[This Transcript is Unedited]
NATIONAL COMMITTEE ON VITAL AND HEALTH STATISTICS
SUBCOMMITTEE ON PRIVACY, CONFIDENTIALITY & SECURITY
“Personal Health Records”
May 21, 2009
Hubert H. Humphrey Building
200 Independent Ave, SW
Washington, DC 20201
CASET Associates, Ltd.
Fairfax, Virginia 22030
- Introductions and Opening Remarks – Leslie P. Francis, PhD, JD, Co-chair and John Houston, JD, Co-chair
- Panel IV – Plans and PHRs
- Joy M. Grossman, Ph.D., Senior Health – Researcher Center for Studying Health System Change
- Christopher B. Sullivan, Ph.D., Admin, Office of Health Information Technology, Florida Agency for Health Care Administration
- Bruce H. Taffel, M.D., VP, Chief Medical Officer, Shared Health
- Panel V – Providers and PHRs
- Gail L. Graham, RHIA, Dir. of Health Data and Informatics, Veterans Health Administration, Dept of Veterans Affairs
- Anna-Lisa Silvestre, M.P.H., VP, Online Services, Kaiser Permanente HealthConnect
- James M. Walker, M.D., FACP, Chief Health Information Officer, Geisinger Health System
- Matthew K. Wynia, M.D., M.P.H., Director of the Institute for Ethics, American Medical Association
- Working Lunch/Discussion
P R O C E E D I N G S (9:00 a.m.)
MR. HOUSTON: Good morning. I along with Leslie Francis, are the co-Chairs of
the Subcommittee on Privacy, Confidentiality, and Security for the National
Committee on Vital and Health Statistics. NCVHS is a Federal advisory committee
consisting of private citizens that make recommendations to the Secretary of
HHS on matters of health information policy.
On behalf of the subcommittee and staff, I want to welcome you to the second
day of hearings on privacy, confidentiality, and security of personal health
records. We will begin with introductions of the subcommittee staff, witnesses,
and guests. Subcommittee members should disclose any conflicts of interest,
others need not do so. I’ll begin by noting that I have no conflicts of
DR. FRANCIS: I’m Leslie Francis. I’m at the University of Utah and I’m a
member or co-Chair of the Subcommittee and a member of the full Committee and I
have no conflicts.
MS. BERNSTEIN: I’m Maya Bernstein. I’m the privacy advocate of the
Department. I work in the Office of the Assistant Secretary for Planning and
Evaluation. I’m the lead staff to this subcommittee.
MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield, North Carolina.
I’m a member of the Subcommittee, Chair of the Full Committee, and no
MS. MILAM: Sallie Milam, West Virginia Health Information Network and the
West Virginia Healthcare Authority, member of the Subcommittee. I’m an N2
DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the
Subcommittee. No conflicts.
MS. KHAN: Hetty Khan, National Center for Health Statistics, CDC. I’m staff
to the Subcommittee.
MS. CHAPPER: Amy Chapper, Centers for Medicare and Medicaid Services, HHS,
staff to the Subcommittee.
DR. TAFFEL: I’m Bruce Taffel, Chief Medical Officer, Vice President for
DR. GROSSMAN: Hi, I’m Joy Grossman. I’m a senior health researcher at the
Center for Studying Health System Change, which is a nonpartisan health policy
research organization in Washington, D.C.
MR. HOUSTON: Chris Sullivan, are you on the phone?
DR. SULLIVAN: Yes, I am. This is Christopher Sullivan. I am the
administrator of the Office of Health Information Technology in the Florida
Center for Health Information and Policy Administration at the Agency for
Health Care Administration in Florida. I have no conflict of interest.
DR. FRANCIS: While we’re at it, is Gail on the phone?
MS. HORLICK: Yes, this is Gail Horlick at the Center for Disease Control and
Prevention and I am staff to this subcommittee.
MS. WATTENBERG: Sarah Wattenberg, Senior Public Health Analyst from
Substance Abuse and Mental Health Services Administration. I’m staff to the
DR. SUAREZ: I’m Walter Suarez with the Institute for HIPAA and HIT Education
and Research, a member of the Subcommittee and no conflict.
(Introductions around the room.)
MR. HOUSTON: Thank you and welcome to everybody. As I discussed yesterday, I
would like to give a brief background on the purpose of these hearings. As you
are aware, great emphasis is being put on the improvement of quality care,
while controlling health care costs. Part of these reductions are hoped to
occur through the adoption of electronic health records systems and the
efficiencies that come through their use. Along with the adoption of electronic
health records systems, there is a significant interest in the deployment of
personal health record systems. Hopes for PHR’s include better management of
chronic disease and greater patient participation by patients in their care.
At the present, these personal health records systems come in a variety of
forms. We anticipate more forms in the future, including greater integration of
PHR’s with EHR’s. For right now, PHR’s include PHR’s that are tethered to
provider-based EHR’s, PHR’s that are tethered to pair-based claim systems, free
standing PHR’s, which may be hosted by such entities as Google, Dossia,
Microsoft, and others and generally use PHR’s that are tailored towards chronic
It is likely that there will be a significant change in consumer facing
health IT over the next five to ten years and that these changes will continue
to raise important issues for privacy and security. These hearings are intended
to explore the privacy, confidentiality, and security requirements of PHR’s and
consumer facing health IT today and in the future. The first two panels today
will speak to various kinds of PHR’s and the privacy and security issues that
they have encountered. The third panel will discuss privacy related to federal
PHR demonstration projects–that’s June 9th? Sorry. My apologies. So
we only have two today. Sorry about that. I got ahead of myself.
Invited witnesses will be asked to limit their remarks to five minutes if at
all possible. After witnesses on each panel have testified, we should have
ample time for question and discussion. Witnesses may also submit additional
written testimony to Marietta Squire within two weeks of the hearings. At this
time, if anyone has their cell phone in the on position or any other electronic
device that would interfere with navigation or hearing, please turn them off.
We will be broadcasting via the internet today, correct? So welcome those who
are listening. Again, we are also being recorded as well and are being sent to
people on the telephone so I would ask that everybody speak clearly and at a
level that can be heard.
With that, we are going to start the first panel. I don’t know, Bruce or Joy
or Christopher, who wants to go first? Want to go with Joy?
DR. GROSSMAN: I would like to thank the Subcommittee co-Chairs, the members,
and the staff for the opportunity to speak with you today. My comments are
going to be drawn primarily from a study that was funded by the Robert Wood
Johnson Foundation that was published in the March-April 2009 issue of the
journal Health Affairs. This study looked at 12 health insurers that were
offering personal health records and I just wanted to note that we excluded
Kaiser Permanente and other health plans like that so this is really looking at
commercial insurers. A copy of the study, I believe, was submitted to the panel
in advance. I wanted to acknowledge my co-authors, Teresa Zayas-Caban of the
Agency for Healthcare Research and Quality, and my colleague Nicole Kemper.
I’d like to briefly summarize some of the findings and highlight a few of
the implications that I think are relevant for the work of this subcommittee
and I’m happy to discuss the findings in more detail during the discussion
period. As with most PHR’s out there, the health insurer PHR’s are new and
evolving products and they vary substantially in design, but we can draw a few
trends from the information that we collected.
First, insurer PHR’s are adding data and functionality. Most are beginning,
either have or are in the process of planning to auto-populate the PHR’s with
claims-based medical records and a claims-based medication list. Plans are also
moving to provide actual clinical laboratory results. Second, plans are giving
enrollees the capability to allow their physician to access their PHR
electronically. Some plans are actually also developing a separate physician
portal that gives physicians access to the claims-based data, but not to any
data that is entered by the enrollee directly. That would require the enrollee
to provide access. Some of those portals are being marketed specifically to
physicians or emergency rooms and other Medicaid providers, which I think Bruce
will talk about. Lastly, health plans are beginning to integrate applications
into PHR’s. The most common was clinical data support, for example drug-drug or
drug-allergy alerts and preventive care or other gaps in care reminders. Those
were going both to the patients and to physicians in many cases, and they
relied on both the claims-based data and the data entered by the patient or the
enrollee. Some plans were also beginning to use the data to identify patients
who were eligible for disease management programs.
As with the kind of data and the functionality of the PHR, there was a lot
of variation in the control of the PHR data, which I know is of interest to
this panel. Just sort of globally, it is true that in general insurers
typically gave enrollees control over third party access to the patient-entered
PHR data and a fair amount of control over what data elements are shared. At
the same time, the health plans, themselves, gained consent for insurer access
to the enrollee-entered data as a condition of participation, typically through
the privacy agreement and sometimes through specific agreements entered into as
part of participating in a care management or disease management program.
There’s a lot of detail that we collected on these different types of issues
and we can talk about that more in the Q&A period if you’d like. For
example, in terms of sensitive information, about half of the plans excluded
some type of sensitive information. That really varied across the board. The
other plans typically provided that data to consumers. Some restricted the view
of providers and may or may not have given the consumer the opportunity to
reveal that data to providers if they so chose. There’s other examples like
that in terms of the variation.
At the time we did the study, there was really no data portability, no
ability to export this data to any other PHR’s. There was obviously discussion
I think people are aware of among the health plans in terms of coming up with
standards to be able to do that. Two of the plans announced around the time of
the study that they were developing relationships with Google or Microsoft. I
think those relationships typically were to export the data. I don’t know that
there were any to actually import data into the health plan PHR’s.
In terms of the potential benefits and limitations to patients and
physicians, we weren’t really able to identify users because these were so new
so we spoke to consumer representative and physician IT experts in local
communities across the country typically involved in health information
exchange or other efforts. In their view, from the consumer representative
perspective was that these insurer PHR’s address a major hurdle in consumers
using PHR’s because they auto-populated the data. At the same time, they felt
that consumers had a general distrust about sharing personal health information
with employers and health plans as well as concerns about internet security and
so perceived these as serious barriers to wider adoption and use of these
products. On the physician side, they had–I know that you discussed yesterday,
in terms of data quality issues that physicians are concerned about using
claims-based data for treatment purposes, although in the absence of other data
many acknowledged the value of having at least some data to start with at the
basis for talking with their patients. In addition, though, they saw serious
workflow barriers to being able to access this data and then to be able to
absorb it and review it in the context of a pressured patient encounter. So,
again, they saw serious barriers to being able to use this data.
In terms of thinking about what kinds of things might be able to improve or
expand uptake of these products, the people that we spoke with had some ideas.
Clearly the health plans are aware of these barriers and working to try to
design the projects to make them more accessible to the user so they’re
targeting. Obviously you’re going to be hearing from the public payers as well
that Medicare is doing a similar kind of thing.
So some of the things that we identified were developing a clear,
understandable privacy policies, specifying for example how the data will or
will not be used. In the case of insurer PHR’s, you can imagine being very
explicit about whether employers have access to this data and whether the data
will be used to impact on premiums, restrict coverage, or curtail benefits. A
second tool that some plans were using, which was real time audit tools to be
able to allow enrollees to identify who has access to their PHR, rather than
submitting a written request and waiting for disclosure of information at a
later date. Third is supporting the portability of PHR data to other platforms
or application. One could imagine the reverse also allowing data to be imported
into a health plan, a health insurer PHR. I note this in particular because
some of the consumer representatives suggested that health plans really have a
potential role to play in providing unique tools to patients to help them
navigate the health care system, understand their insurance benefits, and
manage out of pocket costs. I think some health plans were sort of forward
thinking in this direction, but not a lot has been done to integrate the other
types of tools that they have on their websites with the PHR. One plan did
mention that they were in the process of integrating a cost-estimator and a
condition specific provider search engine into the PHR to leverage the data for
I think on the physician side, physicians noted that with this data and some
of the plans with this data portability, it would be possible, potentially, for
physicians to be able to auto-populate their EMR with data that they thought
was valuable. I think that from the workflow barriers and the value of the data
issues for providers, this is really reflective of a broader problem that we’ve
identified in a number of studies that we’ve done, which is that providers are
increasingly being able to get access to electronic data, either from hospital
portals or from a large reference lab they use or from health information
exchange or from some potential PHR products, but it’s a lot of different
things coming at them and very few of these products cover all of their
patients or for any given patient, cover all of their care. So there are going
to be barriers, even when you resolve the interoperability issue, to figuring
out how to absorb this data in a workflow and what you’re going to import into
I think with that I’ll just conclude and I’m happy to answer more detailed
questions about the privacy or other issues.
MR. HOUSTON: Thank you very much. Bruce?
DR. TAFFEL: Okay, co-Chairs Houston and Francis, members of the
Subcommittee, fellow panelists, I appreciate the invitation to join you for a
discussion on a topic that stands, I feel, at the intersection of our nation’s
goal in health care and that is improving care, reducing costs and of course
the vital mission of this subcommittee, protecting privacy.
My name is Bruce Taffel. I am the Chief Medical Office, Vice President of
Shared Health. We’re one of the nation’s largest public/private Health
Information Exchanges. I am here first and foremost as a physician and I know
the quality of medical care surely depends on the quality of medical
information available to the clinician rendering care. More and better medical
information exists today than ever before. But this information is stored in
silos–from physician offices to pharmacies to insurers–preventing care
providers from considering the totality of a patient’s clinical conditions and
needs. These silos are a barrier for informing physicians and that is the
Within that problem lies this possibility. These silos store enough
information to paint a complete, detailed, and accurate picture of a patient’s
health, if that information is interoperable and made easily available to both
patients and clinicians. The purpose, the mission of Shared Health is to use
this interoperable data to transform care.
For many that mission remains a vision still to be accomplished. However,
for more than 2.6 million patients who participate in the Shared Health
Clinical Xchange and the more than 3,800 clinicians who care for them, it is a
Share Health collects and integrates participants’ medical information from
multiple sources, including payers, clinicians, in-patient/out-patient
facilities, laboratories, pharmacies, and pharmacy benefit managers. We
function as a trusted data steward for consumers, providers, and health plans.
Our HIPAA status is that of a covered entity clearinghouse with BA
relationships with those organizations providing our data. Shared Health
delivers this data delivers this data accompanied by innovative clinical
decision support tools to the point of care through both an online longitudinal
record in integration with EHR’s.
Patients can opt out of Shared Health, but only less than one tenth of one
percent do so because we carefully and comprehensively explain two things. One,
what the benefits are for Shared Health to the patient and two, the stringent
safeguards in place to protect the security and privacy of their personal
information. Share Health’s benefits in terms of both patient health and the
cost of care are already clear. Using our platform, clinicians in Tennessee,
for example, have lowered readmission rates to the hospital by nearly 30
percent, reduced services needed in the emergency room by 40 percent, and
brought down the average length of a hospital stay by 20 percent. Treatment
efficiency has increased by 17 percent. Other costs are falling, too. We have
seen a 21 percent reduction in ER visit costs and an average of eight dollars
less per prescription. In addition, we also track quality. In compliance with
evidence-based medicine, guidelines on wellness care also have risen
Our security system is the bond that links Shared Health with consumers. It
is proof that they can trust us with their personal medical information.
Consequently, Shared Health maintains a culture of transparency around privacy
and security practices. We educate consumers about privacy in settings ranging
from our website to our call center to live meetings. Shared Health provides
all individuals with their rights as prescribed under HIPAA, such as an
accounting of disclosures outside of TPO, access to their information, and the
ability to request an amendment to their information.
Shared Health is further committed to privacy and security where our
safeguards even exceed the minimum requirements currently in HIPAA. We
absolutely believe that any records that contain a member’s medical history,
including PHR’s, should be subject to current and future HIPAA privacy and
We provide an audit trail report to each individual who requests it, telling
them who accessed their record and when and all information and critical
details are logged. We impose a strict authentication process to ensure private
patient information is accessed only by authorized users. In addition, we
routinely monitor user access and activity and have identified aberrant
patterns and triggers that we employ for real time alerts to our compliance
department. Finally, sensitive data is filtered from the data input process to
ensure compliance with multiple state, federal laws and regulations.
As you know, a number of potential regulatory and other issues will help to
determine whether systems like Shared Health continue to transform care. In
these remarks I want to briefly mention two. First, for the benefits of health
information technology to be fully realized, networks must be as seamless as
possible. Consequently, Shared Health favors replacing the patchwork of state
regulations with federal standards that would make administration and privacy
rules more consistent. The optimal position for sensitive data would be a
federal standard that would preempt all state disclose requirements. Secondly,
security systems can and must adequately protect patient privacy without
causing either needless delays that impede adoption of the technology,
interrupt workflow, or potentially dangerous delays in emergency situations.
In addition, Shared Health supports many of the suggestions contained with
NCVHS’ February 2008 letter addressing individual control of sensitive
information. The issues that were brought up in that letter, such as
categorized sense of domains, break the glass functionality, and notations for
missing data are things that we support. We share NCVHS’ concerns regarding
making sensitive data available for clinical decision support processes.
Finally, allow me to conclude by saying that the full promise of HIT is
immense. Even the remarkable possibilities we have already seen are only the
foundation for innovation still to come. In the future, evolving technology
will increasingly inform and empower patients, giving them enhanced control of
their personal information and treatment. Growing interoperability will relieve
patients and their families from the overbearing burden of being the sole
messengers of complex medical information. And the results will be remarkable
progress toward the goal our country shares: better patient care, delivered
more efficiently, at a lower cost. Thank you.
MR. HOUSTON: Thank you very much. Mr. Sullivan?
DR. SULLIVAN: Yes, good morning and thank you. I’d like to extend my
appreciation for being invited to this committee and I look forward to
providing my testimony on the Medicaid personal health record, which we are
planning to roll out in Florida.
Just as a little background, the Agency for Health Care Administration has a
five year history of trying to promote health information exchange in Florida
and personal health records. Last year, for example, we promoted a website for
disaster preparedness looking forward to the hurricane season. In that website,
we presented a number of pages on personal health records, what you need in a
personal health record, how do you obtain one, and what type of information
should you be collecting and storing securely in case of a disaster. So we have
had this in our headlights for a number of years and we’re really pleased that
we’ve been able to implement and integrated plan that includes both providing
claims-based electronic health records to physicians and then using that same
database from Medicaid claims to roll out a personal health record for Medicaid
Again, just as a part of the background, we are planning on rolling out a
Medicaid electronic claims-based electronic health record this summer, which we
will, for the first time, take Medicaid claims data as well as Medicaid
medication history and provide that to physicians for use at their point of
care. While we were working on this project, we started kicking around the idea
that if we can provide physicians with the claims data from Medicaid, we could
also provide patients who are Medicaid beneficiaries with the same level of
As we discussed, we realized that we also could take a personal health
record and use it as a way of empowering patients, especially Medicaid
beneficiaries, to start taking a little bit of control on their own health care
by using the personal health record to put in their own health records, to put
in their own notes, to keep track of appointments, and to basically take a much
more active role in their health care.
With the planning for the personal health record, we have been very lucky in
being able to work with a couple of companies–one in Florida, one based in
Denver–we’re able to work with Availity, LLC, who has agreed to pick up our
Medicaid claims and roll them up into their Availity-claims profile, which
currently provides claim-based data from Blue Cross Blue Shield and Humana.
What we are planning is to have a multi-payer claims-based electronic health
record, which will integrate not only the Medicaid claims, but also Blue Cross
and Humana for providers. We find that Medicaid patients come in and out of
Medicaid roughly on a six month cycle. The fear of having just a Medicaid
claims database is that if they leave Medicaid, then you loose track of their
record. This way we feel we can at least have some continuity of care across
health plans if a Medicaid beneficiary goes to Blue Cross or Humana.
We have dealt with the distribution of record by requiring that a physician
gets patient consent at the point of care in order to access the Medicaid
claims records. This was really a good step, we feel, because one, it allows us
to get patient consent for having the physician use the health information
exchange to look at their records and two, it allows us to provide a complete
record to the physician without having to screen for what we would call the
supersensitive data, such as mental health notes, HIV, or substance abuse. With
the patient consent, then the physician can have a full record of the patient
and counter-history as well as their prescription history. This also applies
for the PHR, in which the patient will be consenting, so to speak, to have his
or her records put in.
We‘re working with Health Trio, who is connecting with Availity to
provide our personal health record for Medicaid beneficiaries. We have about 3
million Medicaid beneficiaries in Florida and that is sort of a large number to
address a PHR to so as our first phase in our demonstration project we decided
to focus on new mothers and their infants, their babies. There was a good
reason for this.
We know in Florida that over 50 percent of all the children born in Florida
are born under Medicaid. So we know that there is a large population of mothers
with newborns who have access to Medicaid services and while the mother may not
be on Medicaid after the birth, the child continues on Medicaid. So we felt
this would be a really good target audience because new mothers tend to be very
interested in the health care of their child, they’re interested in
information, they’re interested in picking up a lot more knowledge about what
to do with their child. So in working with Health Trio, we rolled out a two
year plan. In the first year, Health Trio will provide a basic client-centered
PHR, a personal health record, in which the mother or guardian of the newborn
can enter information about the child, can note immunization appointments. They
can basically use it as the very common client enters all the information into
the personal health record.
We have also had Health Trio work with us to develop a content to the PHR
that provides links to a whole range of informational resources for the new
mother so that if she desires or he desires, whoever the guardian is, we have,
for example, links to the CDC, which provide information on head size, birth
weight, growth charts, as well as other links to a lot of other resources. In
this way, we felt that we could provide a compendium of information for the
parent. Once the child is born, of course the child becomes a Medicaid
beneficiary, the child gets his or her own PHR and those two PHR’s are linked
so that the parent can record information on her doctor visits and then can
step over to the child’s PHR and record information on the child’s doctor
In the second year of the roll out, what we’d really like to do is to then
provide a link between our Medicaid claims health information exchange,
Availity, and have Availity populate the personal health record with Medicaid
claims records. Now, on our phase two of the Availity–of our health
information exchange for Medicaid, we not only hope to be able to pull in
Medicaid claims as well as Medicaid prescriptions, but we hope to be able to
pull in immunization data from our immunization registry in the Department of
Health in Florida, as well as other data that we can find either at the
government level or from other institutions. The idea being that if we can let
the Medicaid Health Information Exchange gather data from different sources and
integrate that, then we can provide that to the patient as a record of his or
her encounter history with physicians and also on the newborn encounter
history. At that point, we also would like to institute a notification system
where we can actually send messages to the parent that it’s time for the well
baby visit, it’s time for an immunization check, it’s time for other physician
visits or provider visits that would be scheduled and the parent can schedule
that on hers or we can populate the schedule for her.
One of the issues that we have run into is the privacy and security. In the
first phase of rolling out our personal health record, we are going to work
with the Health Trio approach, which is using a username password to log in,
but we are really looking at some form of two factor authentication once we
start loading the claims data into the personal health record for the
beneficiary. We are still working out the correct identity management approach,
but we know that there are issues of guardianship, who gets to see records,
things like that that we really need to work out and really need to address
before we get into the second phase. But we felt it was very important right
now to be able to provide a personal health record to at least starting with
newborns and mothers, then spread that out to other beneficiaries so that we
can really promote the whole idea of using a PHR to take control of your own
health care and to record and to note and to remember what went on.
Finally, we would like the PHR, in the second phase, to be able to take
those records that we have filled in the personal health record and then port
those to any health vault that the patient requires, either on the patient’s
computer or the beneficiary’s computer or to a Google Health or Microsoft
Health vault or some other health banking method. The idea being that if the
patient goes off Medicaid, the record stops, at least the beneficiary can take
those patients with him or her and have that as part of a long term record.
So we are working here to try to do something we’ve never done, which is to
release Medicaid data not only to physicians but to patients, and we’re also
looking to really try to energize a whole group of Medicaid beneficiaries to
really take some steps, active steps towards their own health care, the health
care of their newborn, and to work towards a much healthier state in the
future. So that sort of summarizes my five minutes, but I’d like to thank you
for listening and I’m open to all questions.
MR. HOUSTON: Thank you all very much.
MS. BERNSTEIN: Thanks everyone for making it brief so that we have time for
MR. HOUSTON: Yes, we wanted to spend a fair amount of time with each panel
just to have time to ask questions and delve into some of these issues further.
I’m going to use my prerogative as the co-Chair to ask the first question and
then we’re going to go around the table because I’m sure everybody has
This one is, I guess, aimed initially at Dr. Taffel. You indicated in your
written testimony and your actual oral testimony as well that you don’t store
certain types of sensitive information such as STD’s and chemical dependencies.
This is an area of great interest of mine. You also questioned whether
sensitive data should be available for clinical decision support. I know I’m
currently engaged with physician’s at my health system to discuss just this
issue. I guess the question I have is that I understand that especially when
you’re dealing with mental health information that maybe not all information is
relevant or under a variety of laws is something we could make available
generally, but is there a certain class of information that is not minimally
necessary such as med lists, problem lists, current lab tests, things like
that. What type of information is important from a sensitive–for sensitive
information types to be available within these types of records?
DR. TAFFEL: I think particularly medications. I get concerned about
drug-drug interactions. I also get concerned about where the privacy rights of
one individuals may adversely affect another. As an obstetrician, I have
concerns about newborns and the privacy rights, certainly of the mother on
substance abuse, but on the other hand doesn’t the neonatologist need to have
this information available to care for that baby.
Those are two examples of areas where I think there’s some real concern.
Right now we don’t load much of this data. We’re really waiting to get some
guidance, particularly federally. What’s going to be done? Can we make this
available for clinical decision support? What are the policies around break the
glass so that we can load this data and make it available in the right
situations for the right purposes? This is a topic, too, as I’m on the Privacy
and Compliance Committee for CCHIT, this comes up all the time. The discussion
is we need more guidance, we need standards, and this is something that we hope
to see soon.
MR. HOUSTON: If I could follow up just briefly. You talk about break the
glass and everybody knows what that is, but I guess one of the dilemmas that I
hear all the time is that when you’re dealing with medications, especially
medications, it’s not really a break the glass situation. If it’s in the
record, physicians are saying I need to see it because it’s never something
that’s not relevant or it might not be relevant to my care. Break the glass–I
mean is there a core set of information that you’ve just got to have as a
physician? Is there stuff that you need to have available through break the
glass and other stuff that you just don’t really think is relevant other than
within the realm of either drug and alcohol treatment or psychiatric treatment?
I’m trying to get a sense on what the continuum is.
DR. TAFFELL: Right. I think medications are critical. Not knowing certain
medications can kill an unconscious patient in the emergency department. So
that’s number one. Beyond that, I think there are–trying to come up with all
the possible use cases is very difficult so what happens is we may try to
anticipate classes of information that you say well you probably don’t need
until something catastrophic happens.
My sense is as we move forward with this, we can’t let the perfect be the
enemy of the good. So I do think it is probably a worthwhile exercise to
establish classifications that we can get some consensus on, but also
understand that there will be some trial and error and to allow flexibility in
the system to make those midcourse directions. So I can’t answer all of those.
I can come up with a few use cases. Medications, though, I think as far as
interactions, to me that is one of the key things that need to be available so
that mistakes don’t happen.
MR. HOUSTON: I don’t know if Joy or Mr. Sullivan have a comment as well?
DR. GROSSMAN: Sure. I think I mentioned this, but I think there was a wide
variation in how the different health plans dealt with this. We talked to 12
plans and seven of them excluded some conditions from the PHR’s and the
physician portals. That was typically all claims related to particular
diagnoses or particular types of treatments so the usual mental health, alcohol
and substance abuse, HIV/AIDS, and sexually transmitted diseases. Which data
were excluded varied by plan. They didn’t all exclude all of them.
Then there were other plans that decided to leave it up to the patient as to
what to do with that data. So the data were in there. Patients, in some cases,
could delete the data or they could hide some of that data. They could do it by
diagnosis or they could do it by specific claim. Then the physician view, in
some cases it was hidden from the physician view, but there might be a filter
and a note indicating that the data had been filtered out, but that something
existed, sometimes with the source of that information. In other cases, that
was the way it was set up, but patients could actually opt to reveal the data.
So it really ran the gamut in terms of what plans were doing and I think the
point that Bruce made that plans potentially are looking for guidance and at
this point they’re each trying to deal with whatever particular state laws they
have to deal with in terms of disclosure and come up with a workable product
and probably what their vendor has in place. There are a lot of different
parameters that go into that.
MR. HOUSTON: Mr. Sullivan, did you have a comment as well?
DR. SULLIVAN: Yes, we address the delivery of sensitive records to
physicians and we actually, in planning for the Medicaid Health Information
Exchange, spent a lot of time trying to consider the best approach. With the
use of Availity and their Humana/Blue Cross platform, those two health plans
were screening their data. They were pulling out any record that had anything
to do with mental health notes, HIV, or substance abuse, and that was on a
routine basis. On the other hand, Availity reported that providers who used
this system had some complaints that they weren’t being given all of the
We spoke with Medicaid. We discussed the whole idea of whether you wanted to
keep certain important records from a physician or let the physician have all
of the records so that when he or she is treating a patient there is full
disclosure. In Florida, we have laws that really are stricter than HIPAA
regarding patient consent for substance abuse information, for mental health
notes, and for HIV tests and we were well aware of that. We came to the
conclusion that if we were to provide the opportunity for a patient to opt in,
to provide authorization to the physician to download their health claim
record, including the sensitive data, that that would provide basically the
coverage that is required by Florida statute. It would also provide coverage as
required by our Medicaid state plan and by HIPAA. At the same time, the
physician would not be kept from acquiring information that could be vital to a
diagnosis. We felt this was the right way to go and actually we are discussing
with Blue Cross and Humana that they might want to change their sensitivity
policies, their policies towards sensitive information, so that we provide
We are going to then move this down to the personal health record level and
we feel that a patient in a PHR should be able to receive all the information
on him or her. That, really, we should not try to screen for the patient, but
the beneficiary should be able to hold all the records that pertain to his
case, her case. Thank you.
DR. TAFFEL: If I may, one other thing related to this and I think it’s
extremely important. As we deal with sensitive codes, we have statutes that say
well, anything substance abuse or these large categories, it is extraordinarily
difficult to go through every diagnosis code, every laboratory, and every
medication and figure out is this sensitive or not? This is a terrible,
terrible burden. Not only that, but medications may have two uses and one case
has a sensitive use, in another case it’s not. So there needs to be some better
guidance coming essentially to help with that.
MR. HOUSTON: I know Leslie has a follow up question as well as Sarah. What
we were going to do then is go around the room starting with Walter and work
around to the opposite side of the table.
DR. FRANCIS: I think I got my answer from Dr. Sullivan, but I just want to
be sure. When the patient is seeing the provider, the patient consents and it’s
all or nothing? So there is no possibility of a patient giving consent, for
example, to see medication records, but not seeing any of the rest of what is
in the electronic record. So it’s just all or nothing and are you worried about
the risk then that people will not–that you’ll be worse off because people
won’t give consent?
DR. SULLIVAN: We did consider that, yes. When we ask for patient consent, we
also expect the physician to have an authorization form that the physician
would hold and we made it all or nothing. In part, the decision to go with
patient consent and not screen was in part a technical decision. We are pulling
Medicaid data. We had developed a whole list of ICD-9 codes. We actually used
the code list that we had gotten from Blue Cross Blue Shield. But the technical
issues of trying to screen code and, as was mentioned earlier, to determine if
a particular medication was used for mental health or used for say sleep apnea,
we didn’t feel like we were in a position to do that. We feel like we would
rather err on the of providing complete information. We feel that we’ll get a
pretty good response from patients. We feel that the majority of patients will
think it’s fine and only a minority of patients would say that we don’t want
you to look at the records, in which case the patient is free to say that and
the physician will not pull down the records.
MS. WATTENBERG: Just to your last point, I just want to get clear about
something. So the physician has to have an authorization, but then you’re also
talking about opt in and all or nothing consents. Could you just clarity for
MR. HOUSTON: Is that for Dr. Sullivan?
MS. WATTENBERG: Yes, I’m sorry, Dr. Sullivan.
DR. SULLIVAN: The patient consent form that the physician holds is a 100
percent opt in and then all claims data that we hold on the patient in Medicaid
will be delivered to the physician. The patient records in Blue Cross and
Humana will still be screened because they have the technical set up to screen
the data, but the Medicaid record will be everything that we hold. It will be
disclosed to the patient that it is everything.
MS. WATTENBERG: Would it be helpful to have–I understand this issue about
the burden of sort of screening for different kinds of codes and stuff. Is it
helpful to provide guidance on that to help your IT people do it? Is it better
to include that in some of the technical standards development for the
architecture for these EHR’s, PHR’s?
DR. TAFFEL: I think these are largely clinical determinations. I think that
some kind of review from HHS or department within HHS to determine what are
codes that should be considered sensitive and have hearings on those things.
MS. WATTENBERG: Yes, that’s what I mean.
DR. TAFFEL: Yes, I think that would be terrific. Then we would be able to
know what are the codes that need to be specially considered and then the
programming of that is easy. It’s the clinical judgment that’s the problem.
MS. WATTENBERG: Okay, then the last thing is this thing about medication
lists that John raised, if the technology allowed for assessing drug
interactions in the background where there was masking of the sensitive drug,
for instance, would that be sufficient?
DR. TAFFEL: It would be a good start. Here’s the challenge, if you indicated
a drug-drug interaction and then indicated that the drug in question was
masked. You say we can’t tell you what it is, but there’s a potential
interaction, then you have got to make a decision into the background as to
what the level of the interaction is and should it affect the clinical
judgment. One of the issues that go on in these DUR alerts is that there are
low level, where really, yes, you can take it so your big toe itches–it’s not
that important. On the other hand, there are some more serious concerns. So you
might do that, but then it puts the burden on the programmer or on the
clinician behind the programmer to say let’s launch that alert because we think
it’s significant enough, but we don’t know the patient’s condition. So there is
still some problems. It’s better but it’s not perfect.
MR. HOUSTON: Walter do you have a quick question? Marjorie do you have a
MS. GREENBERG: No.
MR. HOUSTON: Okay, Walter?
DR. SUAREZ: Yes, thank you. I appreciate the testimony and I appreciate
especially the shortness of the testimony so we have enough time to ask
questions. I have so many questions that I am boiling down those two or three
important issues. I’ll boil it down even to one.
I just saw this picture and Bruce you pointed out very nicely the concept
and the concern of silos and we’re about to connect those silos to pipes. All
these silos have information about consumers, about patients. What is
interesting is that information is in many cases the same information seen
different ways. We’re about to create, where it used to be I had one record,
one medical record, electronic or paper usually, now I have my electronic
health record that a provider has, the provider has my personal health record
also, then I have a health plan or maybe more personal health records, I have
probably my own personal health records some other place. So I have, now, as a
consumer, multiple places where my information is. In some places my
information is presented as it was supposed to be, which is I am the doctor, I
provided you this service, this is how I recorded it in notes or some other
way, then I bill that, I send a claim, and in creating the claim I converted
that into some codes that then are put through the claims data of the payer,
the payer creates its own version of that and presents that to the consumer so
now I’m seeing my record from my provider and it’s one way of telling the story
and then I see my record from a payer and that’s a completely different way of
telling the same story.
I just thought it would be very important to hear about two things. One is
the significance of the need to educate consumers about there are different
ways of telling your story and if you see that this type of information
reflects something that might not be what you thought was done to you, there
are some reasons for that. So number one is the importance of education. Chris,
I think the experience with Medicaid population is going to be so critical.
Number two is how to integrate all that data particularly, in the cross
validation and verification. Now I’m a provider, I used to have my record and I
see what I did to you, but now I have also some pieces of information, some of
them are contradictory because you added some information that you thought you
understood and so you typed it, then the health plan added some, and some other
providers added some. So now I’m seeing this record and I’m concerned that I’m
going to have to validate and spend a lot more time talking to you about did
you really take this drug? Was this test really done to you? So the
verification and validation is the second point. I’ll stop there. Thank you.
DR. TAFFEL: There’s no simple answer as you can understand. However, this
leads into what are the data elements that you want to render and what kind of
processing needs to be done for those data elements. With regard to the
consumer, the other issue is what are the taxonomies, what is the nomenclature
you’re going to use? We did a project with CMS for a personal health record and
there was, whereas for clinical medicine we certainly lack lots of nomenclature
standards, but there are some in place SNOMED CT. So you can pick out something
to standardize the taxonomy. There are no standards for laymen. So even before
you get to this you have to decide what is the nomenclature that is going to be
used in a PHR because you give them an ICD-9 code, forget about it. You’ve not
helped them at all.
The other point here is I think that Walter you raise an excellent point.
All of this information, some of which we can agree is garbage, even some lab
results if you’ve got a one doctor practice that’s got a culture counter
sitting on a counter somewhere and it’s never been calibrated, how good is that
blood count? So one of the things that we do is we process the data. We use a
methodology that takes ICD-9 codes and boils those down into problem lists so
that we simplify this. For workflow that’s critical and for the patient that’s
critical. If you’ve ever seen a claim, it is absolutely overwhelming. Not only
that, most laymen couldn’t understand it and it’s just got all this stuff in
it. Not only that, but in a standard encounter, maybe they’ve gone to
radiology, there’s a bunch of stuff. So you’ve got to be able to boil that down
for both the consumer and the doctor.
The other thing is that we give a lot of thought as to what is our mission,
what is our goal? To me there’s data that’s used in day to day operations. That
means a kid comes into the emergency room, has a Colles fracture, goes to the
office the next morning, wants to see the pack image on the screen and all of
that. To be honest, from our perspective that’s not the key. The key to us is
continuity of care. What are the conditions that you need to follow, not all
these little acute events, which are important, but the key problem with which
we deal are all of these chronic conditions and multiple physicians seeing
those patients. So we say what are the big things we need to look at and what
are the key clinical indicators?
Once you’ve boiled that down, it’s real interesting. We’ve looked at lab
data and said look at all these different lab tests, but when we started to say
what really is significant and if you look at what are the types of tests that
get ordered most, all of a sudden thousands of pages gets narrowed down to just
several pages of lab. So we have to rationalize the data in a way that we can
achieve appropriate continuity of care. We have to process that data a little
further, find out standard taxonomies and normalize that data. That simplifies
the problem a lot.
The other thing that we do is since we have data from several sources, well
how do you reconcile this? We’ve built in the logic that goes out and says
what’s the best data we have? So for a process event, hemoglobin a1c in a
diabetic, we’ll go out and say alright, let’s look first for a lab results,
seven percent, we’ll populate that information. If that’s not there we’ll then
look for a g-code or a cpt ii code with the qualitative result and we’ll
populate that. Finally, if that doesn’t exist, we’ll go find the cpt code for
payment and say look, it was done, don’t know the result, but at least you know
that it was done. Then in our systems the physicians can go back and say, well,
great, I’ve got the result and improve the information.
So those are some of the things we’re doing to help with that, but it’s an
ongoing effort and it’s complex.
DR. GROSSMAN: I guess I wanted to make a couple of related comments. I think
on the consumer side, most of the health plans were working to do something
similar to what Bruce mentioned in terms of reducing diagnosis codes to
something that looks like a patient-friendly problem list with links that
explain–where the patient could go to a reference site that would explain what
the diagnosis was.
We did have some discussion, most of these because the PHR’s had just begun
to roll them out, they had maybe 18 months to two years worth of data, but the
plans, some people mentioned, that they were trying to figure out over the long
run what to do with these acute claims and whether to really focus on chronic
diseases and sort of major sentinel events and get rid of the more minor acute
situations or take them off the record at a certain point in time. So I think
that the plans were thinking about these issues.
I think on the physician side, certainly what we heard from the physicians
we spoke with–I mean, this is an issue they’ve always dealt with. Patients
might bring in paper records from another doctor, they get their own lab
results, they get something from the hospital, they ask the patient questions.
This is an issue for medication reconciliation as well. So physicians are
always trying to aggregate all of this data very quickly. I think this just
compounds the issue by saying that there are these multiple data sources, some
of them will come electronically and because they arrive electronically do
people suppose that therefore they are more likely to be the truth than the
things that are either delivered orally or on paper. So I think this is going
to be a continuing challenge for physicians, even as the technical issues get
I think that the physicians we heard from said that ultimately what they saw
as potential value for this data, for example from a health plan PHR, would be
as a starting point for discussion with a patient, to trigger more questions
that they might ask the patient, or potentially in some cases for their staff
to then go hunt down information that they don’t have. We did talk to–one of
the physicians was the community health center physician. Because he typically
sees patients that he hasn’t seen before and he has even less data, he was even
more inclined to say this data was of value. We did include one Medicaid plan
in South Carolina that had rolled out a physician portal and they were doing
the same thing that was mentioned by Chris Sullivan about being about to
provide continuity or records for patients who are on and off the Medicaid
rolls to the physician.
We did another study looking at health information exchanges and we heard
from physicians saying we get inundated with multiple versions of lab tests
when the patient is in the hospital. We don’t need those in the ambulatory
setting, we need to find a way to be able to cull that data and get the final
lab results and the important labs that we need. So I think this is going to be
a continuing discussion about how to manage this data.
I’ll just say one last thing. I’m going to take off my objective researcher
hat and put on my active caregiver hat and say that I’m a caregiver for
somebody who is on 12 medications. I use an online service to order
medications. Sometimes I get them online because I get all 12 at one time and
sometimes I need to do a refill quickly at the local pharmacy. It gets listed
every time and so the list of his active medications, you know, there’s 36 or
something like that when I log on. So I think that as you look at other data
opportunities, platforms like Google or Microsoft or other things to be able to
import data from multiple sources, there is this issue of reconciliation. I
think that some health information exchanges and some of these entities are
starting to tackle this problem, but it’s a problem that I think exists not
only for providers but will exist for consumers. The more data we have
electronically–it’s great, but it also creates these obstacles.
MR. HOUSTON: Dr. Sullivan, did you have a comment?
DR. SULLIVAN: Yes, I’ve been listening with interest to the discussion and a
lot of what has been discussed we really went around and around with in our own
meetings, especially trying to put this together with Medicaid. We really think
that, quite frankly, by trying to make a decision ahead of time on what data to
provide a doctor or not, really bypasses the doctor’s own ability to make a
decision. We also felt that when we looked at Florida statutes that the type of
confidential data that we would have to deal with was very narrow. For example,
it wasn’t mental health prescriptions, it was mental health notes. So we felt
like when Blue Cross Blue Shield or Humana screened all the drugs or
prescriptions that might be related to a mental health issue, that was very
understandable from their point of view because they were trying to cover all
of their bases, but quite frankly under Florida statute and under HIPAA it was
not necessary to screen that deeply. Really we just looked at the law, you
could screen just for notes or for HIV tests, not for HIV prescriptions.
When you really think about it, if a patient presents and a patient has HIV
and the patient gives consent to the physician to look at his or her
prescriptions, then with our prescription solution we hope to not only have
Medicaid prescriptions, but prescriptions from any provider that is reported.
It would be better for the physician, with patient consent, to know that there
are HIV prescriptions than to have those prescriptively deleted from the record
because of concerns over the confidentiality of those records.
Again, the whole issue comes down to patient consent. What we feel is very
important is for patients to understand what they are giving consent to, what
they are authorizing, that the physician actually have a paper record of the
authorization of the patient. The physician has to testify before he or she
pulls the record that the patient has given consent and that they have a
consent in hand and that the patient is aware that those records will be used
for treatment purposes only. We have health forms of a lot of patients, a lot
of consumer, and really their fear of disclosure is when you have negative
effects coming back at them–job-oriented or things like that, but when we
asked them about treatment in our forums they were very open about the fact
that they thought physicians should have information on their medical history.
So that’s just our thinking. The complications that arise in trying to
screen can be dealt with technically, yes. It becomes a real complicated
problem trying to second guess what should be included, what shouldn’t be
included. That was just our decision. So we actually felt very good about the
fact that we are allowing the opt in, we are allowing the patients to make the
decision on their record, and we feel that’s actually a way to empower a lot of
the Medicaid beneficiaries and make them part of their health care.
MR. HOUSTON: Thank you. Leslie?
DR. FRANCIS: One of the areas that Joy mentioned in her discussion that I
don’t think has been explored quite yet is that some of the PHR’s that you
mentioned have the functionality to allow patients to say they do or do not
want patient-entered data shared. One of the fascinating things about what
we’re talking about here is the interplay between the various sorts of data
that come from professional or claims sources and data that the patient enters
him or herself.
Now I take it that the kinds of records that Bruce is talking about–you
haven’t mentioned yet patient-entered data and I know that Dr. Sullivan what
you were talking about was the possibility of a roll out for Medicaid patients
of their being able to enter their own data. A pretty easy screen is by source
of data. I wonder if you have any thoughts about building in the capability
that would allow patients to say I get to enter my own data, but it’s my choice
whether providers see what I’ve entered or not.
DR. SULLIVAN: Yes because from the consumer or the beneficiary perspective,
the beneficiary will have the ability to determine what to provide to a
physician. Of course, we also hope that the new mothers and their babies will
actually enter their own observations and then use those as part of a dialogue
with their physician.
It is not necessarily the only scenario that the physician doesn’t want to
use patient-entered data because it’s not clinical, but it is patient
observation and it is a patient record and we feel that it would actually
enhance patient-physician communication. If patients were able to say this is
what I have watched with my baby the last two weeks and these are the things
that he or she has done and this is what I’m concerned about. But in terms of
transferring records to a physician, we do feel that the patient should have
full control over those records and be able to determine which go to the doctor
and which don’t.
DR. TAFFEL: We offer, well we can it a consumer view. It is not
bidirectional it is read only. The reason we’ve decided to do that is that is a
deep vault that if a particular customer wants to use that, that’s great.
However, our preference is to provide data liquidity so that the consumer can
choose their own PHR. So given that they want to take this data and send it to
Google, we say fine we’ll go ahead and do that. So we kind of stay out of the
fray in that way.
Still it’s a legitimate question. What happens when someone enters data. I
think there are three situations that I consider. One is a patient goes ahead
and enters fields for some kind of observation, maybe their weight or whatever.
The other and I think this in many ways may be even more viable is we
anticipate to see more and more home health aides and equipment that will be
able to feed data into a database and, in fact, you’ll see Google and Microsoft
already making those connections. I almost think that that may in some ways be
more important. Nonetheless, still there are certain responses to questions and
certain health status surveys that are also in their own way, individual
applications. So those things are valuable for the physician as well. I’m
thinking in terms of asthma. There is an asthma survey that you can do, fill
out monthly, and doctors can track, particularly for children, how well they’re
doing. That I think also needs to be available.
Finally, the thing we haven’t talked about is data transmission by secure
messaging. I think that things like Relay Health and other similar applications
where consumers have the opportunity to message that information into a
physician and then the physician can enter the pertinent information to the
record is yet another way that this happens. So I think we need to think
certainly about what happens when a patient enters stuff into their PHR, should
it go to the doctor, and how do we reconcile that with other information? It
should be sourced, certainly, and the doctor should know where it comes from,
but there are other methodologies of getting that information within that
community of information for that patient-centered record.
DR. GROSSMAN: In terms of the health plans we spoke to, there were some
examples of health plans that allowed patients to actually email their PHR or
selected summary of information. I’m assuming it was secure, but I really don’t
know a lot about the technology. We didn’t probe them that much. But nine out
of the 12 health plans either were currently or planned to allow patients to
give electronic access to others and that could be caregivers as well as
physicians. So not just giving them their password, but actually allowing them
their own access to the data. A few of them mentioned sort of break the glass
options as well for emergency room treatment or things like that.
There were a couple of plans, I believe, that gave physicians access to the
data unless the patient opted out. So most of them were opt in, but there were
a few that were opt out. As I mentioned, there were four plans that had the
separate portals that just had the claims-based data for physicians. One of
those was solely for emergency room doctors, others were marketing it in an
I think, in addition to that overall access, there were issues about control
over specific data elements to share, once they did provide access to third
parties. Seven of the 12 plans allowed patients to either hide and/or delete
specific data elements. Those included not only the data they were entering,
obviously in the case of hiding it, but also any data that came from the claims
that they could delete those or hide them. As I mentioned earlier, with respect
to sensitive data some of them created a filter so that physicians could see
that some data had been filtered and potentially the source. Others did not at
all so if the patient decided to delete or hide that, the physician would not
know that that had been done with that data.
Then there is the issue of kind of correcting the data. So some plans said,
well, patients can do whatever they want with the data. They can delete it,
hide it, if they’re not comfortable with it. There were a few plans that said
that for the claims-based data that the patient could request a change. There
were two plans that said you could request a change and one of those plans, I
believe, said that if it wasn’t resolved to your satisfaction, the record
wasn’t changed, that there was an ability to annotate the particular entry so
that you could put in what you thought occurred or didn’t occur to provide that
information to the third parties who have access to it. So again, it’s really
all over the map in terms of how that issue is being addressed.
MR. REYNOLDS: I have one clarification on a testimony and then I have a
question. Doctor Sullivan, you mentioned the Medicaid HIE. Is there going to be
one HIE in Florida or will Medicaid have theirs and others have theirs?
DR. SULLIVAN: We looked at the Medicaid HIE as really being a way to pull
together health care data sets that are being held by the state government. The
Medicaid promotion of claims is really just–and our model would be the first
in integrating a number of different data sets.
MR. REYNOLDS: Thank you. My question to the group is so we heard yesterday a
lot of testimony and the testimony yesterday said that all data is sensitive
and should be accessible. We hear from you that there may be some sensitive
data, but it would be good to be some guidance because at some point we need to
recommend the pragmatic. Then if you have a brief description or a clear
definition of what it is then you can also use consent if a person feels
uncomfortable. So I would love an opinion–you know we’ve written a lot of
stuff as this committee on this and now, as it starts to evolve, it’s becoming
less clear rather than more clear so trying to come up from each of you with
some kind of pragmatic statement that if this committee were to send forward a
recommendation about sensitive data and the whole process around it, what might
that look like from the three of you to do that because, again, it’s all over
the place. As Dr. Grossman, you said 50 percent of the plans have something, 50
percent don’t. So it’s a bit of a free for all at the time and it’s very
difficult to pragmatically implement a free for all. So if you could help us
with framing that that would be helpful to me, I know.
DR. TAFFEL: It’s a hot potato, but I don’t shy away. You know, Harry, I
think that first off the big problem right now is 50 different states doing 50
different things and then there are federal statutes. I think the first step is
to say to make this effective we need a single statute that helps to define
this. That would be very helpful and not only that I think it would at
least–and I think in NCVHS’ letter in February 2008, which we mentioned, I
think there’s a good groundwork there. It’s saying let’s start out with these
categories and they make sense. If we can get agreement that those are the
categories that we start with and then begin to get clinical input, alright,
what are the codes and have continuous review that updates this. CMS does this
all the time and Medicare puts out these opinions and updates medical
decisions. I think if we would do that within those categories that were
recommended it would be a great start and say those are the categories for the
United States and here are the codes that fall into that.
I think that’s where you go and then have the mechanism in place to allow
the flexibility as practical experience occurs to begin to modify that. But I
think I was impressed by that in your letter in 2008 and I think that that’s a
good starting place.
MR. REYNOLDS: Then obviously, not to put words in your mouth, then obviously
the opt in/opt out would allow a person to completely step away if they had any
concerns at all.
DR. TAFFEL: Well, first off, there’s the big opt in/opt out, which is
binary. I’m in or I’m out. Then there’s the granularity issue. So if we
establish these categories, we can allow the granularity to be you pick out a
category that you don’t want to share and that becomes the protected health
information. As you said in the letter, otherwise it’s going to get really
complex. This, too, we deal in the CCHIT on the privacy side, what is the level
of granularity? Does it get down to the point that I want this data point to be
seen by Dr. Jones and Dr. Smith, but not by Dr. Brown and Dr. Green? It becomes
unmanageable. I think, again, that the concept of categories is a good starting
MR. REYNOLDS: Dr. Sullivan, I think Dr. Grossman wants to go last so you’re
DR. SULLIVAN: Yes, well, I guess we have opposing positions here. I do feel
that we are not in a position, at least as a state agency or Medicaid, to
adequately determine which records are more sensitive than others. I do agree
that all records are sensitive. The so called super sensitive records are super
sensitive because they have been addressed in statute and have been identified
as being very important records and those that cannot be–you don’t want to
breach, in particular, these records.
It is possible to set up a technological screening software. I can imagine
that it could be one of which has been described already and that we could
essentially pick and choose based on either criteria that are external or by
criteria that are provided by the patient. I have seen the discussions where
the patient should have a right to say I want this part of my record
distributed, that part not or I want Dr. X to see these records and Dr. Y to
see those records.
Quite frankly, we in discussion had a problem with that. While we want to
give patients full control over records, we also feel that physicians need full
information in order to make an adequate diagnosis. To a certain extent, if you
allow cherry picking as it were of certain records to go to one physician or
certain records to another, there also lies a chance of really having a
misdiagnosis or of certain critical information being blocked. Maybe it’s
sensitive to the patient, but the physician will not come up with the correct
treatment plan. So when we really phrased it that way, we felt as though all
information is sensitive therefore we must maintain the security and
confidentiality of all that information, but we do not want to screen for
physicians. We would rather allow the physician to have full knowledge of a
patient’s encounter history.
Again, remember, we’re providing claims data. Most physicians we have spoken
to are somewhat suspect of claims data, quite frankly, and we recognize that
there are issues with the selection with ICD-9 codes or the procedures based on
different issues other than the patient diagnosis–for billing reasons or for
this is the only way I can get this test done, I need to code it this way. But
we feel that it provides the treating physician with information that is, A,
currently not available and, B, creates enough of a picture so that at least
the treating physician can ask the correct question and can track down the
I do like the idea of doing some of the summary roll ups of lab reports and
things like that. We had worked at one point, as our fiscal agent had called,
ontologizing the claims data in their attempt to create a clinical record out
of a claims record. That was pretty much frowned upon by most of the medical
community that we discussed and talked to, but the concept is there and it
could be done quite profitably.
All told, we feel like the method that we have taken holds all data secure,
all data sensitive, but we really feel reticent to forestall the physician
having complete information. So I guess that’s our policy stand at the moment.
DR. GROSSMAN: I’m neither a real doctor, that is an M.D., or a lawyer so I’m
a little reluctant to weigh in as a researcher on this topic except to say that
I agree with much of what’s been said. I would say I think that many entities
are dealing with this multiplicity of state laws and that’s really complex to
try to figure out how to deal with that. Providing some sort of guidance about
different categories is helpful because everybody’s kind of reinventing the
wheel over and over again and it certainly would reduce administrative burden
in trying to figure out how you might protect some sensitive data.
I also agree that what’s viewed as sensitive data is really based on the
patient’s perspective and who they share that data with also varies. Sometimes
they’re not really worried about the doctor getting a hold of it, but they
might be worried about their spouse getting a hold of it in a divorce
proceeding or custody battle. I was involved in some efforts in Washington
state, around their Health Record Bank activity and heard a lot of interesting
things from people about the kinds of things they’ve heard from consumers about
their concerns. I think this issue, while narrowly is important and relates to
specific laws about disclosure, I think it is embedded in this broader issue
about what patient control you need and what are the privacy, confidentiality,
and security components you have in place so that you might balance off having
that data available to the patient and giving them the right to share that with
other people. Or to feel comfortable because they can see an audit trail and
know that their data weren’t revealed to people so that it’s really I’m going
to punt and pay as part of a bigger package as well.
MR. HOUSTON: I know we’re running out of time, but I want to make sure Paul
and Sally both have an opportunity. So Sally if you have any questions?
MS. MILAM: I’m interested in exploring Florida’s model a little bit further,
given the repeated concerns about the multiplicity of state laws around
specially protected information and the challenges that those laws present. Dr.
Sullivan, in Florida you indicated that you have something like a universal
consent form or authorization process that would cover all of the different
areas, especially protected information. Did I understand that correctly?
DR. SULLIVAN: We have just passed in the legislative session this year a
bill authorizing a universal patient authorization form, which would cover all
of the confidential information. One of our concerns in look at Health
Information Exchange and patient authorization was that different facilities
would use different authorization consent forms and then there was a tendency
for those facilities, hospitals for example, to insist on their consent form.
So if you had a consent form from another hospital and you went from hospital
one to hospital two, then your consent form could be rejected simply because it
was the wrong piece of paper. So what we have instituted is an universal
consent form. We will go into rule making this summer in order to hammer out
the correct form, although we are modeling it on one that is used by our
Department of Health in working with HIV and other services. What we’d like to
do is to have a form that is used across the board and anybody can accept it.
This does not mean that you can’t have your own authorization form, you can use
any patient consent form you want, but if a patient has been with a universal
authorization form or a provider uses that form, then it would be accepted in
any health care setting as a consent form. We want to craft it in such a way
that when the patient gives consent, there is clear understanding that the
consent would include mental health, substance abuse, or HIV records. That
would be part of the patient’s background. If we don’t do it this way, then
we’re really in the position of having two or more consent forms, for example,
one for general records, one for mental health, one for substance abuse, one
for HIV. So we felt if we did it all in one piece, the patient is informed
before he or she signs, but then it would cover all of those super sensitive
classes of information. But I do like the definition that all personal health
information is sensitive and we should treat it all equivalently.
MRS. MILAM: Two very quick follow-ups because I know we’re short on time.
When you presented the universal form to the patient and they could, up front,
go ahead and allow all information to flow, what was the percentage of patients
that did not want their more sensitive, their HIV/mental health data flowing
and what challenges did you face in helping to make these forms understandable
to the Medicaid population?
DR. SULLIVAN: I’m sorry. I’m going to have to punt on this one. Our roll out
for our Medicaid Health Information Exchange will be, at this point, we think
in July and our personal health record will be in August or early September so
we haven’t really had a chance to work with providers or with patients to
really get those numbers. We do have, as part of our contract, a metrics
reporting, in which the physician will report on issues like that. I’d be
certainly happy to make that available. Those are great questions and I really
would like to answer them.
We do know from Availity, in its experience with providing these types of
records to physicians, that they have about a 97 percent opt in rate. Now, of
course, Humana and Blue Cross screen for the sensitive data so it’s not
equivalent, but we think if they’re getting more than 95 percent opt in, that
we may have pretty much the same luck or success. As far as materials so that
the Medicaid beneficiaries understand what we’re doing, we have an editor in
house and we are working on crafting those materials so that they are very
plain language, they are understandable, I believe we are targeting eight-grade
level, and that they could be explained to the Medicaid beneficiary so that he
or she really understands what he or she is agreeing to.
Excellent question. Thank you. I’m making a note here so that we make sure
we do that.
MR. HOUSTON: I know Sarah Wattenberg wanted just a few seconds before we got
to Paul. I apologize Paul. She just wanted to make a statement.
MS. WATTENBERG: I just wanted to–I appreciate the thoughtfulness that
everyone is giving to this. I think that for the substance abuse
confidentiality federal laws, opt in, binary yes or no is not necessarily
sufficient to meet the requirements of consent. SAMHSA will be coming out with
some FAQ’s on part two in EHR’s and how the consent requirements function in
Dr. Sullivan, I’m curious, one of the things SAMHSA is working on is it is
difficult to manage consents at a granular level. Would it be helpful if we
handle it at the technical solution level?
DR. SULLIVAN: That is one solution, but, again, any technical solution
really preempts the physician from having certain classes of information that
might be very helpful to the physician. So I’m not certain. I don’t want to
second guess SAMHSA or say what is actually prescriptively correct.
I can say this. We have developed, through a grant from the Health
Information Security and Privacy Collaboration with the Office of the National
Coordinator, a HIPAA Florida statute crosswalk tool. This is part of a provider
education toolkit we were working on this past year. What we hope to do in
about a month is to launch this crosswalk toolkit online so that any physician
or anybody could look up a specific issue: patient consent, HIV, mental health,
substance abuse. What we are doing is we are going to list every single
regulation under HIPAA that applies to that particular issue and then the
corresponding Florida statutes that apply to that issue. Then we will flag
which statutes are more stringent than HIPAA. What we want to do is be able to
provide that information to physicians who, frankly, don’t understand HIPAA and
equally don’t understand Florida statutes. We felt that way at least physicians
could become knowledgeable on what is accepted and not accepted in terms of
issues under security, privacy of data, confidentiality of specific classes of
I know that doesn’t answer your technology question, but I guess from our
point of view any front end manipulation of the data really preempts the
physician from having a full view. I’m certain how to get around that is a
social issue not a technological issue.
MR. HOUSTON: We’re going to extend over a little bit. I know Paul has a few
questions and I want to make sure there’s adequate time so we’re going to
extend it by a few minutes. Paul?
DR. TANG: So let me just start with a confirmation like Harry. Joy, you
mentioned that some plans make permission for them to access the personally
entered data a condition of participation in their PHR. In your paper you
mentioned that some plans use that in premium setting and in underwriting. Is
DR. GROSSMAN: I think what I meant to say–I think I said it–is that they
didn’t say that they wouldn’t do that. We didn’t have time, unfortunately, in
this study to actually get privacy agreements from all the plans and compare
them and do an analysis. I did notice from what I could access on the sites
publicly that–for example one of the plans in their FAQ said we will not use
this information to set premiums and we had some other plans who said we won’t
do this, but it wasn’t clear to me that they’ve explicitly said how they would
or would not use this data. In their privacy agreements, there’s these sort of
these you can use our website kind of agreements as opposed to specifically
geared to PHR’s.
MS. BERNSTEIN: I noticed that in Dr. Taffel’s testimony it also sort of
talked about this, but you have a statement that says information collected for
clinical use should not be shared with employers or insurance companies for the
purpose of underwriting except with consent. I looked at it and went, well, why
is it okay with consent and when would someone consent to underwriting? Are you
asking them whether they are going to consent then they’re likely to consent
but that’s not–that’s putting people in a position, which was troubling when I
DR. TAFFEL: Point of fact, every time you apply for health insurance you–we
all do–we put ourselves to say we consent to provide information for the
purposes of under riding. That is the way the system works. If we get clinical
information from a provider, that does not go back to the health plan. It
requires explicitly tacit permission. We feel that if the patient or the
physician ask that it go–remember, too, one of the things that happens, as
well, is in case management and disease management, the case manager and the
disease manager will talk to the provider and this is the information we need
to use for that. We’re not a health plan. If a patient says information needs
to go someplace then it goes.
DR. TANG: So my question to the panel is we’ve talked a lot about claims and
clearly the pre-population from plan PHR’s is really from claims and the
literature also clearly shows how inaccurate they are and that’s been
acknowledged and you can draw very false conclusions based on that. My question
is really when exposing this information to patients we need to have a better
understanding–we know how doctors, if given the opportunity to know this came
from claims data can interpret that–can patients do the same thing? That to me
seems a very important question. The e-patient, Dave, is one example of how a
patient reacts. Are there plans to evaluate how they are responding to it,
interpreting it, and the harms and benefits from that?
DR. TAFFEL: Again, from our perspective, we have a consumer view. To be very
honest, the consumers have not been that engaged in that. The number of
accesses that we get to that is relatively small. But, again, we don’t have a
full interactive PHR. We actually, oddly enough even though we’re talking about
PHR’s, we don’t consider ourselves a primary PHR, but we do cooperate with
those that have them. Having said that, again going back to the project that we
did with CMS, which was a PHR project, there was a lot of effort that went into
taking that data and putting it into layman’s language and processing that data
so that they could understand that.
It’s very clear that all the taxonomies, whether you’re talking about
administrative data or clinical data have very little meaning to the average
consumer. That is a big area for standards to come through. In clinical, we’ve
got some standards. We’ve got NCPDP for medication and Rx norms. We’ve got
SNOMED CT. But for the consumer, there is nothing. I think that is a necessary
first step to be able to put this into an understandable format for the
DR. GROSSMAN: I think this is an interesting questions. Some of the plans
have already been doing this on a paper-based version–so sending reminders to
patients about preventive care or sending drug alerts or other reminder
information to physicians as well. So some of this is merely a transition to an
electronic format. Obviously it has the potential to incorporate the
patient-entered data, as well, which then compounds this–is that better data?
Worse data? What do you do now that you’re interacting these two pieces of
I think that the consumer representatives viewed at least the reminder data,
in particular, as helpful as a starting point to remind patients. I’m not sure
without my notes because we talked to a lot of plans to say whether they’re
doing this in their paper-based versions or they’re doing these electronic
versions, but some plans said the idea is to go talk to your doctor about this.
So the idea is to start the conversation. Presumably, you hope patients
wouldn’t stop taking pills before they talk to their doctor or go get another
mammogram or whatever, but obviously you don’t know that.
I think the patient component and education component is probably important.
I think the health plans–you know, these are all very new and they have very
little experience. There were a couple plans that had been doing pilots with
certain employer groups or that kind of thing, but there’s not a lot of
experience with this, I think, at this point.
I think the physicians had a similar attitude that they have to the
paper-based notices that they’ve been getting or to phone calls, which is that
because it’s claims-based they often ignore this information and didn’t feel
that this was really anything different. Although, some physicians did say we
don’t do a very good job with reminders so in the same way the consumer
representatives thought this important that this is a way to trigger us to do
our job or to have communication with the patient. I think, like many of these
things, I think it’s a question of optimal information versus absence of any
information and you’re sort of in this in between state.
MR. HOUSTON: We are out of time on this panel. The good news, Paul, is the
next round you will start. I would say three things before we have a short
break. The panelists are invited to provide additional written testimony and
actually I would encourage them if possible if we could see copies of consents
and other materials it might help us understand how some of that occurs. Also,
would it be okay if as we are going through this if we have the opportunity to
ask you to respond to some written testimony because I think we’re going to
have some other questions based on our other panels, as well. So I hope you
don’t mind that.
Paul you’re raising your hand. It has to be brief.
DR. TANG: Can I submit a question for written response?
MR. HOUSTON: Absolutely.
DR. TANG: It’s very difficult for provider-based PHR’s to get
authentication. How do you really know who that person is? I imagine that’s
even harder for a plan that doesn’t have the same in your face kind of
encounter. So it would be very interesting to know how the plans authenticate
the other person. You talked about using ID and password–how do they
authenticate you are really who you are?
MR. HOUSTON: Thank you. With that we will break, but if we could follow up
in written testimony that would be very helpful to us.
MR. HOUSTON: Why don’t we get started here. The next panel, which is
Provider and PHR’s, we have Gail Graham, Anna-Lisa Silvestre, James Walker, and
Matthew Wynia. So I don’t know if anybody has a preference who would like to go
first. If not I’ll pick. Nobody’s saying anything so we’ll start from Gail,
since you’re closest to the computer.
MS. GRAHAM: Good morning. Today as we discuss complex and comprehensive
issues surrounding personal health record, my message is simple. We in the
Department of Veterans Affairs continue to lead and work in partnership with
other federal and private entities to offer tools that improve the quality of
health care. We assist both providers and consumers by enhancing continuity of
care. We do this together working in systematic ways in the service of our
consumers: the veteran users, their families, and the American people.
What matters most to the veterans we serve is not the VA’s advance
technology tools, but that these tools work for them. We established our
personal health record with that in mind and we have continued to enhance it in
forwarding with the consumer-driven model.
VA’s personal health record, referred to as My HealtheVet addresses veterans
as active consumers of their health care, empowering them to be true partners
in health care. This matters to them and to their families. It matters to the
American people who owe a debt to those who have sacrificed so much for our
country. As leaders in the development of personal health records, we in VA
have gained invaluable experience in establishing our dynamic, consumer-driven
PHR. One that embodies the high standards of privacy and security that
consumers have come to expect from VA.
At the turn of the 20th century, President Theodore Roosevelt
said far and away the best prize that life offers is the chance to work hard at
work worth doing. The employers and leaders driving this technology know there
is perhaps no more worthy than caring for those who have served the nation in
uniform. Our work on behalf of the veteran and therefore their families and the
legacy of the American people helps fulfill what our first president called a
debt of gratitude to the veterans of our military forces. Ladies and gentlemen,
at this time, with those words in mind, I share with you the following video
that really gives the testimony from our veterans and their families who have
been using our personal health record.
MR. HOUSTON: While we’re trying to get that set up, again, because this is a
larger panel we want to allow adequate time for questions, if we can try to
keep our comments to about five minutes if at all possible.
MS. GRAHAM: We’ve responded to the questions on many of the things you’ve
asked in previous panels. We’ve grappled with those as I’m sure you’ll hear
from my colleagues. I think one of the most important things for VA is that the
features, the functionality from the ground up have been determined by those
who have used the product and used the services and I think that’s a very
important aspect to engage all consumer, not just veteran consumers. I’d be
happy to answer questions after the panel presents.
MR. HOUSTON: Thank you. Anna?
MS. SILVESTRE: Hi. I’m Anna-Lisa Silvestre from Kaiser Permanente, which is
the nation’s largest non-profit health plan. Today I’m happy to share that
through the use of the PHR on our online website kp.org, we have convincing
evidence that consumers will engage in online health services and through the
use of looking at clinical data, be supportive in their own decision making and
strengthen relationships with their providers.
Today 3 million of our 8.7 million members are active users where about 50
percent of those who are eligible to use online services, those 13 and older.
Through proxy we reach another several hundred thousand members so, for
example, today I am able to go online and act for my father who is 92 and while
he has held a computer in his hand is unlikely to ever get through the
registration process and really use online services in a very deep and
meaningful way. But through the services I am able to view my children’s
records and also go on and observe and be part of the care that’s being offered
to my parents.
We believe that important capabilities of a PHR need to include clinical
transaction capabilities such as refill and appointments, connectivity with
pharmacists, nurses, doctors and other care providers through secure email,
online health behavior change programs that allow members to take action once
they have viewed part of their health record, and of course being able to see
the health record, itself, which includes immunizations, allergies,
medications, and health problems.
Our PHR is considered to be an integrate PHR. I know there have been several
terms floating around for what an integrated PHR or portal view into the EHR
is. We have active plans to continue to expand the capability to allow for
patient-entered data, which would likely be stand along and then through a
careful process we’ll be looking at what patient-entered data becomes part of
the electronic health record. In an integrated system it won’t be as easy as a
patient being able to say I want all of this in my record, however today
members can request a change to their record if they notice an error in their
chart or missing information such as an immunization or a surgery that was done
outside of Kaiser Permanente systems.
We believe important parts of a PHR include interoperability and portability
so we’ve started efforts to understand how members could request a copy of
their health summary be sent. We’re testing that with Microsoft today, a very,
very small pilot, to really look at whether a copy of the health summary can be
transferred safely, securely and whether the data at the other end passes the
authenticity and the non-repudiation tests.
To move this forward we’re going to need a level playing field, we believe,
for privacy and security across all parties who offer some sort of PHR to
consumers. Today, as we’re well aware, HIPAA covers those largest entities, but
PHR vendors at the other end of this space are not required to follow those
same rules. I think from the consumer’s point of view, to gain trust about
having their data moved across various parts of systems, they’ll want to
understand there’s a level playing and they can be assured that security and
privacy rules and standards are consistent. We know that consumers will trust
and use online services in very great numbers when they believe that trust and
security is in place.
In terms of the issues around security, privacy, and confidentiality, we’ve
worked for over ten years in this area. I believe we have probably the largest
set of data about what happens when data is exposed to patients and how you
handle breaches in privacy notifications. We believe very strongly that there
shouldn’t be any kind of rule that tells plans or other PHR’s that you have to
do reporting within a very short time frame. Our experience is that it can
often take days and sometimes a week or longer to uncover where data has been
tripped and exposed incorrectly.
We continue to have instances where consumers actually don’t recognize their
own data when they see it online, which would be a little bit hard to believe
but people will go in for care or go in for a treatment or procedure and
sometimes a doctor’s name is put on that ordering procedure and when they get
it back online they don’t recognize the name of the doctor. So in a number of
cases and regularly by telephone we coach and counsel members to understand and
accept the data in front of them, which in fact does belong to them.
So I’m happy to talk further about those processes in place. We also have a
great experience in managing privacy. I call it the dysfunctional family
relationship set. It really spurs a lot of unauthorized attempted access to
records. For anybody managing PHR’s, there really needs to be a process in
place that helps to untangle those. Our systems are set up so that a member is
notified if someone is trying to set up an account. Probably one or two times a
month we find that an unauthorized person–sometimes a mother of an older teen,
sometimes grandmothers, sometimes ex-wives–will attempt to set up an account
in someone else’s name.
So we’re pleased to talk more about any of these areas. Going forward I
would say that we’re considering also how we are going to accept claims data
into the PHR. Today our system is really based on clinical data that is
available in real time. So members can view a lab test that was done in the
morning and be able to take action on that. Understanding how we’re going to
accept claims data into the record is I think more of a challenge. I heard
other speakers this morning consider that and what I think is helpful is to
understand claims data from how it relates to episodes of care in terms of
dates of service, where treatment or services were provided, names of
providers. In our view, claims data is not actionable for clinical decision
making either by the patient or the provider given that claims data is often
inaccurate and does not really provide a true view of the diagnosis at the time
of the visit.
So I’ll wrap up there. Thank you very much for having us this morning.
MR. HOUSTON: Thank you. Dr. Walker would you like to go next?
DR. WALKER: Good morning. In case you don’t know Geisinger, we’re a health
care system, three hospitals, 38 clinics in about 30 counties of rural
Pennsylvania. We have an integrated EHR that runs across in-patient/out-patient
health information exchange, other forms of outreach EHR, and a networked PHR
that serves about 123 thousand patients, about 25 percent of the patients with
whom we have an ongoing care relationship.
I think the most interesting theme to you about our PHR is that over the
last two or three years it’s become obvious to us that the PHR fundamentally is
a critical tool in designing and executing value-added care processes. Care
processes, which measurably improve quality, which measurably decrease costs
and in which both the patient as one of the primary stake holders and the
clinicians feel more satisfied with their relationships and the care that’s
given than they did before.
If you start to look at health care in that way then you obviously need a
tool like our network PHR that lets the patient see their medicine list, see
their lab results with the clinician’s interpretations and recommendations
related to them. It enables secure e-messaging back and forth between
physicians and nurses and patients and others. It enable care givers to apply
for separate access with the patient’s consent, and obviously then we have lots
of 60 year olds who love the PHR not because their data is in it but because
for the first time they know what their 80 year old parents appointments and
medicines and upcoming tests and all of those things are. We’ve actually had
cases where 60 year old surrogate users arrange for office visits so early that
their 85 year old parents didn’t have to be hospitalized for pneumonia, which
is almost unheard of. It also provides our 80 year old patients the
opportunity, anywhere there’s an internet connected computer–so we had an 80
year old who sent me an email that said I can’t believe it, I was in Maine and
I got sick and the doctor sent me to the emergency room and I showed them my
record and they nearly fell off their chairs and said they could take care of
me a whole lot better with a whole lot less fiddle diddle.
So, clearly, for us the PHR has become one of the ways we engage patients
more and more and all of the health care team in really high value processes.
One of the things that you find when you start doing that is that you need lots
of outside data. You need hemoglobin a1c’s from outside and x-ray results and
ED visits and discharge summaries from outside summaries so one of the things
that we’re doing, rather than just dumping all of that on the physician’s desk,
which is in many ways the operative model, is creating sort of incrementally a
data management center where all of this information comes and is preprocessed.
Lots of it never needs to go to a clinician’s consciousness. Lots of it just
needs to be in the record. Some of it is acted on by protocol without any
clinician being aware of it. Some of it needs to go to a nurse. Some does need
to go to a physician and what we’re working out is a system where all of that
information is received, analyzed, and then sent to the right place and acted
on in the appropriate way.
I think that bears on the discussion that we have here. One of the tricks
with free-standing PHR’s, with insurer-populated PHR’s is that all of that data
needs to be interpreted by somebody and, by the way, we don’t have a shred of
evidence that we can do that in any automated way that is safe and effective.
One of the things I’d say is that one of the things we need is research so that
when we’re talking about, well, we can mask this automatically or we can manage
this level of granularity with software, it would be nice to have a study or
two that showed that we actually can. Right now we just don’t have it.
So on to security and confidentiality. We worked very hard at that. Some of
us sometimes think that the information safety office and the privacy and
security office work too hard on it, but we have for years now worked very hard
at securing information and educating patients ongoing on the efforts that we
make to keep their information secure and all of the different options they
have to let us know if there are problems. One of the gratifying things about
having this information is that occasionally we’ve had to fire an employee or
provide information–someone who was an employee had access to patients
records, but often what we can do is provide conclusive evidence that a spouse
has not accessed the patient’s record when they were afraid they had. So it
does cut both ways. and in our experience and in multiple feedback groups of
patients over several years, the vast majority of patients finds the access to
information both to them and for their physicians and their sense of security
about that information very satisfying.
I wanted to comment on the earlier discussion just briefly. I think masking
data is a very powerful idea. One of the things that we currently do in our EHR
is if a patient is in a study and they’re on a study drug, either that or
placebo, that’s noted in the EHR on the problem list–it says the patient is in
this study–but nobody can tell whether they’re on the placebo or the active
drug. Drug/drug interaction checking runs as if they were on the active drug
and if it fires an alert, then the clinician has a phone number that they call
24 by 7. They say I’m seeing a patient and I need to give them this medicine
and it’s a life saving medicine and I need to know what’s going on with that
other medicine because I got this alert and I need to know if I can do it or
not. That other person, not some automated rule, helps the other clinician
assess the relative risk and benefit and, if necessary, breaks the code and
tells the clinician whether or not the patient is on the active drug.
Clearly, when we talk about break the glass, it seems to me at least, that
we have a broken model in mind. I can say, yeah, I need it and bam go see it.
It can easily be a situation like that where what I get is a phone number and
if I’m in the emergency room and I’ve got an obtunded patient, I can see
there’s a phone number behind this masked information, call that number and say
I’ve got a patient unconscious in the emergency room is there anything I need
to know. That psychiatrist or whoever it is could look at that patient’s record
and say no there isn’t or say yes they have two previous attempted suicides
So there are solutions that we haven’t really discussed yet that would
preserve patient security and privacy in very substantial ways without making
that information completely unavailable to people when it’s genuinely needed.
I’m probably at 5 minutes.
MR. HOUSTON: We’re not completely strict on that, but it’s keeping to that
general timeframe. So if there are any comments you’re more than welcome, but
otherwise Dr. Wynia?
DR. WYNIA: Yes, good morning. I’m Matt Wynia. I direct the AMA’s Institute
for Ethics. I’m also a practicing physician. I specialize in infectious
diseases at the University of Chicago. First, I want to thank the Subcommittee
for inviting me to speak with you today about physicians’ views on personal
health records. I have to make a quick disclaimer, which is I think the reason
I’m here is because we did a survey within the last year on physicians’ views
on personal health records with the Markle Foundation. So I’m going to give you
some results of that survey. I’m also here from the AMA and so I’m going to try
to be clear when I’m talking about survey results or my own opinions and when
I’m saying this is what the AMA’s position is on something because those are
not always exactly the same and there are plenty of issues where the AMA does
not have a formal position yet. These are new and emerging technologies. The
other disclaimer, by the way, is this was a survey on physicians’ concerns
about and potential barriers to adoption of PHR’s so I may end up sounding less
enthusiastic when in fact I personally am and I can certainly say that the AMA
is strongly supportive of effective patient/physician communication and sees
personal health records and other electronic methods as a valuable adjunct to
direct communications. We see great opportunities for the use of PHR’s to
improve patient care.
The survey that we did with the Markle Foundation took place last year in
the latter part of 2008. It was a national random sample survey. We asked
physicians about a number of issues ranging from potential uses of PHR’s to
risks and costs of PHR’s. We had a section, which I was not intending to talk
about, on patient’s asking doctors to withhold specific information from their
record and patient requests for doctors, when they transfer records from one
party to another, to withhold certain pieces–so the masking issue was
addressed in the survey. These are all unpublished data at the moment. We gave
you some looks at the data in the written testimony and I’m certainly happy to
share more details during the day today. One caveat, these are, we recognize,
sort of a snapshot in time. As of mid-2008, only about 10 percent of doctors
really knew anything about PHR’s in a sense that they had a meaningful
experience using a personal health record with a patient on a national basis.
So many of these physician responses are not informed by actual use, they are
more concerns informed by the way they practice and their concerns about flow
and their concerns about privacy and so on.
So most physicians did express some degree of concern about incorrect
information–that privacy protections might not be adequate, that patients
might omit important information from their PHR, that they might be deluged
with raw data, and that they could be accountable for being aware of,
analyzing, and acting upon these data, by the way, while receiving no payment
for any of that work. In our written testimony, again, I provided some detail
on each of those, but I’d like to call your attention to two basic issues in my
few minutes this morning.
Privacy and confidentiality were very high on the concern list, but we’ve
talked about them a lot already so I’m actually going to focus on two other
areas, which are related and have received a little less attention, although
they have come up repeatedly this morning. Those are ensuring the quality of
the data that you’re seeing as a clinician and ensuring the utility or what I
think I’ll call clinical interoperability. On the data quality issues, many
physicians, the great majority–75 percent–are concerned that PHR’s might
contain incorrect data. The recent stories about using claims data to populate
PHR’s I think have borne out this concern.
One proposed set of solutions has been that patients should be more
proactive about managing their PHR and they should sit down with their doctor
and discuss what’s in the PHR and reconcile what’s in it with clinical reality.
That sounds like an ideal kind of solution. The problem is there are patients
who are not up to managing their PHR’s proactively and where does this
conversation to reconcile PHR data with clinical reality fit in the relatively
long list of things you’re supposed to accomplish in an increasingly
constrained patient visit. So in our survey, 60 percent of physicians were
concerned they would not be reimbursed for the time it would take them to sit
and ensure with the patient that the data in the PHR were high quality data.
That could be a significant barrier, actually, to adoption.
This relates, by the way, to the issue of the cost of implementing the PHR.
Sometimes we think about the cost only in terms of the cost of buying a system,
but using a system has costs as well. So the total cost for a clinician to use
a PHR means that even a free product is not really free if it entails time to
aggregate, organize, analyze, and then act on the data. So one physician has
been quoted saying, “The last thing I want is for my office staff to have
to deal with patients arriving at the front desk with multiple proprietary
PHR’s, in a host of different formats, containing all sorts of unverifiable
I think that kind of encapsulates this concern.
Data quality is also related to the sourcing issues that we’ve discussed
earlier and to notification of the clinician when PHR data are being masked. 84
percent of physicians are worried that patients might omit important
information from their PHR. So the masking issue is very much in the forefront
of many physicians’ minds. I don’t have the perfect solution to how to handle
that, but just to be aware that if we want doctors to use these in clinical
decision making, we have to be aware of these concerns.
At the same time, many doctors recognize that no one holds the complete
truth. 38 percent said that giving patients access to their EHR records would
actually provide a valuable check on the record accuracy. So many physicians
recognize that kind of reconciliation of my truth and your truth is a way to
build a better partnership and come to a shared understanding of what’s going
on and how to manage it.
The second issue I wanted to spend just a minute on is interoperability.
There’s been a lot of discussion about what I would call electronic
interoperability, which is to say the ability to transfer data from one source
to another and maintain accuracy. That kind of interoperability is very
important for reasons that haven’t come up much yesterday or today. One of the
reasons is that one of the costs for patients and doctors of investing in a PHR
is that over time it actually could become difficult to transfer records from
one place to another if this interoperability is not handled well. I call this
the TurboTax trap. It’s because I use TurboTax and I love TurboTax. I have no
problems with it so I’m not ragging on TurboTax, but if I wanted to start using
Tax Cut software tomorrow, it would be a huge barrier to my moving because I
can not translate all of my information from one product to another. I would
have to start from scratch and TurboTax has all of my information for the last
ten years. I know how much difficultly this would pose because I actually had a
computer crash a couple years ago and had not backed up my TurboTax for the
year. It was a major problem. It was hours and hours and hours of my time to
So if that lack of interoperability comes into play, then this notion of
consumer choice becomes somewhat illusory. If you don’t have easy
interoperability it would be possible to have a PHR product that, for example,
could be changed unilaterally after you’ve made this big investment. Small
print becomes a big issue. Transparency–actual transparency in a way patients
can understand becomes an issue. It could be that you are, for example, given
incentives or even coerced into signing up and putting all of your data into a
PHR because of an extra payment that you receive at work and then find later
that it’s difficult to change to a different product or to limit the uses that
those data are being used for. So just saying choice isn’t enough. Fair
contracting requires standards for transparency, the existence of legitimate
options, and easy ways to transfer your business somewhere else.
The clinical interoperability function, though, is more I think what Dr.
Walker was just talking about, which is we need to be able not only to transfer
data in a pile from one source to another, we need in some way to analyze,
organize, and create meaningful utility out of that data as it’s being
transferred. I think one of the main things that I’ve come to learn in my work
on this topic is that more raw data is not necessarily better. There’s a series
of studies in cognitive neuroscience on how people make decisions. It is far
from clear that just giving me a big data dump that includes all of the blood
pressure, glucose, cholesterol, and weight readings for all of my patients
taken daily at home, is actually going to improve my clinical decision making.
In this regard, I think that effective PHR use is going to require that they
include clinical operations to digest and organize and analyze data as they
come in. From a clinician’s standpoint, a data repository is not actually all
that useful. You need to have triggers, alerts, educational products linked to
data and so on.
75 percent of doctors in our survey were worried that they could be held
liable for knowing all of the information that’s in a PHR if they’re given the
key. So if I get the key to a patient’s PHR and I now know that that now makes
me responsible for knowing everything in it, including data that are added
between visits, then I actually don’t want that key, unless it comes with a
promise that I will be notified when important data are added and that there is
some kind of functionality to screen those data to make sure I’m not getting
dozens or hundreds of irrelevant alerts every day. There have been a number of
studies recently about how doctors handle alerts. I’m sure you’re familiar with
these. We ignore most of them because most of them are easy to ignore and maybe
should be ignored, but that leads to a pattern of behavior which is not
necessarily healthy either.
I think the window of opportunity to address all of these concerns is open,
but it’s actually short given the requirements of the ARRA to have standards
for interoperability published by December. So I’ll summarize just by saying,
again, I’ve laid out problems and I sort of want to apologize for that because
I’m actually a proponent and the AMA is a proponent of using electronic data
interchange and PHR’s to improve patient care and the patient/doctor
relationship. I think the basic lesson from our survey is that the data in
PHR’s needs to be of good quality, secure, and in a format that is clinically
useful. It can’t simply be a data repository, unchecked with piles of
information that doctors and patients are expected to sift through and then be
accountable for. That could actually be harmful for decision making.
I’m going to stop there because I know I’m over my five minutes. I just have
MR. HOUSTON: Thank you everybody for your testimony. We are going to take
some questions now and keeping with my prior comment I’m going to start with
Paul Tang and work around the table in the opposite direction.
DR. TANG: Great. Thank you. I’ve enjoyed all of the testimony we’ve had in
the past couple days. I think there’s been a palpable difference in what I’m
going to describe about this one. We talked a lot about theoretical and
theoretical benefits and costs, but here we’re talking about people who live
and breathe and have real and substantive and quantitative material to present
in terms of the benefits and the costs of using these things.
We’ve heard about the quality of care and the satisfaction of both the
patient and the health care team and the penetrates–less than one percent,
perhaps, for the claims-based plan provided version and 50 percent in the
provider-supplied version. So I’m trying to figure out what are the key
differences. We’ve talked about the quality of the data across the board. We’ve
talked about interoperability and privacy protection, which is the topic of
this one. So what are the recommendations that we could provide from a policy
point of view. Interoperablity is being covered by the Recovery Act.
Privacy–and I don’t think you can regulate quality of the data–but privacy
is something that we could potentially regulate. One of the things that
Anna-Lisa mentioned is leveling the playing field so that we understand and the
patient understands what is the benefit of dealing with a covered entity. There
is a floor. So what does the panel think of the need for whatever that vehicle
is–regulation or legislation–that would put a floor on how you protect the
privacy or confidentiality of health information for the non-covered entity? So
that’s my question for the panel.
MS. SILVESTRE: Without going into a long discourse about technical
standards, what I know about the efforts that we’ve made and those of other
large integrated systems is a considerable investment in understanding the
security system behind what you’ve built. One thing is you’ve got to bake that
in from the beginning. Security and privacy is not something to add several
years later. It has to be thought through at the beginning and a continuing
investment needs to be made.
I think it’s hard for consumers to interpret privacy policies. I think
they’re not well written. It’s like all of us, I’m sure, go to websites and you
get this terms and conditions and it scrolls for pages and you go straight to
the box and if you really want to do something, you just click the box. We know
that some people read it word for word and when ours changes we have people
that track the changes but that’s a small percentage of people today. So I
think standards around lay language in privacy policies would be attainable. If
level, that actually would help a lot. I think it’s hard to legislate here’s
how you need to make the investment in the back end, but you could write
standards for how you need to explain what’s being used, how it’s set up, and
some standard capabilities that every PHR would need to answer to. Some of
those standard questions are how do you store the data, how do you use the
data, how is the data shared, and just sort of a template of how you could
explain that in a standardized way across all, even without extending HIPAA
protection across non-covered entities might be a very good start.
DR. TANG: Let me clarify the question and see if I can interpret your
response. So my question is should there be a reg or a law that has a floor on
the protection of health information entered in PHR’s? Did you say the reg or
MS. SILVESTRE: I think it’s both. I think that there should be a floor
because I think there should be a level playing field, whether it’s HIPAA or
not HIPAA. Consumers will trust and use online services, but they have to go in
with a feeling of trust and if that’s not there–I think people don’t
understand what HIPAA provides them. I think HIPAA gets bashed a lot and, in
fact, I think HIPAA has done a lot of very good things for large systems to
help us protect the data and pay attention to how it’s protected.
DR. WALKER: Paul, I’d break that into two levels. I think there are some
groups that need motivation–we probably all need motivation, some need it more
than others do and I think that should be part of the floor. I think the other
side of that is if you are motivated to protect patient confidentiality, it’s
very, very difficult. We probably spent several hundred person hours reviewing
national policies, state requirements, and our own existing policies.
One of the things I did was we completely revamped our own general patient
protection policies in the light of that review and then created those very
complex–maybe they don’t look complex to you–agreements that various people
can do so that a parent can have access to an eight year olds record. That’s
critically important. If you have an eight year old with diabetes, having the
parent be able to work with the patient and say they drive two hours to their
diabetologist, which is nothing unusual, the ability to have the parent and the
child work together and sort of keep that care process going in between fairly
infrequent visits is critically important clinically, but it took us forever to
work out how we could do that. We have colleague organizations in other states
where at least their interpretation of the state law is that it forbids them
doing that at all.
So I think there are two levels. One is just giving us all a kick in the
butt to do it. Then the other is really looking carefully at all the things
that make it hard to do well and addressing those.
MS. GRAHAM: I just wanted to add–I won’t speak for Kaiser, but for those of
us that cross state lines and cross the nation, this consistency in message is
very important. I don’t think the average consumer knows that you are probably
a little bit safer going with a provider-based PHR than not just because of the
protections that come with it. I think that normalizing the information that
goes to the patients across the country and putting a floor in place so that
it’s a level playing field. Even to protect those consumers that don’t ask the
questions is really the right thing to do.
DR. WYNIA: So, three quick points. One, I actually have a statement here
that the AMA Washington staff drafted for me so I can say, with clarity, that
the AMA supports federal efforts to apply the HIPAA rules to directly cover
additional parties involved in the electronic exchange, storage, use, or
handling of health information not currently covered by HIPAA. So with regard
to PHR’s, the AMA is in support of extending HIPAA privacy protections.
I can also tell you a little something about–and this I found interesting,
actually, in terms of our survey data–not surprising, two thirds of doctors
believe that PHR’s might not have adequate privacy protections right now. More
surprising, two thirds of doctors–61 percent–said to promote record sharing
there should be better enforcement of current privacy laws. You almost never
get doctors saying there should be better enforcement of existing law. Now,
granted, this is in the context of a survey about these issues, but it does
give a sense that there’s a little more nuance to understanding both the pros
and the cons of the HIPAA regs amongst the clinician community. I think it’s
common to think doctors don’t really understand or know much about these and
there’s probably some truth to that. We’ve done other survey work around HIPAA
and that’s probably true. Nevertheless, the concern with privacy is strong
enough that it’s driving some doctors to say it should be enforced even better
than the onerous rules that we already feel we live under.
The third thing is, just on a personal note, I would absolutely endorse the
notion of better transparency and literacy and cross-cultural issues, looking
at how we communicate information in consent forms. Most of these are more like
notifications because, in fact, when you’re signing up for something, you’re
probably going to sign up almost–you know, if your employer’s offering you one
of these and they’re giving you 50 dollars a month in credit in order to start
using it you know people are not going to look at the small print. So if
there’s something worrisome, it needs to be there.
That goes back to the point I made earlier about changes in these contracts
over time–about making it easy for people to block specific uses over time. I
almost wonder if one of the models for how you think about these contracts
would be the credit card regs that have just been revised. You don’t want it to
one of these products. I’m just thinking off the top of my head but I wonder if
there’s something to be learned from other regulatory environments where a
change in the existing contract may be of real meaning to the consumer end and
they may not feel like it’s all that easy for them to walk away from this
contract, even though it’s changing on them.
DR. TANG: So to summarize, you all seem to indicate you thought there should
be a floor that was easy to understand and that was uniform across the country.
MR. REYNOLDS: Thanks to all of you. I’ve touted you numerous times as we’ve
watched each of you–a lot of us, as we look around the country. You’ve done a
great job so effective immediately, you no longer get to work in your closed
Help us understand that as we take the successes that you are clearly
stating–and Paul said it eloquently earlier–and now as we try to write
considerations to the world out there where there are docs who don’t have
anything, there are consumers who are not a part of your environment, and we
have to bring everyone along. As you take your successes and now you translate
it to the rest of the world that’s out there that we’re trying to move along
that doesn’t have quite as clear and precise management and agreement process
as you do–it’s a bit more open out there–what are the things that we need to
know and what are the things that we have to make sure get put forward–we’ll
stay with privacy and security for this time, that really are going to allow
the rest of that group that isn’t anywhere near where you are come along and
make sure that the things are in place to do that?
MS. GRAHAM: We talk about this a little bit in our written testimony but
right now for full access to your electronic health record information, for VA
we’re still in this in-person authentication mode. I think greater clarity for
acceptable online authentication would both increase our usage, but we’ve seen
that it is essential for an uptake in the private sector and if we really
believe that these benefits can be propagated outside our own organizations we
know that is a major hurdle right now–the need for online authentication.
MS. SILVESTRE: We’ve–at Kaiser Permanente–really pushed the envelope on
making authentication as easy as possible. So we’ve noticed a huge uptick in
usage once we went to online authentication that is used by the financial
industry. So today if you apply for any kind of credit or open any account
online through a financial institution, chances are you can go through a system
where you get asked four questions from public databases and if you pass three
of those four then you are able to get a password right away and use the
That system, which was a very challenging initiative to put in through
health care, a lot of queasiness and qualms about asking consumers who are in a
medical care situation questions that come from other parts of their life and
their past. Let’s just say it took over a year to get that through our
organization. Now that it’s through and we can work with the vendor on fine
tuning those questions, that has removed a significant barrier to usage. I
think the VA and other systems still require patients to come in in person and
sign forms and show identification and that kind of process, especially if we
want to reach the huge number of people who don’t have very many office visits,
what we’re really saying is you’ve got to go drive in and authenticate in
person. While that’s a very secure method, we can learn much from other
industries who are much more advanced in how they use online systems than in
So we tried that. We were first out there. We have a lot of good learning’s
about it. We should probably publish those so that others can understand. We
actually do share pretty openly how that works and who the vendor is and what
MS. BERNSTEIN: Can you just give me a quick example before we go on about
the kinds of questions you’re talking about? Are you talking about, you know,
how much is your monthly mortgage payment?
MS. SILVESTRE: Yes. So you would be asked questions. Here are four answers.
Tell us what your mortgage payment is. One of my favorites because I did this
for a financial institution and I kept having to yell to my husband in the
house, what was our address 12 years ago. It was an address form 20 years and
that brought up this I didn’t like where I lived then, I didn’t like my life
then, I don’t want to have to remember that address. But it does ask you
personal questions that come from public databases. I think we’re always a
little surprised to understand how much of our private data is available.
MR. HOUSTON: I think you referenced in your testimony, though I can’t find
it, the service that you are using.
MS. SILVESTRE: It’s RSA.
MR. HOUSTON: Thank you.
DR. WALKER: Why don’t you let me respond to Harry’s, if you would? I want to
go back to the two level. I think one of the things would be to have a clear
floor and you just have to do these things to do a PHR. I think at a second
level, if there were a voluntary best practices set that an organization could
say we’re going to agree to do all of these best practices and if we do all of
those best practices–someone could certify that in some reasonably
cost-effective way–then there would be a set of tools that would go with that
and there would be a consent form and consent form for surrogate users and for
children and a whole set of supporting tools. Instead of the organization
having to be robust enough or crazy enough to expend a huge amount of
resources, creating those and maybe getting half of them wrong anyway, you
would be able to sort of have that whole set of tools so that if you’d say,
yes, we’ll agree to use sixth-grade reading level in all of our communications
and to tell them about this and to tell them when there’s changes–all of the
things you can’t get into statute and reg but would be good ideas in almost
everybody’s mind–then you’d have a situation where an organization would have
a very powerful motivation to accept that voluntary set of standards and then
have a set of tools to execute them and cut the costs probably by 80 or 90
DR. TANG: My follow up question to Anna-Lisa is the notion of online
authentication using publicly available information–doesn’t that seem the
antithesis of secure authentication because you, yourself, said you have to
deal with the ex-spouse. Wouldn’t the ex-spouse have access to the
exact–first, wouldn’t they have access to their personal information, but more
importantly since these are all publicly available why wouldn’t anybody be able
to do that?
MS. SILVESTRE: Right, let me explain the end to end process. So the online
authentication is only the piece that gives you the password. You have to start
in our system by giving us your medical record number, your date of birth, and
your address. Then you can get an instant password by answering three out of
four questions correctly. We also send an email to you saying you just
requested a password and that gives the alert if somebody is not who they say
they are but it is possible.
In any situation today I have, for example, enough of my parent’s personal
information. I know their social security numbers, I know their address, I know
their phone number, I know their medical record numbers. I could go in a create
accounts on their behalf. So we’ll never have a secure enough method unless I
think you’re using biometrics to individually certify that every single person
that sets up an account is who they say they are but there are enough
safeguards in this system by notifying people when we are sending up something
in your name and asking some personal information that prevent unauthorized
MR. HOUSTON: Is it possible that Kaiser could submit–do you have something
like a white paper that you have on this? It might be interesting for our
committee if something like that is available. If it’s not, that’s fine too.
MS. SILVESTRE: I can see what we can do. Give me a couple weeks.
MR. HOUSTON: Great. Thank you. Leslie.
DR. FRANCIS: Something that you all have touched on but that hasn’t gotten
maybe as much attention over the course of things–and I’d love to hear your
thoughts about it–is audit and notification. That’s something that pretty
readily available to regulation and also we know that one of the things that
really worries consumers is the possibility that somebody might have access to
their information and they may not know.
I know one of you, I think it was Anna-Lisa, commented that policies that
are really draconian–you have to get it tomorrow are a problem. I think it was
you who said something about not wanting to have policies that require–about a
breach? Yes. Right. So what I’d like to know is what your policies are about
whether you tell people automatically, think you should tell people
automatically? What kind of notice policies about who has accessed their data
you think should be in place? What you have? What you think should be in place?
And perhaps if you have any data about what providers think would be a good
idea about what we ought to do about letting consumers know who has seen their
MS. SILVESTRE: It is our standard business practice and was before state
laws kicked in on privacy–California has some very strong privacy state laws
about notification of suspected breach both in the financial and in the health
care industry. Our standard business practice is we do notify every patient
where we then have a confirmed care where their data has been accessed or
shared by others.
It starts to get really tricky because PHI has got a standard definition of
HIPAA but is first name only a disclosure? Is last name only a disclosure? What
if it was just a partial of your street address or just your email address?
We’ve had a situation where running a test script email addresses were
disclosed inadvertently. So that’s a tough one where you could say by strict
PHI standards that’s PHI, an email address, but is it really a breach of your
personal health information. It didn’t have anything about any part of your
care, just one piece about you.
So the more you parse it, the trickier it becomes. If you’ve got breaches
that cross several systems and you have several different data sets, that’s
where–you know, the more complex the system, the larger the volume that you’re
running, the more unlikely it is that within a 24 or 48 hour or even 3-day
period you’re really going to have confirmed what data was shown to what other
person inadvertently. Then, again, defining what PHI is.
I think we’re all clear that if my personal health record that contains
sensitive mental health diagnosis, sensitive health information diagnosis,
drugs, street address, medical record number was disclosed to somebody else
then that’s a clear breach. It starts to break down as you get more into the
finite details. So I think it should be standard business practice for any
business today to disclose whether your information was shared with someone
else. I know I got a notice from DSW Shoe Warehouse–I was quite disappointed
that breaches had gone all the way into the shopping realm.
DR. WALKER: In terms of audit and reporting to patients, we audit very
carefully who accesses their record. We don’t send out that to the patient as
raw data. If the patient asks we provide it. That’s another one of those
situations where no one’s actually tested what happens when you give that
information to patients.
We had a case years ago in another life where a VIP was admitted to a
hospital was there about 36 hours and there were 69 accesses to their
electronic record so we assumed we had a problem. We went through it very
carefully. It turned out every one of those people had a care relationship with
the patient. So the way health care is set up, patients end up being cared for
or having contributors to their care who they would have no idea had ever been
related to it. So you can imagine sending that list of 69 providers to a
patient without any interpretation–what the effect could be of that.
MS. SILVESTRE: We would not advocate for keeping a database alive of who has
accessed your electronic health record. The storage space for that alone–and I
put that in my testimony–would just be enormous in real time. If you wanted to
go in and say who’s looked at my EHR within a given system, that’s a really big
DR. WALKER: But we do that routinely and provide it if the patient asks for
MS. GRAHAM: I just wanted to add the PHR for us is very, very different. We
make it clear from the beginning to the veteran that while the servers and the
databases are behind the VA firewall, it’s really their information to control.
We are testing delegation. Delegation will include delegating to a VA provider.
The only connection that we currently have is by volunteer of the patient
wanting the provider to participate. Then also on our electronic health record
we tell the provider this person has a My HealtheVet account so that if they
want to use that as a teaching tool because we do have teaching aids and health
diaries and things within in it. But, as Anna-Lisa stated, in VA we follow the
same privacy breach regulations we follow for any information that we hold
within our organization.
MS. SILVESTRE: Kaiser Permanente recently took care of a very well known
patient in the state of California who delivered multiple children. There were
a number of individuals within the care system who had unauthorized access and
did access that record. They were all terminated or resigned. So we took really
swift action on that and there is also a way within I think most care systems
to block access to records for somebody who has a high profile of any kind.
DR. FRANCIS: Excuse me, could I just follow up. Did the patient know of
MS. SILVESTRE: In this case, yes. It became quite public.
DR. WYNIA: I just want to note that, first of all it’s fascinating the
discrepancy in how easy or difficult it is to maintain an ongoing, active audit
process. I think we heard yesterday as well from one of the other folks that
they maintained a list of who has accessed the data. The question about whether
patients would know what to do with the list of–I think Mark Siegler, ten
years ago, showed that something like 75 people have legitimate access to your
medical record any time you’re admitted to the hospital within a day. Most of
those people’s names you would not recognize. Whether it’s useful to provide
that to patients is another question.
We did not ask about audits, per se, but we did ask in the survey about
patients requesting that you withhold some of their data from some of the other
providers taking care of them. It turns out that’s actually very, very
uncommon. The vast majority, 94 percent of doctors, said they basically never
had that kind of a request. So I don’t think, unfortunately, that solves the
problem because for that five percent or for that one patient that really
doesn’t want that information to go to their dermatologist, it’s a big deal.
But it’s not a common scenario.
MR. HOUSTON: Thank you. I’m going to shift gears slightly because I want to
talk about proxy for a few minutes. There’s sort of two ends of the spectrum
with respect to proxy and I look at Gail and I realize that VA only has to do
deal probably with one of them, which is the elderly population, but I’m very
much interested in both sides. Working for health system in Pennsylvania like
Dr. Walker, we had to deal with rights of minors and their ability to
separately consent for STD treatment and mental health treatment and things of
that sort. I know we wrestle with what type of proxy access do we make
available to parents or caregivers–people who are responsible for according
care? How much granularity do we have? How much access to the record do we
provide? How do we manage it to ensure that not only do we meet the reasonable
expectations under the law but also make sure that the patient receives
appropriate care? Clearly with the elderly population it’s a huge issue as
I would just like to get your insight as to how you deal with proxy and what
are some of the real world issues that you had to deal with when developing a
proxy schema within your PHR.
MS. SILVESTRE: Well, now we could be here for a couple more hours. We are
very, very deep into this issue. We’ve extended proxy, what we call the first
phase, adult to adult. So if you are a member within the system you can assign
proxy to another individual and it doesn’t matter whether they are related to
you or not related to you because many caregivers are not related. So we have
adult to adult proxy in place. I have that in place for both of my parents.
We have adult to child, however the complication there is that by state law
at 13–that varies by state so that’s even trickier–then children have a right
to receive confidential services without parental notification. So what we’re
building now is a way to mask the confidential information so that parents can
be proxy and view legitimate parts of the medical record like immunizations is
probably the most important and being able to email the doctor. So I have a
teenage daughter and I definitely would want her to receive confidential
services without worrying about her mom in the way, but I also want to be able
to email her doctor because she just had a stress fracture and I can’t do that
today. I can’t look up the other medications and immunizations that she’s
taking. So we need to go in and fix that.
We also need to extend proxy relationships to people who are not members of
the system, which brings up another whole level of authentication. How do you
authenticate people who don’t have data in your own system to reconcile date of
birth, name, and address? That will be tricky but I think we will get through
An interesting challenge we faced internally is that the legal group is
very, very strong on restricting access and wanting to be able to do a very
often renewal. So my mom would every two years have to go in and say, yes, I
still want my daughter to have proxy access. There are some consumers, very few
actually, who want line by line veto with what they can share with others. So
there was a husband that didn’t want to share his test results but he wanted to
share everything else.
MR. HOUSTON: Are you making that accommodation in your product?
MS. SILVESTRE: No, we’re not. We’re actually going in the other direction.
For convenience, because we recognize that it’s a hassle to go in and do that
assignment, we kind of have an all or nothing approach. So if you want proxy
access it will be everything except for confidential teen records, which is
protected, or you sign up for everything and we want to loosen the operational
restriction for how often you have to go in and validate that. I think it would
be a really tricky database to maintain if we allowed consumers to go in and
say I only want these kind of records available to others. It’s certainly not
available in the EHR but we’re not going in that direction at a PHR level
within the system.
MR. HOUSTON: I really want to hear everyone else, but as you were answering
I had one question to interject. Are you going to allow physicians to grant
proxy access, especially in cases of parents that might not have their full
faculties, such as I have a parent that has dementia or Alzheimer’s? Are you
going to allow somebody to be able to grant proxy access?
MS. SILVESTRE: Yes. We do that today. That is actually handled through an
office visit where you can go in–that would be true for my Dad that I would go
in and talk to the doctor and say he can’t even sign or he’s not aware of what
this is but I really need to access his records.
MS. GRAHAM: Right now we handle this with delegation so it’s actually the
patient that’s delegating. They can delegate–obviously for our purposes the
individual doesn’t have to be within the VA structure. It could be to a non-VA
provider. It could be to a VA provider. It could be to one of their children or
others. They can make this time limited and they can’t have control over the
parts of their PHR that the individual has access to. What we’re dealing with
now with our general council are those other relationships–guardianship, power
of attorney, relationship, which I think is more of a proxy. So an individual
could grant it just for 24 hours because you’re being seen in an ER somewhere,
DR. WALKER: We use delegation and we enable power of attorney to demonstrate
that they are power of attorney and have access. That’s the only way we give
access besides to children under 14 without the patient validating it. It would
be interesting–we ought to give the Kaiser policy and our policy to
demonstrate how hard it is for very well resourced organizations to go through
this and come up with the same conclusions about what is appropriate both from
the patient’s needs and from confidentiality and privacy and from legal. We’d
probably find our stances are fairly different even though we have a brilliant
attorney who must spend a third of his time on health IT issues, a very capable
privacy and security officer, we involved adolescent medicine physicians,
patients, and spent six or eight months working through the process. I’m sure
we’d all be confident that there are places that we wouldn’t be surprised if
someone interpreted it quite differently than we did.
MS. SILVESTRE: I think that would be true. Just to add to that our process
is ongoing. We actually have a whole e-log group within the organization that
combs through all of the suggested changes to anything. It’s really a balancing
act between the needs of operations and convenience to patients and at the
other end a set of laws that don’t always call out a specific statute but they
call out a position and then there’s interpretation. So I think that’s a really
good point. I would be interesting to see how we vary having gone through a
very similar process.
MR. HOUSTON: If you’re comfortable–I don’t know if anybody would be willing
to share their proxy policies. I know it’s something I have great interest in
and I think as we’re trying to fashion all of this that it would be helpful to
us as well. Again, I don’t know how much of that is publicly disclosed by your
DR. WALKER: I gave you our sign up forms from which you can infer a fair
amount and we’re trying to find out what we have else that’s written.
MS. BERNSTEIN: Yes, those were attached to the back of your testimony or
separate handouts but we do have them. If you don’t have one, I will get it to
MR. HOUSTON: Yes, I don’t remember seeing that but it would be very helpful.
MS. BERNSTEIN: No, I don’t think anyone sent one but Dr. Walker. If others
want to supply them, we’d be happy to have them.
MR. HOUSTON: That would be very helpful. We have about ten minutes. Walter
do you have a question?
DR. SUAREZ: Yes, thank you. Well, first of all, thank you for your
testimony. It’s been just a terrific couple of days. We have heard throughout
the two days a variety of issues around PHR, not just exclusively focusing on
privacy and security, but a number of areas including some of the functional
aspects of PHR’s. This last conversation, incidentally, made me think that all
of these requirements seem to apply to providers but not so much to vendors of
PHR’s–all these proxy issues.
That’s the point I want to make and raise as a question because over the
last two days we’ve heard a number of–I asked a number of questions of the
panel about the expectation or the need for some minimum privacy and security
protections to be required of PHR providers, particularly those that are not
subject to HIPAA. HIPPA, as a provider you are all required to comply with that
whether it’s about an EHR or PHR. They help plan the same thing but there are
some vendors that of course are not subject to any of those.
There’s one interesting aspect about the vendor perspective, which is the
locus of jurisdiction. If I am Google, to give an example, and I have PHR’s
from patients and from consumers all over the country, what are the state laws
that regulate the expectations of that control? If I have patients that are
consumers from Minnesota and from Florida and from California and I’m based in
Portland, Oregon, for example, what’s the law that requires, on the state
level, protection or controls? The good thing is there are not too many, if
any, state laws–as much as we had a lot of state law and that’s what HIPAA
tried to address back in the nineties when there were hundreds and a variety of
state laws controlling the privacy of health information from the perspective
of entities like providers and health plans. There aren’t too many, if any,
state law requiring or controlling the privacy of personal health records or
non-entities that are not covered by either federal or state regulations on
health care. So the tendency is to try to extend HIPAA into those entities and
my concern, I guess, would be that an extension of all the requirements might
not be the most appropriate way to do things because in many respects some of
the requirements of HIPAA are counterintuitive to the purpose of a PHR in some
aspects or perspectives. You know part of a PHR is really the responsibility of
the consumer to protect his or her consent–his or her information from a
privacy angle and have that responsibility too.
So what aspects of HIPAA–first question is really do you believe that an
extension of HIPAA into PHR–non-covered PHR would be the right approach and if
not what would be some of the elements from HIPAA that would be applicable to
PHR? What might be some that are not? I’ll give you one example, PHR requires
all of us as providers and all the covered entities to give a notice of privacy
practices to every consumer we see. Should that be something that should be
expected by non-covered PHR? Just going down, a few examples of what might be
some of the things that might be applicable from HIPAA?
First of all, again, do you believe HIPPA–just an extension the right
approach? If not, what might be some of the unique things that are applicable
and what might not be?
MS. GRAHAM: I don’t think you can just pick up the HIPAA legislation and
just slap in PHR. I think you need to do it thoughtfully. I think many of the
aspects do apply. I do think they should have a notice of privacy practices
that that individual should know if they are reseller of the data, for example.
Maybe it doesn’t need to be as constraining but I think there needs to be some
up front notification of the consumer as they use these tools. I think it’s
probably just as workable to thoughtfully review HIPAA and determine what
portions apply: the notice, the ability to amend, for example.
Speaking from a federal entity, we’re still waiting for the day when HIPAA
becomes the ceiling instead of the floor because for most of us we’re still
applying a whole cadre of privacy regulations to this information of which
HIPAA is only one.
Certainly, we don’t see, even though a large percentage of our population is
over 65 but they’re still very mobile–partially because now they’re retired so
they’re spending six months here and then three months with their children and
then they’re going abroad–so I think it’s very detrimental to continue to look
at these things in a state boundary kind of way. I think where we live just
amplifies that. I live in Virginia but I have received my care in Silver Spring
and in DC. It just becomes, when you think about it, a really ridiculous way to
approach this thing.
DR. WALKER: Rather than suggesting specific elements–I think you raise a
good point and I would sort of address it structurally. HIPAA was designed for
and is applied to people most of whose professional identity, usually all of
whose professional identity is involved in patient care. It applies to people
who, most of whom and almost all of whom have actually seen the patients that
these rules affect and seen the outcomes of situations where the rules weren’t
followed. So you’re taking a set of rules that may or may not have been
designed with some understanding of that context and now applying them to a
group of people who do not see patients ever, who have made very large
businesses on executing processes, supporting processes that are pretty low
stakes processes. If the search in Google doesn’t work, what do you do? You
don’t even slow down. I think there is probably a cognitive problem in terms of
when we read HIPAA it probably sounds very different than when other
organizations read HIPAA and it would probably be a mistake to think that you
could just apply HIPAA to completely different sorts of organizations and
expect anything like the same thing or perhaps anything that you intended to
happen from it.
DR. WYNIA: I’d like to endorse and expand on that just a little bit. I think
that we consider privacy and the promise of confidentiality in health care to
be supremely important because people have to tell us stuff that they wouldn’t
normally want to tell us. They are breaching their own privacy in the promise
that we will keep that information confidential and they have to do so. So
they’re operating under this constraint and they’re making a decision that they
might not even be completely comfortable with but that is going to have
ramifications. So we have to operate as trustees of that information. I don’t
know if that mindset of trustee-ship exists in all other aspects.
There is this alternative mindset about health information in the
consumerism world where people say, you know, look, it’s my information. I can
do with it what I want. If I want to put it up on my blog I can do that. Why
can’t I decide whether to disclose it, decide this, decide that. I’m sensitive
to that but it leaves this big gap between, you know, what people think they’re
going to get, whether they feel like they really have choice–if my employer
tells me I’m going to be using a PHR, I’m going to think that that PHR is
covered by this broad promise of confidentiality within the health care system
and that anyone I disclose health information to understands because there is a
professional ethic in health care. Everyone I give my sensitive information to
obviously understands that this is sensitive information and they will treat it
accordingly. I trust them in that way.
There are tons of people out there who have that level of trust across the
board in the health care system. And we want them to have that level of trust
across the board in the health care system and in this notion of
professionalism that occurs. No matter who’s receiving my health information, I
know that they understand that this is sensitive information. There are plenty
of examples where information ended up in the hands of a judge and then on the
internet and so on where there just wasn’t that sensitivity or sensibility or
sense of medical professionalism about the privacy or confidentiality promise
that we make implicitly any time we collect information from patients.
I fear that that promise is implied or inherent or assumed on the part of
patients, even when they’re putting data into a PHR. They’re not going to read
the thing. They’re going to assume that this is health care. It’s not like the
information I give to the guy who just did my body work–I mean car body work.
I just have the gut sense that people think of health care differently and they
assume that when I’m giving you my sensitive health information, you will treat
it accordingly. You’re now in the health care field. You are now are a health
professional, whether you know it or now, that’s what people are going to
MS. SILVESTRE: That’s what makes it really tough when large vendors, who I
think have appeared before this group, state we’re not in health care but
they’re going to be handling health care data. So to go along, expand and
endorse everything that’s been said before, I think it’s less about–HIPAA’s
not perfect legislation. It’s not perfect within health care but I think it has
upped everyone’s game about the role of stewardship of data. So I think the
elements to go after and apply are what are the required data stewardship roles
that any organization has when handling consumers’ sensitive information.
I think that’s where–I would worry about how large companies with large
databases would do one of two things: sell that data or start to target
information back to me without my consent based on my individual responses and
individual data. We hear this all the time. People don’t necessarily want,
without asking and consenting first, to start to get a deluge of information
just because they’ve searched for something.
MR. HOUSTON: Paul’s going to ask one more question and then we need to wrap
it up very quickly. Do you have a short question, Paul?
DR. TANG: Yes, it’s short. So you said you that you had some questions or
concerns about these companies who say they are not in health care and you say
that you are interfacing with one of those companies. How are you thinking
MS. SILVESTRE: How we’re thinking about that right now is in the role of
portability. So today the data exchange we’re doing is very, very small. It’s a
group of employees who are requesting a copy of their health summary be sent
over to Microsoft so that we can begin to understand–because we realized that
we’re on an island. We have a lot of data. It isn’t readily portable or
interoperable. I’m actually really enlightened by somebody’s thinking I think
through this group about how interoperability might actually solve PHR
portability issues before PHR has to go figure out portability. In the mean
time, we need to not stay on that island. We need to start testing approaches
to data exchange. So realistically that’s the direction that we’re going in is
we want to understand what it will take within the organization, what’s the
consumer acceptance, how do they think about it being sent over, most
importantly how’s the usability? Is it easy to do? Today it is not easy to do.
Those are very, very small steps before we get to widespread how does other
organizations take all that data? What’s our role as stewards of that data upon
member requests for sending a copy elsewhere? So I kind of separate the two
that in a way, it’s buyer beware if you’re out there by choice, if you’ve asked
us to send a copy of your data. How far we extend our roll as data stewards is
something all of us are going to be grappling with and trying to figure out.
MR. HOUSTON: I appreciate the panelists’ time. You’re encouraged, if you
want to submit additional materials. In fact, we’d really appreciate it.
MS. BERNSTEIN: Do we have a moment to request specific things like that? Dr.
Walker earlier said that you had a list of those things–if you have a list–of
things that you thought there should be on a list of best practices and if you
did those best practices–but if you could produce such a thing we would like
to have that because it would give us an idea of where we need to work.
MR. HOUSTON: Great. We’re going to break for lunch. The plan here is this.
It’s about 12:35 now. We’re planning on having sort of a working lunch because
we have a hard break at two o’clock or shortly there before. So we want to get
lunch, bring it back here for the committee, and then maybe we can sit down an
talk about what our next steps are next meeting, things like that. Leslie has
an agenda thing she wants to work through.
DR. FRANCIS: Because Sally has to leave now, why don’t I just read out my
list here and then we can have further discussion after we bring our lunches
back. Number one, if anyone has additional questions for panelists, please get
them to Maya because we’d like any additional information from panelists within
the next two weeks. If committee folks around the table could send via email to
Maya by Monday any further information she’d like to get from panelists.
MS. BERNSTEIN: We haven’t asked the panelists to do that but if they are
willing to do that it would be lovely.
DR. FRANCIS: And, of course, if panelists don’t want to do it that’s fine
but we can always ask. We’ve also had some discussion about whether we had
anything to say about meaningful use and we thought–John and I–we’re not
going to go there for now but if people want to in June we can talk more about
Maya reminded me that if we want to get a letter in some kind of draft form
ready for the September NCVHS meeting, we’re going to have to have a set of
conference calls over the summer so Jeanine will be sending out requests for
calendar things. So expect–we will try within the next week or so to get a set
of conference call meeting set up with everybody.
Finally, I think what we’re going to be doing after lunch is trying to
identify some major themes that we know we’re going to want to address. I mean
an obvious one is the question of a minimum regulatory floor. Another one is
whether extending HIPPA–whether we’re going to have any recommendations about
that or going another way. Obviously the sensitive information question is a
major theme but it might be nice if people have major themes. We will be
talking about that after lunch but if you’re not here in the time after lunch
and want to have things be out there that we should be thinking about in a
letter for our discussion when we resume on June 9th that would be
MR. HOUSTON: With that we do thank the panelists and we are going to break
and, again, be back as quickly as possible. Hopefully over the next ten or
(Whereupon, a lunch recess was taken.)
MR. HOUSTON: Since we’re all working and this is supposed to be a working
lunch–I know Leslie was going to sort of drive the boat.
DR. FRANCIS: Okay. The task that we want to address I think at this point is
to begin to sketch out some themes that we think or some overall approaches
that we think we are going to want to be addressing. My assumption is we are
going to want to do a letter or report about PHR’s. Whether in letter form or
report form, I’m not quite sure. If it actually turns out to be pretty lengthy,
which I think it might, my own sense is that a report form might be better but
if we start at that assumption–Paul, you have a comment, though.
DR. TANG: Just on what you just mentioned I thought I would re-bring it into
the context of what’s going on in the other policy areas. Clearly, ONC has this
timeline of February for this report on privacy as it affects PHR’s. This was
exactly a hearing on privacy as it affects PHR’s. I think we really need to get
input–formal, committee-approved input into that process. If you work
backwards, no later than the September meeting should we have this product.
Then if we work from that it seems like as far as we would get would be a
letter and that’s challenging but doable. So I wouldn’t make any decision that
wouldn’t allow us to meet that timeline.
MR. HOUSTON: Is there any reason to believe that September is too late to
provide input? I know that adds other dimensions to this.
DR. TANG: Sue would be the best person to ask there.
MS. BERNSTEIN: Is November too late? Yesterday we were talking about having
a draft in September and November might be too late.
MS. MCANDREW: I think the timeline either–September, October, November–is
not going to be too late because the other factor that needs to be reflected in
this report is, of course, the reaction from both HHS and FTC with regard to
jurisdiction over the breach notification aspects of high tech. In both cases,
the regulatory framework for recertification will probably not be issued before
mid-August and will only be going into effect then 30 days thereafter, which is
mid-September. I think the decision making on the report, itself, is going to
be a work that is going to be done in the December-January–
MS. BERNSTEIN: After that period, is what you’re saying, because you’re
going to be caught up with doing the breach notice stuff before August and then
you’ll be collecting comments on it, although we’re not necessarily required
MS. MCANDREW: All I’m saying is that all of this is going to be happening
and there is going to be late-fall to early-winter data gathering that will
inform the final structure of this. Of course, in all cases earlier is better,
but I don’t think that even November is out of time.
DR. FRANCIS: So that would suggest the timeline of first draft of what we’re
going to have in September for full committee discussion and final approval of
what we have at the November committee meeting or hopefully even earlier but at
MS. GREENBERG: If you identify–try to introduce the subject, as Harry
suggested, in the June meeting and then if you have something that can pass the
committee in September, all the better, but from what Sue is saying it wouldn’t
be dead on arrival from November but that’s it.
MR. HOUSTON: Could we change–from a format perspective, knowing how hard it
seems to be at times to get certain types of documents through a committee, I’m
almost inclined to say is it possible to say we have a one page cover letter
and then a document that is attached that has bullet points of the things that
we find are important concepts with regards to PHR’s and privacy and security.
I’m just trying to think of ways to get things through the committee quicker
because we have this, and I’m guilty of this myself, problem of wordsmithing to
death certain things that are of no substantive value. I’m trying to think of a
way we can get around that.
MS. BERNSTEIN: I realize that this subcommittee, in particular, our work
tends to be the most controversial and tends to get the most discussion, but I
also tend to feel that the reason for that is because each of us, individually,
feels we’re an expert on our own privacy whether or not we call ourselves
MR. HOUSTON: We have an opinion. Everybody has an opinion.
MS. BERNSTEIN: Everybody has an opinion. On standards, I have to tell you, I
look at those–I have no idea what’s in there or whether they did it right. I
have nothing to say about that. I’m not an expert and I haven’t looked at it.
But on privacy all of us have something to say and we all come from our
perspectives and I think it’s that time that we spend doing that–I tend to
think that figuring out the right word is actually where the issues of the
policy really come forward and trying to match the intention–understand the
intention of the committee and then trying to get our letter to accurately,
fairly represent that intention is challenging for any legislation project,
MR. HOUSTON: But what ends up happening is we have a report that has a bunch
of recommendations–I think from the last experience we spent a lot of time,
almost a year, trying to get this report through when I think the most
important stuff in this particular case is making sure that we have clearly
articulated recommendations that are actionable, released for consideration by
HHS and FTC. I think if that’s what’s most important and I think it is, then,
boy, let’s get that list together in as concrete and well-described terms as
possible attach it to a cover letter and say this is what we think because
otherwise I think we’re going to spend forever.
DR. FRANCIS: I want to just–this isn’t exactly disagreement but it’s close.
I think another important function that we can serve out of this is we got
amazingly rich information and something that is a little bit–what I was
actually envisioning as a report is not really terribly controversial. I was
thinking, actually, a compendium of the rich information that we got would be
helpful to whoever has to decide that. I also think we ought to do
recommendations. But the recommendations are the controversial part, the report
is not the controversial part and we could generate that I think easily by
September. That’s a record that we want others to be able to have.
MS. GREENBERG: We always ask the subcommittees if they want detailed
meetings from the hearing. I would think that you would from this.
MS. BERNSTEIN: Or we might want a summary in a way that we did a summary for
MS. GREENBERG: That you could what?
MS. BERNSTEIN: A summary statement of the information that came out–what we
asked and so forth. What I want to know was what came out of it, not the back
and forth so much.
MS. GREENBERG: I know but there are two different things. One pretty much
goes through each panel and summarizes and another would be more of a synthesis
like we did for the meaningful use but we don’t have a contractor for that
right now. I’m not saying we couldn’t maybe obtain one but we didn’t bring them
in on the front end. We are prepared to at least have someone do minutes.
MR. HOUSTON: Here’s my fear of a summary, though, is simply that we all
probably have totally different notes of what we took away as being important
from this conversation today–in good faith. My fear is that with only a
summary, it’s a summary of one person’s perception of what they heard–
MS. BERNSTEIN: Unless she’s just reading the transcript because she wasn’t
MS. GREENBERG: Right, right, they’re reading the transcript. I’m not saying
that would be all you would have. You would build from that on your
observations and recommendations or something but I’m just being administrative
in a way. I just want to get clarified that you do want us to prepare minutes
or a summary.
DR. FRANCIS: Yes. I actually think we should try to produce an analytic
summary. I know you don’t have the staff to do it but I think it’s something
that one of us could take the lead to write up and others could then add in.
MS. GREENBERG: In lieu of minutes?
DR. FRANCIS: No, in addition–once we have the minutes.
MS. GREENBERG: Oh, well, that’s another story.
MR. REYNOLDS: I hope we go back and look at our letter. It was referenced a
number of times. So the important thing to me is to either restate that we
still feel the same way on those things or adjust them based on what we heard
or give additional information about them. I think it’s always good for us–if
our stuff is referenced then it hasn’t been acted on significantly but it’s
still relevant that we make sure we don’t–if we change what we thought, we
change it structurally. If we don’t, we reinforce it. So I think that’s the
The second–John, playing off of your comment about at least initially
getting it to the committee as some kind of bullets and some other things–I
think the other thing that would be helpful is if you look around the room and
you think about the committee, we have one of our doctors here and that’s
Paul–we have two, excuse me. So the point is that I would like to see, as
certain parts of these issues we know that our physician group has concerns and
has voiced those concerns consistently–not right, not wrong, just voice their
concerns. So I would like to see if we come up with recommendations, John, as
you guys were talking about that members of the subcommittee who have been here
and agree that that’s where we’re going would be willing to discuss those areas
as the person in context. So you two how docs thing and so on might be a little
more helpful getting it through, otherwise it turns into–you know if just the
Chairs do it or we just submit it as the group then their first question is,
well, nobody thought about it from the doc’s standpoint. So that might be
helpful as we look at these things so that we share–because a long time ago we
decided we would try to do things in the subcommittee and then when you bring
that back to the committee in some kind of context–I think that would be most
helpful. At times we kind of got ourselves spun around so that might be a
helpful way to do it. Again, to get it to the committee, even if it’s this June
meeting, get some highlights as to the things that we clearly thought we heard
even if they’re just subjects because then if the group starts having a chance
to react, we’re going to know where we are on it.
MR. HOUSTON: That’s Leslie’s point, I guess, of what she actually opened
this with–thematically what are we talking about?
MR. REYNOLDS: And, again, I’m not talking about anything other than possibly
a summary of the discussion with key subjects so that you’ve got two or three
shots at the full committee to get it. That would be my thought. I know Walter
has his hand up.
DR. SUAREZ: First of all, I think it would be very helpful to have detailed
notes for us. I’ve been taking notes myself but trying to capture some of the
essence of the testimony will be great. I think there is detailed notes about
the testimony and then there’s notes about the question and answer that
happened. I think those are very important because those illicit some of the
essence of the themes. Thirdly, I agree with Harry that we can provide our
perspectives based on our own backgrounds but I think we also can bring some of
the perspectives of other areas or aspects of all these issues that have been
discusses. Certainly I’ll be happy to provide that perspective as a physician
but I can also provide my own perspective about what I think of other things.
Fourthly, I want to mention this and maybe clarify the scope. As I mentioned in
the last questioned I asked in this last panel, we heard a lot about things
related to PHR’s. We heard about functionality of PHR’s. We heard about a
number of things that are not specific or exclusive of privacy or security. So
one question would be do we want to capture those as well? Because in many
respects, we might be setting up sort of the this is what the state of the
nation is on PHR’s across the board or do we want to really focus on the
privacy or security aspects?
MR. HOUSTON: I don’t think we have the luxury of time to dive into PHR’s in
general. I understand we have a lot of great testimony but because of the
timing I think we have to be laser focused on things that are concerned with
privacy and security. I think it’s fair game afterward, to talk more generally
if we think there are other themes or punt it to the full committee to say we
think these are things that maybe should be explored but I think we need to
focus on privacy and security first.
MS. GREENBERG: I think that’s why you should have full minutes because that
will pick up everything. Otherwise, if you were just going to pick up on the
privacy and security issues, all of that other rich testimony would only be in
the transcript. The other thing, though, it would be very worthwhile, in
addition to Harry was suggesting going back and reading the privacy letters, to
look at the committee’s report on PHR’s, which was several years ago but much
of it is still relevant.
MR. HOUSTON: And sensitive information because I think that was the other
one that was referenced as well.
MS. GREENBERG: That’s on the web.
MS. BERNSTEIN: In talking about scope and the richness of the information
that we got in the last two days, the testimony that we collect as a
subcommittee is not just for the subcommittee. It’s for the whole committee, we
just happen to have arranged this particular meeting. That’s sort of going to
what Harry said, but we need to think more globally and look back at our
letters and see what’s useful. The information that we collected that’s not
specifically relevant to this subcommittee may be relevant to other
subcommittees that want to look at it or follow up on it so I think we should
think of ourselves as acting on behalf of the full committee when we arrange on
of these hearings–
DR. SUAREZ: If I may very quickly say something about that because the
Standards Subcommittee would be interested in some of the standards concepts
that we’re discussing.
MS. BERNSTEIN: Even if I admit I may have tuned out a little right there.
The second thing I wanted to say is that Carrie mentioned our stuff–some of
it hasn’t been acted on by the Department but it’s being quoted in the private
sector. Even if the Secretary hasn’t acted on it, the private sector is acting
on our recommendations. This committee is very well respected. The group of
experts that we have here–and this subcommittee, in particular, develops what
I think have been very useful–and all that hard discussion and wordsmithing
and all, which is difficult and contentious is apparently very valuable out
there in the world. So I think somebody’s glad somebody’s doing it.
The third thing I wanted to talk about just process-wise is things that we
can do to make that less difficult. We tried to do some of those things in
those last letters that I think we should do again. One of them is to invite
the Committee members to our calls–other Committee members, who are not on the
Subcommittee to our calls. Not all of them took us up on it but some of them
did who were particularly interested. The other thing we can do is circulate
the drafts and invite other committee members to comment on that so that even
if they don’t pay attention, they were at least supplied and had the
opportunity to get prepared as to what was going to be talked about at the
September meeting and perhaps at the November meeting if it goes like that.
MS. GREENBERG: Our process document that we labored over. I can send that to
you if you need it.
MR. REYNOLDS: Let me comment first, so that I don’t forget to say it, this
was an amazing two days. This was really a great cross-section of what’s going
on so thank you to everybody that was involved.
Second, I think it’s really, really important for us to make sure that we
position this in that although, I agree with Maya, the industry has picked it
up, but they are not standards. They are not certified. In other words, the
things that we have recommended have been picked up and used by segment of the
industry and some of those segments of the industry are government but they are
not–as we heard over and over again and as we questioned, they did not receive
the seal of approval. So as we go to this next really fast movement we’re about
to enter, just with what we heard and the reference to things we had talked
about before and so on, having that now be picked up whether it’s through some
other committees, whether it’s directly be the Secretary of something, then
makes it happen. That’s what I think is the key. So, yes, I’m really excited
about what we did and it is getting picked up but now is the time to get it
plugged into the right place to say this is it and then it starts to happen.
MS. BERNSTEIN: I think because of the report we have an opportunity for that
getting picked up much more than we have in the past where there wasn’t some
particular issuance that we were coming out with.
DR. TANG: Are we ready to move to themes? Just to reiterate what everybody
said about the value, I think it’s been a very productive two days. We’ve heard
from all those sides and I guess what I keep going back to is some of the
summary questions that we asked this panel, which is I think the status quo is
not good enough. I think there is action required in order to protect the
No matter who you are when you give up private information we just in this
society have this expectation. It comes from the Hippocratic Oath. In order to
meet the public’s expectation and fit they way they behave–that is they give
up confidential, private information with the expectation that it’s maintained
in a secure and confidential manner. I think there does need to be a floor that
covers everyone. It so happens that HIPAA is a floor above where I’m imagining
this universal floor to be so it really doesn’t change anything for the covered
entities but that in order to help grease the skids for use of health
information in ways that benefit the individual and population, which is the
goal of the whole HIT movement, one consideration is to recommend, whether it’s
law or legislation, that establishes a floor. Ideally, and I think you heard
that from everybody yesterday and today, it should be uniform. So that would
imply a federal–implies a bit more than that but let me stick with it would
imply a federal regulation or law that would establish privacy protections for
health information no matter where it’s stored.
MR. REYNOLDS: Can I make one friendly amendment to what you said? I think
this is where maybe we’ve gotten a little bit in trouble in the past. I love
what you said about the consumers and the public but I think what we also are
saying is something that allows the caregivers to feel comfortable and allows
those that are building the tools that will be used–the products and tools
that will be used to also be successful. So I think that’s the thing that we’re
really trying to get to because with the stimulus money people have to adopt
things. So we want to satisfy the public and the consumers and what they want,
we want to satisfy the caregivers that they can still give care and get the
right information they need, and we want to be able to give a clear direction
to those that are building the capabilities so they can start. That’s what we
heard. If you don’t tell me what I need to do or don’t give me some framework,
how do I–how do I build to a ghost is basically what happens that keeps
changing all the time? So if you would take those other two additions as an
amendment it gives the whole thing because you already said the public and then
I added the caregivers and the people that are developing the answers.
MS. WATTENBERG: So you’re saying the floor would be not above HIPAA or above
HIPPA? So what do you mean it would be stricter or less strict?
DR. TANG: So there are a lot of things that a covered entity has to do that
is totally unrelated to a patient, a consumer so it’s very unlikely to involve
anything and that’s why I don’t think, for example, we “extend
HIPAA”. I think there needs to be some principles that get codified in law
or regs that would protect health information no matter where it goes.
DR. SUAREZ: I wanted to make a comment because my sense is what we need is a
privacy and security protection framework for personal health records that are
not subject to HIPAA. Personal health records that are by providers and payers,
they are already covered by HIPAA and there is everything and anything about
privacy and security that applies to Kaiser on its role as a maintainer of data
for user of EHR that applies for a PHR. What doesn’t exist is a level of
protection for consumers when the data is being maintained by a vendor of a
I started my own analysis of the what I categorize as about 40 plus privacy
requirements on HIPAA and a number of them are not translatable to a PHR, stand
alone PHR. My sense is and what I heard more was that we need–we already have
regulations on the provider and payer side. We are protected from a HIPAA
perspective. We need something that provides the same level of protections
applicable to a private vendor. That’s what I heard.
MR. HOUSTON: To follow up on what Walter just said, I think one could argue
that you could spend–the entire theme of this could be the need for some type
of floor or some type of regulatory framework. Then we could drill down in into
or recommendations specific to everything from proxy to sensitive information.
The only area that I would probably disagree with you Walter is that I’m not
sure that this is only for entities outside of HIPAA. I think there needs to be
some common framework that an entity or entities can point to and say this is
the way we’re going to conduct business. If you have Microsoft or Google out
there and they’re interacting with a Kaiser or a UPMC or whomever, there almost
needs to be some uniformity as to the way that they can expect to interact,
which says to me that the framework isn’t just for those who are uncovered. It
has to be the touch points and I think we could spend a lot of effort and it
would be very meaningful to say here are these items that need to be part of
the legislation. We heard a lot of testimony that I think could give us that–
DR. SUAREZ: Yes, but when you’re looking–and those are some of the
questions I would point to them. When you look at the models, Kaiser, for
example, has its own PHR built out of an EHR product that they have but Mayo
Clinic, for example, and a few other providers actually use the platform that
is provided by Microsoft or by Google. In so far that Microsoft and Google
provide them that, they become a business associate of Mayo and they become a
business associate of the Cleveland Clinic. So that kind of extension applies
to that segment of all the Google-type products but then there’s Google that
sells to my wife who is not in the Mayo Clinic and she goes directly to them,
that’s outside the sphere of a business associate. So that is why I was trying
to draw the line of what is it that isn’t covered currently–
DR. FRANCIS: Could I interrupt and just suggest a framework of topics rather
than resolution to topics. Topic number one would be we need to have a common
floor that protects the expectations in some way or another of at least the
following stakeholders: patient, caregiver, plans and product developers.
Second of all, we need to address the question of HIPAA fit or non-fit. That’s
the issue we were just talking about and I’m not saying how we need to address
it but the question is whether we’re just talking about entities outside of
HIPAA? That’s one of the questions, there, another question there is whether
the proper starting point is HIPAA or whether it’s not HIPAA. I think most of
us think there are a lot of issues about whether it would be HIPPA but on the
other hand there are some benefits to HIPAA so we need to explore that space.
I’m not saying how we explore it.
DR. SUAREZ: My whole point was the main theme should be we need a
framework–a privacy and security protection framework for PHR’s, stand alone
MR. HOUSTON: Agreed. Put a period right there because I see a lot of nodding
of heads that say yes and then the next level down is thematically what do we
think needs to be part of that framework and it’s interaction with fit versus
DR. FRANCIS: Then the next question to ask are what are the parts of that
framework that we want to address. I take it one topic, anyway, that came up–I
don’t know what we want to do about this–is the question of levels of consumer
control, granularity, sensitive information. That’s a topic.
DR. SUAREZ: The first thing we can do is split privacy and security in the
following sense–when you look at security some of these people are–if you
look at the 42 implementation specifications of the security rule, these people
apply them in a much better way than many hospitals in this country and many
providers. These people meaning the people that actually offer PHR’s. So from a
security standpoint, the security types of protection that are afforded by
HIPAA or others would be–
MR. HOUSTON: Walter, Walter, we only have less than a half hour. Can we get
sort of the major themes out without any discussion? I think if we went around
the table and said give me one and we could sort of build that up. I understand
the conversation but we don’t have a lot of time so let’s just throw out blank
themes. If you want to start with Amy and just say two or three words and then
you have to go to the next person.
MS. CHAPPER: How about authentication?
MS. KHAN: Standards for interoperability.
DR. TANG: Clear attribution of the source of the data and its integrity.
MS. MCANDREW: Skip me and come back.
MS. BERNSTEIN: I thought Hetty was going to say education. What I want to
say is we heard a lot about sixth-grade sort of level of education–meaningful
DR. FRANCIS: I think we need to address the level of granularity of control,
whether there should be any by source, by type of information–a return to the
question raised about the sensitive information letter.
MR. HOUSTON: I’m going to say proxy access.
DR. SUAREZ: One I think was important was and I’m looking at
it–verification and validation.
MS. BERNSTEIN: Of people? Of data?
DR. SUAREZ: It is the multisource verification of disparities in the data.
MR. HOUSTON: That was Paul’s.
DR. SUAREZ: Maybe that was Paul’s already.
MR. HOUSTON: He had attribution of source and integrity, but verification of
people is also–
DR. SUAREZ: Well, that’s authentication.
MR. HOUSTON: Well, authentication is something a little bit different but we
won’t go into that because that’s talking about a solution.
DR. SUAREZ: Then the one I would add and I don’t know if this was put out
DR. FRANCIS: Can you add notice to that?
MS. GREENBERG: Some of these people say it’s higher, it’s lower, and I don’t
know really what’s intended. I do think that you’re dealing with a different
situation with PHR and the EHR and the applicability of HIPAA in that the HIPAA
allows a lot of disclosures without consent–
MS. BERNSTEIN: What’s your topic?
MS. GREENBERG: –treatment, payment and operations. I don’t think that’s
being suggested at for PHR’s, it’s much more consent driven.
DR. FRANCIS: How about this as a topic that maybe you raised, which is the
relationship between PHR’s and EHR’s.
MS. GREENBERG: And then, of course, the issue is if when the PHR includes
EHR information it gets complicated. Then I think there’s also stuff related to
claims data and the whole education of the consumer and communication with the
MR. HOUSTON: Okay, I hate to cut you off but we were saying like three of
four words and you got about 20 in.
MS. GREENBERG: Have I said too many?
MS. WATTENBERG: Data utility.
MR. HOUSTON: What about sensitive information?
MS. WATTENBERG: She already picked that up.
MR. REYNOLDS: Clear definition of sensitive data.
MR. HOUSTON: Excellent. We can go around again if people–Amy do you have
MS. MCANDREW: Clear definition of PHR.
DR. FRANCIS: I’ve got the list to read so far but go ahead.
DR. TANG: Accountability and enforceability.
MS. CHAPPER: Masking or deleting data.
MR. HOUSTON: By the patient? Okay. Again, different than authentication, I
think we still need to be able to do some level of identity proofing with
respect to how people get credentials. So identity management is maybe the best
way to describe it.
MS. BERNSTEIN: Do you mean people who use–not the patients but–
MR. HOUSTON: Both. Patients masquerading as other patients or caregivers
masquerading and caregivers for patients. I think there has to be some–not
just authentication because authentication says I’m authenticating an account,
you are who you say you are as an account owner. I’m talking about people who
try to set up accounts. So it’s the intake of people setting up accounts, which
is an issue we heard today.
MS. BERNSTEIN: Yes. I was just trying to differentiate from the people who
are theoretically authorized users who are managing the system–the people
offering the PHR’s as opposed to the patient or caregivers who use the PHR.
MR. HOUSTON: That’s identity management.
DR. SUAREZ: One that Hetty mentioned, which is standards, but I’m not sure
if it was mentioned in this context of we need standard nomenclature to
communicate with patients.
MR. HOUSTON: Is that a privacy issue?
DR. SUAREZ: It is a privacy issue in the sense of allowing people to
understand what it is they are agreeing to.
MS. BERNSTEIN: I think it’s related to what I first said about coming up
with the right level of communication to the patient.
MR. HOUSTON: Okay, again, we’re just getting things out. Sarah or Marjorie?
MS. GREENBERG: That’s an interesting question as to whether that’s a privacy
issue but I think in my mind this hearing was dealing with PHR’s, it was
certainly dealing with privacy and security, but part of that is transparency
and usability and all of that to consumers and communication between consumers
and providers, et cetera.
MR. HOUSTON: So if we say transparency to consumers as being the topic point
because, again, we’re just trying to throw concepts out.
MS. GREENBERG: It relates to Sarah’s usability, of course–data utility and
DR. TANG: I thought we established a scope and I think that’s out of scope.
MR. HOUSTON: Tell you what we’re going to do. We will publish this list and
let people take shots at what’s in scope and out of scope. This is just a raw
data intake right now. Sarah?
MS. WATTENBERG: I think it’s been covered, which is consent-driven–
MS. KHAN: Just a clarification, I know Amy spoke of masking but I don’t know
if she touched deletion specifically.
DR. FRANCIS: And correction ought to be added there, too.
MR. REYNOLDS: I’d like us to also look over this list with a filter as to
what did we hear that also affects EHR’s and anything else that’s going on
right now because we talked about privacy. The last three panelists have whole
systems that do more than PHR’s. They’re doing care. They’re doing everything
else. So were there any of the things we heard that are more far reaching than
just a PHR or something that we’ve talked about.
MR. HOUSTON: Let’s do one more then what I can do is summarize this and we
can email this out because I have it all typed in already. Leslie, I’ll send it
to you. We can massage the list and then get it out.
DR. SUAREZ: This is very related to privacy, which is ownership versus
MR. HOUSTON: Good point.
MS. MCANDREW: One point that really didn’t come up at all in the testimony
but is something that we will have to grapple with is the security standards
around communications with the consumer themselves and the role of email and
encryption in that environment.
MR. HOUSTON: I’ll tell you what we’re going to do now. I think we’re almost
out of time and I know Leslie had some other things we wanted to do. Leslie and
I will work this list and send it out. We can add to it. We can give our
comments about which ones we think are in or out of scope. From that, then, I
think we can refine that list pretty quickly. I know, Leslie, you had some
other things you wanted to talk about so why don’t we–
DR. FRANCIS: Well, the only thing I wanted to say about that is that we may
think some things are out of scope in terms of recommendations but we may have
found useful information in the testimony that we would still want to make sure
doesn’t get forgotten. So we would just do a digest of the testimony on some
points. What I think we’ll do with this is send it around to anybody, if people
want to add themes we could have a kind of analytic summary that we present in
June to the full Committee to say we’re going to be preparing recommendations
on these topics. If there are things you think we should be considering, if you
want to have input we’re going to be having scheduled conference calls over the
summer. Please sign up to be included in those calls so we work with Harry’s
concern that we have the Full Committee on board as soon as possible.
DR. SUAREZ: Maybe as a suggestion, we can have two lists. One is this
in-scope list. Then there is another list, which is another set of themes that
we heard that we think it would be helpful for the whole committee to know
about. Now we don’t think they are really part of what we’re supposed to be
doing in the privacy and security, but we think they’re important. I know the
Standards Subcommittee will be interested in some of them and maybe the
Populations. I don’t know.
DR. TANG: Same point. So if you would distribute those, remember it’s not
going to do any good if we don’t make our deadline. The way that we will miss
our deadline is by going off in other areas. But if you preserve the second
list that will ensure that it doesn’t get lost.
MS. BERNSTEIN: Do you want us or the co-Chairs to come up with that
MR. HOUSTON: I think we can very quickly work through this list by email. I
really do. Then I think we can make some decisions and put it back out for
review. I think this could happen pretty quickly and then come up with some
DR. FRANCIS: My personal thought is we should have this resolved by June
9th, although there will be new information that presumably comes up
on June 9th. Marjorie?
MS. GREENBERG: Two point. One, of course everything always relates to
everything else, at least in my head. At the June 9th meeting or
10th and 11th of the full Committee, we’re bringing
forward this compendium on data stewardship for approval. It will not have
recommendations in it but data stewardship came up several times so I also
think you can use the lens of this hearing, also, to see whether the things you
want to pull out of that that could go into this framework of recommendations.
The other thing is I’m just confirming that obviously we would not have the
minutes for you by the June 9th meeting because we hope to have the
transcript. I’m confirming that you do want us to do the minutes, we’ll work
with our contractor and have that happen.
DR. FRANCIS: Confirmed.
MR. HOUSTON: Okay. I know a bunch of us have hard breaks at two o’clock. We
have ten minutes left and I want to make sure that we get everything else
through that we need to. Leslie what else is on your agenda?
DR. FRANCIS: I’m ready to go. Any final comment from anyone? Paul? Harry?
DR. TANG: Just a logistics question. Is it possible to have this piece on
the agenda of the Full Committee on the 10th rather than the
11th. My daughter is graduating so I can’t be here.
DR. FRANCIS: The final item of business for today is to thank everybody who
has been here including our wonderful administrative staff. Please join me in
saying wow, what an amazing job. Thank you.
(Whereupon, the meeting adjourned at 2:00 p.m.)