what –
minimum standards such software should have?

DR. TANG: I guess – my primary concern is at the literal authentication
method at the prescriber level, because we used to use something that has the
test of time and law, the handwritten signature –

MR. HOUSTON: Yes.

DR. TANG: – or something that each individual gets to decide – i.e.,
addressable – how they want to authenticate people in their office.

MR. HOUSTON: I see.

DR. TANG: And that is taking it completely out of standard of practice from
– now, I am trying to be a lawyer. So you’ll have to correct me on that one,
but – (laughter).

DR. COHN: I think you should have Kevin help you on that one.

DR. TANG: So that is my concern is that we really have placed the onus of
authentication, made it the responsibility of the prescriber, and I would think
a dispenser could be a little bit nervous about that. I am not actually worried
about the software, because that is a business practice that –

MR. BLAIR: Would it be worthwhile to read the section you just touched on,
which is dispenser validation, and maybe that addresses some of Paul’s –

DR. COHN: Yes. Yes. Well, I think Judy has a comment that maybe –

DR. WARREN: One of the things that we tried to do when we heard testimony
was to stay as technology independent as we could, and when you brought up the
fact that the prescriber, now, is being brought into the authentication, they
have always been there. They have had to choose between a pencil and a pen.
They have had to choose between a piece of paper or a piece of paper that has
print on it that says prescription or a piece of paper that has been made so
that it cannot be Xeroxed, because it would lose its validity. Now, all of
those are things that occur in a paper-based world. So the prescriber is
already having to choose a level of paper-based technology in order to ensure
that it really is their signature on there.

And what we are saying, now, is that, now, as we move more into the
electronic technology, there are other ways that we can still do that.

So I am not sure I agree with you that we are asking the prescriber to take
on more responsibility for authentication. It has kind of always sort of been
there, just not as obvious, you know, as what it becomes in an electronic
environment.

DR. COHN: Okay. Steve, maybe you can help?

DR. STEINDEL: Add on to what Judy said. I mean, we heard several times
during this period about the cases where a prescriber would sign 50 scripts in
a pad and leave the pad lying around, which is, you know, very analogous to the
password sitting in the office and also very analogous to what you are talking
about about, you know, how much of the authentification actually exists in the
wet-signature world, because anyone can walk off with that pad and now become
that prescriber.

DR. TANG: I think the scenario you described is illegal. Okay. But –
(laughter). I didn’t mention that, but the scenario of an individual deciding
that a one-character password is sufficient for that practice is not illegal,
and yet it may be unsafe. That is my point. So I think there’s plenty of – I
mean, a signature is, I think, defined in legal – For example, a dot cannot be
a signature, for example, or, I mean, there are precedents for what is a
signature –

DR. WARREN(?): An X can, though.

SPEAKER: A dot can be a signature.

DR. TANG: What?

SPEAKER: An X.

DR. TANG: Yes, but for certain people, right? I mean, you actually – there
is actually – I mean, there’s just a lot of law –

DR. COHN: Okay.

DR. TANG: – behind what a signature is.

DR. COHN: Yes –

DR. TANG: Well, let me pose the other question.

DR. COHN: Yes. Yes, Paul –

DR. TANG: How would law change if a signature was defined as addressable?

SPEAKER: What do you mean?

DR. TANG: The way HIPAA defines it is you do your own risk assessment of
what is meant by authentication, and then you can define it. If I gave you that
– if that was the case for –

DR. HUFF: Over the years, my signature has changed, become much more simple

DR. COHN: Microphone. Yes, Stan and then Carol.

DR. HUFF: This is Stan. (Laughter).

We had the same – I mean there was a strong push and a lot of discussion
about how we could firm this up, and one of – In fact, we went so far as –
there were early suggestions that we put byline, you know, you have to have a
password and a login and it has to be – excuse me, and the password has to have
– be a strong password in there, and then we said, but that could all change.

And, number two, there is no standard we can rely on that states those
things – okay? – so we would – if we started putting that kind of very direct,
specific advice in here, then we become a standards body, and what, in fact, we
want to have happen is if those things are standards, we want those to go to
HL7 or NCPDP or NIST or somebody who can be the owner and keeper of those
standards, and that is why we ended where we are, and sort of, yes, it is
addressable, and if, in fact, somebody did something that – you know – in their
opinion and the way they addressed it, most of us would consider inappropriate,
then the assumption is is that there is going to be a complaint, and then there
are going to be adjustments made in that, because saying that it is addressable
doesn’t mean that anything you want to do is legal forever, just because that
is how you address – I mean, basically, you can be found faulty of – in your
risk assessment and say you didn’t assess the risk right. You’ve got to do
something better and different than what you are doing.

And those are the reasons why we didn’t try and become very prescriptive in
here about – we don’t – it seems inappropriate for – we don’t want to become
HL7 or NCPDP. We really want that – because we are not set up to be able to
modify and change, and we put those kind of things into this kind of document,
then they become immutable in a way that we really don’t want them to become.

DR. COHN: Yes. I see Paul is nodding his head, so that’s probably at least
a good start here.

Carol, and then I’d like to wind this –

MS. MC CALL: Okay. Paul has asked a great question.

DR. COHN: Yes.

MS. MC CALL: And I think that there is a general theme that, as a group, as
a committee, we are going to come across again and again over the next four
years, and this is the general theme that I see, which is that we are talking
about standards, but it quickly evolves into the changing of process, which,
ultimately, will have a very important aspect that is legal.

In this particular case, we have taken an historical process that Judy
described earlier. It has been around for a long time, and a lot of legal
precedent has been set around that. That process was broken apart in different
pieces and responsibilities were very distinct. That process has changed, and
the responsibilities become more – the process becomes much more tightly
coupled, and so as these processes change, and sometimes fundamentally so,
sometimes with new parties coming in – not this one, but maybe on others – that
we need to look to the law to find out what the law says historically about
where the responsibilities have been, so that we can see and explicitly look
for whether or not that needs to be addressed along the way, and that is, I
think, the theme in here, and I think that is the question that you asked, and
I think we need to look at it as we go forward.

DR. COHN: Yes. Carol, well said.

DR. WARREN: One of the things – I mean, and I’m glad Carol brought up the
law, because we did hear testimony about it. We looked at the e-signature law.
So, I mean, there are definitions, and we did refer to that in part of our
preliminary work about what those definitions are for a signature. So that part
is already in law, and, you know, we are – so that may be helpful.

DR. COHN: Yes, you know, I am sitting here struggling with this one. I am
trying to – I am well aware of the issue that you both are bringing up, and I
think that really is – you know – changes in work flow, changes in
responsibility, but the law hasn’t changed. So – but, effectively, you know –
but, on the other hand, people call in prescriptions all the time, and, you
know, whenever I call prescriptions in these days, the pharmacist doesn’t know
who I am, and I have to tell you, I mean, you just never know. So you have to
realize the reality, and, sometimes, you know, you don’t move to a perfect
process. You take two steps forward. You know, you don’t want the – you know –
perfection to be the enemy of the good in this one. So we have to reflect on
that one.

Now, Paul, what I am going to suggest is is that I know the committees that
you are interested in participating in, and given, I think, some of your
concerns, which I don’t think I have an answer for in the large group, I am
going to suggest that you sit in with the Subcommittee on Standards and
Security, as we sort of look through this letter, and see if there’s – I mean,
because I don’t see an obvious way to address your question in here or even how
to frame it. So maybe there are some ways you can help us.

DR. TANG: I think it is as Carol said, which is we just need to be
cognizant.

DR. COHN: Okay. I mean, anything to avoid having to sit through a
subcommittee.

MR. HOUSTON: Still not getting out of Standards and Security. (Laughter).

MR. REYNOLDS: I did want to play off that. We clearly heard testimony that
in all states the dispenser is responsible. So, I mean, we really hammered on
that to make sure we heard that clearly. So, in no way, does this relinquish
them from having that responsibility.

The other thing that we discussed at length with e-prescribing there is
also the possibility of being able to send a message back to the prescriber
that this actually occurred, which will be much more of – They may call
periodically now to check on someone, but if they go as far as sending a
message back each time, if e-prescribing moves to that, then you are actually
confirming that a prescription was written from that particular environment,
which is a much better check than even – anything that is going on right now.

So we really tried to address that, but there is still that emptiness of no
standard, nobody handed us a standard we could use and put in there, and so we
are working through processes where, as you say, in HIPAA, two covered entities
are involved, two covered entities are responsible. The ultimate responsibility
holds here, that any time I pass an electronic record, I gotta know whether or
not it is coming from my place, whether it is valid, and, then, whoever
receives it, whether or not it’s okay.

DR. COHN: Okay. Now, I am going to suggest that – we are running 15 minutes
after a late lunch anyway, and Marjorie, I think, has commented that if we wait
too much longer, we are not going to have lunch, because they won’t have any
upstairs.

Now, I am going to suggest we take about a 45-minute lunch break, so we’ll
start 15 minutes later.

What I want to do is to spend probably the first five minutes or so going
through the remainder of the background here, and then we will move into the
NPRM comments, and that should, hopefully, help us sort of make up for time and
all of that.

So we’ll take a lunch break, come back at 1:30.

(12:45 p.m.)

* * *

(1:41 p.m.)

DR. COHN: Harry, I think that you still have the floor.

What we’ll be doing is going through the remainder of the background
information on the letter on e-prescribing, and then moving into the NPRM
letter, then we’ll move from there to some comments about the population
report, and then, finally, I think a brief comment about the work of the – on
the biannual report, and then the report from David Brailer on his work, and
then we’ll break for subcommittee meetings.

Harry. Harry, closer to the microphone.

MR. REYNOLDS: – and then you get into the e-prescribing networks, and with
some of the discussions that went on earlier, you may want to take a good look
at that e-prescribing networks, because this paragraph, and then the paragraph
under Security and Authentication of the E-Prescribing Networks, gives you a
little more in depth about what we actually heard in testimony and what is
going on and may help you with some of the questions that came up today.

And we talk about and generally describe the e-prescribing process, and if
you notice, on line 46, at the bottom of page 3, we talk about e-signs or we
did mention the things that are going on.

Use of digital signature in e-prescribing. We moved into that, into the
idea of what happens if we go to the open internet. So you might have Step 1,
and then you look at the open internet.

Industry experience with PKI. We pretty much summarized under that one the
information that we had heard, and part of that was a lot of the PKI that is
real successful is point to point, when you get multiple – so many hand-offs,
as you would have in e-prescribing, is where it starts to become a little more
burdensome.

So that was kind of the – Simon, a quick summary of the background.

DR. COHN: Any comments or questions about the remainder of the background
information?

Okay. So we’ll be bringing back a letter from the subcommittee tomorrow,
noting whatever changes for your review and as an action item tomorrow. Great.

Agenda Item: Letter Commenting on CMS
e-Prescribing Proposed Rule Action March 4

DR. COHN: Now, I think the next item for consideration is the letter on the
e-prescribing proposed rule. Harry, it’s yours again.

MR. REYNOLDS: Yes. Jeff, you want to make any comments before we start on
that?

MR. BLAIR: The only comment that I want to make is for those of you who are
looking at this for the first time, this is a unique format for the format of
this letter, like, for example, when you see the background, that isn’t the
background that we created. That is the background section of the proposed rule
for e-prescribing standards, the NPRM. So we are commenting within the format
of the NPRM, and that is why you’ll see the numbers skip. Okay? So, other than
that, I think, Harry, go for it.

MR. REYNOLDS: We’ll actually read this letter, since it is not nearly as
long as the other one.

“The National Committee on Vital and Health Statistics, NCVHS, was
called upon by the Medicare Prescription Drug, Improvement and Modernization
Act of 2003, MMA, to develop recommendations for uniform standards to enable
electronic prescribing – e-prescribing – in ambulatory care. The initial
recommendations were delivered September 2, 2004. The committee is very pleased
to find that these recommendations were helpful in drafting the Medicare
Program E-Prescribing and the Prescription Drug Program Proposed Rule. This
letter includes the NCVHS comments in response to the Proposed Rule in the
response format requested.”

Under “Background,” we had a comment on A, which was Statutory
Basis.

“NCVHS recognizes that the HHS Proposed Rule must be consistent with
the wording in MMA, including the wording, ‘e-prescribing standards apply
only to information regarding Part D eligible individuals enrolled in Part D
plans.’ However, NCVHS also believes that HHS should ensure that e-prescribing
standards are not only appropriate for Medicare Part D users but also
consistent with the standards for all types of prescribers, dispensers and
public and private sector payers. This is necessary to avoid barriers to
interoperability across healthcare domains. To achieve this, e-prescribing
standards for Medicare Part D should also be compatible with those adopted as
HIPAA and CHI standards, and with those recommended in November 2003 by NCVHS
for clinical data terminologies, especially with those pertaining to
RxNorm.”

And I’ll stop there, see if there are any questions on that particular
statement.

Okay. Moving to F under Background.

“Evolution and Implementation of an Electronic Prescription Drug
Program.

“There are lessons learned from HIPAA regarding both the value of
standards and the need for flexibility to respond to industry requirements and
technology changes. There are a number of approaches that could be considered
to provide the industry greater flexibility and ability to advance, while
maintaining standardization of messages and data. For example, CHI has set
precedence for this by adopting a version of its clinical information standards
as a baseline, from which new versions may be adopted by the industry when
ready; even though this process is different from the process required for
standards adopted under HIPAA. HHS should work with the industry in its
rule-making process to determine how best to afford flexibility in keeping
standards in pace with the industry, including standards for HIPAA and
e-prescribing transactions. For example, HHS might consider recognizing new
versions of standards, without a separate regulation – ” and this is key
” – if they are backward compatible.”

“The NCVHS – ” I’m sorry. I’ll stop there. I forgot.

DR. COHN: Comments or questions?

DR. STEINWACHS: Harry, just maybe wonder what a forward compatible one is.
(Laughter).

MR. REYNOLDS: When you all agree ahead of time. (Laughter).

DR. STEINWACHS: Well, how come you didn’t manage that before this?
(Laughter).

MR. REYNOLDS: We are doing the best we – (laughter). John, you had a
question? No, this John had a question.

SPEAKER: Oh, J.P.

MR. HOUSTON: J.P. By the way, after you’re gone, I’m John again.
(Laughter).

SPEAKER: I’m sure he’ll never be just John.

DR. COHN: John Paul, what did you have for lunch? (Laughter).

MR. HOUSTON: Animal crackers. (Laughter).

DR. COHN: Oh, okay.

MR. HOUSTON: They not natural anymore.

The only thing I would – the one sentence towards the bottom of this
paragraph, in keeping – it talks about flexibility in keeping standards in pace
with the industry. Don’t you really mean to say in keeping standards in pace
with the needs or the requirements of industry?

MR. REYNOLDS: Standards in pace with the needs of the industry, rather than
just industry.

DR. COHN: Yes, I think that’s a friendly wordsmithing change. Jeff, you are
comfortable with that?

MR. BLAIR: Yes, sure.

DR. COHN: Okay.

MR. BLAIR: How come I didn’t get the animal crackers?

MR. REYNOLDS: Okay. Under “Provisions,” letter C. “Proposed
Requirements for Part D Plans.

“The NCVHS recommendations relative to e-prescribing standards
adoption within ‘closed’ environments is different from the HIPAA
transaction requirements where the Rule applies to both ‘closed’ and
‘open’ environments. NCVHS observes that HL7 is commonly used to
communicate medication orders within a hospital, and with clinical pharmacies
within an enterprise. However, coordination of the HL7 data elements for order
entry messages with the NCPDP SCRIPT Standard data elements for e-prescribing
messages (which are used to communicate prescriptions to community and retail
pharmacies) would result in functions being more seamless across healthcare
environments. This would remove a major barrier to adoption of electronic
medication ordering and prescribing. HL7 and NCPDP have already begun this
coordination by mapping the data elements in their respective standards that
support common functions. NCVHS believes that HHS should recognize the exchange
of prescription transactions within the same enterprise as outside the scope of
MMA e-prescribing standard specifications. However, HHS should require that
prescription orders sent using HL7 messages within an enterprise be translated
to NCPDP SCRIPT message format if the message is being transmitted to a
dispenser outside of the enterprise. HHS also should require that any retail
pharmacy within an enterprise be able to receive prescription transmittals via
NCPDP SCRIPT from outside the enterprise.”

Focus there is adoption.

DR. COHN: Yes. I actually have a minor wordsmithing change. I am just
wondering whether the word however really should be however or should just be
struck.

MR. REYNOLDS: Um-hum.

DR. COHN: Any other comments?

MR. REYNOLDS: Okay. Under “Proposed Standards, 1. Prescription.”

“NCVHS observes an apparent inconsistency in the description of the
proposed standards to be adopted regarding the Prescription Fill Status
Notification Transaction. On page 50 of the text version of the Proposed Rule,
the Prescription Fill Status Notification Transaction, and its three business
cases, are correctly excluded from the foundation standards. However, on page
53 of the text version of the Proposed Rule it incorrectly states that there is
industry experience with the Fill Status Notification Transaction. The sentence
on page 53 that needs to be corrected is: ‘More specifically, the NCPDP
SCRIPT Standard transactions we propose for adoption have been used extensively
for messaging between prescribers and retail pharmacies for new prescriptions,
prescription refill requests, prescription fill status notifications and
cancellation notifications, as part of the Consolidated Health Informatics,
CHI, Initiative.”

Number 2 under “Proposed Standards,” “NCVHS supports the
adoption of the ASC X12N 270/271 transactions for conducting eligibility and
benefits inquiries between prescribers and Part D sponsors and the NCPDP
Telecommunication Standard for conducting eligibility transactions between
dispensers and Part D sponsors. NCVHS would like to emphasize the importance of
the note within the proposed rule that ‘the level of detail returned on
the 271 by the Part D sponsor must match the level of detail in the inquiry
made by the prescriber in the 270 request, to the extent that the Part D
sponsor’s system is capable of handling this request.’ In addition, the
proposed rule indicated that ‘if standards are updated and newer versions
are developed, HHS would evaluate the changes and consider the necessity of
requiring the adoption of new updates to the standards.’ NCVHS believes the
process of potentially accepting as compliant different versions of the
standards that are backward compatible is critical to keeping the e-prescribing
process current. This should apply to all applicable standards, including, for
instance, the X12 278 Prior Authorization standard and others.

“NCVHS is pleased to provide these comments in support of advancing
the principles and purposes of e-prescribing.”

DR. COHN: Comments or questions? I know it’s after lunch.

Well, I guess the question I would ask for the full committee is, given
that what we have identified are, I think, two wordsmithing changes, which I
think have been accepted, is this something we want to move for adoption today
or ponder over this evening and come back?

John Paul.

MR. HOUSTON: I move for adoption.

SPEAKER: Second.

MR. HOUSTON: When is the period for responding to this one?

DR. COHN: The period for response ends, I think, April – April – something
like that in April. The problem is, of course, is that this is our committee
meeting. Otherwise, we would have taken longer putting this together.

Okay. Is there discussion on this?

Well, all in favor say aye.

(A chorus of ayes).

DR. COHN: Opposed? Abstentions?

Well, it’s passed.

MR. REYNOLDS: The committee thanks you.

SPEAKER: If you mail this quickly, it will be the first comment in.

DR. STEINDEL: I was going to suggest, Simon, you just sign it tomorrow and
hand it to Karen.

DR. COHN: I think she would probably prefer getting it electronically.

Now, before we move – so I think this is actually the business for the
Subcommittee on Standards and Security, at least until our letter – the other
letter coming back tomorrow.

I think that the full committee just needs to be aware that there will be
sort of continuing letters, though not of the length that we have been dealing
with, likely dealing with e-prescribing, probably through the end of the year,
because we may be commenting on pilots further. Certainly, Carol brought up an
issue. As we begin to – for example, as we begin to find out more about how
these standards are moving through NCPDP, we will likely be making comments on
those.

Hopefully, they will look a lot more like the letter that came out of the
Subcommittee on Privacy and Confidentiality. In other words, a one-to-two page
letter with specific comments, as opposed to these longer letters, but I just
want to make sure everybody is aware of all of that.

Now, before we move on to the report from the populations committee on the
Population Report – the Committee on Populations – I actually – it has been
suggested that I – I think, given Judy Berek’s meritorious service on the
committee and really our appreciation of her, what we would like is a motion
and an acceptance for us to put together a letter to the CMS Administrator
thanking her for her service.

SPEAKER: So move.

DR. COHN: Second?

SPEAKER: Yes.

DR. COHN: All in favor.

(A chorus of ayes).

DR. COHN: Opposed? Abstentions?

Okay. Judy, you don’t get to vote. (Laughter).

Okay. With your leave, what we will do – I will work with the staff in
terms of putting together such a letter and we will get one out.

MS. BEREK: Thank you.

DR. COHN: Well, thank you.

Agenda Item: Status of Populations
Report

DR. COHN: Okay. With that, want to move to the Population Report, and Don
and Vickie, I think you are taking the lead on this?

DR. STEINWACHS: It is a pleasure to be here as the new Populations Chair. I
am still a little worried about trying to fill Vickie’s shoes, and she has been
coaching me and trying to help me along, so I want you to know I very much
appreciate this.

We will be, on the Populations Committee, talking more about our agenda for
the future and ways in which the Quality Workgroup and the Populations group
can have a more coordinated agenda, but the major item on the Populations
Committee is to try and bring to culmination the work that Vickie has led in a
Populations Report – and we are hoping to be able to bring the final report to
you in June, and so what I have asked Vickie to do is go through and give you
an overview of the kinds of recommendations, so there can be some feedback, if
the committee feels that there are concerns or issues, and then we can take
that to our committee meeting this afternoon.

Vickie.

DR. MAYS: Thank you.

We are a group that started out with 69 recommendations. Talk about a
learning curve. It’s like I have now learned, but, I don’t know. I feel like
after the last report, in terms of how long that one was, maybe we’re still
okay on that. (Laughter).

So, anyway, what we did, in order to make this more manageable – and let me
just make an acknowledgment first, and that is Populations has, in the past,
often conducted business in conjunction with NCHS, and, in this instance, when
we were working on this report, NCHS was very helpful in the form of Jennifer
Mattins(?), in terms of giving us feedback. So I just want to acknowledge her
work and thank her for all she did to help us to get to the stage that we’re
at. So duly note her work to this.

What we did was, in terms of looking at all those recommendations that we
had, we were trying to think of the best way to organize them, and also to try
and map things, I think, a little bit better with the other subcommittees.

So what we did structurally is that we actually have kind of three
overarching recommendations, and the first is within the context of standards,
you know, and I almost shudder to say that, because it is not standards in the
sense of the technical ways that you talk about it, but, to some extent, it is.

So, in terms of our three overarching recommendations, the first kind of
addresses itself to standards. The second really addresses kind of the
methodological research that we think would be helpful and necessary in order
to help the collection of data on race and ethnicity, and then the third is
actually to talk about the infrastructure in terms of health statistics and the
kinds of things that the Department would be able to do to increase the
collection of data on race and ethnicity as well as improve its dissemination
of the findings. So we organized it that way.

What I would like to do, if I think we have enough time, is at least to go
through the first, which is the standards, because this is where, in
particular, we would like to get some – we want feedback on the whole thing,
but, in particular, this maps onto the committee’s agenda, so, if possible, I
think we have enough time to be able to go through the first set, and then
we’ll ask you, please send Don emails about any additional things that you see.

We may come forth with – after we meet with the subcommittee, a couple of
additional recommendations that will go in here, but, for now, this is probably
the body that we will bring back in June.

Under the first set of recommendations, the overarching recommendation is
HHS should improve the coordination of efforts to collect data on race and
ethnicity by developing standards for assessing race and ethnicity. These
efforts should take place within HHS as well as through partnerships with
federal, state and other entities that collect data on race and ethnicity.

The first one that we talk about is the NCVHS acknowledges the leadership
role the Department is playing to develop standards on collecting racial,
ethnic and primary-language data under HIPAA and strongly urges the Department
to summarize its business case for racial, ethnic and primary-language data for
healthcare performance measurement and to accelerate its efforts to modify
HIPAA standards to simplify the reporting of data on race and ethnicity.

In addition, the Department is urged to work with healthcare-sector
professional associations to encourage adoptions of an industry-wide
data-collection standard for assessing race and ethnicity.

So, again, I think that probably is something that we may want to hear from
some of our colleagues on.

DR. COHN: Okay. Vickie, can we ask questions as you go along?

DR. MAYS: Oh, sure.

DR. COHN: Okay. Well, Marjorie, I’ll let you start.

MS. GREENBERG: I appreciate it. I got these yesterday, so I had a chance to
look at them.

DR. MAYS: That’s fine.

MS. GREENBERG: I just needed some clarification on what was intended by
standards for assessing race and ethnicity. Are you talking about standards for
collecting race and ethnicity or standards for assessing disparities or – I
just –

DR. MAYS: Standards for collecting.

MS. GREENBERG: – didn’t understand what you meant by that.

DR. MAYS: Standards for collecting.

MS. GREENBERG: Collecting.

DR. MAYS: Yes.

MS. GREENBERG: Well, then, I think that is the word that should be used.

DR. MAYS: Okay. Thank you.

Simon, did you have your hand up?

DR. COHN: No, I think Marjorie – I did not need to follow up. Thank you.

DR. MAYS: Two, states should explicitly – should be explicitly encouraged
to collect race and ethnicity data on the Medicaid or state equivalent
enrollment form and to share that information with managed-care organizations,
MCOs, to enable them to produce state-required reports along these dimensions.

The committee also recommends that CMS require state Medicaid agencies to
ensure that enrollment data are, at a minimum, linkable to encounter data and
encourages each state to perform this linkage in a manner that is consistent
with standards regarding the electronic transfer of data and with
confidentiality and private practices and procedures.

Okay. Three. HHS should contribute to the creation of an interconnected
Indian health network for the 300-widely disbursed healthcare sites to
standardize systems and protocols for collecting race and ethnicity data at all
locations and to more effectively collaborate and pull data, expertise and
resources.

Information systems comparable to those developed in other federal
healthcare systems, such as the Department of Defense and Department of
Veterans Affairs, should be adapted for the Indian Health Service.

HHS should support national data networks that are both urban- and
reservation-based for American Indians and Alaska natives that use compatible
data collection methodology.

Four.

DR. COHN: Vickie, I’m sorry. I just had a question here. This has to do
with the Indian health system. Explain to me a little more about this. I mean,
obviously, I don’t have the four chapters before it that, I am sure, explain
what this is, but the Indian Health Service –

DR. MAYS: Indian Health Service.

DR. COHN: – uses, effectively, the VA system for at least –

DR. MAYS: It doesn’t. That is what we are actually suggesting.

DR. COHN: Oh, okay.

DR. MAYS: We heard testimony that, quite frequently, within the Indian
Health Service that the infrastructure, in terms of – I mean, they even fussed
at us a little bit about sending things by email, because of the lack of
computers, et cetera, but what has happened is that different clinics within
the Indian Health Service will have different packages that it uses to capture
information, and there is a difficulty of communicating across the various
systems. So it takes a lot of effort, for example, to get some of the data that
we do have on American Indians, and part of that is that there isn’t
necessarily a coordination of the kind of software that is used, where, for
example, some data is drawn from, whether it is at a visit, whether it is, you
know, in other places, during the encounter.

So part of what we are recommending is that if HHS would try and help them
to develop a coordinated system where data could be systematized, where there
are similar methods for collecting the data, as well as the ability to kind of
– you know, we talk about kind of interoperability, that there is the ability
to share the data across all those systems.

DR. COHN: Richard.

DR. HARDING: I apologize for going back to something but I just have a
question about number two, the first sentence, the words, states should be –
quote – “explicitly encouraged.” I’m sure that you all thought that
through as to what that word should be, but, you know, coming from a place
where we get lots of encouragement, but not any –

DR. MAYS: Not money. (Laughter).

DR. HARDING: You know. You know. Is there another word or something like
incentivized or something that would imply that there’s something in it for
them, other than to be encouraged to do it, because we get encouraged to do
just so many things in states without any resources and so forth. I just wonder
if there is another word.

DR. MAYS: Let us – Yes, I was going to say let us discuss that.

DR. HARDING: Thank you.

DR. MAYS: Unfunded mandate.

DR. SCANLON: Could I just add something about whether – with respect to the
Indian Health Service – that you heard that this would be a feasible goal in
terms of trying to be uniform across these 300 sites.

Comparing them to the VA – and I know that the VA has put an incredible
effort in trying to create sort of national uniformity and – though, many
times, when at Yale(?) we have looked in the VA we found that there wasn’t
national uniformity, and – you know, even within a VISN you could find
differences among the different medical centers, and so this seems like it is
an admirable goal, but needs to be part of a much bigger objective, which is to
try and create some national policies, and I am wondering if they in place to
facilitate this or not.

DR. MAYS: I think what we can consider is whether or not – I mean, I think
this is a very important goal here, and maybe we might be able to state it a
little differently as to put the things in place to make this happen, but I
think the problem that we faced when we had our hearing is the extent to which
the ability to be able to look at their own health issues is severely
compromised for this reason.

The most data – the reason you see so many papers out about rates of cancer
is because of the SEER Program, and they were using that as an example of a
program that has been able to collect data on race and ethnicity and then to be
able to look at it across various geographic regions, and that was, you know,
what they were asking for is something that could be done in terms of the
Indian Health Service.

So we can revisit – I think – You know, I understand what you are saying,
and I think the revisiting is maybe to make it a step on the process of
ensuring that this can get done.

DR. HUFF: Recommendation 3 seems like it is out of context in that it has
to do with race and ethnicity data, but it has to do with a much more global
issue, basically saying that the Indian Health Service’s information systems
are inadequate and incompatible, and I wonder if that should be its own
recommendation in its own section somehow, so that it – I think it could get
lost sort of in here with the other recommendations about race and ethnicity,
and I think it is a bigger issue that maybe deserves more treatment, you know,
in a recommendation of its own.

DR. MAYS: Okay.

DR. COHN: Okay. Mike, and then Kevin.

DR. FITZMAURICE: In the federal government, we are kind of bound by how OMB
tells us to collect race and ethnicity data. They have a framework, and as I
looked through the report, I don’t see any comments about that framework, or
just looking at the recommendations in Chapter 5. Does the report find
sufficient this framework for collecting the data, and your point is that not
enough is being collected to improve quality of care, patient safety and other
uses, that it is not enough is being collected as opposed to the framework
needs to be improved?

DR. MAYS: There is a section earlier in the report that talks about the OMB
guidance, and, to some extent, at the national level, part of what occurs in
the collection of the data is that there are a set of guidance. Federal
agencies, you know, adhere to that guidance. So that is not the problem.

It is somewhat tricky in terms of some of the collection of the data, and
that is a little bit of why we are saying, for example, it would be great to
have methodological research. It is great to understand that, for example,
people may change their identity, you know. There’s a fluidness there. There is
an issue of how do you ask these questions. There is the issue of training
people so that, as you ask the questions you have a sense of the answer, like
when we had the presentation by Suzanne Heurtin-Roberts. Let’s just say, for
example, someone comes in and they say, I am Creole. If you don’t know the
translation of where that goes or you don’t understand kind of what the
category is, then you may end up misclassifying the person. So there are, I
think, some areas that still need training. There are some areas that we do
need to talk about, and then we also have to understand in the collection of
this data of race and ethnicity a little bit about how to use it.

DR. FITZMAURICE: Thank you.

DR. MAYS: And that is kind of the foreground of the report.

DR. COHN: Kevin, you had a comment, question?

DR. VIGILANTE: Actually, I think it may have been covered already. I’m not
sure, but it goes back to your comment about VA VISA. Yes, on the one hand, you
know, the VA VistA has been modified significantly in the Indian Health
Service. There is a lot of variability. They have had to add pediatric modules
and billing systems and changed it in other ways, but it still, for the most
part, is, as I understand it, the foundation system for Indian Health Service.

So I think when we say systems comparable to those developed in other
federal healthcare systems, such as Department of Defense and the Department of
Veterans – I would say it is comparable. Although, in terms of its foundational
structure, there is a lot of variability in it

that prevent it from being used in the ways you have already cited.

DR. MAYS: Thank you.

DR. COHN: Yes, Kevin, thank you.

Mark, did you –

DR. MAYS: That is a good point.

DR. COHN: And, actually, I guess before we move on – I’m sure Mark has
another issue – I just came away feeling like we need a little bit of fact
checking to figure out how exactly to express this one.

DR. MAYS: Yes.

DR. COHN: And, obviously, the Subcommittee on Populations can just sort of
check that.

MR. ROTHSTEIN: In the first line in number 5, the federal agencies, from
the parenthetical, I assume you are referring to HHS agencies and if that is
the case, then we might want to do more than encourage, and we could say, HHS
should direct appropriate agencies, and then the parenthetical to, blah, blah,
blah.

MR. SCANLON: I guess I would go one step further. These agencies are HHS.

MR. ROTHSTEIN: Yes.

MR. SCANLON: So why don’t we just say HHS agencies should hold –

MR. ROTHSTEIN: Well, either one, yes.

DR. MAYS: Okay.

DR. COHN: Marjorie, I think I am going to let you continue.

I just want to remind everyone this is not coming forward to a vote today.
We don’t have the first five chapters. This is just the rough recommendations.
I think we all have a tendency to want to get this right the first time, and
I’m sure –

DR. STEINWACHS: We’d welcome a vote now and just move on – (laughter).

DR. COHN: That’s right.

I just want to keep that in mind in terms of your comments. Well said, Don.

DR. MAYS: Okay. I think I left off at 4. American Indian and Alaskan Native
tribe entities and minority community-based organizations, CBOs, should be
consulted regarding any HHS or agency plans that involve standardizing the
collection and use of race and ethnicity data.

HHS should consider adopting the consultation model used by the Bureau of
the Census in explaining Census 2000. The Department should undertake similar
consultations with Puerto Rico, the Virgin Islands and the Pacific insular
areas.

MR. SCANLON: Vickie, again, I hope you make this – you probably make it
clearer in the narrative, but it almost sounds as if there was no standard now
for collecting race and ethnicity data, and, of course, there is.

DR. MAYS: Yes.

MR. SCANLON: Do you mean further standards or further detail or –

DR. MAYS: It’s more further detail.

MR. SCANLON: Additional?

Maybe we should say that involve additional standardization or further
standardizing. Because we – I am sort of assuming that we are starting with the
race-ethnicity standard we have –

DR. MAYS: Yes.

MR. SCANLON: – defined by OMB. We have no other choice.

DR. MAYS: I think that that is probably – we had a lead-in paragraph and we
took it out. So I think – I now have a clear sense of what the lead-in
paragraph should be. We had taken out what was there. So, now, I know exactly –

MR. SCANLON: Within any of the major categories

if HHS wanted to standardize the sub-population groups –

DR. MAYS: Exactly.

MR. SCANLON: – that is where the standards would –

DR. MAYS: Okay. So okay.

Five. HHS should direct – wait – should – HHS agencies should hold
national, state and ethnic racial-group conferences that focus on collecting,
analyzing and disseminating data on racial and ethnic group health status,
health behaviors and health disparities.

These conferences can play a role in enhancing coordination and improve the
development of standards around collecting race and ethnicity data.

So I want to stop there, in terms of – because we actually don’t have the
time to read them all, but those are the ones that I – You look quizzical. I
didn’t think we did. Oh, okay. I was like, we do? I didn’t think so. I was
trying to keep to my 15 minutes, and to suggest the second overarching
recommendation really is on kind of the methodological research, and so we
welcome – you know – any thoughts or inputs into that, as well as the last,
which is the infrastructure, and the infrastructure always becomes one where,
you know, it is kind of a bit of a cost. So, you know, we want people to look,
because it is asking people to do things – and many of these are things we have
talked about before, like having additional data centers, et cetera, but these
do involve some costs. So we would welcome your looking at them and thinking
about them and giving us some feedback, because this is the gist of the
recommendations that we’ll be bringing forth.

The subcommittee, in its meeting this afternoon, will be looking at these
as well as a few others that kind of – and some of the cuts were left out that
might get put back in.

DR. COHN: And cuts that got left out that might be put back in, are they
recommendations or are they background material?

DR. MAYS: No, no, no. The background material, we will do once we settle
upon all the recommendations. There are a couple of recommendations the broader
committee hasn’t had a chance to discuss. So we just want to make sure that
this subcommittee itself is fine with what is here and what was cut. So that is
to give them the opportunity to opine on some of the things that were cut.

DR. COHN: Okay. Comments from the full committee?

I looked at this late last night, and I actually thought that these – and
it is good not to see 69 recommendations or 83 or whatever, so I want to thank
you for that. (Laughter).

DR. MAYS: We thank ourselves for that.

DR. COHN: Thank yourselves for that.

DR. MAYS: We are not killing ourselves over that.

DR. COHN: Yes, I would also just congratulate you on – some of these that
we have looked at, they actually look like that they are actionable. You can
sort of tell, which is, of course, I think the mark of a good recommendation.

Actually, just generally comment that I think what we are seeking sort of
as we move forward is making sure that when we come forward with something that
it is specific enough that an agency would know what to do with it when they
got it as a recommendation. To me, that is a mark of a good, well-thought-out
recommendation, that they don’t have to go out and study something for a year
to figure out what to do with that recommendation. So I think we are making
great strides.

Now, the only question I would have, and this is something I don’t know
because I am not part of your subcommittee, though –

DR. STEINWACHS: You could join us. (Laughter).

DR. COHN: I know. I know. And I could sit in for some of it today, which I
probably will.

Is just to reflect, as you go through this, to make sure that this is –
that these recommendations are sufficient to get us where we think we need to
go, and that would really be the only question I would have, and they may very
well be, but I would just have you all reflect on that that there isn’t
something obvious or something big that needs to be stated here somewhere.

But, generally, I think it all looks pretty good.

DR. MAYS: Yes, I think there are a couple that we do need to discuss about
potentially putting back in that, you know, I think – that I think, you know,
there’s one that I do think is big, and that is the notion of the – we had
talked before about the surveys, about doing – having small-group surveys that
periodically are done to ensure that the populations that we aren’t able in
national surveys to get data on that we figure out some kind of collection
procedure to be able to do that. So that is one of the ones we have to discuss.

DR. COHN: Okay. Any other comments on this one?

Okay. Now, what we are going to do with the remainder of time – and,
Vickie, I apologize if I was looking at you cross-eyed, I was, I think, it’s my
after-lunch – you know – sort of fading out here, but, actually, we actually
could have given you a couple of more minutes if you had needed –

DR. MAYS: Okay. I was trying to do my 15 –

DR. COHN: No, you did very well, and I think we’ll be seeing this back next
meeting also.

What we are going to do with the remaining time is, obviously, one, we are
going to just talk briefly about the biannual report and what the status is of
that, and then I want to – Actually, let me just talk for a minute or two, and
then we’ll get into the biannual report, because I think it is probably the way
to do it, and then we can – then, by that time, I think, David Brailer will be
joining us for a conversation for a couple of minutes, and, then, of course,
we’ll break up into workgroups.

Obviously, this morning – and, once again, I am not going to – you probably
will hear from me again and again today about various issues, but this morning,
I tried to keep my comments very brief in terms of things that I heard from the
full committee, in terms of all the conversations I had, knowing that, first of
all, it was a little after 6:00 a.m. California time, but, even beyond that,
that we had a very packed agenda this morning.

There were a couple of things that I neglected to say, which I just sort of
want to comment about. I mean, really, one of them is just sort of the
reflection in which something – I just want to apologize for admitting is this
is a recommendation of our staff and our staff support. I think that I heard
from all of you, and, certainly, I recognize, you know, without Jim or
Marjorie, Marietta, Debbie Jackson, Maria, the list goes on and on – I mean,
once again, I can’t remember everybody – Kathryn –

SPEAKER: Where is everybody?

DR. COHN: Mess it up here.

You know, we are not going to be successful in our work. We really rely on
them. I see one of the main roles, my role going forward, as well as the role
of the chairs of the subcommittees is sort of the care and feeding of the
staff. I mean, I commented that we have full-time jobs. To my knowledge, I
think they all have full-time jobs on the side, too, and this is something they
do above and beyond their work, because of their dedication and belief that we
really do make a difference.

Certainly, one of the things that I am pondering about – I mean,
recognizing we have been – I mean, we have all been – in all of our
subcommittees and workgroups about how to do things most effectively, but one
of the things that I am sort of struck with is is that every time we produce a
major report or a major letter, and the new members now are seeing, well, you
have two-page letters, we have 18-page letters and we have 39-page reports –
49-page reports, and probably even longer if we allowed ourselves with, but is
to make sure that every time we have to do one of these things it is not a
Herculean effort that causes everybody to just sort of get ground down in the
process.

I think, from my view, we need to be very thoughtful about using
consultants sometimes to help, and, indeed, one of the things we are going to
need to really think about is how to most effectively use them going forward to
sort of help keep our staff healthy, happy and being able to be supportive of
us.

It, obviously, is going to take work on our part to make sure that we size
the tasks well. Certainly, staff can work a lot better on a short report or a
couple-of-page letter. An 18-page letter – you know the Subcommittee on
Standards and Security had actually pulled in a consultant full time to help us
with that, and, certainly, when we get to a longer one, clearly, you need
dedicated consulting resources to help us, but it’s one of those things of
pulling in the consultants early to help the staff, knowing that, once again,
like us, you know, they’ve got 40-hour–plus jobs and weekend work and
everything else, because of their commitment, and the fact they’re good. We
want them to – we want to have the best and the brightest.

So take a moment and acknowledge our staff, knowing I haven’t gotten
everybody’s names’ here, but I think we should all applaud them. (applause).

MS. GREENBERG: I would just say it has been, over the years – since 1949,
probably, but I can’t quite remember back that far – but a very good
partnership, and I think you’ve put it that way once, John, and I thank you for
your kind remarks, but, you know, we also look for continuous quality
improvement; but it is a good partnership, and I think that is the nice thing
about the committee.

DR. COHN: Right.

MR. SCANLON: I have been accused of having about half of HHS staff working
for the committee and it is the same 18 or so. (Laughter).

DR. STEINWACHS: Only half, Jim? Only half?

MR. SCANLON: Only half. (Laughter).

MS. GREENBERG: The good ones.

DR. COHN: Yes.

SPEAKER: Just the good ones.

DR. COHN: Yes.

Well, I just – once again, one of the things that the Executive
Subcommittee, I think, is going to do over the next period is really looking at
how to make the workload – how to make it work better for everybody, because I
know how hard Vickie is working on this population report. I know how hard
Harry and Jeff and Maria and Simon worked on both the first and second list of
e-prescribing recommendations, as well as the other subcommittee staff; and, as
I said, I think we are being called upon to do more and more high-quality work
and give better advice to the Secretary. So, obviously, we want it to be
timely. We want it to be relevant. We want to be able to survive the process
and thrive in all of this stuff. So – this will be something I said – once
again, I heard from all of you. We will certainly be reflecting as we sort of
move forward.

Now, the other thing – once again, and I hadn’t really commented on this –
was one of the things I heard from all of you – and, actually, it was my good
idea going in, and so I asked all of you and you – said, you said, Well – that
is okay – was – you know, sometimes, the Chair comes in with opinions and all
of that – has been the issue of empowerment.

I mean, there are 18 of us. We want to make sure that everybody is as
productive and contributes as much as possible to the full committee, and so we
are, obviously, looking to – you know – the new members, we want to encourage
to be as active as you feel comfortable being. The old members, we would say,
Geez, if you are not as active as you think you should be, hey, let’s get you
more active and more involved.

DR. STEINWACHS: Do they have pills to help with that?

DR. COHN: What?

DR. STEINWACHS: Do they have pills to help with that?

DR. COHN: No.

SPEAKER: Stimulant –

DR. COHN: Stimulant. (Laughter).

But – and so we’ll be having conversations with that. I mean, some of it
may involve people moving from one committee – some committee to another or a
workgroup if their interests are more aligned with one place or another, and
this is really, once again, with the transition, the time to think about that.

The other piece, though, which I thought was important, and I – it is not
something that I can, myself, make happen, but it is a conversation with the
subcommittee chairs, is this idea of having virtually every – and this is not
absolutely – but we want the workgroups and the subcommittees to consider
having vice chairs as much as possible.

Now, I am not going to ask the Standards Subcommittee to have that, because
they have cochairs, but in other environments, I think, where it makes sense,
you should consider having a vice chair. I think it helps spread the workload,
helps spread the leadership and responsibility. I guess out of my own
experience, having Jeff as my Vice Chair for many years on Standards and
Security, I thought worked very, very well, and so, once again, hopefully, what
we are going to be doing is just getting a lot more – everybody sort of
involved in one way or another, in terms of not just the work and coming to the
meetings, but also in terms of leadership, the goal setting and all of this.

So, anyway, this is not something I can do alone. I am going to be looking
to the Executive Subcommittee to sort of help figure out how to do this. I am
not asking any of the chairs to appoint vice chairs during the session coming
up today or probably not – and maybe not for the next three to six months, but
will be, I think, moving sort of in a stepwise fashion towards that.

Marjorie, do you have a question? It looks like you have a comment.

MS. GREENBERG: I just realized that I didn’t want to let people – when you
were talking about pepping people up a little bit or Don was talking about
that, I realized that I needed to tell you something about the dinner tonight,
and I didn’t want everyone to disperse before I did.

DR. LUMPKIN: Dinner? Tonight?

MS. GREENBERG: As you know, we are going to Maggiano’s. I think most of you
are coming, and that is great, and if you have not told anybody that you want
to come and still want to come, please check with Debbie Jackson. I think we
might be able to squeeze in a few more, if possible

DR. COHN: I think we need to give John more responsibilities anyway.
(Laughter).

(Dinner plans discussed.)

Speaker: The meeting is five to six, NHII, right?

DR. COHN: Yes, it is going to be – I mean, we haven’t gotten into sort of
talking about the meetings, but obviously, the Subcommittee on Standards and
Security will be meeting here from three to five, then that room will be taken
over by the Workgroup on NHII. That will be an abbreviated meeting, only
because those of you who know Washington know it is going to take a little
longer than half and hour to make it up to Friendship Heights, at least in my
experience. So this will be probably a 45-minute meeting, something along that
line, 30-to-45 minutes.

The Subcommittee on Populations meets in 305, which is downstairs.

Now, I didn’t mean to have us get into all this stuff, but I think it is
important that everybody sort of know what the plan is. So, Marjorie, thank
you.

MS. GREENBERG: And the dinner, we have a private room. So it’s upstairs.

DR. COHN: Yes.

MS. GREENBERG: You can either take the elevator or walk.

And, then, tomorrow morning, both of the subcommittees or workgroups are
meeting on the third floor.

DR. COHN: Oh.

MS. GREENBERG: 325-A, Privacy and Confidentiality, and 305-A, Workgroup on
Quality.

DR. COHN: Yes, and I think Bob would remind you that he is starting at
8:30. Whereas, Mark is starting at 8.

SPEAKER: That is because Bob heads up a Quality Workgroup, and, you know,
they take these quality-of-life –

SPEAKER: Rather than quantity –

DR. COHN: Exactly.

DR. COHN: I think after that letter revision, I think he is going to need
to start at eight o’clock, actually. (Laughter).

Now, let me, however, get back to the agenda here, and let’s talk about
just a couple of things.

Agenda Item: 2003-2004 Annual Report –
Update

DR. COHN: One is that we obviously just wanted to comment just relatively
briefly about the 2003-2004 annual report, and I’ll say a couple of things and
I’ll ask Marjorie to primarily chime in, but this is the NCVHS update.

We, I think, have been collecting research proposals coming out of the
various reports, subcommittees, workgroups, in terms of their reports that we
are intending to add to that.

What we are doing, primarily, is doing sort of a literature search looking
at all the various things that we maybe have recommended, just so that, I
think, HHS and others can sort of see a potential research agenda coming
together.

Did you have other comments that you would like to make about this one?

MS. GREENBERG: About the annual report?

DR. COHN: Yes.

MS. GREENBERG: Yes.

This actually is a biannual report. I mean, the committee has – just for
the new members – has always – well, a very long time – maybe from the
beginning – has always done an annual report. Bill remembers that probably – on
which we report on the work of the subcommittees, et cetera.

In the last several years, we have been tending to do more biannual
reports, rather than annual reports, and then we also – partly because since
1996 and the HIPAA legislation, there’s an annual report to Congress on HIPAA
and all its provisions. So that has not substituted, but been another annual
responsibility.

What we had talked about doing at the Executive Subcommittee meeting last
summer, I think it was, was to try to pull together the recommendations that
have been made by the subcommittees and workgroups for future research and put
them all in one place in this report – maybe in a section or an appendix –
because our sense was that these are more long-range types of recommendations,
and they don’t tend to get acted on really quickly, and they can kind of fall
off the radar screen, as it were, because they may require – probably do
require – additional resources, et cetera. So we wanted to kind of highlight
those, and we have been working with the subcommittees to identify what those
are.

We had also talked at that meeting – and, this, I guess, will be further
discussed by the Executive Subcommittee – about thinking more about the
research implications of a lot of the other recommendations that have been made
over the last – since 2000, because there are many more of those than there are
just strictly recommendations for research, and that would be for the future.
That would not be incorporated into this 2003-2004 report.

We did approve an outline for the 2003-2004 report at the last meting, and
I apologize, I don’t think we put it in the agenda book, but we can send it to
the new members. We have a writer who has been our writer for many years, Susan
Kanaan, who is working on that with us. She will be interviewing the
subcommittee chairs, and, of course, Dr. Cohn, because we’ll be doing a
forward, as well, to the report, and so – and she may be calling subcommittee
lead staff as well. So, please, give her a little bit of time when she calls
you. She has all the written documentation, but she might want to talk to you
about some specific areas.

So our plan is to get this draft report out to you before – at least a few
weeks before the June meeting. Well, actually, we’ll send it through the
Executive Subcommittee earlier than that, and it will be vetted through them,
and then it will go to the full committee, and the goal is to have it approved
at the June meeting, so that we can transmit it to the Department, and we’ll
publish it, et cetera.

Any questions about that?

I don’t know how many of you remember Car White(?) or know Car White, very
distinguished former Chair of the Committee. Both of you are a long line of
distinguished Chairs, and Dr. White, who is retired from Johns Hopkins, of
course, he is now at – he has a collection at the University of Virginia
Library, and I was tickled to find out that his collection includes every
annual report of the National Committee, So we do live at UVA. (Laughter).

SPEAKER: Hear. Hear.

DR. COHN: Mark, do you have a comment?

MR. ROTHSTEIN: No. (Laughter).

DR. COHN: Now, speaking of reports, I was actually – you know, one of the
great joys of being a former Subcommittee Chair is is that you get to reflect
on work that needs to be done by the current Subcommittee Chairs.

MS. GREENBERG: Did I suggest that to you?

DR. COHN: No, no – (laughter). I’m sure John felt that way when he moved
from –

MS. GREENBERG: – the HIPAA report.

DR. COHN: Yes, did you write down the HIPAA report? Okay. All good minds
think alike.

Well, we have, as part of our rechartering under HIPAA, back in 1996, the
committee is responsible for producing an annual report to Congress and HHS on
administrative simplification and the status and – you know – status of that
activity.

In the first couple of years, it would only be Standards and Security
Subcommittee that was writing for that report. Obviously, in more recent years,
it has been really a combined effort between Standards and Security and Privacy
and Confidentiality, and, of course, this year – I mean, we’ll have to figure
out when the year ends, but part of – yes, yes, but I think we may, you know,
given that we are going to be putting security in this year, we might want to
very much think about – and I am looking at John Paul – and, John, we will
continue to use your middle name –

MR. HOUSTON: That’s John Houston.

DR. COHN: John Houston. Okay. (Laughter).

Thinking that we may time this in such a way that we can, obviously,
comment on the implementation of the security rule and all that as part of
this, and, clearly, there’s been a lot of, I think, other important pieces
going on, but I would just sort of remind subcommittee chairs, that, on top of
everything else, there is the opportunity to reflect a little bit about how the
HIPAA implementation is going on.

MR. SCANLON: I think since e-prescribing was such a big part of this year
that Harry and Jeff should take the first shot at the – doing the report.
Nobody is laughing. (Laughter).

Simon.

DR. COHN: Yes. I’m sorry.

MR. SCANLON: I think what we can do is to get started – remember, the last
annual report on HIPAA implementation actually turned out to cover a two-year
period, because whenever we thought we were finished, it would be another
milestone and we wanted to say, oh, let’s see how that goes as well.

We are actually coming at this on stability, at the moment. So what we can
do is have the staff pull together the factual developments and what we can on
where we are with HIPAA, and, then, the committee – then, the committee can
reflect on what issues it wants to raise in terms of how things are going and
what to look forward to.

We did shorten the report considerably, which I think probably makes a lot
of sense at this point. Rather than a full 50-page report, I think we sort of
did a – what? – a sort of a letter, half-a-dozen pages or so, where we got the
bulk of the information, and then a more detailed report for those that want to
look at all the details.

So I think, with your permission, we’ll go ahead and get the staff pulling
together at least the factual basis, and then the various subcommittees can –
how they want to interpret it or what they want it to look like.

MS. GREENBERG: And, Jim, what should we shoot for? Approval by June or by
September?

MR. SCANLON: Let’s see. The only other major milestone we have now will be
the security rule kicking in in April. I don’t know how much experience we
would have by June with that. Should we aim for September and at least see how
the early months of security go?

MS. GREENBERG: Well, there might be some NPRMs, too, I guess. I don’t know.
What would you recommend?

MR. SCANLON: Well, we do have one –

MS. GREENBERG: Maria?

MS. FRIEDMAN: This is Maria Friedman from CMS, and I would vote strongly
for another letter report. I think, on timing, we should give the security rule
a few months to kick in.

However, I’m not sure how long the time frame is when we need to get the
report written, but I think some experience with security is a good thing, and
the content for the other areas, at this point, is largely statistical – number
of complaints submitted, ones that are open/closed and all things like that –
and some of the other accomplishments the agencies have done in dealing with
the issues.

DR. COHN: I think Jeff and Steve.

DR. STEINDEL: Maria, if the security rule is introduced in April, will we
actually have time between April and September to have any real experience with
implementation that we can get into the record?

MS. FRIEDMAN: Don’t know. I think we ought to allow some time. If there is
not sufficient experience or very much at that point, you can certainly address
it the following year –

DR. STEINDEL: That is the way I would like to approach it. I think we
should keep the September date, but –

MS. FRIEDMAN: I think we are bound to mention it, because it is a very
important date and it is a very important set of activities.

MR. HOUSTON: We do have the luxury to put in what we want to say about
security, go through the review, and if something big comes up in the middle of
a review that really warrants discussion, we can put it in, I think, towards
the end. I mean –

DR. COHN: Jeff has been patiently waiting to make a comment. Please.

MR. BLAIR: Donka shane.

A number of years ago, things were more straightforward when we were doing
this report, because it was clear that things were directed from HIPAA to the
NCVHS to do things.

Things evolved, and we had the PMRI report. Then, we had the PMRI
message-format standards, and then we had – we moved into PMRI terminology
standards, which became clinical data standards, which became consolidated
health informatics – and I don’t even know whether that is considered HIPAA
anymore – and then to make it more interesting, we have the MMA with the
e-prescribing, and while that probably isn’t HIPAA, I wonder if it is useful to
omit that from the report to Congress, because all these standards really have
to be interoperable. So how will we handle that evolution?

DR. COHN: Sounds like Jim has an answer.

Actually, I have some thoughts, too, but, Jim –

MR. SCANLON: It’s very true, Jeff, this area has evolved very significantly
since 1996 when we thought HIPAA would be easy – it’s true – and all we had to
do was adopt the industry standards.

This is a formal – the HIPAA report is a formal report to Congress, and
they generally don’t go away unless the Congress specifically deletes it from
reauthorizations.

On the other hand, I would hate to see that particular report as a vehicle
in the place where all of these other issues get raised. It is just not a very
suitable – it was meant to be a very specific kind of a requirement. So either
– in the annual report someway, perhaps, we can integrate all of the
information.

I do think we normally try to include in the report to Congress, though, on
HIPAA at least a glimpse of the broader framework of which HIPAA is a part,
that we don’t go into – we don’t – you know, we don’t provide milestones or
detailed reports there.

So my own recommendation would be that we keep to the original intent of
Congress, which was a report on HIPAA implementation. It is much – now that
privacy is in full implementation, security will be coming up. We have one or
two more of the standards – claims attachments, for example – to make it into
regulations. There’s still plenty to include just on the HIPAA focus alone, but
I do think we have to at least allude to the broader context and the work of
the committee on these broader fronts.

MR. BLAIR: Thank you.

DR. COHN: Yes. Do others – I have a comment on this one, but I am curious
if others –

MR. REYNOLDS: Yes, I think it would be good to point out in the HIPAA
report that the privacy, security and some of the transactions – still continue
to be foundation standards, as we are looking at the new things that are coming
along. So they didn’t just play on their initial implementation what they were
focused on. Looks like they are going to be good, solid base standards going
forward. That may be a way to tie it in without getting into the specifics of
the other things that it did, whether it’s an electronic medical record or the
PHR or e-prescribing or anything else, but just to point out that they still
continue to be held in good stead as base standards going forward.

DR. COHN: I think your comments are sort of aligned with how I tend to
think of this one. When I talk about all this stuff, I talk about the HIPAA
sort of as Phase 1, and then the clinical data standards as sort of Phase 2,
all moving up towards the NHII, which is really how they all – I mean, that is
how I think how we all anticipated that they would be fitting together.

But I agree with Jim. I mean, one could easily spend three-quarters of it
talking about e-prescribing, CHI recommendations, maybe in Federal Health
Architecture, but I think, in reality, what you want to do is you want to focus
primarily on the Phase 1, recognizing, I still think, everything I have heard
so far – and I’m looking at Carol, because I think she is sort of agreeing with
me on this one.

I think – so far that there’s room for optimization of the HIPAA
implementation. I don’t think we are quite – this is not, in my view, a steady
state or a done deal or everything is wonderful and whatever. I think we have
implemented. Now, as I described, the harder part is really working with
everybody to make sure that this really drives the value that we had all
envisioned back in the mid-90s, and I think there is the opportunity – I know
it is something the Standards and Security Subcommittee is going to be looking
at, and it may be that that can begin to provide some of the help in terms of
helping the report making sort of a conceptual leap from just this percentage
that has been implemented, but more that people are beginning to show business
value. Just a thought.

Carol, did you have a comment?

MS. MC CALL: Yes, a comment, and I guess the next couple of days I’ll
exercise my rights as a new-be to ask a basic question, because I like the term
– I think, that Jeff used the term evolution. There is a true evolution taking
place, and so my basic question is around this report and – which originated
around HIPAA, and, yet, as we evolve forward and as all things evolve forward,
HIPAA – as you said, we have used the term foundation – becomes a foundation,
but I think it is important to talk about the context and use whatever that
vehicle is to introduce what the important topics are to know about, and what I
don’t know, the question is are there other vehicles besides this report to
help frame what the news should be?

It kind of reminds me of the state that says, I know what you asked me
about, and I will tell you about that, but then I know what you should have
asked me about, and I want to tell you about that, too, and so I don’t know
enough about the various opportunities that we have in a formal way to give an
update about the important news of the day and the important context to be
considered. If this were the only vehicle, I might have a different answer than
if there were others.

DR. COHN: Yes, and this is certainly not the only vehicle, but it is an
important vehicle. So I think your thoughts are well taken, in terms of the
framing of the whole discussion.

MS. GREENBERG: I might say this is the only report specifically required by
Congress to them. Although, it also goes to the Department, but we always send
the annual report to Congress as well. That is certainly a vehicle, and, then,
there are others as well, but this is the only report in which we report
directly – have been asked to report directly to Congress.

DR. COHN: Well, now, with that, I am going to – I mean, first of all, I
want to thank everybody’s input. I think we will aim toward September with,
hopefully, a rough draft in June for us to look at and comment on.

Agenda Item: National Health Information
Technology Update

DR. COHN: I think, with that, we are happy David Brailer has arrived,
National Coordinator for Health Information Technology. We actually have a
place for you in front, if you would like to join us.

David, welcome.

DR. BRAILER: Thank you.

Okay. Well, thank you all for having me back in our regular exploration of
the role of health information technology.

Before I start, I would like to extend my personal thanks to John Lumpkin
for his period of service as now your former chair. I knew John had been chair
of NCVHS for a long time when I asked him to join me for a cup of coffee, and
he said that would be fine, but we would have to publish the agenda of our
meeting two weeks in advance. (Laughter).

I am very glad to have Simon take the lead. Some of you may not know that
Simon and I go way back. He was a Public Health Service physician in a very
small town in West Virginia where I grew up, and while we didn’t meet then, we
share very many common experiences with that small county. So it’s good to have
someone that understands what real America is like in the leadership role, not
that John doesn’t.

Well, you have, mercifully, only given me a few minutes to update you,
which was a hint to be brief and to the point, and so I will do that. I am
going to talk about four activities – our alignment with other groups, in
addition to our growing work with NCVHS; the National Health Information
Network RFI process that is underway; our strategic plan; and, then, Federal
Health Architecture, which follows on the letter that I sent to you in January.

So, first, our alignment with other groups. As you know, the Commission for
Systemic Interoperability is now underway, and they have had, I think, two
meetings, and they are working in a very complimentary manner to what we are
doing. I think they are exploring a variety of areas around consumer aspects
and standardization that we found to be particularly challenging issues, given
the broad array and diversity of opinions and the lack of clarity about what
even the issues are, and so I just wanted you to know that we really welcome
that group. We are working closely with them, and we certainly are quite
supportive of their agenda and are looking forward to their report, which is
due in just a few months, in October.

Secondly, we have had the privilege of working with a private-sector group
which some of you may have heard of called the Certification Commission for
Health Information Technology, and this group is a group of private-sector
leaders that have come together to try to develop specifications for what is a
minimally-featured electronic health record, including privacy features,
security features, interoperability features, in terms of e-standards, and
decision-support functions that would be deemed a bundle of features that would
constitute what any reasonable buyer would want, and I think this is important
work, and we have been watching this, so we have two ex-officio seats, one from
my office and one from CMS. We expect to see more participation there, and they
have a variety of workgroups underway that have a number of federal employees
and federal leaders on, really trying to wrestle with this question of where is
the line drawn. It is going to be very necessary for future incentives or
anything else that might happen around electronic health record.

So, secondly, we have, as you know, now received all of the responses to
the RFI that we put out for the Nationwide Health Information Network, and just
to give you a word on that idea, we are trying to define what is it that is
needed to be able to allow functional or active interoperability between
electronic health records. If they are standards compliant, there has to be
infrastructure that ties them together, so that information can flow in a
secure and seamless manner and can be controlled by the patient and others, in
terms of who sees it and who does not. This is not random chance or
happenstance that allows this to occur. It’s an investment in infrastructure,
and this RFI was intended to ask the questions about where does the money come
from? How is it operated? Who operates it? What are the technology issues?
Where are the gaps? What is it that needs to be developed? What do we have in
place? What are the implications for the consumer, for the provider or other
stakeholders? How does this fit within our scheme of what we are doing with
standards and other things? Numerous questions. You can download them from our
website or I’m sure some of you may have seen them, but we received a number of
responses.

We received 540 responses from organizations and groups of organizations,
and we received another 500-plus from individual people, including privacy
advocates or, for example, one that I was just looking at this morning, which
was the story of – from the parents of a child, an 11-year-old, active, healthy
child, who was playing soccer, cut his ankle, had an infection in the ankle
that had to have an IND – that is an incision and drainage, for those of you
that didn’t spend part of your life in medical school or don’t have an
11-year-old – (laughter) – and that child had a bleeding diathesis that was
reported in its personal health record and electronic medical record, and the
surgery center did not have this information available, and the child bled to
death, and this parent wanted everyone to know about what interoperability
meant in a very real way in people’s lives, and so we went from very large
industry companies to very real experiences about having information and what
it means, and we are now pouring through those responses.

We have assembled a federal task group that has about 150 federal employees
on it spending a significant chunk of their time – I think a number of people
here are doing this in your spare time. I know things are very busy, but this
is a real treasure trove of information that helps us understand how to guide
policies and what the actions of the federal government should be and how it is
that this challenge that the President gave us comes to exist, and so we are
compiling and creating a meta-analysis of those responses, so we can understand
the types of responses and what they mean, and then we’ll be releasing that
internally first and then externally, so there can be a debate about what does
this mean and where do we go from here, and what are the issues.

And so this is a very important thing that I think has had numerous
contributions from federal agencies, but, also, I think, it has contributed to
people’s thinking about how does this compare to what we might be planning in
an agency or another effort. So this is an important effort underway, and, to
our knowledge, 22 of the respondents have publicly released their responses,
and they are available from a variety of sites. I think HIMSS was compiling a
list of all the publicly-released responses. So we’ll be doing more with this.

Now, following from this, as you know, last year, we released the framework
for strategic action that took the President’s overall vision and unbundled it
into a series of specific goals and strategy, and we are now working actively –
the RFI is one part of this, but we have a variety of activities going on
otherwise to define not just the big goals and strategies, but the who, what
and when components, so this framework can become a full strategic plan.

We were charged by Executive Order 13335 to maintain, release and advance a
strategic plan, and we have had now seven months, and, by the time we release,
short of a year of numerous public reviews. We have seen more than 300 meetings
and conferences that have discussed and reported on the strategic framework. We
have had numerous letters and forms of communication to us giving us feedback
and thoughts, policy statements from groups representing providers, consumers,
health plans and others, and we feel now that that can be mixed with the
significant internal dialogue within federal agencies about this to be able to
make more definitive statements about how we’ll move forward. So that is
underway, but we do expect to address four specific issues.

One is the adoption gap, which, as you know, results from large hospitals
and physicians being in a position to put in place electronic health records
and small offices of doctors or hospitals being unable, and the Commonwealth
Fund that recently reported that – the Commonwealth Fund Report that showed
that large physician offices, with more than 50 physicians, have a 60-percent
chance of having these technologies or being very close to full implementation,
and small offices of less than 10 physicians have around a 12- to 15-percent
chance. So there’s a four-to-one gap that we think is quite significant that
needs to be addressed.

Secondly, technical harmonization. I have been having a variety of meetings
with standards organizations and face the conundrum of – we have numerous
standards-development activities underway, which represent, I think, one of the
great accomplishments in healthcare in terms of the ability to have
consensus-based dialogue about how is it that we represent syntax or we have
transmitted or we allow interchange to occur, but I think it is fair to say
that we don’t have a macro process that ties those organizational processes
together into one or a finite set of tasks, so that we can understand how we
develop the overall profiles that cross different standards-development
activities. So we are looking at how we can do that, and I think that that
shows promise for being able to develop a much clearer release process over
time.

Thirdly is business-process harmonization. I think one of the most
substantial things that we face in interoperability is that numerous hospitals,
doctors or other participants can be HIPAA compliant, yet non-interoperable
with others, because of their security policies or access or authentication or
authorization policies, informed-consent policies; and states, obviously, with
preempting can set various different levels, and so these business-process
variations, I think, are quite significant.

An example could be one organization could say that only a password is
required to get access to their information. Another could say that a biometric
device must report, your thumb scanner, retinal scanner, whatever other body
component you want to represent you with, but the point is that we – to allow
that information to be exchanged, either the security organization has to raise
their level of security, which is costly, or somehow the high-security
organization needs to lower their level of security, which perhaps is risky to
them, given their policies or there needs to be a trusted broker in the middle,
and we are really trying to understand how that can happen, but this, to me,
emerges as one of the most substantial barriers to interoperability, because I
think the technical issues can be resolved and have been resolved in other
industries and even in healthcare.

And, of course, we want to speak to privacy and we want to understand what
is happening with your hearings and continue to listen and watch that and to
summarize a variety of our own dialogues that have been held in various
settings.

So this should be forthcoming. We are targeting this for this calendar
year. I don’t have a firm date yet, because it is the result of a series of
deliberations, rather than the deliberations serving a date, but I think it is
very important that we do have clarity with what needs to be done and how we
need to be able to do that.

Finally, I sent a letter to you describing what we are doing with Federal
Health Architectures. You know, this is the vehicle by which the federal
government aligns information tasks in the health line of business, and the
challenge of this has been to develop standards and business processes and
contracts and various other implementations, so that we can have a more
harmonized set of federal information systems.

This is important because it is not just living in an island in the federal
government. This translates into how information is reported for public-health
purposes, how information is reported for bioterrorism purposes, how
information is reported for quality monitoring for clinical trials or for
market-based adverse-events around drugs, and the Federal Health Architecture
has worked for several years to try to develop plans for alignment, but we are
scaling up and escalating those activities, and we are asking for your
commentary and review and input on how we can integrate this more directly with
what is happening in the private sector and how we can make this activity a
more meaningful state-of-the-art activity, given the planning and management
techniques that are available.

In the end, it is our goal to use this to streamline what it is the federal
government does, not just for short-term budget savings, but so that we are not
imposing new costs or burden on the private sector as each individual agency
fulfills its programmatic purpose by asking for data on a one-up basis from the
private sector – not that that would ever happen.

So this is where we are right now. It is a very busy time, but I think we
enjoy not only the continued support of the President, but, now, Secretary
Leavitt, who has been a wonderful contribution to the Department, and, already,
his very positive leadership is being seen, and so I will ask you to stay
tuned, and I would be happy to answer your questions in the time that I have
remaining.

Thank you, Simon.

DR. COHN: David, thank you.

Comments or questions?

DR. STEINWACHS: David, you briefly sort of mentioned the challenges about
having consumers exert control over their parts of the National Health
Information Infrastructure. Is there a process that you are particularly
undertaking trying to engage consumer groups and bring them together with the
professional groups or – I’m sure you are hearing a lot from consumers around
these issues.

DR. BRAILER: We are, and there are really – right now, Don, there are three
classes of activities, but I don’t think they were intentional. They just kind
of self clustered.

First, in many of the regional initiatives around the United States, I
would say the overwhelming share of them have consumers involved, and when
asked – even though we have no definitive policy position, our sense is
consumers should be a meaningful stakeholder being there, and so I know that
there is a great deal of dialogue.

A number of regional projects have submitted responses to the RFI and told
us about how consumers are involved and what the issues are that they raise,
and it is not surprising that they don’t see the world in the same way that the
provider or the plan does and that in many of the projects they have reported
that the consumers are looking for a true person-centric approach to this that
would not be unlike Google or other things that allow information and process
to surround the person, as opposed to the other way. So that is one.

Two, we do have a number of consumer groups who have reported to us their
concerns through the RFI, and it has kind of become the common pathway by which
a lot of people have given us feedback on, frankly, a wide variety of issues
that go even beyond the specific questions, and we are still compiling that. I
wouldn’t have any way of really reporting to you anything meaningful, but
there’s clearly a signal coming through that this is on the radar screen of
most consumer groups. They see both risks and benefits, and they are trying to
make sure that our actions unlock the benefits in a way that don’t create
either the risks or the perception of the risks.

And, thirdly, there are a variety of conferences and meetings that we have
been participating in that are organized around the consumer front where this
might be one of many issues, and, there, we are really listening to hear where
the dissonant messages are, but, you know, I think if I could characterize the
overall message I hear it is the issue of data control and ownership, although
I personally don’t know how to use the word ownership here, because I don’t
think it means the same thing to every person, but I think therein lies the
question of where do we go. It is a question that goes far beyond privacy. I
think it has more to do with autonomy and trust, and, you know, I think they
are asking, over time, for definitions. I consider that to be kind of one of
the real social-policy questions that we are going to come up against, but,
right now, we have very positive engagement from the consumer groups, who see
adverse events and see the use of funds for things that are wasteful versus
things that could be beneficial and really want to exert choice and have
information to help them pick treatments and doctors and hospitals. So it has
been a very positive experience so far for us. Thanks.

DR. STEINWACHS: Thanks, David.

DR. COHN: Yes, David, I was just going to ask – I actually thought Don was
going to ask. He is our new Chair of the Subcommittee on Populations, and I’m
sure that he was interested in the second bullet in your letter talking about
the population dimension and –

DR. STEINWACHS: See, Simon, I relied upon you to cover for me. See?
(Laughter).

DR. COHN: Well, I knew you would be interested. Yes.

So we are just curious if you had any thoughts about that or any comments.

DR. BRAILER: Well, you know, to be candid, I think one of the reasons we
include this in the letter is because this is one of those other areas which is
quite poorly defined, and we don’t think that we are in a position to provide
the definition for that; but, clearly, the concern here is that, as we move
into a point-of-care – an age of modern point-of-care information technology,
where clinicians have – at their fingertips to do the things that we want
clinicians to do and consumers have them, the natural question becomes how do
we make use of this information to change how we view the monitoring and the
correction of public-health deficits.

I have no doubt that we’ll find a whole new set of issues and a whole new
set of lever arms to make change, and I find this to be one of the really
important, long-term agendas that is only beginning to be grappled with, and so
we are hoping that you can provide clarity and some definition, if not, you
know, a roadmap, at least a set of the key questions that should be addressed,
because, as we go through this period over the next few years – and I mean we
as an industry and not we as in government – we have opportunities to do the
right thing in terms of setting up the infrastructure to advance population
health monitoring and improvement or we could be agnostic to it and just let it
fend for itself, and I am hoping that those issues come to the table.

I was very happy to see a number of population health organizations and
advocates, again, respond to the RFI and raise those questions. So I am not
signaling a deficit in the responses. It is really more this is a chance for
important dialogue, then I think now is the time, because I do believe over the
next couple of years that decisions will be made that will potentially
foreclose options that are unknown. So I hope that we can have more dialogue
about that. We certainly would welcome your feedback and reports.

MR. HOUSTON: You indicated that the RFI, the input from the RFI was going
to make its way into some type of document. What is the intent of that and what
is the time frame and –

DR. BRAILER: Well, let me tell you the reason for that. You know, we could
have asked these – put these questions out and worked with NCVHS to have people
come and give testimony.

Now, I calculated, based on the number of pages of responses that we got
you would have about 9,000 hours of testimony and plus there was a second
issue, which I want to highlight in addition to just the time burden, and that
is that we felt like one of the mistakes that we could make was to allow public
posturing to take place for real disclosure deficits, and my point is not to
say that what happens here is public posturing, but when we have companies that
build security technologies or other technologies, we don’t want brochure ware.
We want to know what they can do, and many of our responses have asked for
trade-secret protection, which is a quid pro quo of a full disclosure of what
they can do.

As we try to assess the technical gaps that we face, I think it is very
important that we understand whether or not we are building off the shelf or if
we really have to go back out and do fundamental R&D to solve these
problems, and we did allow trade-secret protection in this process. That is why
we called it an RFI, as opposed to a variety of other mechanisms.

Now, the quid pro quo is, given that we have to give those protections to
individual responses, we don’t want that to coop public debate about these
important issues that would happen if testimony came here. So we announced when
we announced the RFI that we would release a public summary that is not showing
individual responses, but compiling them. So you’ll know that 17 responses said
largely the same thing about security. Four said this. Three said this, but you
won’t really know who it is, unless that group chooses to disclose.

The timing for that is – I’ll answer it in a sequential method. We are now
going through the compilation. It is incredibly tedious, and we want to make
sure that we really understand not just the answer, but the meaning of the
answer, and it is taking a lot of dialogue as we kind of filter through that.

When that is done, this will be released internally to make sure that there
is agreement that our summary is a true and accurate summary of what happens in
these responses, and then it will be put out. I can’t give you a date, but it
is urgent that we get that out.

And when that happens, we will then start a second process of an analysis.
What I am describing now is just a summary. We are not commenting. We are not
polling. We are not comparing, simply summarizing. That analysis will begin as
we start trying to compile down to what are the modalities and what are the
actions of government that are necessary here, and we hope that that analysis
will coincide with public debate, so we can have convergence on, Well, what
should we do about this? What is the parts list? How do we deal with it? Who
does it? What is the role of the various players?

So, you know, our hope is that that happens certainly by summer of 2005,
because of the urgency of the topic.

The urgency of the topic, I’ll just say as an aside, is that we are seeing
already reports of significant uptake of electronic health records as a result
of the warming climate on this topic – and largely by very large organizations,
I might add – but every electronic health record that is adopted is, I think,
almost by definition, not interoperable, and we want to make sure that we don’t
wait and miss an opportunity that I think will present us once, which is now,
and that is why we feel significant urgency on defining the interoperability
questions right up front.

DR. COHN: Jeff and then Harry, and then we’ll wrap up.

MR. BLAIR: First of all, I would really like to say how pleased I was in
the initial report you have shared with us and that I have been able to read
through the on-line publications, as you have made presentations to other
groups, in terms of what you have been able to glean out of the RFI process and
the priorities and, you know. It really answers a lot of the issues that I felt
needed to be addressed. So it really made me feel very comfortable with all
that you are getting out of this. So I want to extend my personal compliments
on that.

DR. BRAILER: Great. Thank you. On behalf of the whole team working on it,
thank you.

MR. BLAIR: There’s one thing that I think you are probably familiar with
and I was wondering if you had any thoughts or reactions on it. There was a
survey just recently about the percentages of Americans that were concerned
about privacy, and, apparently, it was juxtaposed to whether or not they felt
that the benefits of electronic health records or personal health records
exceeded their concerns about privacy, and if you had seen this, I was
wondering, you know, if you had any thoughts about what we could do to move
public opinion where they could understand two things.

Number one, the benefits of electronic health records and personal health
records, but, number two, I’m not sure that the public is entirely aware of the
things that have been done to protect the privacy with privacy regs and all,
and I was wondering if those were two areas where you were thinking they might
fold into your plans.

DR. BRAILER: First, I am aware of that study, and I know that testimony was
given here recently about it, and there’s a great deal of discussion about it,
and I am not sure that I have anything to add to the discussion that was
raised.

I did have some questions about the actual survey itself, in that I am not
sure that we can draw meaningful conclusions from one survey done at one point
in time with one methodology, as opposed to surveys with multiple different
types of questions where the overall interpretation of them is what the
American public believes, but taking that study at face value, I think whether
or not those numbers are exactly right or not, I think it is very clear that
Americans do have concerns about privacy of their health information. This has
been a consistent finding of numerous studies going back as far as I know,
which – the first I saw was over 10 years ago, and I think there’s a growing –
and the most interesting part to me is a growing awareness that electronic
systems can do something that helps Americans, and when I looked at that study,
I saw, boy, that is a pretty large share of people to think electronic health
records are really beneficial, such that there’s a horse race going on between
these issues in the minds of most people, and I think that is a remarkable
testament to how people are able to see that when their doctor uses a computer
– and I admit it is a relatively rough test – that something good can happen
for them. They do see the electronic health record as something that is in the
realm of therapeutic for them, in terms of improving health status. So I
thought that was really a remarkable movement on the positive side towards
that.

I think the question about privacy, to some degree, reflects the climate of
the time, and I think it represents a great deal of uncertainty about what it
is that will be done, and it is that survey and others that have caused us to
make sure that we have a significant set of activities going on to understand
and define what those issues are and how to plumb them.

I think one of the most difficult ones is how is it that we define for the
American public what the relative privacy risks are of the electronic health
record compared to the paper record, and I think, you know, HIPAA
notwithstanding and the rules and the great investment that many providers have
made in America to ensure that records are private, I don’t think anyone can
differentially argue that paper is more protectable than electronic
information. If that is the case, then we would not see the security
apparatuses we have for various other things moving away from paper for that
reason, and I think any person that goes to a clinic where there is an
electronic health record and sees that, for example, the front office clerk can
only see the demographics of the patient and the insurance information and
don’t even know what else is there, let alone being able to see it or see how
information can be logged, so that when someone does view information, we can
keep track of that and act on that. It really, I think, raises this question of
that is not even possible in the paper world, let alone feasible.

And so I think, you know, ultimately, there are two debates that are going
on, and I think we are beginning to see it. One is the relative privacy of
paper versus electronics, and the relative tradeoff of privacy versus quality
and access in the benefits of the electronic health record.

So, to me, the question is how do we frame that debate so it is positive?
How do we make sure that we minimize any concern or reality of privacy risk and
how do we make sure that the public sees and does realize finally the benefits?

One of the reasons that we have been watching the Certification Commission
is because there is a significant degree of variability in the security
practices of electronic health records, as are there variability in the use of
decision support, which are what constitutes most of the value, and we think
that it is – there is a benefit towards having a minimum feature – a minimum
set of features so those can be realized.

So this is really, I think, probably one of the most important discussions
that is happening over time, and I think that we see the beginnings of a very
healthy debate about this topic, about how we move forward. So I was glad to
see that opening salvo in this whole discussion.

MR. BLAIR: Thank you.

DR. COHN: Final question, Harry?

MR. REYNOLDS: No, my question was answered.

DR. COHN: Your question was answered. Okay.

Well, David, we want to thank you for joining us. I think, as we had
discussed, obviously, we are anxious to obviously consider and work on the
issues that you had described, and, certainly, from my view, the Federal Health
Architecture is an important issue. The full committee will begin to talk about
it in June. We may begin to have conversations within the subcommittee level
before that.

The issues of the – I think you described it as technical harmonization and
FHA are, to me, a very closely-connected group and are something that I know
that the committees have a lot of experiences working around, and, hopefully,
we should be able to provide you some assistance and maybe some advice about.

DR. BRAILER: That is very helpful. I welcome it. Thank you all very much.

DR. COHN: David, thank you.

Okay. Now, we are running a little bit late. We do apologize. We’ll give
everybody like a five-minute stretch break, and 3:30 the subcommittees will
reconvene. Populations will be downstairs. Standards and Security will be here.

Five o’clock is the NHII Workgroup.

Remember, tomorrow morning, workgroups – Workgroup on Quality starts at
8:30. Subcommittee on Privacy and Confidentiality starts at eight o’clock. The
full committee reconvenes at 10 a.m., I believe, back in this room. Is that
correct? Okay.

So, thank you. We will adjourn this meeting, and we will see you this
evening.

(Whereupon, the Full Committee adjourned at 3:23 p.m. to reconvene the
following morning.)