[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

Subcommittee on Standards and Security

May 1, 2007

Hubert H. Humphrey Building
Room 705A
200 Independence Avenue, SW
Washington, D.C. 20201

Proceedings By:
CASET Associates, Ltd.
10201 Lee Highway, Suite 180
Fairfax, Virginia 22030
(703) 352-0091

PARTICIPANTS:

Subcommittee Members:

  • Jeffrey S. Blair, Co-Chairman
  • Harry Reynolds, Co-Chairman
  • Justine Carr, M.D.
  • Simon P. Cohn, M.D.
  • J. Marc Overhage, M.D.
  • Judith Warren, Ph.D.

TABLE OF CONTENTS

P R O C E E D I N G S [9:00 a.m.]

Agenda Item: Call to Order, Welcome and Introductions

MR. REYNOLDS: Okay good morning. I would like to welcome everybody to the
meeting of the Standards and Security Subcommittee of the National Committee on
Vital and Health Statistics. NCVHS is a primary health policy advisory
committee of Health and Human services. I would like to remind everyone that
this meeting is being recorded and being heard over the Internet. I also ask
everyone to please put your cell phones on mute, and for those of you around
the table if you put a blackberry or a laptop near the microphone, that’s
the clicking we’ll hear, if we could keep an eye on that. Also for members
of the committee staff and anybody testifying, please speak into the microphone
to allow all involved to hear. I am Harry Reynolds from Blue Cross Blue Shield
of North Carolina and co-chair of the subcommittee along with Jeff Blair. I
will now ask each member of the committee and staff to introduce themselves as
well as those in the audience, and the members to state whether they have any
conflicts of interest in today’s hearing. I have no conflicts.

Jeffery?

MR. BLAIR: I am Jeff Blair, Director of Health Informatics at Lovelace
Clinic Foundation. I am not aware of any conflicts. Justine?

DR. CARR: Justine Carr, Beth Israel Deaconess Medical Center, member of the
committee, and no conflicts.

MR. FITZMAURICE: Michael Fitzmaurice, Agency for Healthcare Research and
Quality, liaison to the national committee, staff to the subcommittee on
Standards and Security.

DR. COHN: This is Simon Cohn. I am Associate Executive Director for Health
Information Policy for Kaiser Permanente, chair of the committee, and member of
the subcommittee. No conflicts.

DR. WARREN: Judy Warren, University of Kansas School of Nursing, and member
of the subcommittee. No conflicts.

MS. BUENNING: Denise Buenning, Centers for Medicare and Medicaid Services,
lead staff to the subcommittee.

(Introductions around the room.)

MR. REYNOLDS: Okay let us just quickly look through the agenda this
morning. We are going to be talking about the HIPAA process streamlining
letter, and then Nancy Spector and Lynne Gilbertson are giving us the annual
DSMO report, and then after the break we’ll go through our e-Prescribing
Pilots Report, which is always good for us since we spent so much time in that
in the past. It’s good to get a refresher on where that’s going.
After lunch, an update on NPI and a discussion of the Contingency Guidance, and
then after the break a discussion and update and review of the guidance for the
security rigs. So, that would be our full day we have in front of us.

With that, I am going to ask — we’ve gone through

this letter a number of times, had a number of conference calls, and other
things discussing it. So, I am going to ask Denise to read through this, a
paragraph at a time. Purpose today is to approve this letter, and if anybody
has any significant changes, we would work on those and definitely settle this
tomorrow. We need to have this letter ready to go on to the executive committee
and then on to full committee when we meet in June. We’ll proceed from
there. Denise if you would please read the letter.

Agenda Item: Discussion of the HIPAA Process
Streamlining Letter

MS. BUENNING: Thank you, Harry. This letter is addressed to the Honorable
Michael O. Leavitt, Secretary, U.S. Department of Health and Human Services,
Washington DC. Dear Secretary Leavitt, The National Committee on Vital and
Health Statistics (NCVHS) is responsible for monitoring the implementation of
standard transactions, code sets, and identifiers adopted pursuant to the
Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Section 1174 of the act permits the Secretary to make modifications to any
established standard after the first year, but not more frequently than every
12 months. It permits the secretary to modify an initial standard at any time
during the first year of adoption, if it is determined that the modification is
necessary to permit compliance with the standard.

During the past several years, NCVHS has observed, and the industry has
testified that the time required to update and receive federal approval of new
versions of HIPAA transaction standards may take five or more years. The
current process includes the following steps: 1) Development of new versions of
health care information system standards by ANSI-accredited standards
development organizations (estimated time: 1.5-2.5 years). 2) ANSI
certification that a new version was developed in accordance with ANSI
consensu-based process (estimated time: 0.75-1 year). 3) Review and approval of
updates in open public forums such as NCVHS (estimated time: 0.5-1.5 years). 4)
Initiation of process of promulgation through federal government’s Notice
of Proposed Rulemaking (NPRM) process, including publication in the Federal
Register with a 90-day window for written public comment and publication of a
final rule (estimated time: 2.5-7+years).

MR. REYNOLDS: You should stop there for just a second. Does anybody have
any questions or concerns or issues with anything so far? Okay, please
continue.

MS. BUENNING: The resultant minimum five year timeline is inconsistent with
the objective of accelerating the development, review, and adoption of health
care information standards to improve health care quality and patient safety,
and reduce health care costs. Further, the protracted timeline may result in
unanticipated consequences including the development of interim proprietary
solutions, which undermine the goal of interoperability.

On September 26, 2006, the NCVHS Subcommittee on Standards and Security
hear testimony from Health Level 7, ASC X12N, and NCPDP—the three
Standards Development Organization (SDO) members of the HIPAA Designated
Standards Maintenance Organizations’ (DSMO) Steering Committee. DSMOs are
organizations designated by the HIPAA regulations to coordinate the process of
updating HIPAA transaction standards. The DSMO representatives presented a
proposal to streamline the HIPAA process for approving new versions of existing
transaction standards, while maintaining the essential opportunities for all
sectors of the health care delivery system to review and comment on the
standards. They observed that, based on the industry experience, the time from
SDO approval to implementation is the major delay in the process. Their
estimates suggest that from the time a health care organization requests
changes to “HIPAA adopted” implementation specification, whether
through the DSMO Change Request System or via the SDO’s data maintenance
process, the minimum time to implementation is five years. Examples cited
included: An NPRM for “claims attachments standards” under HIPAA was
drafted in 1998, and finally published in late 2005. An NPRM expected to obtain
public comments re: issues in the pharmacy industry for billing of supplies and
professional pharmacy services first identified in 2001 had yet to be
published.

MR REYNOLDS: Stop right there for a second. Any questions or comments? I
have one. In the end of the last paragraph that you read, why have we bolded
five years rather than just have it as a…?

MS. BUENNING: That was included in the drafts as we progressed. I think
that was intended for emphasis.

MR. REYNOLDS: I do not see any— I mean we talk about the five years
earlier and I am not sure it’s pointed out there. Does anybody on the
committee have a problem with that?

DR. CARR: I have a question here. I am just trying to relate. The sentence
says “based on industry experience” at the top of page two. “The
time from SDO approval to implementation is the major delay in the
process”, and I wonder if we can relate that back to which steps we were
talking about. Does that mean steps two, three, and four? Or which step?

MR. BLAIR: After the SDO has approved the particular update to a standard,
and after it’s been approved by ANSI, and after it has gone through NCVHS
reviews. From that point until the time when HHS has accepted it. That’s
the area where there could be tremendous variations.

DR. CARR: So that is step four?

MR. BLAIR: That is step four.

DR. CARR: I would just, since we’ve outlined the process on step
one—I mean page one—

MR. REYNOLDS: If we take what Jeff said, that is item four. In other
words—

DR. CARR: Yes. Right. I am just saying the outline on the front is very
helpful in structuring what we’re talking about and it would just be
helpful to now redirect back to—here’s where the delay is, it’s
called step four on page one.

MS. BUENNING: So Justine are you suggesting then that after the work
implementation in that sentence, we put in parenthesis “Step 4”?

DR. CARR: Yes, wherever. Yes, that’s fine.

MR. REYNOLDS: Is everybody okay with referencing which of the four steps
this deals with?

DR. WARREN: I guess I have no problems with it. I am just looking at how
many times and how many places do we need to say the same thing? I guess my
problem is we have laid out the issues where the delay is, and now we’re
talking about the implications of that. So I do not see that we need to refer
people back to the previous page. I am fine if we want to put a parenthetic to
refer them back to page one, step four. It’s only like two paragraphs
previous. It is a style issue.

MR. BLAIR: It sounds like not everybody needed it for clarification, but
some people did. Maybe it’s slightly redundant for some folks, on the
other hand it’s clarifying for others. My inclination would be to accept
it for clarification.

MR. REYNOLDS: Any other comment on that? Let’s put it in and then
we’ll read it again. We’ll look at it and make sure it does not
hinder the flow at all. All right Denise, if you would continue please?

MS. BUENNING: Compounding the problem of the protracted timeline is the
lack of predictability surrounding the timing of the process. The lack of
predictability has led many health care delivery systems and vendors to develop
proprietary solutions which can solve problems in a timely manner, but which
undermine interoperability. This dysfunction may not be visible until there is
a need to share health care information at a regional or national level.

MR. REYNOLDS: Let us stop there for a second. Mark, one thing—We have
a life size picture over here we should put in a chair so that I remember that
you’re on the phone. Do you have any comments up until now? If you do,
through the rest of the hearing please just speak up that you have a question,
and then I will get to you at the appropriate time.

DR. OVERHAGE: Well I am not shy.

MR. REYNOLDS: Okay, thank you.

MS. BUENNING: ON January 25, 2007, in response to the subcommittee
feedback, the here SDOs presented the updated proposal to streamline the health
care standards development review and approval process, which is enclosed with
this letter. The updated proposal retains many existing process but offers a
more efficient approach to several key areas where problems exist. The essence
of these changes is that they encourage all interested parties in health care
(including payers, providers, and vendors) to participate in the development of
the standards at the SDO level by announcing SDO meetings in the Federal
Register, shortening the time for NCVHS review and approval, and significantly
shortening the time for the NPRM process. If accepted, this streamlined process
could potentially cut three years or more from the current standards adoption
process. Opportunities for input and participation are not eliminated, but the
proposal encourages the expansion of the open public participation in the
standards development process at the SDO level in a manner that would enable
modification of the NPRM process and thereby minimize redundancy. The proposal
also helps to make the process more predictable. At the January meeting, the
Subcommittee considered this updated proposal and heard reactions to it from
healthcare providers, payers, vendors and clearinghouses representing entities
covered by HIPAA, and those supporting these entities. None was apposed to the
proposal. However, testimony from representatives of the pharmaceutical
industry expressed the desire that written testimony to HHS would still be
permitted within the new proposal framework.

NCVHS endorses the proposal to streamline the HIPAA transaction process and
recommends the HHS consider its adoption. As a precursor to adoption, NCVHS
recommends that the proposal be evaluated by HHS legal counsel to determine how
it could best be implemented in a manner that is consistent with Administrative
Procedures Act. Sincerely, Simon Cohn, Chairman, National committee on Vital
and Health Statistics.

MR. REYNOLDS: Anybody have comments? Michael?

MR. FITZMAURICE: A couple of suggestions since this is our final look
through. I would, in this paragraph beginning “On January 25, 2007”
on page two, I would put in italics the Federal Register since that is a
publication, and on the last sentence, I would take out the word
“would” so that it reads “However, testimony from
representatives of the pharmaceutical industry expressed the desire that
written testimony to HHS still be permitted within the new proposal framework.

DR. WARREN: You just put pharmaceutical industry in there. It is much more
than just them.

MR. BLAIR: I think went back and it turned out that it was only individuals
from the pharmaceutical industry.

DR. COHN: I guess I am just—I guess I do not know what written
testimony the HHS means in terms of the process. I heard a wide variety of
people wanting to make sure that there was the opportunity for written comment
on things going forward. I do not know if that’s what we’re talking
about or something different, which I think is very different than written
testimony to HHS. That was, I think, really far beyond pharmaceutical industry
representatives. So I do not know. Is this the same thing we’re
referencing? Or is it something different?

MR. FITZMAURICE: What I remember hearing was that it was comment that they
still want to be able to make written comment to what was proposed. So, I think
you’re right Simon.

MR. REYNOLDS: Written comment as part of the process rather than saying to
HHS?

MS. BUENNING: I thought the issues was taking out the word testimonial and
using comment instead. However, testimony from representatives of the
pharmaceutical industry express the desire that written comments to HHS still
be permitted.

MR. FITZMAURICE: I would put “and others” after pharmaceutical
industry.

DR. WARREN: I think we need to look at the rolls that the people from the
pharmaceutical industry play because many of them were speaking on behalf of
WEDI or DSMO which is more than pharmaceutical.

MS. BUENNING: If you want to broaden the scope then, are you making the
recommendation that take out the word pharmaceutical and just say industry
representatives?

MR. BLAIR: If we do say industry representatives, I think we should say
some industry representatives.

MS. BUENNING: Testimony from some industry representatives.

DR. COHN: My memory was many, actually. Maybe I am mistaken.

MS. GREENSBERG: I guess, you know, go back to the transcripts, and perhaps
you did it sounds like. I am sure I’ve heard more than one. I think some
would be fine. I think comments would also be preferable. The additional issue
I have though is that, written comments could still be permitted, but of course
you could always send written comments on anything. I mean, there is no
circumstance under which a letter would arrive and be returned to the sender.
So, I think that somehow there’s something about that turn of
phrase—I think it’s not just that written com—because you can
always send written comments. They wanted that as part of the process. There
are two issues. With an NPRM, that’s the part that isn’t completely
clear to me as to what was being requested. But with an NPRM, written comments
do not get individual responses, but a final rule does comment— It does
reflect on the written comment, and so there’s—It’s not that the
written comments are received, but they have to be taken into account. You can
still go ahead in contrary to the written comments, but you need to comment on
them as it were. The question is whether that part of the process is
still—People still feel the need for. Now, I realize that that could
eliminate or at least reduce the value of the timeliness of the process if you
still have to go and get written comments and then you have to review them, you
have to comment on them. And maybe the testimony is clear on that and can be
straightened out. The idea—The thing that HHS would still be permitted
indicates that there is a circumstance that written comments are not permitted,
and that just does not make sense to me.

MR. REYNOLDS: Michael?

MR. FITZMAURICE: I think the question might be in order to streamline the
process, could the public submit written comments and be obliged if they want
to have a say, submit written comments to the SDO process before it gets to the
department. And so as far as the department’s consideration, it might
consider that the comments have already come in, but they came in to the DSMO
that thereby shortening the process. I do not know that that’s legal or
not. That’s why if I wanted to have legal review in the office of the
secretary as part of our recommendation

MS. GREENBERG: I think people actually send written comments to the
department. They didn’t want all of their comments to have to be to SDO.
That of course there was the opportunity though to comments to NCVHS. You know
it’s like, the opportunities.

MR. FITZMAURICE: We wouldn’t turn anyone down, I do not think.

DR. CARR: With apologies to Judy, again in my concrete structured diagram
the sentence approach, I would like to suggest that on the last paragraph on
page two, that we do more of a crosswalk to what the interventions are and
where they will change the process. So, toward that end, there is a sentence
that begins “the essence of these changes is that they
encourage”—and here I would add they “encourage earlier
participation of all interested parties in healthcare in the development of the
standards at the SDO level by announcing SDO meeting in the Federal Register
(step 1) and then continuing on to say shortening the time for NCVHS (step 3)
and then approval and significantly shortening the time for NPRM process (step
4)”.

MR. REYNOLDS: That’s very good.

DR. CARR: The sentence begins “The essence of these changes is that
they encourage earlier participation of all interested parties in health care
including payers, providers, and vendors. In the development of the standards
at the SDO level by announcing SDO meetings in the Federal Register (Step 1),
shortening the time for NCVHS review (Step 3), significantly shortening the
time for NPRM process (step 4). I am trying to do the crosswalk. Did I miss
something in ANSI? Are we proposing ANSI certification—

MR. FITZMAURICE: Step two remains unchanged, really.

DR. CARR: Yes, that’s the point I am trying to make.

DR. COHN: Well maybe this just goes along with my fresh eye after not
looking at this for a little while. I was wondering where the DSMOs fit into
the process, only because I thought that they were part of the process here,
but I do not see them listed so I just wasn’t sure whether there—but
I think they are somewhat different than any of the one, two, three, and four.
I do not know if or how we want to recognize that. I guess the other questions
I had were, and this is maybe my confusion. Did the three standards of
organizations that composed the members of the DSMO present this as an
independent proposal or was this something that was being brought forward by
the DSMO representing all of the members of the DSMOs? Only because of the way
it is written here. Because this sounds like it was just being brought forward
by the three standards development organizations. You probably aught to get
that clarified, it’s unclear if you read it. The final comment have, and
this is just—and I do not know where to put it but we dive deeply very
quickly in this letter. I just want to remind everybody that what I think
we’re talking about is a predictable and timely process in that
that’s really what we’re all striving for. The quoting from the
section, I think, was the intent to develop that. Somehow, we almost say it but
do not ever say that that’s the intent of what we’re really talking
about, so we may want to put a sentence in there. I think that a little of
wordsmithing unless somebody disagrees that that’s the intent of this
whole letter.

MR. BLAIR: Although I may say it’s a more predictable way. It will
never be completely predictable.

MS. GREENSBERG: I just had a suggestion for this last sentence that might
kind of give us a little regal room. “However, testimony from some
representatives of the health industry expressed the desire that the
opportunity to submit written comments to HHS would still be part of the
process. Exactly how they would present this process we can leave open for
further review. Does that–?

MR. REYNOLDS: I believe that was the intent in what we heard. Lynne?

MS. GILBERTSON: In answer to Simon’s question, these were the three
SDOs. This was not a testimony from the DSMO. So that really should be one of
the clarifications we submit and the other—from the testimony in the last
sentence that is being discussed, from what I recall the testifiers were
discussing they want to be able to still submit policy comments to HHS. They
recognize that technical comments could be sent in at the SDO processes, but
they wanted to be able to submit policy questions related to the NPRM at some
point of the process.

MS. GREENSBERG: I would have to say one person’s technical is another
person’s policy.

MR. BLAIR: My recollection was, and I am not sure this is correct, but my
recollection was that there was encouragement in the discussion that as much as
possible technical in policy suggestions be included because a lot of the
policy pieces, I guess that blurs, and maybe I wasn’t clear on this, but
in terms of business practices that there was an effort to encourage that to be
included within the standard’s development process because what I am
worried about actually happening. Maybe we can clarify that because I am a
little concerned that if we start to carve out a separate roll for comments at
the HHS level rather than maintain the encouragement of both technical and
policy issues or business practice issues at the SDO level. That is the intent
is to encourage the involvement at the SDO level. So, maybe you have a thought
on that Lynne or Marjorie or someone else?

MR. REYNOLDS: Let me make a comment before we ask that. So are we saying
that we want to put in here that there will be comments available throughout
the process or comments after the process?

MR. BLAIR: I think the wording we picked to try to accommodate that was
that some representatives indicated that they wanted the ability to create
comments but that it would be within the proposed framework that it’s
going for which says—throughout the process.

MS. GREENSBERG: I had changed that wording and you are right. You should
keep that.

MR. REYNOLDS: Okay so the process is what we’re talking about.

MS. GREENBERG: What I—The way I read this is that you are faithfully
reporting that some representatives—industry representatives made a state
of this. I do not think you go so far as to endorse it—I mean, to agree
with it or to support it.

MR. REYNOLDS: Unless we choose to.

MS. GREENSBERG: And you can, but that way it is framed now is more a
reporting of what you heard than saying, and we support this.

MR. BLAIR: It is so ambiguous that it is really hard to know. If their
suggestion that they just wanted the ability to provide written comment, I do
not think there is any problem with that. The concern was whether they wanted
to continue making written comments at the HHS level and if that is done in a
manner where it extends the timeframe at the HHS level, if they wait until then
rather than try to bring those issues forward, especially business practice
issues forward during the SDO process, then it unravels the objective of the
streamlining process. So that—I think that they need to have the right to
make written comment maybe wherever they wish to, but I think the intent of the
streamlining process is we encourage them to do it during the SDO level.

MR. REYNOLDS: Michael?

MR. FITZMAURICE: It is possible that it could be streamlined and get most
of the issues, maybe all of the issues settled through this streamline process
at the SDO level. It comes up in NCVHS, looks at it, here’s testimony,
says they have it pretty well, goes to the secretary, and the secretary says
yes it looks like it is pretty final so let me put out a final rule “with
comment”. So, you bypass the NPRM part of it if you think that it has
widespread public review and comment, but you still provide the opportunity to
give comment to the secretary, and since these things do not go into affect for
at least six months after they get published as final, maybe longer. There is
time to consider those comments and see if there is anything so important that
the final rule aught to be changed, so you can put out a final rule “with
comment”. Unless the comments are very strong and convincing, the
effective date is still the effective date.

MR. REYNOLDS: Which kind of gets to both things that we heard. One, we want
to streamline process, but other people still want to have the right to
comment. In the current NPRM process, they feel there is more of an open
comment period. Is that what, Simon—

DR. COHN: I am actually intrigued by what Michael is talking about. That
the proposal from the three SDOs, obviously, had the initial intent of
legislative remedy, and obviously we’re trying to figure out what can fit
in to current non-regulatory processes. I am embarrassed that I do not know
enough about final rule with comment and exactly what that means. It sounds
intriguing as one way to help streamline the process. We never dealt with that
particular methodology before. Can you describe any of the aspects of that? Is
that something that should be represented as a tool?

MR. FITZMAURICE: Well it’s something I would leave to the judgment to
the secretary, given our recommendation that we’ve strongly looked at this
process and have the lawyers look at it. But the secretary can look at
something and say, you know, we’ve received a lot of public input already
and I judge that most all the public input that I can imagine has been
received, I am going to skip the NPRM and put out a final rule “with
comment”. So barring any comments that come in that were not anticipated
that are such an importance that there should be changes. The date that is put
in the final rule “with comment”.

MS. GILBERTSON: And part of that has to go with the steps that are part of
the APA, the procedures act, and if the steps have been met, and they can skip
down to the final rule that is perfectly possible as a step. We did not want to
tell HHS how to go through, resolve the steps of the APA, but that is one of
the options that could be invoked.

MR. REYNOLDS: How does the committee feel about Michael’s approach.
Let us not go with the words yet, let us go with the approach. Which is to
mention that this process— We agree with this process and that at the end of
this process there will be put out “with comment” allowing others who
have shown an interest to make any further comments if necessary. I am not
trying to wordsmith it, that’s for sure. I am trying to play off of his
comment only to understand whereas a committee, we want to recognize this. If
it’s like it is now, it’s part of the process. It just says comments
to HHS. There is nowhere is that? Is it at the beginning? Is that the end? Is
that the middle? Where is that? Whereas Michael, structure at least, says go
through the process as was proposed and if somebody felt that they were not
aware, did not get their just due and did not get their comment heard, then
when that rule comes out “with comment” they would have the
opportunity to do that. Some people were concerned the NPRM going away because
all of the public comment goes away.

MR. BLAIR: I felt as if Michael struck a compromise whereby it encourages
comments during the SDO level. It still allows comments at the later levels,
but the impact of the comments at the last minute is clearly reduced and
that’s the intent of what we wanted to achieve.

MR. FITZMAURICE: I would have our wording such that the Secretary is made
aware that we are aware of this possible avenue, but it still remains the
Secretary’s discretion whether he or she wants to go through NPRM process
and then show final rule. So there is still a secretarial judgment and enough
evidence has been submitted.

MR. REYNOLDS: And I like that rather than being overly prescriptive.
That’s exactly how it will occur. Judy.

DR. WARREN: Do you think that this approach will add anymore time to what
has been proposed in proposal?

MR. FITZMAURICE: I think if we propose that all of the comments come into
the SDOs and nothing comes into HHS that we see it raises a concern among the
testifiers. This is a way of possibly shortening it if the secretary judges
that it can be shortened, and yet having people have their say and then
weighing that say before the effective date or the compliance date goes into
affect.

DR. WARREN: Then I need to ask a question because somehow I am not
processing this. If we have comments coming in at the end, how is that
different from the NPRM process?

MR. FITZMAURICE: With the NPRM Process you put out your tribalum(?), you
get a lot of public comments, you address them, and then you put out a final
with no comments. In this case, you’re bypassing the NPRM and putting out
final rule with the ability for the public to make comments, and then you judge
whether or not the final rule stays final, which it probably would unless there
are some comments that were not considered beforehand and you think they were
important enough to go back and withdrawal the final rule and reissue one.

DR. CARR: I am just trying to do the math on how much shorter it will be
after these recommendations go. If I look again at the four steps, the first
step development of the new versions by the SDOs currently takes 1.5 to 2.5
years. So, we are saying seek more input early on, and would we assume that it
would still take 1.5 to 2.5 years given that more comments so it would be
there? So, that would be one question. Second, ANSI certification looks to be a
year and we have not made any recommendations on that. Third is NCVHS is 0.5 to
1.5 years and we’re recommending that that be shorter so maybe 0.5, and
then initiation of the process through NPRM and that’s 2.5 to 7 years and
we’re making—if we were to suggest final rule instead of NPRM, how
long would that take? In other words we’re concerned that it takes five
years, but I am trying to make sure that our revised process does not take five
years.

Mr. BLAIR: Michael, with your recommendation, how much time would you
estimate for that last, the fourth step?

MR. FITZMAURICE: I’ve never made any money in the government by
estimating the time it would take to do anything. What I would say is that it
provides a pathway to shortening the time, and given the will of the secretary,
the will of the agencies that would have to review this final rule and also the
will of the OMB, it could take a very short time or longer than a very short
time. And I will stand by that.

MR. REYNOLDS: Lynne, did you have a comment?

MS. GILBERTSON: In the proposal that we submitted to the committee, we had
the current timeframe and a proposed timeframe and the savings could be yours
because NPRMs take a very, very long time to see the light of day usually. So,
your in a factor of years. The other thing to point out is that step one and
step two happen concurrently. When the SDO is bringing forth standards,
they’re going through their ANSI processes at that same time.

MR. REYNOLDS: To me, as I sit and listen, it appears that we obviously have
heard the process and we understand we agree with the process. We have this
issue about comment. So, we have a number of options. First, we can just accept
the process and just note that we heard testimony on the other end and let that
be. Or second, we can endorse the fact that there need to be comments
throughout, and then finally we get into a situation where we endorse the
process but still leave it in the end, entirely an open capability for people
to submit comments using the philosophy that Michael had.

So, the committee, I think, has to decide between those three structures,
not the words yet, between those three structures as to what message we want to
send forward or what we are actually concurring — either referencing or
concurring. That’s what it sounds like to me.

Dr. COHN: I guess I am listening to you, maybe thinking about it in a
slightly perpendicular fashion, which at this hour of the morning is a good way
to be thinking. Another question is also level of specificity. Are we being
specific about x in terms of the nature of the comment period and x maybe be
the proposal of the standards organizations or from Michael or from someone
else, or are we staying on a little higher level where we are based on our
testimony will we be encouraging the Secretary to investigate ways to both
streamline the process as well as ensuring maximal input from the industry as
things move forward?

I am not making the statement here, it’s more I am just bringing up
the question or at least another way to think about this.

MR. REYNOLDS: That’s a great question. Okay, comments from the
committee? I see some of you sitting back. You cannot sit back yet. Judy?

DR. WARREN: Back to the style issue that I raised previously. I think with
some of the changes, we do need to put in parenthesis what step we’re
referring to because then you can get lost pretty easily, especially in the
paragraph of January 25th.

MR. REYNOLDS: Okay let us deal with—I put a couple structures on the
table. Simon I thought I would ask an even better question which is level that
we want to discuss. We need to do that because what I would recommend is if we
can settle on that what message we are trying to craft. Then I would like to
maybe have it taken offline, Denise, and we could start working with some
wording and maybe bring it back before we adjourn today and see what everybody
thinks about that message as long as we understand the message we’re
trying to get to in the end here and the level. Work it, bring it back, and
discuss it and then discuss it tomorrow if we have to so we can get this thing
adjudicated.

I am not saying that in a way to be too forceful, but we’ve dealt with
this letter now. I think we’ve got one subject that we’re struggling
with. Again, time and distance is making us look at this. I think what
we’re looking at is a good thing. I think the way we’re thinking
about it is a good thing. I would like some feelings.

MR. BLAIR: I just didn’t know whether we gave you an answer to your
question of do we want to report accurately—

MR. REYNOLDS: No. That was not my question. We do want to report
accurately.

MR. BLAIR: Let me finish the sentence. Do we want to report accurately what
the industry requested in terms of opportunities to comment or do we want to
endorse their request and if I might indicate that I think it’s sort of
half way in between. I think we want to recognize that that request is a
reasonable request if it’s done in a reasonable way. Sometimes, we have
had situations where certain sectors of the industry have waited until the last
minute, and I think that part of the streamlining process is to recognize they
have a right to do this at any time. I think that somehow we want to balance
with whatever we could do to encourage that if they make comments, they do it
early in the process rather than the last minute.

DR. CARR: I just want to make sure I understand the combination of your
question and Simon’s. So Simon is saying, are we structuring at a micro or
a macro level, and your question is are we summarizing what we heard or
endorsing what we heard.

MR. REYNOLDS: That is correct.

DR. CARR: I mean, I think that this—It is important that we endorse
either that we—I think that we should make a recommendation and we
should—this is a complex area. We’ve assimilated a lot of exceptional
thought process about it, and I think we should go ahead and endorse what we
believe to be good. I think that being macro might prolong this process of our
thinking. I am sort of inclined to be very specific, prescriptive, and backed
up from what we heard and from whom we’ve heard.

MR. REYNOLDS: And what might that sound like?

DR. CARR: That here is the steps, here is the way we can shorten them and
that includes Michael’s idea about the—instead of an NPRM process,
the final rule with the comments. I think the responsibility for us is to say,
the process right now can go up to 7.5 years. On average, it is 5 years.
We’re going to take a half of a year out of here, and a one year out of
here, and our goal is that it would just be no more than a three year process
or less.

MR. FITZMAURICE: I just want to say I agree with Jeff that this is America
and people have the right to make comments at any time. I would hope that the
weight of public expectation is about this new process and the resulting
oversight and the visibility of NCVHS is looking at this. I would encourage
those segments of the industry who would be reluctant to come in and accept at
the last moment. I hope it would encourage them to participate fully and up
front with issues that they have so that it is a good process. It might be a
little embarrassing to come in at the very end and say, well you know this
needs more study. Well, everything we do in life needs more study, but we have
to take action before we all die.

MR. REYNOLDS: So plan off of Justine’s comment?

MR. FITZMAURICE: I support what Justine said and I support what Jeff said
as a humble staff member of the committee.

MR. BLAIR: I might even have a suggestion for some additional wording to
that last sentence where we can make the statement accurately that some members
of the industry requested that they be permitted to make comments at any time
in the process, and if we have that statement, we can also make a statement
that the NCF believes that this right should be protected, however the new
process should do everything possible to encourage comments during the SDO
level.

MR. REYNOLDS: Who is NCF?

MR. BLAIR: NCVHS. Did I not say that?

MR. REYNOLDS: You said NCF.

MR. BLAIR: I am getting too old.

MR. REYNOLDS: No that’s fine. We were making sure we heard testimony
from them before we put it in—That wasn’t ringing a bell.

DR. COHN: I am obviously seeing here wordsmithing and some people have
noted that my handwriting is—there’s a reason I have gotten an
electronic— I am not sure whether we need to decide today if this may be a
preparatory to a final conversation tomorrow. I am trying to find the right
level of about how to move this thing forward because I think we’re
all—I mean, I guess I am coming back to timely, predictable,
streamline—I think we’re all in favor of it. We obviously can spend
tremendous amounts of time being in the details or we let the department deal
with the details. So, I am sort of wondering whether something around the idea
of endorsing the spirit and intent of the proposal and asking the department to
investigate how the proposal can be integrated into the HIPAA update process
which is really what we’re talking about to ensure predictable and timely
process while at the same time maximizing opportunities for public industry
comment.

MR. REYNOLDS: You want to say maximizing?

DR. COHN: That’s what I said—I am just trying to figure out the
right level of things are.

MR. REYNOLDS: Let me tell you why I like maximize. We adjudicate these
situations one at a time, but we hear a lot of testimony. If you look further
down our agenda when we’re going to be talking about NPI, and we heard
testimony about people having trouble even communicating what their own people
in their own industry and trying to get to everyone and trying to talk to
everyone and trying to communicate to everyone. I cannot let that go in my head
that if we do not allow using your term maximum comment, agree to a process,
but allow comments along the way, we still have not grouped up as an entire
group to communicate well to the whole sector. We have people that are here
with us a lot and some of us do this in our day job and other things going on,
but there is a whole industry out there that we are all struggling and
we’ve heard testimony over and over again to communicate to. So, in
streamlining the process, we still need to encourage those doors because if you
look at the things we’re going to judicet later today, there are people
waiting till the last minute. There are people looking at the last minute.
It’s not because they’re necessarily not involved. It’s because
the ability to communicate these complex changes, these complex situations that
we’re dealing with is a struggle—we spend their days at that, let
alone those that are going to affected by it in their day to day lives and do
not have the resource, the time, or really the conduit right now to get that
information. I cannot let the other testimony we hear on these other subjects
go. So, I think what you said gets to that and the word maximum allows—to
make sure that the secretary hears that we do feel that communication is still
a real big part of this in every way that communication can be gotten. Through
the process or whatever we can do is a good thing. I like your wording, but I
wanted you to understand why that I do because this other stuff that is going
on that we are going to be dealing with today and every other time and any
other assignments we get. The industry does not communicate with itself well
enough yet to just make only one way happen and then you know that’s all.

MR. FITZMAURICE: I like what Simon said and I would offer a sentence that
might find its way in there somewhere. The sentence would be: with sufficient
input from the public to the SDOs through this proposed streamline process. The
secretary could consider issuing a final rule with comment rather than an NPRM.
Just provide information that we know that there is an avenue and secretary
would like you to consider it.

MR. REYNOLDS: Mark, do you have anything to say?

DR. OVERHAGE: I like the direction of trying to set up the goals and how we
can get there. I think that really helps people understand what we’re
trying to accomplish and helps lay out the plans. I think that’s the right
direction.

MR. REYNOLDS: Okay, let us—

DR. COHN: I guess the question is, Michael explain to me what that
additional comment gets us.

MR. FITZMAURICE: You mean the for or with comment? What that additional
comment gets us?

DR. COHN: Yes, I am just trying to think in my own mind of—

MR. FITZMAURICE: All right first of all it get us compliance with the
administrative procedures act. Secondly, it gives the public the right to
comment even after the last moment. If the comment is witty enough, the
secretary can make another judgment about the final rule. Thirdly, if there is
sufficient public input to the SDOs, that’s where all these changes can
take place and the SDO can give the technical solution to the public’s
problems. So we want to encourage them to come into the SDOs as quickly and as
often as we can. That’s what I think it gives us.

DR. COHN: I am not against the concept, I am just sort of wondering whether
it’s more along the lines of as part of this evaluation, the
administration should also explore the applicability of the use of what
you’re describing.

MR. REYNOLDS: I think if we added that, your comment to your previous
sentence then I think we might have it. I am a little bit where you’re
coming from. Michael, yours might sound a little too prescriptive. I think
Simon’s most recent comment opens the door and shows that we are aware of
it and mentions it but does not necessarily recommend it.

MR. BLAIR: Simon, I am fine with the sentence that you suggested except
there was one piece that was left out of the sentence, and whether it’s
addressed either in Michael’s suggestion or some other way, and that is,
the piece that was left out of it was encouraging comment during the SDO level.
As long as we have that phrase in there, either in another sentence afterward
or within the sentence, then I would feel perfectly comfortable with what you
were suggesting.

MS. TRUDEL: I am trying to find a little bit of middle ground in terms of
specificity, and it might be rather than specifying with final comment, just
that the secretary should investigate all appropriate options under the
administrative procedure act to streamline the time involved in the regulatory
part of the process. In some cases, if there really is something controversial,
a final would comment actually adds time because you get all your comments at
the time. Then you have to start over again with an NPRM. So, there are times
when that is not a good option.

DR. COHN: I think Jeff’s comment is clearly something we would want to
emphasize to the secretary also in terms of it. I think we sort of say it here
or at the end about whatever we’re doing, I think the intent—somebody
should find all ways to ensure that the industry is providing input in as early
a time into the process as possible. I think that’s an important
philosophical piece that we probably want to emphasize.

MR. REYNOLDS: By not commenting, I had assumed that he agreed. That had
been part of our discussion all along. I think it’s a good logical
addition and I assumed that it would be included.

All right, let’s do this. I would like to recommend that we maybe have
Denise and maybe Karen and we’ll work on a few sentences and later this
afternoon we’ll bring them back and talk about this part again because we
didn’t hear any major discussion on the rest of it. Justine, you made a
comment on January 25th. So, if you have any
comments—let’s come back this afternoon before we adjourn, we’ll
talk about these sentences, we’ll know what we need to do and then we can
move forward tomorrow. Thank you for the discussion. I think it’s exactly
what we needed to do. Lynne, did you have any other comments? Thank you for
joining us for clarification. With that, we’ll move on to our next agenda.

Agenda Item: DSMO Annual Report Presentation

MR. REYNOLDS: As part of our responsibilities we need to hear the annual
DSMO report. Is Nancy Spector still here? Okay. Lynne you were listed here too.
She’s back.

DR. COHN: I guess I should just make a comment since Nancy is presenting. I
am not sure whether I am a member of NUCC at this point or not. I am on the
distribution list. I thought I had left about a year and a half ago, but I just
wanted—as a public comment, I have been a member of the NUCC. I just
wanted everyone know. I guess I am a non-active member then.

MR. REYNOLDS: Simon, your pronouncement does not worry us that you would
have any conflicts. With the level you appear to be involved, I think
we’re safe. But we are glad we straightened that out.

Okay, Nancy, you have the floor.

MS. SPECTOR: Good morning, I am Nancy Spector, Director of Electronic
Medical Systems at the American Medical Association, and chair of the National
Uniform Claim Committee. I served as the 2006 chair of the DSMO Steering
committee and I would like to thank the subcommittee for inviting me here today
to present the DSMOs 2006 Annual Report. Their report has been provided to you
so I will focus on the DSMO activities that are outlined in it. The DSMO
Steering Committee continued its routine work since the previous report dated
February 2006. Due to the timing of the annual reports, the reporting periods
have varied in length. This report covers the 15-month period of monthly
batches from October 2006 through December 2006. On Tale 1 on page 2 of the
report is an overview of the change requests in each monthly batch. A total of
27 requests were submitted. Ten requests were withdrawn by the submitter prior
to DSMO review. Three requests were withdrawn by the administrator, and for
clarification the administrator is the website administrator and requests are
withdrawn by the administrator when they are identified as a test or erroneous
request.

Table 2 on page 3 of the report is an overview of the change request by
each report period. During the current report period, 26 requests were
submitted, which is an average of 1.8 requests per month. A total number of
requests completed through the DSMO process was 14, for a monthly average of
0.9. There were no appeals handled during the report period.

 

The monthly average, as you can see, of change requests, both received and
completed, has decreased significantly since the first DSMO annual report. The
decline in requests has two potential causes. First, the current HIPAA
standards have been in place since August 17th of 2000, so one could
assume that the necessary immediate changes needed for the standard have been
addressed within the seven-year period.

The second potential cause of the decrease in DSMO change request is the
shift in requests being submitted directly to the standards development
organizations. The SDOs are tracking changes made based on DSMO change requests
and producing a summary of all changes made to an implementation guide, which
is included in the final work product. As newer versions of HIPAA adopted
implementation guides are brought forward, the DSMOs are paying specific
attention to those changes in the guides that did not go through the DSMO
approval process.

Table 3 on page 4 of the report provides more specific detail on the
disposition of the completed change requests. Two of the change requests
resulted in “maintenance”, which is category C. The Maintenance
category indicates that the change requests do not impact the implementation of
the transaction and require no further DSMO action. Fine change requests
resulted in “no change” (category D). The No Change category means
that the request is already accommodated in the implementation guide or a
future version or further investigation may be needed prior to approving the
request. The remaining seven change requests were recommendations for the
adoption of new or modified HIPAA standards which is category I. The actual
change request for this report period are in the Appendix, which begins on page
7, and along with additional information on the definitions for each category
and a sample change request.

For other activities that took place in 2006, the DSMO began reviewing
change requests for upgrading to the next version of the HIPAA adopted
standards. In April 2006, I presented testimony to the subcommittee on the
forecasted timetable for the DSMO to bring forward X12’s 005010 versions
of the currently adopted HIPAA 004010 standards. The testimony outlined the
anticipated dates for when X12 would be submitting a change request for each of
the transactions. It was noted that the dates presented were subject to change
based on X12’s finalization of the 005010 Technical Report 3s, formerly
known as the implementation guides. The testimony also gave an update on the
previously submitted change requests to adopt version 004050 of the Payment of
a Health Care Claim or 835. At that time, X12 was considering withdrawing that
request and submitting a change request for adopting version 005010, which was
later done.

Between August and November 2006, X12 submitted change requests for a
version upgrade from 004010 to 005010 for the following transactions: Payment
of a Health Care Claim (835), Health Care Claim: Institutional (8371), Health
Care Claim: Professional (837P), Health Care Claim: Dental (837D), Claim Status
Request and Response (276/277), Referrals (278), and Enrollment in a Health
Plan (834).

The individual DSMOs completed their reviews of these requests and the DSMO
Steering committee completed their review of the responses at their January and
March 2007 meetings. All seven change requests were approved by the DSMO.

In addition, the cost/benefit impact analysis for each transaction being
completed by WEDI will be forwarded to NCVHS for its review and consideration.
The work is currently underway on the surveys and analyses for each of these
transactions.

In conjunction with our work on upgrading to the next version of HIPAA
adopted standards, the DSMO has continued to work on a modified process through
which adopted HIPAA standards can be updated. In December 2005, the SDOs (HL7,
NCPDP, and X12) presented testimony to the subcommittee on the SDO perspective
of updating to HIPAA standards.

Following the testimony, the SDOs worked together on a proposal for
modifying the HIPAA adoption process. The SDOs shared their work with both the
DSMO and WEDI during its development and incorporated feedback received. In
October 2006, the SDOs presented testimony again to the subcommittee on their
proposal titled: Proposal for the Modification of the HIPAA Transaction
Implementation Specifications Adoption Process.

In January 2007, representatives from the SDOs presented an overview of the
proposal and the subcommittee heard testimony from several organizations on
their reaction to it. At this time the proposal is under consideration by the
subcommittee as you were discussing this morning.

In addition to its own work on streamlining the modification process, the
DSMO followed the activities surrounding H.R. 4157, the Health Information
Technology Promotion Act of 2006. The bill included provisions for
coordination, planning, and interoperability of health information technology,
transaction standards, codes, and information, and promoting the use of using
health information technology to better coordinate health care. Section 201 of
the bill called for procedures to ensure timely updating of standards that
enable electronic changes. The SDOs proposal to modify the HIPAA adoption
process and H.R. 4157 were developed with similar time frames and were
compatible. The DSMO also continues to await the NPRM from CMS on modifications
and emergency processes for he HIPAA adoption process. The NPRM was previously
reported as being expected to be released in 2007. As reported in prior annual
reports, the DSMO provided input to CMS on these topics in 2004 and 2005.

Looking ahead for 2007, the DSMO will continue to process change requests
as submitted. The change requests are anticipated to include the remaining X12
transactions for modifications from 004010 to 005010.

The DSMO will continue to coordinate with WEDI on the cost/benefit impact
analyses for each transaction being put forward for modification or adoption.
The SDOs will also continue to collaborate with the subcommittee on their work
developing a streamline process for the adoption of modified HIPAA standards
and the SDOs will be available to present any further clarifying information on
it’s proposal to the subcommittee.

When the NPRM on modifications and emergency processes for HIPAA adoptions
is released, the DSMO will review and make any necessary changes to its current
change review process to meet any new requirements of the final regulation.

Finally, the DSMO will continue its work overall in assisting NCVHS and HHS
on any matters related to HIPAA standards.

This report is a summary of the completed activities from 2006 and the
ongoing efforts that will be subject of future reports at the NCVHS meetings.
The DSMO, as a collaborative organization, continues to demonstrate its ability
to merge both the business and technical perspectives of the transaction
standards as well as the emergency change and modification processes. The DSMO
remains well positioned to assist the NCVHS and HHS in recommending changes to
the HIPAA adopted standards or new HIPAA standards not yet adopted.

The DSMO hopes that you have our report to be helpful to you related to the
issues that it has covered. We look forward to continuing to work with you, and
I would like to thank you again for the opportunity to present here today and I
will be happy to answer any of your questions.

MR. Reynolds: Okay, thank you for your comprehensive report. Any comments?

MR. FITZMAURICE: Just maybe three questions of Nancy. The first one would
be: how many changes to the original HIPAA Transactions and their
implementation guides have been submitted by the DSMOs to NCVHS? The second
question would be: how many have resulted in changes to the relevant HIPAA
standards, and thirdly, how many are still pending action by the government?

MS. SPECTOR: So first, how many have been submitted—

MR. FITZMAURICE: Are there like one or two or…

MS. SPECTOR: Well, Michael the second piece of the testimony, which is the
status, which is this chart. That will probably answer some of the questions of
what has been submitted and where they stand.

MR. FITZMAURICE: Oh, it is a separate document?

MS. SPECTOR: Yes. My question was going to be what timeframe are you
interested in?

MR. FITZMAURICE: The DSMOs were started in 2000, right? So here we are in
2007. That timeframe. Have we processed very many of them?

MS. SPECTOR: Actually, page 3 of the report does give an overview of all
the change requests that have been submitted and by going back to the initial
point, going back to the first change request that came in, and so you can see
here the fourth row down, lists the total completed DSMO review. So you can see
here how many have made it through the DSMO review process. I do not have in
front of me or on hand how many have been submitted through NCVHS from that
total number.

MR. FITZMAURICE: What is the total number? I do not have the table in front
of me. Is it table 3?

MS. SPECTOR: Table 2.

MR. FITZMAURICE: Okay. So I am looking at 143 total submitted. Total
completed as DSMO reviews one hundred two—

MS. SPECTOR: One hundred seventeen—

MR. FITZMAURICE: Roughly 250 if I have it all correct have been completed
DSMO review. Have those been sent to the government for some kind of
consideration?

MS. SPECTOR: In each of the annual reports, there has been a recommendation
if there were any particular actions. I am trying to think. A couple of years
ago we did bring forth…Hmm… I do not think anything has resulted in
an NPRM though.

MR. FITZMAURICE: So my second question was how many of these changes have
resulted in changes to the relevant HIPAA standards. The answer would be zero?

MS. SPECTOR: You wouldn’t go back and change the HIPAA standards that
were named except through the addenda that was released in X12. That would have
been the first year’s worth of fast track changes. Those were incorporated
where they could be.

MR. FITZMAURICE: So maybe that 82?

MS. SPECTOR: Actually, if you switch to page 4 of the report, table 3, this
shows the disposition of each of the requests in the different report period.
Here you can see B is—It breaks up how each of the change requests were
categorized. So you can see, just for example, the maintenance is cost items
that do not impact the implementation of a transaction and require no further
DSMO action. The “no change” category indicates that the guide
already meets the needs of the request or it will be accommodated in a future
version of the guide. So you can see how various change requests were
categorized into those. Then the modifications category is classified as
additions or deletions of data elements, internal core value, five segments,
loops, and changes in usage. These are all changes that will need to be
accommodated in a future version of the standard. So you can see how many of
those—how many of the change requests over the time periods have fallen
into that category.

MR. FITZMAURICE: So you are saying that some of these changes have resulted
in changes to the relevant HIPAA standards.

MS. SPECTOR: They’ve resulted in changes to the guide. So, a future
version of the guide—and I do not have all of this off the top of my head,
but my understanding is that these changes that were flagged as needed for
future versions most likely have been addressed in the versions that have come
since 004010, so 005010 which is now coming through the change request process
to be the next adopted version would accommodate these change requests.

MR. FITZMAURICE: So what I am getting at is, is there any backlog by the
government or is the government still waiting for some things in order to take
any action on the HIPAA standards?

MS. SPECTOR: It is my understanding what would be pending would be adopting
the 005010 and the new NCPDP versions. That would accommodate all of these
change requests that have been made that required a change.

MR. FITZMAURICE: So, I guess to cut to the chase, if they’re imbedded
in the 005010, how long has it been since the government had a draft 005010
from the industry and then what is the time then the government has taken so
far to review that and to consider coming out with an NPRM?

MS. SPECTOR: The process is that we receive reports from DSMOs to consider
new versions of the standards. So, HHS is not received anything, we would be
the first ones to my knowledge receiving recommendations.

MR. FITZMAURICE: So the point is there is not this big backlog and the
length of time hasn’t started yet for the government.

MS. GILBERTSON: I am sort of — to my view depends on your definition
of a backlog. The DSMOs have made recommendations for changes, which have never
been acted on.

MR. FITZMAURICE: By NCVHS you’re—

MS. GILBERTSON: And indeed what we’re seeing is that all of these are
now being, at least as I understand this, fumbled into the 005010 which of
course is a subject for testimony.

MS. SPECTOR: The DSMO change request from a few years ago which was in the
recommendation letter dealing with billing of supplies and professional
pharmacy services. That’s a backlog item. It has gone all the way through
the committee, gone to HHS as a recommendation letter, and there is no NPRM on
that. Not a DSMO change request, but another item is the emergency change
process, which is still backlog waiting for an NPRM. Past that, if the DSMO
change requests that came in were not part of the fast track in the early
2000’s, every other change request that has been processed is in a future
guide. Does that make sense?

MR. FITZMAURICE: It seems to make sense, but it is also painting a picture
that things take longer in the government. The government may not have all the
information it needs to take action. I am just trying to sort that out as to
what could be streamlined and who is waiting on what. I am just not sure.

MS. SPECTOR: Right, well in part of what will now start is based on some of
the information I am going to be giving you in a moment. That’s when the
clock starts ticking, if you want, because there is the actual requests are
coming forward now to the committee which would then go to HHS which would then
start the APA process. So, that’s when we really do not want to wait five
to seven to ten years.

MR. FITZMAURICE: So we really have a chance in front of us to do right and
to do fast? Okay, thank you very much.

MR. REYNOLDS: Simon, did you have a comment? Okay let me ask a question
before we go on. This chart. We have not covered this chart yet? Oh, well good.
I will like to make one comment. Jeff had me covered earlier, but I would like
to make one comment. We had planned for tomorrow to open our discussions on
005010. I think we are going to hear now that the process is still underway to
get it ready to come to us. Okay? So, Simon, back to your earlier point. We
were scheduled tomorrow to begin that, but I think we’ll hear more. I am
saying we will not have discussion on 005010 then. That was pulled from the
agenda. Lynne?

MS. GILBERTSON: All right, I am Lynne Gilbertson, the DSMO secretary and
reporting to you a status of the change requests that have been brought forward
that are related to a recommendation for a new or adopted HIPAA standard. So
now we have got some real action items to move forward on based on the industry
process. These are included in your report from Nancy, the big thick report,
except for a couple that we have just finished processing hot off the press.
These are changes that the DSMO have gone through their process and recommended
that need to be brought to NCVHS, which is what I am doing today, and then the
next steps will start.

As I just go through the chart, the change requests that have come forward
are the X12 005010 835, which has—

MR. REYNOLDS: Lynne, can I interrupt you? You say they have come through
your process. This is the first time they were coming to us?

MS. GILBERTSON: Correct. So if you read row one of the table, change
request 1042, this is for the 835 to move from the 004010 A1 to move to the
005010. It’s status, it has been published by the SDO. It has completed
the DSMO process. A survey has been created working with WEDI. The survey was
executed by WEDI, and we are now the checkmark of the DSMO requests brought to
NCVHS. So, this is the formal request to ask for the 835 005010 to be brought
through the HIPAA process. Okay?

Where some of the checkmarks do not exist, this is just us trying to keep
track of where things are. This survey has been executed by WEDI. The report is
not prepared yet. That would be something you would address with WEDI. We were
just trying to keep track of what we knew of the major steps to be. We would
assume that this survey would be brought forward to NCVHS at a time convenient
and a recommendation created by NCVHS to HHS and then according to the process
we’re under right now, the NPRM published. So you can see four of those
boxes are left open because they have not been executed yet. Does that make
sense before I go on through the chart? No. Okay.

MR. REYNOLDS: It does not make sense to me. We are getting a
recommendation, we had tried to set up testimony to explain the 005010 to us
and talk through it and that was told. I guess I am struggling as the chair a
little bit that we couldn’t get the presentation on what 005010 was but we
are getting recommendations that say do the 005010 and so I guess our next step
is when will the industry be able to come in and talk to us about—in other
words, there is a recommendation on the table and these recommendations if you
read this long, lengthy wording here, that is pretty detailed.

MS. GILBERTSON: From what I understand, there was a lot of miscommunication
about what—The DSMO hadn’t even brought their recommendation forward
yet, so the DSMO would not present on the X12 005010 or on the NCPDP standards.
There was some kind of miscommunication of what was supposed to be prepared for
the committee, what kind of detail and no one wanted to read the 005010 guides
so they were not quite sure what it was being requested to prepare. One of the
recommendations is that the SDOs and the industry come back for testimony to
actually discuss the use of the new guides and their interpretation.

MR. REYNOLDS: The recommendation part of this document?

MS. GILBERTSON: Yes. All right. So as you travel down the rows, these are
the different guides that have been requested to come forward. The next change
request is for the X12 837 institutional and professional and dental. You can
see by the checkmarks, they are in various degrees. All of these are actually
in the same mode of having a survey executed by WEDI. The request is being
brought forward.

The 276/277 which is the claim status request and

response is change request 1051. The survey has been created, but at this
point it has not been executed.

Page two, the 278, which is the request to review, and the response. We
brought forward that. A survey has not been created from what I understand,
yet.

Number 1054 is the 837 request, which is the benefit enrollment and
maintenance.

Number 1055, switching gears, is a request to move the NCPDP 5.1 standard
forward to the D.0 and its batch standard to go with it. The update on 1055
under the “Completed DSMO Process” that has now been completed. We
just finished last week or the week before. So that has been done and the
recommendation is being brought forward to NCVHS.

Number 1057 on page 3 is a new standard brought forward. This is one of
our—we get to walk through the new process rather than a modification do
existing. I am not so sure we want to be the guinea pig, but we will try it.
This is for a Medicaid subrogation standard implantation guide. This also,
under the column “Completed DSMO Process” this was completed last
month as well, in April. That has a checkmark. I am sorry?

MR. BLAIR: Lynne, did you say that this is a new standard or that it is a
new guide for the standard? I just want to make sure I understand.

MS. GILBERTSON: Well, it is a new—It is new to be named under HIPAA.

MR. BLAIR: It is a new transaction? It is a new transaction standard?

MS. GILBERTSON: New to HIPAA, yes.

MR. REYNOLDS: It is version 3.0, so it is not new, but it is new to HIPAA.

MS. GILBERTSON: Correct. I am not hesitating because I do not want to be
confusing.

MR. FITZMAURICE: Lynne, is this the transaction between, let us say the
Medicaid state payer and a third party that Medicaid is chasing to get paid
something that that other third party was supposed to be covering?

MS. GILBERTSON: Yes. That is correct. It is the pay and chaser. The payer
of last resort. Yes. Okay. On 1060 005010 guide of the 820 for payroll deducted
in other group premium payment.

Number 1062 is the 005010 270/271 for health care eligibility benefit
inquiry and response. These last two have just come forwards, so we wanted to
give you that as a status. The DSMO will adjudicate 1060 in June and 1062 in
July. They are not being brought forward as recommendations at this point
because they’re not done yet.

If you turn to page 4, these are the requests from the DSMO. Change
requests checked “DSMO requests brought to NCVHS” in those columns
are ready to move through NCVHS and HHS to adoption for X12 and NCPDP TR3s or
imp guides, whichever they refer to them as. The request is based on the Change
Request Recommendation. This request is not based on the release of a survey or
as a result of a survey nor industry rollout as these are outside the DSMO
role.

We recommend hearings to determine how the industry prepares and recommends
adoption of next versions. For example, do they want a bundled rollout approach
verses all transactions implemented on the same date?

We recommend if WEDI is still willing to provide survey information and
industry perspective to NCVHS as we have discussed in the past.

We request the SDO streamlining process begin immediately, and we request
the modification rule be immediately published with outstanding items.

Those are some of our status list of things that we would like to request
be completed. That is all. I realize there are lots of things to think about in
here, but we wanted to provide you with status so that we could then move
forward for the rest of the year.

MR. REYNOLDS: Okay a streamlining the process going forward. One of the
reasons we had set up a discussion on 005010 today was to get us up to speed on
005010 because there is one thing about checking a column here that you are
bringing it to us, but us being in context as to what it is—in other
words, the first hearing, in my opinion we’re going to have after this. If
our goal was to streamline a process is to get all of us up to speed on the 845
or number of changes. What is this really doing to what is already going on out
there? Then your recommendation which is to talk about how the industry
prepares, so once we come up to speed again on 005010, then I think we can
start hearing from the industry, how to do it, what to do, and so on is at
least key to me because these things are—you just said, a 0.0. Good. To
us, we are still back on so if you had a claims transaction, what is this new
version going to do to it, and what does that mean to everyone. Then, when you
start talking about implementation which is what you recommend here under 2, we
would be in a much better position to begin to make recommendations going
forward to HHS with or without a survey or with or without anything. So,
that’s our goal. I guess since we talked about the SDO process, I would
like to make sure that for this committee, especially with the details of these
things that we have concurrently with everything else going on, we have a
warm-up period to learn the subject again. Although we hear that 005010 is a
number that has been out there, but now the reality of 005010 is what we have
to at least have a sense of before I think we start out. That will be a good
way to keep the process going faster.

MS. GILBERTSON: I would request that not only the 005010 but
perhaps—what the committee would like to hear, I mean, you do not want a
50 page change log of what on between NCPDP 5.1 and D.0 or 004010 and 0005010.
So what is it that the organizations can provide to the committee that would be
helpful at a high enough level and invitation to those organizations to come to
a future session.

MR. REYNOLDS: Well minimally an executive level type discussion about what
is the difference between a claim in 004010 and a claim in 005010 and what that
might effect people or the same thing with—because again there is 845
changes. Are they minimal? Are they—which ones are the biggest? Which ones
make the most impact? What might they do to the industry? In other words, help
us understand how we can start building a structure and an understanding to
recommend to the secretary and others what we need to do with what we have, and
then we can take your specific recommendation and say yes. That is what I would
like to make sure we do.

MS. Trudel: Would it be possible to use some of our planning time tomorrow
to craft a plan for moving forward or how we would want to hear and to look and
how we would want these presentations to look and at what level we would need
them at, and then staff can after that go back and liaison with the DSMOs and
standards script and WEDI and try to pull that information together so that we
have a plan and a timeframe.

MR. REYNOLDS: Yes, I would very much like that because we are pretty action
oriented committee and Lynne already put the check in our box. So back to
Michael’s earlier point. Those checks gave us a backlog, Michael as far as
what we have to do, and that is why we try to jump ahead of it, but now we will
catch up as quickly as possible.

DR. COHN: Actually Karen stole some of my thunder, which was obviously a
plan. I did want to just observe that obviously there is a conversation about
the 005010. This is more than the 005010, and if I were Lynne, I might observe
that are pharmacist who consider the NCPDP changes to be every bit as important
and probably more important than the 005010 so we need to be—I mean, part
of the question is all together or somehow self-belonged. We really are looking
at a major upgrade sort of throughout the stand of all of the standards at this
point. At least that is what is coming forward from the DSMOs. That is correct.

MR. REYNOLDS: I am sorry. I was not excluding that. I was just using one as
an example. Thank you.

MS. GILBERTSON: The actual requests for the executive summary of changes
from the SDOs can provide that level of detail. The DSMO recognized—I
mean, we are only one step in the process of the change request has come
forward, we are following the process of the due diligence and then the
recommendation, but industry surveys, industry readiness, industry input, even
things related to recommendations that came in from HIPAA one of let’s not
do this again in the future kind of recommendations need to be looked at and
determined what is the industry if the industry can have at least a voice,
maybe two or three voices? What is it they want going forward? The SDOs have
completed the work, and the membership have made the recommendations to bring
the standards forward, but now we need industry involvement.

MR. REYNOLDS: We are more than prepared to—We understand who we need
to talk to. We need to learn first. In the future, if there is any uncertainty
on items, I would appreciate one of the chairs, co-chairs being contacted if
necessary to do that. Jeffery you had a comment?

MR. BLAIR: Lynne you have testified to us frequently. You have prepared
packages and educated us many times before and you have been very helpful. You
really understand your needs really well, and this seems to be an array of
updates and some new standards that I am wondering is there anything that we
need to understand in terms of crafting about how we learn about this that is
different than the others and the other times where we have gone through this
process?

MS. GILBERTSON: One of my favorite expressions is “the wisdom of
Solomon and the patience of Job” because the standards are prepared,
changes come forward, business needs are beginning to be met because people can
see here is how I do it in the new standard, but now we have the implementation
questions and how to get a voice or two from the industry from what makes sense
to move forward and do you make the same mistakes if they were mistakes in
HIPAA 1 as you do in HIPAA 2 because that is the way it is just going to
proceed. You cannot make everybody happy. Implementing, if you stagger, rollout
some people are not going to be happy. If you throw it all on one date, some
people are not going to be happy. That’s the part I am not real sure what
the industry, if there is such thing, has a voice as what they want. Everybody
wants change and nobody wants to change. So, how do you find that out from
testimony as what are things that were actually not done as well as they could
have in the first round of HIPAA that we can fix, and what are things that we
just have to stop grumbling and move forward kind of action. So that is
something that is going to be interesting to sort of tease out of testimony,
and it may be by asking direct questions, asking people to submit responses
ahead of time that you can look at, definitely working with WEDI and what they
are trying to do with outreach to the industry and get these surveys. One of
the things we are struggling with too now is you do a survey now in 2007 and
one of the questions is: when can we start implementing these transactions?

In the pharmacy industry we have a lot of “changes” because of
Medicare part D.

MR. BLAIR: Harry had made the suggestion that we probably need an executive
overview and I—let me echo that because there is so many aspects of this.
I think we are a little bit overwhelmed by trying to figure out how to put
together in order to figure out the most efficient way to receive the proper
testimony. I think that Simon and Karen had suggested that we take the plan in
meeting to sort this out.

MR. REYNOLDS: We will touch more on this tomorrow. We are running a little
bit behind, I would like to thank both of you for what you submitted and we
will talk about this again, obviously, tomorrow. We will take a 15-minute break
and start back at eleven o’clock. Thank you.

[The meeting has adjourned for a break.]

Agenda Item: e-Prescribing Pilots Report

MR. REYNOLDS: Okay, we have got a group of presenters and we need to
move somebody over to the other side of the table. We will go with one person
per chair. The subject is our e-Prescribing Pilots Report. Do you want to just
go in the order that you are listed on the agenda, or is there some prescribed
order? We will leave the five of you to do the prescribed order. How’s
that?

DR. WHITE: That sounds perfect. Let me introduce myself to the group. My
name is Jon White. We are here today to discuss the MMA mandated electronic
prescribing standards pilots projects and evaluation and subsequent report to
congress. We have quite a group assembled here to talk to you about that today.
What arrived, the past two years have been amazing. We are—today is
Mayday, but most appropriate because literally its two years to the day when we
got a call from CMS saying, hey so can we talk to you about the pilot projects,
and talking turned into doing. It has been a—for what we at AHRQ are used
to as far as research and development, a fairly rapid cycle. I think there have
been in addition to the subject specific discussion, I think there is a
wonderful discussion to be had about some of the pros and cons of he process
that happened. So I am looking forward to having a discussion with you about
that today.

What you are going to hear from our powatears and our evaluators, I want
you to hear knowing that I feel pride tempered with humility. A lot of folks
have invested a lot of blood, sweat, tears, and hair follicles into what we
have done here. I think that there is a lot of work to be proud of, and I think
there is a lot more work yet ahead of us. I am looking forward to a fairly
robust discussion of that.

As the group that started a lot of this work, and congress notwithstanding,
I really invite your reflections, and I know we only have an hour to discuss
this. We will try to do this relatively rapidly, but I am really hoping to get
some thoughtful reflections from you all kind of end to end views of this
process, and what you think worked well and what you didn’t and what you
might recommend for the future. There are so many people to thank today. I am
not going to be able to actually get to everybody, but what I would like to do
is this: if in some way you are involved with these projects, I would like you
to stand here in the room. In essence, there are about five you that did not
stand.

MR. REYNOLDS: Some of us are tired.

DR. WHITE: The point is that there are an extraordinary spectrum of
individuals, institutions, stake holders that were represented through these
processes. I am not going to go painfully into detail about that now, but it
just represents a fairly broad swath of work so I want to thank everybody that
has been involved with that.

Who you are going to hear today does not represent the entirety of the
piloters. There was simply not enough time to do that. In woo of that, we have
selected Doug Bell who is going to present to you first. Doug was selected
because although all the pilots focused on the standards. We kind of
unanimously felt that the RAN project really did the best job of focusing on
the standards and is one sample but you will hear more about the group’s
discussion of the standards. Next, you will hear from Mike Bordelon and Shelly
Grace who are involved with what we kind of refer to as the long-term care
project. They were different than everybody else but had some real significant
findings related to electronic prescribing and particularly in the long-term
care setting, which I think are quite exciting. Representing the entire
evaluation team from the national resource center is Chelle Wooley. She is here
and is a shining example of what represents many different individuals who are
involved with this. Finally, I will take the floor for a brief period of time
and give you what I think are some observations related to what I think I have
seem come out of the work, and then we would invite your reflections back on
that. Before everybody starts, I just want to make it absolutely clear that
CMS, although I am standing here talking to you as the prime
instigator—no, our absolute partner funder soul mates in this and we are
grateful for everybody’s efforts at CMS to make this move forward. There
was significant mountain moving to make this happen. I have enjoyed every step
of the way. With that, I will turn you over to the very capable Dr. Bell.

DR. BELL: I would like to thank the committee for inviting me here, and
Jon, very much. What I wanted to do is just to go through each of the six
initial standards that we were charged with evaluating and show you some of the
results that I think would provide some depth to what is in the report that you
already have from Secretary Leavitt. I think if you look at that report, there
is one or two paragraphs of analysis on each standard that is really a great
distillation. I have a tremendous amount of information. I would commend the
report to you and commend the secretaries and the secretary’s office and
Newark for distilling a tremendous amount if information.

With that, I am just going to skate through. I have 20 slides here. I am
going to go kind of fast in the interest of time. First, just show you really
quickly our coalition, and I can really only speak in detail to our own
results. The New Jersey e-Prescribing Action Coalition is a group we put
together for purposes of this pilot study that involved Horizon Blue Cross and
Blue Shield and Care Mark among health plans and payers. We had the
e-Prescribing vendors iScribe in all SCRIPT. We had both RxHub and SureScripts
involved and then for the evaluation, ran the consulting firm point-of-care
partners and UMDNJ. The physician participants were all participating in a
preexisting e-Prescribing program that Horizon Blue Cross Blue Shield had
started that actually installed, paid for installation and also paid an
honorarium for physicians to use it. They had targeted 1,000 physicians. I just
also wanted to mention to our conceptual model, and just to keep in mind
thinking about how an information standard, which is a very low level thing can
project effects on health care outcomes ultimately, but it is important to
think about the steps by which that could happen. The structure of the standard
has to some how change the information that is displayed in the encounter. That
has to change work process and then it is only that in turn the changes
outcomes.

This slide shows each of the six standards and the methods, which we use to
evaluate these. I am not going to go through all of these different methods. We
tried to tailor the evaluation of each standard for its level of current
adoption. I just bolded a few of the things that I want to show you today. For
the two standards that are really commonly in use already within our coalition,
which is the medication history. I want to focus today on the expert panel
results and claims data analysis and results from our web survey of physicians.
For the Fill Status notification standard, that was not in use. We conducted
focus groups among prescribers to look at how they would use the information
that they get through fill status in a way that would be different than what
they do—what the currently have available for medication history. I will
also show you some extra panel results. For Prior Authorization, we built a
working prototype of a Prior Authorization system for Horizon Drugs and I am
going to focus especially on this sort of information level results that we
have looking at the HL7 claims attachment, which is really the heart of where
the clinical information is carried in the proposed Prior Authorization
standards. I will look at how that compared with the forms that we had to deal
with for Horizon. Then, we will talk about Rx Norm and the lab mapping analysis
that we did and then the lab analysis that we did of the structured and
codified SIG standard. So those are the six standards.

Diving right in: Medication history—

DR. OVERHAGE: Before you launch too far into it, one thing I hope that you
comment on as you go forward is when you have expert panel review, one of the
things we find in these standards are that the content turns out to be much
more of a barrier than the structure. One of the challenges with expert panel
review is that you are sort of looking at a “idealized” case in terms
of content. I hope you will be able to comment as you go through on the
limitations that you might have encountered in the evaluation in the situations
where you had to rely on expert panel.

DR. WHITE: Doug has about five or six minutes left to present. That might
be something that we would want him to comment more in the question answer
period, but he might not necessarily want to take to much time during his
presentation.

DR. BELL: Yes, Mark, I am sorry you do not have my slides actually. I will
try to get those to you as soon as possible. The expert panel very much talked
about the content, and not just the structure. We thought that the content and
the current functioning of the system really is not even just the standard and
the content, it is how well the system is linked up and functioning. That was
all discussed by members of the panel. I do not have a slide about who is on
the panel, but we had thirteen organizations that represented different points
in the transactions so point of care vendors, the backend PBMs and the switches
are Sub and SureScripts that we are passing information. So, we considered the
organization to e the unit of participation on the panel so it wasn’t
individual people. So just really quickly, highlighting a few of the issues for
medication history that the expert panel brought up. There were technical
problems that hindered its—especially that hindered reconciliation of
medication history data that the pox are pulling in with the existing
prescriptions. The key thing for being able to use medication history is that
the downloaded data from the PBM for instance has to be reconciled with the
prescriptions that have been generated out of the system. That is a difficult
process because many of the fields in the standard are optional. They are often
left empty in the medication history. So, things like the prescriber ID, the
SIG, the quantity dispense, the pharmacy that dispensed it- we are often left
empty, and this added to the challenge. Also, NDC Codes were pure drug
identifiers and often the NDC Code could not be mapped to the internal code
that the POX used because of the noise and the—you may be familiar with
it, it exists in NDC Codes. Also, patient IDs had to be retrieved from the
270-271 eligibility transaction, and that transaction often fails because
people just are not in RxHubs master patient index, although that is growing.
The net result was that some vendors have given up on trying to reconcile
medication history with their internal data, and that means they really drive
alerts only from their internal data and they are not using medication history
in the way that it could be. All panelists enthusiastically supported Rx Norm
as an important improvement on NDC Codes for medication history.

We also conducted a prescriber survey of 411 physicians. In the end the
respondents were 139 e-Prescribers and 89 non-E-prescribers who we recruited
from the waiting list, but they had not yet turned on e-Prescribing. Just a few
results, we asked them to rate the information that they have about medication
history, and I am just showing you the percent that agree or strongly agree to
the following to the following statements. They said the information I have
about medication history enables identifying clinically important drug
interactions. E-prescribers did agree to that more. 83% said that medication
history helps versus 67%. 68% said it prevents callbacks for safety problems
versus 54%. Of course these people, for the non-E-prescribers, the information
they have is just whatever is in their chart. So, we wanted to set up a
comparison that way. So, there was a statistically significant difference
there, but there is no difference in identifying medications from other
physicians, which is really what you would expect medication history to really
help with. Actually, if you go on to the other finding I have up here, only 37%
of the E-prescribers said that they were familiar with how to get out the
medication history data in their system. Often, this feature to review the
medication history that was downloaded from the PBM was buried to some extent
inside the system, and only 37% of people said that they were familiar with how
to get that information, and then only 16% of those said that they used it
often or very often. Only 39% of those said that the data is complete for most
patients. They also didn’t think—Those who did know how to get to it
thought it wasn’t complete.

We think what is going on in these other questions is that people see the
medication history that they have prescribed and they do not really distinguish
that very well with the downloaded medication history. So at least the
medication history that they have prescribed, they do see as providing some
benefits. So that is the prescriber survey. Three minutes? Okay. I will just
really have to go very fast.

We found technical issues with the Formulary and Benefit standard from the
expert panel as well. Again, NDC Codes were an issue. Plan identifiers were an
issue, and a big issue was the plan level coverage was not the same as group or
patient level coverage so for Horizon, they only publish one formulary through
formulary benefit standard, but actually there are a hundred or variations on
that for different groups within Horizon. Another issue is that the different
compliments are used to different extents. The formulary status list is used
very widely, and I am showing you the number of downloads per month that are
sub-serves. The alternatives list the coverage limitations and what I think is
one of the most important is the co-pay list which will give you the most
specific information that the physician aught to have is rarely used.

I am going to skip this except for to say that in the prescriber survey, we
really didn’t see that they had any perceived effect of the Formulary and
Benefit standard. This information was not giving them—they didn’t
perceive that it was saving them time or reducing callbacks. When they
rated—for among the e-prescribers we asked them, how much does the drug
coverage information help you in these different ways? In general, there was a
lot of neutrality and some degree of disagreement about whether it helps manage
patient’s costs, reduce the need to change prescriptions, reduces calls,
saves time, etc.

One other thing, for Formulary and Benefit is we did analyze claims to see
whether there appeared to be any shift toward more generic drug use or toward
more on formulary versus off formulary drug use, and we have about three
million prescription claims from E-prescribers and controls, which are
basically all of the non-E-prescribers who are Horizon providers with not the
same inclusion criteria. I am not going to go through this in any detail except
for to say that we focused in particular on new ace inhibitors starts to look
for generic—whether e-Prescribing had influenced generic use. Throughout
the period we were looking from 2003 to 2006. There were generic and brand
options available in the ace inhibitor category.

We found that if you looked from pre to post activation among high users of
the e-Prescribing system, there was a jump in their generic drug use for new
ace inhibitors with an odds ratio of 2.3, but that only applied to 20% of
prescribers who were in this high use category. For those who are medium users
or low users, which we defined as up to 50 electronic prescriptions per month
for Horizon patients. There was not a significant jump, although there was a
strong overall secular trend toward greater generic use. I guess I am seeing
some frowns, but I have very little time left so I will—

MR. REYNOLDS: We are willing to spend a little more time with you. This is
a big deal. You have done a lot of great work. If there are things you need,
please point them out as we go along, but we would really like to hear from
you.

DR. COHN: A real quick question based on your stratification there. We are
all trying how 50 users a month is a high user, and a medium user can be
categorized as 12 to 50, which seems to me to be a low user. I just wondered.

DR. BELL: It is a fairly low user, but unfortunately we didn’t have,
and we are actually trying to still get better data on this. All we had was the
absolute count of electronic prescriptions per month. We didn’t have the
ideal—at least on a month by month basis of the total number of claims so
we are going back to look at that. It has been difficult even in their own
analyses Horizon and Caremark to link an E-prescription from the system to a
claim, and so they have been hesitant to report out what the percentage is. We
have figured out ways of doing that, but basically the people in this group
were almost all above 20% it looks like in the greater than 50 group. Almost
all but 20% of their prescriptions being written electronically, which is still
not a very high number. That means that probably 80% of the physicians were
writing south of 30% of their prescriptions anyways through the system. The
bottom line is there is a lot of paper prescribing still continuing and some
people install the system and never use it at all. There is a pretty good
proportion of that within the users that we have.

DR. WARREN: Yes, implicitly the e-Prescribing physicians, a lot of them
still used paper even when they were in this trial?

DR. BELL: Correct.

DR. WARREN: You do not know what percentage or why they chose to
E-prescribe and why they chose to do paper?

DR. BELL: We have some survey results on that actually. It’s a great
segue because we did ask them. I think they did significantly over-reported if
you look at the actual data versus what they said in the survey, but here is
what they said in the survey. We asked, to what extent do you use the
prescribing system? We gave them three options. These are the two participating
vendors. They said—so iScribe users, 48% said I use the system to write
all of my prescriptions except for schedule 2 which they cannot. 40% said I use
the system to write some prescription, and 12% said I no longer use the system.
For AllScripts it was actually a little bit shifted toward some use. The
AllScripts group was quite a bit smaller. When we asked in followup, does your
staff use—because we found the pattern in our site visits that the
physicians sometimes the physicians stopped using it but the staff would still
use the system to transmit prescriptions, which of course circumvent some of
the alerting. Nobody admitted to having their staff use the system. Some of the
nonusers did. We asked them why do they continue using paper prescriptions and
here were the ratings they gave to each of these possible reasons. This is just
the percentage. Patients not being in the PDA, cannot use the PDA because of
technical problems, I get too busy were the top reasons. Pharmacies do not
reliably receive and process the prescriptions, system interfered with my
established office work flow- there was some agreement to that, the system
takes too much of my time, the system takes too much of my staff’s time
was actually less of a deal. We had more questions than that, but these are
probably the key ones. That is all I was going to say about formulary benefit
medication history.

On Fill Status, our expert panel brought up several issues. I guess this is
just a technical issue that I put up here. The script reference number is
really important to being able to reconcile again the data that you would pull
in. This is data on a specific prescription that comes back. There aught to be
a script reference number so you can reference that data back to the original
prescription. Sometimes it is an optional field. For the few that had tried
this, that was an issue that it comes back missing sometimes. The bigger issue
was that there was no marketplace demand. People said things that even if a
physician wants it, who is going to pay for it? The burden of handling a
patient opt-in or opt-out could be significant. It seemed like that would be an
important thing for patients to say, no I do not want data to come back on
whether the medication is filled or not, but one panelist said the process of
setting up and maintaining the opt-in and opt-out indicator would be
significant. Numerous interfacing systems would need to change. Another
panelist did say that something could be designed for it, and I think that
having a patient opt-in or opt-out of this is probably something on which we
should do more research. Another issue thought that the panelists raised is
that if you have this opt-in or opt-out, you may not be able to rely on getting
either a dispensed message or a not dispensed message. As you may know, the
Fill Status has each of those options so the idea would be that after a certain
amount of time is elapsed when you sent a prescription, you would get back a
not dispensed message if it had never been filled. One panelist said if
patients are opting in or opting out, then if the physician does not get a fill
response, what does that physician know? Well maybe the patient opted out. They
cannot really determine that it was filled, and they cannot determine
wasn’t filled. There are some logistical and logical problems with Fill
Status.

Now in the focus groups we did with providers, these were all AllScripts
users and we presented storyboard prototypes that showed them what could be
done with Fill Status that they couldn’t do with medication history in
terms of adherence alerting. So basically alerting when a patient hasn’t
picked something up or there may be an adherence problem. The providers had
some significant concerns. Basically, these alerts imply the need for some kind
of telephone followup because you would be getting them back in real time after
some amount of time it elapsed, and this implied that there would be some new
and probably unpaid work for physicians and staff in doing what these adherence
problems as they crop up. They were also concerned—some of them were
concerned about medical legal liability that could occur for nonadherence. So,
if the patient had a heart attack and they were not taking their medications
there would potentially be evidence in the chart or evidence that a transaction
had been sent back telling the doctor that there had been nonadherence and they
would be in trouble. There were possible mitigating factors that could make
Fill Status work better. If the prescriber could control which medications are
alerted and how long we need to elapse, that was something that might help if
it could be a small subset of really important medications. If those alerts
could be delivered during an actual followup visit then there would be a
mechanism where a telephone call wouldn’t actually be required. That might
be more acceptable. Of course, if you do wait for a followup visit medication
history might be able to substitute for Fill Status transactions because the
medication history is typically downloaded right before a patient’s
scheduled visit, so you might be able to do some of the same information with
that other transaction. That’s what we had on Fill Status.

Jus to move right along, Prior Authorization. In our surveys and site
visits, we found a strong demand for electronic Prior Authorization and the
processed improvements that could potentially come. 91% of surveys of physician
surveys agreed or strongly agreed that the PA process is frustrating for them
and for their patients. People said things like I hate Prior Authorization
because of the time they take. Interesting that they also admitted readily that
they stretched the truth in order to get Prior Authorization. They said things
would basically have to say what the insurance people want to hear, and another
person said I frequently lie, yell, or scream to get the drugs authorized. But
when we looked at the data elements that had sort of been prescribed in the HL7
PA attachment and compared that with the data that we needed to collect to
accomplish Prior Authorization for Horizon, there was very little
correspondence. I will not go into any detail on that, but even most of the
drugs, I believe only 2 out of the 7 drugs that HL7 had worked out PA data
elements for had required Horizon Prior Authorization and Horizon of course
required Prior Authorization for many drugs that the HL7 had not anticipated,
so there is very little overlap even at that level. Then even when you looked
within those drugs or the data elements, there was not a lot of correspondence.
One of the points I wanted to make though was that Horizon and Caremark were
very interested in the wording of the PA questions and that really, to my mind,
means the wording of how you collect questions from a physician anyway
influences the meaning of the data, but HL7’s approach was that they were
not prescribing the wording of the questions, that they were collecting these
sort of abstract data elements and it was up to the vendors to decide how they
wanted to word questions to collect those data elements, so that was a mismatch
right there. There are also some issues with ICD9 codes being inadequate. We
did develop a working prototype module both within AllScripts and iScribe and
we did role that out. There were eight to ten weeks for physicians to use it
and there was very little use, which we had talked more about. We have very
little evidence from actual use.

Moving on to Rx Norm. We did a lab study where First DataBank, Medisven,
and us each independently took a large sample of prescriptions and new
prescriptions and renewals and try to map them to Rx Norm SCDs. There should be
one SCD for each drug concept, one Symantec clinical drug. That is the idea of
Rx Norm really is to have one unique identifier for each clinical drug concept
that you would prescribe. So here is how it turns out. We look for how many
prescriptions will have no match. Basically, we exclude device prescriptions
because that is explicitly outside the scope of Rx Norm. We had 9,700
non-device new prescriptions and 10,000 non-device renewal requests, and out of
those only 1.5% of the news and 0.5% of the renewal requests had no matching
SCD that any of the three independent matches could find, basically. Most
actually had an SCD found by three out of three matching attempts. 91-97%
basically had three out of three matches found. So Rx Norm was relatively
complete although not absolutely complete. If you looked at what was missing
from Rx Norm, 93% of the drug concepts that we are missing from Rx Norm were
multivitamins, bowel preps, or drugs packaged in a drug delivery device. I will
just mention that this drug delivery device thing is being include now in Rx
Norm. We also looked at mismatches because it is important to have agreement of
course if independent companies were to use Rx Norm and we found basically a
mismatch rate around 5%. Around 5% of the time, when you took the same
prescription two different companies got two different SCDs basically. We try
to drill them. What are the root causes of that? Basically 20% of the time,
there were two SCDs in Rx Norm. There were actually synonyms. It should have
been eliminated essentially because the idea in Rx Norm is that one concept
identifier. 20% of the time, those had already been identified, and at least
one of the vendors was using an outdated version of Rx Norm. There were another
30% where the synonymy had not yet been recognized when we went over it with
the National Library of Medicine. They flagged those right away and they are
putting in place a process for people to identify synonymy and bring it to
their attention. Then the rest of them were just outright errors in the mapping
from the NDC Code to the SCD where basically erroneous NDC Codes are still
floating around out there from previous versions. If you look at the NDC Codes
that different sources have and that the FDA has. They do not always match up.
There are errors out there. Rx Norm cannot really do anything about that. That
is what I have on Rx Norm.

Finally, structuring codified SIG. We took a sample of 43 SIGs that we
selected from 10,000 SIGs that we had. We selected these purposefully to try to
represent the breadth of what we need to be represented in the SIGS. SIGS have
this notion of repeats. So, out of the 42, only 15 had no repeats, and the
repeats make it much more complicated. So we drilled in on the SIGs that
didn’t have a repeat. A repeat would be if you have a prescription, say
for Zithromax that you say two pills today and then one pill a day—That
gets represented in a SIG standard is two separate repeats of the whole
sequence. We just drilled in on those that did not have more than one repeat.
There was very poor agreement among those 15. These are the 13 segments of the
SIG standard. Out of—We had 3 reviewers for each one, so if all 3 agreed
on a particular prescription’s SIG, the count is here. If 2 out of the 3
agreed it is here, and of none of the three agreed if they all three were
different it is here. Basically, for this repeating SIG is not applicable, so I
left that blank. For the dose segment, out of the 15 SIGs, only 3 of those SIGs
were represented in the same way by all 3 reviewers. Ten had only 2 reviewers
in agreement and two of those SIGS had no reviewers in agreement. You can kind
of just look down at the rest of these segments and see how little agreement
there was within each segment in the way that these 3 reviewers—these 3
reviewers were all people who had been involved, at least to some extent, in
the standard development although some more than others. One of the reviewers
we considered to be our gold standard reviewer and the other two were not the
gold standard. There was still very little agreement within any of these
segments on how it should be used. For the other 27, if you just looked at how
many repeats people use, there wasn’t even very much agreement on that. It
was from one to six iterations and it did very widely. That is all I will say
about SIG.

Just in conclusion very quickly, for medication history and for formulary
benefit, the standards are technically adequate. There are a lot of fields and
ways to use it that work, but in general they are falling short of their
promise because of the implementation primarily. For Fill Status there are
significant concerns raised, not so much with the technical side, but with the
value. It may have promise for focused uses for specific adherence programs for
instance. For Prior Authorization, more research is really needed on how to
represent the data that one needs to make a PA decision. For Rx Norm, here is a
strong need to have Rx Norm available, and it seems to hold significant promise
and there seems to be a path forward for NOM to complete it really and get that
last 1.5% done. For SIG, we found that it was difficult to use consistently and
our suggestion that somehow the standard be simplified. So that is it.

DR. WHITE: I am going to suggest two things. One, that we hold questions
till the end. Two, I want to ask Harry for a time check. It is eleven
forty-five.

MR. REYNOLDS: You have thirty minutes.

DR. WHITE: Thirty minutes. So we have two presentations remaining and then
questions for the group. I just want to observe, by the way, that synonymy is
illegal in most states except for New Jersey and Los Angeles. With that, we
will turn to our colleagues from the Long-Term Care project.

MR. BORDELON: As Shelley is bringing this up, a little quick introduction
for both of us. My name is Mike Bordelon. I was the original principal
investigator for this project. I left Achieve Health Care, which is the company
that we were doing the project through in October, but stayed involved with the
project and Shelley took over as the principal investigator. I think we are
officially co-pi’s or I am the co-pi and she is the pi or something like
that, but basically we collaborated together to get the project done. I know we
are short on time, but I want to do a quick note on just all the people that
made this happen. CMS, NCVHS, Evaluation contractors, the additional money we
got from the ASCP Foundation to study Prior Authorization. That was a huge biz
for the project. NCPDP and their continual drive and excellence around getting
these standards getting moved through the whole process.

A quick review of what happened last year. It was a real whirlwind for us.
You have to remember we started with nothing. There was no infrastructure in
place. There had never been a standard space to e-Prescribing implementation in
Long-Term Care before. We first of all had to figure out what the heck these
e-Prescribing standards were all about and then put together a study with
providers and pharmacies and vendors and everybody to get all this built and
studied in a pretty short period of time. I think the project was pretty
successful in validating the e-Prescribing standards with how well they work in
the LTC setting. Some of them are similar to Dr. Bell’s analysis worked
well. Some of them still have opportunities for improvement. We personally
believe that long-term care is a very important area of study for e-Prescribing
as a huge opportunity for savings in the health care industry by applying
Long-Term standards and the ability to study this in Long-Term Care last year
is a great way for us to be able to show the impact that this is going to have.

One other little comment here, we didn’t study all of the standards.
Last year, it was mostly time and financial constraints. We did study scripts,
Formulary Benefits, the Telecom Standard, Fill Status, Electronic Prior
Authorization, but we did not study medication history, Rx Norm or codified
SIG. The things that we did study, they were full implementations in the real
world environment with real users using them. We didn’t do any laboratory
tests. I think that was real testament to the bullheadedness of the team to
push the development work all the way out into the field, get it implemented so
that we could really study it in a live environment.

MS. GRACE: And one note I want to make, because of the time constraints, we
have actually provided you with a little bit more lengthy presentation that
contains some information, and what we put together is just a truncated version
because of time. The slides do not exactly match what you have on your paper.

MR. BORDELON: An important note about this project is that we, even before
we implemented we knew that some of the standards were not going to survive
through Long-Term Care, specifically SCRIPT 8.1 needed some work. At the time,
I was the task group leader for the Long-Term Care e-Prescribing group at NCPDP
and we pushed four new derfs through the process and those are all in varying
stages of the NCPDP process. Some are already to ballot and I think are getting
voted on this month. Some may take as long as out in August. By the end of the
summer, all four of the standards should be certified and in version 10.1 and
we should be in a position where we can say with 10.1 that all of the standards
are adequate for supporting the Long-Term Care e-Prescribing.

This is a slide I presented last year. This is kind of a famous slide now.
This is some work that was done at NCPDP, and it does show the complexity of
what we are faced into in Long-Term Care. But it also implies there is also
huge opportunity. One of the hardest things that we are faced into is the three
TEARS of communications. The physician working through the nursing home, then
communicating and coordinating to the pharmacy. That is a lot harder then just
a direct from physician to pharmacy interaction that you see in the ambulatory
space. It also is a—when you leverage electronic capabilities, you can get
much more streamline workflow and communication and reduce a lot of errors. We
actually have an order of magnitude more opportunity for problems. That was the
before picture, and this is what we actually implemented. As I said earlier, we
went all the way. Everything we implemented went out in the field and got
tested by real users and by real pharmacists, nurses—now important note is
that we didn’t have that big of a doctor adoption, but we did have every
script in the two facilities that we studied went through the electronic
prescribing process. It was either done by the nurses and agent, or by the
nurse practitioners in the facility. The Nurse Practitioners were doing true
e-Prescribing. We used Rx Hub as our switch. We connected back to Blue Cross
Blue Shield in Minnesota for the Formulary and Benefits but also to get Prior
Authorization. We implemented an unsolicited authorization model and all of
this fed right into the Long-Term Care Pharmacy System without any duplicate
entry. These were not faxes coming over and being retyped in. They came into
cues and the pharmacist processed some, and it will all stay electronic. We
also implemented an electronic—it really demonstrated an electronic refill
process. 80% of the scripts that are filled in Long-Term Care are from refills
of ongoing orders. We felt it was important to demonstrate that technology
could be used to facilitate that process in addition to the new cancel and
change scripts that go through the e-Prescribing process.

MS. GRACE: What we wanted to touch on briefly is really what were the
impacts of Electronic Prescribing. Again, as Mike pointed out, we did this in
an actual live facility with real residents. What we found is that in the
facilities that we tested, many nursing homes use some from of physician’s
orders. In many situations you will find that they are inputting some from of
medical records so they know what to dispense to the residents. We found that
because they were already used to inputting this type of information that it
was not as disruptive as we thought. However, there was a significant benefit
because in the past, they had never been presented with formulary or benefit
information. They also were not presented with patient safety information. We
found that being able to present that information up front, it did allow them
to change and make critical decisions much earlier in the prescribing process.
One of the things that we have found is that integration with the clinical
system was critical. The adoption is very dependant upon a facility being able
to use this in their workflow. In this case it was fully integrated. When you
start trying to impose a system that has to have data in two places, you have
reduced a lot of the proposed benefits to the facility. That was one real
critical finding. Because in the past, even though many facilities used
physician’s orders and med orders, they end up printing out the
prescription and faxing it to the pharmacy, and that is where you get that what
we call the spaghetti slide because there is so much re-work that has to be
done with the order getting to the pharmacy and not understanding it. All those
issues. So, by being able to present the information up front and
electronically transmitted, they did find that there was quite a significant
reduction in the re-work that had to happen with those orders once they
arrived.

Prescriber adoption is critical. Again, as Mike

pointed out, the advantage we have in Long-Term Care is that we do have the
nurses and agent model. However, the advantage of Formulary and Patient Safety
is much higher if you are actually presenting it to the prescriber. One of the
things that we keep touching on, we have been doing a number of subsequent
pilots is trying to get the prescribers to actually participate because we are
finding once they use the system, and they see the benefits, the adoption rate
goes up. It is getting over that hurdle of getting them to do that.

On the pharmacy side, the efficiencies were that not only did the med
information came over but the resident demographic information came over as
well. So, there was significant amount of information that came directly into
the pharmacy system. The pharmacists do not have to re-key all that information
and a lot of the Formulary and Benefit information is there as well. For new
orders, straight forward orders, discontinued orders, and readmissions that was
very beneficial to the pharmacy because we were able to communicate if a
resident was discontinuing orders. We could also communicate that they were
planning to be readmitted so they might put them on hold, but not discontinue
them completely. One point I want to make is Fill Status is something that may
not seem as advantageous in the ambulatory market, but in Long-Term Care it is
critical because often when a prescription gets to the pharmacy, the actual
dispense is different. Right now, the only way to get that back in the resident
record is manually to re-enter it. By using Fill Status for us, we were able to
populate the resident record with the change which the facility found very
beneficial. SO again, one of the key difference between the ambulatory market
and the Long-Term Care market.

Some of the challenges we found, as Dr. Bell alluded to, because we
didn’t test the codified SIG when you find combination orders which
represent multiple orders in a facility, but one order to the pharmacy because
they can only bill one time. We had to find work arounds. We are working on
some options for that right now, and some subsequent releases. It is still one
of the challenging pieces in the marketplace.

Transcription accuracy. Again, when you are using the nurses and agents, no
matter how that prescription is communicating to that nurse, when you are using
a prescriber, it is different, but with a nurse, you have to make sure that the
workflow has the check and balance system, so that what was put into the system
was what the prescriber meant. So, we have put some of those checks and
balances in by making sure that if it is non-prescriber that there is an
authorization step that has to happen to make sure that that med was exactly
what the prescriber intended.

Timely transmission on admission orders, this is more of a workflow issue.
In the facilities, when residents are admitted often there is a large group
that are admitted at the end of the day. Hospitals tend to check residents out
and they will all come in somewhere around the end of the day. They are so busy
getting the residents in that often times getting the med orders in the system
are not necessarily the first priority. So, working with the facilities to help
them understand how they can adjust workflow is a really critical piece. So the
pharmacy didn’t get those orders at too late in the end of their day. One
of the critical findings here is that there do need to be workflow changes and
we need to work with facility and pharmacy to make those changes.

I think that, just some real key points here. The nurses and agent, as we
said, it does work technically. However, the more we can push prescriber
adoption, the more safety that you are going to introduce into the system and
the more benefit you are going to get.

Leadership is absolutely critical both in a

facility and pharmacy side. People do not like to change. We all know that.
The more we have leadership from the top that said, yes, we are committed to
this. We want to do this, the more the adoption was successful.

Formulary and benefit standards worked very well in this setting and we did
prove, with some modifications, that these standards do work in Long-Term Care.

Prior Authorization is really critical if we are

going to get to an electronic health record because it is still one of the
biggest challenges because so many of the meds in Long-Term Care require
prior-op. Yet, there is a small set of data that most of the payers want. It is
just that we have to get them to agree on what that set is and how do we
transmit it in a way that makes it simpler.

What we see with prior-op is that the payers consensus and participation is
the greatest challenge in that there is going to be a significant amount of
leadership required from all sectors in order to move this forward. If we are
going to get to an EHR, it is something we are going to need to do.

Closing thoughts, I will give you a couple and then Mike will do the same.
The biggest challenge right now is making sure that we move forward on these
standards. As we speak, there are many non-standard projects that underway in
Long-Term Care because people are trying very hard to streamline this process.

MR. BORDELON: I think there is almost a myth in some ways that the industry
is not able to make investments in this kind of really high tech type of
capabilities, and LTC is making these investments. The big providers—if
you go out in the field and talk to the big providers and the big pharmacies,
they are all working on e-Mar systems, on electronic prescribing, all of these
things. What we all need to really be conscious about—there was a lot of
discussion about the timeframe it takes to get all of these things approved. In
the intercom, the risk is that people are out there building proprietary
solutions. There is going to be a reinvestment by the industry. Those
investments are happening right now. We can get them aligned. It is going to
save a lot of money and heartache over the long term.

MS. GRACE: Thanks, Mike. I agree. One of the other challenges with this
very proprietary movement is both of the facilities and pharmacies get very
confused about all of the competing solutions that are out there. So, the
challenges are then they do nothing because they are afraid to adopt anything
because they do not know whether it will be standard or not. If they are
investing in technology that will not move forward, so you will not see
adoption of this, and then you will not see the EHR come to fruition in the
timeframe we would like. You also will not see some of the safety advantages if
we can not get these standards in place.

Just a couple of other quick points. The advantage we have in Long-Term
Care is that you have a much small group of vendors, both on the facility side
and on the pharmacy side. As Mike pointed out, in this bullet point, there is
basically five key Long-Term Care pharmacy software providers. By having those
five agree to this standard, you have over 95% of the market. That is huge. It
is significantly different than the ambulatory market. The same is really true
on the front end. You have got, probably ten critical players in this market
place, and there is a lot of consolidation. So again, just adoption of basic
standards can really impact a lot of this market.

The last point I will make, and I will turn it again over to Mike, is that
these standards really move us a long way towards the electronic health record
and Long-Term Care. So, we cannot emphasize enough how important we think they
are.

MR. BORDELON: I feel like we are getting on a soap box a little bit, but we
have an opportunity so we are going to take it. E-Prescribing is a big part of
EHR. Long-Term Care is not in the CCHIT Certification Realm yet, but it needs
to move there quickly. It is just as important as any of the other sectors. Any
prescribing, I think, should be a key part of that whole certification process.
Again, as I mentioned earlier, time legislation is going to keep these
nonproprietary solutions from evolving. Prior Authorization needs to continue
to be an important focus for us here. That has a much opportunity to save money
as a lot of the other things and save lives. We need to keep focus there.

Back to what Shelley was saying, because there are so few vendors here,
some modest investment by the government whether that is the reimbursement or
pay for performance or some process will really help accelerate what really
should be a relatively modest investment for the return to Medicare and to the
industry in general. I think that, in my opinion, there should be a sense of
urgency about driving to that and helping accelerate some of these things as
soon as possible.

MS. WOOLEY: I want to thank you for inviting me to participate today. I
have had over a decade of involvement in health information exchange,
electronic health information exchange, it was really a privilege to be part of
this team, working with CMS and the opportunity to visit and observe what was
going on with each of the pilots. I don’t consider myself an evaluator. I
consider myself more of a reporter. The opportunity to see what was happening
at thee individual pilot sites first hand and then to be able to compare and
contrast across the five different pilot sites.

What I’m going to focus is not the standards part, which is what I
focused on in the reporting, nut of the, what we call the other outcomes.

Each of five grantees participating e-Prescribing Pilots were all expected
to test the six standard, initial standards as you have heard summarized, and
Doug you did a great job at that. They were giving vast flexibility and
latitude in testing what we call the other outcomes of e-Prescribing. Those are
things such as the Prescriber Uptake, Satisfaction, Workflow Changes, Impacts
on Callbacks between the Physicians, the pharmacies, and the PBMs. The use of
e-Prescribing functions including Medication History, Change in Fill Status,
Use of Unformulary or Generic Medications, and the Impact on Medication Errors.

The grantees had mostly completed their reporting of the standards part of
their evaluation, of their pilot tests. However, at the time of the writing of
our intern report, many of the grantees were still compiling and analyzing the
results of their other outcomes. The other outcome results and the
understanding the impact e-Prescribing has on areas outside of the standards
themselves are really critical and truly focusing on a culture of acceptance
and adoption by all stakeholders in this process. Like the lessons learned from
other demonstrations of Electronic Health Information Exchange in order to have
a sustainable environment for exchanging health information, putting the right
information in thee hands of the right individuals at the right time. It is
dependant on both the technological architecture and the adherence to the use
of common standards as well as the policies, the business rules, and the
culture of trust and collaboration between all of the different stake holders
that need to drive those technological design decisions.

Nearly achieving success in the agreement of which standards to use for
e-Prescribing is not going to necessarily move the information where it needs
to be. That is, enables better care for patients, improved efficiency for the
physician and the pharmacy. Without addressing the challenges that face the
various stakeholders in the process in terms of workflow changes, additional
requisite investments, establishment of trust and collaboration among the
various players, we have only solved half of the equation. I want to talk about
just two of the outcomes that impact physician adoption and long-term
sustainability of e-Prescribing.

The first is medication history. A key example is related to the
utilization of the features and functions enabled by the standards for
e-Prescribing and Dr. Bell did talk and show you some examples of the
implementation. Overall, the pilot’s findings demonstrated poor adoption
of dissfunctionality even though this transaction has been implemented by a
vast majority of the e-Prescribing technology vendors over the last several
years. The availability of patients’ medication history can enable
prescribers and pharmacists to prevent medication errors by checking for
duplication of existing drugs or therapeutic class and potential drug-drug
interactions. Three of the pilot sites specifically tracked how frequently
prescribers access medication history information via the e-Prescribing system
and overall data quality as ability and completeness of the standard. There was
agreement that medication history data errors are rare, but given the
flexibility as Dr. Bell mentioned, in naming important data elements as
optional in the data transaction specification, some key information may be
missing including prescriber’s identity, the SIG, the quantity dispensed,
and the name of the dispensing pharmacy.

Another contributor to the low-adoption rate is that each application uses
a different reference to identify this feature in the software. So, physicians
weren’t necessarily sure where that information, or how to access the
medication history, even though it was available within the application that
they were using. But for the physicians who were using e-Prescribing medication
history function prior to and during the pilot testing, they found this
information useful.

Some of the positive comments from physicians surveyed during the pilot
testing related to accessibility of the information, ability to view
medications across multiple prescribers, ability to track potential drug abuse
and doctor shopping, assistance with medical decision making, and the ability
to review a more comprehensive list with their patients. So, they use this as a
tool to engage in a more high quality dialogue with their patient around their
medication use.

Traditional inpatient CPO systems have shown that when prescribers have a
unified view of active prescriptions, there is a decrease in the overall number
of prescribed medications. Overall this is considered an improvement in the
quality of care as medications become more coordinated and drug-drug
interactions are less likely to occur.

This is also an infamous workflow model. The point I want to talk about
here is physician workflow. Our hope for e-Prescribing is that it would improve
workflow for both prescribers and pharmacists. Widespread adoption of
e-Prescribing is going to require that prescribers realize these improvements
in workflow or other proceed benefits of e-Prescribing are large enough to
counteract any negative impact on workflow. What we found in these pilot
evaluation is not only is it important to focus on the physician workflow, most
importantly it is also—we need to focus on the pharmacy workflow. It is
not enough a physician to be using electronic tools to send prescriptions
electronically to the pharmacy if the pharmacies are not ready and up and
running to accept those electronically.

Pharmacy workflow was impacted negatively in several pharmacy chains.
Despite current thinking, the vast majority of pharmacy chains, stores, and one
of the pilot areas did not carry out true e-Prescribing. In this case, the
pharmacies had the capability, but in reality reported that they generally
printed out the prescriptions they received electronically, subsequently, and
then re-entered them into their pharmacy system introducing yet another
potential error point. One of the most important findings of the pilots was the
high rate of surrogate based e-Prescribing. We talked about that earlier.
Engaging surrogates around e-Prescribing appeared to be a remarkably winning
strategy for driving practice option. If the surrogate based workflow makes
sense for a practice in the beginning of an implementation that it worked for a
specific reason intended to persist exhibiting a long-term sustainable change.

Implementation of e-Prescribing does have the potential to dramatically
change prescriber and pharmacy workflow also with positive impacts but some
negative consequences may occur as well. Additional long-term successful
adoption and acceptance of e-Prescribing is going to require a commitment to
upfront training and education of all key stake holders. I want to say that the
success of adoption of e-Prescribing is going to rely on the commitment or
training and education upfront of all the stake holders in the e-Prescribing
process.

Striving for a streamline end-to-end interoperable flow of information in
real time requires careful coordination, collaboration, and ongoing education
amongst these stakeholders. We are at a turning point yet not quite all the way
where we need to be. CMS continues to have a critical role to play to make sure
that we reach our final destination. The result will be better patient care,
improved efficiencies in both prescriber and pharmacy workflow, and the reduced
cost of healthcare delivery and healthier Americans. A set of goals I think are
worthy of pursuing. Thank you for your time.

DR. WHITE: I am going to talk for about two minutes. You just heard several
person years of work. Several thousand pages of results summarized for you in
about an hour’s period of time. It does not do justice to everything that
has been done. The results already speak for themselves. There are a couple of
key points that I want to probably reinforce that have already been made. Some
of the standards are deemed technically acceptable. Those standards that were
not deemed technically acceptable are still really critical to moving us
forward. You’ve heard that, I just wanted to put a bow on it, that those
standards must be moved forward if we are to achieve some of the promise that
we hope for. I think I would point out that there were some constraints placed
on us through the legislation and through some kind of key decisions about how
these had to be funded through cooperative agreements which are grants. I think
there were some benefits too that have left a lot of good work on the table,
and I think had constrained us. I think some of the folks here around the table
have suffered because of that. That is not terribly pleasing to me, but I think
that as we move forward, we all look at ways to address some of those issues. I
think that a really great infrastructure has been built. By that, this is a
real neat example of federal industry stakeholder collaboration. While not
perfect, they really majorly moved us forward in a way that I had not
necessarily seen before. I would love to see that continue. The final think I
would like to leave you with is that beneath this intimidating bureaucratic
exterior lurks the heart of a clinician and a family doctor, and while I really
like standards, I mean, standards are a means to an end and bring a quality of
care. I really remain committed to e-Prescribing as a means to move that
forward. I think there is a lot of work to address, and I’ll leave it at
that.

MR. REYNOLDS: Great job all of you. Jeff you have a question and then if
anybody has a necessary question.

MR. BLAIR: I’m just going to be as fast as I can. I am interested in
how we accelerate the adoption of Rx Norm. You indicated the pretty good shape,
even the mapping had only 1.5 percent that did not map. What are your
recommendations for what are our next steps with Rx Norm to accelerate
adoption?

DR. BELL: I think the National Library of Medicine is moving ahead with
addressing some of the shortcomings that were found, but I think the industry
really needs to be alerted to the value. When I talked about doing subsequent
studies with people in the industry, there is still a low level of awareness of
the value of Rx Norm and I think some more pilot studies of actual
implementation would help to demonstrate the benefits. For instance, even just
looking at a Formulary and Benefit, the Formulary and Benefits files as they
exist today are humongous and potentially using Rx Norm could drastically
reduce the size of those files, make them more manageable, and then hopefully
enable more detail to be distributed. That would potentially be a lab study
that could be done.

MR. BLAIR: Other than a pilots, are there any specific incentives
or—it sounded like the impediments in terms of completion of Rx Norm or
mapping. That is getting down to a very low level. That is not much of a
barrier anymore. I’m just wondering if there is anything you see in terms
of overcoming some other impediments. You said education and awareness. Is
there an incentive to accelerate that?

DR. BELL: That is a good question. The standards already have fields for Rx
Norm so the standards don’t actually have to be changed for Rx Norm to
start being used. It just would have to start getting used. There would need to
be enough critical mass within the industry. So how that would be incentives,
you would think that once the industry saw the advantages that it would just be
lower cost for them to use it, that maybe there wouldn’t some additional
insensitive or guard rails put up even.

DR. WHITE: I guess what I would say is that, given the pilots found Rx Norm
almost but not quite technically acceptable yet. I think that there aught to be
a clearer statement of what needs to be done to make it technically acceptable
based on what has happened in the pilots and then make that happen and then
propose it for adoption.

DR. BELL: I think demonstrating really how it would be used in a live
environment is probably necessary.

MR. REYNOLDS: Okay, Judy, you have a comment? Then Michael you have the
last question.

DR. WARREN: Based on this, one of the things that I am struck by is when
you start looking at the research on EHR failures. You come up with the same
three key pieces that were identified in these studies. There are areas that we
really don’t know much about and I would love to see more research. What
we did prove is the standards were a good start. There are only a couple of
places where they seemed to fail. What comes out key for this is no one really
looked at the human computer interface because people could not find things
within the applications so they did not know how to use them. Two, workflow has
got to be considered before you can integrate any kind of electronic
information management in clinical care, so we really need to look at, do we
just change the current paperwork flow or do we do something that is really
innovative and turn it around? Finally, it is the issue of training and
commitment. Having personally been involved in training and commitment, trying
to get people to those sessions and getting them there, all the stakeholders,
you will have other certain categories that only will come kicking and
screaming and some of them not even them, that we need to do some research
about how to get commitment and training to use these systems, or all the work
in developing standards—all of the work in evolving electronic systems,
the software innovations that we have made are really not going to get us
anywhere until we can handle those three issues. So, I would love to see some
grant things coming out of addressing those as kind of a followup to some of
this.

MR. REYNOLDS: Michael.

MR. FITZMAURICE: I have some of the same thoughts as Judy had. Two points.
One is that for Rx Norm, I would suggest that maybe Rx Norm is being used as a
rollup of the NDC Codes and maybe there needs to be an industry developed or
maybe in partnership with NLM, classification of Rx Norm to rule up so you can
order—show me the list of all beta-blockers, show me the list of all
ace-inhibitors. Those might be two suggestions.

My comment is—or my comment question is that we have seen a very good
framework, good collaboration, and a lot of good hypothesis that have been
developed but not enough sample size or time for collaboration to test those
hypotheses. I am talking about things other than just the standards themselves,
although the standards themselves need more time. Are there any plans to find
this pilot, or new pilot to show the efficiency, the quality of care, the
patient safety, and patient outcomes perhaps with federal partners. I’ll
address that to Jon but anybody else can answer it. Jon is probably the biggest
federal partner. I would also say that this framework and collaboration have
come up because a CMS approach to AHRQ and AHRQ contributed gladly of its
expertise. Without that partnership right up front, it would not have happened.
The two people I see, Jon and Karen here, have been remarkable at making this
happen.

DR. WHITE: Briefly, we had some pending funding opportunities and grants.
Applications have been received and are going to go through review and may
before the end of the fiscal year. We did not specifically ask for follow on
work to the e-Prescribing work because we did not know what was going to be
said at the time that we wrote the FOAs. There will probably be future
opportunities for us to design funding opportunities, but they will come for
fiscal year ’08 or later. Hopefully we will get some good work in under
what we have currently got. That is as far as I am going to go without
committing myself to future funding streams. Anybody else?

MS. TRUDEL: I am just going to grab the chance to thank AHRQ and everybody
who participated in the pilots and NRC and say that there really are three
things we need to do in the future. One is to push forward with potentially
proposed rule for additional standards. Two, is to work on the non-selected
standards and see what we can do sure up their shortcomings, and three is to
use what we learned in the pilots to start addressing some of the
implementation challenges in the part d environment. Some of those things we
can do internally to CMS. In other cases we would need to partner and we are
looking around to find all sources within HHS to start to address some of those
things whether it be working AHRQ, whether it be partnering with a QIOs, etc.

DR. CARR: I just wanted to make a brief observation. First, I want to
compliment the fantastic work. It is just tremendously exciting giant step. I
think, putting my physician hat on, as we look at electron health records, I
think one of the things that is striking is the clinical 15-minute with the
patient has now been compressed because physicians have new responsibilities of
things they have to do. These things might often be done at the end of the day
or work-arounds and sort of multitasking. But now the electronic interaction
forces them in the moment so I think that is something that we have to think
about. Also, doctors are giving work to nurses, nurses to doctors to
pharmacists. Everybody is giving somebody else a new job. All of which is
merging into the new environment, but I second what Judy was saying that we
have to pay attention to this, because when you hear about what is available,
but the resistance. We have got to make that user friendly so the doctor is not
losing his opportunity to talk to the patient.

MR. REYNOLDS: Michael, I would like to make one comment. You were asking
about adoption. I think there is a lot of other work being done around the
country on this and I think that as people are doing it in individual areas,
figuring better ways to group up so there is more adoption across a wider
spectrum. So if Medicaid is doing something in an area, then everybody else
gets involved, or if Medicare is doing it then payers get involved. I know we
are seeing that in our state. I think getting a ground swell because the second
and third and fourth person in—it is a whole lot cheaper for them to get
in than the first person that paid for the technology, the infrastructure, and
the implementation, and so those are things I think we need to take advantage
of other than just the pilots which you have done a marvelous job. But I think
playing off of that is going to make adoption happen a lot faster than just
waiting for a particular entity to come up forward with some money and say let
us make this go.

MR. FITZMAURICE: That is a good point. Maybe we should talk about that in
our planning retreat and bring some of those others in.

MR. REYNOLDS: No question about that.

MS. WOOLEY: I agree with you and I commend CMS for having a strong
requirement for physicians who are doing e-Prescribing to follow the standards.
My point would be that physicians are not going to do one thing for their
Medicare part d patients and do something else for their non-Medicare patients.
If we can train, get that commitment, educate physicians—it should not
impact workflow. It should not require additional work for the physician or
staff. It should actually expedite and create better relationships and better
opportunities to interact with their patients for providing high quality care.
If done right, it think that there is a win for all the stakeholders.

MR. REYNOLDS: Okay, we are going to break for lunch and be back at 1:30.
Prior to that, I think this group would definitely need a round of applause.
Thank you for what you did. All right, we will be back at 1:30, and we will try
to do the NPI in an hour and fifteen minutes since we are familiar with that
subject.

[The meeting has adjourned for lunch.]

A F T E R N O O N S E S S I O N

MR. REYNOLDS: Okay starting this afternoon, it is an update on NPI and a
discussion of the Contingency Guidance and we have Karen Trudel, by popular
demand, and Mike Ubl who will be representing WEDI. Karen, I understand you are
going first and then Mike if you would go ahead and introduce yourself once you
get prepared to make your statement. So, Karen?

Agenda Item: Update on NPI and Discussion of Contingency
Guidance

MS. TRUDEL: I do not actually have very much to communicate except to do a
brief update of the Contingency Planning guidance that has gone out. We did
release the general Contingency Guidance, and it applies to all covered
entities and shortly thereafter released Medicare’s Contingency Plan. We
had one free audio conference on the Contingency guidance in general where we
had over 7,000 locations register in advance. We will be doing, I believe next,
another audio conference on the Medicare Contingency Fee For Service plan
specifically. We are continuing to reach out to the industry directly, and in
partnership with WEDI and others to send out messages, we still do have just a
little over 2 million providers enumerated and are continuing to get lots of
questions about what the Contingency Guidance and the Medicare Contingency Plan
means. We are rolling out information as quickly as we can on our website and
have generally heard a lot of positive feedback that HHS did go ahead and
provide the ability for Contingency Planning and that really does give the
industry a fair amount of time to move ahead and do what they need to do.

MR. FITZMAURICE: I was very favorable when CMS went out with a First
Contingency Plan for transactions and code sets, and you had a measure
that—we have got 90% compliance, 95% compliance, 99% compliance. We think
that everybody should be able to do it now. Here is the end of our Contingency
Plan. Do you have a similar kind of metric whereby you can measure how close
you think the industry is to meeting the requirements of the National Provider
Identifier and being able to use it so that at some point, you say this measure
has gotten large enough, I think that we can chop off the legacy IDs and insist
just on the NPI.

MS. TRUDEL: CMS never did measure compliance in terms of the transactions
and code sets industry wide. We did that for our own Medicare for service line
of business and we will continue to do that for NPI, and that will be one of
the indicators that we will be looking at periodically as we said in the
guidance that we will be assessing that periodically to make a decision. First
of all, when to require that claims must have an NPI on them, and then whenever
the decision is appropriate to cease the Contingency Plan all together.

MR. REYNOLDS: I thought that the guidance I read pretty much had set a hard
stop for Medicare of May of ’08. In other words, it talked about a
transition from the old number to the old and new number and then the guidance
I was going through said as of May of ’08, it would have to be the NPI.

MS. TRUDEL: The Contingency Guidance in general puts that hard stop of May
’08. It does permit covered entities to cease part or all of their
contingency operations at any point earlier than that. One of the things we are
most interested in is providers obtaining their NPIs and being able to use
them. That will be one of the first things that we will be looking at.

MR. REYNOLDS: If somebody is a Medicare Contractor, they still could go all
the way to May of ’08 because that is what the guidance was, right?

MS. TRUDEL: The Medicare contractors, the decision to end the paper service
contingency would be made across the board for all Medicare contractors, not on
a contractor by contractor basis.

MR. REYNOLDS: Okay, Mike.

MR. UBL: Good afternoon everyone. I represent WEDI and I am going to try to
give you some contextual information on kind of what we have been doing and I
am going to also kind of give you some information about some surveys and some
work that we have done.

You should have a transcript of my testimony. I am going to kind of go
through this. I will probably make a couple comments along the way. We can open
up for questions at the end.

Chairpersons and members of the subcommittee, I am Mike Ubl. I am the
Director of eHealth and IT Strategy with Blue Cross Blue Shield of Minnesota
(the largest health plan in Minnesota). I also serve in the WEDI Board of
Directors. Also, part of my job at Blue Cross is all about HIPAA. I have been
involved with running the HIPAA flipper program office since 2000. I kind of
have been living through this journey, if you will, much like most of you I
suspect.

At the request of NCVHS, WEDI recently conducted its fourth National
Provider ID Readiness Assessment survey so we can report on industry readiness.
The survey was conducted between April 2nd and April
13th. I would like to thank you for the opportunity to present
testimony on behalf of WEDI concerning the findings from this survey. As a
point of reference, WEDI’s four NPI Readiness Assessment surveys were
conducted during the following periods. We have actually been very involved in
trying to monitor progress in the industry, over the last year in particular.
Our first major survey was administered in May of ’06. We followed that up
with one in October of ’06, one in January, and then most recently the one
now in April.

WEDI provided testimony to NCVHS on this topic back on January 24, 2007. At
that time, WEDI provided its assessment of NPI readiness across the industry
based upon the results from the second survey, which actually was conducted in
October. The information I want to share with you today will focus on the
progress made by the industry in just the past three months. So it is going to
be looking at the information from the third survey in January to the most
recent survey now in April.

Under the Summary of Survey Findings, I am pleased to say that we are
starting to see some progress and variety of areas while at the same time the
data continues to confirm that many within the industry will not be ready to
fully implement the use of NPIs by May 23rd of this year. From a
demographic perspective, there were fewer returned surveys in April, about 840
versus 1,100 in January. Most of the decrease actually was centered in the
healthcare providers area. We saw some increases in the health plan and
clearinghouse respondents. There were 866 provider survey and responses in
January as opposed to 560 in April. The number of health plan respondents
increased from 156 to 181. The drop in responses from the healthcare providers
could be attributed to a shorter timeframe, this was a couple days shorter than
the last one so we had a little shorter length of time. One thing we did run
into is just overlap a lot with Easter and Spring Break so we ran into a lot of
situations where people just weren’t available. I can vouch for that. Even
at Blue Cross we had a lot of people out at the particular timeframe. Bad time
I guess in some cases. But that is what it is. The mix of participants are
similar in each survey. Due to limitations in the survey tool used by WEDI, any
given survey responder has the option of skipping individual questions. Hence,
the information provided is going to be presented in terms of percentages,
reflecting the results of those who responded to an individual survey topic.

The table on the following page provides some perspective on industry
progress over the past three months. I want to emphasize that WEDI believes
survey participants represent, what I’m going to call the more diligent
part of the industry. Those organizations that are probably more focused on
NPI, they have a thorough understanding, they have had a game plan in place and
they are executing against it, and as a result, I think the information viewed
here should be considered more of a more optimistic scenario.

The number of providers in the survey that obtained their NPI improved from
95% to 97% of respondents. One can expect the last couple of steps in reaching
100% to be the most arduous. I think this is a very positive step in that we
are really starting to see wrap-up in terms of number of NPIs being issued and
providers giving out their IDs. There are certainly going to be stragglers and
I think we are at that straggler phase right now.

The number of providers that have shared their NPIs with health plans
showed a significant increase from 25% to 49%. Certainly good progress but
still far short of where we need to be. It is kind of interesting when you look
at 97% of the providers have got their ID number, but only half of them have
been passing to trading partner. I think that is a pretty important note at
this point.

Provider capability to support NPI transaction processing has jumped
considerably. Some examples would be providers able to submit claims with
dual-identifiers improved from 25% to 52%. Providers able to submit claims with
NPI only improved from 4% to 19%. Providers able to accept a remittance with
NPI only jumped 7% to 26%.

On the other hand, health plans have also seen some significant results, I
think, in this past three months. Health plans are now able to accept claims of
dual-identifiers is up to 75%.

Health plans able to accept claims with NPI only almost tripled from 13% to
34%, and health plans able to send a remittance with NPI only improved from 4%
to 21%.

I think the thing, if we look at this survey, when you look at what has
happened, we are sort of viewing this thing in terms of individual organization
capability. The industry has demonstrated real progress. So, each individual
organization, when you look at the work that has got to be done inside, we are
seeing progress. They are getting work done. They are getting their NPIs. They
are starting to share that information. Health plans are getting cross-walked
and tables and so on put together. However, when you look at the actual
transaction volume, where you are actually interchanging data, between a
provider and a health plan, the volume of claims where you see an NPI is still
pretty darn small. So there is work being done internal, much progress being
made, but we haven’t shipped them significantly with a significant effort
for the next stage of actually starting to move that data back and forth on the
transaction.

As you can see here 78% of the health plans reported that 25% or less of
their incoming electronic claims contain an NPI. That is pretty large. A number
of those is probably less than 5% or 10%. The decrease is an improvement of
only 7%, so back in January, 85% of the health plan said 25% had claims with
25% or less with claims of an NPI on it. We are seeing a little bit of a shift.
We are starting to see more NPIs and their claims, but not the dramatic
increases that we need to start seeing here going forward.

The table itself has a number of different categories, things that we are
trying to track on the survey. We could talk about that in detail later. There
are other specific attributes that the committee might like to have tracked, we
could certainly discuss that and we can incorporate that into future surveys.
When we look at all of this though, there are some key outstanding issues that
I want to sort of bring to the committee for some discussion. In the past 12
months there has been really a difficult time for the industry with regard to
NPI Implementation. I think we can all agree with that. WEDI commends NCVHS for
its leadership role in bringing together a wide variety of industry groups and
listening to the challenges based by healthcare organizations across the
country. It is certainly no small task in what has turned out to be an
incredibly complex issue, in our industry. For your efforts, I want to express
my appreciation on behalf of WEDI and the organization that it represents. The
Contingency guidance announced by CMS back on April 2nd was
certainly welcome news. I want to assure you that WEDI and its members do not
take the NPI situation lightly. Recent discussion with my colleagues in the
industry indicate there is no letup on the work efforts right now. I think we
are at a tipping point where things are starting to wrap-up. There is a lot of
work happening. Also, people are starting to see where the real problems are. I
think that’s important. The information provided today confirms we have a
long uphill battle ahead. We will continue with our education and outreach
efforts within WEDI. There are several issues I would like to bring to your
attention as we prepare for the Contingency Period after May 23rd.

Here are sort of the key items. The first one is NPPES Dissemination. This
is certainly an ongoing problem. No surprise to anyone. I understand the final
regulatory language is currently under review by OMB. However, lack of access
to a central course for NPI information is a significant problem. Providers do
not always have a clear understand about, how, and to whom they should share an
NPI. Labs and pharmacies face a similar problems without access to NPPES, there
is not a way for may labs and pharmacies to generate a payable claim because
referring, ordering, and prescribing providers are required on claims going
forward.

As a result, I think when we look at the CMS must provide an operational
system that supports timely access to NPPES data for industry constituents. Our
recommendations are as follows: CMS published the NPPES Dissemination notice as
quickly as possible. We also believe the CMS should also establish a thirty day
time period for public comment. WEDI is positioned and ready to partner with
CMS on this item. With our industry presence, WEDI can quickly convene
representatives from across the health industry to review and provide feedback
on the proposed process, I think in a very timely fashion. Thirdly, we believe
that NPPES should provide a system solution with electronic access to NPI data
no later than 120 days after the publication of the NPI Dissemination notice.
It might be a little bit of a tight timeline, but I think we need to move
quickly on this to try and move things forward. I don’t think this is
slowing down healthcare organizations from testing and working with one
another. It certainly is a barrier to turn in the switch and getting into a
production mode, and people want to make sure they have crosswalks built and
complete with all the information they need. That is one big item.

The second one has to do with UPIN numbers. CMS

has announced that UPIN numbers will no longer be issued after May 23, 2007.
In addition, access to the UPIN file will be discontinued by June 2007. This
creates a serious problem for providers/health plans that currently use the
UPIN as a legacy number for claim adjudication and payment. I could speak for
Minnesota that we have some large healthcare providers who use UPIN for this
purpose. Based on a recent listserv activity, I can safely conclude that
Minnesota is not the only sate facing this particular problem.

Therefore, WEDI would recommend that CMS implement

the following: continue issuing UPIN numbers beyond May 23, 2007, constant
with the NPI Contingency Guidance announced on April 2nd. Given that
this is a number widely utilized by the industry (beyond Medicare), issuance
should continue until May 23, 2008. Providers that use UPIN as their legacy
number, will not migrate to business operational use of NPIs until sometime
after May 23, 2007, will need an ability to acquire UPIN number for new service
providers that they add to their staff.

Second, continue to maintain and make available the subscription UPIN
database through the Contingency Period and ensure that the UPIN online
registry capability continues through the full contingency period also.

Implementation of these steps will prevent the potential for business
interruptions during the contingency period, and allow healthcare organizations
to focus their resources on a primary goal of NPI compliance by May 23, 2008.

The third issue has to do with variations in the duration of individual
Contingency Plans. The CMS contingency guidance states that entities may elect
to end their contingency plan priors to May 23, 2008. In principle, this is
sound rational thinking. However, entities should exercise discretion in
discontinuing the contingency plan unilaterally if it pulls a significant risk
to business operations with some if its business ends on those partners during
the contingency period. As an industry, we need to adopt a goal of getting
through NPI compliance—an NPI contingency period with all entities
compliant, while not disrupting business operations. Business continuity should
be viewed as a high priority and not just simply NPI compliance during the
contingency period.

WEDI would recommend the following. CMS issue and FAQ or additional
guidance that advises caution on unilateral ending of contingency periods.
Unilateral ending places undue business continuity burdens on those trading
partners who are still dealing with third parties who are not ending
contingency periods. So whether from the perspective of accepting 837s or
accepting 835s or both, it is advisable that key trading partners collaborate
around the timing for discontinuation.

Second, health plans should communicate their contingency plans to their
trading partners as quickly as possible. WEDI wants to recognize the action
taken by CMS Medicare on this subject. On April 20, 2007, CMS published its NPI
Contingency Plan for Medicare Fee For Service. WEDI applauds CMS for its
leadership role in communicating its own contingency plan, and encourages
health plans to follow this example of CMS. Early communication of contingency
plan in a clear and concise manner will insure a smooth transition to NPI
compliance.

Third, CMS collaborate with National Provider Outreach Initiative (NPIOI)
on creating an NPI Transition Plan that provides guidance to the industry on
achieve NPI compliance.

In conclusion, I want to assure NCVHS that the industry is making progress.
WEDI intends to continue with its NPI Readiness Assessment surveys every
quarter through May 2008. We will monitor and update both CMS and NCVHS on our
survey innings as well as escalate important issues as they arise. Thank you
fro your time today. WEDI looks forward to working closely with CMS and
completing the long journey to NPI industry compliance during the contingency
period between May 23, 2007 and May 23, 2008. Thank you.

MR. REYNOLDS: Before I turn it over to Jeff, Jeff wants to start the
questioning. One of the things I would like the committee to think about is we
appreciate the concise testimony and we have got a good forty-five minutes to
discuss this, which is good as we think about it if we need that much. But
also, the WEDI letter has some recommendations and one of the things that we
stated as we sent our last letter forward to the secretary is that we would
continue to hold hearings and forward guidance as we felt necessary. I think it
is important as we do this next forty-five minutes of discussion that we figure
out whether or not there is anything out of what we heard today that warrants
us to put something together because we would want whatever we did to be
probably the full committee in June. It sure isn’t going to help in
September. It is something that we need to do, so that obviously puts a
timeframe in front of us that is aggressive, but I think that this is a subject
that we are well enough versed on that doing what we need to do could happen. I
would like everybody as you do your questioning, as you think through this,
this subject, that we need to promptly today know whether or not we feel there
is anything else we need to say further than we have already set forward and
that is already in the guidance that has come out on the contingency and so on
as a group. I wanted to put that out there so that we make sure that our
questions and our discussion gets us to that point so we don’t walk out of
here and go whoops, we should have done something. Okay? So with that, Jeff,
please start the questioning.

MR. BLAIR: Michael thank you for very helpful information. I would like a
little bit of help or guidance knowing that you could help me with a level of
confidence that I’ve had with certain of the numbers. The 97% of providers
that have IDs, do you feel like that was representative in particular? Were you
able to get physicians in small or rural practices to respond to that number,
or should we have a little bit of a mental adjustment on that piece.

MR. UBL: We did see a good cross-section of providers from large hospitals
systems to small providers from large hospital systems to smaller providers and
so on and so forth. My experience with this survey process is that most of the
entities that have responded have the normally aggressive players in terms of
moving towards NPI Compliance. I think there is a certain segment of the
industry that has not moved that quickly. So hence, I think that 95%, 97% is a
somewhat optimistic view. It is based upon just the data we got from the
respondent from the surveys.

MR. BLAIR: Let me ask the corollary of this is some of the numbers that at
least appeared to me a little bit low, with respect to payers, maybe that
understates the actual coverage because maybe the larger payers might be ready
and some of the smaller ones might—what level of confidence should I have
in those numbers?

MR. UBL: I would say that there is probably a higher level of confidence
there simply because one, there is not as many health plans as there are
providers across the country. We did have 180 plus health plans that responded.
I would say that, from a health plan standpoint, it is fairly representative of
what the industry looks like.

MR. BLAIR: Thank you.

MR. REYNOLDS: Mike, to help along that line, as far as in a state, what is
the highest you have seen as WEDI has looked at it, not necessarily a survey,
of the amount of numbers in a particular state, the providers that have gotten
their numbers. What has been the highest do you think?

MR. UBL: I don’t have that by state. We are probably at about 75%
maybe 80%. We have been tracking it month by month and it keeps going up.

MR. REYNOLDS: And how about percent of claims?

MR. UBL: Less than 20, though it is small.

MR. REYNOLDS: The second number, the percent of claims is pretty well
consistent across the country even though other people may not have as many
numbers.

MR. UBL: That is what I am seeing from our personal standpoint at Blue
Cross and talking to some organizations. We did not go through that
statistically in our surveys.

MR. REYNOLDS: Okay. I have a couple more questions. I think, when you talk
about the contingency, I couldn’t get a sense where you talk about the
timing of the contingencies coming off, and you said that there needs to be
prudence and thought. In other words, if CMS pulls it off earlier than someone
else, what does that do? If CMS pulls it off later than others do, what
does—I couldn’t get a sense whether WEDI was recommending that there
should be a—different than the other HIPAA that we did. Should there be a
singular date where anybody goes to NPI?

MR. UBL: I think that where we are at in our position on this is that,
because everybody is operating on different schedules right now. I really
don’t think we are going to see everybody march to the beat of a single
drum date-by-date. The emphasis that we want to make here in this contingency
planning is that we ask that healthcare organizations pay due diligence in
taking a look at the trading partners that they are doing business with and not
sort of decree an end to their contingency plan in a way that could potentially
disrupt business operations for their training partners. That was really the
part—

MR. REYNOLDS: But different from the transactions? Do the providers really
have a capability to send some people the NPI and others not? Are the systems
out there and the real capabilities that sophisticated. In the past, when we
did the transactions you could have two different streams. I’m sending the
whole transaction this way or the whole transaction that way. Now you are
talking about individual pieces of data.

MR. UBL: That is part of the struggle.

MR. REYNOLDS: That is why I’m asking this question.

MR. UBL: I think it was addressed already in the Fee For Service
contingency program when they were identifying primary providers versus
secondary providers. That part of the process that needs to be addressed so
when organizations are declaring end of the contingency plan, those types of
activities need to be kept in mind moving forward. Organizations may end up
going to a point of sort of saying by a certain date, I want to say all the
primary care providers needs to be NPI. That is fair game. Every organization
should be able to sort of declare their contingency plan. I think one of the
things we said in here is that the industry needs to follow the lead that CMS
has done and get their contingency plan documented and communicated so they
know where their trading partners need to be working towards. If that is not
going to get done, than shame on us. Those are just basic communications that
need to be in place. Then, I think once that is done, trading partners need to
sort of work with each other and arrive at a common date, if you will, where
they will reach NPI compliance. Obviously, you made May 23, 2008 end of the
show. It could happen sooner, but let us make sure we have contingency plans
documented and we are communicating with one another without someone
unilaterally pulling a plug and in putting people in jeopardy.

MR. REYNOLDS: Any other hands? To both of you, you and Karen, on the UPIN,
the recommendation here is that if somebody has not completely implemented
their NPI, then they would need to continue to use UPIN to do business. That is
what I think this is saying, and I there is a hard stop. I understand where
WEDI is coming from, but Karen, I guess any insight you could give us and not
speaking only on the subject not necessarily answering for CMS. I was just
really trying to understand, because with that twelve months, there is still
business that has to be conducted and that is what contingencies are all about.

MS. TRUDEL: I am really not familiar with the UPIN continuation plans.

MR. REYNOLDS: That would seem to me to be one recommendation out of this
testimony that we have to give serious consideration to from WEDI’s survey
as to whether or not—at least send that forward for serious consideration
because if a new doctor—well, whatever occurs, if UPIN has been the mode
of doing business, the reason you do contingencies is to sustain the current
mode of doing business. Not promote it, sustain it. Two different words. That
may be a recommendation that we might consider unless somebody around the table
knows a significant issue with that because it sounds like a logical argument.
Michael?

MR. FITZMAURICE: I guess I see it as two points. One as if we were to be
the Czar or whatever, how are we to know when it is time to end the contingency
plan? Secondly, do we end at the same for everybody, large plans, small plans,
large providers, small providers or not?

MR. REYNOLDS: Let us drill on the discussion of UPIN. We could be in a
situation that when at the latest of May of 2008, UPIN is gone because anybody
between now and then aught to be able to get an NPI, aught to be able to get
ready. The contingencies are out there so I wouldn’t be at all concerned
about setting that as an end date. If you are going to leave UPIN alive, if you
don’t put a hard stop on when it is going away then people can say I am
staying in contingency forever. I think that may be a consideration. If we were
to make a recommendation going forward that we do think about a hard stop. Now
back to your point Michael, and the reason I was asking the question earlier.
The sophistication of systems, especially as you get to the smaller ones is
going to decide whether or not they can do it two different ways. I don’t
see the sophistication in some of those office practice management systems that
is going to be able to pull that off. If one or the other stops the contingency
before that group is ready, it is going to be interesting—

MR. FITZMAURICE: I suppose I am practice and I take in a new doc, and I do
it in July, and that new doc can not get a UPIN anymore and my system has to
handle the NPI. So, I see push coming to shove, much before from this coming
May.

MR. REYNOLDS: No I agree, it happens May 23 of this year. What Mike is
saying in the end of June, it goes away completely. If somebody is hired as a
new doctor in July 1 and they’re not NPI ready, they got a problem. That
is what I think your testimony was saying. It is not good or bad, that is just
what I thought the testimony was saying.

MR. FITZMAURICE: I think it is probably a matter of fact at this point. Do
we recommend that CMS extend the time period for giving a new UPIN. No, because
that is a driving factor in doing all of this. Do they fill it with 99999 and
say this our 999 doctor and create their own contingency. The industry will
work something out, bit eventually vendors will have to find a way to get NPIs
in a system before they get UPINs. They have had some time to do it. This gives
them some more time to do it, and in the short term you have some workarounds,
and the longer term, you have got to get the NPI in there.

MR. REYNOLDS: We have three sets of recommendations from WEDI. Under the
NPPES, we are on record a number of times about that the dissemination notice
should be put out as quickly as possible. I’m not sure as a committee that
that is a necessary addition to another letter. I think we have said plenty
unless—I am throwing that out as a physician. I am not directing anything.
There is a whole group around the table. Everybody needs to jump in. I’m
trying to look at these three recommendations and say what do we say? What
don’t we say? Which do we step away from? Which ones we do not step away
from? I am asking a question.

MR. FITZMAURICE: I was going to suggest that it might be very mild as of
the state. We noticed that the NPPES is available, but we have every confidence
that it will be available shortly.

MR. REYNOLDS: I hope you never get mad at me.

MR. FITZMAURICE: But we told the secretary, so just a recognition of this
as of this state, but we are still looking forward to it.

MR. REYNOLDS: Well, the whole reason I threw out what I threw out was to
keep this conversation. Jeff, you had a comment.

MR. BLAIR: Yes, and prior to my making my comment, let me ask Michael to
clarify slightly—Michael Ubl. Michael, when WEDI made that recommendation
and chose the wording that it did, behind that wording was there any assumption
in WEDI as to when the NPPES would be ready? I am not trying to lead you yes or
no, I am just saying was there any assumption?

DR. UBL: No, we did not pick a—we were not assuming a particular
timeframe. I think the emphasis was we needed it ASAP.

MR. BLAIR: Then that gives me latitude with what I would say. Even though
we have encouraged that the NPPES be available as soon as possible, I would say
that we should still include even though it is a reiteration in our next
recommendation letter because I don’t want it to be assumed that we
don’t consider it an issue anymore.

MR. REYNOLDS: Judy?

DR. WARREN: Looking at their recommendations, I can not remember our last
NPI letter, but did we specify a number of days that the NPPES should be
available after the notice? I noticed that WEDI did for 120. We might want to
followup on that. I mean six months seems reasonable to me to have it
available.

MS. TRUDEL: I think what the previous letters said was that there should be
at least a clear six months availabity of data before the contingency plan
would end. We didn’t draw a line between the data dissemination notice and
the availability. It was between the end of the availability and the end of the
contingency period.

MR. REYNOLDS: If we took WEDI’s recommendation that would put it right
there pretty quick. That would say you have to do it now. If you are going to
leave thirty days for comment and then you are going to leave 120 days for some
other things and that is five months. If you are going to have six months
available, you have between now and next month to get it out.

DR. UBL: I would agree and I think when we were discussing this within
WEDI, I think the one thing we wanted to try and make clear in this particular
recommendation is that publishing the policies and procedures is not enough. We
have got to get the thing in action. We have to have access to the information,
and that is why we recommended a timeframe.

MR. REYNOLDS: So rather being a prescriptive plan off of Karen’s
comment. So Karen, your plan comment is if we stayed with our previous
recommendation, which was that it be available—the dissemination notice be
put out as quickly as possible and that that data be made available for a good
six months before the contingency is pulled off. I haven’t heard anything
today. I don’t know if anybody else has that would necessarily change that
recommendation.

DR. WARREN: I am just trying to clarify the timeline here. I agree with the
clarification that we need to keep—to not close down the contingency
before we have this up, but I am wondering if we don’t have something new
from the dissemination notice, I think that is something new that we should ask
or maybe put in a letter to the secretary that might show urgency a little bit
more that we really tell this is up and we have had 120 days after the
dissemination notice. It almost disconnects a little bit from the contingency
plan that this has to be up within a certain timeframe, otherwise it is going
to keep drifting until it is available. It could be 300 days before it is
available and we still would be then with the contingency plan in place, unless
I am reading this wrong.

DR. UBL: I think it is a good point. It recognizes that there is a time
lapse between the actual publication of the policy procedures to the time it is
executable and people can start using it. We don’t want that to sort of
mushroom and just sort of drag on.

DR. WARREN: I think that is where we heard a lot of the testimony was until
they had this available they weren’t able to populate and do a lot of
their testing until it was available so they don’t know whether or not
they can comply with NPI.

MR. REYNOLDS: I sensed WEDI tempering their position on that state. Your
comment earlier was that it would not keep people from implementing.

DR. UBL: No, it will not keep people from testing. It will keep people from
implementing.

MR. REYNOLDS: No, I wanted to make sure I heard it correct.

MR. FITZMAURICE: Harry, I wonder if I might ask a point of clarification. I
noticed in Michael’s testimony that he says that he understand the final
regulatory languages is currently under review by the Office of Management and
Budget. I wonder if we know that that is true. Are you able to comment Karen on
whether you know if that is true or not? I don’t know if that is true.

MS. TRUDEL: It is a federal register notice and it is still being reviewed
by OMB.

MR. REYNOLDS: Okay, so I guess the committee feels that that on the first
set of recommendations that we should in fact reiterate forward that it needs
to be out as soon as possible. It is important. We should be out there the six
months like we have before. To do so, this looks like a plausible timeline and
maybe the only plausible timeline to have that happen within the contingency
plan that has been executed for May of 2008. Is that a fair statement?

MR. BLAIR: Karen, I am supporting totally what Harry has just said, but I
am trying to think here. CMS wants to get this out as soon as possible. There
are some realities in the way the government works. Would it be constructive or
not for us to add to those recommendations anything about whether we feel that
there is a need for comment or not comment in the process that goes forward?
Can we be helpful by expressing that we feel that this is something that does
not need public comment to go forward to release the NPPES?

MR. REYNOLDS: Jeff, for the record, you have finally stumped Karen.

MR. BLAIR: I don’t think we stumped her, I think maybe I asked a
question that she doesn’t feel she could answer.

MS. TRUDEL: No, I feel as though you are putting me in a position where I
am saying where I need to respond that guidance at the NCVHS might want to give
the secretary is not going to be useful, and I don’t want to say that. I
think what you are saying though is that the availability of the data—it
is not necessarily the process of the data dissemination notice or whether
there is or isn’t a comment period is as germane as the fact that it is
just a screaming need that the industry has got to actually have this data for
a period of time. However the subcommittee feels that they want to— I
don’t think there is any reason why that comment couldn’t be made.

MR. REYNOLDS: Another thing is different than I think anything I have seen.
This system is already in production. That is different. Everything else we
have been talking about get this out so that could be done. This is the first
time we have had one where it is there. When somebody calls to get an NPI and
they are given an NPI, it is put in that system in production. It is there. It
is real. If you want to change your NPI, you go into that same system. Never
before, I don’t think any before that I have seen, where we were actually
talking about a red going out on something that is in production in use and you
have 2 million numbers in it that are active, live, and being done. I think our
comment along that line could use that as a bit of a backdrop. In other words,
this is done. Thy system is done. It is in production. It has got 2 million
numbers in it. Everybody that is implementing would like to have those numbers
whether or not they have an extensive comment period is not going to change the
2 million numbers and not going to change the structure of the 2 million
numbers that are out there which is what the people are really after. This just
seems real different.

MR. BLAIR: Is wording like that going to be helpful?

MS. TRUDEL: I think any wording that is going to inform the decision makers
of what the real world needs and requirements are would be very useful.

MR. REYNOLDS: Does the group concur with the way I had positioned—

DR. UBL: Can I have a comment? I would concur that the system is there,
that the numbers are in the system and they are what they are so nothing is
going to change there. What I think we are talking about is a system function
in the setup processes that support accessing and recording on the information
and that we haven’t seen. So, that is the part that—

MR. REYNOLDS: –needs to comment. So the numbers are part one. The way to
get to them and the rules around getting to them is number two.

It would appear that we need to put some language together. So does the
committee concur that recommendation one, we need to put forward a letter at
least with recommendation one? Is everybody in concurrence with that? Okay.

All right let us go to UPIN. Second one. Any comments on UPIN whether or
not we in fact–?

MR. BLAIR: Right now WEDI’s recommendation to us on UPIN is simply
that—well WEDI really didn’t make a recommendation on UPIN. It was a
statement, I believe, by CMS that it would be available until June. Is that
correct?

MR. REYNOLDS: No, they made a recommendation.

MR. BLAIR: I’m sorry. Could you re-read the WEDI recommendation on
UPIN?

DR. UBL: For the recommendation made by WEDI with regard to UPIN include
the following, continue issuing UPIN numbers beyond May 23, 2007 and make it
consistent with the NPI Contingency Guidance announced on April 2nd.
Given that this a number widely utilized by the industry, issuance should
continue until May 23, 2008. Providers that use UPIN as their legacy number but
will not migrate to business operational use of NPI until some time after May
23, 2007 will need an ability to acquire UPIN numbers or new service providers.

Second, continue to maintain and make available the subscription and
database through the full Contingency Period.

Third, insure that the UPIN online registry capability continues through
the full contingency period. So in essence, we are asking for it to continue
through the whole contingency period rather than over the next 60 days.

MR. REYNOLDS: Allow current business practice through the end of the
contingency. Committee support? Jeff?

MR. BLAIR: If the rest of the committee supports it—I guess I am in
balance mode again. I think that having access to the UPIN numbers up through
the end of May 2008. I think that makes sense. On the other hand whether new
UPIN numbers should be issued, I think we can not have to give another year for
UPIN numbers to be issued. I think we can have that much shorter.

DR. WARREN: I think the use case for continuing to issue though is the use
case of new providers coming into the system and going in to work for places
that are not ready to use the NPI yet because it would really be putting new
providers at a very disadvantage of getting jobs and employment back to
business case again.

MR. BLAIR: I heard her make a statement, but I didn’t hear it as a
different proposal.

DR. WARREN: No, I am agreeing with the proposal that WEDI put out and I am
giving you a reason why we need to keep issuing UPINs.

MR. BLAIR: All the way for another twelve months?

DR. WARREN: Yes, and it has to do with the new providers coming in to the
system during that time.

MR. BLAIR: If the end of the contingency period is May 2008, you would be
willing to issue new UPIN numbers even up to a month before the contingency
period ends?

MR. REYNOLDS: If the organization that they join is not NPI ready, they
will be unable—remember I said regular business as usual. Until that
institution that they joined is NPI ready, the only way to do business is
possibly on a UPIN.

MR. BLAIR: I probably have a different feeling about it, but I would yield
to the majority rule, whatever it is.

MR. FITZMAURICE: I am thinking if their billing service can not handle the
NPI after one, two, three, I don’t know how many years that their billing
service had a chance to do it—extending it for a year is just going to
give them a year without having to do anything and then you come in this time
next year and say, well now we know it is really serious. We thought it was
serious, but now we know it is really serious and we are thinking about doing
something about it. If their own electronic system can not handle the new
provider identifier, they can go to a billing service just for those who need
the NPI and it gives them a year to say, this is serious. Maybe I will have to
change my own vendor system or maybe I have to move to a billing system
permanently. I think every billing service would be able to handle the NPI.

MR. REYNOLDS: The contingency as it is set right now runs through May of
2008.

MR. FITZMAURICE: No problem with that. I would just caution that letting
people get new UPINs doesn’t change anything until this time next year.
There is no driving force then.

MR. REYNOLDS: I know, but the other thing is we allow the contingency for
people that didn’t get their NPI. We are talking about business as usual
for people that are in UPIN. I am just trying to understand whether we want to
become more draconian on people then we have been able to in the past. I
don’t care either way. I just want to make sure that as a committee, we
agree.

MR. FITZMAURICE: I just don’t see it as being very draconian that they
have to go to a billing service for a new provider that has the NPI if they
chose not to push their vendor to allow them to have that capability. I think
we said something fairly tough in the last letter to the secretary about, this
is not going to last forever. We got a little bit tough.

MR. REYNOLDS: So what would be your end date? Are you against using UPINs
at all after May of 2007?

MR. FITZMAURICE: I would go with the contingency as it is, that is, you can
use UPINs if you have them. You get new providers or you have a need for a new
number then go with the NPI. I’m just making this as a suggestion to the
committee. I am not trying to exert my will on anybody. I am looking for
incentives and driving forces to let people ease into it, and this is pretty
easy I think.

Mr. BLAIR: To me it seem. I understand that for those folks that have UPINs
and they are in an organizations which haven’t been able to make the
transition that we are giving them a contingency period that goes till May 2008
in terms of looking up—still continuing to use a UPIN that they already
have. I am okay with that. The piece that I feel uncomfortable with is if
somebody is going to need a new provider identifier number. To allow them to do
that with a UPIN for 12 months, I don’t feel comfortable with that. I
think it is reasonable that maybe after the end of the September, October
timeframe if that ends or maybe earlier. I guess July or August I would like to
say that ends. We are going to give them a couple of months grace, but if they
need a new UPIN, they need to do it then otherwise—I kind of feel like it
is an incentive for the transition for those that don’t have an identifier
yet.

DR. CARR: If we think that in May 23, 2008 then you won’t be able to
do a transaction unless you’re NPI. That will happen. I am not sure why we
would put an arbitrary additional incentive in with the possibility that there
might be unintended consequences. I would favor making UPIN availability
through May 23, 2008.

MR. REYNOLDS: The recommendation as it stands is all it is basically saying
is business as usual until whenever anybody takes the contingency off. That is
what that recommendation is all about. We are getting focused on a particular
number. That is really what this recommendation is. Allowing business as usual
until the contingency comes off. Whomever takes it off and whenever they take
it off.

DR. WARREN: Another way to look at this is the complexity of enforcing
this. If UPIN is going to be available for use, it should be available for use,
which means new ones as well as using the system. If it is just using the
system and we quit having new applications, now we have added a whole other
layer of your bureaucracy to make sure that that recommendation gets enforced
and handled, which I am not sure that I want to do. I guess I am always in
favor of keeping the cost down as low as possible on some of this stuff.

MS. TRUDEL: I just have a point of clarification. It appears that the
recommendation is saying that there are plans and providers out there that use
UPIN as a billing number and I know that Medicare, for instance, does not use
the UPIN as the billing number. We use it for referring and ordering
physicians, and we require a different actual billing number in either the
performing or the rendering or the billing physician fields, and those will be
replaced by the NPI. In cases of ordering and referring, there is an ability in
UPIN to provide what we call a surrogate number, which is basically a fill if
the ordering or rendering physician didn’t have a UPIN. I guess I want to
clarify that you have found that there are actually people—plans that are
using the UPIN as a billing number as opposed to a number to identify ordering
or referring and rendering ordering.

DR. UBL: I can safely say that in Minnesota we have some large provider
systems at Blue Cross Minnesota deals with where the UPIN is the legacy number
that drives the whole blank plain adjudication and payment process.

MR. REYNOLDS: Lynne, did you have a comment?

MS. GILBERTSON: I just wanted to make sure we are aware that the
contingency plan can be invoked by the providers and the payers. If the payer
is still under contingency plan and wants to see the UPIN and the provider can
not obtain a UPIN, the provider is stuck and the other aspect is the UPIN is
being used as one of the fields in the crosswalk, and until everyone gets a
copy of the file to start looking at it to do the cross walking to their
internal systems, not having an UPIN might have a hole in the crosswalk.

MR. REYNOLDS: Reiterating business as usual. So we need to send something
forward on that. Everyone agree on that?

Okay, let us go to the last one and then we will take a break.

DR. WARREN: So we are saying we need to re-work their number one, but are
number two and three okay the way they are?

MR. REYNOLDS: Why would you think we need to re-work?

DR. WARREN: Because you just said we are looking at language.

MR. REYNOLDS: No, I was just saying we have to produce a letter. More than
likely we will use a lot of the working out of here, I’m just saying we
need to actually bring forward a letter that has wording in it. I wasn’t
necessarily pointing or not pointing. I think that is a great question.

Okay, third one. Again, we are talking about frequently asked questions and
then we are talking about health plans communicate their contingency plans,
their trading partners and that CMS collaborate with the National Provider
Identifier Outreach. I think those are comments more than recommendations that
we would expect the secretary to turn around and do something. Those are
statements of collaboration and fact. I’m not sure—we could add them
to a letter, but I’m not sure they are going to make or break—from
our standpoint they are what we would consider a recommendation that the
secretary would do something.

DR. WARREN: You see I really like number three on that one. I’m not
sure we really spoke—

MR. BLAIR: Could you tell me what they are because I can’t—

DR. WARREN: CMS collaborate with the National Provider Identifier Outreach
initiative on creating an NPI transition plan that provides guidance to the
industry achieving NPI compliance. The stuff before then really talks about
some of the actual work of doing that compliance with FAQs and stuff like that.

MR. REYNOLDS: My question to you is you are doing significant outreach.
That was your testimony pretty much. Other than the fact that you would
collaborate with this group, does your outreach change and does your outreach
already include these kinds of things that they already list here in this
recommendation?

MS. TRUDEL: In terms of duration of the contingency plan?

MR. REYNOLDS: No, they have three items under—

MS. TRUDEL: At this point our message has been that each plan determines
when its contingency period ends and I think that is consistent with this. I
think that is sort of another point of consideration for plans when they make
that analysis and make that decision.

MR. REYNOLDS: I just can’t turn this into a recommendation. I
can’t sit here and think of how I would turn this into a recommendation to
the secretary and the HHS aught to consider. I think it is a prudent discussion
about how it should happen and the industry needs to collaborate including CMS
because I don’t think this is a CMS issue. This is an issue that if any
large health plan pulls a contingency in the state and the others aren’t
in that situation, you are going to create the same thing.

DR. UBL: I would concur with both comments. I just want to context I guess
in the standpoint of the first two, I think, are more definitive and concrete.
You can outline specific things people could do. I think the third one is a
little bit more sort of a soft touch type thing. What we wanted to bring
forward, because we have heard of organizations arbitrarily establishing sort
of the end time of their contingency period. They certainly have every right to
do that. What we wanted to bring forward at this point is that rather than just
making an arbitrary decision when an organization would end their contingency
period to, at a minium, take in the consideration where all your trading
partners are at and put emphasis on business continuity during this transition
period.

MR. REYNOLDS: I guess where I look at this and I want the rest of the
committee—this seems like something that WEDI and CMS could discuss and
work on without us writing a letter to the secretary saying, will you have
these two groups work together? That is what I am saying. As we forward things
we want some action on, that could be a collaboration that could be done
tomorrow as a discussion point, not necessarily something that we can come to
the secretary and his staff to come down. Anybody disagree with that?

With that, we will start drafting a letter based on the first two sets of
recommendations and try to get something out quickly. We may have to have a
conference call in advance or the June full committee to have something put
together to take to the full committee and we will proceed through there.

It is 2:48, we will be back at 3:05.

(The meeting has adjourned for a short break.)

Agenda Item: Security: Review of guidance/Current
remote access and ongoing security issues

MR. REYNOLDS: Okay our wrap-up testimony for today is based on some of the
review of the security guidance. We are going to have Lorraine Doo, Sue Miller,
Mike Ubl, and Linda Dimitropoulos, and Matthew Scholl. Do you want to go in
that order? IS that they way you want go or do you have a prescribed order?
Okay, let us just go down the agenda then.

MS. DOO: Thank you very much. I am Lorraine Doo. I assume you all can hear
me. I am trying to lean forward like everybody else. I want to say that I am
going to be talking about security rule and sort of remind you. I realize that
we are between you and probably a double scotch so we will try to be as
entertaining as we can be. We are going to bring you back up to speed on what
the security rule does. Some statistics on complaints and enforcement and talk
a little bit about remote access, and I was very fortunate to have a prop today
which is this little flash drive, which frankly saved our lives on the
presentation because we were actually able to download it from an email because
it had not made it here the other way. This is one of the devices that we will
be talking about a little bit later today so you can actually—

MR. REYNOLDS: Our question would be how is that secured?

MS. DOO: And that is a private question. So just to go back to many years
ago, the final security rule to make sure that we are all clear, applies to
electronic protected health information. So the privacy rule covered all
information. Security rule was written very specifically related to electronic
protected information that was either stored, created, maintained, or
transmitted by the covered entities primarily to protect confidentiality. The
right people are seeing the information. The integrity of the information is
accurate and availability that the right people can see it when they need to
see it.

Covered entities, not that we don’t all know this, the covered
entities are health plans, health care clearing houses, and covered health care
providers who are those that transmit the transactions electronically that have
been adopted under HIPAA. The security rule they have to protect the
information against reasonably anticipated threats or hazards to the security
or integrity of the information and protect against inappropriate uses or
disclosers related to that, and very importantly is to ensure compliance of the
workforce through policies and procedures and training, which we will talk a
little bit about.

The security rule had—and there is a couple of very key things related
to the rule. The first was this concept of scale ability and flexibility based
on an organizations size, the complexity, their technical capabilities. As you
know, we have a range of covered entities from small providers to huge health
systems to health plans. They all have different capabilities and the class of
implementing those are pretty significant and we accommodated that by the
flexibility issue. Tied to that was the concept of being technology neutral, so
we were not prescriptive in the final rule. Some people wanted that. Other
people were not as supportive because they felt that the needed to have more
guidance on specifically what they needed to do. It is technologically neutral,
and that helped drive the whole cost factor.

The way that regulation is organized is based on standards and
implementation specifications. The specifications are essentially the guiding
principles for how you would comply with a standard. A standard is required,
and the implementation specification is either required or addressable.
Occurrence of the addressable has been under considerable debate and the first
thing to remember is it does not mean optional. It means that the organization
has to determine how it applies to their infrastructure, make decisions about
what they need to implement or how they need to implement something in order to
meet that standard. It didn’t mean not to do it if you didn’t think
it applied. It meant to either document what you were doing to at least meet
the specification and the standard.

The security rule was made up of several categories: administrative,
physical, technical, organizational, and then the policies and procedures.
Administrative had to do with things like the risk management, risk mitigation,
training, contingency planning, and all of the operational things that you
would do. The physical safeguards are obviously things that how you are going
to protect your facilities where the data is, where it is set, and how it is
stored. The technical safeguards had to do with the technology of it. Things
like the secure socket layer for example or encryption. The things that people
in the policy world may not be as comfortable talking about, but it is the key
driver obviously. Organizational requirements tied in with the privacy rule and
it partly addressed the business associate agreements and how you had your
downstream partners also required to protect the information. Then obviously
coming to what is key, which are the policies, procedures, and documentation.
Without documentation, should anything happen, there wouldn’t be any way
to protect the organization to say we actually did have all of these things in
place. Those documented policies and procedures and the training that accompany
them are very, very key to this.

What we advise covered entities and a lot of the guidance papers that we
already do have on the website, we talk about risk analysis being the most
important driver because that is how you will determine what it is you need to
do to meet the required or addressable specifications and standards. It will
tell you where your vulnerabilities are so the risk management is really
critical because based on that, you will develop your policies and your
procedures. Obviously, implement them, train the work force, and then conduct
periodic evaluations. It is pretty straightforward or it seems to be
straightforward, but every organization is going to be doing this differently.

We assume events have happened and will happen

that affect a company’s ability to comply even if they had made every
effort up to a certain point. We have a security enforcement process in place.
It is complaint driven. We do not go out during random surprise audits. If we
see something happen in the industry, we will file a complaint ourselves. So
for example, if we hear that a hospital has lost data, we will actually file a
complaint which gives us the authority to then investigate. So, we are not just
waiting for the phone to ring. We are being aware of what is going on in the
industry. The focus is clearly on helping covered entities achieve compliance
and because security is so tightly tied to privacy that typically the
complaints come to us, in fact, because it has been a privacy concern that work
very closely with the Office for Civil Rights on those complaints that come in.
As you will see by the statistics, in fact, most of the complaints that come in
are driven through the privacy process. These are current statistics, and I
don’t know if you will be surprised by the number in terms of thinking it
will be too high or too low. With the total number, so I the past two years of
complaints that we have received is 177. Of those, we have closed 102. There
are still 75 remaining open.

Let me just talk briefly on this issue of a closed. It means that either
the covered entity was found to be compliant in fact and had the documentation
and could support what they had done and be able to resolve it, or they
submitted a corrective action plan that said we are going to be executing
additional training. We have done this policy now. We rectified this situation
with an employee. There was a corrective action plan. We monitored it. We
checked on it, and we have been able to close that case. So now going back to
this issue of the combined privacy and security complaints of the total 177, 99
have been privacy and security combined. That is not just a security issue. As
I said, we have 75 cases that are open. Of the 75, 64 are related to privacy
and came in through privacy. There are only 11 of the 75 open complaints that
have a strict security related issue. So, OCR is leading the charge on the ones
that have a privacy security duality, and we work with specially designated
people in the regional office in evaluating and resolving those complaints.

Now the complaint reasons that we get. The lion(?) share actually the first
and third, which is actually unauthorized access to electronic protected health
information and an alligation of insufficient access controls. It might be
things like I know someone else looked at my data. I know that my wife looked
at my data and she doesn’t have the right to do that. It’s those
kinds of things. You didn’t protect me properly enough and somebody else
got into your system and was able to see.

Then of course the second item bulleted here is the loss or theft of
devices, and that is beginning to have more prominence. People are much more
aware of it, and it is unfortunate because of these very public pronouncements
of a laptop that has been stolen. I think we have two people in the room that
may be related to one of those. That because very scary because it is hundreds
of thousands or millions of records that are a risk, even though the person may
have just taken a laptop for the laptop purpose. It is a tremendous risk for
individuals.

As we heard more and more about these kinds of incidents and they became
prominent, we realized that data is going to continue to be at risk in a whole
new set of ways as health IT activities and we move forwards with a lot of
these initiatives that employees are working outside of the workplace. They are
using devices like this flash drive to do work. They are working off site. They
are working remotely at homes. The data is much more mobile and therefore at a
whole different level of risk. We talked about the flash drives, CDs, PDAs
which is not public displays of affection, laptops, smart phones, and all of
those other devices. As I said before, these high incident profiles that are
starting to come about. The security rule covers all electronic protected
information no matter where it is. We still felt that we need to publish
additional guidance to the industry to reiterate what is implicit in the
security rule very specifically to remote access. We published a document
December 28, which I’m sure you all have read. And again, it reiterates
the requirements of the security rule, but what we did is provided some
recommended strategies that could span the range of small to large entities. We
couldn’t give examples for every single type of organization, but we
wanted to say sort of from the simplest thing to a much more complex technology
that you could implement.

Here are some ideas for each of the categories

that we addressed. When we focused on the risk assessment, are you
vulnerable? If you are not doing any remote access, you don’t have a
vulnerability but be aware that it may be relevant. Develop and implement the
policies and obviously most importantly is train your people on those policies.
Don’t develop a policy and keep it in a legal office. It has got to be
communicated to the staff and documenting that they understand that. The
guidance, as I said, was a set of tables for each of the categories and it
listed risks and then it listed mitigations. For example, on the one you all
may or may not be able to read this, but this one was on data storage. The risk
was a laptop or other portable device is lost or stolen resulting in potential
unauthorized use. Then the mitigation strategies went from identifying a type
of hardware that you are using in your company. Implement a process from
maintaining a record of where it is going and what the movement is required to
use the lock-down mechanisms. Use password protected files. Password protect
the devices themselves and require that the devices have encryption
technologies. There was a gamet of recommendations that were not meant to be
exclusive but were—see, whoever you are, if you are using these kinds of
devices there is still an opportunity for you to see one, are you already doing
it and if not here are some recommendations.

What we are going to do next is actually consider publication of an NPRM
that might incorporate this guidance document, even though the security rule is
clearly implicitly includes anywhere EPHI is. We know we need to work the NCVHS
to pursue publication of a rule. We are working with WEDI. We will continue to
work with them on issues related to security so that when there are conferences
and educational opportunities and white papers, we will work with WEDI on
additional guidance that we may need to be doing.

We are participating in a number of other

national workgroups that are also addressing issues related to privacy and
security because of health IT and that includes the confidentiality, privacy,
and security workgroup under America’s Health Information Community which
is also now looking at requirements for privacy and security. One of the things
we don’t want to do is have all of these groups off working on their own
coming up with recommendations but rather make sure we are all collaborating to
deliver the same kind of message or to support and enhance what each of the
organizations is attempting to do. That is the update on the rule in our
guidance. I guess we will hold questions until the rest of the gang has spoken.
Is that correct?

MR. REYNOLDS: Yes.

MS. DOO: Who is next?

MR. REYNOLDS: Sue or Mike?

MS. MILLER: I am. I am Sue Miller. All I have is written testimony which is
on the table.

So Chairpersons and members of he sub-committee, I am Susan A. Miller. I am
a founding Co-chair of the WEDI Strategic Implementation Process Security and
Privacy Workgroup and I have a national HIPAA and healthcare legal and
consulting practice. I work with and for HIPAA providers, clearinghouses,
health plans, trade associations, and state and federal agencies.

On behalf of WEDI, thank you for the opportunity to present testimony
concerning the HIPAA security rule, including remote access issues and how the
industry is dealing with security requirements: what is working, what is not,
and why.

My three Security and Privacy Workgroup co-chairs, Leslie Berkeyheiser who
is here with us today, David Ginsberg, and Mark Cone, assisted me in preparing
me for this testimony. I am going to present general observations about how the
industry is dealing with HIPAA security requirements, and then discuss remote
access and its issues.

WEDI is in the process of deploying a comprehensive plan to address many
topics regarding HIPAA Security Rule and its implications. Our activities are
in the planning or early development stages. With this in mind and the fairly
limited time to respond to the request for testimony, I want to emphasize that
the information WEDI has available is limited to anecdotal information from a
small segment of WEDI’s membership. This is an initial step in our process
to examine industry status regarding HIPAA security implementation and
compliance. We cannot draw specific conclusions or make sustentative
recommendations at this time as our work is not complete. A near term activity
will include a formal survey to gather more comprehensive data across he entire
industry. WEDI intends to approach for collaboration and support on developing
a survey tool to address this topic.

At this point, WEDI has collected anecdotal reports that demonstrate
misunderstanding the under-implementation of the Security Rule and related
compliance issues in the industry.

The Privacy Rule implementation requires tangible steps that tend to be
similar across covered entities. For example, every provider with a direct
treatment relationship with patients is required to have a Privacy Notice and
to make it available. In contrast, the Security Rule implementation is much
more flexible. Entities are expected to customize implementation. The Security
Rule also includes a compilation of best practices. Under those practices, an
entity would perform a comprehensive risk analysis including consideration of
what standards apply to its unique organization. The application of addressable
implementation specifications is left to be determined based on risk analysis
findings and documentation of the approach taken. There is no formal guidance
about whether or how to conduct, interpret or apply a risk analysis.

The flexibility built into the security rule provides entities with the
ability to tailor security protections to best meet their business and
operational needs based on their unique threats. It would be useful, however,
if the Centers for Medicare and Medicaid Services (CMS) could provide
additional educate and guidance to help some covered entities reach an
understand of how best to implement the security rule.

Now some entities might be a code word for the smaller end of the
environment in some senses of the word. We have tripped across some basic
problems in key areas to focus upon.

Frequently, the co-chairs, meaning the security and privacy co-chairs,
observe simple and fixable problems at their client organizations; they observe
behaviors that are in conflict with organizational policy. Many of these are in
the areas of administrative safeguards. For example: Conversations involving
patient care and treatment conducted via speaker phones in offices with doors
open. PHI data posted on bulletin boards to enhance training and workforce
communication and sometimes we find social security numbers as well. Lack of
organizational policies and procedures, workforce members aware, or aware of
others using some of the newer portable devices such as jump drives, for media
storage; such tools often may not meet an organization’s security
controls. Organizations not conducting inventories of remote deices and storage
media and technology changes and hardware changes are happening all the time.
Passwords posted near computers or passwords shared by multiple workforce
members. Paper with PHI on it placed in confidential areas or recycle bins and
contents left for days or weeks before shredding. They have two containers. One
for regular trash and one for confidential trash, and nobody is picking it up.
It is available for people to use. Un-logged, unsupervised open visitor access
where PHI is available. Lack of, incomplete, or out of date disaster plan
recovery. Lack of formal audit process or program, and lack of regular,
periodic, security risk assessments, and security risk analysis with new tools
or new focus within an environment.

The industry and CMS should promote ongoing risk analysis, risk management,
auditing, and self-monitoring. These are all in the rule, but we find that they
are not necessarily happening. Compliance reminders and best practices could be
disseminated periodically. We have three areas that we think are important.
Organizations should consistently monitor HIPAA policy training of new
workforce, and existing workforce members should be provided regular updated or
refresher training. Organizations should track the length of time it takes to
remove system access for workforce members who leave he organization.
Organizations should develop routine reporting mechanisms for alerting senior
management about security incidents and effectiveness of sanctions.

The security rule defines a security incident as an attempted or successful
unauthorized access or use. When coupled with the requirement of security
incident reporting, it creates a perceived or actual need to report potentially
thousands of unsuccessful access attempts most organizations face on a daily
basis that are prevented by the use of intrusion detection and prevention
software. Redefining a security incident to exclude unsuccessful attempts would
simplify implementation of these parts of the rule.

WEDI can assist CMS in developing sample forms, checklists, and various
metrics so that covered entities can monitor their security compliance.

In the next section of the document we have a table more specifically
outlines some of the things that we think might be able to be considered as we
go into an area where we might get more guidance or perhaps a new NPRM, and I
am not going into those in effort of keeping myself to a certain timeframe
here, but I am more than willing to discuss. So I am on page four.

Privacy and Security can overlap within organizations. However, just as HHS
separates oversight of these Rules, many covered entity organizations address
Privacy and Security in distinct environments. For example, many hospitals
assign Privacy to the Privacy Officer or Compliance Officer, while the Security
becomes the responsibility of Information Technology. WEDI has consistently
suggested that organizations implement one set of policies and procedures to
cover all forms of PHI (electronic, paper and spoken information). WEDI would
like to investigate how the Security Rule requirements can be correlated to and
integrated with the Privacy Rule requirements. Doing so could make both sets of
requirement and their procedures more understandable of the staff members doing
the work.

Now as to the guidance document. WEDI regards the CMS guidance on
safeguarding PHI that is accessed remotely, published in December 2006, as an
important resource on the Security Rule and its requirements. The WEDI SNIP
Security and Privacy Workgroup has begun drafting a white paper on the CMS
Guidance to be released on May 16, 2007 at the WEDI Annual Meeting in
Baltimore. We are going to have a breakout session to discuss this white paper
and the guidance. We have invited CMS to join our presentation and they have
accepted.

Covered entities have reported that they like the list of standards
included in the initial security notice of proposed rule making. The Security
and Privacy Workgroup has drafted a crosswalk from the Guidance requirements to
the Security Rule requirements for the white paper. The Privacy and Security
Workgroup supports such tables and information as a way to further educate and
help the industry.

There has also been concern expressed from members of the industry about
the OIG intention to audit a Georgia hospital regarding HIPAA Security
compliance unrelated to an underling complaint or to a fraud and abuse review.

Now, I want to talk a little bit about HISPC. Linda is here. She is going
to talk a little bit more about it. I have had the good fortune—perhaps
not to be on two of these projects.

The Health Information Security and Privacy Collaborative projects have
focused on the variations of state law relating to the HIPAA Security and
Privacy Rules and on the efforts to implement electronic health records,
reinforcing the importance of basic security to the healthcare industry. Areas
covered in the initial HIPAA Security Rule such as standards for access,
authorization, authentication and audit trails could be expanded and addressed
within the Guidance Document. You are going to hear more about this from Linda.
Further clarification and/or assistance in some of these areas to the industry
greatly assist overall Health Information Exchange.

WEDI acknowledges that there are still many issues and questions in
security that remain to be addressed. WEDI is willing and able to leverage its
knowledge, industry expertise and resources to work in partnership with CMS to
address the challenges in security.

These are the following WEDI recommendations in this area. WEDI is prepared
to assist CMS in getting the word out about the Guidance document. We have the
following activities planned to support this outreach: A CMS HIPAA Security
Guidance white paper is scheduled for release at May 2007 Annual WEDI meeting
in Baltimore. A session scheduled at our May 2007 national conference titled
‘What does the CMS HIPAA Security Guidance for Remote Access Really
Say?’ An audio conference series in the late summer this year about the
CMS HIPAA Security Guidance document and its recommended implementation is also
scheduled. We don’t have a date for that. There will be a security
pre-conference to be held at the WEDI November 2007 meetings that are going to
be in Orlando, Florida. WEDI is willing to hold a HIPAA Security hearing in
order to further assess the industry since on these issues. The WEDI Board will
send the HHS Secretary its findings from such hearings. WEDI understands that
the guidance will shortly become an NPRM or there may be an NPRM about other
security issues. When it is released, WEDI would hold a policy advisory group
meeting and the WEDI Board will send the HHS Secretary its findings from the
PAG. WEDI is willing to collaborate with CMS in surveying the industry and
HIPAA Security implementation and remote access issues. WEDI is willing to
assist CMS in developing sample forms, checklists, and various metrics so that
covered entities can monitor their compliance. Thank you.

MR. REYNOLDS: Thank you Susan. Matthew?

Agenda Item: Health Information Security
& Privacy Collaborative

MR. SCHOLL: My name is Matthew Scholl. I am an Information Security
Specialist in the National Institute of Standards and Technology. I have been
asked to come and discuss a quick overview of remote access, specifically
secure remote access, what it means and what the issues are behind it. I have
slides which basically I’m going to use as talking points. I have left no
written testimony therefore I will leave no data remnants behind.

I want to start off with just some general definitions. One of the biggest
problems in the security world is generally we all start talking the same
things using different languages or we are talking different languages about
the same things and as such often we find people in violent agreements, so I
just want to set the landscape with some things here.

This is kind of what we are talking about as far

as remote access goes. Access by users (or information systems). One thing
to note here is that remote access does not necessarily limited to a remote
person of the workforce dialing in but as often as not it is machines or others
doing this automatically either for synchronizations purposes, scanning
purposes, or active polling purposes. This is an external entity connecting to
a system security perimeter by a security perimeter. By a security perimeter,
what I am talking about generally is a defined, discreet, known architecture
that is govenered by a common policies, procedures, work instructions, and
configurations from a security setting. So we are talking something outside
talking to the perimeter.

This is why we do it. Lorraine said it earlier, the main things we want to
focus on are confidentiality, integrity, and availability of this point of
data. It is important as we look at security and secure remote access that you
follow the data. It is all about the information and the information you are
trying to protect.

There are a lot of ways to do it and a lot of people do it in a lot of
different ways, and a lot of people do it in a lot of different ways very
effectively. That’s okay. Generally, the drivers that will decide the type
of remote access to use are the mission in needs of the organization.
Basically, what are you trying to do in order to support your mission? Is the
access you are trying to do remotely data intensive? Are you passing gigabytes
down across the wire? Are you just viewing data? Are you conducting database
accesses where you are actually going to conduct operations move, add, updates
or changes? Or you are just kind of viewing. Or you are just kind of viewing?
Or you are just doing emails back and forth outside the perimeter. Depending on
the needs and how those needs support the mission, generally will shape the
type of remote access and then the security restraints that need to be applied
to that access. Again, the availability of resources—when we say resources
generally we think of technology and dollars. This also has to do with people.
The heavy side to remote access dollar wise is not the establishment of the
technologies but the maintenance of it because of the diffuse set of
technologies, which can go on the far end, the end outside the perimeter. Often
the support aspects for your remote access can drive costs up. You have to
support everything from Apple OS10 to Windows 98. These things can get
expensive. Again, it has all been driven by what your tolerance for risk is.
What do you need to do to support your mission to get that information to the
remote force versus what is the extra risk that is going to be exposed by doing
this remotely and what are the benefits versus the trade offs for that mission
enhancement versus the exposure to the additional risk?

So with remote access, basically you are talking about three basic things.
Your communication capabilities, your networking, and your end points.

Communication capabilities are pretty straight up. However you connect to
them on the other end. The physical access connection again will drive some of
the technology decisions for the application of the remote access. You’re
talking cable, DSL, Satellite, Dial Up, Power Line, Home Wireless. A lot of
people think specifically about that physical machine or node connection to
that perimeter, but as discussed earlier, there are many other things which now
constitute remote access. Wireless phones, cell phones, Blackberries, PDAs,
Smart Phones, etc. People at home, working out of a home office, using their
900 to 1200 gigahertz wireless phone are susceptible to what I like to call the
baby monitor attack. That is just accidental. If someone actually has bought a
commercial, available, and legal scanner, they can dial in and listen all you
like. I’m often telling my wife when she is discussing certain things to
get off that phone and get on the princess phone depending on my tolerance for
risk for what she is discussing with her mother-in-law. This is especially true
now considering the mobility of the workforce and the devices that are being
used as discussed with Blackberry, Smartphone, PDAs, Mobile memory devices such
as the memory stick I have here, which by the way is encrypted. Email, just
because you are at home and sending email, many people think that is secure.
Email is not necessarily secure because it leaves one node and pops up in
another node, but email can be read, retrieved, and actually modified at any
point that it is sent in transit. Therefore, decisions need to be made about
email and how it is used whether or not encryption or more secure messaging is
appropriate or not. Remote access is not just that VPN, but it is all these
other things.

I am going very fast, I know that. Okay, VPNs, this is the heart and soul
that a lot of people think of as remote access. This is Virtual Private
Network. I think many people here are familiar with VPN. Basically, it is the
establish of kind of a private network but virtually. Hence the phrase Virtual
Private Network. What we are doing is through encryption methods establishing a
secure tunnel between that endpoint and that secure perimeter. Basically, there
are three ways to do it. Gateway-Gateway, Host-Gateway, and Host-Host. I will
quickly touch on these three.

On a Gateway-Gateway, what you are doing is you are talking securely in
that virtual network privately to the exterior of the perimeter to a gateway
device to another perimeter’s gateway device and establishing a secure
tunnel for the duration of that transmission. Think of it as a perimeter to
perimeter transmission. The information or the data that is transmitted within
the perimeter is not necessarily secure. This is most common in enterprise to
enterprise communications. These devices are often called VPN Concentrators.

Host-Gateway is when an individual, a laptop, has a VPN application onboard
and this host talks to an enterprise at the perimeter. It is the laptop talking
to that VPN concentrator, a firewall, at the perimeter of an organization and
establishing a secure tunnel.

The last way is Host-Host whereupon two individual hosts, a workstation to
workstation, both of which perhaps using application level VPN technology to
talk to each other securely. For example, you send a secure digitally signed
email to a friend who then has your key to open it and read it, that might be
an example of a host-to-host VPN.

There are lots of different ways to do a VPN. From the lowest level all the
way up to the highest level of an application level VPN. You are most familiar
with this when you go to Amazon and you buy a book and you get the little lock
in the side and it has the S and the HTTPS and that makes you feel warm and
fuzzy. That is an application level VPN that you are establishing to a gateway
at Amazon when you make that secure order, hopefully.

I have encryption there at the bottom. Encryption is generally the method
through which these Virtual Private Networks are established. In reality, you
are not building a dedicated circuit and locking down your own private tunnel
from you to the enterprise. What you are really doing is through a method of
encryption, sharing secrets with the sender and the sendee that allows for a
virtual private network. Really, these are done through different public, yet
very secure methods of encryption. These VPNs as well as the use of encryption
beyond VPNs allow for that earlier tenant of confidentiality of data to be
shared. It facilitates the availability of data to that remote workforce and it
ensures the integrity of the information by protecting it against certain types
of attacks such as replay, man in the middle attacks, and it also allows data
to be signed or hashed which allows for the integrity of the data on the
receiving end to be evaluated so you know that that data is correct, at least
from the sender’s point of view.

The issue with remote access not only is the fact that it is not just the
tunnel or the VPN anymore, but it is the endpoint. It really comes down to
securing the node. You can secure the transmission. You can secure the link
between the node and the perimeter. The question is what kind of node are you
going to allow to your perimeter? This is a list of things which are generally
good things on those endpoint nodes. The level of fidelity you find within the
home user or the home office varies depending on who it is. If my
brother-in-law who lives on my couch is gambling online at 2:00 AM, the
fidelity of the machine that he is using probably should not be used for
establishing a VPN to a secure workforce. It all depends again on the level of
trust and the tolerance for risk of the enterprise.

Who is using these machines? Are your children using them? What are they
doing with them when they do use them? What do they download? How many of you
have Skipe, that nice little Internet phone technology at home? Are you aware
of what that does to your machines? Is your anti-virus up to date? Do you have
anit-spyware onboard. These are all considerations that need to be taken on the
node. How many of us have used a hotel kiosk to access a VPN? How many of us
have used a wireless point, perhaps off of Starbucks? As was discussed earlier
with EPHI being discussed openly—are you surfing it or looking at in a
public forum where other people can show their surf? These are all
considerations, which need to be done as you look at the security of the node
in remote access.

Issues. A lot of these have been discussed. This is a fast evolving
technology as this is seen as a large market space for many providers. Again,
training, the biggest thing on the other end is the users. You may make the
availabity of VPNs, but whether or not they are established correctly is a
whole other issue. Awareness, are they using it correctly and where are they
using it from? Again, are you doing it in Starbucks or are you doing it at home
in your home office? I talked about solution report. Can it be supported?
Generally, your endpoints are the weakest link because they are the items of or
which you have the least control.

These are future trends. Expanding report as well as expanding usage. I am
going to hit on the third bullet really quickly. Increasing usage of two-factor
authentication and I want to make sure this is clear. When I talk about
two-factor authentication, I don’t mean using a password a second time.
That is single factor being used twice. I am talking about a password and then
something else being biometric like a fingerprint or a token, like a smartcard.
Something you know or something you have or something you are, one or two of
those three items for multifactor authentication. Refer the committee to
memorandum. OMB’s memorandum MO616 which came out from OMB which was
specific guidance to federal agencies on conducting remote access whereas the
federal government is now requiring multifactor authentication for all federal
agencies who are accessing what they call sensitive information remotely.
Multifactor authentication is coming hard and fast as well as the federal
initiative for Personal Identifiable Verification known as PIV Cards, which are
currently being deployed across the federal US force which is that token based
second item which is being deployed. The last bullet also is remote access is
being seen not only as being able to expand the mission to a geographically
dispersed workforce, but it is also being leveraged for disaster recovery and
business continuity planning. When assets and information is consolidated, it
is inherently vulnerable to physical threats. As such, remote access is an
effective—can be an effective method for mitigating certain threats to
businesses and assist in business continuity during disaster situations.

There are a couple references. If you could click on those, it would take
you through them, but you can’t. You may find all of these on
CSRC.NIST.GOV if you wish to look them up. I spoke very quickly and it was a
lot of information and at the end I will entertain any questions that
aren’t too hard. Thank you.

MR. REYNOLDS: Okay, thank you. Linda?

MS. DIMITROPOULOS: Good afternoon. I’m very happy to be here today to
talk about the privacy and security contract. There are a number of people in
the room who are perhaps even more intermittently familiar with the contract
than I am. Jeff Blair certainly with the New Mexico group, Sue with
Massachusetts and New Jersey, Walter Suarez is around and he is part of our
technical advisory panel, and I am sure there are probably others I am
omitting. In any case, the goal today is just to provide a very brief overview
of the current status of the project along with a few highlights of some of the
issues the state teams are working on. Perhaps if we have time, an example from
one of the states. We also want to touch on some of the key areas related to
security that the teams plan to begin to implement this year.

Current status: the 34 teams have submitted final reports in the past
couple of weeks. One is the assessment of Variation and Analysis of Solutions,
and the other is a Final Implementation Plan. We are in the process of creating
a summary and an analysis of those reports. It is some 10,000 pages of
information that needs to be analyzed and summarized. You can forgive me if I
am a little scattered. It is a massive undertaking. The final reports are
due—the summaries are due to AHRQ and ONC on May 15th. We have
a final nationwide summary that is due at the end of June that will include all
of the information and then some.

One of the initial tasks, the information here is really from the interm
assessments. We are still working through the final reports. One of the
purposes of the project was to conduct an assessment of variation of business
practices and policies and state laws that create barriers to interoperability,
and along with finding many sources of variation that need to be harmonized, we
also found that many organizations are just beginning to think about the
practices and policies that need to be in place for widespread inter
organizational exchange. There is ample opportunity here to bring those
organizations together, and while they are making those decisions, moving
forward and perhaps reduce variation or eliminate it going forward. Mitigate
it. In terms of variation, the HIPAA—the flexibility built in. Variation
is a natural outcome. The organizations need to work through and come to some
common agreement on some of that. The HIPAA Privacy Rule, we have been talking
about quite a bit, and in fact most of the states focused on the HIPAA Privacy
Rule, but the Security Rule suffers from the same limitations on applicability
as the Privacy Rule. IN addition, I should mention that it only applies to
electronic information. It is just the variation and the applicability of it
because of the flexibility built in. So it is kind of a double-edge thing going
on. The majority of state teams that addressed security as an issue focused
primarily on technical and physical security and very little emphasis was
placed on administrative security issues. Many of the teams expressed a lack of
knowledge and significant concern related to the technologies that are
available and the associated administrative processes and liabilities.

Nearly all of the state teams raised issues related to State Privacy Law,
but not so much related to State Security Law. About three quarters of the
state team was reported that it is a lack of a common method for authenticating
individuals that created mistrust between the organizations and reduced a
comfort level with other organization standards and policies regarding who may
authorize access. Consumers are primarily wary of the system. Providers,
liability, it’s from a mixed bag. In terms of cultural issues, a number of
states reported that the concern about liability for incidental or
inappropriate disclosures causes many of their organizations to take a
conservative approach to the development of their practice in policy and a
number of the state teams, including Minnesota, reported that their
state’s patient consent requirements placed responsibility and liability
for the appropriate release of information on the healthcare provider that is
releasing the information and no responsibility at all on the healthcare
providers that are requesting the information. Minnesota is working
on—they have legislation and committee to kind of even out the balance
there. Stakeholders are also reporting that they are concerned about policies
that govern their rights to access and control of the data. There is a tension
between who has what rights and control between the healthcare providers, the
hospitals, and the patients.

As we look—We looked through the Enter of Analysis of Solutions
Reports we found that the solutions really fall into four major categories.
Those that address changes to practice and policy, to facilitate inter
organizational operability. As an example, state teams are looking at uniform
consent policies. It is one of the highest priority items. This is also the
bucket where we have categorized state teams plans to develop comon policies
procedures and contracts with business associates and to build trust related to
security. The next major category is legal and regulatory changes. There are
some proposals to modify state statues. The state teams are proposing changes
to state laws. For example, permitting digital signatures. Once again, patient
consent for treatment, some say it is proposing to modify state statutes to
resolve differences regarding when and how patient consent is obtained and
documented. In terms of technology and standards, the third bucket, and again
using consent as an example, the state teams are working to describe the
mechanisms needed to communicate permissions provided with the consent to
access use, collect, or disclose healthcare information which includes
consideration such as the variation of state consent laws and also the special
protections for sensitive data. The state teams also recognized the need for
standard data format that would support segregation of sensitive data. The
fourth bucket is education and outreach. Continual education of staff and
training, but it is also—is this process is cartelized a lot of
discussions among stakeholders in states who haven’t even had these
discussions before. They are just beginning. There is a recognition that in
order to get by in a concensus that they need to continue that outreach through
education of those they need to get by and from so there is a lot of emphasis
on education.

Walter Suarez, part of our team, pulled together a table for us to just
give a sense of sort of a broad cut of the number of states who are working on
any given piece of this puzzle. You will see education is at the top of the
list with 25 states proposed plans for education and outreach programs. These
tables are ordered by frequency from high to low rather than by topic. You can
see we have 24 states working on some aspect of the 4 A’s. We have got 18
state teams working on patient identification issues. On the next slide we have
16 teams working on governance and leadership. Primarily those are states who
are really getting started in recognizing that they need a central coordinating
body and some leadership within their state. We have 15 teams focusing on legal
and regulatory issues at the state level and 14 states that are working through
issues related to federal regulations and 12 states are planning to work on
issues related to protecting sensitive data. I mention Connecticut because they
are working on establishing a uniform statewide electronic process for patient
authorization to access and disclose health information which includes
mechanisms for determining data content sensitivity when sensitive content are
imbedded in textual content are implied by data values.

This slide we have 12 states who are looking at differences between HIPAA
privacy rules and state law and trying to make some sense there of what is
going on and to some extent develop policies to work through some of that. We
have 11 states working on a variety of issues. We have 9 states working on
issues related to exchanging Medicaid data, 7 states that are working through
issues related to access to data by law enforcement and 4 states that have
recommended the creation of an interstate leadership group, which since the
recommendation was made in parallel with a launching of the state Health
Alliance, I think we have that one resolved.

On this slide we have a quick look across the final implementation plans
that were submitted by the states. It shows that the following areas are going
to be a focus of at least half of the participating states as we move into
implementation. Patient identification is a big one. New Jersey has plans to
implement a standard patient identifier using a master patient index. New
Jersey is also moving ahead on defining standard set of VHR elements.

Again, the four A’s are going to be the focus of about 70% of the
state teams, and a subset of those will tackle issues related to access and
management of sensitive data. Stakeholders have identified current inadequacies
in existing applications used to manage data including EHRs and data
repositories that require them to print out copies of the record and redact the
sensitive information manually because they weren’t able to segregate it.
That is part of what is sort of driving that focus on sensitive information.
Several state teams have also indicated that nonexistent or poor audit problems
were a challenge and that is going to be the focus of their work.

I did include an example of an approach that one of the states is using
here. It is from Minnesota. They have approached this work in a very systematic
way that brings their stakeholder organizations together into workgroups that
are developing the policy framework or statewide health information exchange
and they have identified two key barriers that they plan to implement. One is
the need to clarify when and how patient consent needs to be collected. They
have some very strict state laws with their guard to consent. The second is
again the 4 A’s as defined in this slide.

Their workgroup charge is to develop a conceptual solution that describes
the characteristics and requirements for a solution for each of the 4 A’s.
Identify specific policies and procedures and mechanisms or technologies that
meet the characteristics or requirements and develop action plans to implement
those policies or mechanisms. What is guiding their work is a set of
principals. They have developed a set of principals for authorizing and
authenticating individuals and setting access controls and auditing in a health
information exchange. Their principles need to be agnostic with regard to
specific technologies and architectures. Time and variant to avoid obsolescence
and scalable to accommodate small and large models. They also have charted
workgroups and provided some mechanisms for pulling in information that is
being gathered from lessons learned and best practices from others going
through this process. Paying attention to what HIE is doing. In some of the
states that we work with HIE was a big what? This is an important piece of
this. The goal is to share this information broadly across the state teams as
they move into implementation so that we don’t have any of them sort of
recreating or creating more variation out there. We really like to sort of
harmonize that.

They have a set of 19 principles they have developed. There are four
including in these slides, but for the sake of time I am not going to read
through those. I would just like to go through the moving forward slide and
just sort of close out with—this project we have catalyzed a lot of
discussions across the country and not just among industry insiders, but across
a wide range of stakeholder groups who frankly haven’t talked about this
before who are now engaged in lively debate and are slogging their way through
this. We are hoping to be able to pair them up and we have got—states are
just starting out involved in this. We have got states who are in the middle
who are really doing a great job. We have got states who have been doing this
for a long time. So by bringing them all together, we have an opportunity to
leapfrog the ones that are starting up forward. I think we can make some real
progress. There is more information at both of sites. At the AHR site and if
you are interested in more on that Minnesota report that I borrowed, then that
is located there.

Agenda Item: Wrap up and Adjournment

MR. REYNOLDS: I would like to commend you as a team. A very few times do
you have a security presentation that is understandable, concise, focused, and
you are a wonderful self-monitoring panel. You actually got done on time, which
leaves us almost twenty minutes for questions. That in itself is a brand new
event for us.

MR. BLAIR: Let me wait.

MR. FITZMAURICE: I guess I will address one to Matthew and one to Linda.
The one to Matthew is quick. You mentioned three factors, something I know I
have where I am. Are there other factors, or does that pretty much cover it?

MR. SCHOLL: That pretty much covers it.

MR. FITZMAURICE: Four Linda, I went to the conference where the states were
all brought in and they get up and the presented. It was a state run conference
and a good partnership between AHRQ and the Office of the National Coordinator.
Linda really made that run well. I was amazed by how much of this
cross-dialogue had not taken place in the five to ten years since then. It was
like opening up a vacuum and letting groups come together with common problems
and work toward common solutions. When is your contract over and are there any
plans to continue this collaboration with the states, or is that not being
pushed HIE?

MS. DIMITROPOULOS: The plan right now is for the work to move forward. We
have just extended the states contracts by two months. The Office of the
National Coordinator has announced funding to fund a foundational piece of
these implementations for about six months. We were able to extend these states
contracts right now so they could focus on a piece of what they submitted as a
six-month plan. We are now waiting in the paperwork.

MR. FITZMAURICE: The states are to look at the policies, the practices, and
the laws that they have within state flow of information. Are those reports due
in June from the states?

MS. DIMITROPOULOS: The reports from the states have come in. We are working
on creating the summaries which are due to AHRQ in the middle of May and end of
June.

MR. REYNOLDS: Lorraine, you started us off. What do you need from us?

MS. DOO: Ideally, if you believe that a modification or additional rule
making on security to address issues that are coming up with health IT that
this body would consider that and make such a recommendation as it is part of
the regulatory process. SO if you deemed it appropriate given what is going on
in the industry not just from the enforcement standpoint but from the changes
that we need to be more explicit. That is what would be more helpful.

MR. REYNOLDS: Is that the general feeling of the

whole panel?

MS. MILLER: I think the industry needs at least some more guidance as was
put out in December. I think you heard us say that there are specific areas of
the rule that WEDI would support changing, but that is a policy issue and I am
going to defer to Mike on that.

DR. UBL: I’m not here to talk about any policy. I think it is more
about what you heard today. There are issues there I think that need to be
worked through and policies developed.

MR. BLAIR: I want to chime in behind Harry what it is we can do for you and
let me offer a few areas which might be areas so that you can maybe react to
it. One of the areas that appeared to not be clear when we went through HIE
privacy and security project was whether health information exchange networks
were covered entities or not. That is one question. I am going to give you to
or three and you can tell me whether any of these are areas that are important
to you. Another is whether personal health records are covered entities or not
and whether that is an important issue. A third area that maybe you feel NCVHS
should focus on in terms of recommendations are centralized or shared
authentication for a community-wide consistent, standardized, authentication
procedure relative to a health information exchange network. I have given you a
few, so you can sort of see where I am priming the pump here because a lot of
our privacy and security focus has been on individual institutions, but when
you start to go health information exchange networks it raises other issues.
That is where I am wondering if you have areas where you feel that NCVHS should
focus?

MS. DOO: I’m sure everyone has a comment on that, but I will at least
start off. The issue of health information exchanges and PHRs being covered
entities is in fact going under pretty significant discussion with our consumer
empowerment workgroup and the confidentiality privacy and security workgroup
because one could easily off the cuff say, if the tool is offered to buy a
covered entity such as a health plan or a provider, therefore as a covered
entity that tool is responsible for meeting the requirements of the privacy and
security rules. The health information exchanges get more complicated because
they are not necessarily run by a covered entity and yet they are operating
with covered entities who have obligations. What our workgroups are trying to
do is to literally make a matrix of where does the data start? Where is it
going? Who has what responsibilities? Then to determine what policies are we
going to need to put in place? There is significant debate going on related to
that. The Office of Civil Rights is involved and obviously the Office of the
National Coordinator as well. Your concerns are well founded and it is not
unrecognized.

The issue of centralized and shared authentication, again at this health
information exchange level, but this shared credential is something that these
groups are trying to sort out and come up with appropriate polices that would
cover these very highbred entities. Who owns? What is the source of the data
and these entities? Under whose laws do they come? Where is the jurisdiction
going to be? It is bad enough that it is federal and state. That is also under
debate. If NCVHS wanted to have additional hearings on that kind of topic and
have more of the detail, that probably would be of interest to you.

MR. SCHOLL: My survival generally depends on my violent avoidance of policy
questions and as such I will avoid question one and two. The federal government
in this has done a lot of work in central federated authentication
architectures. This is also a space where you see not just the healthcare
history but industry as a whole moving very quickly, especially in web
technologies and service-oriented architectures. When you look at health
exchanges. That system to system, it really smells a lot like a web based
service oriented type architecture in which case there is a need for trust
federations to be established to allow for that kind of cross-credentialing and
access control and authentication. There are a lot of technologically feasible
ways to establish that. Decisions need to be made at a policy level in order to
enable those technical implementations. The people who have most strides in
this area, believe it or not, are DOD. They have done some significant work in
service-oriented architectures and trust federations and they might be an
appropriate model to look at.

MR. BLAIR: I really echo Harry’s appreciation for everybody’s
testimony. There is one individual that I work with and Linda Dimitropoulos has
headed that up. It has been tough. She has had a number of parents to be able
to be accountable to, and above that, some oversight, it has been extremely
difficult. I would like to make a special commendation for the way, after all
these difficulties, Linda you have lead this project to a point where it is
coming out with a set of recommendations that are implementable that will be
useful and I just wanted to compliment you.

MR. REYNOLDS: Michael?

MR. FITZMAURICE: I have another question from our expert from NIST. One of
the things you said was email may not be secure. My understanding of
rudimentary email is that I type an email to Simon, I am here and he is
California. It goes and gets broken packets and they get collected back over
where Simon is. Now, could somebody be sitting at St. Louis and put a tap
across the middle of it and collect those packets? I know it is easier to do it
when I send it or when Simon receives it. Can you do something in the middle?

MR. SCHOLL: Yes.

MR. FITZMAURICE: What is it you can do?

MR. SCHOLL: As those packets travel, there is

generally unless there is unusual circumstances, set or known routes, main
routers, major DNSs through which traffic will pass. The packets as they travel
are also marked. Even though they are split up, they are marked as far certain
things within the data header to identify where they are coming and where they
are going. The middle points to where they are being transmitted. As such, it
is possible to capture and reconstitute them. It is depending on the threat
doing it, but the threats these days are significant and have significant
resources and sometimes are operating at nation state level. If they are
perhaps passing through another country, they are perhaps being collected,
reassembled, and read. Another even more significant and even more real threat
is that that email you are sending, are we sure that it is really from you? It
is quite simple to spoof your email and send it out whereupon the integrity of
the message could be in question. That is an even more direct threat. Without
encryption it can perhaps put email in jeopardy.

MR. FITZMAURICE: I hate to go home scared.

MR. REYNOLDS: Again, thank you to all of you. Tomorrow is part of our
deliberation. We will discuss this as what our next steps are.

DR. WARREN: It is going to take me a while to process what everyone said,
but if while you are thinking about what our committee does, if there are
specific things that you would like us to consider, could you send those to us?
I guess I didn’t hear any specific stuff today. It was mainly reports of
what has happened.

MR. REYNOLDS: Before we adjourn, we are going to put the last couple of
sentences of the letter we discussed earlier today. We have redone those. We
are going to put them up on the screen. We will take a quick look at those to
make sure we are heading the right direction and then by tomorrow we can have
another finalized letter and move forward.

DR. OVERHAGE: Mark Overhage has to drop off. I will see you all personally
in the morning. Thank you very much.

MR. REYNOLDS: Okay, if everyone will turn your attention to the screen
please. Denise, why don’t you put us in context as to where this
information is going to go please?

MS. BUENNING: This paragraph would basically replace the last paragraph
before the sign off which starts NCVHS endorses the proposal. This is a
compilation of comments from a variety of the staff and the subcommittee
members that was submitted to me earlier today. I’ll read it.

The NCVHS endorses the spirit and intent of the proposal and asks that the
department investigates how the proposal could be integrated into the HIPAA
updating process. This would ensure a predictable and timely process, while at
the same time maximizing opportunities for public/industry input. The
department should investigate all appropriate options under the APA to shorten
the time for the regulatory process.

MR. BLAIR: One is I think we should be specific in saying this relates to
the HIPAA transaction standards. Is that okay to add that?

DR. COHN: I guess it would be the HIPAA transaction standard updating
process.

MR. BLAIR: The second one was that was there some reason why we have chosen
not to indicate that we want to encourage comment at that standards development
level?

MR. REYNOLDS: By endorsing the proposal—because the proposal includes
a significant discussion on input throughout that process from the public and
others.

MS. BUENNING: The NCVHS endorses the spirit and intent of the proposal.

MR. BLAIR: I would feel more comfortable saying endorses the public—

MS. BUENNING: Is there a reason to add that in?

DR. COHN: I actually wanted to stay out of the specifics because I think
you will be excited. We really want to get into the specifics. I fully endorse
the spirit and intent of the proposal which is the streamline, produce,
predictable, and timely process. If we want to get into debate every paragraph
of the actual proposal. I was going to move up a level. Recognize that the
department needs to identify what they can do and what they can’t do.

MR. REYNOLDS: The proposal itself is very specific about what it wants to
do and with the APA laid over top of it, the department could come out with an
approach. Any other changes to this? You will see the letter in the morning
looking very much like this.

MS. BUENNING: There were some additional changes that were submitted by
Justine with regarding to the numbering on the first page of the process steps.
She had made the recommendation that instead of having step one and step two,
that we make one 1A and two 1B and then 2 and 3 follow after that.

MR. REYNOLDS: Are you comfortable with how that flows? Okay, then what we
would like to do—we will give everyone a new draft in the morning and
adjudicate it then. That will be good.

Simon, to catch you up quickly, we had the NPI testimony while you were
gone and the committee did recommend that we will be sending a letter forward
and try to get it done for the June full committee on two of the
recommendations that are in there. We will go through those with you in length.

Is there any other business for today? If not, we are adjourned.

[Whereupon, at 4:35 p.m., the subcommittee meeting was concluded.]