[This Transcript is Unedited]

Department of Health and Human Services

National Committee on Vital and Health Statistics

Subcommittee on Privacy, Confidentiality and Security

November 13, 2013

National Center for Health Statistics
3311 Toledo Road
Hyattsville, MD 20782

Proceedings by:
CASET Associates, Ltd.
Fairfax, Virginia 22030

P R O C E E D I N G S (4:11 p.m.)

Agenda Item: Welcome

DR. FRANCIS: We are just starting the meeting of the Privacy, Confidentiality, and Subcommittee of the NCVHS. I think there are a number of people who are here. Maybe we should have everybody introduce themselves and then talk about who is on the phone.

(Introductions around table)

DR. FRANCIS: I am hearing a number of little phone bings. I would like to ask for – first of all, we are going to go around and just who is here and then everybody on the phone, I will ask to identify themselves.

(Introductions continued)

DR. FRANCIS: So we are going to talk briefly about the outline of the Privacy and Security content of the HIPAA report to Congress. Linda, did you want to –

MS. KLOSS: I think we are picking up on the conversation that we had on content that we had on our last conference call. Maya had the outline of the topics that we had said we wanted covered in that. Perhaps, in the interest of moving forward, since Devon is here, let’s just flip agenda item one and two and move the accounting for disclosure discussion up. We will return to the report to Congress.

DR. FRANCIS: So the floor is open for discussion of where we think this committee is, given what we heard on the slides this morning from Laura, from ONC. Maybe, Devon, you could fill us in on timetable before we get the discussion going or any other information you think we ought to have at this point in time.

MS. MCGRAW: So our timetable on the health IT policy committee and the work that the Tiger Team is trying to do on this issue is we are aiming to present an initial set of recommendations to the Health IT Policy Committee at our upcoming meeting on December the 4th. It is a pretty crowded agenda on that day. There are a lot of other things that are going on, as Paul Tang is well aware, but the regulators are very anxious to hear from us on this issue and we are also eager to provide them with our thoughts as early as possible. We do hope to get an initial set of recommendations to the policy committee in December.

If the Committee likes what it hears, we may, in fact, be done with the work that we intend to do on December 4th. If past is prologue or predictive in any way, I think there is likely some additional work that we will need to do in response to questions and suggestions that will come from the Committee. I think it is likely that our work on this would wrap up at our January meeting, rather than necessarily being done in December.

We are aiming to provide the Committee with as complete a set of recommendations as we think we can in December. We have two more Tiger Team calls before that meeting.

DR. FRANCIS: The first of those is on the 18th, as I recall.

MS. MCGRAW: Yes. Next Monday the 18th and then the next one – we have one two days before the December 4th meeting. It is on December 2nd.

DR. FRANCIS: So maybe it would be helpful if we had members of this committee comment on issues that we have at least preliminarily surfaced that we think it would be useful for the Tiger Team to be aware of.

MS. MCGRAW: That would be great.

DR. FRANCIS: Okay. Maybe just the first question is what this group thinks about what I will call an access approach, the NPRM approach. I think it is fair to say – perhaps I will just try out a straw comment on this. The general consensus is an access dump, where what patients get is a list of all the accesses, is not helpful to patients, not what patients could make good use of most likely, and quite expensive and probably not the way to go, although, it did appear to have been what might have been required by the earlier 2010 NPRM. I will try that one out on this group. Does that go around? I see a lot of nods. I am asking for verbalization.

MS. MILAM: Yes. I think we heard more, too, that we need some more information about some of the issues, perhaps quantifying some of the different concerns. What are the issues that would be remediated by having such a report? What problems are we trying to fix? What is being done today? What is working? What is not working? What is it, exactly, that needs to be solved through a report to the patient? I can be more specific.

DR. FRANCIS: Yes, could you?

MS. MILAM: Sure. Leslie, you indicated – in our discussions this morning, we were talking about how if there is an incident, the patient is notified, often, by letter and then can request an accounting of disclosures. Your concern was what happens when there is no notification of the patient because, perhaps, the facility is unaware. It is a snooping problem. It is an impermissible use. It is where an employee pulls a record and it is not somebody under that person’s care. It is not for treatment, payment, or operations. It is for personal interest. How would the patient ever know?

I think it would be really helpful to understand how widely is that occurring? Is that occurring? Are there current mechanisms in place to address it? Or is the accounting of disclosures option really the only option to give the patient that information?

DR. FRANCIS: Maybe following up on that, there was some discussion on the Tiger Team call about celebrities in that concern. I think this committee is interested in the more general question of ordinary people and snooping and the extent to which that was a motivation behind including TPO. On the other hand, whether an accounting of everybody who has seen it is the way to go that way or whether the response to that concern could better be addressed through a hard look at what facilities could do, should do with respect to risk assessment, administrative security, developing the audit capability to pick up when these kinds of things have occurred so that – and lots of staff training and things like that.

The alternatives aren’t a log of uses versus patient complaints, which, after all, is after the horse is out of the barn, but some room – the door open for understanding what the issues are here and what alternatives there are.

MS. MILAM: Can I just do a quick follow up? I know others have their cards up. I would love to see a study where we actually or OCR as part of its audit function actually looks at audit logs and is able to define, out of so many audit logs reviewed, X percentage is appropriate and X percentage is inappropriate so we can see how much snooping has occurred across the spectrum. We know it does occur. Is it significant?

It is a question of cost. We heard this morning that – what was it? – over $100 million possibly to introduce this technology. Whenever you introduce a control, you have to weigh it against the value you are receiving.

DR. FRANCIS: This subcommittee, to follow up on that, was essentially asked this morning by OCR and the concerns that they have about the failure to do risk assessments, we were asked to at least do some thinking and follow up on that. We haven’t decided whether that is something we are going to take up, but it is certainly something we would want to have the door open to.

I have been talking a lot and there are a bunch of cards up so I will just go around.

DR. STEAD: If it would be appropriate, I will give you an example of what one large system did that largely has worked. A fundamental lesson is that today’s electronic medical record systems are not designed to limit access based on explicit known roles. It is that simple.

Absent that, what we elected to do was, one, each time a provider – each time a person who has an account goes into a record for the first time, they are told they are going into it for the first time. In the audits, we discovered a lot of this was accidental. Second, they are asked what their role is related to the patient. We have a hook for the audits when we want to go back. Third, they are informed that every access to an employee record will be audited. Those three things have completely – have dramatically changed, virtually eliminated the patient reported events.

MS. KLOSS: The other tack our discussion this morning took was thinking about the testimony that came out at the virtual hearing about the status of the logs and the fact that they are really designed as security devices, not as reporting devices to be used, certainly, to convey information to patients. One of the paths that might be productive for the industry is to go through a process of defining what is a reasonable minimum data content for those logs and moving through the certification process over time to see that those mechanisms get better and that that would be, certainly, a reasonable precursor to any expected use of those logs for patient information purposes.

I think, in addition, Bill your examples were great, we had teased out several areas that we thought would be wise investments and additional work for our industry. Certainly, strengthening acknowledged best practices, such as the example you gave, Bill, but stronger investigative procedures. How should organizations, in fact, reasonably chase down these and deal with these issues? Stronger work to help inform patients about all the ways information is, in fact, used and to help them learn more about the use system.

Third, we had some discussion about, at this moment in time, helping organizations invest in really making sure that patients have adequate – there are adequate mechanisms for patients to access their records because that piece is still, certainly, far from perfect in most organizations. There are other sort of transparency actions that felt to us in some of our discussion – are compelling.

MR. SOONTHORNSIMA: To chime in, that is what you guys were talking about, Bill and Linda. When I look at access log or access accounting, it is too prescriptive at the end of the day. What organizations, large or small, try to do is come up with a balanced approach as to how do you mitigate inappropriate access through either system capabilities – and not every system can do those audit details that are being prescribed. Second is around policies. What policies do you have in place to protect the data, appropriate use, appropriate access, training, and, lastly, audit? What are some of the internal audits that they do?

If you come up with more of a balanced approach and give that as a recommendation, but more holistic, not be prescriptive to system capabilities alone – we already had some of that in HIPAA practices. A lot of organizations already have this. Use that as the starting point, perhaps. I think I am echoing the same thing that you are saying.

DR. FRANCIS: Maybe I will try out a summary and see if people think this is a fair summary. This group would be – and this is only this group. This is not an official statement of NCVHS. The folks who are sitting around this table would be comfortable with a recommendation to the Policy Committee that focuses on disclosure, which is external to the system, folks who do not have access authorization to the system, but that we be comfortable with a recommendation that deals with incorporating TPO into disclosure defined in that way, but that we would want the door left open to a wide variety of further looking at and mechanisms to consider the whole use question, along some of the ways that Ob and Linda and Bill were discussing without any prescription at this point about what that should look like except to say that that is an important question that needs to be regarded as an open question and on the table.

How does that go down with the group? A lot of nods and one very well and a comment from Maya.

MS. BERNSTEIN: Again, I just want to point out I am not sure what the relationship exactly is between this subcommittee and the Tiger Team, except for that we have cross-pollination of our membership. We don’t normally give recommendations to another advisory committee. We will have to figure out how the best process is for doing that formally by the committee.

DR. FRANCIS: I was just saying these were views of the people sitting around the table. I don’t know whether there is sentiment for having this group ask NCVHS to send a formal recommendation to the Secretary, which is what we do as a committee. I don’t know. I was seeing this much more in terms of input into the discussion that the Tiger Team can take or leave.

MS. GREENBERG: You are on the Tiger Team. Also, this group can give you – give the Tiger Team a sense of the group. It is not a recommendation of the Committee. I think we have a quorum of the Privacy Subcommittee. It certainly could be the thinking of the Privacy Subcommittee.

It doesn’t seem – at this point, it seems like it is not necessary. Would it even be kind of feasible to send anything to the Secretary that would be timely enough that would say anything beyond what you described? What would the Secretary do with it? Let’s think about this practically. By the time it got to her and –

MS. BERNSTEIN: She has not issued a final rulemaking. There is much time to discuss.

MS. KLOSS: Well, I think – just a couple more thoughts. We, as a Committee, have had a very extensive process of roundtable stakeholders through the course of this year reminding us that we really need sort of a roadmap to understand how all of these new regulations coming at everybody fit together and making some sense of that.

My perspective, and it is just my perspective, comes at a real acute awareness of balancing certainly what is a legislative mandate that the Tiger Team has to respond to with the harsh reality of what is going on in the field right now and understanding this is not an insignificant area to tackle for any health care organization at this point. It just seems, as a very pragmatic role, that there are a lot of things that the industry can do to improve our stewardship of the data, stopping short of a full accounting for disclosure using audit logs.

I think, from my own personal opinion, I heard so much about this at the AHIMA convention a couple of weeks ago. I just think it is sinking the ship. I just think there would be just huge backlash to the idea that over some short period of time, the industry was going to have to gear up to do this. I think we have an obligation to kind of look at those issues and balance all of the interests.

MS. MILAM: You referenced the request that OCR made this morning with regard to feedback to them as to what might be helpful, in terms of getting the risk analysis requirement out to providers. I think that discussion might be good for us to have when it is appropriate.

DR. FRANCIS: I think there is clear interest in this group in doing that. One other point that has been raised that I want us to chew on briefly while Devon is on the phone is there is an open issue on the table about whether any kind of recommendation should focus on only disclosures through electronic health records or whether whatever an accounting requirement looks like, it should include information maintained in electronic form, even if it is not in the form of, say, the designated record set in an electronic medical record or an electronic health record. If anybody on this group has any thoughts about that, I would appreciate them.

MS. MILAM: I am wondering for the payers around the table who don’t have an electronic health record set, how they would anticipate responding to that requirement.

MR. BURKE: I don’t think it is wise to limit the accounting discussion to only electronic health records. I think anyone who is a covered entity and possesses electronic information should be subject to the same. The other point I wanted to raise was one you raised this morning or re-raised – that you spoke to this morning that would differentiate between TPO disclosures inside a company and external disclosures. Many covered entities rely on many business associates. From one perspective, it could be determined to be an extension of a TPO service. From a patient’s perspective, the individual’s perspective, it might be thought of as external.

DR. FRANCIS: Other comments? I do have just a closing personal comment, which is that I think the general sense of a number of people, the general sense of the blog was that this is a highly controversial area. Anything anybody does in this area should be slow steps that don’t preclude other steps. I don’t know whether that is – so, for example, if the – this is not – again, this is only my personal view. If the policy committee were to recommend to OCR a particularly narrow rule that shouldn’t necessarily be taken as that is all there is, but as a start in the recognition that this is a very complex and controversial question. As Linda said, if we are thinking in roadmap terms, you don’t get to the destination all at once or assume you have gotten there because you took the first step.

MS. BERNSTEIN: Speaking of steps, what next step do you think this subcommittee might want to take down that road?

DR. FRANCIS: I think that the whole question of risk assessments and what the alternatives are, whether it is what Bill was suggesting, what kinds of audit capability – what the alternatives are for the snooping problem is something this committee is going to want to take a look at.

MS. BERNSTEIN: I am actually not aware of the timing of any of this. I know, Devon, you talked about the December meeting of the Policy Committee. Is there something that is driving that particular date?

MS. MCGRAW: I think there are a couple of things. One is that the proposed rule on implementation of the high tech changes has lingered for quite some time. I think Linda Kloss made a very good point that the buzz around this issue is crowding out a lot of other discussion. I think there is this desire not to have this continue to ferment or foment for longer than is necessary and to try to have a path forward for implementing what is possible to do in this area.

There has already been a statutory deadline missed, not that that necessarily is a huge consideration. That certainly does happen. Nevertheless, I think that the longer you let this thing stew, the more that industry will continue to be concerned about staring down the prospect of an access report. That is, essentially, what is in the proposed rule.

MS. BERNSTEIN: Well, if some of the alternatives that we have been talking about start getting pursued that are not that particular thing, I think that would quiet —

MS. MCGRAW: Until somebody affirmatively takes that access report on the table, people will still be concerned that it might happen. You are probably in a better position, Maya, to suss out what the urgency is.

MS. BERNSTEIN: Yes, and I know nothing.

MS. MCGRAW: This is one of those topics, also, that has so many deep nooks and crannies to it, as you just pointed out, that you could talk about it for years.

DR. FRANCIS: Speaking of nooks and crannies, one other just comment was that I think a shared view, here, is that the range of patient perspectives that appeared at the virtual hearing was quite thin and, to some extent, not on point about what the range of patient concerns, which include a variety of privacy concerns and are not limited to that. As there is movement forward, I think part of the interest of this group would be to get a wider range of patient concerns into the mix. I think I speak for the group on that one. I am seeing nods.

MS. MILAM: And some data behind it.

DR. FRANCIS: Yes, not just anecdotal. Does anybody have anything else to say on this? I think we have said our piece then.

MS. MCGRAW: I really appreciate the viewpoints. What is probably most affirming is that we are very well aligned in how we are thinking about this or at least I think we are. Again, we are not done from the Tiger Team perspective, but in terms of the discussions that we have already had and the concerns that have been expressed and the potential paths forward and the notion that you don’t – you have to sort of try to take this on in stages and the issue of transparency and concerns about inappropriate record access are so much broader than just this accounting issue.

MS. KLOSS: So next steps, Leslie, you will follow?

DR. FRANCIS: I will be on the call on the 18th.

MS. KLOSS: We are on tap to help or respond to or review draft recommendations. I know everybody on NCVHS will help in any way we can.

DR. FRANCIS: Anybody who wants to listen in on the call on the 18th – what is it, Monday at two o’clock Eastern time?

MS. MCGRAW: Yes. That is correct. Web and telephone.

DR. FRANCIS: Okay. Thanks.

MS. MCGRAW: Thank you.

DR. FRANCIS: We are now going to move back to the Privacy and Security content of the HIPAA report. Maya, you have a little bit of an outline there?

MS. BERNSTEIN: Sort of. Yes. So the subcommittee had a phone meeting a week or two ago, a couple weeks ago. We looked at the outline that was prepared I think by Terri Deutsch with guidance from Walter and others on the Committee, who are preparing the larger so-called Annual HIPAA Report, which seems to actually get issued biannually, but we report on annual activities.

We thank Terri for her work on detail to work on this matter. In the fourth section of the outline, it talks about advancements in the implementation of HIPAA privacy and security policies and standards. One thing we have to do is talk about sort of what has happened in the area of privacy and security standards in the last reporting period, which includes a lot of activity in the rulemaking area.

MS. KLOSS: Do you think our time period should be from the 10th report to Congress?


MS. KLOSS: So that really takes in all of 2012 and 2013.

MS. BERNSTEIN: Pretty much.

MS. DEUTSCH: I am Terri Deutsch. Everybody now knows I am on a detail at OESS. I work in CMS and Medicare and payment policy. I have been doing that for about 13 years. I write all of the regulations and the policies having to do with payment. I have now been in OESS for about 10 months. I have written reports to Congress before. It is not new. I am really enjoying it very much. I am getting to know Ob and Walter very well. I thank you for the opportunity.

My understanding is the report is covering from October 2011 through December 2013 because it is on the fiscal year. We are shooting for February. That would be the draft report in February.

MS. KLOSS: But our draft on privacy needs to be ready to drop in earlier than that.


MS. BERNSTEIN: I would think that if you were going to vote on it, approve it on February, the full committee needs it further in advance. Executive Committee is going to want to take a look at it. Marjorie is nodding even though she won’t be here to do all of that work. If you want to issue it on a February date, there needs – we need to back up from there. I am not necessarily here to talk about the deadlines and so forth for the full report, but we need to think about that. There will be drafts that the Committee will get to see earlier than that. We can all comment on them through the SharePoint site or however you get that done.

There have been some rulemakings, the Omnibus Rule, in particular. There has been – we are going to talk about some other advancements. I think what we talked about was having a description of kind of common errors that we see in privacy and security, the things that come up all the time like the lost laptop or whatever, the kinds of things that are really a problem. It can be useful for people to focus on those things that are happening most often. Perhaps talking about new guidance that may come out, has come out, or could come out from OCR in those areas.

MS. KLOSS: We mentioned that they have done the product contract. They have done the field audits.

MS. BERNSTEIN: I am writing it down. There are some other guidance that they have put out and some that is forthcoming. You have heard Rachel Seeger talk about some of that this morning.

We have a little subsection on enforcement of the privacy and security policies and standards – so the most common types of actions, resolution agreements, major changes, the types of organizations that have civil monetary penalties against them, what the root causes of these kinds of thing are, and that sort of thing. Status and trends.

Sue McAndrew told us that – we asked her about do we have any current statistics on enforcement. In fact, they do put out two different reports to Congress, one on breach and one on enforcement. These are separate. They have a slightly different bent. They expect a January issuance so we will have those data before we are planning to come out with our report, which could be useful. They can share whatever stats – if we need them, we can get you statistics that they are already collecting.

Their conclusions may be different than the ones that this committee comes up with. The Department is going to, perhaps, have a different message than this committee might have, but that is okay. Essentially, the idea is that the report is going to hopefully drive best practices. We are going to highlight things that may point to a future direction or things the Department can be doing.

I think there is going to be a section on sort of planned changes. Yes?

DR. CARR: I think it is worth highlighting the educational outreach that OCR has done. I think that made a huge impact on the committee. I think that was a major step forward.

PARTICIPANT: Was it around policy – privacy and security?

DR. CARR: Yes. Privacy, all of the educational things – remember, we had, two meetings ago, a great presentation. I think that that demystified a lot of the complexity. ONC is doing the same thing with their video games – their games on security. I think it is a point worth highlighting that we have – we have gone to sort of the end user perspective and packaged it in a way that is very user friendly and understandable.

MS. BERNSTEIN: I think it might be worth pointing out some of the discussion – that is right, Justine – that happened this morning. Although those kinds of outreach are very creative and useful, they are also kind of preaching to the choir. The choir is very large, but also there are a bunch of people not in the choir you are not reaching. Rachel is concerned about – she expressed a lot of concern about reaching smaller providers and how to get out to them. Maybe this committee has relationships with smaller organizations that represent different kinds of communities, providers, whatever, small entities that they are not getting to that is difficult for them to get to.

DR. CARR: But I would frame it in the positive. Not only have they recognized how to make it understandable by the end user, but they have also recognized the need for broader distribution and outreach.

MS. KLOSS: I think the way she described it today – you know, going after areas where there is this impression, targeted where the law and the regulations were being often perceived as a barrier where they aren’t.

DR. FRANCIS: So there is what OCR has been doing. Something else we ought to make sure to mention is the new notice of privacy practices from ONC.

MS. BERNSTEIN: The models that are on the website and stuff? It is part of the outreach guidance, part of the Omnibus roll out.

DR. TANG: So does the report include any new issues or issues we want to highlight as well?

MS. BERNSTEIN: Yes. Things that are coming down the road is the last piece – is that not what you meant?

PARTICIPANT: We want to identify what should be in there.

DR. FRANCIS: Terri was going to have a looking to the future section. Maybe we should open that.

MS. BERNSTEIN: What would you like in there?

DR. TANG: The one is, picking up on Justine’s point, it is really refreshing material. We do have to get it out. One of the comments is it isn’t just the small – so, yes, the small practices, but, unfortunately, it wasn’t just the small practices.

MS. BERNSTEIN: Right, there is a lot of misreading of the law.

DR. TANG: Well, she gave us some stats. It is the vast majority are not complying with HIPAA security. I think we just need to take it totally to everybody and find new ways. I think this wonderful content is there. We have to find ways to leverage the asset in a positive way and make it available in places where people are looking for it.

MS. BERNSTEIN: Leverage what asset? The guidance you are talking about, the guidance documents or are you talking about some other —

DR. TANG: The educational. The training programs. The games. The things that made it accessible to the end user because, by and large, the person – I mean, it is the docs that need to understand that they even need this before you can have policies that are implemented.

MS. BERNSTEIN: What is it that you want to say about that in the report?

DR. TANG: It is sort of – I noticed CMS is having homepages of where – when you have questions of meaningful use, go here. If you have training, go here. This should be in wherever this page for how to answer your questions from the small doc practice up to the large health system, who have now just been tasked to go make sure you comply with HIPAA. The first they may have heard about it is when they get challenged in their audit for meaningful use that you are not meeting this criteria. Then they may go searching, oh, well, what is the criteria that I need to meet?

Wherever they go or wherever we could point them to needs to have a comprehensive set of guidance and tools to educate their end user. In fact, it is these one minute videos that are going to be far more effective than putting yet another section on the health stream thing that you are supposed to do. Do you know what I am saying?

MS. BERNSTEIN: I am good with that. The question is in this report, how do you want to express that idea?

DR. CARR: It is great to tell this story, in terms of the half full. I think that we have achieved an environment of alignment where the agencies are cross-referencing and collaborating together to get the message out. Actually, the implementation, now, of high tech engages the patient and the person in recognizing that they have the right to know where their data goes and to participate in it.

The notice of privacy practice is one thing. I guess we are struggling with how we inform individuals, but we are telling individuals that you have that right. I see it as just an alignment, whereas before, it was a rule that people were trying to implement. Now, we have made it understandable. I think people understand the value of it more now than the burden of it.

DR. TANG: Maybe getting a little either confused or looking for an opportunity of how to use this annual report to congress. What was it originally? Originally, they wanted to know how are we doing. This seems to be an opportunity to say, well, one of the things we found out is eight years later we aren’t doing well at all in implementing HIPAA security.

We have, fortunately, developed some really nice tools that get all the way to the end user and we are looking for ways to make that more known in a convenient place where people look. That is sort of the message. That is what I want to read out of the report.

DR. CARR: We are better able to assess compliance with the development of meaningful use, et cetera. As we identify the gaps, we are also better able to provide information in a consumer-friendly fashion.

DR. TANG: So what are the accomplishments? What are the gaps remaining? What are the actionable things I can get out of reading this report?

MS. GREENBERG: The audit report, didn’t I hear it actually hasn’t been released yet?


DR. TANG: Correct. So OCR has a pilot they did of auditing apparently some randomly picked sites that span the entire spectrum of health care delivery organizations, including small providers.

MS. KLOSS: Both security and privacy practices.

DR. TANG: The results of the audit, which have not been released yet, showed a very, very poor compliance in this area. CMS, I think, has their own audit program. They are confirming – they are aligned. The results are aligned.

MS. GREENBERG: What I am just wondering is what we can put in this report? We can say, certainly, that this was reported to the national committee. I don’t know that we will be able to cite the report if it hasn’t been released.

MS. KLOSS: There may be data available in January. I think we should write it with the hope that we can drop in some figures.

MS. GREENBERG: That would be good. It is very important.

DR. TANG: It is very important. The Department has the tools, i.e. like regulations, at its disposal to make it better.

MS. BERNSTEIN: Following up on that, when you said actions I can get out of reading this report, I want to remind you that you are talking to congress. If you want them to take action, it is going to be in legislation. If you don’t want them to take action, you should say that we are doing something else and all is pretty well.

MS. DEUTCH: I think that is the intent of the way the report and the outline is, that when you look at the outline for enforcement of privacy and security, there is the current status and the planned change. If I can give an example, we have enforcement for the code sets. In their write-up, it talked about that there were 49 valid complaints that were lodged during that time frame. It will be updated based on what happens through December. We only had it through October. If the plan changes, what do they plan to do because of the findings that they had?

I think that is around the context. I agree that we have to be careful that we are not divulging anything in the report to Congress that has not been divulged through the hierarchy, so that the Secretary doesn’t read about it in the report. We have to be very careful. There are sensitivities that need to be looked at before any of that information. The 49 complaints for the claims have been vetted.

MS. KLOSS: I think one of the messages in the go forward is reiterate the lesson of HIPAA from the 10th report to congress. This is a major transformative change of a complex industry. It brings home just how difficult it is to communicate and educate. What we have learned is you don’t do it once and then you are done. You have to do it intensively and continuously. I don’t think we did that as well with HIPAA. We ran around. We did all the training. Now, go for it. I just think we have to reiterate those points.

MS. MILAM: I completely agree with Justine and Paul about calling out the innovative ways we are disseminating information. The fact that there are some toolkits and products is terrific. We haven’t seen that in the past. In fact, OCR is fairly recent to the security space. Remember, they started off in privacy. What we are hearing, though, universally, is that the information is not going far enough. We need to focus on that.

We are also hearing that a specific component, the risk analysis, is not being conducted by providers of all types or plans, covered entities, probably business associates, but I don’t know – and I think this is where we need more discussion and thought. I don’t know that lack of dissemination is the issue. When you look at what is available there is information that describes the process, but no developed toolkit.

In other industries for risk assessment, you might be able to click on a portal and have the risk assessment be available online so that the organization taking the risk assessment would have the questions, could rate itself, and have a report generated. We don’t have a comparable tool for HIPAA risk analysis. I think, at least from where I sit, with my own organization, that is a road block to getting that done.

I think there are probably a variety of roadblocks, in terms of the risk analysis. I think it is so fundamental. I think it is a separate issue from dissemination. I don’t know that we are ready to talk about it. If we did, the report to Congress is probably not the place because we don’t want to surprise the Secretary.

I think we need to be careful how we shape this issue as to why some of the fundamental building blocks don’t exist. I think it is a variety of things. I know OCR was given more funding for education. That is important to congress. Is this money well spent? I think it is huge to get these new toolkits, but we need to be clear where we are getting them. We have not gotten one in the security risk analysis area.

DR. FRANCIS: So maybe that is something – if we have as an open question the comment from Rachel to us about what we might do with respect to the – oh, Rachel. One of the things this committee could take up is the wisdom of and what, perhaps, a toolkit might look like.

Thank you for coming. We are just talking about the report to congress.

DR. CARR: We are talking about highlighting your good work.

DR. TANG: First of all, is it already vetted? Will this surprise the Secretary?

MS. SEEGER: I think when I was speaking this morning it was also reactive to what I was hearing from CMS, as well as from ONC. I think that all of us are in agreement that there is more that we could – there is more that can be done to reach the industry with our message. We have developed many, many tools and continue to do so. I think a very small percentage of the industry is hearing about them.

People who are already engaged know that these tools exist. The issue is how do we get down to the more rural providers? How do we get down to providers who are serving in a more urban area without the resources and the benefit of being affiliated with an association? That is really where the rubber meets the road.

MS. GREENBERG: Can I just ask – I mean, Sallie said that there isn’t actually a tool for security risk analysis. Are you saying there really is a tool?

MS. SEEGER: Well, we have issued guidance.

MS. MILAM: I said there is guidance, but not a tool.

MS. GREENBERG: You are talking about kind of an interactive tool. It sounds like you have the pieces that you could do that. Is that something you have thought?

MR. HOLTZMAN: Perhaps I can help Rachel with the answer, here, if that would be okay. So OCR, in coordination with NIST, developed a security risk analysis tool that was issued approximately two years ago. It is an interactive, self-executing application that could be downloaded by a user. They can perform an analysis based on queries that were developed by NIST, and it is similar to what you would find in NIST’s Special Publication 800-66, which is the guide to implementing the HIPAA Security Rule.

The challenge with this particular tool is that it is very lengthy. It is very involved. We have heard feedback from smaller health care organizations that it is not as useful to them as it is, perhaps, for larger organizations. In response to that, ONC and OCR have been collaborating for approximately the past year on developing a simplified risk analysis tool that will be available on the web, free of charge, but specifically designed for small health care practitioners or small physician practices. We, hopefully, will have that tool up and available early in 2014.

MS. MILAM: Is the longer tool available now somewhere?

MR. HOLTZMAN: Yes. The HIPAA Security Risk Analysis tool, which is linked from the OCR website, is available. On the NIST website and through Maya, I will get that information disseminated to you.

MS. BERNSTEIN: This is Maya. David, could you just send me an email and I will get it to the group.

DR. FRANCIS: Paul and Raj and Ob – did somebody just join us on the phone?

MS. BERNSTEIN: Can I just ask a quick question, David? When you said early in 2014, January/February or later than that, do you think?

MR. HOLTZMAN: It is hard to put a date on it.

MS. BERNSTEIN: Only because we are shooting for a report in February.

MR. HOLTZMAN: If you were to look at it in quarters, we are in the final quarter of the development.

MS. BERNSTEIN: Okay. Thank you.

DR. FRANCIS: Paul then Raj. We have five more minutes on this topic and then we are going to move on.

DR. TANG: So the point I guess I wanted to raise is sort of a global point. At HIPAA or even before our last report, no one was using an EHR in the country, virtually. Now, 60 percent of the providers and 83 percent of the hospitals are. It is dramatically different, even from our last report. That is a difference in, one, what are the implications of people not following the security and, two, do they even know, which is why I really like the end user approach. People just don’t even know, but they would probably agree with the concept.

It is just alerting – that is what I am trying to articulate in this report – alerting people to how the world has changed and the implications on HIPAA, 1996 HIPAA, on this new world that changed in the past two years alone. How do we deal with it? Should we deal with it differently? There is definitely a new opportunity. That has to be said in this report in order for it to be useful, I think.

By the way, as far as what congress could do, they could make some of the resources available to either get the stuff created, put it in the right places, but also use the regional extension centers to get the information out in a usable way. I just see incredible opportunity in more than just another report. The world has changed dramatically.

DR. CHANDERRAJ: My problem is with the OCR handing out penalties because this risk analysis was not performed and disqualifying physicians from meaningful use incentives. Where does this take us? We are not there yet.

MS. SEEGER: OCR is enforcing HIPAA and not Meaningful Use. That is CMS’s jurisdiction. We are serious about HIPAA enforcement. The HIPAA Security Rule has been around since 2005. It is our expectation that the industry – we had plenty of time through voluntary compliance efforts for the industry to come up to speed. Director Rodriguez is very serious about HIPAA enforcement.

DR. FRANCIS: Sallie, Linda, Ob, and then Larry.

MS. MILAM: So Rachel, the link to the NIST guidance off of your Privacy and Security page, is that the tool that David is referring to?

MS. SEEGER: Yes. That is the tool.

MS. MILAM: I guess I wouldn’t call that a tool. Again, not trying to beat a dead horse, but it is not like something you can enter a rating into and have a report issued at the end.

MS. BERNSTEIN: It is a methodology, I guess, for going through your own thing.

MS. KLOSS: I want to raise a question. In the future section of the report, do we want to touch on any of the thinking that this committee has done about areas – now, because information has become suddenly so liquid and the stewardship issues beyond covered entities and business associates or is that something we just leave for another day because it is not strictly related to HIPAA?

MS. BERNSTEIN: It is not, unless you believe that – the Committee has in the past opined and recommended to the Secretary that privacy and security regulations, really, should be expanded beyond the current outlines of HIPAA. The Department has done part of that by expanding to business associates more directly. The Committee is on record as saying that it is the belief of the Committee that there needs to be a broader thing so that would not be news. In that sense, it is related. If you want to talk about the scope of HIPAA, the scope of HIPAA is a relevant topic, I would think.

MS. KLOSS: I think so, too.

MS. GREENBERG: Wait. What did we agree here?

MS. KLOSS: We talked about it in the 2011 Report. I think we need to come back and talk about the stewardship framework for use of data by communities and in other uses that go beyond the initial intent of HIPAA.

DR. FRANCIS: I think there is agreement on that.

MS. GREENBERG: The scope of HIPAA is in scope.

MS. KLOSS: Yes, but I don’t see us writing pages about it. I think it should be —

MR. SOONTHORNSIMA: A similar scope issue and this is a question I brought up this morning. I don’t know how to coin this, whether it should be in this report or not. This is the expansion of the HIPAA privacy and security provisions for the exchanges. I am not saying – I am not at all advocating one way or the other whether we should make the government a covered entity. All I am saying is shouldn’t we at least apply similar rigor, similar principles to ensure that the exchanges are following sort of similar practices, recognizing there are some problems today, in order for us to ensure that, in the future, hopefully near future, there will be confidence and trust?

MS. GREENBERG: You are talking about the health insurance exchange?

MR. SOONTHORNSIMA: I am being very specific to the health insurance exchange.

MS. GREENBERG: The health insurance exchanges, which would not be seen as business associates.

MR. SOONTHORNSIMA: Exactly right.

MS. BERNSTEIN: You mean the insurance exchanges.

MR. SOONTHORNSIMA: Insurance exchanges. That is what I meant.

MS. GREENBERG: So what are they covered by?

MS. BERNSTEIN: They are covered by the Privacy Act. They are covered by FISMA. There are security controls because CMS is covered by those rules and is required to comply with both the Privacy Act, which has security requirements, and the specific security requirements of the Federal Information Security Management Act.

MR. SOONTHORNSIMA: So are we satisfied with that? I don’t know. I don’t know the rules.

DR. CARR: Didn’t we just hear this morning that they are business associates?

MR. SOONTHORNSIMA: No. They are not.

MS. BERNSTEIN: They are not business associates. They are not covered by HIPAA. The plans, themselves, are, of course, covered. The insurance exchange is a marketplace like Part D. There are multiple arcane pieces of HIPAA that work together to get us to the place that there are not – they have to be doing a covered activity, which they are not. They have to be inside the hybrid part that is covered, which they are not.

Part D is similar. You go there to look for a Part D plan. All of the Part D plans are covered, but the shopping for it is not covered.

MR. SOONTHORNSIMA: In this case, if you really look at the insurance exchanges functions – different states have different functions to the degree that they actually perform those business processes differ. I am asking this subcommittee to opine on whether or not we should sort of include that as the future section, not necessarily what happened over the past two years.

DR. FRANCIS: I think it should be at least mentioned as outside of the scope of HIPAA. Larry had a —

DR. GREEN: Leslie, I want to go back to something I heard Paul say a little while back about this is not just another HIPAA report. The bill is 15 years old. When it was written the world was a completely different place when it comes to managing data and health care.

MS. GREENBERG: 17 years old.

DR. GREEN: I thought it was – it came out in 1994?

PARTICIPANT: 1996 when it passed.

MS. BERNSTEIN: The rule isn’t that old. The rules aren’t that old. The law is 1996.

MS. GREENBERG: The bill passed in 1996.

DR. GREEN: It is 17 years old. This committee, through all of its subcommittees for several years now, keeps noticing the huge gaps between what the law is and its implementation. 17 years may be typical. Given the size of what has happened and Paul’s example of it being written at a point where we didn’t have electronic health records, it was an imagined future to a large extent, it seems to me that in that framing of this letter as being something more than just another HIPAA report, we should call out the evolution of the goals of HIPAA.

While its aims and goals have, perhaps, not changed, getting them implemented has. There are big gaps. There are big problems. There is a need for help and attention to what is required by this law. It seems to me this could be a letter that, particularly with the implementation of the health insurance exchanges – when you just stack up all of the things that have happened now, HIPAA is inadequate. We haven’t even gotten it done, but it is not really adequate to the present that has evolved since it has been here.

I am not saying that should go in the letter. I am just making a case about – I want to underscore Paul, saying this should not just be a routine letter. We are not doing our job to know what we know and just put check marks by the things we are supposed to report and talk about.

DR. FRANCIS: Maya has one thing to say and then we have to move on. We are going to be drafting and sending this around. Everybody will have lots of chances to weigh in.

MS. BERNSTEIN: So I hear your conclusion about that. I am thinking that if the Committee agrees and feels the same way about HIPAA and wants to make that case, we can draft – or you can help us draft – we don’t want to be drafting the conclusions for the Committee as the staff. We want to be reflecting what the Committee has decided are its conclusions.

I would not feel comfortable making up conclusions, but if your conclusion and your message is that HIPAA is inadequate, you want to flesh that out some in a concluding few paragraphs, either members of the Committee, who want to talk about what they think should be in the conclusions, please send them to us and we will try to flesh that out for you. The message has to be a message of the Committee and not of the staff.

DR. FRANCIS: At that point, it is not just about the privacy section. Getting a first draft of the entire report and then thinking through what the conclusions should be is the way to go.

MS. KLOSS: We have 7 minutes, now, to talk about the 2014 plan, which we will be prepared to report. We talked earlier today. If you look down at line three, which doesn’t have a number – sorry about that – we had talked about, first of all, doing the research on the stewardship best practices for community use with a target of a report of that in third quarter, coming, presumably, to the September meeting for final approval. Backing into that, we have the research done in first quarter and have a hearing in second quarter.

Is there consensus that that is an agenda that is meaningful, important to do? I am seeing nods. Is there any dissent on that plan? Three part – research now, hearing on best practices or to respond to the straw man that we prepare from the research, and then, finally, a report based on that as a key work product for 2014. Going once? Going twice? Okay.

The second major new initiative that we put a place holder here for is really number four, which is to identify a future focused issue, maybe it is what the new HIPAA looks like. I don’t know. I think the Committee can take time in conference calls and in the next meeting to figure out what that is. Do you think we have the resources to do one more product in 2014, which was to hold a hearing and do a letter on something future focused?

DR. FRANCIS: Can I just interject that as I am now understanding three, it is informed by yesterday’s hearing on what public health – I mean, it is not stewardship just for the community data uses that were the subject of the CHIP report, but it is more generally for public health and population health uses of data.

MS. KLOSS: As long as we frame the research work to be broader because it will be whatever is the scope of that research.

DR. FRANCIS: That is of much more interest to the Secretary as a general point.

MS. KLOSS: So we will change that wording. Then what is the appetite of the Committee to try to tackle something new to push the envelope?

DR. FRANCIS: I am eager. I would also say that there are some other things that are probably on OCR’s agenda. Minimum necessary is one. Another is civil monetary penalties and sharing them with people.

MS. KLOSS: That is a third thing.

DR. FRANCIS: Well, no, just under number four, some forward looking things. There might be some interest from OCR to have this subcommittee look up one or another of those issues.

MS. KLOSS: I kind of see those as unfinished HIPAA business, which isn’t necessarily pushing the envelope. It may be that once the framework gets fleshed out, there is some work that we could do on what that stewardship layer might look like in that framework. I think it might be wise to keep for their – as a placeholder, and then confer on that in first quarter and make a decision as to what the topic is.

Does that make sense? All right. We will add one more thing here on seeing if we can be in an advisory role on some of those outstanding issues. Anything else for the good of the cause? We’re early. I think we ought to have one more topic. We don’t ever want to adjourn early.

DR. FRANCIS: We did have one more – the public health data network. I just want to make sure nobody ever talked to Denise Chrysler about calling in. Okay. Good. We are adjourned.

(Whereupon, the meeting adjourned at 5:26 P.M.)