[This Transcript is Unedited]




November 19, 2009

National Center for Health Statistics
3311 Toledo Road
Hyattsville, Maryland

Proceedings by:
CASET Associates, Ltd.
Fairfax, Virginia 22030


DR. FRANCIS: John and I are delighted to welcome you to this break out session of the subcommittee on privacy, confidentiality and security. I think we will go around and introduce who is here and then we are going to be talking about next steps in terms of what topics we are going to be moving along on.

So, I am Leslie Francis. I am from the University of Utah and do not have any conflicts.

MR. HOUSTON: I am John Houston, University of Pittsburgh Medical Center, no conflicts.

DR. TANG: I am Paul Tang, Paul, Medical Foundation, no conflicts.

MS. MILAM: Sallie Milam, West Virginia Health Information Network and the West Virginia Health Care Authority, no conflicts.

MR. REYNOLDS: Harry Reynolds, Blue Cross Blue Shield, North Carolina, no conflicts.

MS. BERSTEIN: Maya Bernstein. I am lead staff to this subcommittee. I am from the Office of the Assistant Secretary for Planning and Evaluation.

MS. WATTENBERG: Sarah Wattenberg. I am detailed to ONC, no conflicts.

MR. ISHEE: John Ishee. I am from ONC, no conflicts.

MS. KHAN: Hetty Khan, CDC’s National Center for Health Statistics, Office of Privacy Committee.

MR. HOUSTON: I guess I ask one question on all honesty on the record for Sarah. You are on detail. You are still staff to this committee, correct? I just want to make sure.

MS. WATTENBERG: Yes, I am still what?

MR. HOUSTON: You are staff to the committee regardless of your detail?


DR. FRANCIS: Yes, who is on the phone, please and can you hear us?

MS. HORLICK: Gail Horlick from CDC in Atlanta.

DR. FRANCIS: Hi, Gail.


MS. McANDREW: Sue McAndrew, OCR.

DR. FRANCIS: Thanks, Sue for joining us.

MS. McANDREW: Thank you.

DR. FRANCIS: Who else do we have on the phone?

MS. CHAPPER: Amy Chappper, CMS.

DR. FRANCIS: Ah, Amy you are the third person we did not know was calling in. Welcome, thank you for calling in.


DR. FRANCIS: Okay, so maybe the first thing we should do is we had a conference call recently and we brainstormed there some of the next step issues and maybe we could ask Maya to give a brief. No, you do not want to? List of some of the, there were many, many, many topics that came.

MS. BERNSTEIN: Remember over lunch when I said I did not have that list?

DR. FRANCIS: I actually have it with me but yes.

MS. BERNSTEIN: Sorry about that – I was unprepared.

DR. FRANCIS: The goal of this would be I think it is fair to say that the information that we got from the discussions this afternoon could very much influence what we want to take up; what we do not want to take up; where we want to go from here. That is certainly a possibility for those of you who were here for the discussion.

One other thing that went around was an enormously helpful list of websites from Walter. Walter is our gatherer over at the security subcommittee.

MR. HOUSTON: That is right.

MS. BERNSTEIN: Jonathon, you came from there? Walter is over there.

DR. FRANCIS: Yes, the HIT standards.

MS. BERNSTEIN: The security committee, advisory committee to ONC; HIT standards. I keep wanting to call them security, but yes, HIT standards. See I did it again.

PARTICIPANT: Do we have a copy of the list?

MS. BERNSTEIN: So you were going to give us the list if you are already putting it together? There is one in one place there.

DR. FRANCIS: It is actually. Yes, I am looking for it. So one place on the list here is privacy and public health; privacy and research; accounting for disclosures.

MS. BERNSTEIN: Slower so I can write them and then we can look at them and see them. What was the second one?

DR. FRANCIS: Privacy and research, the question about the interrelationship or lack thereof of HIPAA and the whole protection of research data.

MS. BERNSTEIN: That Sallie talked about earlier today.

DR. FRANCIS: Yes, and there was a report published by the Institute of Medicine called “Beyond the HIPAA Privacy Rule.”

MS. BERNSTEIN: Yes, there was.

DR. FRANCIS: Another topic that came up during that conference call was accounting for disclosures; breach notification; minimum necessary; what to do with respect to any kind of follow-up on sensitive categories of health information. We have been continuing to talk about that. The nest of questions involving state, the multiplicity of state laws, how to think about that. Sallie has got quite a lot to say about that and I know Jeff Blair was interested in that.

MS. BERNSTEIN: I would be surprised if Tony were not also interested.

DR. FRANCIS: Something that has been on the agenda that we have not gone back to and I am not sure it was mentioned here, but data that are outside of HIPAA. The question of providers that are not covered still -whether we have anything more to say about that issue.

MS. BERNSTEIN: And then there is the issue that Paul raised over the email.

DR. FRANCIS: Right and the issue of how we link records making sure that we have the same person.

MS. MILAM: Leslie, during our lunch time conversation, I thought that John identified some really good challenges his basing an UPMC stay that maybe we ought to take up with the group.

DR. FRANCIS: Right. John, do you want to do that?

MR. HOUSTON: Put them on the table; one of them does relate to the record linking issue and it is in a different context that it is occurring right now but I think it is still incredibly relevant which is how do you deal with the fact that as we interchange data between various entities, we are going to find that some of those, hopefully very small subset of those, are actually in error. How do we deal with bad data going to different places and how do we correct it. How do we in-error it and things of that sort. That was one issue.

Specifically with respect to the ARRA, this whole idea of paid for out-of-pocket in full, that the provision that if somebody pays for out-of-pocket in full for a service that they can also restrict, ask for a restriction that their health plan does not receive data from that encounter for either payment or health care operations purposes and there is an incredible operational issue associated with trying to accommodate that, at least in the large health system environment.

Then I think the last thing that I brought up as being an issue was the whole issue of business associates. Under ARRA, there are various provisions that I think are going to be problematic, though not nearly as problematic as the last ones.

MS. BERNSTEIN: Do you have any specific examples of what you mean. Like what about the business associates; the fact that the government’s security role, the breach notification, what?

MR. HOUSTON: There are two issues under business associates that are at issue. The first being is that because of the fact there is a direct accountability now under the HIPAA Security Rule you are going to find organizations that had previously agreed that they were business associates are no longer going to want to declare themselves business associates. They will do everything possible not to do it.

Secondly, under the ARRA regarding accounting and disclosures, covered entities now have the right to list their business associates and in the event that a patient wants an accounting of disclosures, the patient has to go directly to the business associate and say I would like an accounting of disclosures. Seemingly easy much more difficult to operationalize than you might think. Both of those issues are ones for which I have a lot of very direct experience now.

DR. FRANCIS: I think that is actually linked – if you want to put accounting, breach notification and the question of data that are not covered by HIPAA, providers not covered, whether the expansion of the discussion of business associates is going to make that better or worse is a way to put that.

MR. REYNOLDS: I would like to put one up there called the health information exchange ecosystem or something like that, because I see what is going on in our state and I see what is going on in others. You are going to have not for profits set up to be health information exchanges. They do not fit into any category of anything that you are looking at because they are not business associates with any covered entities in many cases. They are going to be contracting with vendors and others, to be the brick and mortar and or delivery of services and unless somehow the state steps up in that state to be the oversight which means then you have to put some back there. Others that are covered entities will have a hard time working with that because they are not a business associate of yours because they are running an HIE that you may or may not.

Just this idea that we say people that are not providers, it is right now this whole data flow is going to go through places and entities that none of us envision.

MR. HOUSTON: Oh, to extend upon that, the idea that they are going to be participants just not the exchanges and like that. There are a lot of participants that are, at most there would be some kind of contractual obligation.

MR. REYNOLDS: That is why I call it the ecosystem because you know every state may set it up a little differently and the jurisdiction will be different but once the data starts flowing through there. So if you take our case for example as a large payor, if we were to get involved in letting our data go through an HIE with which we really have no jurisdiction, the not for profit is set up a certain way, they are using a vendor which we have no jurisdiction. We do not really have what you would consider the normal kind of contract with them in some ways. We want to help the state, but oops. You just threw your data out. You just kind of threw your data out on it.

MS. BERNSTEIN: We are trying to understand is Harry talking about kind of the downstream problem that we were talking about over lunch?

DR. FRANCIS: No, he is not.

MR. REYNOLDS: I am talking about the whole thing related to because there are so many different kinds of entities. If you talk to, if you listen to Jeff it is run by a local clinic foundation which means that is kind of based in a covered entity. I do not know how Sallie has got it. Marc Overhage has got it in an environment that is also dealing with providers but some of the others are setting up new ones and man they are just hanging out there. Hanging out there is not an ugly word, but they are being established to help do this but it is like a tree. There is nothing to hang them on.

DR. FRANCIS: So the question in part is whether again we have that outside, inside, what is the regulatory regime that applies to all of the new forms on state level HIE’s. Sallie?

MS. MILAM: Guess I am thinking about three things. If I were a payer, I would want to have representation on the governance process of the HIE. So I would work that in somehow and then at least in West Virginia there is no association for insurance companies or payers. We have individual payers on the board.

The second thing I am thinking about is with the new high tax law that is not in effect yet, it is going to make exchanges business associates.

SPEAKER: Of whom?

MS. MILAM: Of covered entities. So if you are participating in the exchange, you are going to want a sort of a contract, the HIE to sign your business associate agreement. You are going to push the obligations on to them.

Then I guess thirdly, with ONC kind of stepping into the exchange phase with the grants, I think we are going to see some probably greater uniformity across the country; at least some structure, similar structures and framework so that we, the states are going to have some skin in the game, each state governor will have some skin in the game, and I think there will be greater accountability.

MR. REYNOLDS: I guess I am going back to liability. As in ours, there is skin in the game, and again I am not saying this is good or bad, I am just saying that if we could even spell out all of these pieces that work together to make it okay. In other words, I am not ruling for or against any of them.

MR. HOUSTON: There are still some gaps logically maybe I am missing this what Sallie just said, Assuming HIE’s are business associates are covered.

DR. TANG: When does that happen?

MS. MILAM: February 17th, I think the law will be in effect for that.

MS. BERNSTEIN: I do not remember. I may be wrong about this, but it does not say specifically HIE’s will be business associates.

MS. MILAM: I think it does.


DR. TANG: I just did not know when so you are saying 2010?

MR. REYNOLDS: Yes, but here is the, if you are dealing with 200 payers the ecosystem is a bigger word than.

MR. HOUSTON: Here is the problem though I mean I can see your point is that if you have HIE’s that are in theory business associates with covered entities and you are still in your ecosystem, which is a great word, you have all sorts of entities that are still not covered entities, how do they even participate because in theory those non-covered entity organizations will be contributing data. It gets into that, into the HIE. How is it covered, how does it co-mingled with data for which that HIE has a business associate obligation to somebody else to manage but does not have that same obligation with respect to the non-covered entity? I am explaining this horribly, but when you think about it, the HIE is this melting pot of patient’s data. It will be contributed to by covered entities and non-covered entities, and there could very well be varying levels of obligation and responsibility based upon who contributed what and it does not work.

MR. REYNOLDS: That is why I just want it to be a subject. That is why I am throwing it. We are making a list of the subjects. I am not trying to debate it.

MR. HOUSTON: We are lumping. That is all we are doing.

MS. BERNSTEIN: But only if we allow the HIE to divide themselves because I think once you commingle, if you are covered which the HIE’s are then you good.

MR. HOUSTON: The HIE is covered but the point being is if you had non-covered entities that are also participating. Let us just say a physician that does not bill insurance companies is an all private pay.

MS. BERNSTEIN: Or public health, but for all of its data. If it takes cash for say you have for example, a plastic surgeon who takes cash only for some procedures which are unlikely to be covered and also takes insurance, they are covered for all of it unless they bifurcate their business.

MR. HOUSTON: YOU realize there are a lot of physicians out there that do not do any insurance business.

MS. BERNSTEIN: I understand, but an HIE who does both, is in the same position as a physician who does both unless they bifurcate their business.

MR. HOUSTON: The HIE, as Sallie indicated, would be a business associate. So the question is going to be whether it could even allow non-covered entities to contribute data because that data, that non-covered entity would have to fall outside of the conventions that it was trying to put through.

DR. FRANCIS: I am going to suggest that clearly this is.

MR. REYNOLDS: I want to make one more comment because I am old and I will forget it, okay? So I am going to make it. The thing though is saying the word that somebody can be a business associates versus if it is not for profit does not have a lot net worth, does not have a lot of liability and does not have some other things, does it make it a business associate that large players may want to work with. All I am saying is the words are great, but when you sign up with somebody that has got a loosely knit board that unless those people are going to step on that board and make all accountability. If we got sued for $100,000,000, are they on the hook for it because they are the business associates that we have covered.

I am just saying some of these things that are going to be set up are going to be set up for the common good, but it is kind of hard to do business when it gets down to the bottom line of who is liable with the common good. That is all – I just want to add that to it, too. So everybody is right, but nobody is thought it all ought of that as to how these different entities are going to look and be.

I am living in North Carolina right now and trying to figure out how we philosophically can support it but not go outside of taking care of the people who we trust the data for and sign a contract with somebody that is just a shell; not really something that you can go out and take apart.

DR. FRANCIS: So to put that into this subcommittee language, does the projected business associate set of arrangements adequately protect the data that these health information exchanges are going to have?

MS. BERNSTEIN: Protect what?

DR. FRANCIS: Provide adequate protection and oversight.

MR. REYNOLDS: Are they an entity that has the wherewithal to protect it or do they then – remember we talked about our chain of trust. Most of these things that are going to be set up are going to be outsourcing an awful lot of their stuff to somebody else. You may have a ten entity chain of trust, and you cannot get to anybody and the person that did the chain of trust is not somebody that has enough liability or enough oomph or they are not covered or there is nothing else, so fine. I am going through a shell through a bunch of and that is exactly what happened as we did the use cases in North Carolina. It was a not for profit loosely knit group outsourced it to a vendor. We did not participate because I would not put my data out. We do not want that to have that happen as we do this and so it is just a subject that is not being melded together. I know there are right words in pieces, but it is not being pulled together so that somebody could explain it in a way that everybody, and I think Sallie and everybody that is doing this, could help us immensely, but it is sure on the street and during the regular day, it did not show up quite like everybody thinks it does.

DR. FRANCIS: So to put it.

MS. WATTENBERG: There needs to be kind of a relationship mapping along with the regulations – sort of who is involved in what way and how they relate to them so it is both a relationship mapping and a regulation mapping into those relationships.

MR. HOUSTON: As a co-chair, I would be interested in Jonathan’s thoughts. I mean hearing all of this different sort of dialogue regarding what is out there and what we think potentially there is some value to investigating. From everything you are hearing and involved in, what seems to be the areas of top priority whether they be on this list or maybe are there other things that you are not seeing that, that we are not talking about that you see really are issues that.

MS. BERNSTEIN: By both Jonathan and Sarah, of course they are at ONC now who might have things to say about what is going over there.

MR. ISHEE: Well, I do know for example the policy committee has a new NHIN work group that is going to be focused on not only at the entity but also HIE level issues such as what was just brought up.

MS. BERNSTEIN: With HIE level issues, is that what you said.

MR. ISHEE: Yes, yes, it is not just NHIN specific like it is NHIN in HIE. You know we are doing the accounting for disclosures so.

DR. FRANCIS: So do you think, let me just go back and say, so do you think that if we were, if maybe you could fill us in on what is going on over there. How what is going on over there could link with what we are doing. How we could add value. We do not want to have that committee and our committee, work on the same thing unless we are working on complimentary aspects of it or there is some real reason to think we have different expertise than that committee does, in which case we ought to be cooperating rather than working separately.

DR. TANG: Million dollar question. I mean why couldn’t we address a little bit of it so there is an NHIN work group. There is also a privacy and security work group.

MS. WATTENBERG: It has not started up yet.

DR. TANG: Pardon me?

MS. WATTENBERG: It has not started up yet, but it is starting.

DR. TANG: Yes, correct but the four priorities that were identified for the privacy and security work group are one, patient choice control which is the consent, opt-in/opt-out.

MS. BERNSTEIN: Consent and what?

DR. TANG: Opt-in and opt-out kind of discussion and the secondary uses. The second area actually is PHR privacy, which is and I am going to distribute our letter to them when it starts up. The third area has to do with the whole transparency accounting of disclosures. And the fourth area is linking, consolidating information on an individual.

So it does not specifically cover NHIN per se. I suppose not to say that NHIN work group could not do that. It was not configured by that. In other words we did not have some privacy folks specifically on that team although we certainly could try to decide which areas in working with ONC, which areas would be covered by this group. So if we, for example, wanted to take up things related to NHIN that are not in those other four groups, then that is one way of working together and we already have – you know just this thing has been useful.

MS. WATTENBERG: So one thing is, I mean to be able to respond to your question, I may need to listen a little bit more to the meat of what is inside of all of these topics to sort of carve out different parts of it to see what is overlapping and to see where you guys can help. You all have done a lot of work on secondary data uses and I think one of the big pieces that we are working on now are the non-covered entities and how that information is gathered and how it is used, and especially PHR’s and protections for PHR information that is held by non-HIPAA covered entities for PHR’s.

So if there is something; some follow-up work that you all have with the secondary use stuff, I cannot remember, that may be something. Was there anything else you all were going to continue to do on that or that you wanted to.

MS. BERNSTEIN: That is what this meeting is for to figure out what we are going to do next. I am looking at the list that Paul just gave us and thinking well the first two we have done very significant work on already, so depending on what aspect.

MR. REYNOLDS: What is that list again?

MS. BERNSTEIN: Here. Can you see it?

DR. TANG: Right up there.

DR. FRANCIS: Opt-in/opt-out.

MS. BERNSTEIN: Right and then say that goes off their agenda. I mean there is still more to do in each of these areas, but we have already done significant work in the first two certainly, so I am wondering like how that got on their list given that this group has already. Like they know.

DR. TANG: Oh, because the Recovery Act specifies that.


DR. BERNSTEIN: That you have to do that. Okay.

MS. WATTENBERG: But you know what actually I do think, and Paul, you can comment on this, if you really want to sink your teeth – I think something that would actually be very helpful is a relationship mapping of all of the non-covered entities; the people who are gathering information, and how it is related to the different kinds of laws and the different business associates, the subcontractors to them, because that is going to be relevant to a lot of what you all will be doing.

MS. BERNSTEIN: You mean Paul’s committee now when you are talking about you all, when you say you are talking to Paul?

MS. WATTENBERG: I am talking about Paul. I am talking about HITPC large, and I guess you are now on the HITPC Privacy and Security Work Group, too? Okay.

MS. BERNSTEIN: Does everyone know that? Does everybody know that, John?

MS. HOUSTON: I do not know. Paul just announced that they created one and they asked me to sit on it so I guess.

DR. TANG: The other way it relates here is because we traditionally, at NCVHS has traditionally had the HIPAA stuff and so the hope is to associate this as a HIPAA artifact. So that might be why it makes sense for us to help figure out where post Recovery Act, what other things need to be resolved.

The other thing that I do not know that even though there was this HITPC group, I think states, the state boundary is really going to get in the way of exchange. I do not know that, is ONC doing something specifically?

MS. WATTENBERG: On the state law stuff? Well you know we have several initiatives, some with AHRQ and I guess some on their own.

DR. TANG: So what actions have come out though?

MS. WATTENBERG: That is what I am not exactly sure. I do not know how far they drilled down. I could find that out.

MR. ISHEE: I think that is one of the, that has been highlighted but I do not know – I am sure there is further work that can be done.

DR. TANG: I think most of that work has shown how much difference there is and I do not know that there has been any follow-up.

MS. WATTENBERG: Some of the pilot, some of the work I think also generated models that different states used to harmonize policies across their state boundaries so it was not the solution for every state, but different kinds of best practices that other states have used.

MR. HOUSTON: How much cross state data transfer really occurs yet?


MR. HOUSTON: I suspect that this has not been a big issue because it is not occurring.

MS. MILAM: It really depends on your state. I know we are trying to figure out where we are going to start. We are talking with a variety of hospitals and two of the hospitals in our northern panhandle who are really interested in rolling out first are hospitals in Ohio. And the only way they will allow this is if they roll all of it together. It is a real issue for us. It is hard.

MS. BERNSTEIN: Sorry I was just going to say look anywhere there is a tri-state area like D.C., Maryland, Virginia, you live in one state you could see providers in all three states very easily and that us where your care is going and if you want there to be one or the other you are going to have caregivers.

MR. HOUSTON: Do you know what is interesting though when you are dealing with D.C., Maryland and Virginia, I guess that is three. There are a lot of examples where there is a lot of interchange between a lot of different states. I will give you a great example. In Pennsylvania there is a fair amount of interchange with Florida, at least in western Pennsylvania, because of the older population. You have these snow birds that fly but even though there is a lot of that I suspect we are going to, we have only seen the tip of the iceberg with respect to data interchange because of the whole integration automation.

MR. ISHEE: I think the work that they identified HSPC did was coming up like we talked about with models so they were, I think they talked about maybe like a state conflict compacts or somehow just general like a 50,000 foot how you would, ideas of models to harmonize and take off and not really drill down much in depth.

MS. BERNSTEIN: Also, they had significant resources over there and there was a huge grand program with contractors and all kinds of people participating. We tend not to have resources like that at NCVHS.

DR. TANG: The other way to look at it is health systems who operate across state boundaries have the same EHR and that in and of itself a problem, technically a problem as well.

DR. WATTENBERG: The same EHR? Is that what you just said?

DR. TANG: So of Kaiser or anybody who operates across state lines like a health system, an organization operator across health even if they do not exchange it, it is in the same EHR.

MS. WATTENBERG: What is the question that we would be exploring with this?

DR. TANG: I guess we would have to call the question and propose solutions on how do we deal with maintaining the privacy and security of health information in the era of health information exchange?

MS. BERNSTEIN: How do we –

DR. TANG: We need to call the question and propose potential solutions for how to maintain the privacy and security of health data in the world of health information exchange.

DR. FRANCIS: Specifically the multiple state questions.

MS. WATTENBERG: Across state boundaries.

MR. HOUSTON: Much of state law issues is the thing. It is assumed the privacy and security but we are really dealing with state law and inconsistencies that.

DR. TANG: Correct.

DR. FRANCIS: We have some expertise on this committee to deal with that. We have some strong interest on how you wanted to.

MR. REYNOLDS: As I think back to our previous work, there is two things that I think we need to either settle or walk clear away from them and say that we are walking away from them. The first is opt-in/opt-out. The second is sensitive data. Let me give you a specific example.

I chair CAQH Corp., which is all the payers giving more information to the providers. We have run into sensitive data discussions all day, every day, and as we go further and further because it is a real issue. So, if this gets out, this data flow gets out without us either walking away from it – understand I am not selling anything – walk away from it or have an opinion, and the last time we walked up to it. But now with everything going on and everything going to happen; now that it is going to take off.

When you talk about a real HIE, this idea of consents following all the way through the trail and what does that consent really mean and does that person really understand it. We either have to make a documentation that there is going to be some kind of steward out there that is going to take care of me and my data, or we have to be willing to talk about is there such a thing as sensitive data. It feels untidy to me.

When we took up some real serious issues back when things were not anywhere near this close to happening as they are right now. So I would like to see this committee at least consider walking away from it; declaring that we are walking away from it, or have something else to say based on the new information. Either one of them is fine, but I think those are two subjects that still sit out there. I do not want us to have to say shame on ourselves that we got it going and we got it started and then we stepped back.

DR. FRANCIS: Could I amend that a little bit because I think when Paul said the first topic: opt-in/opt-out, I wish you could scroll up to the list of what ONC is considering. But I was wondering whether some kind of opt-in with protection of sensitive information was going to be one of the issues that was going to be on the table.

DR. TANG: So by the way, it includes segmentation, which we talked about, and granular control. That is what our call in that category.

DR. FRANCIS: So that is the sensitive.

MR. REYNOLDS: Well fine, but let’s term it that way because again I think that.

DR. TANG: I think the committee chose. I think the decision was already made, Harry, I think they committee chose to walk away from it when the committee decided not to take a vote and go with a recommendation.

MS. WATTENBERG: I am sorry. Which committee now are we talking about?

DR. TANG: The privacy and security at NCVHS. So it was a good thoughtful piece but it did not take a position so I think that game is over. Right now I think that is the reason.

MR. HOUSTON: Let me tell you in the context of a larger undertaking. I mean I think we left the doors open for somebody to decide and I do not think it is. Now honestly, if it is on the top four of the hit list that you described, I think as long as we do not step on the policy committee’s toes or the work groups’ toes and tries to coordinate efforts, I mean I think it is something that sits on everybody’s radar. We could easily take it on.

DR. TANG: I think it is too late for this group to take it on.

MR. HOUSTON: Because of that?

DR. TANG: Yes, because this group did not come up with recommendations on each of those points, that group needs to come forward with –

DR. FRANCIS: What? Actually the way I understood it, Paul, we specifically said that record design should incorporate should incorporate pre-defined categories of sensitive information. We gave examples. Next step for us could be, depending on what is happening and what we think we could or should do, a next step for us could be to list some.

MR. REYNOLDS: Let me ask Paul a different question. Are you saying that ONC now has a ball on sensitive data and opt-in/opt-out?

DR. TANG: I think ONC by statute has to give recommendations.

MR. REYNOLDS: So are you saying that they have the ball?

DR. TANG: I think so.

MS. WATTENBERG: Statue they have to give recommendations?

DR. TANG: On data sensitive, on very specific things like data segmentation and granular control.

MR. HOUSTON: Why couldn’t, let me ask a question, I mean I think those four things that you listed off, those four broad categories, that is a hell of a lot of stuff to be working on.

DR. TANG: I know.

MR. HOUSTON: No, it is fine, but hear me out and I think the question is to why cannot we coordinate efforts such that if there is a desire for us to bite off part of this, that we do so and that they consider our input in order to come upon the recommendations that they are obligated to make.

DR. TANG: So I think we have to meet their timeline and obviously work with David.

MR. HOUSTON: And not only the conference call, which I do not think you were in on the conference call, where you?

DR. FRANCIS: NO, Paul was not on our conference call.

MR. HOUSTON: Part of what we discussed was how do we open up communication channels to try to coordinate better because of our desire to one, understanding that there is a sort of a national agenda and a lot of stuff needs to be done, what is our highest and best use in conjunction or in coordination with them.

MR. REYNOLDS: I disagree a little bit, John, from this standpoint. If they, as we look at how we work together and I lot of us are trying to do this, as we look at how we work together, if there is something that is critical to the implementation and it is critical soon, our recommendations go to the Secretary. The reason I am really pushing on this one is if there has to be a decision and that decision is then going to be used for implementation and taken forward to the Secretary by ONC, I think it would be a mistake for us to touch it. The reason is we may come up with something that then when it goes to Paul’s policy committee, they could overturn it and I think the thing we are trying not to do is be in the same space or we could end up making a recommendation that could block what they think is reasonable implementation. I just want to be careful.

MR. HOUSTON: I thought the last meeting there was, I forgot which meeting it was we talked about the fact we do not have to exclusively send letters to the Secretary.

MR. REYNOLDS: We do not, but I think what I am hearing from Paul and feeling from Paul, is that they have to take this and go and make something happen.

DR. TANG: ONC has to.

MR. REYNOLDS: Right, so all I am just doing is I am just making sure that most of our recommendations do not go down to the how. Right?

MS. BERNSTEIN: And do not have to.

MR. HOUSTON: We have done that.

MR. REYNOLDS: We have done it but it is in a much smaller subset.

DR. FRANCIS: Could I try another way of asking the same question? One of the things that we thought was important when we wrote that letter was that records be designed to allow that capacity. We were not at that point prepared to say how. We were prepared to give some examples, but we certainly did not have the ability to provide a technical account, for example, of how you would sequester mental health information, which was one of the possible sensitive categories.

MS. WATTENBERG: You mean technically speaking?

DR. FRANCIS: Yes, how you do it technically. Nor did we even really know whether that would, as this all got worked out, whether that would turn out to be a sensitive category. We did come down very clearly saying, this should be a feature not simply opt-in/opt-out or opt-in for this provider but not for that provider.

Now I would love it if someone else were going to follow-up and try to figure out how that recommendation can be carried through. I would also, I think it would be sad but know what was happening if another committee had a different view about the importance of or the possibility of sequestering sensitive health information. Although I would like to know that, and I would also like to know if there is anything we might be able to say further that would help contribute to a thoughtful resolution of that issue. Does that make sense as a way of putting it? So I guess I need to know where, kind of where it sits.

DR. TANG: I think Harry sort of characterized it pretty well. I think we put a lot of time and effort into this. It is a really good body of work. We did not come up with the final recommendations. The context is different. The context is really different and all of a sudden there is a timeline. The timeline is actually written out in statute. So ONC would love to have recommendations from its FACA group and so there is a group put together to try to pick up, not redo, but pick up where we left off. It would seem silly to have two FACA groups working on the same thing.

MR. HOUSTON: Absolutely.

MS. BERNSTEIN: Yes, but as John was saying, there is a huge bunch of information that is in that topic area and it is unfathomable that one FACA committee could actually cover all of that stuff. So part of it is figuring out how we work together. That is why we will be trying to coordinate like what parts do we have the expertise for and where can we so we not overlap too much.

MS. WATTENBERG: Let me offer something here – One way you could carve it up is that since the ONC advisory groups also it has a policy group and a standards group. You could divide it up so that NCVHS makes determinations about what kinds of information should be sensitive, considered sensitive, and while the ONC advisory groups are working on the different models of choice, whether it is in opt-in/opt-out, opt-in with permission by provider, opt-in you know sort of the whole slew of different ideas, along with the data segmentation issues because that will seamlessly flow from the policy advisory group to the standards committee that will have expertise in those areas. So you would have that chunk of it being done by the ONC groups, and you all would be focusing more on the follow-up to the thematic elements of what you are recommending for sensitive data. What do you think?

You would have to go fast. I mean part of the problem is that you guys are more long term. ONC is shorter term. So you would have to be able to do it quickly enough to be responsive to their ONC requirements.

DR. FRANCIS: What is the timeline there?


MS. BERNSTEIN: What does that mean? There is this statutory deadline. What is that deadline?

DR. TANG: Well, I think actually some of it was due next month.

MS. BERNSTEIN: So you are not going to fix all of that?

MS. WATTENBERG: Early Spring or early-ish, March.

DR. FRANCIS: So one of the things that we could do is we have information in those hearings that led to the sensitive information letter. We have testimony. We have, I mean we did not pick – it is not comprehensive. We did not pick those categories out of the air, though. One of the things we could do is we could go back and see if there might be more information that we could get ready in hand, just from the point of view of which should be model sensitive categories, if any should be.

DR. TANG: I think that is very helpful because as you know just like all of us, if we have the day job and the more digestible information is, the more likely it is going to be used. I mean do not forget John and I are both on this work group and so it is really an overlap. But that kind of suggestion you know like this is just perfect because it puts it together in a readable form for three of our letters and then like you say, if there is other information that could feed in than one we would not have to redo a hearing and two, it is just digestible would just make it so much more effective input.

MS. BERNSTEIN: I just want to point out from the booklet that Paul is holding up, that that does not actually exactly portray the recommendations. It does not exactly quote them. It is important to go back and see what the actual language in the letter is because the recommendations are for paraphrase. I remember how much time you guys spent really being careful about the words. It is not really accurate which I did not notice when I was reviewing it but.

MR. HOUSTON: Is it supposed to be?

MS. BERNSTEIN: It is supposed to be. That is correct.

MR. REYNOLDS: It is communicated at a different level.

MS. BERNSTEIN: Right. It is kind of a high level summary or whatever and right. So if you refer to that, you may get a different sense of what NCVHS said then if you look at the original letters. So you might want to look at both of those together.

MR. HOUSTON: I think the thing we have to do too is just dust off all of the old testimony and try and cull through it and really make sure that we refresh our recollections about what was really said in context.

MS. MILAM: I have a question for Sarah, maybe Paul. What will ONC do with the outfit from the policy committee? Will we see guidance for the HIE grant program or will it be regulatory or how will we see the thinking that comes from the policy committee in its recommendations evolve through the program?

MS. WATTENBERG: Maybe – I don’t know.

MS. BERNSTEIN: It is on the website if they make recommendations. It is available.

DR. TANG: Did she say what are the implications?

MS. MILAM: Yes, I mean I think it depends on what the recommendation is, the reach it needs to have, what we have been asked to do by Congress. I mean a lot of our activities are really generated by HITECH.

MR. REYNOLDS: But if you take sensitive data, there is no halfway. You either make your regulation; you make it a requirement, which means that then all everybody in every state understands what that means, or you make it a free for all.

MS. BERNSTEIN: Okay, but that is for the departments to do, not the advisory committee.

DR. TANG: It is an excellent question and that is where ONC has the ability to make more of its efforts, including all of its grant programs, make sense and get an achievable out of them. Just like Harry was saying, and you are implying, is if it is going to have something to do that affects things either across the state boundaries or in the whole exchange, then it should get worked into the state HIE grants, direct grants, it should work its way into everything. So to the extent that I mean that is policy is so important – that is why are all sitting around this table. That is the implication. It is not dictated in the statute so I think the one really supreme idea that ONC has already done, is it has configured all of its grants, or the important ones are configured around meaningful use. So at least you have one target, you get everybody moving in that direction because they are all stand alone grant programs. To the extent that the policies, and in this group the privacy policies could align, that would be very potent and also very enabling.

MR. REYNOLDS: If we wanted to brush this up in my opinion John and play off to yours, if we wanted to brush this off, it might not hurt to have half a day or a full day hearing where we had testimony from some people to say now that we are in the HIE world for real, is there anything you would add to your testimony now that we know where we are based on where we were two years ago or whenever we did that.

MS. BERNSTEIN: We could write to them about that. I think that is.

MR. REYNOLDS: Pick some of that up and then go back and look at the recommendations and see if we want to add to it and send to them and you can do that in a much greater timeframe than we could if we just start all over.

DR. FRANCIS: I was actually going to say that I would take it upon myself by say the end of the second week in December, to have read back through the testimony and to have a memo for everybody to see what is in it and what is not in it. I mean I might need to work with staff to do that but we could have something that people could then look at and say, where do we need to fill in the holes and how can we do that in possibly even a shared way with some of you folks too by getting information from people. Talk to you all about who you would want if they were going to be a list of sensitive categories, and have that put together say the second or third week of January; something like a hearing, either half day or something of that sort that would be a time that would work with your committee. Would that work with people?

MS. WATTENBERG: The only thing I will just caution is that this work group has not even met yet and so we cannot really determine what their charge will be.

MR. HOUSTON: Why don’t we do this? I agree but maybe since Paul and I are both now involved with this, we can formulate this in terms of a proposal or assessed and put that before a work group and Devin McGraw, but who is the other one at ONC. Jodi Daniel.

MR. REYNOLDS: I would also like to consider the, based on our conversation today, I would like to see if Paul would be willing to discuss this with David because Paul, I and David and some other people are working together. I would rather go ahead and do that because if that is to make sure that it is a collaborative area that has the backing of David.

I am not knocking anybody else out of the way, but it is just one of those things that we are trying to work together to help the Secretary, to help the department. So Paul heard plenty of discussion from us and knows that it is a subject that is in issue whether he would have me, and Sarah and Jonathan helping him it does not matter. But I think that conversation going on in a way that allows us and ONC to work with the department in the right way. Then once the clearance comes forward, have it. I would rather do that than start playing around with it and kicking it back to the back and then forth.

MR. HOUSTON: Then the question really is from a timeframe perspective, how quickly can that occur reasonably?

DR. TANG: So our hearings have had no more than one month notice. The hearings that we have been doing has been basically done within a month period of time. So I think that the minute we get formed and kicked off I am going to send this around and then if Leslie’s offer is still an offer, I think that would both be timely and appreciated, and that would show a definite offer.

MR. REYNOLDS: Right, but I would still like to see you talk to David so we have something.

DR. FRANCIS: I will get started on it because it does not step on anybody’s toes.

DR. TANG: It is additional.

DR. FRANCIS: It is archival data.

MR. REYNOLDS: If ONC takes it goes with it, it is a good addition to what we have given them. If they ask us to it is a good addition for us to start so it is perfect. But I think if Paul steps forward and talks to David, I think that will give us more of a clean shot as to where we are supposed to go.

DR. FRANCIS: I will make sure this gets sent around to everybody before I submit.

MR. MILAM: Would you remind us where the timeframe that we are working within. We are discussing priorities to be addressed. Is it by June? Is that really set in stone?

DR. FRANCIS: No, the timeframe, I mean I think let’s move on to other topics now because I think we are there with this one.

MR. BERNSTEIN: Before we leave that one can I just clarify who is going to be the chair of this new work group?

MR. ISHEE: On the policy committee, it is Deven McGraw.

MS. BERNSTEIN: She is going to chair the new work group? And do we know when it is going to meet?

DR. TANG: It is being scheduled.

MR. ISHEE: Yes, it is being scheduled right now and I just actually got notice that Chuck Friedman is also going to help set up, I think we are trying to set up something with Chuck.

MS. BERNSTEIN: You don’t have another date?

MR. ISHEE: We do not have a date on that. I will send that out.

MS. BERNSTEIN: I would think it would be useful for the co-chairs of the groups to get together and talk.

MR. REYNOLDS: I would first like Paul to talk to David. I would like to put that on the table, to make sure how we are going to work this agreed and then we either given his input or we take the ball and run with it. It is much cleaner. Don’t get everybody grouping up until we know what the group might ought to look like.

MR. HOUSTON: I agree.

DR. FRANCIS: The reason for the June date is the 60th so accomplishments by then greatly appreciated. That is not a timeline that has to do with a statutory requirement or anything.

MS. BERNSTEIN: Because our meeting is then, is that what you are saying?

DR. FRANCIS: Yes, the 60th. Now that is the reason people were talking about divisions for health statistics for the 21st Century and so on, and that date. What I would like us to do is to look at as a next possible topic. There are two that I think we have had a lot of talk about. One is the state law issue, and the other is the mapping question of what is going on with respect to data in health information exchanges and what Sara commented on. I wonder whether people have views about which one, or whether I got it wrong and we should have something else on the table.

How do either of those sit with where you all are? Paul? Jonathan? Sarah? So the two questions that seemed to garner some serious discussion; first of all and I cannot remember exactly how put it but I think I am pretty close, doing the grid of the relationship mapping about different health information exchanges and then there was the state law question.

So in terms of where you all are, those are both things that would be very high on our list, unless I have gotten it wrong. We have a recommendation going back several years about harmonizing or paying attention to in some way or another, state law differences. That is clearly a relevant issue with respect to data and the 21st Century because data are not just in one state. Then the second one was the question of all of these things that are outside of HIPAA that are dumping data into health information exchanges and how that all plays out. Maybe you three could comment on all of that.

DR. TANG: One of the themes that we have been so persistent with is that protection should follow the data. Maybe this is one of our openings to go further with that and say, well here, there is new capabilities and new directions that the nation is being encouraged to go in and that tenant about the protections following the data is really important to enabling that as well as protecting information. We can build on our history of that theme.

That may lead to recommendations having to do with law or regulations and that is not necessarily what the policy committee may want to do. So that is another areas where we already talk about something we have already have a history with, and we are just pursing our same position but we find that it is now a more important with the new context and that is not something like the policy committee would necessarily get into. I think our broader scope, so it is outside of HITECH scope, is also relevant. So that would make perfect sense for us to offer recommendations from this committee.

DR. FRANCIS: So I want to make sure I have gotten this correctly. So this would be following out -the protection follows the data with respect to data going into health information exchanges.

DR. TANG: Yes.

MS. WATTENBERG: What was that last summary? What did you say?

DR. FRANCIS: How do we follow out protection following the data when data goes into health information exchanges and what current legal protections are there and what new ones might be desirable.

MR. REYNOLDS: If you use Sarah’s pictures, it is a great way to follow it; talk about the different places that it could go and be and what does that mean and what does that feel like. I think that is a good place for us to live. It might not be a place for their knowledge. I think that is probably a good asset there. It brings up the right questions in the right places and then they could take them and turn them into what am I going to actually recommend get some.

MS. WATTENBERG: So it also maps the relationships vis-à-vis things like VA’s and HIE’s and covered entities, but it also maps the protections not only as it relates to them but to how the data moves through the system and when it is at rest and in transit. What happens to it after it goes into the HIE? How does it get back out? It is a lot of work.

MS. BERNSTEIN: So that would be like blowing up our, blowing out from our previous recommendation that all data that is health data should be covered by something, right?

DR. FRANCIS: Exactly.

MR. REYNOLDS: It is a lot of work, but the minute we start implementing without all of that thinking, it is out. Game on. The data is loose.

MR. HOUSTON: It is sort of akin to the issue of a national identifier. To me always seems to be hot potato that nobody really wants to deal with for some reason or another. Whether it be the complexity or the idea of you know I know that federal preemption was something that became a non-starter whenever HIPAA was in it. It was legislated and so, I guess practically speaking, to what level of control do we have in this respect?

DR. TANG: Well interesting that you would mention it that way because we were up against state rights at that point. All of a sudden, states will all have their own or their state designate entity who has this problem. In other words, they will have a vested interest in the uniformity of these rules. So you can almost see the states wanting to have an ability to go state to state so it is absolutely swift because all of a sudden they and all of their constituents like us, as providers, have this problem.

MR. REYNOLDS: Before it was a philosophy of control. Now it is a reality of oops how is this going to work? So the picture and the work that we can do could finally be a confirmation of what is happening and that there is no logical way other than to say welcome to this world. We are all in this world. You are going to use this world this way, and oh, by the way, you might decide as a state how you want to be a little bit different but you sure cannot be big different or this stuff is not going to play like it is being played out. But again, that is because we have come from a different place then we were a couple of year ago.

DR. TANG: Technically this is called turning a bug into a feature.

MR. HOUSTON: I hear all of that and I think it is very encouraging. I am just thinking through my mind that how do you go about haggling it? Who do you engage because I would think that there is, you have all sorts of state, federal, constitutional issues. Maybe it is over stated a little bit, but you have I am sure there is going to be a lot of people with a lot of opinions.

DR. TANG: So I sit on the equivalent over on the state side of like California e-Health Advisory Board with the Secretary of HHS in California, and they of course have to deal with the HIE problem. So they turned to what happened at the NGA meeting, and are just as frustrated by the fact that there are not any actions that would help us, the state of California, be able to deal with the problems inside of California and across state lines. So to answer your question, you go to the folks who now have the problem and there is going to be, every state must have one of these.

MR. REYNOLDS: Yes, Sallie says ditto to what Paul just said and so does Harry. We are all working on it in our own states and that is exactly the same.

DR. FRANCIS: What we do is get experts from different states who have been working on different ways of doing it.

MR. HOUSTON: What is interesting though is Sallie has been talking today about how do I deal with this master consent that has all of the language that will allow me to transfer data back and forth. So what Sallie is trying to do from our discussions, is solve this in a manner that is within her control. What I hear is that what you are really doing with this is elevating this number of levels up. I like it, believe me I think this is a great idea. I am just maybe verbally thinking through how the heck do you –

MR. REYNOLDS: You answer and then I think I agree with you.

MS. MILAM: I think we ought to look at what has been learned through HSPC and evaluate which ones need to be followed up on such as the interstate compact. There are certain bodies of people that develop interstate compacts and it is area process. I did not see, I do not recall that any HSPC projects really visited having one privacy law or one set of rules that were specially protected information, but maybe now that every state has a vested interest in making exchange work, states would be more willing to let go of their own state rights in this area and come to a common set of rules.

MR. REYNOLDS: The only other thing maybe a perspective on your words. Sallie really doesn’t have control. She can talk to certain states but the minute one of the people from West Virginia goes to a state she has not talked to, she is in trouble. Doesn’t happen; it doesn’t work.

MR. HOUSTON: You something, Harry I agree. I think in terms of how we address this to Sallie’s point, we need to understand that maybe that is the way to address this is that we need to look at all of the different avenues that are available for trying to address it and identifying which one is the best avenue. It might be as you said, multi-state compacts or, I do not know what they would be but what is the inventory of the different ways that address the problem and then deciding which one is best operationalizable.

MS. WATTENBERG: But how would you do that given that that would change for each different kind of configuration of states. The solution might be different.

MR. HOUSTON: I think what you should do is to Paul’s sort of point that the common factor here is that all states need to solve this because it is now with their purview and best interest so again if there are mechanisms, as you said multi-state compacts or some type of UCC, I guess UCC would not apply but I guess that it is a political compact where it is.

MS. WATTENBERG: Uniform law as opposed to a compact.


MS. MILAM: I would recommend a hearing and perhaps have ONC or RTI, deliver a synthesis of the best thinking that came out of the HSPC project. Meet with them ahead of time so that we understand what are the most viable options and then have people come talk about those. Have the experts come talk about uniform laws, interstate compacts and perhaps have somebody like a Microsoft who has done a lot of thinking about a comprehensive data privacy protection law for all information.

I mean there are a group of large corporations that have had a real legislative agenda to get one comprehensive set of privacy rules. They have done a lot of thinking around this and perhaps it has not been in the health area, but maybe it has. I have heard it generally in other areas about personal identifiable information. So I think we could develop a really good agenda to get some distilled recommendations. I mean when you look at what it takes to get an interstate compact, that is years. We need something that is a lot more expeditious and maybe we can get an undersigning in time.

MR. REYNOLDS: Here is the funny comment. I want to go back to what Sarah said, hurry. No, I mean it is an interesting, we have got hurrying going on and we have delaying going on. So it is time. It is happening in every state. Everybody is looking at it differently. Here we go.

MR. HOUSTON: That is why I think we need to look at all of the different avenues and decide which one is most expeditious, which gets you to the end goal. It may not be the best, but if it gets you there fastest and I do not honestly know what all of those vehicles are. Maybe we need to sort of beat the bushes and decide you know.

MR. BERNSTEIN: I would like to clarify, John what you are recommending is that we go at a very high level and look at interstate compacts, uniform state law, preemption, and other stuff like that, and decide among those approaches to getting uniformity which one works the best?

MR. HOUSTON: Which one would get us to where we need to go fastest with a reasonable? I mean it is speed versus complexity versus what is the best suited. I think then we could even make a recommendation maybe based upon that; how to go about it based on the recommended approach. I just do not even know all of the different ways somebody might go about this thing.

MR. REYNOLDS: But ONC needs something to pick up and use or move with.

MS. BERNSTEIN: Could I just exercise my little cold water role? We have had a lot of discussion about this. I think first of all ONC has done a lot of very significant work in this area already with like I do not know how many millions are involved in those projects, but you know.

MR. ISHEE: I think the contract was budgetary.

MS. BERNSTEIN: Around, but I mean.

MR. ISHEE: I think it was more than ten millions.

MS. BERNSTEIN: Yes, more than ten million dollars which we do not have. And also the expertise is over there. Except for Sallie has been involved in this very closely and maybe some others I know about or whatever. I do not have expertise in this area because ONC has been doing that so I am not worrying about it because that has been in their ballpark. It is sort of the same thing. If we were to take up something that they have been working on now, we are going to have to get up to speed up on it and there is the hurry factor, right. If we were just to look at what John is talking about that is a much more manageable -we can bite off something like that which approach do you think would work for solving this problem.

But if we want to get at all into what the different states are doing or starting to call people from different states to tell us, it is mind boggling to me how much that is without the kind of resources that ONC has to give grants in this area. So I am just a little worried about taking on something where you want to go fast. It could be a multi-year project on just this question.

MS. WATTENBERG: It may be that you cannot decide what you think you can do until you look at all of the materials. If you go to the HSPC website there are huge amounts of materials and tools.

MS. BERNSTEIN: Right, it is a huge amount of materials to get for us, but what I am saying is there is a huge amount of stuff to digest and to get up to speed for those of us who have not already been working on it which is most of the members of the committee.

MR. REYNOLDS: Or a one hour presentation from RTI then supposedly moved from there.

DR. FRANCIS: Why isn’t ONC following up on this just out of curiosity?

MR. HOUSTON: Why isn’t there a recommendation already is what we are addressing?

MS. WATTENBERG: Why aren’t they? I would not say that they are not. I think it has been an ongoing focus of their work is to work with the states and the NGA and through HSPC to sort of progressively and incrementally kind of go after the issue.

MR. HOUSTON: But it seems that you just cannot sort of incrementally go after this set of issues. Somebody has to, in my opinion, you have to set the high level approach and say this is what we are going to do. I am just sort of surprised with all that effort it does not sound like, I guess I would have thought okay somebody has here is the game plan.

MS. MILAM: I have only seen a small tip of the iceberg in the political arena. So you are asking a federal agency to step in and sort of trample on some state rights and NGA is not going to aid and abet that at all. But as Paul said we are in a different time now. We have every state having a health information exchange and a governor being involved so I think they will see it differently.

MS. BERNSTEIN: It is the same concern I have with the other issue which is if we start putting sensitive data over to ONC after we have been working on it, is that where the things that we have been working on we are sending over to someone else. The things that they have been working on we are doing over here and it is like our expertise are not staying.

MR. REYNOLDS: I thought we clearly defined what we could do. Where are we going? Why are we going backwards now?

MS. WATTENBERG: It seems to me that part of what of you all do, and this is not me I do not know if I can separate it, but it is not me as an ONC representative, but it seems to me that part of what you all do is you take information that is available or you solicit information if it is not available. You analyze it and then you write to the Secretary and you make recommendations on policies that the Secretary should adopt.

MR. ISHEE: Or there should be areas for more development.

MS. WATTENBERG: For more development so if you think this money has been spent on HSPC, a lot of data and information is known, maybe what you want to do you know that is part of the information that you use and you make some kind of recommendation if you think that now HIE’s sort rubber has hit the road, and everybody needs something more explicit. So, pick up the materials and say this, this and this has been done and here is what you think you should do with that.

DR. TANG: I think from an immediacy point of view, ONC probably has to do these things because it has to get the data start flowing and it has to do because I almost imagine something like that coming from the NHIN work group as an example. But if it is law, it just takes a lot longer, and you build up a case, that might be something we would recommend. The thing that are under the control of the Secretary immediately to execute the HITECH activities seems like would be an ONC kind of activity or the factor of such devise ONC. But it may be that in addition to compacts which might be the short term thing, actually having a uniform law might be the more level setting.

DR. FRANCIS: Well federal law.

MS. MILAM: Just to give you an example, after the NGA meeting in September, we had our Medicaid Commissioner with us and we talked to surrounding states. We thought what a fabulous idea. We will do it this fall. So we started discussing, just thought it would only be a matter of getting the agreement and surrounding states. Well, you have to have a compact of something this process and then I talked to Joey Pritz(?) and there is an argument that you could possibly need congressional approval and then it became unclear because you have HIPAA preemption and not at all something you throw together with your neighbors. It is something that evolves every time. We thought it was only a matter of getting agreement with surrounding states and getting the same bill with the same language passed by every state and it is not.

MR. REYNOLDS: But in John’s point, Pittsburgh is a neighbor of Florida, and so anytime you put concentric groups of states together as soon as you write it down, I will ask you about the states that fit outside of it and then as soon as you do it, I will talk about your people going to Florida. As soon as you do it, I will talk about. I mean that is the issue here. The other thing is there has been a lot of work done on this and I have been involved with NCHICA and RTI and everything, in North Carolina but that was not put in place and not studied from the standpoint that a HITECH Act would pass when it did and if this would hit the street and game on this fast. So what has happened is yes, you can list all of the work that has been going on but it was going on as a good background work that could be picked up and then something developed over time. Well that time just went boom.

The time is now and oh, by the way, all fifty states are going after money which means if I am going after money, I have to say what I am doing in North Carolina to use that money and what that means is I am moving data. Now that I am moving data, welcome to the Privacy Subcommittee, Privacy and Security Subcommittee of the NCVHS and welcome to ONC. The game has changed. It just went boom; flipped on its head. Now we have to move but we have to make sure that we use all of the right things to move so that we do not, as a group we don’t.

DR. TANG: The only solution is a federal preemptive law and they would not listen to that before. Not because it was even right at the time, but may be very right now, and that is something more that NCVHS pursues than the 850 Policy Committee. This is something we would want a coordinated heads up to make sure.

MS. MILAM: That would really build on our additional work around areas of specially protected information because it is those areas that would find themselves in that law. We would set ourselves up for having a good understanding of what works everywhere.

MS. BERSTEIN: Yes, those things are connected for sure because that is where the differences lie among the states, right? That is where the problems are in those sensitive categories of information. One state says it is HIV and another state says it is mental health, and that is where a lot of conflicts are, yes.

Are there other, I mean there are five. Are there other topics you want to look at today?

DR. FRANCIS: It was listed until 5:30 tonight.

MS. BERNSTEIN: I am saying you have twenty-five minutes.

DR. FRANCIS; This is a huge plate.

MR HOUSTONl: Why don’t we summarize this? It sounds like there are two themes though that we want.

MS. BERNSTEIN: So far. That is what I am asking it talks about categories and we talked about.

DR. FRANCIS: The first theme is categories and our action set for that is I am going to do a little bit of archival work. In the meantime there will be discussions between Paul and David about whether it would be helpful for us to follow up on that archival work with a set of recommendations of possible sensitive categories to be done on a fast track.

DR. TANG: Before, you did not say it with a set of recommendations because we did not set recommendations.

DR. FRANCIS: To follow up on the earlier archival work with now a set of these are the sensitive categories.

DR. TANG: I do not know whether that is something we are going to have time to do in this committee versus the work group and taking the, building upon the need for categories and figuring out how to deal with that.

DR. FRANCIS: I thought what I heard a little while ago was that what we were going to do was we were going to look at what we had done before as it bore on which are candidates for sensitive categories. So is it mental health? Is it substance abuse? Is it genetic information? Is it which? And you were going to talk to David about whether it would make sense for us to follow up on that, getting some supplementary information on a very fast track, about which categories. I thought that is what I understood from Sarah about which categories.

MR. REYNOLDS: No it was not.

DR. TANG: I don’t think we would do any more work. I think we would make our work available in a very accessible way and it includes, we talked about certain categories. I just includes where we left off with that.

MR. REYNOLDS: The agreement was that we have already got that document and that is useful. You were going to go back and by sometime early December, you were going to mention some things that were not covered. Those could go forward too for consideration. At the same time Paul is going to talk to David about who positions where and we go. That is what we talked about.

DR. FRANCIS: I am really confused. Go back to where.

MS. BERNSTEIN: It is really David’s decision as to which committee does what work and so your leaving out some people who might need to be involved in that decision making.

DR. FRANCIS: I want what Sarah said.

MS. BERNSTEIN: It is not clear to me. I am not sure about the departmental, but it is not clear to me that David gets to make the particular decision about what committees do which work.

MR. REYNOLDS: Well, I would say this to you. It has been the responsibility of me, Jim, Paul, Tony Trenkle, and David, to make sure that we are all working in the right space and that we are enhancing the work of the Secretary, that we are not doing that. Nobody has been left out. Everything I say I am totally comfortable with. We have had the meetings. We have had the discussions face to face with David. I am totally comfortable with what I am saying.

I am saying as Chair of NCVHS I have been asked to do that. I am doing it. We have had the people in the room and there is absolutely no reason with so much to do there is absolutely no reason to be walking in each other’s footsteps, period.

MR. HOUSTON: We are passed that. What I understood to be the case though was what Leslie described, which was we were going to talk about whether it made sense in a manner that was compatible, collaborative with Paul’s committee, coming up with the categories of sensitive information. That is what I heard.

DR. FRANCIS: That is what I heard, yes that is right.

MR. REYNOLDS: Well fine, but that is not what we were saying because here is what we are saying. I am not disagreeing with you. I am just saying what we were saying is this. That is a question because if they have to move and move in a way that they do not want to be restricted on how those categories get picked, then let’s step back.


MR. REYNOLDS: Well, but that is question. Paul is supposed to get with David pretty quick. Now after that answer comes back, I do not disagree with anything you said. That is the first answer.

MR. HOUSTON: But that is what we were saying.


MR. HOUSTON: Yes, Paul was going to talk with David Blumenthal to discuss whether this was territory which David thought that would be right for the Privacy and Security Subcommittee should work in and that that was related to the establishment or to fashion a list of sensitive data or of categories.

MR. REYNOLDS: I agree with that.

DR. FRANCIS: Then we are all good on that. Okay.

Then the next one actually there are two handfuls of mud as my contracts teacher would talk about it, that I think ended up being one and that is the protection following the data into HIE’s. The map of the data that goes into HIE’s and what protections comes with it, with an eye to the more general question of things that are in and out of the scope of HIPAA. So that is the first. What the grid looks like of each kind of, the kinds of information that are going into these new state HIE’s.

Then the second question that we recognized I think was linked question, is the interstate question because there is the protection follows the data question and there is the state interchange question. I think we saw those as related questions about HIE’s. So, did I get that right or wrong?

MR. HOUSTON: I agree with that, yes.

DR. TANG: So one possibility of how that could work is if we were willing to do a really fast track and I do not know what that means, maybe within a matter of a few months and to produce an assessment and recommendations on, to an assessment of how privacy laws or state privacy laws, get in the way of health information exchange and provide some kind of recommendation. We could submit that to either – and I could talk to Deven or we are going to end up in the NHIN group, and say which work group would like to receive that information to further develop it for the policy committee. I mean I could ask that question of David.

MS. BERNSTEIN: Okay, there is a slight procedural issue there which is we can make recommendations for the Secretary. That is what we get to do. Now anyone can look at them and you have done them, whatever but it is a little awkward to say we are making recommendations.

DR. TANG: Well, okay, that is the coordination piece of it. So you have to talk to the Secretary but we would not want to be doing something either in parallel or not coordinated. So that could be another thing if this group wanted to and if Harry thought that was a good idea, we could offer to do that kind of work that could contribute to the efforts of the policy work groups or we could ask whether, or expressed our interest in pursuing the data for protecting policy data recommendations which go directly to the Secretary or to Congress, let’s say.

DR. FRANCIS: Either of those last two actually are very relevant to the 21st Century issue because it is relevant as the data go for public health reasons, as well.

DR. TANG: So to summarize what are we putting on the table? The first one was to re-look at our old work and then we as a privacy committee, would have to develop the recommendations that you are proposing. Then is that okay? Would that be a contribution? Then the second one is looking at the state law barriers, state privacy law barriers and –

MR. HOUSTON: And vehicles for trying to facilitate it and –

DR. TANG: Yes, so if we work with the policy committee, then we would be looking at – is it the same whether we were working with them or not or working with?

MR. REYNOLDS: If we draw the picture of the ecosystem that we were talking about and talk about the flow, we can nicely then transition, in my opinion, into so how do the laws, the laws that exist do not seem to fit; so different than saying straight up there are barriers in the states. So if you are going to have this, and this looks this way, and people play this way, then it cannot be 50 ways. It cannot be 150 ways. It probably is going to have to be one way and that does not mean one state at a time.

MR. HOUSTON: So basically what we are saying here is what vehicles could be used to facilitate interchange between states.

DR. FRANCIS: In particular, where our expertise might be the longer view and needed much — that was my understanding; part of what people were saying was RMP’s.

MS. BERNSTEIN: Can you, either Paul or John or when you say look at states privacy law barriers, can you?

MR. REYNOLDS: I was saying I would rather not say it that way. We look at what it takes to make this work. You know to be able to do the things that we want to and protect the person and the data and everything related to it; not necessarily start off. If our premise is there are state barriers, we are going to knock them down. But you are going to the higher level. Now we know more about it, you are going to the higher beam which is if this is going to be what it is; you have to play it different than we used to think we were going to play.

MR. HOUSTON: I think the way to state that again is what vehicles could be used to facilitate data interchange between states. You are not saying barriers, you are saying. Again, the question I have then is this also something that needs to be discussed between Paul and Dr. Blumenthal, as to whether this should be within the purview of within our work list of things to do.

DR. TANG: Our bias in this subcommittee is the longer term legislative solutions. Is that the right?

DR. FRANCIS: That was my understanding.

MR. HOUSTON: The point, but to that from my perspective is that we could come up with some recommendations that seems perfectly suited for the long term and makes a lot of sense and could put a wrench and could either duplicate effort or put a wrench in what needs to be done in the short term to accomplish the same thing. I mean I do not want to make a recommendation that people say oh, gees, I cannot believe you guys said that.

MS. BERNSTEIN: Except by the time we get to it they will have already put out their short term recommendations so we will know.

DR. TANG: As Sallie said, most of the short term things actually do not work that well. It is almost going to be exchanged within the state until we fix this problem. That is sort of the bottom line and so we are saying we know that. We had approached before, didn’t get anywhere, but it is a new world and so now we would like to press on and try to fix it.

MS. BERNSTEIN: I was going to ask Paul, can you remind me what the things are in the statute that it says the HIT policy – it is like four topics.

DR. TANG: It was actually eight topics. I can copy you.

MS. BERNSTEIN: And you were supposed to have made those recommendations by next month?

MS. CHAPPER: End of the year.

MS. BERNSTEIN: Sorry? End of this calendar year?

MS. CHAPPER: Finishing standards is due by the end of the year, calendar year.

MS. BERNSTEIN: Sorry, which set of standards?

MS. CHAPPER: An evolving system.

MS. BERNSTEIN: On all eight of those things?


MS. BERNSTEIN: Okay well, how realistic is it that that is going to happen? Are these things feeding each other?

MR. ISHEE: So the areas required for consideration, Paul said, are technologies that protect the privacy of health information and promote security and qualified electronic health record including for the segmentation and protection from disclosure of specific and sensitive individually identifiable health information with the goal of minimizing reluctance of patients to seek care or to disclose information about a condition because of privacy concerns, in accordance with applicable law for the use and disclosure of limited datasets of such information.

MS. BERNSTEIN: And that is one?

MR. ISHEE: That is one, yes.

MS. BERNSTEIN: That is the segmentation issue and it is like five issues in there. Yes.

MR. ISHEE: Then there is a nationwide health information technology infrastructure that allows for the electronic use and accurate exchange of health information.

Utilization of a certified electronic health record for each person in the United States by 2014.

MR. REYNOLDS: Did you say for each person?


MR. REYNOLDS: I had not heard electronic health record.

MS. BERNSTEIN: That is the same goal as the wizard of Bush executives.

MR. REYNOLDS: Wait a minute. Make sure you understand what I am saying. I have not heard the term each person has one electronic health record. Is that what that is saying?

SPEAKER: Every American.

MR. REYNOLDS: Each presented, it is a conglomeration of electronic health records, right?

MR. ISHEE: It is the utilization of EHR for every person.

MS. BERNSTEIN: I do not think that language was intended to be different than the Bush Administration in the Executive Order language goal for 2014.

MR. ISHEE: Technologies, that as a part of a qualified electronic health record, allow for the accounting and disclosures made by a covered entity as defined for purposes of regulation promulgated under Section 264 of the above for purposes of treatment, payment and health care operations.

Use of a certified EHR to improve the quality of health care by the promoting of the coordination of health care improving continuity of health care among health care providers, by reducing medical errors, improving population health, by reducing health disparities, or reducing chronic disease, by advancing research and education.

MR. REYNOLDS: Number three leaves out about 50 percent of the ecosystem. It talks about covered entities.

MR. ISHEE: The next one is technologies that allow individually identifiable health information to be rendered unusable, unreadable, or indecipherable when authorized individuals when such information is transmitted in the nationwide health information network or physically transported outside the secured physical perimeter of the health care provider, health plan or health care clearing house.

Use of electronic systems to ensure the comprehensive collection of patient demographic data. Technologies that address the needs of children and other vulnerable populations.

Then there are obviously other areas of consideration, so that is biosurveillance, drug safety, medical and clinical research, health service technologies that facilitate the use of patient and exchange of patient information and reduced wait times, tele-medicine, home health. I mean it keeps going.

MS. BERNSTEIN: A long list of things. Okay. I just wanted to get an idea of what else is on their plate besides the one issue that we talked about which is the first issue I guess, segmentation issue.

Did we adequately summarize the three things we were talking about? There are other things on top of our list from the beginning of the meeting.

DR. FRANCIS: Go back to that list for a minute. What we have not brought back are the accounting and breach notification but that may get folded in under the question of the protection following the data because that was a question of who does it.

MS. MILAM: I know isn’t Paul’s committee taking up the accounting for disclosures.

MS. FRANCIS: Yes, so I think that one is off our table.

MS. BERNSTEIN: We were talking last time, I mean I do not think breach notification is that interesting all together and the rules are final. There are comments, lots of comments on them that the department has already got from the public. They are going to be reissued as final, final, when the set of rules comes out.

DR. FRANCIS: The other one that is an open one is figuring out how to make sure you have got the right person when you link records.

MS. BERNSTEIN: Yes, identifying individuals and that is partly in the thing that we talked about over email with the universal health identifier. Jim Scanlon wrote us a note saying we should not even be talking about it because we are expending appropriations to be talking about it, but.

MR. REYNOLDS: Matching patients to their records.

MS. BERNSTEIN: Right, if you I do not read the language that broadly. So it says we cannot spend any money to create a standard and it cannot go final without congressional approval.

MR. REYNOLDS: We covered all of that this morning. I do not want to open that one up.


DR. FRANCIS: There is one other one that we have not gotten back to and this is the question of research data and whether we want to have anything to say about the Institute of Medicines beyond the HIPAA Privacy Rule. That is something we might want to continue to think about.

Another something we might want to continue to think about is whether there are other ways we could contribute to the enterprise that we were talking about earlier this afternoon. The one that stood out for me is as datasets get combined, what about the re-identification issues? That is something that has been on our plate sporadically and I do not know if that, that is probably not something that is in all in ONC’s –

MS. BERNSTEIN: Well except that the world’s expert is on their committee: one of the world’s experts on it anyway and it is a very technical issue actually.

DR. TANG: I do not think we deal with re-identification. We were asked to talk about technologies that would exempt them from, so it would make it unusable. That is the encryption.

MR. BERNSTEIN: Yes, that is like encryption, shredding, destroying, pulping, you can speak of that kind of thing. The last time as I recall, I suggested that the re-identification stuff is in fact quite technical and mathematical kind of stuff that some people might be interested in. We have a lot of expertise in other areas, but if we are real interested in that, we can look into doing it, but I am not sure that we have.

DR. FRANCIS: Are there other topics that people had down that they want to make sure that we do not lose from this meeting?

DR. TANG: Well the PHR, as you know it came up as a high priority for the policy committee. It is something we have already done work on. To the extent that there is anything that does not get dealt with there or in the report to Congress that they just have to do then we might want to re-engage, but it comes under our whole non-covered entities discussion which is one of our expertise.

DR. FRANCIS: I would hope that not only would the letter that we did, but also that extraordinary richness of testimony which is up on the web would be helpful to the other committee.

Okay, last thoughts? We are adjourned. Any last thoughts from people on the phone?

MS. BERNSTEIN: We have not decided where we are going but we have certain activities.

DR. FRANCIS: I think we have decided where we are going.

MS. BERNSTEIN: Do we want to schedule or decide that we are going to have a call to talk about this further or set a whatever?

DR. FRANCIS: I am assuming we are looking forward potentially to a fast track on sensitive categories if we have the green light on that; some kind of meeting in January. Then we are looking forward to a hearing in February on the state law question, or some variant of that.

MS. BERNSTEIN: We have a Full Committee Meeting, is that right? I do not know if anyone else has grabbed the dates that are adjacent to that hearing yet. So we are talking about having a hearing both in January and in February for this subcommittee. I think we get like two a year, right?

DR. TANG: On what?

DR. FRANCIS: I am not sure if it is a hearing but some kind of a follow up, if we have the green light on that and that might not be just us- the question is the sensitive categories. But then a hearing on that nest of issues that HIE’s.

MS. BERNSTEIN: State law.

DR. FRANCIS: State law and state HIE’s.

MS. BERNSTEIN: In February?

MR. BLAIR: Leslie? Indicate that they are not mutually exclusive? Actually the lack of being able to share information is being driven in our state because certain types of activities like behavioral health require the consent and since we technically, and I do not think many exchanges can technically separate out by sequestration it forced us into having have written consent for all — so they are related.

DR. FRANCIS: We actually talked about that so thanks, Jeff for bringing that up again. Thank you.

(Whereupon, the subcommittee adjourned at 5:30 p.m.)