[This Transcript is Unedited]




May 22, 2008

Renaissance Washington Hotel
999 9th Street
Washington, D.C.

Proceedings by:
CASET Associates, Ltd.
Fairfax, Virginia 22030

P R O C E E D I N G S [8:44 a.m.]

MR. ROTHSTEIN: The meeting of the Subcommittee on Privacy and Confidentiality is called to order. Good morning, everyone. My name is Mark Rothstein. For the record, I am the Chair of the Subcommittee and from the University of Louisville School of Medicine. We are not being broadcast, but we are being recorded for transcription.

So for the record, I’d like to ask everyone to identify themselves. We’ll just go round the table, and then our guests as well should they also like to introduce themselves. Harry?

MR. REYNOLDS: Harry Reynolds, Blue Cross and Blue Shield of North Carolina. I’m a member of the subcommittee, no conflicts.

DR. FRANCIS: Leslie Francis, University of Utah, member of the subcommittee and the full committee and no conflicts.

MS. WATTENBERG: Sarah Wattenberg, Substance Abuse Mental Health Services Administration, HHS.

MR. HOUSTON: John Houston, University of Pittsburgh Medical Center, member of the subcommittee as well as the committee, no conflicts.

MS. BERNSTEIN: Mia Bernstein. I work in the Office of the Assistant Secretary for Planning and Evaluation at HHS, and I’m the lead staff to the subcommittee.

MS. MILAM: Sally Milam with West Virginia Health Information Network and Privacy Team for West Virginia State Government. I’m a new member to the subcommittee as well as the full committee, and I don’t think I’m voting. So conflicts aren’t an issue.

MS. MCANDREW: Sue McAndrew, Office for Civil Rights, Privacy liaison to the subcommittee.

MR. BERNBAUM: Adam Bernbaum, Blue Cross Blue Shield Association.

MR. WILLIAMS: Otis Williams, Office for Civil Rights.

MR. WILKINSON: Winston Wilkinson, Office for Civil Rights.

MR. HOUSE: Jonah House with Express Scripts.

DR. DEERING: Mary Jo Deering, National Cancer Institute.

DR. HEFFERNAN: Henry Heffernan, NIH Clinical Center.

MR. ROTHSTEIN: Thank you. And, oh, we’ve got Dan.

MR. RODI: Dan Rodi, AHMIA.

MR. ROTHSTEIN: Welcome to everyone, and thank you to our guests for joining us. I first want to especially welcome Sally Milam who is joining the committee as of June 1st and will be on the Subcommittee on Privacy and Security at that time, and we’re all very pleased to have you. And I hope your interim status will not chill your participation because we’re planning some very important things, basically the work product for this group for the next six to twelve months.

My view is that for today, we need to do basically three things. One, I want to talk for just as long as we need but relatively briefly on the reorganization of this subcommittee. Second, I want to talk about publishing our prior letters, and I’ll explain that when we get to it. And third is we need to develop the work plan, and I’ll tell you how I would suggest we proceed at that point. John?

MR. HOUSTON: Is number three sort of in line with Harry’s directive yesterday? Is that –

MR. ROTHSTEIN: Yes. I mean Harry’s directive. It really is embodied in number three.


MR. ROTHSTEIN: So the first one, I just want to have for the subcommittee record that this will be the last meeting of the subcommittee in its current iteration. That is, privacy and confidentiality and beginning with our next meeting, it will be privacy and security. And I know all the members are aware of this change. I wanted to give anyone here a chance to comment on how you think that will play out and so on and so forth. We have taken the name confidentiality out of the name just, I suppose, for a matter of simplicity with the assumption being that confidentiality is embedded in privacy, and we’ll leave the philosophical questions about whether that in fact is true to another day and another venue.

But I don’t think we’re giving up on the idea of confidentiality being an important part of our mission, just adding the security elements. Leslie?

DR. FRANCIS: Yeah, the one comment I would make, and I don’t know a lot about the security issues. So I’m going to need as the committee moves along enlightenment on those issues.

But I want to make very clear and sort of underline the point that security and the privacy/confidentiality question should not be confused. And sometimes when discussions raise – I mean, they’re obviously related. If data get hacked and all kinds of things like that, you’ve got a privacy problem also. But security isn’t the only issue involved in privacy, and sometimes people collide those two.

MR. ROTHSTEIN: Well, I think that’s a good point, and it gives the subcommittee and the full committee really sort of a teachable opportunity to clarify for whoever listens to what we do the distinctions among these three areas as we’ve tried in our letters to point out. And, of course, I should mention for the record that Leslie and John are the co-chairs of this new committee. John?

MR. HOUSTON: I, to sort of follow up on that point, out of all the committee people, I’m probably the only person who has a security background. It’s my dual role at UPMC is security and privacy. And I can tell you, though, that I think it’s important that we combine these two. But I don’t believe that this committee should delve into technical security ever. I don’t think that really is what I intended when I had made the recommendation myself that we combine the two.

I think, though, that from a policy perspective and oversight perspective, the two become intermingled. And I agree they’re entirely separately subject matters. They’re a different discipline. But I think that especially in the context of the NHIN which where a lot of the focus really is going, I think, that you can’t put together a good privacy framework without very closely coupling to it a security network. And all the governance that goes into privacy, a lot of it overlaps the security and vice versa.

And I think to be effective, we need to think of them together. And so yes, they’re different. But if you try to work with them in a vacuum, I think we’re going to find that both in a vacuum we’re going to not do justice to either. That’s sort of my first point.

I think the second point I want to make is because security was bolted to the side of standards, I don’t think it got as much play as it deserved in the past. And you know, in talking to Kolodner yesterday and looking down at 9, 10, 13 and 14 on our list here, there’s clearly a great interest from an NHIN perspective at looking at what are the overarching framework standards, policy considerations with regards to privacy and security. And I believe strongly that we should take up these types of issues sort of as our next, you know, big adventure, and that I think it does two things.

One, it does meet in my mind a very pressing need. But secondly, it starts to get us back in the security thinking, put our security hats on a little bit to demonstrate that NCVHS does in fact consider security to be important because we really haven’t done it justice for a long time.

MR. ROTHSTEIN: Well, I think that’s a very good point. I just want to respond briefly and then recognize Harry.

There’s no point in looking back as to why historically security was with standards as opposed to privacy. But if you’ll recall in 2006 when we came up with our big letter on the NHIN, one of the things that we considered is as a principle should we put in there notification of individuals of breaches. And it was deemed by the subcommittee at least to be more of a security issue than a privacy issue and therefore it was left out of that letter which seemed sort of silly if we believed strongly in the principle which was never voted on. I’m just using that as an illustration.

So in some respects the distinction was artificial and perhaps not as natural and valuable as it could have been. Harry?

MR. REYNOLDS: Yeah, and I spend a decent amount of time in my day job also thinking about security, John, too. And I listed four things here that I —

MR. HOUSTON: Sorry about that, Harry. I didn’t mean to —

MR. REYNOLDS: I have no problem with that, but I can learn from you continually. But I think the key part is we have four things as we look at this because I think privacy, as it’s defined by people that are in the arena, is different than privacy identified by the individual person because they don’t care, you know. So as we look at what we do, we have code of conduct where you’re trying to get every – so one thing about having to protect the privacy of somebody’s information and confidentiality, we do a code of conduct. We have role-based access. We have security both internal and external, and that has to do with whether or not we can get hacked which is important because if it’s my personal data and somebody gets hacked and has it, I don’t care. You can call it whatever you want to. I think somebody just took my data, and then my privacy is breached, and then you just have the subject of privacy itself.

So as I was thinking about these committees and we talked about moving that, you can’t in the operation of how people are doing things if you leave any of these out and don’t put the total thread through, and that’s what we’re looking at. So it’s not the actual privacy standard. And that’s why – see, the problem with where it was – and I’m on both committees. I’ve been spending four years on both.

So as you look at it, if you just take a standard to be the exact standard that you use so that your data doesn’t get hacked but you haven’t put it in a whole program, we actually have moved security and privacy to a corporate position at our company because it’s not a departmental, it’s not an IS, it’s not a legal. It’s a corporate issue that you have to deal with.

So I would ask the group as we think about it, I do this all day every day, too, and I can’t separate these although I could be talking to Mark and he could explain to me that from the true definition of privacy, it’s not included. But if I’m talking to one of the 3.6 million people that we insure, they don’t care.

And so that’s what I hope we can do because a lot of our messages right now are going to the department or going to the industry. Also I think we can add a real help to the general populace as we think about how to protect their data in levels and in discussions because as we’re getting audited all the time, the auditors are really, really focused there. And when companies fail an audit, it’s how the auditors describe it, not how maybe the industry described it. And then it goes out to your customers or go out to someone.

So as we – keeping track of the individual person who doesn’t get all the idiosyncrasies of how we talk it. But that’s why I’m excited about these being together because I don’t think you can separate them. Because if somebody’s getting audited on whether or not they’re private, there’s a whole lot of security stuff that somebody’s going to chat about to do it. So that’s kind of what I was hoping all got put together but not to the detriment of the things we’ve been doing that have been focused solely on privacy. I’m good with that. But this whole picture is what’s not getting done by a lot of places, and especially as we bring people into the fold that aren’t covered entities, as we bring people into the fold that have business associate agreements or you’ve got chains going on where people are playing with the data, whether or not they have this whole picture is what’s going to decide whether or not we truly did take care of your data, my data, everybody’s data.

MR. ROTHSTEIN: Thank you. Leslie?

DR. FRANCIS: Just an illustration. One of the discussions of the Medical Home concept a couple days ago, there was a suggestion that people should be able to know at any point if they access their records who else had, and that of course could be a security breach. But it could also be a question of whether another healthcare provider which isn’t a security breach but might have to do with the kind of control we were talking about in the sensitive information letter. So that’s an illustration of how they go together.

MR. ROTHSTEIN: So if there are no further discussion items relative to the reorganization, I’d like to briefly go to the second point that I raised earlier, and that’s publication of our letters.

You may recall, and for Sally’s benefit and others, that we have talked in both the Executive Subcommittee and the Full Committee about how our work products can be more broadly disseminated. And one of the ways in which that can happen is through publishing reports such as this which I’m sure most of you have seen which is the summary of the enhancing protections for uses of health data, formerly known as our secondary uses project.

And if you’ve had a chance to look at this, it’s a very nice summary. And I was talking with Marjorie yesterday about the issue of whether it would be possible to produce something on this order that would include the framework for privacy and confidentiality in the NHIN that we did in 2006 as well as our 2008 letter on sensitive information, and she said that it would. But as a process matter, it probably ought to come from the subcommittee and then go to the full committee for a vote this afternoon.

So what I would like to do is invite a motion from one of the subcommittee members that we ask the Full Committee to direct the staff to put those two letters together in some format. I mean, this is just a summary. This is not the full report that would be available to a wider audience because, as Harry has mentioned on many occasions, probably the largest impact of our 2006 letter has been so far in the private sector where people are looking to our way of analyzing and organizing the issues, and that may also well be true of our February 2008 letter. And if it’s in a form like this as well as being available on our website, it may get more attention. John?

MR. HOUSTON: I would support that. I just don’t know what the cost implications are of doing that. I think it’s up to Marjorie to decide whether it’s within the budget. But I think it does add sort of a different level of – a letter to the Secretary is different, I guess more focused. And you’re right. I mean, I think sometimes when you put it in a different format, it gets a little more traction and a little broader distribution. So I’m for it, and I do want to support that. And if you want somebody to make a proposal, I would propose that then.

MR. ROTHSTEIN: Okay. Is there a second? Okay, the motion is made and seconded. Mia, you want to comment?

MS. BERNSTEIN: Well, I was just thinking that if the budget weren’t there, then Marjorie would not have invited the committee to make a motion. So I wouldn’t worry too much about that. I think that she would have told you if she thought the budget wasn’t there.

MR. ROTHSTEIN: Yes, I think she basically said it’s doable, and if we wanted to do it. And it’s not something that’s coming out of the blue. I mean, we’ve been talking about publishing the 2006 since 2006. I’m sorry, Leslie, go ahead.

DR. FRANCIS: Well, I guess what I was going to ask was a slightly more general question, which is notice that there are several of the topics for consideration that involve following up. And I wonder whether it would make sense to consider whether we ought to be adding some things to a publication that haven’t been as fully fleshed out as some other areas. I don’t know, maybe we should just go with what we’ve got. But there could be some additional thoughts in such a publication.

MR. ROTHSTEIN: Okay, John and then Harry.

MR. HOUSTON: My only concern with that is that it took us a long time, and I think in certain cases we decided to defer issues in these letters because of the fact that there was substantial more work involved in coming to conclusions. So I think that it probably is not practical, I think, to try to encompass more. But having said that, I think that with some of the things that are potentially on the work plan, I think we as a subcommittee should be mindful as we’re developing work product that maybe this is the format that we should use. There should be a letter to the Secretary. But as we craft that letter recognize that we should put it in a format that would allow us to easily convert it to these types of monographs so that they can be distributed more broadly. So I just —

MR. REYNOLDS: If you pull out a chart from the yesterday, that’s one of the things I had at the bottom two items is exactly that.

MR. HOUSTON: I’m trying to take credit for it, Harry. That’s all.

MR. REYNOLDS: And I can actually say I probably got it from you when I put it on there yesterday. So you are – I got it from you. Can I make a comment?

MR. ROTHSTEIN: So – oh, sure.

MR. REYNOLDS: Because I think what’s key is, and we’ve all talked here about HIPAA where there are only certain covered entities. And I know we’ve had the Home Medical discussion and other things. A lot of us are also dealing regularly and as chair as I may have speeches about the committee, those kinds of things. So if you’re sitting down talking to Microsoft about their health record problem, it’s one thing about a letter to the Secretary. There’s another thing about these are – a document like that that says these are the things that I sure hope you’re thinking about as you’re doing this. And oh, by the way, when you have your conference with 300 vendors that are writing off of what you’re doing, I hope that you’re thinking these things.

Because right now there’s no jurisdiction to make them think about it, and there’s no jurisdiction to make the flow work, and there’s no document right now. See, this tells the story, and there’s so many different people getting into the fray now about this information that we don’t have a story and you can argue with them over a paragraph. But if they don’t get the story, the paragraph doesn’t matter. You know, they’ve set it up the wrong way or get people – so I think these are very, very helpful in taking our message to the world that’s out there continuing to do these things and not each of us one at a time.


MR. HOUSTON: And I think to dovetail what Harry just said, I’m more and more convinced the more I’m involved with this and other committees that we are very active, and I think sometimes we take on frankly issues that are timely that need to be addressed. So I think that we’re getting out in front of issues, and frankly I think that needs to be a focus. And I know that’s what everybody says and I think it’s our intent. But I just want to sort of reiterate the fact that if we don’t do it, I think in a lot of cases it isn’t getting done. Maybe I have a big ego about this. But I’m continually amazed that the number of topics out there, things that need to be addressed is really rich. And yet, people aren’t stepping up to do some of the fundamental things that need to be done with regards to privacy and security and NHIN. So let’s step up. We have to be nimble. We have to be quick. We have to get these things out in a way that people can use them. So —

MR. ROTHSTEIN: Okay, well, thank you. Are we ready to vote?

MS. MILAM: Can I just make a comment?

MR. ROTHSTEIN: Oh, please.

MS. MILAM: As a participant in an N2 project, I don’t think it’s fair to say that privacy and security aren’t being addressed – did I misunderstand?

MR. HOUSTON: Yeah, I’m looking, I’m looking at more at the national level. I’m on a HITSP PS, and I still there are a large number of topics that need to be discussed that haven’t been, and maybe I need to clarify that.

You know, I think each one of the participants that got involved in N2 dealt with issues that they needed to deal with, and privacy’s clearly on everybody’s radar screen. But there’s still, if the ultimate goal is to establish a nationwide health information network where there’s a free flow of information between wherever and wherever, right now from my perspective there is an enormous void with regard to privacy and security in terms of how are we going to do it, not just at the technical level. I’m talking at the high policy level, and that’s more to my point.

MS. MILAM: And I guess then I’d respond that the participants are really working at that issue. I think that’s part of the trial.

MR. HOUSTON: I don’t think it scales, though. From everything I’ve seen, it doesn’t scale to me. That’s my opinion.

MR. ROTHSTEIN: Okay, so the motion was to recommend to the full committee this afternoon at some appropriate time or at this morning that staff put together a monograph of the two letters in June of 2006 and February 2008. All in favor, say aye.

(The motion was adopted.)

MR. ROTHSTEIN: The motion carries. Thank you.

DR. DEERING: Just to clarify what you voted on, the document that you have there is, of course, a rewrite. I mean, it’s substantively the same. Number one, it’s only the executive summary and it is a rewrite. So my question is did you just vote to just package the reports as they were done to dress them up, or did you vote to authorize a little bit of editorial approach which you have done in the past. But I just wanted to be clear what the sense of it is.

MR. ROTHSTEIN: Well, my opinion was that the staff was going to be directed to repackage somehow to make it the most appropriate. This big long secondary uses report obviously had to be summarized. Our two letters are much shorter and could probably be included in a document that’s maybe not this long. But I would leave those specifics up to staff. Harry?

MR. REYNOLDS: What I would want to see happen is that the full committee agrees that whatever is done is done under the watchful eye of the co-chairs and, if necessary, than working with you since you brought this up on your last day as to whether or not you’d take a look at it and make sure you thought it was a good – no, because, again, you’re exactly correct. We’ve got to make sure that we don’t – you don’t summarize the issues nor do you only summarize certain issues. So you’ve got to do it with a bit of art.

So I think Susan did a great job writing it. So did others. But it still needs to be under the watchful eye, I believe of —

MR. ROTHSTEIN: But I thank you, Mary Jo, for pointing that out. And so that when we make the motion to the full committee, I think we need to be explicit about that, about what we’re directing or requesting staff to do.

DR. DEERING: An affirmative way to put it not just with regard to your letter, but I think the point that Harry was making yesterday is that what you really want to be using as your criteria is first of all the integrity of the content absolutely is primary.

But second is its effectiveness. And so you want to –

MS. BERNSTEIN: Say that again, Mary Jo, your second point.

DR. DEERING: The effectiveness of the document.


DR. DEERING: And doing what is appropriate while maintaining, you know, first of all integrity is the absolute irrevocable standard. But above that, what is it that would work for the audience that you’re trying to reach and if you follow – and that would be different for different audiences.

MR. REYNOLDS: Sure. And the discussion back and forth between, you know, a little bit ago, the people that are in the game are working on it. You know, the people that are here in Washington or here on the committees are working on it.

I’m more excited and more interested in these messages getting out to the people that are still doing stuff every day and building stuff. And they wouldn’t be able to tell you who was on any of these committees up here. You know, we get ourselves sometimes real excited that we’re it. But when I spend my day going around and I’m sure Sally does and I’m sure John does, I’m running into a whole lot of people that are doing this, and they don’t know whether or not they ever will or won’t be part of an NHIN nor could they describe it to you. But everything that we have in the letters is equally important no matter what we’re going to end up doing, you know, HIEs or mini-HIEs or my own company or my own vendor or my own something else. So that’s what I’m excited about using this stuff for is these are the kind of things that play in the general populace. And, oh, by the way, if the letter itself with its specifics can help drive some of these bigger events, then I think we really start to make a difference. Then I think we actually move more into the mainstream than just the inner workings of what we’re all doing here, and that creates a dramatically different debate than is going on in a lot of the day jobs that all of us do. So that’s where I was trying to go with this. So I don’t disagree with any of it. But I think there’s another audience, and that’s what we were talking about yesterday. How do we make a difference out there in different ways.

MR. ROTHSTEIN: Mia, you had a comment?

MS. BERNSTEIN: Yeah. I was just thinking about what Harry was saying about how the June ’06 letter, that its biggest impact was really in the private sector. And it seems that the format of that letter, you know, didn’t detract from the fact that it had a big impact on the private sector in the format it was in.

So in thinking about what this subcommittee went through to get that letter out and all the wordsmithing and struggling with exactly how we wanted to word it, I just want you all to be thinking about whether, given that it’s much shorter than the so-called secondary uses letter which I know it’s called something else but I can never remember what, and the fact that we know to have been effective in the private sector whether it’s appropriate or whether it’s trying to be —

MR. ROTHSTEIN: Well, at the very least, it would be, I would assume, taken out of the Dear Secretary kind of format and just state it as sort of findings and principles and whatever of the committee.

MS. MCANDREW: But since you are merging two letters and one builds on a subset of the recommendations, it would seem to me there would need to be some harmonization in it.

MR. ROTHSTEIN: Well, yeah, and what I would do is leave up to the drafters of this document whether they think it’s better to try to harmonize them or have them sequential. In other words, you have the framework set out in 2006, and then sort of the second part one issue that we’ve gone into with greater detail is the following which was recommendation R-7, and it recommends the following. Yeah?

MR. HOUSTON: Maybe I’m going to restate the obvious. But we need to be very careful we don’t lose the meaning or change the meaning, I should say, of the letters. And I think secondly for those who have already read the letters, you don’t want them to be confused that this is something other than a restatement of the letters.

And so if you do try to do too much harmonization, I think one of those two things could occur, and I think then I’m not sure whether that’s —

MR. ROTHSTEIN: There probably should be an introduction, a very brief introduction setting out where this material came from and what the purpose of it is. And then I have every confidence in the staff to, you know, keep the original language and intent intact. And the committee chair and subcommittee co-chairs will be happy to assist with that.

Okay, so let’s move now to the third item for today’s agenda, and that is developing our work plan for the next six to twelve months. You all should have at your place a list of 14 topics for consideration. This came out of our conference call as well as email exchanges both before and after the conference call. And I would propose to proceed in the following manner in talking about these topics.

First, some of them may not be totally self-explanatory. So I’d like to very briefly go through. I’ll take the first eight because I’m familiar with those, and then I would ask John who recommended, I believe, 9 through 14 to very briefly explain what he has in mind so everyone knows what they’re considering.

Then I would open the floor to people adding 15, 16, 17, whatever other issues you think we should do. And then at that point, we’ll talk about a system for do we prioritize these, which ones we want to do and in what order. Then once we have that, we need to consider and we may not have time for that today, but at some point, we need to develop a work plan of how to address the issues that we rank at the top. In other words, how many hearings we entail and what do we see involved and also address some of the concerns and suggestions and mandates from Harry’s slides yesterday such as are there cross-cutting issues where we need to go, the subcommittees involved, who is the audience, who are what we’re doing and how do we need to tailor that and so forth.

But the first step if you – without objection, is to just very briefly go through the list of 14 topics that were suggested. Mia, I think, did a very good job of just putting them down in whatever order they were sent in and without sort of attempting to reorganize them or editorialize or anything like that.

And so these reflect suggestions from Paul, from John, from Harry and perhaps others as well. I may even have added something, sneak in here, with Leslie.

Okay, number one is to take up the issue of the problem of protecting privacy and confidentiality in a subcategory of non-covered entities who are web-based aggregators which would include free standing PHR vendors and disease-related patient sites. The most commonly cited one is Patients Like Me, which started with a patients group of families of folks with ALS where they put their entire health record and history and symptoms and medications and all this other stuff on line, and there is some question about the security of that information. There’s some question about the commercial exploitation of that information, et cetera. So that was number one.

Number two is uses of protected health information for disease surveillance. And I think this is one – I’m not sure whose suggestion this was. Was this yours, Leslie? Your explainer?

DR. FRANCIS: Well, it was basically a follow up on the whole set of questions in the secondary uses, one of the questions because obviously one secondary use that’s of great importance is surveillance, and there are a lot of confidentiality issues that raises.


MR. REYNOLDS: We heard a lot about registries the other day. Does that include registries?

DR. FRANCIS: I should think so. I mean one thing about registries are the question of how’s care working or, you know, what kind of care people are getting. Surveillance is what’s going on with respect to frequency and so on.

MR. HOUSTON: Registries, I think, are broader. You could have a research registry like a clinical trials registry, things like that. So it depends on the context.

MR. REYNOLDS: Yeah, but as I listen to it the other day, the fact that for a lot of things that people are looking at in the future, everybody wants somebody on a registry so that somebody would know that somebody has something. Then as you put it on the registry, you would know that somebody has something.

So that’s all I was saying is that if that’s going to be a term that just continues to get thrown out places, if we’re including, I don’t know. I just heard it a whole lot.

DR. FRANCIS: I think you’re right, that that’s another very closely related to this example of the use of protected health information in ways that might have significant confidentiality questions that would be an important follow up to the secondary uses.

MR. ROTHSTEIN: Number three, disclose of sensitive health information for non-healthcare uses including the relationship with contextual access criteria. You, of course, know that our February 2008 letter on sensitive information was specifically sensitive information that’s used in the healthcare setting. And you may recall that I drafted a proposed letter that would be uses of sensitive information beyond healthcare settings that’s disclosed pursuant to an authorization.

So in other words, if I decide that I want to sequester some information from disclosure to other health providers, what happens when I apply for life insurance and they ask that I sign an authorization. Can they require that I also authorize access to my sequestered information, et cetera. So that was the purpose of number three to take up that issue.

MS. MCANDREW: I’m sorry. Is it strictly in the authorization context, or is this like a public health use? A law enforcement use?

MR. ROTHSTEIN: We could use those. I mean, we could split it either way. We were limited in the earlier letter to healthcare uses. But there are certainly, there are permissive disclosures under the privacy rule, and we could take a look at those for which an authorization is not required. Law enforcement, public health and the like or pursuant to authorization or both, whatever.

MS. MCANDREW: But you were thinking of authorizations.

MR. ROTHSTEIN: I was thinking of that at least initially because I think that’s where the most push back is going to occur because the disclosures of public health for public health purposes and for law enforcement purposes in many instances already contemplate disclosure of sensitive information, okay. So if you have a statute that requires STD reporting, right, you can’t sequester your STDs. But what happens to that kind of information when you want to apply for long term care insurance or whatever.

I would like to for just our simplicity combine four and six. There really was no November 7th letter. There was supposed to be a November ’07 letter. It turned into the February ’08 letter. Actually, it was probably a March ’07 letter that kept being delayed.

But it would be a follow up to our sensitive information letter, and, of course, there are numerous unsettled issues that were raised in that like what is sensitive information and what categories, and what are the inclusion and exclusion criteria and what notation, if any, goes to providers. And I mean, you remember the letter. There were a zillion issues that are unresolved.

Number five, I would suggest just for analytical purposes combining with number seven which Harry recommended that we go back to sort of what we’ve been doing for the last two years and look into more detail following up on our June ’06 letter. And he specifically recommended recommendations 4, 5, 6, 8 and 8, and you can see that we have a copy of the ’06 letter at your place so that you can see what those are. Harry, did you want to comment?

MR. REYNOLDS: Well, a good example is we’ll just take our four which was on, I think, the fourth page. It’s on the fourth page at the bottom. This whole opt in-opt out approach is still not a term of art in anywhere, and we heard in our discussions, there’s a kind of I’ll tell you you’re in, and then there’s aggressive opt-out, and then there’s opt-in. But the point is at some point, you know, a next level down to say what really ought to happen because right now it is still being left open to everyone, and I have had enough personal experiences recently in dealing with people that it is somewhat very, very cavalier about what they can do under even payment health operations and what they can do under this and what they can do under that. And opt-in and opt-out is still an issue.

So it’s just – it isn’t going away. But on the other hand, we kind of left it and we kind of in this case, we said the Department or HHS ought to monitor it. Well, I think we’ve all had some time between the letter and when we started working on the letter to monitor it. And guess what, I’m not seeing a richness in the environment. So that was my thinking as I went through these. I don’t care which ones we actually go into. I’m not going to push that. But on these ones if they just don’t go away and every time you get into a discussion somewhat there they are again, then you go whatever you want to do.

MS. WATTENBERG: I would say the conversation needs to really delve into whether or not opt in and opt out comports with a number of the different laws that provide more granular permission to patients in terms of what they disclose when they disclose it and to whom because I know for the Part II law, the opt in and opt out, depending on which variation, as Harry said, you know, you’re working with, it’s not sufficient to support the substance abuse laws and many of the mental health laws.


MS. MILAM: I think a framework could be helpful. When we’re talking opt in or opt out, that’s for participation to move your data over the network. There’s another layer of permission called authorization which is where Part II touches. That gets into the discussion of whether or not you need HIPAA authorization as well, state law consent, that type of thing.

And in harkening back to our first discussion around security, it could be helpful as we think about exchange to recommend a privacy framework or set of principles. We have a set of principles in the Executive Branch, and one of our principles is security. One is consent and authorization.

And so different states have different laws around this opt in opt out requirement. It would seem a good starting point could be that we would look at a principle-based approach where your consent and authorization, the whole concept of permission is part of the framework and then look at allowing, at least requiring permission everywhere to participate in the network, and then letting those at a lower level kind of figure out what that permission might look like. Right now, a lot of states have no laws on the books requiring any sort of consent to participate in the network. So you could have networks not requiring that consent whether it be opt in or opt out.

MR. ROTHSTEIN: Okay, John?

MR. HOUSTON: Yeah, to follow up on that point a little bit. I think it even goes even a little bit further than that at times.

There has been sort of an ad hoc decision made by some groups as to what they think is best without, I think, even a lot of meaningful dialogue that I’ve heard. This is sort of secondhand. So they’ve really said, well, we know people want to be in this. So it’s going to be an opt out, and there really hasn’t been even any thought as to, okay, what are the ethical considerations, what are the legal considerations.

And I think that above and beyond even opt out, to sort of Sarah’s point, you know, some of these laws are very proscriptive. So even if you said I want to opt in, that may not even be enough because it may be on encounter or on a transactional basis that that patient needs to say yes, I agree to the exchange between A and B, and that even gets a little thornier than opt in and opt out because it’s opt in on steroids. You know, and it really, I think, could cause significant – it becomes a great challenge when you talk about the free flow of data, the thought that a patient is going to need to on a transactional basis say yes, I’m okay with that going to there.

MS. MILAM: I think, John, what you’re saying is that as the technical architectures develop, for privacy to exist, it has to be a multi-layered approach. It has the network question first, and then you have the authorization question as to the specific information.

Because you could opt into the network. But if your network tends to segregate all of your categories, especially protected information, then you don’t have a Part II authorization. Then that information can’t move even if they’ve opted in.

MR. HOUSTON: And I agree with you. My only point is that people will absolutely – they will look at opt in opt out as being the authorization.

MS. MILAM: Except that it’s up to the network as the steward of the data to make sure that it doesn’t move without appropriate authorization.

MR. HOUSTON: Let me go one step further. A lot of people that I think manage the networks will argue that opt in is the authorization.

MS. WATTENBERG: Right. But I think also a part of what Sally is saying is that if you can get these principles out there, it can help to distinguish for people that it’s not in fact an authorization.

MS. MILAM: What we’re finding is there isn’t a framework. I think along these lines and this is an issue not on your list but something we’re struggling with and soon may have a ready answer. One of the things we’re working with on the N2 project is the legal categorization. And most people had assumed that health information exchanges, and there are a lot of different kinds looking at a lot of different organizational structures, are not covered entities.

We are revisiting that, looking at the first definition under healthcare clearinghouse, not the definition that gets into standard transactions, but the one that is very generic about processing information when there is not a lot of guidance. If we had guidance about whether health information exchanges were covered entities, that would give you a huge framework upon which to layer a lot of privacy.

MR. ROTHSTEIN: Oh, Sarah will have that by three this afternoon. That’s a really interesting point, and I’ll tell you the only fear that I have about NCVHS taking on that particular topic, it almost becomes – NCVHS almost becomes sort of a super legislative. I mean we can almost make a – by interpretation make it a rule.

MS. MILAM: The language is there.

MR. ROTHSTEIN: I understand that. But somebody’s got to then interpret it. If NCVHS interprets it, and I don’t know whether this is our rule or not, but if it’s left up to us to interpret, which I don’t think that it is —

MS. MILAM: Or make a recommendation –

MR. ROTHSTEIN: Or make a –

MS. MILAM: has that authority.

MR. ROTHSTEIN: Which I believe we already did. I think that’s subsumed within our June 2006 recommendation that anyone who handles information should be covered by some mechanism. Now whether that’s through an expansive interpretation of the existing privacy rule, amending the privacy rule, enacting new legislation, whatever. But we certainly are on record as saying that everybody ought to be covered.

But I do want to underscore something that you said. One of the other tasks that I have is co-chairing the privacy committee of the Kentucky eHealth Network, and I do think it’s unbelievably inefficient for 50 states to separately flesh out the issues surrounding health information exchange. And you know, they may or may not get it right or whatever. But if the NCVHS could at least say, look, as you’re going through this process, don’t forget to consider these issues, then I think that would be very helpful to the states who are struggling with this. Why don’t we just get Sarah, John and Leslie.

MS. WATTENBERG: You know, based on a lot of the information we’ve gotten from HITSP and NGA, it would seem to me that that would be welcomed in many ways by the governors because it would help with this state order issue to have some sort of common approach to this.

And one of the things we may do short of interpretation is just this idea of, you know, different scenarios if you think of it this way and use this as your framework, here’s how it could work. If you do it this way and just sort of lay out sort of the different options, different things people are doing, you know, that that way you don’t have to get into the taking of sides.

MR. ROTHSTEIN: John, then Leslie.

MR. HOUSTON: I’m sort of rambling thought on all this, and some of it is for Sally’s information. I think, you know, one of the things we need to do to clarify, though, is we, NCVHS alone doesn’t make recommendations. I think we obviously have published a lot of testimony on this, and I think that we want all the constituents and people that are really involved in NHIN just to – I think there’s going to be a lot of process to try to get to these answers. I think it is one that I think – one of a number I think that really does need to be addressed, and I think if we can —

MR. ROTHSTEIN: Well, it would take a lot longer time certainly to make recommendations than it would be to raise a set of issues.

MR. HOUSTON: I’m a little afraid of raising it in a vacuum with different sophistications and different groups that are involved. I’m not sure how meaningful it is. I think we need to understand what people are currently doing in perspectives and then try to pull that together. It’s going to be a lot of testimony, I can say that.

MS. MILAM: Can I give an example of one thing we’re struggling with just to let you know. Say you have a principle that called individual rights individual participation. That’s what our principle is called, and that pulls in all of your HIPAA patient right type of things, the ability to request an amendment, request an accounting or disclosures, file a complaint, know who to contact.

You can say as an exchange you’re going to do that. But you really need to look at your functionality. If you’re like a number of exchanges, the few that are actually sustainable, then you’re starting with clinical messaging. You’re starting with technology, and you’re getting your communities electronic. And at that point, you’re really just mimicking the paper flow. You’re not querying. You’re not seeing consumers at all. You’re not seeing patients at all.

So when you think about a principle like that, you think can you say you’re doing that, or are you going to say you’re going to support the providers who are consumer facing and carrying that out.

So I think those are the kinds of issues we’re working through. What should be the responsibility of the exchange. Where is it in a support role as we morph through the different phases. How does that role change. I think it’s multi-layered and multifaceted depending on how you’re organized, what exactly you’re doing, and who you’re doing it with. I don’t think even it’s a one size fits all.

MR. ROTHSTEIN: Okay, John, did you want to respond to that briefly.

MR. HOUSTON: Part of my concern is you’re speaking of those sort of local exchange.

MS. MILAM: I’m speaking at the statewide RHIO.

MR. HOUSTON: Right. Okay. Well, that’s just a local versus national. And the question is at what level should our recommendations be. Are they – I understand there’s implications to the different RHIOs. But I guess maybe naively a little bit I look sort of at the next level up which is how do we develop the infrastructure that connects all of that.

MS. MILAM: Most healthcare is local. You have a lot more data flowing in your community. So it’s a rare situation when you have somebody in an emergency, then that data’s going to be queried or it’s going to move. But your bigger privacy issues are happening locally, I think.

MR. ROTHSTEIN: Well, I’m going to take the chair’s prerogative. I think I’ve got one left stored somewhere to try to move this discussion forward. Leslie, did you have something?

DR. FRANCIS: Well, I just wanted to make the observation that I think if we went to look at what’s going on with respect to, say, particular R-4, linking together what Sally said and what Sarah said, it’s actually a question of the interrelationship between opt in/opt out and some of the issues we were trying to raise in the sensitive information letter.

MR. ROTHSTEIN: Right. Yes, I think so.

MS. WATTENBERG: I just want to say one thing which is I do think that the technology has really progressed by leaps and bounds in the past couple of years in terms of these consent mechanisms and would like this committee to really make a point of taking in a lot of testimony on the different options that are now available because I think that they can really inform and make easier a lot of these HIE issues.

MR. REYNOLDS: Yeah, I’ve already mentioned to Don and Leslie that I’ve seen some kind recently that not for purposes of caring about who the vendor is or what the product is. But it brings in a lot of the characteristics, and it shows that it is being developed now a lot more than I thought it was, and it would be a good demonstration and testimony just to get everybody on it.

MR. ROTHSTEIN: I think it would be great for the full committee.

MR. REYNOLDS: Just seeing what people are doing because what it does then is it generates incredible discussion because now you see a different way. And the hardest thing in a lot of this, you talk about you don’t see anything. And then as soon as you see it, you know, you immediately see the good and you immediately see – I mean, it allows you to divert, but you divert from a central point, not everybody all over the place trying to converge. So I’d be happy to, and I will pass those names on them and they can decide if they would want that – again, under the structure that we’re not touting a product, we’re not touting a company. We’re looking at capabilities that we already thought we should have and that how do they actually play out in reality and what does that reality bring us then from a positive and a negative and another standpoint.

MR. ROTHSTEIN: We really need to move. Number eight very briefly is following up on our business associate agreement. This has been on our sort of back burner for a couple of years. And the question might be whether there’s more to be done in light of what we said in the secondary uses report. But that was a number eight.

And John, I would ask if you can in five minutes go through 9 through 14 because we need to vote.

MR. HOUSTON: Yeah. I’m going to make it real easy because I was asked to sort of without much precision sort of put together a list of potential security related topics for consideration. I don’t think given as – I didn’t try to create an all-inclusive list as much as I tried to create a list that was demonstrative of the types of things that we might want to consider.

I could lump all of this – and by the way, there’s probably far too much detail in comparison to the other eight items here. So I guess my point is I could roll this up in large measure into this whole earlier discussion we had and discussion with Kolodner about that there needs to be a framework overall for the NHIN, a sort of governance structure put in place for privacy and security, and that all of these are sort of examples of what might be necessary for that governance model.

So you could argue that really 9 through 14 are really just simply recommendations regarding a governance model for privacy and security in the NHIN.

MR. ROTHSTEIN: Okay. Does anyone want to add some other item that is not on the 14 that we have so far. Oh, I see that we have a visitor.

DR. DEERING: Well, I’m wearing my hat now as the federal lead on the Data Use and Reciprocal Support Agreement for the NHIN. And so as a non-lawyer, I’ve learned more about it than I ever wanted to know.

And I guess what I simply wanted to put on the table for the committee’s consideration, and if you’re a lawyer on NCVHS this tends to be where you sit as opposed to anywhere else which is I think this agreement has the potential to cause quite a few waves. I think that it’s going to elevate a lot of policy regulatory legal issues with regard to the federal participation that would require regulatory relief, and it could be a really, really, really, really big deal.

And so just in terms of how full your sponge gets as you begin to go through your list of 14, I think just being mindful that this could shape a lot of how the feds just in terms of their energies – I could be wrong. But it’s proving an extremely painful process and could raise a lot of issues.

Now the other side of that that I think –

MS. BERNSTEIN: Mary Jo, could I interrupt – could you talk just a few sentences about what this project is.

DR. DEERING: So as part of what the requirement of participating in the trial implementations, the nine HIEs, initial HIEs and now the subsequent additions were required to draft a data use and reciprocal support agreement that would govern – that would set forth the terms by which they would exchange information with each other as part of the trial implementation.

And it has been determined that for the trial implementation it will only be totally anonymized fabricated data, totally desensitized data, and I won’t go into those details right now. And the nine accomplished their contractual requirement of drafting this agreement. But then the feds have joined as back for the second round of all state HIEs. The feds were the tenth, and of course, you know, Kaiser has now joined. But the feds have joined and DOD, MVA and the Social Security Administration and IHS are all going to participate in this trial implementation, and they must sign the DURSA with RHIOs.

And the current drafters of which they’re calling the test data, the test data drafters is about to go out of EXECSEC. It’s just gone back late last night for some final clearance after some final clean up, and it would be going out to the agencies to look out. And, again, so you’ll see your first wave of sensitive issues being raised even when there’s no sensitivity in the data.

And then secondly, the next phase which has already been requested by ONC is to proceed to surface those issues that need to be addressed to sign such an agreement for sensitive information. Again, the HIEs are obligated to move in that direction, and the Feds, if they are participating, will be obligated to go in that direction.

MR. ROTHSTEIN: So Mary Jo, could I ask –

DR. DEERING: So I can stop there.

MR. ROTHSTEIN: Can I ask you what you would be seeing as the NCVHS role in all this, keeping in mind that people are signing these agreements right now and it would take months before we could study these.

DR. DEERING: Well, I think what will be interesting and it was just as much to keep it as a placeholder on your horizon. It could well be that the examination of the federal ability to sign these, what are the legal, you know, concerns because they’re going to come up from different agencies from different sides. So it really is a pan-governmental issue.

So, again, I’m not saying that you should add it right now. But it could be something that gets brought up.

MS. WATTENBERG: Have all the operating divisions been involved in this?

DR. DEERING: No, only those that are going to participate. So IHS, for example, within HHS is the only one that’s participating right now.

MR. ROTHSTEIN: Okay. Are there other suggestions? Hearing none, now we take the – we have the task of try to of these 15 items or counting John’s, you know, amalgam, deciding what our priorities are, and there are various ways that we can do this.

One way would be to have an initial go through and give every voting person three votes and then see which ones got no votes, drop those off, et cetera.

Mia, you look pained. Do you have a better system?

MS. BERNSTEIN: Well, I’m looking at my watch. So that’s one reason I’m pained. But the – I mean we’ve had no discussion about the propriety of any of this or the approach of any of this. And so, you know, it’s almost – well, it’s up to you guys how you want to conduct your affairs. But it seems a little premature without some discussion about the advantages or disadvantages of looking at any of these or going on to something else other than what you approve.

MR. ROTHSTEIN: I understand. This is our last face-to-face meeting for a while.

MS. BERNSTEIN: Yeah, I know.


DR. FRANCIS: One of the things I think should be taken into account in deciding what to prioritize also is what other committees are doing. For example, the questions about following up on particularly our four is very related to some of the issues about Medical Home. Disease registries, those sorts of questions are also very related to at least some conceptions of a Medical Home but perhaps not others.

So if that’s going to be a cross-cutting set of issues for the entire NCVHS, and I don’t know whether it’s going to be or not, that would speak for starting in on some of those.

MR. ROTHSTEIN: What I would not like to see happen is to leave today without at least winnowing the list to some degree.


MR. ROTHSTEIN: And if we could get down to three or four or five things, my recommendation would be then we’d have maybe a one-paragraph description of what each of those would involve and circulate that in advance of a conference call and then start working on the specifics of the work plan where we take up the issue from Harry’s slides of who is the audience for it and what are the collaborations involved and what’s the hearing requirements and so on and so forth. But a list with 15 things on it is just sort of really unwieldy now, and I think we’ve had a reasonable discussion.

MR. HOUSTON: We’ve already narrowed it down effectively to seven.

DR. FRANCIS: Yes, nine through fourteen is really one.

MR. ROTHSTEIN: Correct. Okay. So –

MR. HOUSTON: One, and you narrowed another one down. You narrowed –

MR. ROTHSTEIN: I’ve paired four and six and five and seven.


MR. HOUSTON: So you’ve got those two out of the way.


MR. HOUSTON: You really effectively are already down two. What does that make? Seven.

DR. FRANCIS: But if our four is a question about levels like the relationship between opt in/opt out and authorization for transfer of certain kinds of sensitive information, then that’s a family of issues that could be essentially one.

The one that’s kind of – the two that I would say are really new initiatives, although I think number one is incredibly important. It’s a big time new initiative.


DR. FRANCIS: And that could be something we decide is a one year rather than a six-monther. My own thought is that the six-monther would be nine through fourteen as one and four, six, five, seven as one. That is, the follow up on –

MS. WATTENBERG: What’s the second category?

DR. FRANCIS: Five, seven is the follow up particularly on R-4. But that’s actually linked to if we’re going to think about the relationship between opt in/opt out and whether there are emerging practices that also look like sensitive authorization control.

MR. ROTHSTEIN: But are you suggesting four, six?

DR. FRANCIS: Well, I’m suggesting actually that four, six is more linked to five seven and initially meets the eye the way they’re presented here.

MR. ROTHSTEIN: Yeah, but four-six is huge.

DR. FRANCIS: Oh, yes. But if what you start doing is looking at what the practices are that are emerging, you learn something about four-six from doing five-seven.

MS. MILAM: Can I just – I don’t know if you all know, but the National Association of Attorneys General did a study last year for NPA and has a whole report on all the different categories especially for protected information, and they also graph it. So that could move that along possibly.

MR. ROTHSTEIN: That would be very helpful if you could get this distributed. So my question is to John and Leslie, I’m your servant. How would you like to proceed. Do you want to just make a suggestion of what the agenda going forward ought to be and have approval of that?

MR. HOUSTON: Yes, I think we need to have as a subcommittee need to have a conference call. And prior to that, I think we need to summarize each one of these categories in a way that allows people to have informed vote and discussion and informed vote. And I think the pieces that we also need in the paragraph is some relative measure of immediacy of a recommendation because some things out are going to linger regardless of what we think and some things are going to be – need to be more timely for them to —

MR. ROTHSTEIN: So in sort of the summary, I think some of the factors or criteria to put down for each one are how long is it going to take, what resources, who else is doing it, who’s the client and –

MR. HOUSTON: Right, and how immediate is the need for a recommendation.


MR. REYNOLDS: And again, if we’re going to have any hearings this year, we’re going to have to do this fairly quickly.

MR. HOUSTON: What does that mean, Harry?

MR. REYNOLDS: Well, I’m saying in the next month at the latest to start because then you’re going to need a couple months to plan hearings.

MR. HOUSTON: I think a lot of these are going to require substantial input for them not to be dismissed as being overly, you know, naïve or uninformed.

MR. REYNOLDS: No, I agree.

MR. ROTHSTEIN: So just to tie together loose ends before we adjourn, I assume then that John and Leslie will get together at some point, go over this list with Mia and make some decision about who is going to prepare summaries of what items, work out a plan for circulating it to the members of the subcommittee and then arrange for a conference call to proceed.

MR. REYNOLDS: I would add one other thing. If you would be willing to go through this list and circle your top three.

DR. FRANCIS: Yeah. Well, we’d want to include you on the conference call.

MR. REYNOLDS: Yeah, or that you think ought to be – I would really like to not lose that input.

MR. ROTHSTEIN: To add my unofficial suggestion.

MR. REYNOLDS: No, no, I mean it. And then I’d like to turn it over to John and Leslie, but I would really welcome that from the committee.

MR. ROTHSTEIN: I’d be happy to. So if there’s no other business, let me just add my thank you once again to the members of the subcommittee for all your guidance and help and cooperation over the last several years, and the meeting of the subcommittee is adjourned.

DR. FRANCIS: And us to you.

MR. HOUSTON: Yeah, I just want to say thanks again, Mark. We said it last night at dinner. But it’s been a pleasure especially the subcommittee meetings have always been enjoyable and informed and your leadership has been fantastic and going out the door, we’ll miss you and again I enjoyed working with you.

MR. ROTHSTEIN: Thank you, and as I mentioned last night, I want to thank Jeanine and Marietta and all the others who’ve facilitated our group. We couldn’t have done anything without your support. So the meeting of the subcommittee is adjourned.

[Whereupon, at 10:00 a.m., the meeting adjourned.]