[This Transcript is Unedited]
The Department of Health and Human Services
National Committee on Vital and Health Statistics
Subcommittee on Privacy and Confidentiality
March 4, 2005
Hubert H. Humphrey Building
200 Independence Avenue, S.W.
Washington, D.C. 20201
CASET Associates, Ltd.
10201 Lee Highway, suite 160
Fairfax, Virginia 22030
P R O C E E D I N G S [8:05 a.m.]
MR. ROTHSTEIN: — so I’d like to begin, this is the meeting of the Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics and I think for the record we need to have everyone introduce themselves so that’s on the record and I don’t think we need any conflict disclosures today. I’m Mark Rothstein, chair of the subcommittee.
MS. FYFFE: I’m Kathleen Fyffe, I work in HHS, the Office of the National Coordinator for Health Information Technology, and I am staff to the Privacy Subcommittee.
DR. HARDING: Richard Harding, University of South Carolina, member of the committee and subcommittee.
MR. BLAIR: I’m Jeff Blair, Medical Records Institute, I’m eavesdropping — which is why I’m sitting next to Richard.
MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina, member of the committee.
MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member of the subcommittee.
MS. GREENBERG: I just realized I’m Simon Cohn here, actually I’m not, I’m Marjorie Greenberg, NCHS, CDC, and executive secretary to the committee.
MS. WILLIAMSON: Michelle Williamson, NCHS.
MR. ROTHSTEIN: We have a new member of the subcommittee and that’s Paul Tang and I’m assuming that he’ll be here later, maybe he thinks that it’s 8:30. He’s in 305?
The other thing I want to remind everyone is that Kathleen is passing the torch or the baton or something, the mantle, as lead staff —
MR. ROTHSTEIN: — and so Maya Bernstein(?) who is ill today is taking on the position as lead staff.
MR. BLAIR: Now there’s something especially important about Maya and that is she grew up in Albuquerque, New Mexico, she went to high school in Albuquerque, New Mexico.
MS. GREENBERG: I did not know that David Brailer had grown up in a small town in West Virginia where Simon Cohn had been a public health doctor, interesting trivia.
MR. ROTHSTEIN: So let’s go over, if you have at the end of tab one our agenda for the meeting and there are a variety of things we need to discuss. First I know most of you were there, John was not, at our hearing on February 23rd and 24th which was the first of the three on NHIN, I thought the meeting was very successful. We are having a summary prepared by Maya and I don’t know where that is now, so we’re, maybe you’ll get it with any luck next week —
MS. FYFFE: The summary of the February 23 and 24 —
MR. ROTHSTEIN: Correct, so we will distribute that. Good morning, Paul, welcome. Our agenda is, I don’t know if you got your big book, I was saying that a review of the, or summary of our hearing from February 23rd and 24th I hope to get to you by next week and Maya is working on that. Let me just go over the theory, or the thinking —
MS. GREENBERG: Excuse me, I just wanted to ask, I assume this is a high level summary, not based on the transcript or anything?
MR. ROTHSTEIN: Correct.
MS. GREENBERG: Okay, because there still will be minutes, you still won’t have official minutes.
MR. ROTHSTEIN: So this will be a kind of a working summary so that we have in one place some of the ideas so that we can start percolating our own theories and people can add to that summary. And our strategy is to have three hearings, or three sets of hearings, three two day hearings, on NHIN and the first hearing involved experts in privacy and bioethics and consumers. The second hearing, and we’re going to be talking about that, we will hear from providers. And the third hearing is going to be, we’re going from the most general level to the most specific level and the third hearing we’re going to hear from health plans who have already used electronic health records. We’re going to hear from information technology experts who can answer questions about the capacity of various systems to incorporate privacy safeguards that we may consider recommending to the Secretary, and consider sort of practical problems in implementation from a privacy standpoint.
Our goal is to have a letter to the Secretary come up at our September meeting of the full committee, so that’s the schedule. Now we are already lined up for our Chicago hearings on March 30th and 31st and we’re going to talk about the agenda, you can distribute it. And then we have a couple of dates for the third hearing and will depend on Paul’s schedule and Harry’s schedule which one of these two sets of dates we’re going to go with and those dates are May 10th and 11th or June 6th and 7th, I’m sorry, June 7th and 8th. And that will be here in Washington. So depending on what would work, I don’t know if you’ve got your schedule, Paul —
DR. TANG: I do.
MR. ROTHSTEIN: That would be excellent, so if you could figure out —
DR. TANG: What are the two dates again please?
MR. ROTHSTEIN: May 10th and 11th or June 7th and 8th, and then we’re going to see if they work and see if —
MS. GREENBERG: I’m not essential but I know I can’t do May 10th and 11th, I’m looking at the June dates. I do hope to come —
MR. ROTHSTEIN: It says okay under your name for those June dates.
MS. GREENBERG: The June dates? I said we’re okay? Well, then they are. I hope to come to the Chicago meeting also.
MS. FYFFE: Excuse me, have we secured a federal office building?
MS. GREENBERG: No, we cannot secure, we have attempted to secure federal office building, there are no federal space available —
MR. ROTHSTEIN: I’ve been asked not to have this discussion on the transcript so we can talk about that issue later.
DR. TANG: 7th and 8th would work better, June 7 and 8 —
MR. ROTHSTEIN: You would prefer that, okay. So let’s just, waiting for Harry’s and if it’s okay with him then we’re going to go with June 7th and 8th and that will be in Washington.
Okay, you have in front of you a draft for the schedule for the Chicago meeting and —
DR. HARDING: Chicago is what dates again?
MR. ROTHSTEIN: I’m sorry, March 30th and 31st.
DR. HARDING: And it will be —
MR. ROTHSTEIN: Some hotel, I can’t remember the name of the hotel.
MS. FYFFE: Millennium Knickerbocker.
MR. ROTHSTEIN: Okay, so panel one is 90 minutes, we’re going to hear from professional groups. Keep in mind the following, these groups that are listed have not confirmed as I understand it —
MS. FYFFE: That’s correct, they have not, this again is a tentative agenda, I wanted to concert what you all were comfortable with. We have spoken to a few of the organizations informally but we do not have confirmations yet.
MR. ROTHSTEIN: And each of these of course will be asked to speak for 15 minutes and then we’ll have time for discussion at the end of each panel. And I suppose as we go through the list if you’ve got sort of key contacts that you could recommend that would be helpful to us in nailing down these people because it probably takes eight phone calls for each organization to get to the right person.
So panel one, which is clinicians, we’ve got the AMA, the ADA, the ANA, and the American Psychoanalytic Association. Panel two is the American Hospital Association, the Federation of American Hospitals, the American Healthcare Association, and the American Association of Homes and Services for the Aging, so the not for profit nursing homes. We’ll have time from 2:45 to 3:15 for statements from the public and that may prove to be very interesting.
MR. BLAIR: What kind of representation are we able to get now in terms of public comment on privacy issues?
MR. ROTHSTEIN: What do you mean?
MR. BLAIR: I thought that the last time we were struggling with this, like with e-prescribing for example, it was very difficult to find somebody that kind of understood what the privacy concerns were with e-prescribing so I was wondering as you’re going through now, other than kind of the traditional folks that might be involved with privacy law or Georgetown, are we able to get consumers? Get a sense of public opinion in consumers —
MR. ROTHSTEIN: We already had that hearing, Jeff, that was the last hearing, and we did get quite a few consumer people and we can review the agenda. This is the public comment period that anybody can just show up, I hope not just anybody but it is available for public to sign up —
MR. HOUSTON: Do they have to sign up ahead of time?
MR. ROTHSTEIN: No, when they get there.
MR. BLAIR: I apologize, I wasn’t on target with what you were doing.
MS. FYFFE: And again, this meeting will be publicized in the Federal Register as a notice of a public and open meeting and the agenda will be described and specifically we do say that statements from the public will be taken at this particular date.
MR. ROTHSTEIN: Statements. They’re not screened. Panel three, which begins day two, we hear from other providers, the National Association of Chain Drugstores, the large pharmacies, National Community Pharmacists Association, the independents, National Association of Home Care, and I’m wondering whether we could move the American College of Obstetricians and Gynecologists, they really ought to be on a different panel, they should probably, with Family Practice and Emergency Physician, yeah, they should be on the next panel.
DR. TANG: Is there anybody that represents nursing homes?
MR. ROTHSTEIN: The last one on panel two, the last two. And so the question is now that we’ve moved the ACOG to panel four in theory we could have another group in panel three which could include chiropractors, it could include podiatrists, it could be the osteopathic medicine —
MS. FYFFE: The osteopaths, that’s an excellent suggestion if I may say so, they’re engaged in this and in fact they have a committee that is looking at privacy and health IT matters —
MR. ROTHSTEIN: So let’s see if we can —
MS. FYFFE: — get the osteopaths —
MR. ROTHSTEIN: Well, now we have to actually, we can’t put the osteopaths with the pharmacists, they got to be with the physicians.
MS. FYFFE: Right, so they would potentially be moved to panel one on the first day.
MS. WILLIAMSON: So the osteopaths to panel one?
MR. ROTHSTEIN: Well, if it’s the American Osteopathic Association they ought to be with the American Medical Association.
MS. GREENBERG: What about one of the other APAs?
MR. ROTHSTEIN: We could bump the psychoanalytic to —
MS. GREENBERG: What about the American Psychiatric Association or the American Psychological Association? They seem to be more mainstream than the American Psychoanalytic Association.
MS. FYFFE: There’s some particular, well there’s some background about why you’ve got the two —
MR. ROTHSTEIN: They contacted us, they’re very gung ho about testifying —
DR. HARDING: If they are the last bastion of not getting on electric things, that’s their point, and they’re a very small group as opposed to —
MR. ROTHSTEIN: Which is something that we ought to clearly explore with them, I mean how many people do you represent and what percentage —
MS. GREENBERG: I know the American Psychological Association is located in Washington, what about the Psychiatric Association?
DR. HARDING: APA, American Psychiatric is here.
MS. GREENBERG: It’s also here.
DR. HARDING: Most of them are here.
MS. FYFFE: So the suggestion for the American Psychoanalytical Association we should put somewhere on panel three to four, or excuse me, four —
MS. GREENBERG: And to try to get one of the, probably the American Psychiatric Association for panel one, don’t you think?
MR. ROTHSTEIN: And the other group that we wanted to hear from are the infectious disease doctors.
MS. FYFFE: What is the formal name, no there is —
DR. HARDING: Could be American Society of Infectious Disease or something like that, probably here —
MS. FYFFE: I will find out.
MS. GREENBERG: Somebody at NCID would certainly give you a contact, or the National Center for Infectious Diseases —
MR. ROTHSTEIN: There are so many important issues we need to pursue with them, I mean such as —
MS. GREENBERG: It goes both ways. But they are the surveillance people, excuse me but what I’m wondering is a group like the Council on State and Territorial Epidemiology —
MR. ROTHSTEIN: Well, that’s an interesting point, we haven’t been, we hadn’t planned on public health and the question is should we, and if we do maybe that’s a hearing three.
MR. HOUSTON: What’s the theme or the purpose here and what are they going, what are the aspects of the discussion of NHIN that this, what is the privacy component of this —
MR. ROTHSTEIN: Well, you don’t want people discouraged from seeking treatment that might have public health implications if they’re afraid that their records are going to follow them around forever and be accessible to who —
MR. HOUSTON: My point though is I understand there’s privacy issues, they’re going to speak about their need, are they going to speak to, are they going to have a privacy, substantive discussion about privacy —
MS. GREENBERG: I would think they could, I mean they would, yes, I mean it’s a huge issue because on two sides, one is because often some of the most sensitive conditions also have high public health impacts.
MR. HOUSTON: I understand that, I’m just saying it seems like, it almost seems like they’re not a stakeholder on the privacy side because they want the data —
MR. ROTHSTEIN: CST?
MR. HOUSTON: The people that want the data aren’t necessarily the people that have the privacy considerations in the data because it’s sort of the opposite side of their desire for data.
MS. GREENBERG: But we’re privacy and confidentiality though, this subcommittee, and so I think just because they want the data, all the more reason that they have to be concerned about how to maintain the privacy of it and the downside of people being able to opt out, I mean it’s just the flip side of the coin. I hear what you’re saying, I mean they’re not, but the public health are privacy advocates because as Mark said if there is, if people don’t have the trust that they will be kept confidential then they won’t come forward and that creates a greater public health threat —
MR. ROTHSTEIN: Let me make a suggestion and that is if we have our third round of hearings June 7th and 8th we will have ample time between March 31st so the day two of our second hearing and June to plan for and we’re going to have hearing number three. I don’t think the public health people, whoever they might be, fit well in this hearing but we may elect to have a panel of public health people at the third round of hearings and let’s just sort of put that aside and see whether we want to take that up later if that’s okay.
DR. TANG: And could we include homeland defense in that, whatever day that is?
MR. ROTHSTEIN: Yeah, secondary uses.
DR. TANG: The other thought that came to mind is Planned Parenthood, groups like that, which are sort of almost a bit of the safety net providers who people are actually going there partly to keep their records private, that’s another kind of group, it’s almost a privacy safety net so to speak.
MR. ROTHSTEIN: We are hearing from ACOG —
MS. GREENBERG: That raises the whole issue of you’ve got institutional providers but what about like community health centers, they would fit in something what Paul is saying.
DR. TANG: Because this is an outside the system but it’s also adolescence, and that’s a special group and most people have state laws which you can’t actually topple them because there are so many, I mean we have a whole page of them and it would be almost impossible to follow, I mean that’s why I call it a privacy safety net.
MS. GREENBERG: Why are you calling it a privacy safety net? People can kind of go there and be anonymous in a way, but you’ve got community mental health centers, you got community health centers, you got Planned Parenthood, you’ve got outpatient basically —
MR. ROTHSTEIN: We could also ask to hear from the American College of Medical Genetics which is another group of clinicians —
MS. FYFFE: Research community.
MR. ROTHSTEIN: Well, they’re not the researchers, they’re the clinical geneticists, the researchers would be the ASHGE(?).
MS. FYFFE: Actually I’m bringing that up as another topic.
MR. ROTHSTEIN: Oh, I’m sorry —
MS. FYFFE: Do we want to have a panel for the researchers?
MR. ROTHSTEIN: I’m thinking that would be really the third panel, and maybe a fourth, we may need —
MS. GREENBERG: If you’re having health plans on the third panel why are we having these Blue Cross/Blue Shield and AHIP —
MS. WILLIAMSON: It sounds like panel five needs to be on the third hearing.
MR. ROTHSTEIN: It can bump panel five to the third hearing and then make an extra panel of additional providers that we’ve listed. Jeff?
MR. BLAIR: I just sort of want to raise this, not because I’m necessarily advocating it because there’s some concerns about what I’m bringing up, I have concerns about what I’m bringing up. At least one or two of the emails that we received from Sally Scullfield(?) listed —
MR. ROTHSTEIN: If I may suggest, Jeff, we can talk about this offline as opposed on the record —
MR. BLAIR: That is just fine.
MR. ROTHSTEIN: Is that okay?
MR. BLAIR: Yeah, could I modify the topic a little bit and that is some of the privacy advocacy groups that are especially concerned, I don’t know whether or not you wanted to have some of those to testify so that they felt that they’d be heard.
MR. ROTHSTEIN: Who did you have in mind?
MR. BLAIR: Well, I don’t know the names but there’s —
MS. GREENBERG: You’re thinking of consumer groups again?
MR. BLAIR: Yeah, there’s some that were quoted in news articles and stuff like that.
MR. ROTHSTEIN: We can give you a copy of the schedule from last week’s hearing which listed all the consumer —
MR. BLAIR: I’m sorry, I guess I keep forgetting that you really did reach out and you’ve probably already done that.
MS. GREENBERG: Plus by having the public comment and we’ll have that in Washington too.
MR. ROTHSTEIN: So I think everyone has a sense of where we are, it’s not set in stone, we just have a sort of an idea of where we want to go and what the reaction to hearing number two will determine hearing three, or conceivably hearing four. We do have time I think before the September meeting of the full committee to get that worked out.
Let me just talk in very general terms about the questions that we want to pose to the people. Have these been distributed? Okay, these questions were prepared by staff and I have not had a chance to make other revisions to them. As I see the main question that I want to ask everyone to address is the following, at our first round of hearings we heard from consumer groups that they, that many of them would like to limit the contents of their electronic health records to possibly exclude certain kinds of information.
MS. GREENBERG: You’re talking about the health record that is —
MR. ROTHSTEIN: Not their personal health record, their official institutional —
MS. FYFFE: To cut out pieces from their electronic health record.
MR. ROTHSTEIN: Right, so let me just finish making this comment. We’ve heard that many consumers are interested in doing that. As a provider what is your opinion of that and specifically what are the kinds of information exclusions that you would be most concerned about, why, are there alternative means of obtaining that information, in other words can you let them yank their HIV status and you can ask them that if it’s relevant to whatever you’re treating them for just to make something up, that sort of thing, how would you react to that, what are the clinical costs of doing that and —
MS. FYFFE: What are the risks —
MR. ROTHSTEIN: — what are the risks of doing that, etc. So Paul, you wanted to —
DR. TANG: It strikes me that this has been addressed by HIPAA and it had to go through its hearings and comment and the way that it ended up is people are allowed to ask for that and to the extent that providers could either comply with that and are willing to follow the data they could agree to that but they weren’t forced to. Would we want, are we intending to change, wouldn’t that be a good baseline to start with?
MR. ROTHSTEIN: Well we would, if we were to recommend let’s say that a consumer has the right to delete certain stuff that would require clearly an amendment of the privacy rule. The privacy rule did not resolve the issue that we are talking about, the privacy rule says as you described that you can request restrictions that don’t have to be granted, but that’s within the confines of a largely paper based system. And if I want to move tomorrow to somewhere else and start my life over again my paper records are not necessarily going to follow me, but an electronic record as it’s contemplated would follow me. So the privacy interests of individuals under an electronic system in my judgment have not been resolved by the current privacy rule.
DR. TANG: I don’t see that as being paper based at all.
MR. ROTHSTEIN: The privacy rule is not limited to paper based, it exists on top of a system that for the most part is largely paper based.
MR. HOUSTON: I don’t think we should make that assumption regarding the fact that the writers under the privacy rule were typically dealing with a paper record, there are a lot, I can only look at my institution which has had for years an electronic repository of everything that goes on within our organization, so my point is there are institutions even under the privacy rule that dealt with specifically this issue —
MR. ROTHSTEIN: But it’s still largely is not an integrated longitudinal interoperable cradle to grave unified system and so the privacy rule did not address this and in fact one of the frequent criticisms of the privacy rule and something that I want to talk later about in terms of having hearings is specifically this issue, the fact of the matter is that individuals have a right to request restrictions but it’s very, very rarely granted by anybody and in fact many institutions have the policy although I think technically the policy probably violated HIPAA, maybe in an unspoken policy, of never granting exceptions.
MR. HOUSTON: Let me say this, if we’re going to talk about this topic I think it needs to be done in a little bit of a different context because if you asked providers what you’ve asked them, their feelings about exclusions from the record, I think there needs to be at least a separate set of questions that talks about based upon these privacy concerns that we have heard how would you address those privacy concerns in the context of ensuring that the confidentiality of this type of information can in fact be upheld, that we could assure that —
MR. ROTHSTEIN: Excuse me, John, that in my judgment is the wrong question, because that assumes that we what we want to protect is confidentiality, I am asking about privacy —
MR. HOUSTON: Take confidentiality out and put privacy in, how can we respect people’s privacy with regards to their health information knowing that there are certain classes of information for which people have concerns about it being maintained electronically, because I can tell you that providers will say I need all of this information in a comprehensive record so I agree with Paul, if somebody says what are you going to do about it and you can say you can ask for this information to either be restricted or additional restrictions put on the record, or you could even ask for it to be removed from the record and the provider can go back and consider it and either say yes or no. So I think you have to have the companion discussion about knowing that I think most if not all providers would simply say no because of the practical implications for patient care —
MS. FYFFE: No sir, the people in this man’s community here will be protected, some of the psychiatric record.
MR. HOUSTON: I disagree with that —
MR. ROTHSTEIN: Let’s go to Marjorie and then Harry —
MS. GREENBERG: I have to go next door so I’ll just say something. Obviously this is worthy of discussion —
MR. ROTHSTEIN: We can sell tickets to this.
MS. GREENBERG: There are several layers of issues here and the subcommittee wants to explore all of them. One, and you’re making the distinction, maybe this is the distinction you’re making between privacy and confidentiality but one is actually limiting the content of the record, say what certain information people don’t even want in the record, or maintained in a longitudinal electronic record, and I agree with you, I mean I think the privacy rule was developed for here and now with the idea that it provides a foundation for the future and that of course it could evolve like any rule or legislation. So I think it assumed, I mean the whole impetus, the major impetus for really finally doing some, having some kind of privacy foundation in this country was the prospect of electronic health record. So I think they were in the framework in which the privacy rule was developed but the fact is it was developed in an environment that still is largely paper.
So you’ve got the issue of limiting the actual content and then you’ve got another issue of limiting access to content and would you call the first privacy and the second confidentiality?
MR. ROTHSTEIN: Yes. Confidentiality refers to the redisclosure of information that was already disclosed within the confines of a confidential relationship.
MS. GREENBERG: So I mean I think you should explore both, not just, I mean not just the idea of limiting content but also that’s where people would say that I would assume there are consumers who are saying I’m not saying that my record shouldn’t be comprehensive but I should be able to control who has access to differential pieces of information, so I wouldn’t just —
MR. ROTHSTEIN: And my sort of quibble with John was that I thought he was focusing on the latter to the exclusion of the former —
MR. HOUSTON: No, no, no, no, no, no, my point was it sounded like we were going down the road of not even talking about the latter and I think the latter is extremely —
MR. ROTHSTEIN: And of course last week we spent a lot of time talking about that and the hearing before that, the January hearing on disclosures to employers and insurers was all about that.
MR. HOUSTON: But no, no, in the context of these questions and the groups that we’re going to have represented here, I thought that question were to ask these people the questions is appropriate and reasonable.
MR. ROTHSTEIN: I think that’s a very good point, we need both of those issues raised with them. Harry and then Jeff.
MR. REYNOLDS: I guess for the first time, I’m concerned we’re jumping to conclusions, I mean just by the interaction a minute ago, I know what I heard in the hearings and what I’ve heard in e-prescribing, this is really going to be messy just to figure this out. I think there are three subjects, there’s treatment, there’s patient safety, and there’s privacy and confidentiality if you want to put those together because in the end, one thing the privacy rule does it talks about treatment, payment, and health care operations which didn’t really take into consideration all this other stuff we’re talking about, I don’t believe it did, I’m not sure it went that far. We’re already jumping to parsing, letting a person parse that record apart which practically, I mean how you actually ever could do that in reality and really do it one to one with every person in the United States with the way the whole thing works right now, doctor’s offices or anywhere else, so I guess, I hope that we continue to debate the subject and continue to make sure that we keep those things in because at some point I know as we wrote in our letter yesterday, we had patient safety in there and if too much data is left out of a record then patient safety is gone because as soon as you do the whole drug/drug interaction you may have just let a person hurt themselves. So I just hope that as a group we can keep stepping back to the subject —
MR. ROTHSTEIN: Harry, that’s the reason that we wanted, that I feel we need to ask the providers that so we have on the record their statement that if we don’t have information about what meds they’re taking we can’t prescribe safely —
MR. REYNOLDS: Mark, I’m not challenging the hearings, I’m challenging, there was some things said at a meeting, an open meeting yesterday where people are already laying these things out and I’m just saying I just hope the committee —
MR. ROTHSTEIN: You mean our first hearing.
MR. REYNOLDS: No, yesterday’s meeting.
MS. FYFFE: The full committee meeting.
MR. REYNOLDS: So I just want to make sure that we as a group —
MR. ROTHSTEIN: I don’t remember, we’ll talk about that later.
MR. REYNOLDS: I guess my point is there are already people laying out exactly kind of what’s going to happen and I just want to make sure we keep listening because I still feel after all the hearings I’ve been through in e-prescribing, which have been what, 10,000, and everything we’re doing on this, that these three subjects, this difference between treatment which is covered in the privacy law, patient safety which is a big issue, and then this whole thing of privacy and how that works is still, until we hear the hearings I’m not sure exactly how it will ever play out, so that’s all I’m saying, that’s all I wanted to do is just make sure we keep stepping back and not getting into making decisions or designing things or figuring out what’s what yet, that’s all I was asking.
MR. ROTHSTEIN: I think that’s a wonderful point and the nature of the questions that I’m posing, nobody should interpret that as sort of prejudging —
MR. REYNOLDS: But I would like to see if we would be willing to also align one of the questions to this thing of treatment, patient safety, and privacy, because those three things intersect at some point in some way and I’m still struggling with what that way is.
MR. ROTHSTEIN: Thank you. Jeff and then Paul.
MR. BLAIR: My thinking is similar to Harry’s in some ways but with a slightly different set of perspectives, obviously on the standards community our mindset tends to be in terms of how do we improve patient safety and quality and all of that, and then so my normal focus is not on privacy. And then I sort of have to step back when I realize that public concern about privacy might turn out to either limit the acceptance of health care information technology or even block it in worst case. So I’m concern, I’m stating that in terms of where I come from in terms of privacy and also realizing that for the folks that are most severely distrustful and most concerned about privacy issues I wanted to respect them and make sure we hear them because in some ways if we could address their most severe concerns then maybe we could remove public concern to some degree or mitigate it.
Now that I’ve said that, that’s sort of a preface to what I’m about to say. As I’m listening to our discussion if it turns out that as we have hearing and if it turns out that we have to yield to public concern about carving out certain portions of the record because they’re concerned about privacy and confidentiality, if this leads us in that direction then I would have a suggestion for how we might try to deal with it, and it’s a little similar to what Harry said but it’s slightly different. And it’s that, and I’m thinking, and the reason I’m saying this is that it may craft the questions that we ask the people that are testifying to us so we could get a handle on these three perspectives.
One is that if we have to carve things out of the record when it’s in electronic form, there’s technical issues of doing that, not all records can be carved out. Number two, if it’s carved out there’s clinical, and when I say clinical I’m including patient safety and quality issues which may impact patient safety. And then there’s three, which is the legal piece that if a patient chooses and if we recognize that they have a right to not, to provide less than full information to their clinician then from a legal standpoint we may be looking at how do you, if you have a law that winds up saying yes they have that right then maybe marrying that with wording in that law, indicating that for whatever you choose to disclose if that creates a patient safety issue you cannot hold the provider or the institution accountable for what you choose to withhold. So those three dimensions, the legal, the clinical, and the technical, might be ways to deal with this issue if it’s one that leads us to accepting “a right to withhold information”.
MR. ROTHSTEIN: Well, I think that’s valuable, if we go that route we’re going to have to consider other aspects. I imagine that one or more of the groups that we’re going to hear from are going to raise the issue about practice but there is another legal issue as well and that is there are state statutes that require physicians to include in medical records all the information that they heard from the patient and so under this system that we’ve been at least discussing we’d have some interesting questions about the relationship to those —
MR. HOUSTON: I think there’s probably federal laws that could be interpreted in that vein because to the extent that Medicare and Medicaid services are provided and you don’t completely capture the services rendered as part of that medical record you could actually probably put yourself in jeopardy in terms of some type of —
MR. BLAIR: Could I back up a second, if I may amend my comments a little bit, because I was assuming one direction, I guess the first question is whether or not it is necessary to, accepting public opinion and people’s feelings, whether there is this very strong public opinion for carving and withholding information. If there’s not then it makes our life a lot easier so maybe that’s kind of the first part of what you assess is whether or not you have to do that and then if you have to do that then those three dimensions that I mentioned probably would apply.
DR. TANG: I’d like to strongly back what Harry and John and Jeff said in the sense of, well one point is Harry has heard 10,000 testimony, we know what the issues are so we’re not going to learn that much new about the issues, I’d like to work towards solutions as John mentioned, so maybe another strategy, it’s sort of what I proposed with the PHR which is we understand there’s treatment issues, there’s patient safety issues, there’s legal, there’s feasibility issues, could we organize it so that people are addressing those issues and their proposed, well, how should we take care of you for example to the patient, if we cannot have access to all of it and we feel that our medical care, how should we deal with that information, in other words work towards the solution side and force the balance question in a sense. We’ve been accepting responsibility for the balance, how about if we have everybody working on the page of how do we balance this.
MR. ROTHSTEIN: I think that’s an excellent point, maybe something along the lines, tell me if I captured this, if the country were to go the route of allowing limited exclusions what would be the optimum way of doing that for protecting patient safety, optimizing clinical —
DR. TANG: Even that puts words in people’s mouth, let’s understand, so this would be crosscutting, the panels are crosscutting, the issues or the homogenous things and have them figure out well, where is the balance.
And the other piece is we talked about is there strong public opinion, what we hear are strong vocal opinions and I don’t know as well whether there’s strong public opinion when it gets right down to my health or my child or my parents, it’s very hard to assess, even this latest poll, I mean the problem is and David Brailer commented on it, I mean I don’t know what the methods are, I don’t know where the ask it in a rigorous way, in a way that has the checks and balances of different questions, but as physicians we really know what people are willing to give up in terms of when it comes down to their health versus sort of an abstract. I wish I had a great way to assess what people really feel on that but anyway, I want to, I don’t know how but avoid jumping to conclusions based on vocal opinions versus —
MR. HOUSTON: It’s interesting you say that because you bring, this is another vein but there’s an article about people consenting to the use of their data for research purposes, I forget the article was I think out of Canada, a couple years old, and interestingly enough it came back to people didn’t like their data to be used for research purposes without their authorization but when asked they said fine. So it’s sort of along the vein is what is the —
DR. TANG: In the Minnesota example where Minnesota had state laws that said, Mayo for example had to go and re-canvas everybody and whatever the rate was, 90’s plus, 95 percent of the people said yes, so let’s go to where people really are versus where some of the —
MR. ROTHSTEIN: Well, I would just say in passing I think the problem with the survey that was released last week was that privacy was not defined. And I think as many consumers interpret the word privacy it really refers to security, they were worried about hackers getting into the system, or that they would suffer discrimination as a result of that which under our working definition would be a confidentiality issue. And we’re concerned with those two things as well but the third issue about the ability of individuals to retain certain information from disclosure to anyone and we need to explore all those. I’ll let Paul follow-up and then Mary Jo.
DR. TANG: This goes back to the survey, and again they didn’t publish the questions so it’s hard to know, but I could imagine you could ask —
MR. ROTHSTEIN: Well, the questions are available online.
DR. TANG: I’d love to see that, but I can imagine being asked are you concerned about your privacy, which would be like asking do you have a pulse, and then say do you think an EHR would be helpful and you could say, and what would we learn, the question is under, let’s take an example, under the protections offered to you currently in the federal and state statutes and your trust in the health care, whatever, do you think that the balance between the protections offered by your data being in the EHR and the value to you and your health is worth it.
MR. ROTHSTEIN: That’s exactly what they asked and that’s what the split was, 48, 47 percent, that’s exactly what the question was. Mary Jo?
DR. DEERING: I just wanted to follow-up on Paul’s comment and also what Marjorie said before she left. I do agree that the questions you ask for bias will determine the answers that you get so by stating them one way you are going to hear what you expected to hear. And Marjorie reminded us that it’s both the privacy and the confidentiality and one of the things I thought we heard last week was indeed that people are willing to share, I mean just ask us, just ask us and we’ll say yes but ask us first. And if in the spirit of urging a dialogue around solutions we, I think the term carve out, I think that that’s a leading, I think that’s a very limited phrase to any clinician, they can’t help but say of course not, that’s dangerous, whereas if in the spirit of solutions you say, and again, mindful of this aspect of access to as opposed to withholding then perhaps the way to explore it is what are the ways in which there can be differential access to information, is that feasible, because we continue to talk as if the record is monolithic but I think again what we’re also hearing is that when in the future when doctors want to find out something about a patient it will be very specific datasets that they probably want, they’re not going to say okay ship me all of your existing John Doe health record version 5.0, they’re going to say send me his lab test or send me his latest cardio or this or that or the other, so by definition they may be shipping chunks of data as the first of the whole record anyway.
And if that is the case in the future under a system that works well then it makes it much more easier technically to have differing consents and authorizations for different chunks of information. And so that could get you into a more productive dialogue —
MR. ROTHSTEIN: Well, that’s one of the options under the control access approach which is the middle of the three issues that we need to deal with but I think your point about question is well taken and maybe when staff and I work together to reformulate the things that we’re going to ask people to address, maybe it’s best not even to put them in question form or to use specific words and just sort of like outline of issues.
MR. REYNOLDS: That’s where I was trying to go with the idea of subjects and issues rather than specific questions and get their feelings on those subjects, get their feelings on what those subjects mean.
DR. HARDING: You could kind of ask like has, I mean we’re supposed to monitor HIPAA, that’s one of the things that we’re doing, you’d say has HIPAA helped or hindered quality care, treatment, safety, privacy, in your opinion, just to try to get it into that type of a non-prejudicial question.
MR. ROTHSTEIN: And maybe do you see any new privacy issues raised by electronic health records.
DR. HARDING: In your experience.
MR. ROTHSTEIN: Comprehensive system —
DR. HARDING: The one thing that I’d want to ask them is in your opinion who owns the medical record or the information contained therein, just for their opinion because I betcha it’s going to be different than what we’ve heard in a lot of places.
MS. FYFFE: I’m almost afraid to ask that question.
DR. HARDING: I know but might as well get it out on the table because I know a lot of them are still feeling that they own the record.
MR. ROTHSTEIN: So as you can see I’m looking forward to a spirited hearing and follow-up as well, both within the committee and then moving forward to our third and conceivably fourth hearing.
There is life after electronic health records for this subcommittee, just as there was life after the HIPAA compliance date, so we need to be thinking ahead to topics that we want to address in the fall. We have covered last year’s work plan in its entirety, we did cover the issue of third party uses, we’ve covered the issue of electronic health records, we covered medical devices, we covered all the specific HIPAA issues that we raised, and so we need to be thinking about what we’re going to do going forward. In tab nine is a work plan that talks about legacies, this has not been really seriously revised at least since 1999 that I’m aware of and other things get added to it but things don’t seem to be taken off. And so I think that it would be appropriate for us to take a look at that, this is in tab nine under page five where future issues —
DR. TANG: One question on when you said we’ve covered the EHR, in yesterday’s NHII Workgroup and I’m not sure how many were there, it talked about PHRs and the hearing about the PHRs that’s coming up in April, and the topic of privacy is one of the panels came up and one of the questions was is that PHR hearing topic or because of the crosscutting nature is it in this workgroup. Is there a thought about whether PHR privacy and confidentiality per se is that something that we included the scope of these hearings that you’re planning?
MR. ROTHSTEIN: Well, we did talk about, we did have witnesses on PHR last week and it is not something, I mean we can do with the sort of unique non-NHIN issues in PHRs separately but I would not like to add that to the mix at the moment just on self defense grounds because we just have so many other things. And I’ll be happy to talk to Simon about whether we should contemplate a joint hearing on that aspect of PHRs. At some point we’re going to have to deal, we keep putting this off on patient identification and —
DR. HARDING: Are we still under Congress to not spend —
MR. ROTHSTEIN: Well, we can’t have a unique patient identifier but patient identification is an issue that we have to deal with —
MR. REYNOLDS: Especially if you talk about a longitudinal electronic medical record, the person has to be the person has to be the person.
MR. ROTHSTEIN: And whether it’s a biometric measure or some other means so we’re going to have to deal with that maybe in a joint Standards and Security/Privacy hearing. Smart cards I think, I mean that’s sort of old technology, 1990s, that’s why this was in here, 1997 or 1998, I think this was from Kathleen Frawley’s regime so I’m happy to delete that. I don’t know what activity at state level linking health information means, anybody know that? Anybody want to resurrect that one? Well, that’s gone. We did discuss, I don’t know that we discussed privacy issues in other federal agencies, well they’re not federal agencies, I mean they’re HHS agencies right, see it’s got even HCVA, I tell you this is a legacy —
MS. FYFFE: Social Security Administration and the Veterans Administration —
MR. BLAIR: Kathleen? [Comment off microphone.]
MS. FYFFE: Social Security Administration —
MR. BLAIR: Is it a separate, I mean is it stand alone?
MS. FYFFE: HEW, after HEW broke out —
MR. ROTHSTEIN: Identifiability, employer access, we just had hearings on that, occupational medicine, I don’t even know what AE(?) health is, anyone know what that is?
DR. DEERING: Maybe that’s a typo for A and then they were just trying to say e-health, especially since it’s tacked on to the end of the line, e-health was very popular —
MR. ROTHSTEIN: I see, e-health. Well, there are two issues that I would like to raise, which are HIPAA issues, and one is how the notice of privacy practices and acknowledgments are actually used in practice. There are lots of questions that are raised, is the notice too complicated for people to understand, is it, do people read it, is it performing, is it even given to people, many people, myself, were asked to sign an acknowledgement before even, or never given the notice and so I’d like to explore the range of issues of how well the notice and acknowledgement process are working and if they’re not working well then what do we need to do to fix it, so that’s one issue that I have.
And the other, and this relates to the discussion that Paul and I had a minute ago, is the request for alterations and corrections, and how they are, under HIPAA —
MS. FYFFE: Corrections of your medical records.
MR. ROTHSTEIN: Yes.
MR. HOUSTON: You might as well go up into that accounting for disclosures, I’ll tell you why, I think we can count on two hands the number of people that have actually come in and asked, and we spend enormous amounts of time and effort to deal with this yet nobody, nobody ever asks, as far as I know and having asked our HIM department to respond, people just simply aren’t asking. So it’s a great idea, an enormous burden and a lot of work and there’s absolutely no asking, it just doesn’t occur. So you’ll get another hearing where I think HIPAA might be something that HIPAA —
MR. BLAIR: Didn’t LCR create a one page simplified thing for patients so that they can —
MR. HOUSTON: — notice of privacy practices, it’s in addition to rather than separate from.
MR. BLAIR: Didn’t they offer it as optional guidance —
MR. ROTHSTEIN: Well, Sue is here, why don’t you get the official word.
PARTICIPANT: With regard to notice we did in the preamble to the 02 bonds(?) allow, recognize that states could put on this front sheet —
MR. ROTHSTEIN: States or you mean covered entities.
PARTICIPANT: Covered entities, could put on this short highlights page to the notice but that, that was a cover sheet for the notice, you couldn’t just hand out the one pager and make them ask for the notice, you could put it on top of the notice, in the hopes perhaps that if they read anything they might read the top sheet.
MR. HOUSTON: Maybe another page two rather —
MS. FYFFE: It was not a substitute.
PARTICIPANT: We have also recently put a consumer fact sheet, I don’t know if you’re thinking of those.
MR. BLAIR: Is that a one pager?
PARTICIPANT: It’s one page back to back, one summarizes the privacy rule and the other summarizes the individual rights.
MR. HOUSTON: The covered entity still has to describe, the covered entity is required to describe his practices, uses, literally I mean there’s —
MR. BLAIR: Because every time I’ve gone to a doctor’s office I’ve been handed an entire booklet in small type and there’s nothing in there that tells me that there’s basic rights of privacy, there’s nothing in there, and the people when I ask them about it, whether it’s in an emergency room or dermatologist or wherever I go they can’t tell me what it is.
MR. HOUSTON: I think what we’re saying here is that it isn’t effective but the reality is when you read the rule and the requirements in the rule are you can’t get much shorter than about ten pages, if you want to comply in good faith, provide the information that you really should be providing, that’s the problem is that you can’t, you say can you streamline it, I think a lot of people will do streamlining the best that we can and we probably even in our own long notice, some people probably say we’ve taken liberties to oversimplify things and we question all the time, okay, we try and make it as simple as possible, as short as possible, but we sort of gloss over something in terms of brevity and readability and then you come back and you say okay did I really cover that subject enough as to what our —
MR. REYNOLDS: — off John’s point, I think we’ve all seen and I’ve probably saw as big a horror story of privacy the other day when my wife took my mother and father-in-law to the doctor, it’s not working, it’s not understood at the ground level, it’s not being practiced the way the actual person walking in the building could understand what happened to them and what’s going to happen to them. And I think as we extrapolate that on this next subject that we’re having hearings on now which is where we really start making it complicated and understandable, where my record might be, how it’s going to fly around, I think it would be an opportune thing for this committee to make sure we do continue to try to help figure out how to do something about it. I walked into the doctor’s office, they got to the door, the desk, there’s a white line on the floor, you have to stop behind the white line and at the same time you’re standing in line right here behind the white line there’s a nurse talking to this person about their condition and there’s a doctor talking right there, so I’m staying behind the line and can’t see what the person is doing at the desk but I can sure hear what’s wrong with these two people. So I mean it is so impracticality and then you’re handed the book, so here I am with a book trying to figure out what I’m doing, I’m hearing everybody’s issues. And so it’s the kind of thing that I think the reality of it —
MS. FYFFE: I’d like to give a practical example, the assisted living facility that my mother now resides, they’re so careful about what happens to residents who go to the hospital that the other residents in the facility can’t find out any information about their resident friends who are hospitalized and they say I’d like to send them a get well card and the front desk will say well, give me the card and I’ll address it and send it to the hospital.
MR. ROTHSTEIN: Well, I remember we had hearings and the nursing home people testified that they were concerned that they couldn’t put the birthday list on the board and all these sorts of things and it’s not, it’s a health care facility but it’s also a residence and sort of a hybrid.
DR. HARDING: It’s a good topic, notice, we should deal with notice, it’s a joke at the present time, and we ought to have some recommendations for that.
MR. HOUSTON: I think you described yesterday, Susan, the fact that it sounds like we’re at a time it’s sort of right for somebody to think about making changes to the privacy rule, I mean you didn’t say they were going to but it sounded like there was, I mean we’ve been into this for two years, there’s been nothing, no changes whatsoever, and I guess unless we get in front of this one there may be changes without us having considered everything that we possibly should consider.
MR. REYNOLDS: My discussion was not about the rule should evolve, so I’m not challenging the law, it is the actual implementation and people’s understanding, and I know for example we did huge amounts of outreach but it’s just, we’ve got outreach and outreach and outreach and outreach, everybody does, because it’s just —
MR. BLAIR: This is enlightening to me because I think what I’m hearing you say, John, and Mark, is that we are constrained by the law, the law doesn’t give us the flexibility to have a one page simple document and require that that’s the document the patient receives where they can read it and understand it, they have to receive all of this other information which they have no time to read and which is overwhelming. Is that what you’re saying?
MR. ROTHSTEIN: No, the acknowledgement, it doesn’t attest, correct me if I’m wrong, to the fact that you read it, that you received it, so you could have someone acknowledge that they received it and still receive the summary with it.
MR. HOUSTON: You’ve received the notice of privacy practices which the acknowledgement requires.
MR. ROTHSTEIN: What I’m saying is there’s nothing to prevent you from having this layered document which has the simple form in 20 point type attached to the more detailed thing.
MR. BLAIR: So we can do that.
MR. ROTHSTEIN: Sure.
MR. HOUSTON: But what you’re giving out though Jeff is the provider is still forced to give out the entire document, now by the way, the consumer could do everything from pull the sheet off, the simplified notice on the front, or they could take the whole thing and throw it back on the counter where they’re registering and acknowledge it and walk away, or they could walk across the room to the trashcan and throw the whole thing in then, I mean there’s a range of options but the reality is that it’s required to actually be passed by the provider to the patient is a voluminous notice plus a one page cover sheet that describes the notice in less detail, today that’s what the requirement is, I think you have to do both if I’m not mistaken.
PARTICIPANT: It’s not a bad, it is a constant topic of discussion about simplifying the notice, the question is what information are you willing to say the individual does not have a right to receive. What in the notice are the, what’s more important than something else.
MR. LOCALIO: If I were to approach this problem I would do it in the way I’m trained to do it, I would somehow go out and get a sample of notices and acknowledges from out and about, I’d pile them up and I’d look at them and I would evaluate them and I would ask do we have a problem, in other words I would see are they, is there a simple form that leads to a more complex form, is it understandable, is it readable to a person —
MR. ROTHSTEIN: That’s interesting, what I thought you were going to say and what I would contemplate perhaps that we might want to recommend that the department do is actually do some empirical work and find out how many patients at all different sorts of facilities actually read them, have some knowledge of them, find out what their opinions are on them are, do they want more information or less information, was it helpful to them, and so forth.
MR. LOCALIO: I would follow that, that would be my second step but I think it would follow objectively to ask what is the extent of the problem objectively. You’re asking subjectively is there a problem and because of the way that the form is administered and it sounds like you have to do a tough process there but because you can have a piece of paper that in theory works well but the way it’s implemented in practice does not work and that would be a subjective determination, the way the things are implemented. So you can put people under stress and you can give them something in 32 point type that they would understand clearly but because they’re sick and they’re under stress and they’re in a hurry and they’re being pressured they’re not going to remember anything.
That’s why you can give people consent forms and they can sign it and then they say I don’t remember even seeing the thing because the circumstances are such that I would view those problems as separate because you may have the solution that addresses the first problem and that is objectively are the notices and acknowledgements just not comprehensible and yet you have not addressed the problem of what happens in practice subjectively. So I would do that as a two stage process.
And then you have something to base a recommendation on, not on just people’s stories which may be not, may not accurately reflect what is going on. There’s also undoubtedly a lot of variation and there may be certain plans, large organizations that can invest in English majors or high school English teachers to write these things and there’ll be other places that just give them to the attorneys and the attorneys —
MR. ROTHSTEIN: But were they by a form?
MR. LOCALIO: And provided by somebody who has just said this is what you have to provide them. Now I just have to say that this is not just a problem in this setting, it’s a bigger problem, somebody last week gave me the University of Pennsylvania’s summary plan description for under ERISA, totally incomprehensible to me and certain people who we know would think that I might be able to understand this document and that should be, it’s not just characteristic of this arena, it’s characteristic of model relationships with people of unequal training and physician’s authority and power. So I’d approach it empirically and I’m not sure that that’s the mechanism for doing that, whether it’s HHS or whether it’s NCVHS.
MR. ROTHSTEIN: Well, maybe what we can do, I mean thinking ahead to our fall line up which is quite up in the air, maybe we could hear from some experts in methodology who would recommend to us some suggestions for empirical studies, not that we would do it but that we would pass on in our recommendation to the Secretary so that we could have experts on evaluation and so on. So without objection what I will do is I will put together a new work plan, scratching all the old stuff, and adding that we will be taking up the issues of the notice and acknowledgment and request for alterations and accounting for disclosures in the fall. And I will meet with Simon to talk about personal health records and privacy issues, and individual identifications, possibly joint hearings with Standards and Security.
There’s one other issue and this may be beyond our jurisdiction and impossible to deal with but I’ll just tell you my frustration and people who, and I’m sure you always get this too, once people know that you pretend to know something about HIPAA they buttonhole you and give you their own stories. And my mother is a great source of stories, here’s her latest one. She went to the doctor and they moved her from the waiting room to the examining room and the doctor was delayed so she’s sitting there fully dressed in the examining room waiting for the doctor for ten minutes, 20 minutes, a half hour, and she’s claustrophobic. So it was a tiny little room so she opened the door and a nurse comes running along and slams the door shut and my mother opens it and she slams it shut, she said I can’t stand being in here with this door shut. HIPAA requires us to keep the door closed. And so I mean how do we address this sort, maybe we can’t, there’s so much misunderstanding and it’s the all purpose excuse for anything —
MR. HOUSTON: I’m not sure whether that is, I would think some people in their reading of the rule would say you know, one of the precautions that we take to ensure that people can’t oversee information and other people and patients that are moving through our facility, getting tests done or whatever, we think that we should keep the exam rooms closed to minimize these type of disclosures, I could see somebody reasonable deciding that —
MS. FYFFE: That’s reasonably saying that this prevents Mrs. Rothstein from overhearing discussions in other examining rooms.
MR. HOUSTON: Or out in the lab area or whatever. I could really see how people would in fact decide as a reasonable precaution that they would have the doors closed. Now that doesn’t say that it’s a hard and fast rule but I could see why they would say it’s a rule, as a general rule when the patient is in an exam room it should be closed.
MS. FYFFE: Pardon me for saying this, it’s clinic mentality, doctor’s office mentality, but that’s the way they think.
MR. HOUSTON: But I think there’s some people would argue that that is a reasonable way to address, to minimize —
MR. ROTHSTEIN: It might be a reasonable presumption or starting point but when the patient is prepared to waive their rights or, I don’t know, Harry?
MR. REYNOLDS: You mentioned patient identification, Jeff and I in Standards and Security yesterday started making our list of the things we need to do and that is one of the things on our list also.
MR. BLAIR: We keep trying to push it off to you guys but —
MR. REYNOLDS: So your comment of a joint hearing I think —
MR. ROTHSTEIN: Well, we ought to probably get together.
MR. REYNOLDS: It fit nicely in the list we have already made because I think this whole thing about how we really identify the person is going to be an issue over and over again as these records start coming together.
MS. FYFFE: Brace yourselves.
MR. ROTHSTEIN: And we’re going to need some help before we’re even planning that. Mary Jo?
DR. DEERING: Just in the spirit of language again, I know that one of the reasons that the Markle Collaborative does not use the word identification, it just says accurately linking patients.
MR. BLAIR: Well, that’s, Harry, maybe we ought to adopt that phrase, that’s —
DR. DEERING: They thought very carefully about it, accurately linking patients.
MR. BLAIR: Accurately linking patients to their information.
DR. TANG: And there’s a final report actually on that, it’s in the website, and of course that was done as a collaborative and had input so that might be a great starting point.
MR. BLAIR: Thank you, Mary Jo.
MR. ROTHSTEIN: Okay, there was somebody else who wanted —
MR. HOUSTON: [Comment off microphone.]
MR. ROTHSTEIN: Yes, that’s what we’re going to get to right now. You should have a copy of the revised letter —
MR. HOUSTON: Two versions of it, one in black line and one in red line, one no edits, one with edits underlined.
MS. FYFFE: Which letter please?
MR. ROTHSTEIN: This is Dear Secretary Leavitt, so here’s the track change version —
MR. HOUSTON: It’s probably the easier one to go from. Do you want me to explain the changes?
MR. ROTHSTEIN: Yeah, please.
MR. HOUSTON: In the first paragraph as a follow-up to Justine Carr’s suggestion that we add some language describing why we asked for testimony on medical equipment we added a sentence and Jeff for your, so you can understand it, let me just read the sentence which is actually in the first paragraph. Because much medical equipment in use today either stores protected health information, PHI, or connects to a network with other systems that store PHI, such medical equipment needs to comply with the security rule, therefore NCVHS held hearings to gather information about an how effective is the security rule on medical devices. That change is again to specifically address Justine’s concern.
We made some minor changes through the first page, at the bottom of the first page in the numbered paragraph two we raised one more substantive change that we made to the last sentence which again I’ll read, it says further, some customers update medical equipment with the latest patches from third party software and operating system suppliers without verifying whether the update affects the safe operation of a medical device for its intended purpose. That was to clarify that the patch wasn’t being released by the medical equipment manufacturer but rather it was the case where somebody had imbedded a Microsoft operating system and they got a patch from Microsoft and tried to install it on the medical equipment without going through the manufacturer.
MR. BLAIR: I’ve got one little thing for consideration, you refer to it as a patch, do you think it would be helpful to refer to it as a software patch, for people that are not IT people?
MR. HOUSTON: We can do that, that’s an easy change.
MR. ROTHSTEIN: Or software update? Would that be more consumer friendly than patch?
MR. HOUSTON: Actually we do talk about software updates at the beginning so I’ll keep it consistent, so I will say software updates, I will just keep it consistent throughout, that’s the easiest thing to do.
On the second page we added to the paragraph where we discussed the FDA and let me read the paragraph here, another witness representing the FDA stated that the FDA’s primary focus has historically been the safe and effective use of medical devices and therefore the FDA has not evaluated security in approving the use of a medical device. The witness further indicated that it is the responsibility of the medical device manufacturers to design their devices to enable covered entities to comply with the security rule. Subsequent to the hearings the FDA issued a guidance document titled guidance for industry, cyber security for network medical devices containing off the shelf software.
DR. TANG: Should we be more explicit about when we say security everyone thinks of locking their doors and privacy aspects but security here is the denial of use threat, so after the, this saying they only worry about safety and effectiveness, we can add something that says recognizing that security, the safety includes the proper functioning and that denial of use attacks can impair that ability. See what I’m saying?
MR. HOUSTON: There is an assumption, I’m not sure how we would word that —
DR. TANG: And then we’d follow that up in your last added bullet, consistent with the security rule we might put e.g., safety from viruses, in your last bullet, at the very bottom to your page you added a new —
MR. HOUSTON: We just switched the order of them. But actually in the first bullet though we do talk about, can we go back to this and then we’ll, because the other changes that were made specifically to bullet number one would read the stated recommendations, I’ll read the first one because it really is the one we changed, HHS should provide the equipment to bring medical equipment into compliance with the security rule and to otherwise take appropriate steps to make medical equipment secure.
DR. TANG: And maybe there’s the e.g. protection from —
MR. HOUSTON: Maybe that’s where we put it, okay, e.g., protection from viruses —
DR. TANG: Which could disable the proper operation of that equipment. I don’t know that manufacturers actually have that —
MR. HOUSTON: They’re going that route, I can tell it’s a big push, protection from viruses —
DR. TANG: That may disable the proper use of the equipment.
MR. HOUSTON: Or may inhibit the proper use. Okay, I can make these changes, are there others, I think this was really, these changes were intended to address the conversations yesterday, is there something else that I need to add or change here?
DR. TANG: When you say that vendors should self report, I wonder if we also strengthen that and make sure that they address that issue.
MR. ROTHSTEIN: Where are you?
DR. TANG: The bottom bullet.
MR. HOUSTON: Well, in theory if they’re complying with the security rule, that’s part of it. The reason why there was some breakouts separately was there was the pre-HIPAA security rule issues and I guess some of it’s been sort of laid by the wayside but the self reporting was specific to an initiative through that HIMSS working group that the MDS —
DR. TANG: Which may or may not go I guess, right?
MR. HOUSTON: Well, I think what we’re trying to say is we can’t necessarily sanction that but we can say something like that might be a great, would be a good idea, or even if the veterans decided to self report have their own form.
MR. REYNOLDS: Is it really practical to require a device manufacturer to protect themselves against backflow from the network?
MR. HOUSTON: Well, if you read the FDA guidance I think the FDA is starting to say that those are considerations that they need to make, that safety is not simply, safe and effective use of the equipment is not just that the equipment is sitting in a vacuum, it’s operating effectively and safety, that they do need to take into consideration the fact of cyber security.
MR. REYNOLDS: But if I buy a device as an institution and I install it and I attach it to my device, the medical device manufacturer did not decide my network, did not decide the protection of my network, and did not decide the environment, that seems like to me a pretty significant burden, I think they should work to do that but I’m not sure, with the way networks are right now and the different levels of sophistication, if I put my device here and some virus comes down and gets in it and I’ve got all the protections I knew about but I didn’t know that they hadn’t put the latest patch of Microsoft in and it popped me —
MR. HOUSTON: Well, let me say this, this is an interesting question because I think that obviously device manufacturers have to at least reasonably look at the foreseen risks —
MR. REYNOLDS: I don’t disagree with that.
MR. HOUSTON: And then there’s the unforeseen, but I think one of the real problems that I know I’ve heard of and we heard some of it in our testimony was is that you might have a medical device that is purchased, it stays on the manufacturer’s price list for a couple years, fall off the price list, a couple years later it even falls off the supported, list of supported equipment that’s running a five year old operating system that Microsoft has now come out and said we don’t even support that anymore, now you’ve got a piece of medical equipment that’s out there and there’s nobody who’s really standing up and saying, and I think what we’re trying to say is their support of analysis has to be that on a going forward basis medical equipment manufacturers need to recognize that that is where, it’s not reasonable to think that a piece of medical equipment is going to get turned over in four or five years, it might be ten years, and that they need to be more diligent —
MR. REYNOLDS: I’m not sure, that’s the whole technology, anything you buy from somebody, they say I’m willing to support it, you can’t be more than two versions behind, if you own it and you’re running two versions behind you took the responsibility, they basically clearly stated in their contract up front with you they’re not going back more than two versions, I mean so I guess, all I’m worried about is, I’m just throwing it out there.
MR. HOUSTON: Why don’t we say this, in the third bullet, HHS should develop guidance to assist medical device manufacturers who provide medical device functionality consistent with the security rule as well as to address reasonable security risks.
MR. ROTHSTEIN: Great. Yes, reasonable always works. We’ll let the courts determine what is reasonable.
MR. HOUSTON: I will make these changes, are we good to go then?
DR. HARDING: It’s a much better letter.
MR. HOUSTON: I appreciate your guidance and support.
MR. ROTHSTEIN: Let me just thank John in advance for his work on this. He will be presenting the letter as well as a summary of our subcommittee meeting this morning during the after lunch session. So if there’s nothing else we are adjourned, thank you.
[Whereupon at 9:42 a.m. the breakout session was adjourned.]