[This Transcript is Unedited]



November 19, 2008

Radisson Hotel Reagan National Airport
2020 Jefferson Davis Highway
Washington, DC

Proceedings by:
CASET Associates, Ltd.
Fairfax, Virginia 22030
(703) 352-0091

Table of Contents


P R O C E E D I N G S (8:00 p.m.)

Call to Order, Welcome

MR. HOUSTON: Good morning, this is the Subcommittee on Privacy and Security meeting scheduled to run from 8:00 o’clock until 9:20. I think that the reason for meeting today is to discuss the future hearings and try to get some sense of really refined topics we want to talk about, as well as logistics on how we put these hearings together, and maybe put together a timeframe for trying to get something out the door as well, preliminarily.

I don’t know if we need to say anything else. I think we need to introduce ourselves. So why don’t we start that off, I can start that off. John Houston, I’m the Co-Chair of this Subcommittee, and I’m with the University of Pittsburgh Medical Center. I have no conflicts.

DR. FRANCIS: I am Leslie Francis, University of Utah, no conflicts, Co-Chair of the Committee.

DR. TANG: Paul Tang, Palo Alto Medical Foundation, member of the Committee, no conflicts.

DR. HORNBROOK: Mark Hornbrook, Kaiser Permanente Northwest, no conflicts, member of the Committee.

DR. SUAREZ: Walter Suarez, with the Institute for HIPAA/HIT Education and Research, a member of the Subcommittee, and no conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield North Carolina, member of the Subcommittee, no conflicts.

MS. BERNSTEIN: I’m Maya Bernstein, I’m the lead staff to the Subcommittee from the Office of the Assistant Secretary for Planning and Evaluation at HHS.

MR. HOUSTON: Before I introduce the room, is there people on the phone that need to also announce themselves.

MS. HORLICK: Gail Horlick of CDC, staff to the Subcommittee.

MR. HOUSTON: Good morning, Gail.

MS. MCANDREW: Sue McAndrew, Office of Civil Rights.

MR. HOUSTON: Good morning, Sue.

MS. MCANDREW: Hi, how are you guys?

MR. HOUSTON: Great, you?

MS. MCANDREW: Okay. I may have to leave you for a DRSA meeting, but we’ll see.

MR. HOUSTON: We will have to survive. Anybody else on the phone?

MS. CHAPPER: Hi, it’s Amy Chapper, Center for Medicare and Medicaid Services, staff of the Subcommittee.

MR. HOUSTON: Good morning, Amy.

MS. CHAPPER: Good morning.

MR. HOUSTON: Any anybody else? No.

MS. HORLICK: John, did you get that, this is Gail Horlick?

DR. FRANCIS: We got Gail, Sue, and Amy.

MR. HOUSTON: I’m sorry, who was it that spoke? Oh, no, Hetty’s not on yet.

Do we want to go around, do you want to introduce the room?

(Around the room introductions)

MR. HOUSTON: Great. Do we want to go through this first?

DR. FRANCIS: There should be on your desk an outline of discussion topics for the breakout session. This is, yes, it’s a little outline, this is a template that we thought we would use to consider what to do for hearings around the time we linked up to the Full Committee meeting in February.

MR. HOUSTON: By the way, for those in the room, I don’t know if people on the phone have a copy of this, but the title to this document is Outline of Discussion Topics, Subcommittee on Privacy and Security Breakout Session.

MS. BERNSTEIN: And for the staff on the phone, I don’t know if you got an email I sent a few days ago making a sort of tentative outline about what we might do for a hearing. I don’t know if everybody got that email, but we could read it as we go along.

DR. FRANCIS: The idea that we have reached for the conference call linking up to the more general question of personal health, was to focus on the kinds of privacy and security issues raised by PHRs. It is clear that what PHRs are is changing and that they are becoming an increasingly important part of the mix with respect to improving the health of people. They are also very impressive data sources. So that is where we thought we’d start.

I’ll just read the first little bit in Maya’s outline. “PHR Models, we kind of did this once already, so perhaps we don’t have to do it again, unless we want to update what we’ve done and what AHIC has done. It could include independent business provided by employer, provided by health insurer, databank repository, et cetera, or it might need to be sliced based on how the data are populated into the PHR such as by claims or PBMs or from EHRS.”

I reviewed last night, there was a 2005 hearing which had two providers of PHRs testifying, that’s what I could find.


DR. FRANCIS: Or 6. It was a couple years ago.

MR. HOUSTON: That would include the DOSIA(?) people?

DR. FRANCIS: Yes. It did not include WebMD or Google Health or some of the newer products that have appeared since then.

MR. HOUSTON: By the way, Sallie, do you want to announce yourself for the record?

MS. MILLAM: Sure, this is Sallie Millam, I am here.

DR. FRANCIS: Where you are from, the whole deal.

MR. HOUSTON: And do you have any conflicts?

MS. MILLAM: West Virginia Health Information Network in the West Virginia Healthcare Authority, I have no conflicts.

MR. HOUSTON: Thank you.

MS. MILLAM: You’re welcome.

DR. FRANCIS: Thanks, Sallie. The first question would be whether we want to hear from certain of the PHR models, what some of the different types are, what’s going on with respect to data inloads, how they are getting their data, where the data is moving in and out in those models.

MR. HOUSTON: What are the consumer rights, things of that sort, and I think.

DR. FRANCIS: Would people like to brainstorm that?

MR. HOUSTON: I guess the fundamental question is do we need as Subcommittee to get additional information to come up to date on what might be out there, I mean do we know necessarily what the landscape is today? Is it different than what we heard about two years ago, and would that be meaningful for our discussions?


DR. HORNBROOK: Thanks, Leslie. Being still relatively new –

MR. HOUSTON: You seem so far down, by the way.

DR. HORNBROOK: Actually, I want to be close to the screen. It seems to me that this Committee could be focusing narrowly on if PHRs exist what are the privacy, security, confidentiality implications, given that they exist. But I hear a flavor of, and I apologize if this is insulting, but it feels a little bit like PHRs ought to exist.

There is an advocacy concept here that PHRs ought to exist because they are inherently part of the personal health home, they are inherently part of assuring continuity of care and coordination, and if they don’t exist we will be in bad shape. I’m not sure exactly what the tone is of this discussion.

MR. HOUSTON: I think the reality is that they do exist. I think the concern that I have or a lot of us have is that especially as we move towards the NHIN and these records become more prevalent, more integrated, potentially bordering on the side of things like EHRs that might sponsored by a provider, or might be related to a health plan claims system, or it might be freestanding, is what protections do they provide today to the consumer, what privacy and security is inherent to them today.

As the industry is moving towards this idea of an integrated understanding of the patient’s medical information, both whether from a PHR or an EHR or whatever, and it be all linked, what should be in place to ensure that information is adequately protected and privacy rights are adequately maintained. So I think that’s my –

DR. FRANCIS: That’s both our take, yes.

DR. HORNBROOK: Okay, thank you. Just to help me quickly understand this, in my case where I have an EHR and a PHR integrated in the same software so that all the data that I put in talking to my doctor and my other healthcare providers goes behind the same firewall, do I have an EHR and a PHR, or do I not have a PHR?

MR. HOUSTON: That is one of the models of a PHR, it is sort of a bolt on the side of the tethered EHR PHR. That is just one of the models. I think if you look at one extreme or the other you have the freestanding privately created PHR, and it might be done like a Google or somebody, that has no linkage to an EHR. To one other extreme, which is it’s tethered to an EHR or a claim system. So you are just one of the two models, and by implication you might argue that a good argument is that realm because the EHR falls under HIPAA the data is integrated into it, I mean I would argue that there’s the same standard for the data that is PHR data that is actually within the EHR. If it is a part of the EHR it has to –

MS. BERNSTEIN: That is not legally so, but it might be a policy choice, if you could bifurcate it.

MR. HOUSTON: If it’s bifurcated, then no, but if it is part of an EHR then I would think you would have to treat it. Sorry, Walt

DR. SUAREZ: Thank you. I think we have, well, I agree, PHRs exist, PHRs are evolving, PHRs are growing. I think from a perspective of privacy and security the way I see it is in a three-prong kind of a view, one is what are the functional characteristics of a PHR with respect to privacy and security, number two what is the legal framework for privacy and security, what is the legal framework of PHRs with respect to privacy and security?

In other words what are – so who would testify about that would be the legal counsel of Google talking about what they see as the legal perspective? And there may be others. I’m just giving an example. But this is the kind of information that I’d be interested in knowing. What today, as legal counsel perceives or believes, is the legal framework for PHRs at this point?

And the third one is the regulatory framework. So first one is functional framework, the second one is legal framework, third one is the regulatory framework. The regulatory framework there is different elements there, one is the federal regulation that might touch into it, state laws that are beginning to come out and beginning to give some framework around this.

I think if we’re focusing, and I agree with Mark, I think the focus of this is PHRs on privacy and security. So let’s try to develop a framework around how we’re going to attempt it.

DR. FRANCIS: Okay. You, too, have actually sketched out one, two, and three, in slightly different ways on this sheet of paper. What are the models, how are they evolving, and that would be the functionality question, I take it, different privacy policies for PHRs, what are their announced policies today. And then we actually had legal and regulatory together, what are the legal and regulatory frameworks, are there some ones evolving in more private sectors, only the public sector, and so on.

If that seems like the framework that people want, then we should talk through who we would like to hear from.

MR. HOUSTON: The question though really is though, obviously what are the different models and where they are going is sort of a background question so we can help understand fully what the PHR space is. Ultimately, I think from my perspective I guess knowing what the policies are and the legal framework today is helpful, but I think really the question then becomes is the current legal framework, regulatory framework, is it adequate. What really needs to be in place to ensure that there are adequate privacy and security protections in place for a PHR. Maybe I’m just stating the obvious, but I think that’s what we really need to get to, because I think the assumption is that there really isn’t a good regulatory framework in place for PHRs, and as a result what you end up with I think is an across the board different policies regarding how information can be used and security that might be in place, and the like.

DR. FRANCIS: That raises, actually just if I could interject, the last of the questions that we had been thinking about preliminarily, which is what are the kinds of privacy issues that had been raised about these, what’s been the experience both of the vendors and the consumers, and what are the concerns. Because if we don’t hear about what the concerns are, that’s crucial, but trying to think through –

DR. HORNBROOK: That’s the point I wanted to raise. When you said consumers, you don’t see consumers as number 4. I would like to see if we could have a consumer advocacy or a consumer with a bad story, a good story, or at least concerns from a policy perspective about how they can use and what their risks are the more they use these.

MR. HOUSTON: I think it would be helpful. I’m a firm believer that in an area where PHRs are of most value and probably of most use is in chronic care, when you have something that’s diabetes and they are trying to manage your diabetes. I think that’s really where the PHR space has the most value, from my perspective. And it might be good to hear from a consumer as to who has chronic conditions or an advocacy group who has chronic conditions, to talk about those needs.

I think Paul had his hand up, then Sallie, then okay, we’ll let Harry talk, too.

DR. TANG: A couple of things that have happened since the last hearing. One that Mark will put out a very comprehensive review of personal health information exchanged throughout the network, to CCHIT, at least had a draft, and I don’t know whether the final is out, certification for PHRs and their privacy and security policies and practices. Those would be things to look at.

Then one of the enforcement mechanisms that people have been relying on is the FTC, so it would be interesting to hear from them about their jurisdiction, as well as the enforcement resources they might have.

Another resource might be I know DOSIA legal counsel for privacy would give us a whole lot of information about just how they have been thinking of it both in the consumer point of view, as well as from the operator side. I think there’s new information that we haven’t heard before more detailed information that can help us.

MS. MILLAM: Just going to the models, over breakfast Blackford and I were talking about a number of things, and he told me about a new study, a value proposition that they just put out all about personal health records, looking at the different models, the way that they are established through benefits, and where the benefits go, and also depending on where the data comes from. That might be some real good information if we want to explore more modeling.

MR. HOUSTON: You said that’s been released?

MS. MILLAM: It has been released. He said it’s on his website, Blackford Middleton.

DR. FRANCIS: If we were going to structure a day and a half hearing, one side or the other of the meeting is February of the Full Committee. If we were going to start out with the models we obviously want to look at Blackford’s. Who else, suggestions from people, or we can try to work that out?

MR. HOUSTON: If we get the documents from Blackford I think that might be good, I mean obviously the question then is do we need to really have more background on that if it’s complete.

MR. REYNOLDS: John, can I ask one question before you start framing this?


MR. REYNOLDS: I have questions. We had talked for a while about making sure that we always went back to our main letter that we produced, and there are still some items in there that I don’t think anybody’s touching. I’ll throw sensitive data out as number one.

DR. FRANCIS: You’re talking about the June 2006 letter?

MR. REYNOLDS: That’s correct. We built a framework then, we put some things together. So if we’re going to walk away from it, then let’s walk away from it. But I think that’s one that sits out there, because as you look at every PHR people get to pick what they aren’t going to send, are going to send, and I think we heard clearly from doctors, we heard clearly from others, that that in itself has a structure. Let’s forget models. That in itself has a base structure, dramatically decides the success or failure of these things. Because remember you have PHRs for the person, but if doctors and others aren’t going to use it because nobody knows what’s in it or what’s being held or not being held.

So that is one subject that we have not walked away from then because we were afraid of it.

MR. HOUSTON: Restate that one more time? Exactly what would you?

MR. REYNOLDS: We had even mentioned categories of sensitive data.


MR. REYNOLDS: Okay. And now we left it there, and as we say they’re continued, so let’s say there’s four models, all four models are going to have sensitive data, and there is nobody, I haven’t seen a single word from anybody in the industry dealing with that other than the way they deal with it is that they say I will let the patient decide.

MS. BERNSTEIN: Am I remembering incorrectly, at the last hearing we had the guy from South Carolina was talking, he’s one of the attorneys. Right. And he had, I mean there were some, it wasn’t the latest –

MR. REYNOLDS: What I’m saying is –

[Simultaneous comments.)

MR. REYNOLDS: They decided the categories. So when you’re talking about how you’re going to deal with all the people in the United States, so whatever PHR they use then somebody is going to explain those categories to them, and then that category is going need to be explained to Paul every time he gets a different patient in, he’s going to get a definition of what the sensitive data they – I’m telling you this is not being dealt with. And I don’t care if we do it or not, but –

DR. SUAREZ: But that’s a bigger issue.

MR. REYNOLDS: Right, but we put it in the letter, and we have talked about always kind of going back and forth. So I don’t mind if we close it, but I’m just saying the next thing I’d like to mention is the whole idea of privacy, and I’ll be anxious to see what CCHIT did, because we both in secondary uses and in the privacy hearings we heard an awful lot about the fact that everything that’s being written to the consumer is at a 13th grade level, and we got more and more about 70 percent of the population understands it at about the 5th or 6th grade level.

So, yes, it’s not the privacy notice, that’s HIPAA, but what accompanies all these PHRs and what does it do? So I think that’s significant.

Maya, if you don’t agree with me. Okay. But body language is not good.

So the next thing –

MS. BERNSTEIN: Sorry. I think there will be more to say about that issue in February.

MR. REYNOLDS: But then I would say one other thing. Let me get my topics out.

The last one is education. We talked and felt that there should be an education component somewhere along the way starting to educate the general public, starting to educate people on what this really is.

You know, Blackford’s value thing might be a great place to start, because most of the time all the discussion is here is a vendor with this or here is somebody that was this. It’s not educating the people on why it might be. Because, John, I agree just a little bit with your perception of PHRs, where you said that it’s just for the chronically ill. I would say there is a generation coming up now, and I’m hiring a lot of them, that want everything they have online about everything, and are willing to do different things with it.

So I think from the vision standpoint from the Committee I want to make sure that we also look four or five years as to who might be the players. So that’s all I’m saying.

MR. HOUSTON: By the way, that’s a great point. I’m not saying it is only for the chronically ill, I just think that that seems to be where the most use is today.

MR. REYNOLDS: Well, people will adopt it, that’s called adoption now. But I want to make sure that this Committee considers adoption like our 21st Century thing. We consider adoption and other things later on and where this is going, not just where it is or who could use it now or what the value is now, let’s go to the light.

DR. FRANCIS: Harry, could I just interject quickly on that sensitive information point? One of the things that we were also contemplating as part of this, was to have the Medicare demonstration projects, the South Carolina one and the Utah Arizona one, as something like case studies, and a place where we might be able to look to see the adequacy. One of the reasons we were interested in doing that is that there is the South Carolina one has some built in using the SNOMED categorizations, some built in functionality for sensitive information. The CCHIT proposal also has something in it, as I recall, about sensitive information.

So one way to get a handle on, I mean I felt we almost hit an impasse, we were trying to push sensitive information categories and there was a lot of pushback. One way to try to break through that impasse is to see whether there are some models out there that look like they might be possible ones in this space. So we weren’t dropping that issue, we were going to think about doing that.

MR. REYNOLDS: You couldn’t find it in the write-up, that’s where I’m going. I’m looking through the write-up and I’m just making sure when we go back to the things, nobody else has tended to deal with some of these and I just want to make sure that when we walk away from something that means that it’s a pretty significant issue and I don’t want to go back.

MS. BERNSTEIN: That’s just a – I think, though, it’s doing the right thing.

MS. MILLAM: I think an interesting interplay of what Harry just laid on the table does impact the models directly, and it goes to the use of the PHR. If it is tethered to the physician’s EHR, the hospital’s, it has a different use than a PHR that is supported by exchange. And when you have a PHR that is supported by an exchange in an area, the physician isn’t really going to be really going to the PHR, the physician is going to be going to the data that is either pushed to them in their EMR or to the portal that they have.

So it really comes down to the issue of how that data is going to be used. I know at least in our exchange in West Virginia, our physicians would have huge issues with being given access to data and then having a lot of the data withheld or not know what’s withheld. So it’s a discussion that we’re having. Now if the PHR is only for the patient’s use, that’s something different.

But it’s a real community dialogue, and it is a complicated privacy discussion to balance the provider’s needs with the individual’s needs, and I think that’s inherent in the value proposition of each of these models. It seems to me that we could break out these different discussions with the different kinds of privacy implications that are inherent with the different approaches.

DR. FRANCIS: Walter and then Mark.

DR. SUAREZ: I just thought of maybe a way to address all these various elements is the following. We know that there are at least five different models right now. One is vendor driver, one is provider driver, one is payer driven, one is employer driven, and one is public program driven, meaning maybe Medicare and Medicaid out there and others, and that could be lumped into the payer driven, if you will.

So we have those models, and we have a bunch of questions in an area that we want to ask them. We want to ask them who benefits, what’s the value, what are the legal framework, what are the regulatory framework that they see or believe, what is the sensitive data issues, and what are the ways that they can do it or have been planning to do it, what are the location needs that they see?

Potentially what we could do is create a day and a half hearing that focuses on those five or four groups, and ask them those seven questions, or eight questions, whatever, topics. Then say we have four or five vendors that are providing EHRs or PHRs, then ask them questions about who benefits and what the sensitive data issue and the legal framework and all those questions. We can even have at the end maybe a special session of regulatory frameworks, or whatever, and have maybe also a separate one for consumers that I think Mark was alluding to, just a separate or specific one.

But I think that’s a way to address as many issues as we can within as many models that we have, and then again separately handle the consumer aspect of it by bringing a group of consumers to provide a perspective.

MR. REYNOLDS: Will you list those again?

DR. SUAREZ: Vendor is one, so a group of vendors, providers, so a group of providers offering PHRs, payers, a group of payers offering PHRs, employers, Walmart and others offering PHRs, and I said probably programs, public programs like Medicare, Medicaid, usually they are lumped into health plan arena, but you can have a separate one there if you wanted, and then a separate one for consumers.

MR. HOUSTON: I think to what you said and what Harry said previously, I think it does sort of provoke some thinking on my behalf, which is should we necessarily think about the models that exist today, or to Harry’s point regarding what is going to exist down the road, he said who are the consumers going to be that use PHRs in five years or ten years. I guess the question is sort of if you look into the crystal ball and see where healthcare IT is going, will the PHR models that we see today be archaic in five years? Will they evolved into a totally different model that is maybe in some ways less focused on those five categories and more focused on individual needs of the consumer?

And what I mean by that, is if we figure the grand scheme of things I would hope in ten years time what we have is throughout the United States a fully integrated medical record where no matter where you are at, where you receive services, that information is available as necessary for purposes of treatment, and do we have this infrastructure to support that. The question is how does a PHR necessarily evolve to work in that space, because it very well may be if you take that ten year vision and say, okay, is a provider PHR archaic because now it’s both into the NHIN so the PHRs are all freestanding to some degree. Maybe we need to get a sense as to where is a PHR space reasonably going to evolve to over the next five to ten years, and what are the models going to be. They may be the same as you described, but they may be dramatically different. Should we be looking at a privacy and security framework that supports where PHRs naturally evolve to, and is that something that’s more appropriate? I don’t know.

DR. SUAREZ: That might be a question for each of these.

DR. FRANCIS: It seems to me that part of the question to push that is if we say things about what privacy and security capacities ought to be built in based on what we know either is or isn’t, that pushes the evolution.

Anyway, Mark?

DR. HORNBROOK: I’ll try a slightly different conceptual framework one you and see. Things like PHRs can be looked at from acute and chronic perspectives regarding health problems. From the public health perspective, acute demands of a PHR would be the ability to know that when you have something really bad happen to you and you are thrown into the ER somebody can open up your chart and know your allergies, know your meds, know your medical history, because you’re not conscious to answer it. So you are getting higher quality healthcare, and you may avoid some kinds of severe allergic reactions and other kinds of bad things.

MR. HOUSTON: Mark, Paul has to leave. Can you just –

DR. HORNBROOK: Go ahead.

DR. TANG: I have to go to the next. So maybe one contract to put together similar to what Walter said and Sallie, or maybe it was Harry, or no, it was you, John, in the sense of not getting tethered to what we have now, and instead focus on the data that may be in these places and what matters. So what kind of data is there, and who is operating the PHR, because that determines if it’s covered versus not covered, etcetera, and then the protections available.

You can think about it legislative, regulatory, and contracting. And you probably can get testimony from regulatory, let’s say FTC, legislation you could have somebody report on, and I could do a reference to that to bills and the different approaches they’ve taken in statutes. Then the contracting, that’s more the DOSIA kind of thing.

That may be a way to look at the broad concepts instead of focusing on the here and now.

DR. HORNBROOK: That’s a good comment, Paul. I was just thinking of option demand being a personal demand which somebody would be willing to pay for in the private market, to know that their medical record would be out there to help them in case they get into trouble in some strange place and they’ve got something that gives access to the emergency provider to their medical history.

From a public health perspective having your population with that coverage would save a certain amount of healthcare resources that could be preventable had the provider had full disclosure of the patient’s health history and conditions when they arrived at this acute emergency sense.

From a private perspective in terms of looking at the future, you have all the domains of personal health management from simply reminding you when your next visit is for somebody, to documenting the things, your immunizations and the things you need documented to get your life insurance or to get into school for your children or whatever, your prevention and your screening services reminder, and then reminders escalate, your medications.

You can get even broader and think about interactive biosensors somewhere in your clothes or your body that start programming you for exercise and for nutrition and falls, so all of a sudden your PHR becomes a wearable medical intervention system. That data of course tells everybody where you are and what you’re doing, then you get into civil rights issues if you’re in a place where you shouldn’t be.

DR. FRANCIS: Which is pretty scary.

DR. HORNBROOK: Right. So I’m just saying think about futures, you know, take it out there. If you have a very frail parent and you’re 3,000 miles away you want to know when they fall, you want to have a system so when they fall they don’t sit there for 30 days until somebody discovers their rotting body, you want them to get emergency services. Why can’t we provide that service? Well, there are ways of doing it now.

There are civil rights issues and privacy issues involved in systems we already have going now for the frail elderly.

DR. FRANCIS: I’m trying to figure out, we have a half an hour, and we have all these amazing ideas, and how to actually structure something. It seems to me that the questions that if we think about the types of vendors, if we think about the types of data, and if we think about the questions that we want to ask those vendors, we ought to also talk about who.

MS. BERNSTEIN: Before we get into this can I just talk a little bit just practically about what we can actually fit in. We are talking about a one day hearing right now, we could have more than one day at some other time, but we’re talking about a one day hearing on February 24th, which is the day before the Full Committee hearing in February. A one day hearing, because otherwise it’s on Wednesday and Thursday, and otherwise it’s Friday and people want to get home for the weekend, people don’t like to stay to the end of the day on Friday. But we will get a full day, you could travel on Monday, you get a full day on Tuesday for this hearing, and Wednesday and Thursday would be the Full Committee hearing.

On a one day hearing you can get either a three or four panels in, like two in the morning, and one in the afternoon if you want to have time for the subcommittee to talk, and four doesn’t leave a lot of time for the subcommittee to talk but you get more information. On a panel pretty much you can get three people, maybe four if you really squeeze, but that gets to be crowded and doesn’t give people a lot of time to talk. So just thinking about how much you can actually cover in one hearing, keep in mind like there’s a manageability kind of thing.

DR. FRANCIS: Can we also ask for written materials from people who don’t come?

MS. BERNSTEIN: Absolutely. We can all take written materials, we could take materials in advance so we don’t even have to cover what is the model of this PHR, we could just ask people to submit a description and have read it in advance. We could skip the oral testimony completely and just ask questions.

MR. HOUSTON: That’s where I think we waste the most time is the oral testimony. Sometimes you really hear interesting things and it’s great, but often it’s there’s this regurgitation of the stuff you already know or the background that doesn’t matter. To me I think the most interesting information comes from the dialogue, I’ve always found that, and if there’s a way to streamline so we have more dialogue time the better.

I would also say that if this is going to be part of the regular committee meeting we will have time to have some discussion. We are going to have a privacy breakout as part of that. I think I would be inclined to go for more panels knowing that we have time to discuss, otherwise we can do a conference call if necessary to discuss what we heard rather than spending time, because one day is not a lot of time. And we have to be very strategic.

DR. SUAREZ: Right. We can talk the next morning early before the NCVHS meeting for at least an hour, don’t we? I mean that’s what we are doing today. If we do it Tuesday, then Wednesday the first day of NCVHS full meeting we can meet from 8:00 to 9:00.

MR. HOUSTON: We’re already here, so it’s not like we have to meet.

DR. SUAREZ: If we wanted to.

MS. BERNSTEIN: Yes, we usually already have time scheduled either on the afternoon of the first day or on the morning of the second day, we could do it on the morning of the first day instead.

MR. REYNOLDS: Well, no, he’s saying an additional.

MS. BERNSTEIN: Oh, okay.

DR. FRANCIS: If we were going to have four panels.

MR. HOUSTON: Harry, did you want to say something? Harry had his hand up.

MR. REYNOLDS: There’s a lot of work being done, the problem is grouping it up so we know it. I didn’t know CCHIT has done.

DR. SUAREZ: Let me clarify, CCHIT in July, they issued a report, very slim, very focused, and they haven’t done anything else.

MR. REYNOLDS: No, but what I’m saying is as part of this making sure we get the right readings, so that it puts us in the current context. For example, we have some of our work where we have letters out and we have some other things, we have our contacts, and there are others doing things around it, everybody’s doing something. So making sure we have those readings, plus the readings from whoever we’re going to have come in and talk to us gets us up to date, then your discussion starts from today, it’s not spent the whole time catching up, then we wished we could have asked other questions now that I’ve caught up. That is what we do a lot of times with testimony is we catch up.

So if we can catch up, using the example from yesterday, where somebody made the statement that in one of the vendors that was mentioned of the PHR as long as you’re within your PHR it’s okay, but the minute you click out they’re tracking your key strokes, they’re tracking what you picked. Now I don’t know about you guys, but that’s a different – you just entered a different land. For example, I would love to see back to somebody mentioned some lawyer coming in, I’d love to hear how they explain that to people.

DR. FRANCIS: That’s one of the big issues.

MR. REYNOLDS: Remember, we talked about education and talking to people at their level. That is what worries me far more, because the technology, the scariest part of technology, and I work with it everyday, is that once it’s there, man, it can jump, it can make stuff happen.

MS. BERNSTEIN: Harry, how far in advance do you want the materials prepared?

DR. FRANCIS: I want to follow up on that point very quickly, because I was the one who made that observation, and actually that question there’s several privacy advocacy groups of privacy information something or other, I forget the name of the group.

MS. BERNSTEIN: The Center for Democracy and Technology.

DR. FRANCIS: It wasn’t the Center for Democracy and Technology, it was a privacy advocacy group who raised those very questions about the flu knowledge, the prediction of flu.

So I think, Harry, we would get at that question of concerns if we hand some consumer advocacy groups.

MR. REYNOLDS: If they know that it’s going on. That’s the hardest thing, catching everybody up. I could ask you questions about tomorrow, it’s hard to get up to today.

DR. SUAREZ: Can’t we do some of this before? For example, CCHIT, I mean we could have a conference call and have someone tell us what’s going on. And CCHIT, by the way, is doing many looking at doing the full spectrum of PHR certification, not just certifying elements of privacy and security. So we could have them tell us during a conference call what is it that they’re doing, rather than spend time on it.

DR. FRANCIS: Their document is online. There was a comment period, and the comment period closed I don’t know, maybe a month ago, something like that. We could learn from them what – and I don’t think they would – I mean I’ve been told that we couldn’t get the comments, but we could learn from them perhaps whatever some of the comments have been. We have actually gone through before this we have this briefing book that Maya put together which is that huge book, the electronic versions got sent around, includes all kinds of information about what’s been going on like this kind of thing, that we used as the basis for preparing these questions and discussion.

MS. BERNSTEIN: There might also be an issue with taking – I’m not sure if it affects the subcommittee, but because we’re FACA covered entities there might be an issue of taking testimony over the phone and something is not a public meeting we can sort of arrange that for people to call in, but there might be some complications to that, and I’m not the expert on FACA, but do have to be aware that we’re trying to be as public as we can. If we get written testimony certainly it could be part of the record and made online and so forth. We did a phone call that brings some issues, but it probably can be worked out.

DR. FRANCIS: We’d probably have to have a transcript of the phone call online.

MS. BERNSTEIN: It’s not clear to me whether the subcommittee itself, as they actually can’t make any decisions on behalf of the Committee, is actually covered by FACA in the same way, but we would like to behave as though we are, and we would like to be as public as we can.

DR. FRANCIS: All the hearing transcripts are online.

MS. BERNSTEIN: Yes, they are.

DR. SUAREZ: It seems to me that we want to ask a series of questions to a group of people, that’s ultimately the goal of the hearing. It seems that we have identified the areas, the topics of the questions. I mean, you know, there are seven or eight that have floated around. I think the question then becomes who do we ask those questions to.

MR. HOUSTON: Can we do the Paul Tang chunking or the lumping or whatever?

DR. FRANCIS: Lumping and splitting.

MR. HOUSTON: The lumping and splitting. We know we have time for four panels, so maybe if we work from the perspective of what are those, and who needs to be in those, and how do we break up the four panels logically, and then from there get back to how we want to pick questions.

DR. FRANCIS: I think one needs to be regulatory frameworks, so it needs to be things like the FTC. Actually I would put CCHIT in that certification processes. And then the question of what state law frameworks look like, and what HIPAA looks like. Those are the huge, and I don’t know who we’d ask on that or whether a background paper on what state law is doing would make more sense rather than –

MS. BERNSTEIN: I think it’s important to think about what can we not get on paper in advance, and who do we want in the room to talk to. So if it’s helpful to get them in the room and talk to them.

DR. FRANCIS: We probably want somebody from the FDC in the room.

MR. HOUSTON: Right. Back to you had spoken about HIPAA and state law. Sue McAndrew, are you still on the phone?


MR. HOUSTON: I’m not sure, do you have any thoughts on from a regulatory perspective whether there is any value or it would make any sense to try to have somebody speak to some of the regulatory if there are any I guess on a PHR side, which I don’t necessarily think there are. But can you think of if there’s somebody or if there’s meaning to doing that?

MS. MCANDREW: From HIPAA or from a broader regulatory perspective?

MR. HOUSTON: Probably broader, because I don’t think HIPAA, unless the data is actually contained within an HER, that HIPAA would ever fly with PHR at least as it is today.

MS. MCANDREW: PHR to the extent it’s offered by or done under the auspices of a covered entity. But in terms of other regulatory framework, I think really right now it is FTC that is in the mix. I have not heard much about anything at this state level in establishing a true regulatory framework for the products. The only thing that might be similar to the FTC is any flow-over from their general consumer protection.

MR. HOUSTON: Like the Attorney General’s Office, or something like that?

MS. MCANDREW: Even in the statutory framework that were on the Hill last year, they were really looking to HIPAA at the FTC and with regards to some notification, perhaps some state attorney general enforcement abilities.

DR. FRANCIS: So that would be the FTC.

MS. MILLAM: Well, and when we think about the logic model that we saw yesterday for who participates in the NHIN, we see that there’s a personal health record as a stand-alone. So they are not a bunch or an exchange or a covered entity. So it would be interesting to understand – and I know that the different organizations participating in NIHN have worked through what’s called the DURSA, the Durable Uniform Reciprocal Support Agreement. There is anticipated to be a governing authority. I think it would be good to see where ONC or AHIC 2 sees this going in terms of a privacy framework for those independent PHRs that have no contractual or other regulatory oversight other than FTC.

MR. HOUSTON: That would actually fill out a panel. I think from a regulatory perspective if you had somebody from CCHIT and FTC and ONC too, if you had the three of those, I think that would.

DR. FRANCIS: Yes, and as background to that we should also make sure we know if there is anything of interest going on at the state level and if there’s any besides that.

MS. MILLAM: Can you say which ones those are again, John? FTC?

MR. HOUSTON: CCHIT, ONC/AHIC 2, I guess it depends on how you want to slice and dice it.

DR. SUAREZ: I would not go CCHIT regulatory, but I would go –

MR. HOUSTON: This regulatory, I think we were sort of taking a liberty calling it regulatory. I think this is sort of it’s either regulatory or you have something, it’s sort of like JCAHCO, I mean JCAHCO is not a regulatory body but it has a lot of impact on how people decide to do their business.

DR. SUAREZ: We can call it regulatory certification.

MR. HOUSTON: That would be fine.

DR. SUAREZ: But the other comment I wanted to make is state laws and the state, at least some of the ones I’m working with, are not really looking to creating state laws to specifically address and focus on PHR, in the sense of they don’t have PHR laws either. What they have is laws that focus on medical records, and whether the medical record resides on a paper, in a clinic, or a set of files in an electronic form and an electronic record, or a databank in a PHR, that’s what is being looked into as potentially becoming another subject.

MR. HOUSTON: A bunch of that though is I suspect there is some activity or potentially a would-be activity out of a state attorney general’s office regarding issues associated with some type of inappropriate business practice or like that, it’s probably where it would come from.

DR. SUAREZ: I know people who would be able to talk from the state perspective.

MR. HOUSTON: The question is as we’re moving forward, though, and we need to actually jump to the next panel, but I think the point being is that you had an appropriate federal framework or some overarching framework would the states necessarily feel compelled or want to get involved in something.

DR. SUAREZ: Well, privacy is exactly that, we have a federal basis for that or floor.

MR. HOUSTON: That federal floor always contemplated certain –

DR. SUAREZ: Let the states talk about it.

DR. FRANCIS: Well, states can do more now under HIPAA. The question for me would be not what the states necessarily want to do, or whatever, but are there any innovative models out there that states have been trying that could be informative.

MR. HOUSTON: We need to sort of move to the next panel.

MR. REYNOLDS: One quick addition. For any of this that we do as we’re building it, let’s at least asterisk or whatever anything that we think also speeds up to help person centered health, just as another filter, because that’s really where we’re all going as a group. Not that we have to use that as the sole focus. Just make sure we asterisk it so we can make sure that those pieces are brought forward to the whole group as anybody doing anything. Because remember the circle yesterday where we are continuously learning, so we find something we want part of person centered health it has to be thought of that way then let’s interject it that way.

DR. FRANCIS: I think in some ways we picked this topic because we saw it as central to exactly that question.

MR. REYNOLDS: No, that’s perfect, but highlighting that shows what we want everybody to keep an eye on.

MS. FRANCIS: So next panel, okay. Mark had a comment

DR. HORNBROOK: In thinking about this, do you think consumers understand that if they get into alternative medicine services there’s a boundary where their information isn’t covered by HIPAA?

DR. FRANCIS: No, and we had hearings on the question of the limitations of HIPAA and all the kinds of things that are not covered by HIPAA.

MR. HOUSTON: That is probably in my mind the overarching issue of all of this, that there aren’t good PHR protections in place today. It is in my mind sort of the wild west, and consumers either don’t know that.

DR. FRANCIS: So I think we should consider having a panel that is about what consumers do and do not know, what concerns, what trust issues are on the side of consumers, and folks that I would be most interested in hearing from there include the Center for Democracy and Technology.

DR. HORNBROOK: What about Consumer Reports, AARP?

DR. FRANCIS: Yes, and then some of the privacy advocacy groups that have been raising some of these kinds of questions.

DR. SUAREZ: I agree. I wish we could start and step back and say what are the four panels, and then getting to the question. So far we have one, which is regulatory, and we have a second one that we’re thinking about consumers. Before we get into the question about consumers, let’s think about what are the other two, perhaps we don’t have to do it in here, but then we can send some of the questions we would ask and some of the suggestions.

DR. FRANCIS: Let me give you two other suggestions. One would be to get some of the primary types of vendors from the different – I like your – the primary types from the vendor like the sale type, the provider type, the payer, the employer, and ask them specifically questions about what is their data functionality, what are the privacy and security issues that have been raised for them, and what are their privacy and security practices. That would be a panel.

And then I actually wanted a panel about the Medicare demonstration project, that was going to be my fourth.

MR. HOUSTON: As I look at that I think I would call the vendor the vendor landscape, and I think the key question that I would think is that where are these things going. I’m very taken by what Harry had said earlier, and then by extension where is it today, is it not as important as where it’s going to be in five or ten years.

MS. BERNSTEIN: How would you recommend getting at that question? Who would you talk to? What would you talk about?

MR. HOUSTON: Well, we could look at the major players here, and I think that you have to –

DR. SUAREZ: Google were saying they want to.

MR. HOUSTON: Well, Google, you may be surprised.

MS. MILLAM: Talk to Blackford. He has a paper on the value proposition as they are today, and he has Google and also Exchange. I don’t know whether Exchange is supporting personal health records now, but I think Blackford could help with seeing where it’s going.

MR. HOUSTON: The question is do we go to Blackford as a member of the Committee here and just talk to him informally, or do we actually ask him to testify?

DR. HORNBROOK: Yes and yes. I think there’s an interesting issue here, and that is that the whole field of telemedicine and modern technologies for remote sensing are going to merge into PHRs.

MR. HOUSTON: But at what point are they a PHR and at what point are they an extension of the EHR?

DR. HORNBROOK: Exactly. That’s the kind of discussion I think you may want to think about if not for this one then a future.

MR. HOUSTON: That’s what I’m talking about, where is it going to be in five to ten years, the idea of the medical home, chronic disease management in the home, and what information. You look at whether it be monitoring glucose levels of a diabetic monitoring a pacemaker, it is amazing what’s done out of the home today and what is –

DR. HORNBROOK: Right, I mean those are both examples of things that your medical home is on your body, because we’ll have the electronics implanted in you and have a centralized station somewhere. Or we will have genetic therapy that cures the disease to start with.

MR. HOUSTON: Whatever it is, whatever the state of things is, those are things that absolutely have to get integrated into this discussion. That is why I think it is almost the background question is where are they going to be in five to ten years.

DR. HORNBROOK: Well, do you want us to see if we can find a futurist?

DR. FRANCIS: New forms of data flow into and out of PHRs. Do we know somebody who would be – maybe we ought to ask, you know, it seems to me that we should be asking Blackford to help us as a Committee person rather than as a testifier, so we could ask him who are the visionaries.

MR. HOUSTON: Can I suggest this? What we will do is today Leslie and I will try to talk to Blackford with the idea that what we may be able to do is set up a conference call with the subcommittee to talk to Blackford and get his input specifically on this type of field of inquiry. And then from there we can decide how we flesh out this I’ll call the vendor landscape panel. I think that probably has to be one of the first panels.

DR. FRANCIS: That has to be the first panel.

DR. SUAREZ: I wouldn’t call it necessarily vendor landscape, because (?) is not a vendor and they offer PHRs. Do we want to hear –

DR. FRANCIS: PHR landscape.

DR. SUAREZ: – models which is really the different – PHR landscape, exactly, that involves all the different offers of –

DR. FRANCIS: And what we want to know is what types of data are flowing, how are the data flowing, you know, who controls it and so on.

The who benefits question is only insofar as it drives the privacy and security question. So we want to know what the privacy practices are, we want to know if who benefits is effecting the privacy and security question.

MR. HOUSTON: Mark, you wanted to say something?

DR. HORNBROOK: I just want to remind us that there is also a lot of stuff going on in long term care around electronic monitoring and civil rights of people who are in nursing homes or assisted living, or living in the community and putting computers in their home, computer monitoring equipment for safety and for medical management. Some of these models are quite advanced, so there are electronic nursing homes now where they will put an RFID badge on every patient so they know where they are on the premises.

MR. HOUSTON: But the question, let me ask you, those are interesting questions and I think this all comes down to we’re talking about PHRs here, the morphing aspect of this is really what concerns me because so much you can argue that there is a personal component of if you are in your home and the information collected in your home is that part of a PHR or if the primary purpose is for it to be linked into an EHR for the direct linear purpose of a provider doing something actively managing your condition.

DR. SUAREZ: There is a whole industry called “remote monitoring” which is basically this telemedicine and remote monitoring.

MR. HOUSTON: Is that EHR, and these are very broad categories, is it PHR or EHR, and how does it all come together.

MS. MILLAM: I think what you’re talking about is getting somebody from the Health 2.0 community, and I know they had a conference like three weeks ago, a colleague participated, and I’d be happy to follow-up and find. The whole group is they’re all futurists, and they’re all looking at where we’re going through the use of the PHR. I can follow-up and get a name or get a few.

MR. HOUSTON: That would be great. I guess this all comes back in my mind as what this whole dilemma is at what does a PHR end and an EHR begin, and how does this all come together, and at what point when do they morph together or they merge together they’re going to say you know something all of a sudden HIPAA does apply, and all of a sudden state law does apply. And where something today is very clear, oh that PHR doesn’t fall under state law, it doesn’t fall under HIPAA, all of a sudden it’s going to merge to the point where people are going to say yep. In my opinion some smart attorney is going to say it does apply.

MS. FRANCIS: I just want to say we have five minutes.

MR. REYNOLDS: What’s interesting as you listen to this, play off of Mark’s comments and others, there are a lot of people spending a lot of time on today and the near term. You just take some of the big companies that are doing it, and some of the other players. So we are not going to catch them right now, we’re not going to catch-up. But this whole idea of where it is going, the futuristic, looking at that has a real sense, and especially if you go back to this whole idea of person centered health, your comment is person centered, most of the stuff we’re hearing.

So I think this idea of us making sure we stay far enough out ahead, especially when we got one or two or three hearings a year. You’re not going to run down Google, you’re not going to run down Microsoft, you’re not going to run down all the things that are going on, but is anybody drawing the overall picture? I think that’s what we did with our original letter under Mark’s tutelage where he really pushed us into being kind of – and then that letter was used as a model by other people to kind of think about, and if we can do that again.

MR. HOUSTON: Going with the idea of the futurist and getting Blackford and other people to say here’s where it’s going where things are going to merge and combine.

MR. REYNOLDS: Then we can say here are the next set of questions, and oh by the way, all you people that got all the resources and time and effort and money.

MR. HOUSTON: The question of what is the fourth panel, if we need a fourth panel.

DR. FRANCIS: I thought the fourth panel should be the Medicare demonstration projects, because that’s something that could be used as a case study. It raises the sensitive information question, because I mean we could focus in on that because that’s actually been out there in what’s happening in South Carolina, and we could use that as a case study of something that is in our backyard.

If we did, I don’t know how people think about this, but if we did a panel that we could call the evolving PHR landscape, a panel that we called the regulatory framework has been – yes, regulatory certification, the third one, consumers, and the fourth one an actual case study.

DR. SUAREZ: I would expand that. I agree, I think having a couple of large scale implementations would be helpful. I would not focus that just on CMS, a demonstration, I would actually try to expand it to bring at least one more if not two more.

MR. HOUSTON: I think what we need to do, to Harry’s point and maybe to my point, which is if we’re going to get them in the room, I understand that they’re looking very closely at what is right in front of them, but we need to get some idea of if they have a crystal ball where they think they’re going, they got to have roadmaps to go out in a year or two.

MS. MILLAM: HHS pilots, because I know Medicaid transformation has a few PHR pilots too, and HHS I would imagine would have some overarching deliverables and objectives. And it would be interesting to see if they have some sort of coordinated evaluation component that they’re leveraging with all of their PHR pilots.

DR. FRANCIS: Could I make a suggestion? We are coming up on right at the end of this, our timeframe, and we’re also coming up on Thanksgiving, and if Maya is going to plan a hearing it has to be done yesterday or February. So we can’t wait for a conference call actually to do this.

What I’m going to ask Maya, would it be all right if you sent around this framework with the suggestions that people have made about who we might actually want to hear from. We will all try to fill it in more, do it by email, so we can all respond and have it mapped out before Thanksgiving. We really have to do that or Maya won’t be in a position to put together a hearing.

MR. HOUSTON: And here specifically is I think what we need to do. One, we need to know what type of questions do we believe need to be asked, and who do we need to ask them to specifically, where will we go to get this information people-wise. It is okay to say, by the way as a sort of third arm to this, is there might be background information that we should gather as well, and we want recommendations like Blackford’s materials, we may say is a background for this we also need to get these materials as well to prepare for these as documents.

DR. FRANCIS: And CCHIT and others, I mean those are available on the website.

MS. MILLAM: I have a request around the materials. Would it be possible to have an executive summary? I know I don’t have time to read through all the original documents. If there could be an executive summary with maybe a point of some specific materials, that would really help me.

MS. BERNSTEIN: There’s just me, right. I mean there are a few other staff members.

MR. HOUSTON: Let’s just try to be more judicious in what we put out there. I think hopefully they all have executive summaries in and of themselves.

MS. BERNSTEIN: And for some of the materials we could get it today, have between today and February to read it, as opposed to giving it to you all the day before anything.

MR. HOUSTON: But those source documents would be good preparation for it. Then again I think what I’m hearing as well as what we want these groups to do is answer very specific questions, there is not going to be the regurgitation of written testimony, it’ going to be an opportunity from the get-go to people to ask questions based on what’s submitted.

DR. SUAREZ: Can I just mention two things very briefly. One is I hope – I mean I love the concept of looking ten years out and the futuristic perspective. But I don’t want to, I hope we – we’re focused on privacy and security, I hope that that doesn’t overshadow the purpose of this, which is privacy and security. I mean we want to see and project and look at into the future what PHRs might look like, but don’t – can I finish? So I hope we want to try to still in the questions ask very specific questions about privacy and security. That would be my first comment.

The second thing I wanted to mention is we just planned one hearing out of what we I hope would be our full year of topics. I think we are focusing right now on PHRs. I would like to know what are the other larger topics we are going to talk about throughout the year, and that discussion will not happen in the next two minutes. I think we might want to begin to think about what are the other topics.

DR. FRANCIS: The other topics that have been on the table have been de-identification and we’ll be hearing a little bit more about that. We sort of put that on the backburner, and then governments, which is a longer term interest of this.

Then, of course, the ongoing issue of the HIPAA coverage, which we’re going to be thinking about in this context, and sensitive data.

DR. SUAREZ: There was another topic that I thought we had was privacy and security and HIEs, which is the big issue.

MS. BERNSTEIN: Which is continuing on with what we had done in previous letters, which is Harry’s point, which is we should tack those things that are HIE privacy and security questions that we began to take on.

DR. SUAREZ: It would be good to have that mapping of these are the core –

MR. HOUSTON: Two points, one on your first comment, which is even though we are proposing I think looking at five to ten years out, that doesn’t say that we don’t worry about privacy today. I think what we’re trying to do is make informed recommendations regarding privacy that aren’t stale in five to ten years.

I think absolutely we want to make sure our recommendations are meaningful today, but I also want to make sure what we do is applicable in five to ten years, which I think is really what this Committee needs to be looking at. So I understand your first point.

The second point, we spoke to the people from AHIC 2 yesterday, I forget the ladies name who was here, and I asked her the question offline about governance. They have a deliverable that is due out next summer regarding a governance model for AHIC, through AHIC, and I asked whether we could be of assistance for viewing that, providing feedback, and she had said yes that that was something of interest to them.

I think what we may find is that we may not necessarily look at governance separately itself, but rather provide feedback to them as they’re looking at their governance model. So it might be something we do very quickly and later on after the start of the year.

DR. FRANCIS: Mark, last comment.

DR. HORNBROOK: It’s not a comment, it’s a question. Disease management companies, they offer services to employers to other purchasers, and a lot of these companies will work over the phone with an expert sitting somewhere in the country or around the world. Are their records, are they HIPAA entities, are their records confidential or do we know?

MR. HOUSTON: Is that related to a PHR question? Because that’s a philosophical question, because that’s tied into on whose behalf are they providing those services.

DR. FRANCIS: Are they a care provider.

MR. HOUSTON: Because often those types of entities end up providing services on behalf of a covered entity itself.

DR. HORNBROOK: You can have a health plan contract with them, you can have an employer contract with them.

MR. HOUSTON: There are a lot of different models.

MS. BERNSTEIN: Are you asking whether they should come to the hearing?

DR. HORNBROOK: I’m trying to figure out whether there is an intersection here between these disease management programs and PHRs with respect to privacy and security issues.

DR. FRANCIS: It could be.

DR. HORNBROOK: Too much to deal with?

DR. FRANCIS: Yes, that’s something that could be handled by email.

MS. BERNSTEIN: I just want to respond to one thing that Walter was saying before, which is about what we’re planning for the next two years, or looking ahead to what we’re planning for the next few hearings. We may find that this one hearing isn’t enough, we may find that we need another hearing or need to talk to somebody else. So we tend to plan one hearing at a time just because we don’t know what we’re going to hear. It takes a few months.

DR. SUAREZ: I understand that. I wasn’t thinking of planning hearings, I was thinking of planning an agenda for the subcommittee for the year. Some of the topics may not be hearing material, and might be dealt with in a different way.

MR. HOUSTON: Let me say this. If we got is this testimony is what I think it will be, we very well may be spending a lot of our time over the next twelve months refining our recommendations out of this. So even though we may have these ideas of all these different things we want to do, this could consume us for a fair period of time. I suspect this could be a recommendation and subject which will lend itself to a fair amount of deliberation and discussion, probably more testimony. So if we get this out in six to nine months I would be surprised, so that sort of does tell us where we go for the next year from my perspective.

DR. FRANCIS: Although, we are as we are framing this trying to keep our more general interests in mind, which is the kind of thing Harry was reminding us of.

Thank you everybody. We’re adjourned.

(Whereupon, the Subcommittee adjourned)